Haim Ashkenazi
2003-Jun-06 07:17 UTC
[Shorewall-users] DNAT rule doesn't work on local interface
Hi

I'm not subscribed to this list so please cc your responses to me.

I'm trying to set a DNAT rule to forward connections from the internet to
another IP of the same machine. (I need it for djbdns, I'm only testing it on
smtp):

DNAT net loc:192.168.0.1 tcp 25

where 192.168.0.1 is another interface on my firewall. The problem is that it
doesn't work. If I try to telnet from the outside to port 25 I get dropped.
If I change this IP to 192.168.0.10, which is another host on the network,
everything works fine.

I've attached the output of ip addr show, ip route show, shorewall status, and
lsmod. The other parameters are:

kernel: 2.4.20-babysnakes
iptables version: 1.2.6a-5
shorewall version: 1.4.2

I'm running Debian woody.

Any ideas?

thanx
--
Haim
-------------- next part (ip addr show) --------------
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: gre0@NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0
3: ipsec0: <NOARP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ipip
    inet 62.90.233.201 peer 62.90.133.4/32 scope global ipsec0
4: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
5: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
6: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:5a:ce:26:46 brd ff:ff:ff:ff:ff:ff
    inet 10.200.1.1/8 brd 10.255.255.255 scope global eth0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:d0:b7:09:3d:1f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
    inet 192.168.0.2/24 brd 192.168.0.255 scope global secondary eth1:0
33: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 62.90.139.134 peer 62.90.133.4/32 scope global ppp0
-------------- next part (ip route show) --------------
62.90.133.4 dev ppp0 proto kernel scope link src 62.90.139.134
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
10.0.0.0/8 dev eth0 proto kernel scope link src 10.200.1.1
default via 62.90.133.4 dev ppp0
-------------- next part (lsmod) --------------
Module Size Used by Not tainted
sg 24036 0 (autoclean)
ipt_TOS 1088 12 (autoclean)
ipt_MASQUERADE 1248 1 (autoclean)
ipt_REDIRECT 832 0 (autoclean)
ipt_LOG 3168 2 (autoclean)
ipt_REJECT 2880 2 (autoclean)
ipt_state 608 30 (autoclean)
iptable_mangle 2208 1 (autoclean)
ip_nat_irc 2304 0 (unused)
ip_nat_ftp 2848 0 (unused)
iptable_nat 13716 3 [ipt_MASQUERADE ipt_REDIRECT ip_nat_irc ip_nat_ftp]
ip_conntrack_irc 3040 1
ip_conntrack_ftp 3776 1
ip_conntrack 16108 4 [ipt_MASQUERADE ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
iptable_filter 1728 1 (autoclean)
ip_tables 10272 11 [ipt_TOS ipt_MASQUERADE ipt_REDIRECT ipt_LOG ipt_REJECT ipt_state iptable_mangle iptable_nat iptable_filter]
nfsd 43840 8 (autoclean)
apm 8872 1 (autoclean)
ppp_deflate 2944 0 (autoclean)
zlib_deflate 17376 0 (autoclean) [ppp_deflate]
bsd_comp 3968 0 (autoclean)
ppp_async 6272 1 (autoclean)
ppp_generic 19084 3 (autoclean) [ppp_deflate bsd_comp ppp_async]
slhc 4368 0 (autoclean) [ppp_generic]
st 26068 1
emu10k1 52544 1
sound 51308 0 [emu10k1]
ac97_codec 9792 0 [emu10k1]
soundcore 3268 7 [emu10k1 sound]
eepro100 17932 1
3c59x 25032 1
keybdev 1664 0 (unused)
input 3072 0 [keybdev]
-------------- next part (shorewall status) --------------
Shorewall-1.4.2 Status at coltrane - Fri Jun 6 16:51:30 IDT 2003
Counters reset Fri Jun 6 16:51:00 IDT 2003
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 120 ppp_in all -- ppp+ * 0.0.0.0/0 0.0.0.0/0
237 21261 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
53 7097 ppp_fwd all -- ppp+ * 0.0.0.0/0 0.0.0.0/0
84 8243 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT udp -- * ppp+ 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 fw2net all -- * ppp+ 0.0.0.0/0 0.0.0.0/0
224 28680 fw2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 fw2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain all2all (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain common (5 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW
0 0 DROP all -- * * 0.0.0.0/0 192.168.0.255
0 0 DROP all -- * * 0.0.0.0/0 10.255.255.255
Chain dynamic (6 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 loc2net all -- * ppp+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
84 8243 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
84 8243 loc2net all -- * ppp+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
237 21261 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
237 21261 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2loc (2 references)
pkts bytes target prot opt in out source destination
224 28680 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination
Chain loc2fw (2 references)
pkts bytes target prot opt in out source destination
236 21209 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 52 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (2 references)
pkts bytes target prot opt in out source destination
82 8107 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
2 136 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (30 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
2 120 common all -- * * 0.0.0.0/0 0.0.0.0/0
2 120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:443
0 0 ACCEPT tcp -- * * 80.178.114.145 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
2 120 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2loc (2 references)
pkts bytes target prot opt in out source destination
53 7097 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.1 state NEW tcp dpt:25
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain newnotsyn (8 references)
pkts bytes target prot opt in out source destination
1 52 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ppp_fwd (1 references)
pkts bytes target prot opt in out source destination
53 7097 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
53 7097 net2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 net2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain ppp_in (1 references)
pkts bytes target prot opt in out source destination
2 120 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
2 120 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
2 120 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (10 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain rfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 logdrop all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 logdrop all -- * * 192.0.2.0/24 0.0.0.0/0
0 0 logdrop all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 2.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 5.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 7.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 23.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 27.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 31.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 36.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 39.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 41.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 42.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 49.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 50.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 58.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 60.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 70.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 72.0.0.0/5 0.0.0.0/0
0 0 logdrop all -- * * 83.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 84.0.0.0/6 0.0.0.0/0
0 0 logdrop all -- * * 88.0.0.0/5 0.0.0.0/0
0 0 logdrop all -- * * 96.0.0.0/3 0.0.0.0/0
0 0 logdrop all -- * * 127.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 197.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 198.18.0.0/15 0.0.0.0/0
0 0 logdrop all -- * * 201.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 240.0.0.0/4 0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
NAT Table
Chain PREROUTING (policy ACCEPT 379K packets, 21M bytes)
pkts bytes target prot opt in out source destination
2 120 net_dnat all -- ppp+ * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 439K packets, 32M bytes)
pkts bytes target prot opt in out source destination
2 136 ppp_masq all -- * ppp+ 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 437K packets, 32M bytes)
pkts bytes target prot opt in out source destination
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
2 120 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:192.168.0.1
Chain ppp_masq (1 references)
pkts bytes target prot opt in out source destination
2 136 MASQUERADE all -- * * 192.168.0.0/24 0.0.0.0/0
Mangle Table
Chain PREROUTING (policy ACCEPT 16M packets, 15G bytes)
pkts bytes target prot opt in out source destination
2 120 man1918 all -- ppp+ * 0.0.0.0/0 0.0.0.0/0 state NEW
377 36773 pretos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 12M packets, 12G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 4658K packets, 2790M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 7094K packets, 4617M bytes)
pkts bytes target prot opt in out source destination
225 28828 outtos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 12M packets, 7406M bytes)
pkts bytes target prot opt in out source destination
Chain logdrop (30 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:man1918:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain man1918 (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 169.254.0.0/16
0 0 logdrop all -- * * 0.0.0.0/0 172.16.0.0/12
0 0 logdrop all -- * * 0.0.0.0/0 192.0.2.0/24
0 0 logdrop all -- * * 0.0.0.0/0 192.168.0.0/16
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 2.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 5.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 7.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 23.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 27.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 31.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 36.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 39.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 41.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 42.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 49.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 50.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 58.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 60.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 70.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 72.0.0.0/5
0 0 logdrop all -- * * 0.0.0.0/0 83.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 84.0.0.0/6
0 0 logdrop all -- * * 0.0.0.0/0 88.0.0.0/5
0 0 logdrop all -- * * 0.0.0.0/0 96.0.0.0/3
0 0 logdrop all -- * * 0.0.0.0/0 127.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 197.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 198.18.0.0/15
0 0 logdrop all -- * * 0.0.0.0/0 201.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 240.0.0.0/4
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
27 2812 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
129 11603 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
50 6831 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
tcp 6 431840 ESTABLISHED src=192.168.0.5 dst=62.90.61.51 sport=42520 dport=993 src=62.90.61.51 dst=62.90.139.134 sport=993 dport=42520 [ASSURED] use=1
tcp 6 431991 ESTABLISHED src=192.168.0.5 dst=62.90.61.51 sport=42522 dport=993 src=62.90.61.51 dst=62.90.139.134 sport=993 dport=42522 [ASSURED] use=1
tcp 6 431993 ESTABLISHED src=192.168.0.5 dst=62.90.61.51 sport=42528 dport=22 src=62.90.61.51 dst=62.90.139.134 sport=22 dport=42528 [ASSURED] use=1
udp 17 20 src=192.168.0.5 dst=128.139.6.20 sport=123 dport=123 src=128.139.6.20 dst=62.90.139.134 sport=123 dport=123 use=1
tcp 6 36 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=3262 dport=1339 src=127.0.0.1 dst=127.0.0.1 sport=1339 dport=3262 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=192.168.0.5 dst=192.168.0.1 sport=32777 dport=22 src=192.168.0.1 dst=192.168.0.5 sport=22 dport=32777 [ASSURED] use=1
tcp 6 431953 ESTABLISHED src=192.168.0.5 dst=64.12.30.140 sport=42527 dport=5190 src=64.12.30.140 dst=62.90.139.134 sport=5190 dport=42527 [ASSURED] use=1
tcp 6 431987 ESTABLISHED src=192.168.0.5 dst=192.168.0.1 sport=41912 dport=143 src=192.168.0.1 dst=192.168.0.5 sport=143 dport=41912 [ASSURED] use=1
udp 17 159 src=192.168.0.5 dst=192.168.0.1 sport=33014 dport=53 src=192.168.0.1 dst=192.168.0.5 sport=53 dport=33014 [ASSURED] use=1
tcp 6 53 TIME_WAIT src=192.168.0.5 dst=192.168.0.1 sport=42523 dport=80 src=192.168.0.1 dst=192.168.0.5 sport=80 dport=42523 [ASSURED] use=1
tcp 6 53 TIME_WAIT src=192.168.0.5 dst=192.168.0.1 sport=42524 dport=80 src=192.168.0.1 dst=192.168.0.5 sport=80 dport=42524 [ASSURED] use=1
tcp 6 71 TIME_WAIT src=192.168.0.5 dst=64.12.200.89 sport=42526 dport=5190 src=64.12.200.89 dst=62.90.139.134 sport=5190 dport=42526 [ASSURED] use=1
tcp 6 84222 ESTABLISHED src=158.140.2.102 dst=62.90.230.121 sport=30966 dport=80 src=62.90.230.121 dst=158.140.2.102 sport=80 dport=30966 [ASSURED] use=1
Tom Eastep
2003-Jun-06 07:23 UTC
[Shorewall-users] DNAT rule doesn't work on local interface
On Fri, 6 Jun 2003 17:17:36 +0300, Haim Ashkenazi <haim@babysnakes.org> wrote:

> Hi
>
> I'm not subscribed to this list so please cc your responses to me.
>
> I'm trying to set a DNAT rule to forward connections from the internet to
> another IP of the same machine. (I need it for djbdns, I'm only testing
> it on smtp):
>
> DNAT net loc:192.168.0.1 tcp 25
>
> where 192.168.0.1 is another interface on my firewall.

If it is the IP address of another interface on your firewall, then it
isn't in the 'loc' zone now is it?

Try:

DNAT net fw:192.168.0.1 tcp 25

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
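Tom's point in working form, as an added example that is not part of the thread or of Shorewall itself: an address the firewall owns belongs to the fw zone, so a DNAT target has to be checked against the firewall's own addresses (secondary ones included) before it is matched against the interface subnets. The `parse_ip_addr`, `zone_for` and `dnat_rule` helpers and the `IFACE_ZONES` mapping are this example's own; the mapping (eth0 and eth1 in loc, ppp0 in net) is read off the chains in the attached status output, and the `ip addr show` sample is trimmed from the one Haim attached.

```python
import ipaddress
import re

# Interface -> zone mapping assumed for the firewall in the thread: the status
# output jumps eth0_in/eth1_in to loc2fw and ppp_in to net2fw.
IFACE_ZONES = {"eth0": "loc", "eth1": "loc", "ppp0": "net"}

# Sample input, trimmed from the 'ip addr show' output attached to the thread.
IP_ADDR_SHOW = """\
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    inet 10.200.1.1/8 brd 10.255.255.255 scope global eth0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
    inet 192.168.0.2/24 brd 192.168.0.255 scope global secondary eth1:0
33: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    inet 62.90.139.134 peer 62.90.133.4/32 scope global ppp0
"""

_IFACE_RE = re.compile(r"^\d+: (\S+?)(?:@\S+)?: ")
_INET_RE = re.compile(r"^\s*inet (\d+\.\d+\.\d+\.\d+)(?:/(\d+))?")

def parse_ip_addr(text):
    """Return [(iface, address, network)] for every IPv4 address listed."""
    entries, iface = [], None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = _INET_RE.match(line)
        if m and iface:
            addr = ipaddress.ip_address(m.group(1))
            # A point-to-point address has no prefix; only it is local, so use /32.
            net = ipaddress.ip_network(f"{addr}/{m.group(2) or 32}", strict=False)
            entries.append((iface, addr, net))
    return entries

def zone_for(target, entries, iface_zones=IFACE_ZONES):
    """'fw' when the firewall itself owns target (primary or secondary address),
    else the zone of the interface whose subnet contains it, else None."""
    target = ipaddress.ip_address(target)
    if any(addr == target for _, addr, _ in entries):
        return "fw"
    for iface, _, net in entries:
        if target in net and iface in iface_zones:
            return iface_zones[iface]
    return None

def dnat_rule(target, proto, port, entries, src_zone="net"):
    """Shorewall rules-file line that forwards src_zone traffic to target."""
    zone = zone_for(target, entries)
    if zone is None:
        raise ValueError(f"no zone covers {target}")
    return f"DNAT {src_zone} {zone}:{target} {proto} {port}"

if __name__ == "__main__":
    ifaces = parse_ip_addr(IP_ADDR_SHOW)
    for host in ("192.168.0.1", "192.168.0.2", "192.168.0.10"):
        print(dnat_rule(host, "tcp", 25, ifaces))
```

The counters in the attached status show why the loc: form fails silently: the ACCEPT that Shorewall generated sits in net2loc (a FORWARD-path chain), but a packet DNATed to a local address is delivered via INPUT, where ppp_in hands it to net2fw and net2all drops it (2 packets in net_dnat, 2 dropped in net2all).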
Haim Ashkenazi
2003-Jun-06 07:42 UTC
[Shorewall-users] DNAT rule doesn't work on local interface
On Friday 06 June 2003 17:23, Tom Eastep wrote:

> If it is the IP address of another interface on your firewall, then it
> isn't in the 'loc' zone now is it?
>
> Try:
>
> DNAT net fw:192.168.0.1 tcp 25

thanx, it solved the problem.

Bye
--
Haim