On Tue, 2004-12-28 at 23:55 -0800, John Cavanaugh wrote:
> Ok, I've been pulling what's left of my hair out trying
> to figure this one out and I give up.
>
>
> A seemingly simple DNAT is not working. Below is a
> snippet from my rules file.
>
>
> DNAT net loc:192.168.1.1:22 tcp 2022
> DNAT net loc:192.168.1.175:22 tcp 1022
>
>
> Basically I'm trying to forward port 1022 on my
> firewall to a machine on my local network.
>
> My firewall machine is 192.168.1.1 and if I telnet
> (from an external machine) to port 2022 I correctly
> get connected to ssh on my firewall. (This was a test
> that the rule was formed correctly)
Er -- if 192.168.1.1 is the IP address assigned to your firewall's
internal interface then the first rule is nonsense because 192.168.1.1
IS NOT IN THE 'loc' ZONE but is rather in the $FW zone. What I suspect
is that you also have a rule that reads:
ACCEPT net $FW tcp 22
And if you put that (correct) rule together with your silly first rule
then you are able to connect externally to port 2022.
>
> If I telnet to port 1022 I get a timeout. But if I
> run telnet 192.168.1.175 22 from the firewall machine
> I get connected to ssh on the other machine.
>
> Also I have run the shorewall show nat and it does
> show that the # of packets increases when I try to
> connect so it definitely appears that the packets are
> getting to the firewall but alas are getting lost
> somewhere...
>
> This is why I am so confused. It appears the rules
> are configured correctly and it appears the routing
> is working correctly.
So 192.168.1.175 can access the internet okay and its default gateway
is set to 192.168.1.1 and not to the address of some other router?
>
> I am running Fedora Core 3. I have unsuccessfully
> tried 2.0.10, 2.0.13 and 2.2 RC2.
Rather than madly installing newer versions of Shorewall, you would have
been better advised to read the DNAT debugging tips in FAQs 1a and 1b.
If those don't help then I would begin looking at traffic on your
internal interface using tcpdump or ethereal to see what is happening:
tcpdump -nei <internal if> host 192.168.1.175
then try to connect externally to port 1022.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
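The zone mistake Tom points out (a DNAT target that is really the firewall's own address, so it lives in $FW rather than 'loc') can be caught before the rules are loaded. The following is an added example, not code from the thread or from Shorewall; the firewall address set and the two rule lines are constructed from the message, and the rule parser assumes the five-column DNAT layout shown there.

```python
# Added example (not from the original thread): a small lint that flags a
# Shorewall DNAT rule whose destination address is one of the firewall's own
# addresses. Such an address is in the $FW zone, not 'loc', so the rule cannot
# do what its author intends.
import ipaddress

# Constructed inputs modelled on the thread: the firewall's internal interface
# address and the two DNAT lines quoted from the original rules file.
FIREWALL_ADDRESSES = {"192.168.1.1"}
RULES = """\
DNAT net loc:192.168.1.1:22 tcp 2022
DNAT net loc:192.168.1.175:22 tcp 1022
"""


def parse_dnat(line):
    """Split a 'DNAT src zone:addr[:port] proto dport' rule; None if not a DNAT rule."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DNAT":
        return None
    zone, _, rest = fields[2].partition(":")
    addr, _, port = rest.partition(":")
    return {"zone": zone, "addr": addr, "port": port or None,
            "proto": fields[3], "dport": fields[4]}


def lint_dnat(rules_text, fw_addresses):
    """Return (line number, message) for each DNAT rule aimed at the firewall itself."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        rule = parse_dnat(line.strip())
        if rule is None:  # comments, blank lines, non-DNAT rules
            continue
        try:
            ipaddress.ip_address(rule["addr"])
        except ValueError:
            findings.append((lineno, f"unparseable address {rule['addr']!r}"))
            continue
        if rule["addr"] in fw_addresses and rule["zone"] != "$FW":
            findings.append((lineno, f"{rule['addr']} is a firewall address; zone "
                                     f"'{rule['zone']}' should be $FW"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_dnat(RULES, FIREWALL_ADDRESSES):
        print(f"line {lineno}: {msg}")
```

Only the first quoted rule is reported; the second (192.168.1.175) is a genuine 'loc' host and passes, which matches Tom's diagnosis that the problem there lies elsewhere.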