Shorewall users - Jan 2005 - Dnat problems with adsl-box

Hello!

So i got this problem. I have a debian sarge (with 2.6 kernel) box with 
shorewall up and network something like this: 
(net-ip)adsl-router(10.0.0.2)->(10.0.0.5)debian(192.168.0.1)->(192.168.0.x)lan-machines

Everything works just great but i cant get port forwarding to work. 
shorewall show nat shows the traffic (to port 2002) but the machine 
(192.168.0.3) isnt getting it.. I have tried some tips i got from 
helpmanuals and so on but no help. I used the two-interferface guide mostly.
I got these in my rules:

DNAT            net             loc:192.168.0.3 tcp 2002
DNAT            net             loc:192.168.0.3 udp 2002

Also ssh isnt working from internet to the firewall altough i got:

ACCEPT          net             fw              tcp     22
ACCEPT          net             fw              udp     22


Some tips? I cant get the adsl-router(a-link roadrunner 44)  to bridge 
the "real" ip to the ethernet-card so this is kind of complicated. I
got
eth2 but it isnnt connected to anything atm. I am probably going to but 
this 192.168.0.3 machine to a dmz zone trought it later.

Shorewall version: 2.0.13 (from apt-get)

ip addr show :

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:d0:b7:e6:02:2b brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.5/24 brd 10.255.255.255 scope global eth0
    inet6 fe80::2d0:b7ff:fee6:22b/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:05:5d:4d:10:a0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::205:5dff:fe4d:10a0/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:00:e8:ee:c0:f8 brd ff:ff:ff:ff:ff:ff
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.5
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
default via 10.0.0.2 dev eth0


Thanks for the in advance!

Niko Kurtti
niko.kurtti@gmail.com

On Sun, 2005-01-02 at 15:03 +0200, Niko Kurtti wrote:
> Hello!
> 
> So i got this problem. I have a debian sarge (with 2.6 kernel) box with 
> shorewall up and network something like this: 
>
(net-ip)adsl-router(10.0.0.2)->(10.0.0.5)debian(192.168.0.1)->(192.168.0.x)lan-machines
> 
> Everything works just great but i cant get port forwarding to work. 
> shorewall show nat shows the traffic (to port 2002) but the machine 
> (192.168.0.3) isnt getting it.. I have tried some tips i got from 
> helpmanuals and so on but no help. I used the two-interferface guide
mostly.
But you didn''t follow it closely enough, particularly this part:

        Before starting Shorewall, you should look at the IP address of
        your external interface and if it is in one of the above ranges,
        you should remove the ''norfc1918'' option from the
external
        interface''s entry in /etc/shorewall/interfaces.

The "above list" is:

        10.0.0.0    - 10.255.255.255
        172.16.0.0  - 172.31.255.255
        192.168.0.0 - 192.168.255.255

The lesson to be learned here is "LOOK AT YOUR LOG" -- there you would
have seen lots of messages like:

Jan  2 14:18:19 localhost Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1
SRC=81.182.237.201 DST=192.168.0.3 LEN=180 TOS=0x00 PREC=0x20 TTL=109
ID=56389 PROTO=UDP SPT=3100 DPT=2002 LEN=160

Those messages plus a quick look at Shorewall FAQ 17 would have given
you the answer.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key