I am currently using shorewall as my firewall and am having problems getting a port forwarded through the firewall using DNAT. I say routing issue because when the firewall is on I am able to ping an internal machine from my (inside) lan card but cannot telnet to it (testing to see if I can even connect to the port - 80). When the firewall is off I am able to.

While on, the firewall reports the following with respect to the connection:

Oct 6 05:13:35 gtds-vpnserver kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.199 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=23886 DF PROTO=TCP SPT=54651 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 6 05:13:36 gtds-vpnserver kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:14:2a:08:46:f3:00:0f:cc:18:64:34:08:00 SRC=219.146.10.108 DST=70.141.19.100 LEN=404 TOS=0x00 PREC=0x00 TTL=107 ID=45016 PROTO=UDP SPT=3458 DPT=1434 LEN=384

192.168.1.254 being my inside interface of my firewall (eth1)
192.168.1.199 being my inside machine I want to port forward to
eth0 is my outside interface, connected to dsl

policy file:

loc net ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info

rules file:

ACCEPT loc all all
ACCEPT net:gtdsvpn.dyndns.org all all
ACCEPT all fw tcp ssh
ACCEPT loc fw tcp 10000
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT net fw icmp 8
ACCEPT loc fw icmp 8
ACCEPT fw net icmp
ACCEPT fw loc icmp
ACCEPT all fw udp 10000
ACCEPT all fw udp 4500
ACCEPT all fw udp 500
ACCEPT all fw udp 1701
ACCEPT all fw tcp 1701
ACCEPT all $FW GRE
ACCEPT all all ESP
ACCEPT loc all tcp 80

masq file:

eth0 192.168.1.0/24

I'm just not sure what's wrong with it, is that enough info or is there something else missing?

DNAT net loc:192.168.1.199 tcp 80

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Tim P wrote:
> I am currently using shorewall as my firewall and am having problems
> getting a port forwarded through the firewall using DNAT. I say routing
> issue because when the firewall is on I am able to ping an internal
> machine from my (inside) lan card but cannot telnet to it (testing to see
> if I can even connect to the port - 80). When the firewall is off I am
> able to.

Tim,

The ability or inability to connect from your firewall to a local system with Shorewall started has absolutely no bearing on whether DNAT will work to that system. The two are totally independent.

I suggest that you:

a) Follow the DNAT debugging instructions in Shorewall FAQs 1a and 1b.

b) If you still cannot find the cause then please submit a problem report as detailed at http://www.shorewall.net/support.htm#Guidelines and we will try to help you.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Tim P wrote:
>> I am currently using shorewall as my firewall and am having problems
>> getting a port forwarded through the firewall using DNAT. I say routing
>> issue because when the firewall is on I am able to ping an internal
>> machine from my (inside) lan card but cannot telnet to it (testing to
>> see if I can even connect to the port - 80). When the firewall is off I
>> am able to.
>
> Tim,
>
> The ability or inability to connect from your firewall to a local system
> with Shorewall started has absolutely no bearing on whether DNAT will
> work to that system. The two are totally independent.

Let me try to clarify. You have the rule:

DNAT net loc:192.168.1.199 tcp 80

That forwards *any* connection to tcp port 80 received by your external interface to 192.168.1.199. It also generates a rule to accept that redirected traffic.

To be able to telnet to port 80 on 192.168.1.199 from your firewall, you would need this rule:

ACCEPT $FW loc:192.168.1.199 tcp 80

Remember that Shorewall rules are expressed in terms of *connections*, not packets. So while the DNAT rule allows redirected packets to flow from your firewall to your server, it does not allow connections from your firewall to your server.

Your problem with DNAT *may*, in fact, be a routing problem -- if so, it is that your server (192.168.1.199) is configured with a default gateway address that is not the IP address of your Shorewall box's internal interface. That is explained in the FAQs that I referred you to in my post from yesterday.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
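An added example for the two points Tom makes above; it is not code from either poster or from the Shorewall project. The first function reads the IN=/OUT= fields of a Shorewall log line to show which path the packet took: the REJECT from the first post has an empty IN= and OUT=eth1, so it was generated by the firewall itself ($FW as source zone) and a net->loc DNAT rule can never match it. The second checks the routing condition from the FAQs, that the DNAT target's default gateway is the firewall's inside address. The log lines are the two from the first post (with the damaged DST= field restored); the two `ip route show` tables are constructed samples, and the "wrong gateway" one is hypothetical, not something the thread established. 192.168.1.254 is the firewall's inside address from the thread.

```shell
#!/bin/sh
# Added example for this Shorewall thread; not the posters' or the project's code.
# Two offline checks for a "DNAT does not work" report:
#   1. classify a Shorewall log line by the IN=/OUT= fields (which chain saw it);
#   2. confirm the DNAT target's default gateway is the firewall's inside address.
# Functions take their input text as an argument so the samples below run anywhere.

FW_INTERNAL_IP=192.168.1.254   # from the thread: eth1 on the firewall

# Log lines quoted from the first post (DST= on the second line repaired).
SAMPLE_REJECT='Oct 6 05:13:35 gtds-vpnserver kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.254 DST=192.168.1.199 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=23886 DF PROTO=TCP SPT=54651 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'
SAMPLE_DROP='Oct 6 05:13:36 gtds-vpnserver kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:14:2a:08:46:f3:00:0f:cc:18:64:34:08:00 SRC=219.146.10.108 DST=70.141.19.100 LEN=404 TOS=0x00 PREC=0x00 TTL=107 ID=45016 PROTO=UDP SPT=3458 DPT=1434 LEN=384'

# Constructed `ip route show` output as it might look on 192.168.1.199.
# The first (hypothetical misconfiguration) points the default route at some
# other gateway; the second points it at the firewall.
SAMPLE_ROUTES_BAD='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.199'
SAMPLE_ROUTES_GOOD='default via 192.168.1.254 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.199'

# shorewall_log_path LINE
# Prints: <path> <chain> <disposition> <src> <dst> <dport>, where path is
#   local-out  IN= empty, OUT= set   -> sent by the firewall itself ($FW is the source zone)
#   local-in   IN= set,   OUT= empty -> addressed to the firewall ($FW is the destination)
#   forward    both set              -> traversing the firewall; only here can a
#                                       net->loc DNAT rule apply
shorewall_log_path() {
    printf '%s\n' "$1" | awk '
    {
        chain = ""; disp = ""; in_if = ""; out_if = ""; src = ""; dst = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Shorewall:/) {
                # netfilter glues the log prefix to the IN= field: Shorewall:<chain>:<disp>:IN=<if>
                n = split($i, a, ":")
                chain = a[2]; disp = a[3]
                if (n >= 4 && a[4] ~ /^IN=/) in_if = substr(a[4], 4)
            }
            else if ($i ~ /^IN=/)  in_if = substr($i, 4)
            else if ($i ~ /^OUT=/) out_if = substr($i, 5)
            else if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (chain == "") { print "unknown"; exit }
        if (in_if == "" && out_if != "")      path = "local-out"
        else if (in_if != "" && out_if == "") path = "local-in"
        else if (in_if != "" && out_if != "") path = "forward"
        else                                  path = "unknown"
        print path, chain, disp, src, dst, dpt
    }'
}

# server_default_gw ROUTE_OUTPUT
# Prints the gateway of the default route in `ip route show` output (nothing if none).
server_default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# dnat_reply_path_ok ROUTE_OUTPUT FIREWALL_INTERNAL_IP
# Succeeds only when the server's default route points at the firewall, so replies
# to DNATed connections come back through the firewall and get un-translated there.
dnat_reply_path_ok() {
    [ "$(server_default_gw "$1")" = "$2" ]
}

# Usage against the samples (on a real host, pass "$(ip route show)" taken on the server).
shorewall_log_path "$SAMPLE_REJECT"   # local-out all2all REJECT 192.168.1.254 192.168.1.199 80
shorewall_log_path "$SAMPLE_DROP"     # local-in net2all DROP 219.146.10.108 70.141.19.100 1434
for routes in "$SAMPLE_ROUTES_BAD" "$SAMPLE_ROUTES_GOOD"; do
    if dnat_reply_path_ok "$routes" "$FW_INTERNAL_IP"; then
        echo "default gateway is $FW_INTERNAL_IP: DNAT replies return through the firewall"
    else
        echo "default gateway is '$(server_default_gw "$routes")', not $FW_INTERNAL_IP: DNAT replies bypass the firewall"
    fi
done
```

The REJECT line classifies as local-out, which is the concrete form of Tom's point: that packet left the firewall's own stack, so it was judged as a $FW->loc connection and needed its own ACCEPT rule; the DNAT rule only ever sees packets arriving on eth0. The gateway check is the routing condition Tom names; run `ip route show` on the server itself, not on the firewall.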