Gianni Socionovo
2008-Aug-04 17:17 UTC
Shorewall 4.06 + DNAT + Problem with internal routing
I have an internal router on my LAN in a Shorewall two-interface configuration and a DNAT from a public IP to internal subnets. I set up Shorewall with nested zones:

file: /etc/shorewall/zones
###############################################################################
#ZONE       TYPE    OPTIONS         IN                      OUT
#                                   OPTIONS                 OPTIONS
net         ipv4
loc         ipv4
loc1:loc    ipv4
loc2:loc    ipv4
loc3:loc    ipv4

file: /etc/shorewall/interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
loc     eth1            detect          routeback
net     eth0            detect          logmartians,nosmurfs

file: /etc/shorewall/hosts
###############################################################################
#ZONE   HOST(S)                 OPTIONS
loc1    eth1:10.10.1.0/24
loc2    eth1:10.10.2.0/24
loc3    eth1:10.10.3.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

The IP range of the loc zone is 10.10.10.0/24, and the internal Shorewall loc interface (which is also the internal loc gateway) has the private IP 10.10.10.254. The internal router has the interface 10.10.10.1.

I added the following static routes to my Shorewall gateway on interface eth1:

ip route add -net 10.10.1.0/24 netmask 255.255.255.0 gw 10.10.10.1 dev eth1
ip route add -net 10.10.2.0/24 netmask 255.255.255.0 gw 10.10.10.1 dev eth1
ip route add -net 10.10.3.0/24 netmask 255.255.255.0 gw 10.10.10.1 dev eth1

The public IP range in the net zone is 88.xx.xx.0/29 (my public IP range, obfuscated).

Let's suppose that my Shorewall public gateway interface is 88.xx.xx.1 on eth0 and I need to DNAT port 22 to the host 10.10.2.4 in the internal loc2 zone. I added the following rule:

file: /etc/shorewall/rules
############################################################################################################################
#ACTION     SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL    RATE    USER/   MARK
#                                           PORT    PORT(S) DEST        LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
DNAT:info   net     loc2:10.10.2.4  tcp     22      -       88.xx.xx.1

I also added the following lines to the masq file:

file: /etc/shorewall/masq
###############################################################################
#INTERFACE          SOURCE  ADDRESS         PROTO   PORT(S) IPSEC   MARK
eth0                eth1
eth1:10.10.2.4      eth0    10.10.10.254    tcp     22

and I set the CONTINUE policy for the subnets:

file: /etc/shorewall/policy
loc     loc1    CONTINUE
loc1    loc     CONTINUE
loc     loc2    CONTINUE
loc2    loc     CONTINUE
loc     loc3    CONTINUE
loc3    loc     CONTINUE
loc     net     ACCEPT
fw      net     ACCEPT

From the log I got:

Aug 4 19:10:07 mylinuxbox kernel: [276232.278815] Shorewall:net_dnat:DNAT:IN=eth0 SRC=88.xx.xx.xx DST=88.xx.xx.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4891 DF PROTO=TCP SPT=1128 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 4 19:10:07 mylinuxbox kernel: [276232.278839] Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=88.xx.xx.xx DST=10.10.2.4 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4891 DF PROTO=TCP SPT=1128 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

It seems that the DNAT rule works well, but after the DNAT the REJECT policy takes place.

Can anyone help me to solve the configuration error? I urgently need to set other DNAT rules towards the other nested zones.

Best Regards
Tom Eastep
2008-Aug-04 17:55 UTC
Re: Shorewall 4.06 + DNAT + Problem with internal routing
Gianni Socionovo wrote:
>
> From the log I got:
>
> Aug 4 19:10:07 mylinuxbox kernel: [276232.278815] Shorewall:net_dnat:DNAT:IN=eth0 SRC=88.xx.xx.xx DST=88.xx.xx.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4891 DF PROTO=TCP SPT=1128 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
> Aug 4 19:10:07 mylinuxbox kernel: [276232.278839] Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=88.xx.xx.xx DST=10.10.2.4 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4891 DF PROTO=TCP SPT=1128 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
>
> It seems that the DNAT rule works well, but after the DNAT the REJECT policy takes place.
>
> Can anyone help me to solve the configuration error? I urgently need to
> set other DNAT rules towards the other nested zones.

It's a routing issue. See http://www.shorewall.net/Multiple_Zones.html

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2008-Aug-04 18:04 UTC
Re: Shorewall 4.06 + DNAT + Problem with internal routing
Tom Eastep wrote:
> Gianni Socionovo wrote:
>
>>
>> From the log I got:
>>
>> Aug 4 19:10:07 mylinuxbox kernel: [276232.278815] Shorewall:net_dnat:DNAT:IN=eth0 SRC=88.xx.xx.xx DST=88.xx.xx.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4891 DF PROTO=TCP SPT=1128 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
>> Aug 4 19:10:07 mylinuxbox kernel: [276232.278839] Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=88.xx.xx.xx DST=10.10.2.4 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4891 DF PROTO=TCP SPT=1128 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
>>
>> It seems that the DNAT rule works well, but after the DNAT the REJECT policy takes
>> place.
>>
>> Can anyone help me to solve the configuration error? I urgently need
>> to set other DNAT rules towards the other nested zones.
>
> It's a routing issue. See http://www.shorewall.net/Multiple_Zones.html
>

Note that since you didn't follow the problem reporting Guidelines (http://www.shorewall.net/support.htm#Guidelines), we can't tell you how your routing is wrong. But from the REJECT message, it is apparent that your router is routing 10.10.2.4 out of eth0, not eth1 as you intend.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
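The reasoning Tom applies in both replies (a FORWARD REJECT logged with IN=eth0 OUT=eth0 for the translated destination means the kernel's route lookup sent 10.10.2.4 back out the net interface, so the problem is a missing route rather than a policy) can be checked mechanically. The Python below is an added example, not code from this thread or from the Shorewall project: it parses the two quoted kernel log lines, pairs the DNAT record with the REJECT of the same packet by IP ID and source port, and runs a longest-prefix lookup against a constructed routing table, first without and then with the three static routes to 10.10.1.0/24, 10.10.2.0/24 and 10.10.3.0/24 via eth1 (in iproute2 form those would be `ip route add 10.10.N.0/24 via 10.10.10.1 dev eth1`). The routing tables, the 203.0.113.0/29 placeholder standing in for the obfuscated 88.xx.xx.0/29 prefix, and all function names are assumptions of this example.

```python
"""Check a Shorewall DNAT -> FORWARD:REJECT pair against a routing table.

Added example (not from the thread or from Shorewall). Given the two kernel
log lines quoted in the thread, pair the DNAT record with the REJECT that
follows it and ask where a static routing table would send the translated
destination. If the table's egress interface is the net interface rather
than the loc interface, the REJECT is explained by a missing route.
"""
import ipaddress
import re

# Constructed sample: the two log lines quoted in the thread, verbatim
# (public addresses are obfuscated as in the original post).
SAMPLE_LOG = """\
Aug 4 19:10:07 mylinuxbox kernel: [276232.278815] Shorewall:net_dnat:DNAT:IN=eth0 SRC=88.xx.xx.xx DST=88.xx.xx.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=4891 DF PROTO=TCP SPT=1128 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 4 19:10:07 mylinuxbox kernel: [276232.278839] Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=88.xx.xx.xx DST=10.10.2.4 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4891 DF PROTO=TCP SPT=1128 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by
# the kernel's KEY=VALUE netfilter fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")

# Constructed routing tables (assumption: what the gateway in the thread
# would hold). 203.0.113.0/29 stands in for the obfuscated 88.xx.xx.0/29.
BASE_ROUTES = [
    ("0.0.0.0/0", "eth0"),         # default route, net side
    ("203.0.113.0/29", "eth0"),    # placeholder for the public /29
    ("10.10.10.0/24", "eth1"),     # directly connected loc network
]
# The three static routes the post intended; in iproute2 form:
#   ip route add 10.10.N.0/24 via 10.10.10.1 dev eth1
STATIC_ROUTES = [
    ("10.10.1.0/24", "eth1"),
    ("10.10.2.0/24", "eth1"),
    ("10.10.3.0/24", "eth1"),
]


def parse_shorewall_line(line):
    """Parse one Shorewall kernel log line into a dict, or None if not one.

    Keys: 'chain', 'disposition', every KEY=VALUE field (IN, OUT, SRC, DST,
    ID, SPT, DPT, ...) and 'flags' for bare tokens such as DF and SYN.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
        else:
            rec["flags"].append(tok)
    return rec


def egress_interface(routes, dst):
    """Longest-prefix match of dst over [(cidr, dev), ...]; returns dev or None."""
    ip = ipaddress.ip_address(dst)
    best_net, best_dev = None, None
    for cidr, dev in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def diagnose(log_text, routes, loc_dev="eth1"):
    """Pair DNAT records with the REJECT of the same packet (IP ID + SPT) and
    report where the routing table sends the translated destination."""
    records = [r for r in map(parse_shorewall_line, log_text.splitlines()) if r]
    dnats = {(r.get("ID"), r.get("SPT")): r
             for r in records if r["disposition"] == "DNAT"}
    findings = []
    for r in records:
        key = (r.get("ID"), r.get("SPT"))
        if r["disposition"] != "REJECT" or key not in dnats:
            continue
        table_out = egress_interface(routes, r["DST"])
        findings.append({
            "dst": r["DST"],
            "logged_out": r.get("OUT"),
            "table_out": table_out,
            # The packet would leave on the interface it arrived on: the
            # symptom of a destination with no route toward the LAN.
            "same_interface": r.get("IN") == r.get("OUT"),
            "route_missing": table_out != loc_dev,
        })
    return findings


if __name__ == "__main__":
    for label, table in (("without static routes", BASE_ROUTES),
                         ("with static routes", BASE_ROUTES + STATIC_ROUTES)):
        for f in diagnose(SAMPLE_LOG, table):
            print(f"{label}: {f}")
```

Without the static routes the lookup for 10.10.2.4 falls through to the default route on eth0, which matches the OUT=eth0 in the REJECT line; with them it resolves to eth1. On the live gateway the same question is answered by `ip route get 10.10.2.4`, which should report the next hop 10.10.10.1 on eth1 once the routes are in place.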