Hi,
I have a problem with a forwarding rule, although I scanned through all
docs yet ...
I want to forward smb requests which come from an external zone (urban)
to the firewall machine to be re-directed to another machine in the
internal zone (nw). The firewall machine hosts an smb server itself, but
only on the internal interface (corresponding to the "nw" zone). I added
the following ruleset:
----------------------------------------------------------
# SMB to NAS
DNAT urban nw:192.168.72.2:137 udp 137 - 192.168.172.1
DNAT urban nw:192.168.72.2:138 udp 138 - 192.168.172.1
DNAT urban nw:192.168.72.2:139 tcp 139 - 192.168.172.1
DNAT urban nw:192.168.72.2:445 tcp 445 - 192.168.172.1
----------------------------------------------------------
here is the output of "shorewall show nat":
----------------------------------------------------------
Shorewall 4.4.5.2 NAT Table at locutus - Wed Jan 6 22:01:57 CET 2010
Counters reset Wed Jan 6 22:01:55 CET 2010
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 dnat all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 urban_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 192.168.72.0/24 0.0.0.0/0
Chain urban_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 192.168.172.1 udp dpt:137 to:192.168.72.2:137
0 0 DNAT udp -- * * 0.0.0.0/0 192.168.172.1 udp dpt:138 to:192.168.72.2:138
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.172.1 tcp dpt:139 to:192.168.72.2:139
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.172.1 tcp dpt:445 to:192.168.72.2:445
----------------------------------------------------------
I can reach the firewall machine through smbclient: answers come back
if I open the local smb server to respond to requests from the "urban"
zone. But if I close the local server for this side and add the
forwarding rule, I don't get any response from the ...72.2 machine.
Where is my fault? Did I miss something obvious? Do I have a conflict
with some other NAT rule? I'm a bit lost now, would be very nice if
someone can give me the crucial hint ;-)
Greetings, Thomas
--
------------------------------------------
* Thommie Rother *
* Mail: thommienw@googlemail.com *
------------------------------------------
Thomas Rother wrote:

> here is the output of "shorewall show nat":
>
> ----------------------------------------------------------
> Shorewall 4.4.5.2 NAT Table at locutus - Wed Jan 6 22:01:57 CET 2010
> Counters reset Wed Jan 6 22:01:55 CET 2010
>
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 dnat all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain dnat (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 urban_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0
>
> Chain eth0_masq (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 MASQUERADE all -- * * 192.168.72.0/24 0.0.0.0/0
>
> Chain urban_dnat (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 DNAT udp -- * * 0.0.0.0/0 192.168.172.1 udp dpt:137 to:192.168.72.2:137
> 0 0 DNAT udp -- * * 0.0.0.0/0 192.168.172.1 udp dpt:138 to:192.168.72.2:138
> 0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.172.1 tcp dpt:139 to:192.168.72.2:139
> 0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.172.1 tcp dpt:445 to:192.168.72.2:445
> ----------------------------------------------------------

According to that output, no SMB traffic is reaching eth0.

> I can reach the firewall machine through smbclient: answers come back
> if I open the local smb server to respond to requests from the "urban"
> zone. But if I close the local server for this side and add the
> forwarding rule, I don't get any response from the ...72.2 machine.
>
> Where is my fault? Did I miss something obvious? Do I have a conflict
> with some other NAT rule? I'm a bit lost now, would be very nice if
> someone can give me the crucial hint ;-)

Shorewall FAQs 1a and 1b give complete DNAT troubleshooting instructions.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
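Tom's one-line diagnosis comes from reading the packet counters in the dump: the jump from chain `dnat` into `urban_dnat` carries the `in eth0` match, so a zero there means nothing arrived on eth0 during the counting window, and a DNAT rule can only rewrite what reaches its chain. The script below is an added example, not code from Shorewall or from either poster. It parses a `shorewall show nat` dump (iptables `-L -v -n` layout), re-joins rule lines that a mail client wrapped, and for each DNAT rule distinguishes "no packets ever entered this chain" from "packets entered but none matched the proto/port/original destination". The sample dump is reconstructed from the thread; the second sample with 7 packets on the `urban_dnat` jump is constructed to show the other verdict.

```python
"""Per-DNAT-rule verdict from a `shorewall show nat` (iptables -t nat -L -v -n) dump.

Added example for this thread; not Shorewall code and not either poster's code.
"""
import re

# Constructed sample, reconstructed from the thread (all counters zero, lines wrapped by the mailer).
SAMPLE_NAT_OUTPUT = """\
Shorewall 4.4.5.2 NAT Table at locutus - Wed Jan 6 22:01:57 CET 2010

Counters reset Wed Jan 6 22:01:55 CET 2010

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dnat       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 urban_dnat all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      *       192.168.72.0/24      0.0.0.0/0

Chain urban_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            192.168.172.1
udp dpt:137 to:192.168.72.2:137
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            192.168.172.1
udp dpt:138 to:192.168.72.2:138
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.172.1
tcp dpt:139 to:192.168.72.2:139
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.172.1
tcp dpt:445 to:192.168.72.2:445
"""

# Constructed variant: 7 packets entered urban_dnat from eth0, yet no DNAT rule matched.
SAMPLE_TRAFFIC_ARRIVED = SAMPLE_NAT_OUTPUT.replace(
    "    0     0 urban_dnat", "    7   420 urban_dnat")

CHAIN_RE = re.compile(r"^Chain (?P<name>\S+)")
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<proto>\S+)\s+(?P<opt>\S+)\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$")
DPT_RE = re.compile(r"dpt:(\d+)")
TO_RE = re.compile(r"to:(\S+)")


def parse_nat_table(text):
    """Return one dict per rule: chain, counters, target, proto, in, dst, dport, to."""
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group("name")
            continue
        if not line.strip() or line.lstrip().startswith("pkts"):
            continue  # blank line or column header
        m = RULE_RE.match(line)
        if m:
            rules.append({"chain": chain, "pkts": int(m.group("pkts")), "target": m.group("target"),
                          "proto": m.group("proto"), "in": m.group("in"), "dst": m.group("dst"),
                          "extra": m.group("extra").strip()})
        elif rules and chain == rules[-1]["chain"]:
            # a wrapped "udp dpt:137 to:..." tail belongs to the rule just before it
            rules[-1]["extra"] = (rules[-1]["extra"] + " " + line.strip()).strip()
    for r in rules:
        dm, tm = DPT_RE.search(r["extra"]), TO_RE.search(r["extra"])
        r["dport"] = int(dm.group(1)) if dm else None
        r["to"] = tm.group(1) if tm else None
    return rules


def idle_dnat_rules(rules):
    """DNAT rules whose packet counter is still zero: the kernel never rewrote anything with them."""
    return [r for r in rules if r["target"] == "DNAT" and r["pkts"] == 0]


def diagnose(rules):
    """Map (chain, proto, dport) of every DNAT rule to a verdict string."""
    user_chains = {r["chain"] for r in rules}
    entered = {}  # packets that entered a user chain = counter on the rule(s) jumping to it
    for r in rules:
        if r["target"] in user_chains:
            entered[r["target"]] = entered.get(r["target"], 0) + r["pkts"]
    verdicts = {}
    for r in rules:
        if r["target"] != "DNAT":
            continue
        key = (r["chain"], r["proto"], r["dport"])
        if r["pkts"] > 0:
            verdicts[key] = "matched: %d packets rewritten to %s" % (r["pkts"], r["to"])
        elif entered.get(r["chain"], 0) == 0:
            verdicts[key] = "no packets entered chain %s: nothing arrived on the zone interface" % r["chain"]
        else:
            verdicts[key] = ("packets entered %s but none matched: check proto/port and ORIGINAL DEST %s"
                             % (r["chain"], r["dst"]))
    return verdicts


if __name__ == "__main__":
    for label, dump in (("thread dump", SAMPLE_NAT_OUTPUT), ("constructed variant", SAMPLE_TRAFFIC_ARRIVED)):
        print("==", label)
        for key, verdict in diagnose(parse_nat_table(dump)).items():
            print("%s %s/%s: %s" % (key[0], key[1], key[2], verdict))
```

One caveat the dump itself carries: the counters were reset at 22:01:55 and read at 22:01:57, so they only reflect two seconds of traffic. Generate the SMB connection attempt from the "urban" side first, then read the table, or the zero you see proves nothing.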