Shorewall users - Feb 2010 - Problem with internal forwards from masqueraded network

Hello.

I have some port forwards that work good externally. Since I wanted to be
able to use the same domain-name and port combination internally as well
as externally I read through and followed the instructions at
http://shorewall.net/FAQ.htm#faq2. The problem I am having is some of the
forwards work, some don''t. They all work externally. Where would I go
from
here?

My config is as follows:


providers:
knology         1       0x100       main            eth1           
111.222.333.9   track,balance=1    vlan1,vlan2,vlan3
brighthouse     2       0x200       main            eth2           
111.222.333.145   track,balance=2    vlan1,vlan3


rules:
# External Forwards for the matt-matt dev servers
DNAT    net     vlan1:192.168.198.2:22    tcp     40002
DNAT    net     vlan1:192.168.198.2:3690  tcp     3690
DNAT    net     vlan1:192.168.198.2:3690  tcp     43690
DNAT    net     vlan1:192.168.198.3:80    tcp     40080
DNAT    net     vlan1:192.168.198.3:22    tcp     40003
DNAT    net     vlan1:192.168.198.4:22    tcp     40004
DNAT    net     vlan1:192.168.198.5:22    tcp     40005
DNAT    net     vlan1:192.168.198.5:4569  udp     40569
# Internal forwards for Matt Matt craziness
DNAT    vlan1   vlan1:192.168.198.2:3690        tcp     43690   -      
111.222.333.146
DNAT    vlan1   vlan1:192.168.198.2             tcp     3690    -      
111.222.333.146
DNAT    vlan1   vlan1:192.168.198.2:22          tcp     40002   -      
111.222.333.146
DNAT    vlan1   vlan1:192.168.198.3:22          tcp     40003   -      
111.222.333.146
DNAT    vlan1   vlan1:192.168.198.3:80          tcp     40080   -      
111.222.333.146
DNAT    vlan1   vlan1:192.168.198.4:22          tcp     40004   -      
111.222.333.146
DNAT    vlan1   vlan1:192.168.198.5:22          tcp     40005   -      
111.222.333.146
DNAT    vlan1   vlan1:192.168.198.5:4569        udp     40569   -      
111.222.333.146


masq:
eth1    10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16 111.222.333.9
eth2    10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16
111.222.333.146
eth1    111.222.333.146   111.222.333.9
eth2    111.222.333.9    111.222.333.146
# oddball from internal to external to internal masquerade crap
vlan1:192.168.198.2     vlan1   192.168.198.1   tcp     43690
vlan1:192.168.198.2     vlan1   192.168.198.1   tcp     3690
vlan1:192.168.198.2     vlan1   192.168.198.1   tcp     40002
vlan1:192.168.198.3     vlan1   192.168.198.1   tcp     40003
vlan1:192.168.198.3     vlan1   192.168.198.1   tcp     40080
vlan1:192.168.198.4     vlan1   192.168.198.1   tcp     40004
vlan1:192.168.198.5     vlan1   192.168.198.1   tcp     40005
vlan1:192.168.198.5     vlan1   192.168.198.1   udp     40569


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

Hello.

I have some port forwards that work good externally. Since I wanted to be
able to use the same domain-name and port combination internally as well
as externally I read through and followed the instructions at
http://shorewall.net/FAQ.htm#faq2. The problem I am having is some of the
forwards work, some don''t. They all work externally. Where would I go
from
here?

My config is as follows:


providers:
knology         1       0x100       main            eth1           
111.222.333.9   track,balance=1    vlan1,vlan2,vlan3
brighthouse     2       0x200       main            eth2           
111.222.333.145   track,balance=2    vlan1,vlan3


rules:
# External Forwards for the matt-matt dev servers
DNAT    net     vlan1:192.168.198.2:22    tcp     40002
DNAT    net     vlan1:192.168.198.2:3690  tcp     3690
DNAT    net     vlan1:192.168.198.2:3690  tcp     43690
DNAT    net     vlan1:192.168.198.3:80    tcp     40080
DNAT    net     vlan1:192.168.198.3:22    tcp     40003
DNAT    net     vlan1:192.168.198.4:22    tcp     40004
DNAT    net     vlan1:192.168.198.5:22    tcp     40005
DNAT    net     vlan1:192.168.198.5:4569  udp     40569
# Internal forwards for Matt Matt craziness
DNAT    vlan1   vlan1:192.168.198.2:3690        tcp     43690   -      
111.222.333.146
DNAT    vlan1   vlan1:192.168.198.2             tcp     3690    -      
111.222.333.146
DNAT    vlan1   vlan1:192.168.198.2:22          tcp     40002   -      
111.222.333.146
DNAT    vlan1   vlan1:192.168.198.3:22          tcp     40003   -      
111.222.333.146
DNAT    vlan1   vlan1:192.168.198.3:80          tcp     40080   -      
111.222.333.146
DNAT    vlan1   vlan1:192.168.198.4:22          tcp     40004   -      
111.222.333.146
DNAT    vlan1   vlan1:192.168.198.5:22          tcp     40005   -      
111.222.333.146
DNAT    vlan1   vlan1:192.168.198.5:4569        udp     40569   -      
111.222.333.146


masq:
eth1    10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16
111.222.333.9 eth2   
10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16
111.222.333.146
eth1    111.222.333.146   111.222.333.9
eth2    111.222.333.9    111.222.333.146
# oddball from internal to external to internal masquerade crap
vlan1:192.168.198.2     vlan1   192.168.198.1   tcp     43690
vlan1:192.168.198.2     vlan1   192.168.198.1   tcp     3690
vlan1:192.168.198.2     vlan1   192.168.198.1   tcp     40002
vlan1:192.168.198.3     vlan1   192.168.198.1   tcp     40003
vlan1:192.168.198.3     vlan1   192.168.198.1   tcp     40080
vlan1:192.168.198.4     vlan1   192.168.198.1   tcp     40004
vlan1:192.168.198.5     vlan1   192.168.198.1   tcp     40005
vlan1:192.168.198.5     vlan1   192.168.198.1   udp     40569




------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

jamesp@vicidial.com wrote:
> The problem I am having is some of the forwards work, some don''t.
> Where would I go from here?
> 
> My config is as follows:
> 
From http://www.shorewall.net/support.htm:

	Please do not include Shorewall configuration files unless you
	have been specifically asked to do so. The output of shorewall
	dump collected as described above is much more useful.

Only think I can think of is that you are trying to forward ports that
are normally in the local range (cat
/proc/sys/net/ipv4/ip_local_port_range) which might cause intermittent
failure if the port was already in use.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev