Olivier Bourdon
2010-May-06 13:50 UTC
DNAT configuration issue on single interface machine
Hello folks
I have a DNAT configuration issue that I would like to submit to your
experience to see why it is not working
here is my network layout
int-machine (INT-NET.IP1) ----- (INT-NET.IP2) int-FW (DMZ-NET.IP2) --------------- (DMZ-NET.IP3) dmz-machine
                                                                          |
                                                                    (DMZ-NET.IP1)
                                                                       ext-FW
                                                                          |
                                                                       internet
                                                                          |
                                                                   client public IP
dmz-machine has a public address accessible from my client public IP
What I am trying to achieve is to redirect all incoming traffic on
dmz-machine:port1 to int-machine:port1
and dmz-machine is running shorewall+ulogd for that matter and for external
security issues
Note that the dmz-machine is mono-interfaced, which might be the cause of
my problem, but you'll tell me
I do not own the Firewalls (int-FW and ext-FW) but rules have been
configured properly as:
- incoming traffic from client to dmz-machine on port1 is running because
telnet dmz-machine port1 + tcpdump + shorewall ulog tail -f show
proper traces and
nc -l DMZ-NET.IP3 port1 running on dmz-machine receives the packets
from my telnet connection
- incoming traffic from dmz-machine to int-machine on port1 is running
because
telnet DMZ-NET.IP2 port1 + tcpdump + shorewall ulog tail -f show
proper traces and
nc -l INT-NET.IP1 port1 running on int-machine receives the packets
from my telnet connection
the rules I wrote in /etc/shorewall/rules are
ACCEPT     net:client-public-IP   net:DMZ-NET.IP2         tcp   port1
DNAT:ULOG  net:client-public-IP   net:DMZ-NET.IP2:port1   tcp   port1   -   DMZ-NET.IP3
in the /var/log/ulogd/ulogd.syslogemu I can see
May 6 14:45:27 factory Shorewall:net_dnat:DNAT: IN=eth0 OUT= MAC=.... SRC=client-public-IP DST=DMZ-NET.IP3 LEN=60 TOS=00 PREC=0x00 TTL=51 ID=64859 CE DF PROTO=TCP SPT=45343 DPT=port1 SEQ=3031743659 ACK=0 WINDOW=5840 SYN URGP=0
but no other messages can be seen
Note that I had not put the accept rule in the 1st place and got
May 6 15:41:15 factory Shorewall:FORWARD:REJECT: IN=eth0 OUT=eth0 MAC=.... SRC=client-public-IP DST=DMZ-NET.IP2 LEN=60 TOS=00 PREC=0x00 TTL=50 ID=24825 DF PROTO=TCP SPT=56811 DPT=port1 SEQ=3334722914 ACK=0 WINDOW=5840 SYN URGP=0
therefore the rule seems to remove these traces
the packet never makes it to int-machine (empty tcpdump output)
tcpdump on dmz-machine only shows incoming traffic and no other traffic
not even on lo interface :-(
zones shorewall cfg file
#ZONE   TYPE       OPTIONS    IN         OUT
#                             OPTIONS    OPTIONS
fw      firewall
net     ipv4
interfaces shorewall cfg file
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,logmartians,nosmurfs
policy shorewall cfg file
#SOURCE   DEST   POLICY   LOG     LIMIT:   CONNLIMIT:
#                         LEVEL   BURST    MASK
$FW       net    ACCEPT
net       $FW    DROP     ULOG
net       all    DROP     ULOG
# The FOLLOWING POLICY MUST BE LAST
all       all    REJECT   ULOG
nat & hosts shorewall cfg files are empty
I also tried to use the info provided in
http://www.shorewall.net/manpages/shorewall-nesting.html
but this led to the same behaviour
I also tried sysctl -w net.ipv4.ip_forward=1 without any more success
Does someone have a clue on what is wrong or if it is possible at all
Thanks
------------------------------------------------------------------------------
On 05/06/2010 06:50 AM, Olivier Bourdon wrote:
>
> I do not own the Firewalls (int-FW and ext-FW) but rules have been
> configured properly as:
>
> the packet never makes it to int-machine (empty tcpdump output)
> tcpdump on dmz-machine only shows incoming traffic and no other traffic
> not even on lo interface :-(
>
> Does someone have a clue on what is wrong or if it is possible at all
>

For this to work:

a) int-FW must accept port1 traffic from dmz-machine -> int-machine; and
b) You must apply the miserable hack in Shorewall FAQ 1g on dmz-machine
   (where that FAQ refers to 'public address', just use the address of the
   machine's only NIC).

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
------------------------------------------------------------------------------
Olivier Bourdon
2010-May-07 15:26 UTC
Re: DNAT configuration issue on single interface machine
Tom Eastep <teastep <at> shorewall.net> writes:
> On 05/06/2010 06:50 AM, Olivier Bourdon wrote:
> >
> > I do not own the Firewalls (int-FW and ext-FW) but rules have been
> > configured properly as:
> >
> > the packet never makes it to int-machine (empty tcpdump output)
> > tcpdump on dmz-machine only shows incoming traffic and no other traffic
> > not even on lo interface
> >
> > Does someone have a clue on what is wrong or if it is possible at all
> >
>
> For this to work:
>
> a) int-FW must accept port1 traffic from dmz-machine -> int-machine; and
> b) You must apply the miserable hack in Shorewall FAQ 1g on dmz-machine
>    (where that FAQ refers to 'public address', just use the address of the
>    machine's only NIC).
>
> -Tom

Thanks a million Tom, it works like a charm, but after restarting shorewall I
had to relaunch the forwarding command sysctl -w net.ipv4.ip_forward=1 to make
it work, and therefore changed the IP_FORWARDING option to On in shorewall.conf
Thanks again for your help
------------------------------------------------------------------------------
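Tom's point (b) is the single-NIC return-path problem: int-machine's default route goes back out through int-FW, so its replies never pass dmz-machine and the DNAT is never undone. The Python model below is an added example, not code from the thread or from Shorewall; it assumes forwarding is already enabled (the IP_FORWARDING fix from the last message), uses the thread's placeholder addresses, and lets 1234 stand in for port1.

```python
from typing import NamedTuple

class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

# Constructed placeholders for the thread's hosts; 1234 stands in for port1.
CLIENT, DMZ3, INT1, PORT = "client-public-IP", "DMZ-NET.IP3", "INT-NET.IP1", 1234

def dmz_nat(pkt, ct, snat):
    """What dmz-machine does to an inbound SYN: the DNAT from the rules file,
    plus (when snat=True) the FAQ 1g style hack of rewriting the source to its
    own NIC address. Conntrack is keyed on the tuple a reply would carry."""
    fwd = pkt._replace(dst=INT1)
    if snat:
        fwd = fwd._replace(src=DMZ3)
    ct[(fwd.dst, fwd.dport, fwd.src, fwd.sport)] = pkt
    return fwd

def int_machine_reply(pkt):
    """int-machine answers whichever address the SYN claimed to come from."""
    return Pkt(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def route_reply(reply, ct):
    """int-machine's default route is via int-FW, so only a reply addressed to
    dmz-machine itself comes back through its conntrack table and is un-NATed;
    a reply addressed straight to the client leaves via int-FW/ext-FW untouched."""
    if reply.dst == DMZ3:
        orig = ct[(reply.src, reply.sport, reply.dst, reply.dport)]
        return "via dmz-machine", Pkt(orig.dst, orig.dport, orig.src, orig.sport)
    return "bypasses dmz-machine", reply

def simulate(snat):
    """Trace one SYN and its SYN-ACK; report what the client finally sees."""
    ct = {}
    syn = Pkt(CLIENT, 45343, DMZ3, PORT)          # SPT=45343 as in the ulogd line
    path, seen = route_reply(int_machine_reply(dmz_nat(syn, ct, snat)), ct)
    # The client's socket only matches a SYN-ACK from the address:port it dialled.
    accepted = (seen.src, seen.sport, seen.dst) == (DMZ3, PORT, CLIENT)
    return {"path": path, "reply_from": (seen.src, seen.sport), "accepted": accepted}

if __name__ == "__main__":
    for snat in (False, True):
        print("SNAT hack" if snat else "DNAT only", simulate(snat))
```

With DNAT alone the SYN-ACK reaches the client from INT-NET.IP1, which is exactly why tcpdump on dmz-machine shows nothing leaving; with the source rewrite the reply is forced back through dmz-machine and both translations are reversed.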