Ok, after spending the requisite hours swearing and bashing about, I
give up.
All I am trying to do are some (presumably) simple DNAT rules. I have a
fairly typical two NIC setup.
I have an admin zone, a net zone, a local zone, and a firewall. I want
to do two things:
1. Port forward 443 and 80 (amongst other ports) to a local machine
behind the firewall.
2. Redirect and port forward external port 2222 to port 22 on a local
machine behind the firewall and leave port 22 accepted into the firewall
itself. The port 22 into the firewall is working fine.
The Shorewall site and mailing list are absolutely rife with
documentation on how to do this, yet I cannot see where I am erring.
The syslog shows Shorewall letting traffic in as desired. The problem is
that nothing ever comes back out. Let's focus on my SSH rule at the
moment. It is:
DNAT:info net loc:10.0.50.50:22 tcp 2222
When I attempt to connect, the client side times out and the firewall log
shows:
Mar 16 11:56:12 server root: Shorewall Restarted
Mar 16 11:56:17 server kernel: [18057936.908000] Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=00:11:95:c5:0b:83:00:90:1a:40:90:4d:08:00 SRC=161.184.172.35 DST=137.186.135.69 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=6429 DF PROTO=TCP SPT=58075 DPT=2222 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 11:56:17 server kernel: [18057936.908000] Shorewall:admin2loc:ACCEPT:IN=eth0 OUT=eth1 SRC=161.184.172.35 DST=10.0.50.50 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=6429 DF PROTO=TCP SPT=58075 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 11:56:20 server kernel: [18057939.908000] Shorewall:admin2loc:ACCEPT:IN=eth0 OUT=eth1 SRC=161.184.172.35 DST=10.0.50.50 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=6430 DF PROTO=TCP SPT=58075 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 11:56:26 server kernel: [18057945.908000] Shorewall:admin2loc:ACCEPT:IN=eth0 OUT=eth1 SRC=161.184.172.35 DST=10.0.50.50 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=6431 DF PROTO=TCP SPT=58075 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
C=0x00 TTL=59 ID=37621 DF PROTO=TCP SPT=49739 DPT=22 WINDOW=5840
RES=0x00 SYN URGP=0
Some info:
[EMAIL PROTECTED]:/etc/shorewall# shorewall version
3.0.4
-----
[EMAIL PROTECTED]:/etc/shorewall# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:13:d4:b1:6c:ff brd ff:ff:ff:ff:ff:ff
inet 10.0.50.10/24 brd 10.0.50.255 scope global eth1
inet6 fe80::213:d4ff:feb1:6cff/64 scope link
valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:11:95:c5:0b:83 brd ff:ff:ff:ff:ff:ff
inet 137.186.135.69/22 brd 137.186.135.255 scope global eth0
inet6 fe80::211:95ff:fec5:b83/64 scope link
valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
----
[EMAIL PROTECTED]:/etc/shorewall# ip route show
10.0.50.0/24 dev eth1 proto kernel scope link src 10.0.50.10
137.186.132.0/22 dev eth0 proto kernel scope link src 137.186.135.69
default via 137.186.132.1 dev eth0
Any and all help is appreciated.
Thanks!
Jon
--
Key fingerprint: BDE0 DE52 B8C0 0CDF 7653 E5A2 D861 7877 0D3B 813E
http://www.jonwatson.ca
+1.403.770.2837
"Trying to learn to hack on a DOS or Windows machine or under MacOS is
like trying to learn to dance while wearing a body cast" - ESR
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
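The log excerpt in the post already contains the diagnosis, if you read the records as one flow rather than as four separate lines: a `DNAT` hit on the `net_dnat` chain rewriting `137.186.135.69:2222` to `10.0.50.50:22`, followed by three `ACCEPT` records on `admin2loc` for the same client source port `58075` leaving on `eth1`, spaced 3 s and then 6 s apart with incrementing IP IDs. That spacing is the client's TCP SYN retransmission schedule, so the firewall is translating and forwarding every SYN and the client simply never receives a SYN-ACK. The script below is an added example (not code from the post, from Shorewall, or from any reply to it) that parses Shorewall's netfilter log format, groups records by client `SRC`/`SPT`, pairs each `DNAT` record with the forwarded packets that follow it, and flags SYN retransmission. The sample log is constructed by joining the post's wrapped log lines back into single lines; the function and field names are this example's own.

```python
"""Follow a DNAT'd flow through Shorewall/netfilter kernel log lines.

Added example: parses the "Shorewall:<chain>:<disposition>:key=value ..."
format, groups records per client (SRC, SPT, PROTO), and reports whether the
forwarded SYNs are being retransmitted (i.e. no SYN-ACK ever came back).
"""
import re
from collections import defaultdict

# Constructed sample: the post's log records with the e-mail line wrapping undone.
SAMPLE_LOG = """\
Mar 16 11:56:17 server kernel: [18057936.908000] Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=00:11:95:c5:0b:83:00:90:1a:40:90:4d:08:00 SRC=161.184.172.35 DST=137.186.135.69 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=6429 DF PROTO=TCP SPT=58075 DPT=2222 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 11:56:17 server kernel: [18057936.908000] Shorewall:admin2loc:ACCEPT:IN=eth0 OUT=eth1 SRC=161.184.172.35 DST=10.0.50.50 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=6429 DF PROTO=TCP SPT=58075 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 11:56:20 server kernel: [18057939.908000] Shorewall:admin2loc:ACCEPT:IN=eth0 OUT=eth1 SRC=161.184.172.35 DST=10.0.50.50 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=6430 DF PROTO=TCP SPT=58075 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 11:56:26 server kernel: [18057945.908000] Shorewall:admin2loc:ACCEPT:IN=eth0 OUT=eth1 SRC=161.184.172.35 DST=10.0.50.50 LEN=60 TOS=0x00 PREC=0x00 TTL=59 ID=6431 DF PROTO=TCP SPT=58075 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, kernel uptime stamp, then Shorewall's chain:disposition prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[\s*(?P<uptime>[\d.]+)\] "
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one Shorewall log record, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "ts": m["ts"],
        "uptime": float(m["uptime"]),
        "chain": m["chain"],
        "disp": m["disp"],
        "flags": set(),
    }
    for tok in m["rest"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)  # "OUT=" yields an empty string, which is meaningful
            rec[key] = val
        else:
            rec["flags"].add(tok)  # bare tokens are IP/TCP flags: DF, SYN, ACK, ...
    return rec


def summarize_flows(log_text):
    """Group records per client (SRC, SPT, PROTO) and describe what happened to each flow."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            flows[(rec["SRC"], rec["SPT"], rec["PROTO"])].append(rec)

    summaries = []
    for (src, spt, proto), recs in flows.items():
        dnat = [r for r in recs if r["disp"] == "DNAT"]
        # Forwarded packets have a non-empty OUT interface; locally delivered ones do not.
        fwd = [r for r in recs if r["disp"] == "ACCEPT" and r["OUT"]]
        syns = [r for r in fwd if "SYN" in r["flags"] and "ACK" not in r["flags"]]
        gaps = [round(b["uptime"] - a["uptime"], 3) for a, b in zip(syns, syns[1:])]
        summaries.append({
            "client": f"{src}:{spt}/{proto}",
            "original_dst": f"{dnat[0]['DST']}:{dnat[0]['DPT']}" if dnat else None,
            "translated_dst": f"{fwd[0]['DST']}:{fwd[0]['DPT']}" if fwd else None,
            "out_iface": fwd[0]["OUT"] if fwd else None,
            "syn_count": len(syns),
            "ip_ids": [r["ID"] for r in syns],
            "retransmit_gaps": gaps,
            # More than one bare SYN from the same source port means the client is
            # retransmitting: the firewall forwarded it, but no SYN-ACK came back.
            "syn_retransmitting": len(syns) > 1,
        })
    return summaries


if __name__ == "__main__":
    for s in summarize_flows(SAMPLE_LOG):
        print(f"{s['client']} -> {s['original_dst']} DNAT'd to {s['translated_dst']} via {s['out_iface']}")
        print(f"  SYNs forwarded: {s['syn_count']} (IP IDs {s['ip_ids']}), gaps {s['retransmit_gaps']} s")
        if s["syn_retransmitting"]:
            print("  client is retransmitting SYN: forward path OK, return path never answered")
```

Run against the constructed sample the report shows one flow, translated to `10.0.50.50:22` on `eth1`, three forwarded SYNs with gaps of 3.0 and 6.0 seconds. That tells you the rules file and the DNAT translation are doing their job; the remaining question is whether `10.0.50.50` can route replies back through the firewall (`10.0.50.10`) at all, which this log cannot show because Shorewall only logs the packets that match a logged rule, not the absence of a reply.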