Hello, I'm having some very odd problems with dnat, and after digging for quite some time I can't come up with an answer. As requested on the support page, I will be sending a shorewall dump to [EMAIL PROTECTED] It probably makes it tougher, but I prefer not to post my filter configs for the world.
The problem is as follows: I have multiple zones, each with a single interface. Two are internet-facing. I am dnatting from one of those to a zone "loc." I have a rule that says dnat from all zones to loc:10.24.101.103 when the original destination is 69.129.249.241 (a public IP of mine in the tds01 zone) udp port 2301. The rule works as expected for traffic arriving on all interfaces except the tds01 zone (the public facing zone with the dnat IP). tcpdump shows the traffic coming in on tds01, and nothing going out on the loc zone. The counter for the rule in tds01_dnat is incremented, and the associated rule in tds012loc does not get incremented. It sounds like a routing issue, but the routing tables are correct, and traffic can pass through each of them to 10.24.101.103 and out the right interface (eth7 a.k.a. "loc").

The accompanying dump was performed after clearing the counters and attempting connections from the zones $FW (this originates as 69.129.249.241 when trying the dnat), ndev (10.99.55.146), mnet (10.24.99.250), loc itself (10.24.101.103 - just making sure it didn't work like normal) and tds01 (64.73.12.253). As I said, the only traffic that doesn't work is traffic from the internet (tds01). I have noticed that the connections coming in via tds01 are never going into connection tracking even though the dnat rule is hit. dropInvalid doesn't seem to be where the traffic disappears based on watching the dropInvalid counter and sending packets from the internet to the dnat address.

I have many dnat rules to zones which aren't "loc" (including rules on the same public IP), all of which work correctly. I have tried a dnat from tds02 -> loc:10.24.101.103 and that works fine. I've tried other IPs on tds01 -> loc and that fails. It seems to be only tds01 -> loc (dnat) traffic which disappears. I realize this may not be the best problem description. It will be difficult to understand without the dump; I'm not sure where the [EMAIL PROTECTED] address goes.
Ask questions if I wasn't clear enough. Many thanks in advance. -Brad

_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
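The check the poster did by hand (the DNAT rule in the nat table increments, the matching zone-to-zone ACCEPT rule in the filter table does not) can be scripted against `iptables -t nat -xnvL` and `iptables -xnvL` output taken after zeroing the counters. The following is an added example, not code from the post or from Shorewall: it parses counter listings and reports every hit `<zone>_dnat` rule whose translated destination and port never reached a `<zone>2<dest>` filter rule. The chain names `tds01_dnat`, `tds012loc` and the addresses are taken from the post; the counter listings themselves are constructed, not the poster's dump, and the `mnet` chains are made-up healthy controls.

```python
"""Flag DNAT rules whose packets are counted in the nat table but never
reach the corresponding zone-to-zone ACCEPT rule in the filter table."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `iptables -t nat -xnvL` output taken
# after `iptables -t nat -Z`; the tds01 rule shows the symptom from the post.
NAT_DUMP = """\
Chain tds01_dnat (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       5        300 DNAT       udp  --  *      *       0.0.0.0/0            69.129.249.241       udp dpt:2301 to:10.24.101.103
Chain mnet_dnat (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       4        240 DNAT       udp  --  *      *       0.0.0.0/0            69.129.249.241       udp dpt:2301 to:10.24.101.103
"""

# Constructed sample in the shape of `iptables -xnvL` output after `iptables -Z`.
FILTER_DUMP = """\
Chain tds012loc (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.24.101.103        udp dpt:2301
Chain mnet2loc (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       4        240 ACCEPT     udp  --  *      *       0.0.0.0/0            10.24.101.103        udp dpt:2301
"""

CHAIN_RE = re.compile(r"^Chain (\S+) ")
# Rule rows: pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$"
)


def parse_counters(text: str) -> Dict[str, List[dict]]:
    """Return {chain name: [rule, ...]} with the fields needed for matching."""
    chains: Dict[str, List[dict]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        m = RULE_RE.match(line)
        if m is None or current is None:
            continue  # column header or blank line
        pkts, _bytes, target, prot, _opt, _in, _out, src, dst, extra = m.groups()
        dpt = re.search(r"dpt:(\d+)", extra)
        to = re.search(r"to:(\S+)", extra)
        chains[current].append({
            "pkts": int(pkts), "target": target, "prot": prot,
            "src": src, "dst": dst,
            "dpt": dpt.group(1) if dpt else None,
            # DNAT target is "to:IP" or "to:IP:port"; keep only the address
            "to": to.group(1).split(":")[0] if to else None,
        })
    return chains


def dnat_without_forward(nat: Dict[str, List[dict]],
                         filt: Dict[str, List[dict]]) -> List[Tuple[str, str, int, int]]:
    """For each DNAT rule with a non-zero counter in a <zone>_dnat chain, find the
    <zone>2<dest> filter rule accepting the translated flow and report it when it
    counted fewer packets than the nat rule did."""
    findings: List[Tuple[str, str, int, int]] = []
    for chain, rules in nat.items():
        if not chain.endswith("_dnat"):
            continue
        zone = chain[: -len("_dnat")]
        for r in rules:
            if r["target"] != "DNAT" or r["pkts"] == 0 or r["to"] is None:
                continue
            for fchain, frules in filt.items():
                if not fchain.startswith(zone + "2"):
                    continue
                for fr in frules:
                    same_flow = (fr["prot"] == r["prot"] and fr["dst"] == r["to"]
                                 and fr["dpt"] == r["dpt"])
                    if same_flow and fr["pkts"] < r["pkts"]:
                        findings.append((chain, fchain, r["pkts"], fr["pkts"]))
    return findings


def check_dump(nat_text: str, filter_text: str) -> List[Tuple[str, str, int, int]]:
    return dnat_without_forward(parse_counters(nat_text), parse_counters(filter_text))


if __name__ == "__main__":
    for nat_chain, fwd_chain, nat_pkts, fwd_pkts in check_dump(NAT_DUMP, FILTER_DUMP):
        print(f"{nat_chain}: {nat_pkts} DNAT hits but {fwd_chain} accepted {fwd_pkts}")
```

Zero the counters first (`iptables -Z` and `iptables -t nat -Z`), reproduce the connection attempt from each zone, then feed the two listings to `check_dump`. A DNAT hit with no forward hit narrows the loss to what sits between the nat PREROUTING hook and the FORWARD chain: routing of the translated destination, reverse-path filtering on the ingress interface, or a conntrack state the packet never acquires, which is the symptom the post reports for tds01.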
