At 09:36 AM 9/16/2003 -0700, Matt Schalit wrote:

I had to subscribe to leaf-user for this one,

A fate worse than death? Surely not. Welcome back, Matt.


As to your problem (described below) ... remember that in iptables (unlike the older ipchains), prerouting happens first, so the forward rule you describe rewrites packets with (for example) DEST 63.194.213.179:6881 to DEST 10.2.3.4:6881 . This happens *before* the packet hits the more general iptables rulesets (including the one that triggers the DENY, or maybe REJECT, that gets logged). This answers your #1 and #4 below; Tom's separate answer has addressed your #2 and #3 better than I ever can.

The question you should focus on now is why Shorewall is blocking traffic to 10.2.3.4, if that is a legit address on your LAN. It suggests to me a misconfiguration of Shorewall. Figuring that part out requires knowing the details of your LAN setup, but perhaps with the help of Tom's comments on Shorewall details, you'll be able to work that detail out. If not, tell us more ... you know the routine.

which maybe I don't
understand because shorewall doesn't log every piece of information?
I don't know, but here's the log entry and the details:

Sep 16 09:12:31 hub kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1
SRC=82.82.76.144 DST=10.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=29083
DF PROTO=TCP SPT=4535 DPT=6885 WINDOW=30370 RES=0x00 SYN URGP=0


Details:
==========
  *  I'm running BitTorrent, a p2p downloading application

  *  ports 6881-6889 are opened to new inbound connections
     and forwarded to 10.2.3.4.

  *  My ip is 63.194.213.179

  *  Proper BT traffic would be DST=63.194.213.179 6881:6889 SYN
     and of course responses to that from me.


I can't for the life of me figure out how this traffic gets here. I mean it's a SYN for Pete's sake. Unless it was specifically routed purely with MAC addresses, it makes no sense.

Questions:
===========
  1)  How on earth is traffic destined for 10.2.3.4 getting all
      the way from 82.82.76.144 to me, i.e. How is it passing
      through so many internet routers to me?  There should be
      no route.  My ISP has no idea that I use 10.2.3.4 in a NAT
      setup.

  2)  Does shorewall not tell me if there is MAC addressing involved?

  3) And if it was routed using MAC addresses only (which is the way
     the net works, correct?) then why doesn't Shorewall give me the
     MAC skinny?

  4) And who has 10.2.3.4 in their ARP cache besides Bering.  You can't
     tell me that 10.2.3.4 is ARP all the way through the internet to me?
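To make the ordering point in the reply concrete, here is an added Python model of how a forwarded packet traverses netfilter; it is example code written for this page, not anything from the thread, Shorewall or iptables. It assumes the addresses and port range Matt gives (public 63.194.213.179, LAN host 10.2.3.4, ports 6881-6889) and models only two stages: the PREROUTING DNAT rule and a later filter-stage rule that drops and logs packets whose destination falls in RFC 1918 space. Because DNAT runs first, the filter stage (and therefore the log) sees DST=10.2.3.4 even though the packet arrived on the wire addressed to the public IP.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed values taken from the thread: the router's public address,
# the LAN host the BitTorrent ports are forwarded to, and the port range.
PUBLIC_IP = "63.194.213.179"
LAN_HOST = "10.2.3.4"
BT_PORTS = range(6881, 6890)          # 6881-6889 inclusive

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True


def nat_prerouting(pkt):
    """Model of the DNAT port-forward: new inbound connections to the
    BitTorrent ports on the public address are rewritten to the LAN host.
    This hook runs before any filter rule sees the packet."""
    if pkt.dst == PUBLIC_IP and pkt.dport in BT_PORTS:
        return replace(pkt, dst=LAN_HOST)
    return pkt


def rfc1918_filter(pkt, in_if="eth0", out_if="eth1"):
    """Model of a filter-stage rule that drops and logs a packet whose
    destination is private (RFC 1918) space.  Real Shorewall/iptables
    logging prints more fields; this reproduces only the ones needed
    to show which destination address gets logged."""
    if any(ipaddress.ip_address(pkt.dst) in net for net in RFC1918):
        log = (f"Shorewall:rfc1918:DROP:IN={in_if} OUT={out_if} "
               f"SRC={pkt.src} DST={pkt.dst} PROTO=TCP "
               f"SPT={pkt.sport} DPT={pkt.dport}" + (" SYN" if pkt.syn else ""))
        return "DROP", log
    return "ACCEPT", None


def traverse(wire_pkt):
    """Run the packet through the hooks in netfilter order:
    PREROUTING (nat) first, then the forwarding filter stage.
    Returns (packet as seen on the wire, packet after DNAT, verdict, log line)."""
    after_nat = nat_prerouting(wire_pkt)
    verdict, log = rfc1918_filter(after_nat)
    return wire_pkt, after_nat, verdict, log


if __name__ == "__main__":
    # Constructed peer connection modelled on the log entry in the thread:
    # a SYN from 82.82.76.144:4535 to the public address on port 6885.
    wire, natted, verdict, log = traverse(Packet("82.82.76.144", 4535, PUBLIC_IP, 6885))
    print(f"on the wire : DST={wire.dst}:{wire.dport}")
    print(f"after DNAT  : DST={natted.dst}:{natted.dport}")
    print(f"verdict     : {verdict}")
    print(f"logged      : {log}")
```

The log line never contains the public address: by the time the filter rule runs, the destination has already been rewritten, which is why the kernel message shows DST=10.2.3.4 rather than the address the remote peer actually sent the SYN to. A packet to a port outside the forwarded range is left untouched by the model's DNAT step and is not caught by the RFC 1918 check.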
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html