Hi. I have a Debian Etch (4.0) server with Shorewall 3.2.6 / iptables 1.3.6.
/etc/network/interfaces:

iface eth0 inet static
    address 10.0.100.5
    netmask 255.255.255.0
    gateway 10.0.100.1
    dns-nameservers 151.99.125.2
auto eth0

iface eth0:1 inet static
    address 13.0.0.2
    netmask 255.255.255.0
auto eth0:1

As you can see I have a single network card with 1 main IP (10.0.100.5) and an alias (13.0.0.2). This was done because I had to set up racoon / ipsec-tools for an IPSEC VPN tunnel and the 13.0.0.x/24 class was forced by the other side's sysadmin. Still, the tunnel works fine (I can ping a remote host 10.11.100.24 successfully). I manually had to set up a route to route all packets to 10.100.11.24 through the 13.0.0.2 interface (alias). I read that (eventually) I should put some entry in the /etc/shorewall/masq file. Still, I have not grasped what I should really enter in that conf file. Any hint (if positive)? Now, this is my problem: I would like to FORWARD all incoming connections to TCP 3030 to the remote 10.100.11.24, hence through the IPSEC tunnel. I have read the whole Shorewall FAQ and MASQ, but no luck.
Here follow my routing table and shorewall confs (IP_FORWARDING is enabled in shorewall.conf).

sys05:/etc/shorewall# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.100.11.24    13.0.0.2        255.255.255.255 UGH   0      0        0 eth0
10.0.100.0      *               255.255.255.0   U     0      0        0 eth0
13.0.0.0        *               255.255.255.0   U     0      0        0 eth0
default         10.0.100.1      0.0.0.0         UG    0      0        0 eth0

/etc/shorewall/interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
fw      firewall
net     eth0            detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/zones
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4

/etc/shorewall/policy
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
fw      net     ACCEPT
net     fw      DROP    info
all     all     REJECT  info

/etc/shorewall/rules
#ACTION SOURCE          DEST            PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
#                                               PORT(S) PORT(S) DEST            LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#DNAT   net             net:13.0.0.2    tcp     3030
ACCEPT  net:10.0.100.0/24 fw            icmp
ACCEPT  net             fw              tcp     http
ACCEPT  net             fw              tcp     1723
ACCEPT  net             fw              tcp     isakmp
ACCEPT  net             fw              udp     500
ACCEPT  net:10.0.100.3  fw              tcp     ssh
DNAT    net             net:13.0.0.2    tcp     3030

Thank you
Andrea Fastame
DAXO - Italy
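As an added example (not part of the original post), a small Python audit that parses the /etc/shorewall/rules file quoted above and reports DNAT rules whose target is one of the firewall's own addresses; the local address set is taken from the interfaces file in the post, and the helper names are my own.

```python
"""Audit a Shorewall rules file for DNAT rules whose target is one of the
firewall's own addresses (hypothetical helper, not part of Shorewall)."""
from ipaddress import ip_address

# Firewall addresses, taken from the interfaces file quoted in the post.
LOCAL_ADDRESSES = {"10.0.100.5", "13.0.0.2"}

# The /etc/shorewall/rules file as posted (comment header abridged), as sample input.
RULES_FILE = """\
#ACTION SOURCE          DEST            PROTO   DEST PORT(S)
SECTION NEW
#DNAT   net             net:13.0.0.2    tcp     3030
ACCEPT  net:10.0.100.0/24 fw            icmp
ACCEPT  net             fw              tcp     http
ACCEPT  net             fw              tcp     1723
ACCEPT  net             fw              tcp     isakmp
ACCEPT  net             fw              udp     500
ACCEPT  net:10.0.100.3  fw              tcp     ssh
DNAT    net             net:13.0.0.2    tcp     3030
"""

def parse_rules(text):
    """Return (action, source, dest, proto, dport) for each active rule;
    comments, blank lines and SECTION markers are skipped and columns
    after DEST PORT(S) are ignored for this check."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("SECTION"):
            continue
        cols = line.split()
        cols += ["-"] * (5 - len(cols))   # pad short rows to five columns
        rules.append(tuple(cols[:5]))
    return rules

def dest_address(dest):
    """Host address in a DEST column such as 'net:13.0.0.2'; None when the
    column names only a zone, or a network/range rather than one host."""
    if ":" not in dest:
        return None
    try:
        return str(ip_address(dest.split(":", 1)[1]))
    except ValueError:
        return None

def dnat_to_self(rules, local=LOCAL_ADDRESSES):
    """DNAT rules whose target is an address of the firewall itself: such a
    rule redirects the traffic to the local box rather than a remote host."""
    return [r for r in rules
            if r[0] == "DNAT" and dest_address(r[2]) in local]
```

Running `dnat_to_self(parse_rules(RULES_FILE))` on the posted file flags the single active DNAT line, since 13.0.0.2 is the eth0:1 alias of the firewall itself.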