This looks ok. 

I suggest you make a quick try with

(policy file)

loc     net     ACCEPT

If you still cannot access the internet by telnet, something with your
routing is wrong or you have conflicts in your policy or rules file.
To check this I think a shorewall dump is needed. But if this were true,
you should maybe see something in your messages. A tcpdump output could help
as well.

Routing seems to be ok if you still have 

But if this is the kernel route command, I am missing the netmask parameter. I don't
know anything about your distribution, but to add routes there should
always be a netmask parameter. Try to trace the internet IP

> route add 9.8.7.6 gw 192.168.8.1
> route add 5.4.3.2 gw 192.168.8.1



Cheers
Mike



-----Original Message-----
From: sangprabv [mailto:sangpr...@gmail.com]
Sent: Friday, 5 February 2010 17:23
To: Shorewall Users
Subject: Re: [Shorewall-users] DNAT Problem

Thanks for the reply, I have this setting in 
/etc/shorewall/masq:
eth0    eth1

eth0 is the public IP, while eth1 is the private network

I have tried your solution but it doesn't work either.




sangprabv
sangpr...@gmail.com


On Feb 5, 2010, at 3:51 PM, Michael Weickel - iQom Business Services GmbH
wrote:

> 
> If you want to let your local machines access the internet by telnet, then
> DNAT is the wrong choice. DNAT is for access from the internet to local
> machines.
> 
> You should try something like (rules file)
> 
> ACCEPT        loc:192.168.8.37        net:5.4.3.2     tcp     55000
> 
> If you have the policy
> 
> ACCEPT loc    net
> 
> the rule will be useless.
> 
> If your first client can but your second can't access, I guess you already
> have some rules or policies allowing this.
> 
> In this case I suggest double-checking your masq file: do you only masq
> 192.168.8.35 or the whole network, e.g. 192.168.8.0/24?
> 
> 
> Cheers
> Mike
> 
> -----Original Message-----
> From: sangprabv [mailto:sangpr...@gmail.com]
> Sent: Friday, 5 February 2010 09:28
> To: Shorewall Users
> Subject: [Shorewall-users] DNAT Problem
> 
> Hi,
> I have a client behind shorewall which has 2 IPs:
> 192.168.8.35 is the real IP and 192.168.8.37 is the virtual IP.
> I have added DNAT rules into shorewall:
> DNAT    net    loc:192.168.8.35    tcp    11008    -    1.2.3.4
> DNAT    net    loc:192.168.8.37    tcp    55000    -    1.2.3.5
> 
> 1.2.3.4 and 1.2.3.5 are virtual IPs on the firewall side
> 
> I want 192.168.8.35 to be able to telnet to my partner IP 9.8.7.6:11008, and it
> can connect OK.
> And I also want 192.168.8.37 to be able to reach my partner IP 5.4.3.2:55000, and
> this one FAILS.
> If I try telnet my.partner.ip.add:55000 -b 1.2.3.5 on the firewall, it is OK.
> 
> I have manually added
> route add 9.8.7.6 gw 192.168.8.1
> route add 5.4.3.2 gw 192.168.8.1
> Both added to the client routing table. What's wrong with my configuration?
> Many thanks for your help.
> 
> 
> 
> sangprabv
> sangpr...@gmail.com
> 
> 
> 
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the
> business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
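Mike points at the masq file as the thing to double-check, and at a shorewall dump or tcpdump as the way to see what the firewall is really doing. The following is an added example, not code from this thread or from the Shorewall project. It shows a masq file that gives 192.168.8.35 and 192.168.8.37 their own public source addresses (per-host SNAT, the outbound counterpart of the DNAT rules in the original post) instead of masquerading all of eth1 behind eth0's primary address, and a small check that reads nat-table rules in iptables-save syntax (as printed by "iptables -t nat -S" on the firewall) and reports which public address a given internal host leaves with. The addresses and interfaces are the thread's; the rule lines in the script are constructed for the example in roughly the shape Shorewall generates (a jump from POSTROUTING to a per-interface chain, here called eth0_masq) and are not real firewall output. Whether the partner at 5.4.3.2 only accepts connections from 1.2.3.5 is an assumption the thread does not confirm; if it does, the catch-all "eth0 eth1" entry would explain why the connection works from the firewall with -b 1.2.3.5 but not from the client.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): per-host SNAT in the
# masq file, plus a check that tells you which public address a given internal
# host is mapped to according to the nat table.
set -eu

# Proposed /etc/shorewall/masq (columns: INTERFACE SOURCE ADDRESS). Shorewall
# emits the entries in file order and iptables takes the first match, so the
# per-host lines must come before the catch-all that masquerades eth1.
MASQ_FIXED='#INTERFACE  SOURCE        ADDRESS
eth0        192.168.8.35  1.2.3.4
eth0        192.168.8.37  1.2.3.5
eth0        eth1'

# Constructed sample: nat rules with the thread's original one-line masq file
# ("eth0 eth1"), in iptables-save syntax. Every host on eth1 leaves as eth0's
# primary address, never as 1.2.3.5.
RULES_ORIGINAL='-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 192.168.8.0/24 -j MASQUERADE'

# Constructed sample: nat rules after the masq change above.
RULES_FIXED='-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 192.168.8.35/32 -j SNAT --to-source 1.2.3.4
-A eth0_masq -s 192.168.8.37/32 -j SNAT --to-source 1.2.3.5
-A eth0_masq -s 192.168.8.0/24 -j MASQUERADE'

# snat_for HOST RULES
# Walks the SNAT/MASQUERADE rules in order (first match wins, as in iptables)
# and prints the --to-source address the host is mapped to, "MASQUERADE" if a
# masquerade rule matches first (the host leaves with the interface's primary
# address), or "none" if no NAT rule matches. Rules are taken as one ordered
# list regardless of chain, which is accurate for a single egress interface.
snat_for() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        function ip2int(a,    p) {
            split(a, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        # Host/CIDR match without gawk-only bit operators: compare the two
        # addresses after dividing away the host bits.
        function in_cidr(host, cidr,    parts, div) {
            if (index(cidr, "/") == 0) return ip2int(host) == ip2int(cidr)
            split(cidr, parts, "/")
            div = 2 ^ (32 - parts[2])
            return int(ip2int(host) / div) == int(ip2int(parts[1]) / div)
        }
        /^-A / && /-j (SNAT|MASQUERADE)/ {
            src = ""; target = ""; to = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i == "--to-source") to = $(i + 1)
            }
            if (src != "" && !in_cidr(ip, src)) next
            found = 1
            out = (target == "SNAT") ? to : "MASQUERADE"
            print out
            exit
        }
        END { if (!found) print "none" }'
}

printf 'masq file to use:\n%s\n\n' "$MASQ_FIXED"
for host in 192.168.8.35 192.168.8.37 192.168.8.50; do
    printf '%-14s before: %-11s after: %s\n' "$host" \
        "$(snat_for "$host" "$RULES_ORIGINAL")" \
        "$(snat_for "$host" "$RULES_FIXED")"
done
```

On the firewall itself the input for snat_for is the output of "iptables -t nat -S" (or "shorewall show nat"), and the result can be confirmed on the wire with "tcpdump -ni eth0 host 5.4.3.2": the source address of the outgoing SYN is what the partner sees, and it has to be 1.2.3.5 for the second connection to be treated like the one made from the firewall with -b 1.2.3.5.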