On 2/12/2015 5:21 PM, Matthias F. Brandstetter wrote:
> Hello, I am running Shorewall 4.5.5.3 on a Debian machine.
> 
> I have a firewall (10.8.0.1) connected to an internal server (10.8.0.2)
> via OpenVPN. On the firewall the VPN interface is called tun0. So in
> my shorewall configuration I have this:
> 
> $ cat interfaces
> #ZONE   INTERFACE   OPTIONS
> -       lo          ignore
> vpn     tun+        optional
> net     eth+        dhcp,physical=+,routeback,optional
> 
> $ cat zones
> #ZONE   TYPE        OPTIONS     IN          OUT
> #                               OPTIONS     OPTIONS
> fw      firewall
> vpn     ipv4
> net     ip
> 
> $ cat policy
> #SOURCE DEST    POLICY      LOG LIMIT:      CONNLIMIT:
> #               LEVEL       BURST           MASK
> $FW     net     ACCEPT
> $FW     vpn     ACCEPT
> vpn     all     ACCEPT
> net     all     DROP        info
> 
> Now I want to forward all traffic from the public net coming to TCP port
> 2222 on the firewall to the internal server port 22. So I have added the
> following two lines:
> 
> $ cat rules
> ACCEPT          net         $FW                 tcp     2222
> DNAT:info       net         vpn:10.8.0.2:22     tcp     2222

The first rule is unnecessary.

> 
> In my shorewall.conf file I have this line:
> 
> IP_FORWARDING=On
> 
> However, this does not seem to work.
> In the log file I can see these lines:
> 
> Feb 13 01:59:44 helios kernel: [2390648.826670]
> Shorewall:net_dnat:DNAT:IN=eth0 OUT=
> MAC=52:54:ed:88:f9:f5:5c:5e:ab:03:66:c0:08:00 SRC=<client-IP>
> DST=<firewall-IP> LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=21389 DF PROTO=TCP
> SPT=38026 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0
> 
> What am I missing here?

Have you followed the troubleshooting procedure outlined in Shorewall
FAQs 1a and 1b?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
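As an added example (not code from the thread, nor part of Shorewall), here is a small Python parser for the kernel log format quoted above: it re-joins the wrapped line and pulls out the Shorewall chain, the disposition and the packet fields, so the reader can check exactly what such an entry proves. SAMPLE_LOG is the poster's own log line, with his `<client-IP>` / `<firewall-IP>` redactions kept as-is.

```python
import re
from typing import Any, Dict, List

# Sample input: the log entry quoted in the thread above, kept with the
# line wrapping it had in the mail (the parser must cope with that).
# <client-IP> and <firewall-IP> are the poster's own redactions.
SAMPLE_LOG = """Feb 13 01:59:44 helios kernel: [2390648.826670]
Shorewall:net_dnat:DNAT:IN=eth0 OUT=
MAC=52:54:ed:88:f9:f5:5c:5e:ab:03:66:c0:08:00 SRC=<client-IP>
DST=<firewall-IP> LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=21389 DF PROTO=TCP
SPT=38026 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0"""

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by the
# usual netfilter KEY=VALUE fields and bare flag tokens (DF, SYN, ...).
_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")


def parse_shorewall_log(text: str) -> Dict[str, Any]:
    """Parse one (possibly line-wrapped) Shorewall kernel log entry."""
    m = _PREFIX.search(text)
    if not m:
        raise ValueError("no Shorewall log prefix found")
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in text[m.end():].split():      # split() also joins wrapped lines
        if "=" in tok:
            key, value = tok.split("=", 1)  # "OUT=" yields an empty value
            fields[key] = value
        else:
            flags.append(tok)
    return {"chain": m.group("chain"), "disposition": m.group("disposition"),
            "fields": fields, "flags": flags}


def dnat_matched(rec: Dict[str, Any], port: int) -> bool:
    """True when the entry records the nat-table DNAT rule firing for a
    TCP SYN to `port`.  That proves the rule matched; it does not show
    that the rewritten packet was then accepted in the filter table, nor
    that the internal server routes its replies back via the firewall,
    which are separate checks."""
    f = rec["fields"]
    return (rec["disposition"] == "DNAT" and f.get("PROTO") == "TCP"
            and f.get("DPT") == str(port) and "SYN" in rec["flags"])


if __name__ == "__main__":
    rec = parse_shorewall_log(SAMPLE_LOG)
    print(rec["chain"], rec["disposition"], rec["fields"]["SRC"],
          "->", rec["fields"]["DST"], "dpt", rec["fields"]["DPT"])
    print("DNAT rule fired for 2222:", dnat_matched(rec, 2222))
```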


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
