Solved it. Contrary to what http://www.shorewall.net/NAT.htm implies,
ADD_IP_ALIASES does not default to 'yes,' at least not on Ubuntu.
Once I did that, all started working.
Thanks to bleve on #shorewall!
On Monday, June 04, 2012, Joshua J. Kugler elucidated thus:
> Dump attached.
> So, I have this situation. Pretty straight-forward masq situation,
> but with an odd wrinkle I can't figure out. All machines DHCP. All
> can ping the router, get IP addresses, etc. Some machines can ping
> past the router, some cannot. Logging the loc2net chain shows it
> hitting the ACCEPT rule, but it cannot connect to anything
> beyond the firewall.
> The machine that currently cannot ping past the firewall is a
> KVM/qemu guest, but it *can* ping the firewall.
> The machine that can't get past the firewall has the following line
> in nat:
> xx.xx.131.63 eth0 192.168.100.248 no no
> If I try to connect to another system where I've set up logging on a
> port, I get:
> Jun 4 12:15:28 azariah kernel: [5305753.084529]
> Shorewall:net2fw:LOG:IN=ppp0 OUT= MAC= SRC=xx.xxx.131.63
> DST=xxx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=22600 DF
> PROTO=TCP SPT=58446 DPT=5000 WINDOW=14600 RES=0x00 SYN URGP=0
> So, its source address is correct, but it's never making it back to
> the nat'ed system.
> I'm at a loss. Ideas? Links? Silly mistakes?
Part-Time System Admin/Programmer
http://www.eeinternet.com - Fairbanks, AK
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A
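The root cause above is a one-to-one NAT entry whose external address was never added to the interface because ADD_IP_ALIASES was not set. The following shell script is an added example, not part of the thread or of Shorewall itself: it cross-checks the entries in a Shorewall `nat` table against the addresses actually configured on the interface (`ip -4 -o addr show` output) and checks whether `ADD_IP_ALIASES` is enabled in `shorewall.conf`. All sample data is constructed inline, with placeholder addresses (203.0.113.x) standing in for the masked addresses in the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or Shorewall): verify that each EXTERNAL
# address in /etc/shorewall/nat is really present on its INTERFACE, and that
# ADD_IP_ALIASES is enabled so Shorewall would add it for you.

# Constructed /etc/shorewall/nat content: EXTERNAL INTERFACE INTERNAL ALL LOCAL
SAMPLE_NAT='#EXTERNAL        INTERFACE   INTERNAL        ALL  LOCAL
203.0.113.63     eth0        192.168.100.248 no   no
203.0.113.64     eth0        192.168.100.249 no   no'

# Constructed output of "ip -4 -o addr show": 203.0.113.64 is aliased on eth0,
# 203.0.113.63 is not (the failure mode described in the thread).
SAMPLE_IP_ADDR='2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0
2: eth0    inet 203.0.113.64/32 scope global eth0
3: eth1    inet 192.168.100.1/24 brd 192.168.100.255 scope global eth1'

# Constructed shorewall.conf fragment (the setting that was missing)
SAMPLE_CONF='ADD_IP_ALIASES=No'

# missing_nat_aliases NAT_TEXT IPADDR_TEXT
# Prints "EXTERNAL INTERFACE" for every nat entry whose external address is not
# configured on that interface. Empty output means every entry is aliased.
missing_nat_aliases() {
    nat="$1"; addrs="$2"
    printf '%s\n' "$nat" | grep -v '^[[:space:]]*#' | while read -r ext iface internal rest; do
        [ -z "$ext" ] && continue
        # escape dots so the address is matched literally in the regex
        ext_re=$(printf '%s' "$ext" | sed 's/\./\\./g')
        if ! printf '%s\n' "$addrs" | grep -E "^[0-9]+: ${iface}[[:space:]]+inet ${ext_re}/" >/dev/null; then
            printf '%s %s\n' "$ext" "$iface"
        fi
    done
}

# add_ip_aliases_enabled CONF_TEXT
# Returns 0 if ADD_IP_ALIASES is set to Yes (case-insensitive, optional quotes).
add_ip_aliases_enabled() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*ADD_IP_ALIASES=[[:space:]]*"?yes"?'
}

# Report findings for the constructed data; on a real host replace the sample
# strings with "$(cat /etc/shorewall/nat)", "$(ip -4 -o addr show)" and
# "$(cat /etc/shorewall/shorewall.conf)".
report() {
    missing=$(missing_nat_aliases "$SAMPLE_NAT" "$SAMPLE_IP_ADDR")
    if [ -n "$missing" ]; then
        printf 'NAT external address not on interface:\n%s\n' "$missing"
        if add_ip_aliases_enabled "$SAMPLE_CONF"; then
            printf 'ADD_IP_ALIASES is Yes; check that Shorewall was restarted.\n'
        else
            printf 'ADD_IP_ALIASES is not Yes; set ADD_IP_ALIASES=Yes or add the address manually.\n'
        fi
    else
        printf 'All nat entries have their external address on the interface.\n'
    fi
}

report
```

Replies to a connection can only come back if the upstream router can deliver packets to the external address, which requires the firewall to own that address on the outside interface; this check reports exactly the entries for which that is not the case.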