[Shorewall-users] Using Shorewall as a gateway EC2 Instance on Ubuntu in AWS: Rule/Policy Problem

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I have a question about a secure way to firewall and route traffic from an EC2 instance in AWS. The setup is different from any other shorewall configuration i have used (OpenWRT, OpenVPN, etc). 
In this case there are two subnets in one VPC 
VPC - 10.252.0.0/16 
1) Public - 10.252.128.0/17 
2) Private - 10.252.0.0/17 
I have created an instance in the Public subnet with an elastic IP 54.x.x.100 which is NAT'ed to the eth0 interface on that server: 
NAT/GW/VPN Shorewall Server: 
10.252.128.200 (1 interface - ETH0) 
Traffic flows in and out to the internet without issue. The IGW (internet gateway) on AWS is properly configured. The route tables are correct. 
In the private subnet, there is a test windows server with IP address 10.252.0.10. It is currently configured to use the Shorewall Server as it's gateway. When I configure the Shorewall policy file to use ALL to ALL ACCEPT (I know this is not secure - obviously...) it works. Traffic comes in and out to 10.252.0.10. With Shorewall simply passing packets with no firewalling, everything works as expected. 
But when I try to secure it, I end up with this error in the log no matter how many rules I try to use: 
kernel: [ 5138.802818] Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 
So instead of a typical configuration with an eth1 (loc) and eth0 (net) interface, there is only one 'physical' interface which is eth0 
The masq file looks like this: 
#MASQ 
eth0	0.0.0.0/0  #--> allow any server to be masq'd as eth0 
How can I keep the correct Shorewall policy (all all REJECT info) while using the rules file to allow traffic in/out through the same eth0 interface? 
I cannot do the following like I could on a physical server (which would work) 
loc net ACCEPT 
Mike