Re: [Shorewall-users] DNAT Question

[Tom E. <te...@sh...>]

ko...@su... wrote:
> Hopefully this hasn't been asked a number of times.. I did some searchi=
ng,=20
> and didn't come up with anything initially.

This is actually Shorewall FAQ #2 but it is disguised enough that you pro=
bably
didn't recognize it.

>=20
> Here is my info (modified sightly to make safe to broadcast):

So you believe in "security by obscurity"...

> Masq:  (not sure if this is necessary..)
> eth0                    0.0.0.0/0       175.31.30.10

It *is* necessary.

>=20
> When I try to ftp to the box from the outside (72.36.210.44), the=20
> connection is refused, and the following is in the log:
>=20
> Nov 10 16:25:17 revproxy kernel: Shorewall:FORWARD:REJECT:IN=3Deth0 OUT=
=3Deth0=20
> SRC=3D72.36.210.44 DST=3D10.111.46.4 LEN=3D60 TOS=3D0x10 PREC=3D0x00 TT=
L=3D48=20
> ID=3D61493 DF PROTO=3DTCP SPT=3D51483 DPT=3D21 WINDOW=3D5840 RES=3D0x00=
 SYN URGP=3D0A

=46rom the answer to Shorewall FAQ 17 (Why are these packets being
Dropped/Rejected?/How do I decode Shorewall log messages?):

	If the chain is FORWARD and the IN and OUT interfaces are the same, then=

        you probably need the 'routeback' option on that interface in
        /etc/shorewall/interfaces or you need the 'routeback' option in t=
he
        relevant entry in /etc/shorewall/hosts.

-Tom
--=20
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key