From: Matthias F. B. <ha...@gm...> - 2015-02-13 01:22:12
Hello,

I am running Shorewall 4.5.5.3 on a Debian machine. I have a firewall (10.8.0.1) connected to an internal server (10.8.0.2) via OpenVPN. On the firewall the VPN interface is called tun0.

So in my shorewall configuration I have this:

$ cat interfaces
#ZONE   INTERFACE   OPTIONS
-       lo          ignore
vpn     tun+        optional
net     eth+        dhcp,physical=+,routeback,optional

$ cat zones
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
vpn     ipv4
net     ip

$ cat policy
#SOURCE   DEST   POLICY   LOG     LIMIT:   CONNLIMIT:
#                         LEVEL   BURST    MASK
$FW       net    ACCEPT
$FW       vpn    ACCEPT
vpn       all    ACCEPT
net       all    DROP     info

Now I want to forward all traffic from the public net coming to TCP port 2222 on the firewall to the internal server port 22. So I have added the following two lines:

$ cat rules
ACCEPT      net   $FW               tcp   2222
DNAT:info   net   vpn:10.8.0.2:22   tcp   2222

In my shorewall.conf file I have this line:

IP_FORWARDING=On

However, this does not seem to work. In the log file I can see these lines:

Feb 13 01:59:44 helios kernel: [2390648.826670] Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=52:54:ed:88:f9:f5:5c:5e:ab:03:66:c0:08:00 SRC=<client-IP> DST=<firewall-IP> LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=21389 DF PROTO=TCP SPT=38026 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0

What am I missing here?

Cheers!

--
Matthias F. Brandstetter
ha...@gm...
@maflobra <https://twitter.com/maflobra>
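As an added example (not part of the original post or of Shorewall itself), a small parser for the kernel log format quoted above: it splits the "Shorewall:<chain>:<action>:" prefix from the key=value fields and then checks whether a logged entry is a DNAT hit for the rule in the post (ingress eth0, TCP, destination port 2222). The sample line is constructed from the one in the post, with the placeholder client and firewall addresses replaced by documentation-range addresses.

```python
import re

# Constructed sample, modelled on the log line quoted in the post; the
# client and firewall addresses are placeholders from documentation ranges.
SAMPLE_LOG = (
    "Feb 13 01:59:44 helios kernel: [2390648.826670] "
    "Shorewall:net_dnat:DNAT:IN=eth0 OUT= "
    "MAC=52:54:ed:88:f9:f5:5c:5e:ab:03:66:c0:08:00 "
    "SRC=203.0.113.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=55 "
    "ID=21389 DF PROTO=TCP SPT=38026 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0"
)

# Shorewall prefixes its kernel log entries with "Shorewall:<chain>:<action>:".
_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")


def parse_shorewall_log(line):
    """Split a Shorewall log line into chain, action, key=value fields and flags."""
    m = _PREFIX.search(line)
    if not m:
        return None  # not a Shorewall entry
    fields, flags = {}, set()
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value  # "OUT=" yields an empty string
        else:
            flags.add(token)     # bare tokens such as DF, SYN
    return {"chain": m.group("chain"), "action": m.group("action"),
            "fields": fields, "flags": flags}


def dnat_hit_matches_rule(entry, in_iface="eth0", proto="TCP", dport="2222"):
    """True when the entry is a DNAT hit for the port-forward rule in the post.

    This only confirms that the DNAT rule fired on the ingress interface for
    the first SYN; it says nothing about the rewritten packet's onward path.
    """
    if entry is None or entry["action"] != "DNAT":
        return False
    f = entry["fields"]
    return (f.get("IN") == in_iface and f.get("PROTO") == proto
            and f.get("DPT") == dport and "SYN" in entry["flags"])


if __name__ == "__main__":
    e = parse_shorewall_log(SAMPLE_LOG)
    print(e["chain"], e["action"], e["fields"]["SRC"], "->", e["fields"]["DST"])
    print("rule hit:", dnat_hit_matches_rule(e))
```

A match on the quoted line means the DNAT rule itself was reached; the reply path from 10.8.0.2 back to the client is a separate thing to verify.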