From: Tom E. <te...@sh...> - 2015-02-13 04:28:39
On 2/12/2015 5:21 PM, Matthias F. Brandstetter wrote:
> Hello, I am running Shorewall 4.5.5.3 on a Debian machine.
>
> I have a firewall (10.8.0.1) connected to an internal server (10.8.0.2)
> via OpenVPN. On the firewall the VPN interface is called tun0. So in
> my shorewall configuration I have this:
>
> $ cat interfaces
> #ZONE   INTERFACE   OPTIONS
> -       lo          ignore
> vpn     tun+        optional
> net     eth+        dhcp,physical=+,routeback,optional
>
> $ cat zones
> #ZONE   TYPE        OPTIONS     IN          OUT
> #                               OPTIONS     OPTIONS
> fw      firewall
> vpn     ipv4
> net     ip
>
> $ cat policy
> #SOURCE DEST    POLICY  LOG     LIMIT:          CONNLIMIT:
> #                       LEVEL   BURST           MASK
> $FW     net     ACCEPT
> $FW     vpn     ACCEPT
> vpn     all     ACCEPT
> net     all     DROP    info
>
> Now I want to forward all traffic from the public net coming to TCP port
> 2222 on the firewall to the internal server port 22. So I have added the
> following two lines:
>
> $ cat rules
> ACCEPT      net     $FW                 tcp     2222
> DNAT:info   net     vpn:10.8.0.2:22     tcp     2222

The first rule is unnecessary.

> In my shorewall.conf file I have this line:
>
> IP_FORWARDING=On
>
> However, this does not seem to work.
> In the log file I can see these lines:
>
> Feb 13 01:59:44 helios kernel: [2390648.826670]
> Shorewall:net_dnat:DNAT:IN=eth0 OUT=
> MAC=52:54:ed:88:f9:f5:5c:5e:ab:03:66:c0:08:00 SRC=<client-IP>
> DST=<firewall-IP> LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=21389 DF PROTO=TCP
> SPT=38026 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0
>
> What am I missing here?

Have you followed the troubleshooting procedure outlined in Shorewall FAQs
1a and 1b?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
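The log line Matthias posted is the kind of evidence the FAQ troubleshooting procedure asks you to gather before changing rules. The parser below is an added example (not part of the original thread and not Shorewall's own code): it splits a Shorewall kernel log entry into its chain, disposition, key=value packet fields and bare flags, so you can confirm from the log alone that the net_dnat chain matched a new TCP SYN to port 2222 and was not, say, a DROP from the net policy. The sample lines are constructed: the first is the posted line with its redacted <client-IP> and <firewall-IP> replaced by RFC 5737 documentation addresses, the second is an invented DROP entry for contrast, and the policy-chain name net2all in it is an assumption, not something the post shows.

```python
import re

# Constructed sample log. Line 1 is the entry from the post with the redacted
# addresses replaced by documentation addresses; line 2 is an invented DROP
# entry (chain name "net2all" is assumed) so the filter has something to skip.
SAMPLE_LOG = """\
Feb 13 01:59:44 helios kernel: [2390648.826670] Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=52:54:ed:88:f9:f5:5c:5e:ab:03:66:c0:08:00 SRC=203.0.113.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=21389 DF PROTO=TCP SPT=38026 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 13 01:59:50 helios kernel: [2390654.000000] Shorewall:net2all:DROP:IN=eth0 OUT= MAC=52:54:ed:88:f9:f5:5c:5e:ab:03:66:c0:08:00 SRC=203.0.113.10 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=21390 DF PROTO=TCP SPT=38027 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Shorewall prefixes every LOG entry with "Shorewall:<chain>:<disposition>:";
# everything after that is the kernel's own packet dump.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")


def parse_shorewall_log(line):
    """Parse one Shorewall kernel log line into a dict.

    key=value tokens become dict entries (an empty value, e.g. "OUT=", is
    kept as ""), bare tokens such as DF or SYN are collected under "flags".
    Returns None for lines that are not Shorewall log entries.
    """
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value
        else:
            rec["flags"].append(tok)
    return rec


def is_new_connection(rec):
    """True for the first packet of a TCP handshake (SYN without ACK)."""
    return "SYN" in rec["flags"] and "ACK" not in rec["flags"]


def summarize(rec):
    """One-line human summary of a parsed record."""
    return (
        f"{rec['chain']}: {rec['disposition']} {rec.get('PROTO', '?')} "
        f"{rec.get('SRC', '?')}:{rec.get('SPT', '?')} -> "
        f"{rec.get('DST', '?')}:{rec.get('DPT', '?')} "
        f"in={rec.get('IN') or '-'} out={rec.get('OUT') or '-'} "
        f"flags={','.join(rec['flags'])}"
    )


def dnat_hits(log_text, dport):
    """Return the parsed entries whose disposition was DNAT for the given port."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_shorewall_log(line)
        if rec and rec["disposition"] == "DNAT" and rec.get("DPT") == str(dport):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in dnat_hits(SAMPLE_LOG, 2222):
        print(summarize(hit), "NEW" if is_new_connection(hit) else "")
```

An empty OUT= is expected in this entry: Shorewall's net_dnat chain lives in the nat table's PREROUTING hook, so the LOG fires before the routing decision is made. The line therefore confirms only that the DNAT rule matched the incoming SYN; whether the rewritten packet was actually forwarded out tun0, and whether 10.8.0.2 sends its replies back through the firewall rather than some other default gateway, has to be checked separately.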