[Shorewall-users] DNAT woes

metapope ray@lenin.net
Tue, 30 Jul 2002 22:45:13 -0700 (PDT)

Hi there,
	I'm new to shorewall, using version 1.3.5b. I am attempting to
set up a masquerading/DNATting two-interface firewall which will manage
connections for several internal servers using a range of external (real)
ip addresses. I have followed the quick-start guide and was able to get
masquerading working for my outbound connections to the internet.
However, I have not been able to get DNAT to work as I expect. An
instance of the DNAT rules I have placed in my rules file is as follows:

DNAT    net     loc:   tcp     80,443	-	xxx.xxx.xxx.203

It should be noted that xxx.xxx.xxx.203 is not the address of my
firewall's external interface card, but another address being routed to
the firewall. I have installed snort and verified that packets destined
for this IP address are hitting the outside interface of the firewall, but
they are not making it through to the inside.

If I remove the ORIGINAL DEST entry and restart the firewall, I find that
connections to the firewall's IP address at port 80 are successfully
forwarded to It seems to be the ORIGINAL DEST entry which
causes the problem. Unfortunately, I don't see anything in syslog, even
when I add an INFO or DEBUG option in the DNAT line.

I'd be happy to send along the output of "shorewall status" if that would

Shorewall is a fantastic product, by the way. Thanks very much for your