edit3:
I would like to get exactly what is described in http://shorewall.net/FAQ.htm#faq1g, but it doesn't work for me.
edit3 end;
OS: Debian Squeeze; Shorewall: 4.4.11.6-3
3 computers a, b & c; Shorewall is on computer b. I would like to DNAT port 8140 from b->c, so computer a can connect to b and will be DNATed to c. I followed FAQ 1g (thanks go out to omache), http://www.shorewall.net/FAQ.htm#faq1g. rules, interfaces and masq are set according to the FAQ.
The direct connections work:
a->b
a->b->b (temp rule: DNAT:debug net fw:ip.of.computer.b:80 tcp 8140 - -)
b->c
a->c
Regular Shorewall rules on computer b:
DNAT:debug net net:ip.of.computer.c:8140 tcp 8140 - ip.of.computer.b
DNAT:debug $FW net:ip.of.computer.c:8140 tcp 8140 - ip.of.computer.b
So DNATing should work. According to the FAQ I debugged the DNAT; the packet count increases.
Is the problem the one from http://www.shorewall.net/FAQ.htm#faq1a, "dropping the outbound SYN,ACK response"? How do I debug this? Shouldn't the b->c and a->c direct connections then also be a problem, or do they work without SYN,ACK?
a->b->c does not work
b->b->c does work
Log entry from the a->b->c connection:
Oct 11 03:34:03 servername kernel: [3457359.671611] Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=-SNIP- SRC=ip.of.computer.a DST=ip.of.computer.b LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=49585 DF PROTO=TCP SPT=60499 DPT=8140 WINDOW=5840 RES=0x00 SYN URGP=0
Edit 1:
I made more debugging tests; thanks go again to omache.
tcpdump 'ip host A or B or C and not (port ssh or http or smtp or pop3)'
tcpdump 'ip host A or B or D and not (port ssh or smtp or pop3)'
A->B->C (dnat): shows incoming traffic, but nothing goes out to C.
B->B->C (local dnat): works, and traffic is shown going to C.
It is not the SYN,ACK problem. I made a test with a fourth host D and exchanged C with D; D is a server which is able to reply with ACK and SYN.
I double-checked the FAQ info; this is the content of my affected files:
rule
DNAT:debug net net:$HOST_IP_D:80 tcp 8140 - $HOST_IP_B
interfaces
net eth0 detect tcpflags,logmartians,nosmurfs,routeback
masq
eth0:$HOST_IP_D 0.0.0.0/0 $HOST_IP_B tcp 80
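As an added diagnostic example (not code from the post or from Shorewall): a small Python parser for the kernel log format shown above, which counts how often the same client SYN was logged by a DNAT rule. Repeated SYNs from one source port mean the packet was translated but the client never got a SYN/ACK back, which is what a rising packet count with nothing leaving toward C looks like. The sample log lines are constructed and the addresses are placeholders.

```python
import re
from collections import Counter

# Shorewall kernel log lines carry the prefix "Shorewall:<chain>:<disposition>:" followed by
# the netfilter key=value fields (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, ...) and bare
# flag tokens such as DF, SYN or ACK. A "DNAT:debug" rule logs from the <zone>_dnat chain.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)$")

def parse_shorewall_log(line):
    """Split one Shorewall log line into chain, disposition, key=value fields and flags."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disposition"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value        # an empty value (OUT=) is kept as ""
        else:
            fields["flags"].add(tok)   # DF, SYN, ACK, ...
    return fields

def syn_retransmits(lines, chain_suffix="_dnat"):
    """Count logged initial SYNs per (SRC, SPT, DST, DPT) flow in the DNAT chains.
    A client that never receives a SYN/ACK retransmits the SYN from the same source port,
    so a flow counted more than once was translated but never answered."""
    counts = Counter()
    for line in lines:
        f = parse_shorewall_log(line)
        if not f or not f["chain"].endswith(chain_suffix):
            continue
        if f.get("PROTO") != "TCP" or "SYN" not in f["flags"] or "ACK" in f["flags"]:
            continue
        counts[(f["SRC"], f["SPT"], f["DST"], f["DPT"])] += 1
    return {flow: n for flow, n in counts.items() if n > 1}

# Constructed sample lines modelled on the entry in the post; addresses are placeholders.
SAMPLE_LOG = [
    "Oct 11 03:34:03 servername kernel: [3457359.671611] Shorewall:net_dnat:DNAT:IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=192.0.2.20 TTL=63 ID=49585 DF PROTO=TCP SPT=60499 DPT=8140 SYN URGP=0",
    "Oct 11 03:34:06 servername kernel: [3457362.671702] Shorewall:net_dnat:DNAT:IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=192.0.2.20 TTL=63 ID=49586 DF PROTO=TCP SPT=60499 DPT=8140 SYN URGP=0",
    "Oct 11 03:34:12 servername kernel: [3457368.671788] Shorewall:net_dnat:DNAT:IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=192.0.2.20 TTL=63 ID=49587 DF PROTO=TCP SPT=60499 DPT=8140 SYN URGP=0",
    "Oct 11 03:35:01 servername kernel: [3457417.100001] Shorewall:net_dnat:DNAT:IN=eth0 OUT= "
    "SRC=192.0.2.11 DST=192.0.2.20 TTL=63 ID=1 DF PROTO=TCP SPT=41000 DPT=8140 SYN URGP=0",
]

if __name__ == "__main__":
    print(syn_retransmits(SAMPLE_LOG))
```

Feed it `grep Shorewall /var/log/kern.log` on computer b; a flow that appears with a count but never shows up in the tcpdump toward C points at the forwarding/routeback side rather than at the DNAT rule itself.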