
I have a firewall (10.8.0.1) connected to an internal server (10.8.0.2) via VPN. On the firewall the VPN interface is called tun0. So in my shorewall configuration I have this:

$ cat interfaces
#ZONE   INTERFACE   OPTIONS
-       lo          ignore
vpn     tun+        optional
net     eth+        dhcp,physical=+,routeback,optional

$ cat zones
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
vpn     ipv4
net     ip

$ cat policy
#SOURCE DEST    POLICY      LOG LIMIT:      CONNLIMIT:
#               LEVEL       BURST           MASK
$FW     net     ACCEPT
$FW     vpn     ACCEPT
vpn     all     ACCEPT
net     all     DROP        info

Now I want to forward all traffic from the public net coming to TCP port 2222 on the firewall to the internal server port 22. So I have added the following two lines:

$ cat rules
ACCEPT          net         $FW                 tcp     2222
DNAT            net         vpn:10.8.0.2:22     tcp     2222

In my shorewall.conf file I have this line:

IP_FORWARDING=On

However, this does not seem to work.
What am I missing here?

Matthias

1 Answer

#
# Shorewall version 4 - Masq file
#

#INTERFACE:DEST         SOURCE              ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/   SWITCH
#                                           GROUP
tun+:10.8.0.0/16        0.0.0.0/0           10.8.0.1
Michael Hampton
user298901
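As an added example (my own code, not part of the question or the answer, and not Shorewall's compiler), the script below reads the column layouts of the `interfaces`, `rules` and `masq` fragments posted above, renders the iptables commands they roughly correspond to, and checks the point the answer's masq file addresses: a DNAT target that is not SNATed on the outgoing VPN interface sees the original public source address, so its reply follows the internal server's own routing table instead of coming back through the tunnel. The translation to iptables is an approximation I wrote for illustration; the sample input is the page's own files embedded as constructed strings.

```python
"""Render Shorewall interfaces/rules/masq fragments as iptables commands and
flag DNAT targets without a covering masq (SNAT) entry. Added example; the
iptables output approximates Shorewall's, it is not Shorewall's own code."""
import ipaddress

# Constructed input: the files from the question and the answer's masq file.
INTERFACES = """#ZONE   INTERFACE   OPTIONS
-       lo          ignore
vpn     tun+        optional
net     eth+        dhcp,physical=+,routeback,optional
"""
RULES = """ACCEPT          net         $FW                 tcp     2222
DNAT            net         vpn:10.8.0.2:22     tcp     2222
"""
MASQ = """tun+:10.8.0.0/16        0.0.0.0/0           10.8.0.1
"""


def _lines(text):
    """Yield the whitespace-split columns of each non-comment, non-empty line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_interfaces(text):
    """Map zone name -> interface pattern; the '-' pseudo-zone is skipped."""
    return {c[0]: c[1] for c in _lines(text) if c[0] != "-"}


def parse_rules(text):
    """ACTION SOURCE DEST PROTO DPORT columns of a rules file."""
    rules = []
    for cols in _lines(text):
        cols += ["-"] * (5 - len(cols))  # pad absent optional columns
        action, src, dest, proto, dport = cols[:5]
        rules.append({"action": action, "source": src, "dest": dest,
                      "proto": proto, "dport": dport})
    return rules


def parse_masq(text):
    """INTERFACE[:DEST] SOURCE ADDRESS columns of a masq file."""
    entries = []
    for cols in _lines(text):
        iface, _, dest = cols[0].partition(":")
        entries.append({"iface": iface, "dest": dest or "0.0.0.0/0",
                        "source": cols[1] if len(cols) > 1 else "0.0.0.0/0",
                        "address": cols[2] if len(cols) > 2 else None})
    return entries


def dnat_to_iptables(rule, zones):
    """nat PREROUTING rewrite plus the FORWARD accept for one DNAT rule."""
    zone, addr, port = rule["dest"].split(":")
    in_if, out_if = zones[rule["source"]], zones[zone]
    return [
        f"iptables -t nat -A PREROUTING -i {in_if} -p {rule['proto']} "
        f"--dport {rule['dport']} -j DNAT --to-destination {addr}:{port}",
        f"iptables -A FORWARD -i {in_if} -o {out_if} -p {rule['proto']} "
        f"-d {addr} --dport {port} -j ACCEPT",
    ]


def masq_to_iptables(entry):
    """SNAT when an ADDRESS column is present, otherwise MASQUERADE."""
    base = (f"iptables -t nat -A POSTROUTING -o {entry['iface']} "
            f"-s {entry['source']} -d {entry['dest']}")
    if entry["address"]:
        return f"{base} -j SNAT --to-source {entry['address']}"
    return f"{base} -j MASQUERADE"


def _iface_matches(pattern, iface):
    """Shorewall-style wildcard: 'tun+' matches 'tun+', 'tun0', and so on."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def uncovered_dnat_targets(rules, masq, zones):
    """DNAT target addresses that no masq entry SNATs on the outgoing
    interface; their replies are routed by the target host, not the tunnel."""
    missing = []
    for rule in rules:
        if rule["action"] != "DNAT":
            continue
        zone, addr, _ = rule["dest"].split(":")
        target = ipaddress.ip_address(addr)
        covered = any(
            _iface_matches(m["iface"], zones[zone])
            and target in ipaddress.ip_network(m["dest"], strict=False)
            for m in masq)
        if not covered:
            missing.append(addr)
    return missing


if __name__ == "__main__":
    zones = parse_interfaces(INTERFACES)
    for r in parse_rules(RULES):
        if r["action"] == "DNAT":
            print("\n".join(dnat_to_iptables(r, zones)))
    for m in parse_masq(MASQ):
        print(masq_to_iptables(m))
    print("uncovered:", uncovered_dnat_targets(parse_rules(RULES), parse_masq(MASQ), zones))
```

Running it with the masq file present reports no uncovered targets; removing the masq entry lists 10.8.0.2, which is the situation the question describes. On a live host the same condition shows up as the DNAT counter incrementing in `iptables -t nat -L PREROUTING -v` while the TCP handshake never completes.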