[Shorewall-newbies] Port changing incoming DNAT problem

Tom Eastep teastep at shorewall.net
Thu Jan 8 17:40:57 PST 2004

On Thu, 8 Jan 2004 nkjbox at internetgruppen.dk wrote:

> Hi all,
> I have a server on the dmz with IP= called pampas.
> pampas accepts incoming http and notes traffic to via
> this DNAT rule:
> DNAT net dmz: tcp http,notes -
> Another rule should send the ssh port to the notes port of pampas. The
> idea is that this enables people behind a firewall which allows outgoing
> ssh traffic but not notes traffic to use notes on pampas anyway (!)
> DNAT:info net dmz: tcp ssh notes

That rule says:

For traffic from the net with a source port of 'notes' and a destination
port of 'ssh' and a destination IP of, change the
destination address to

That isn't what you want.

> I rewrote the rule to:
> DNAT:info net: dmz: tcp ssh notes

I think that will generate an error.

> It didn't work either.
> I have a rule about ssh at the top of the rules file:
> ACCEPT all all ssh
> Could that rule mess up the port redirection?
> Or is it an example of the corrected SNAT bug of the new 1.4.9 Beta
> shorewall?

You should consult FAQ #1c to see how to do what you want.

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
