[Shorewall-newbies] Port changing incoming DNAT problem

Tom Eastep teastep at shorewall.net
Thu Jan 8 17:40:57 PST 2004


On Thu, 8 Jan 2004 nkjbox at internetgruppen.dk wrote:

> Hi all,
>
> I have a server on the dmz with IP=192.168.2.112 called pampas.
>
> pampas accepts incoming http and notes traffic to 194.192.161.166 via
> this DNAT rule:
>
> DNAT net dmz:192.168.2.112 tcp http,notes - 194.192.161.166
>
> Another rule should send the ssh port to the notes port of pampas. The
> idea is that this enables people behind a firewall which allows outgoing
> ssh traffic but not notes traffic to use notes on pampas anyway (!)
>
> DNAT:info net dmz:192.168.2.112 tcp ssh notes 194.192.161.166
>

That rule says:

For traffic from the net with a source port of 'notes' and a destination
port of 'ssh' and a destination IP of 194.192.161.166, change the
destination address to 192.168.2.112

That isn't what you want.

> I rewrote the rule to:
>
> DNAT:info net:194.192.161.166 dmz:192.168.2.112 tcp ssh notes
>

I think that will generate an error.

> It didn't work either.
>
> I have a rule about ssh at the top of the rules file:
>
> ACCEPT all all ssh
>
> Could that rule mess up the port redirection?
> Or is it an example of the corrected SNAT bug of the new 1.4.9 Beta
> shorewall?
>

You should consult FAQ #1c to see how to do what you want.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
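The misreading Tom points out is a column-position problem: in a Shorewall 1.4 rules line the sixth column is SOURCE PORT, so the poster's 'notes' became a source-port match instead of the port to forward to. The following small parser is an added example written for this thread, not code from Shorewall or from either poster. It splits a rules line into its positional columns and spells out what each one matches, and it assumes (from my reading of the 1.4 rules syntax, which FAQ #1c documents) that a DNAT rule changes the destination port by appending it to the host in the DEST column, e.g. `dmz:192.168.2.112:1352`. The corrected line and port 1352 for Lotus Notes are assumptions, not something the thread states.

```python
"""Parse a Shorewall 1.4-style rules line and spell out what it matches."""
from dataclasses import dataclass

# Column order of a Shorewall 1.4 /etc/shorewall/rules line. "-" means "any".
COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str = "-"
    dport: str = "-"
    sport: str = "-"
    origdest: str = "-"


def parse_rule(line: str) -> Rule:
    """Split one whitespace-separated rules line into its positional columns."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("a rule needs at least ACTION, SOURCE and DEST")
    if len(fields) > len(COLUMNS):
        raise ValueError("more than %d columns on a rules line" % len(COLUMNS))
    return Rule(*fields)


def split_endpoint(spec: str):
    """'dmz:192.168.2.112:1352' -> ('dmz', '192.168.2.112', '1352').

    Missing parts come back as None."""
    parts = spec.split(":") + [None, None]
    return parts[0], parts[1], parts[2]


def describe(rule: Rule) -> str:
    """Render the rule the way Tom reads it: every column is a match
    condition, and for DNAT the DEST column (zone:host[:port]) is the
    rewrite target."""
    action, _, log_level = rule.action.partition(":")  # strip ':info' suffix
    src_zone, src_host, _ = split_endpoint(rule.source)
    dst_zone, dst_host, dst_port = split_endpoint(rule.dest)

    conds = ["from zone '%s'" % src_zone]
    if src_host:
        conds.append("from host %s" % src_host)
    if rule.proto != "-":
        conds.append("protocol %s" % rule.proto)
    if rule.sport != "-":
        conds.append("source port '%s'" % rule.sport)
    if rule.dport != "-":
        conds.append("destination port '%s'" % rule.dport)
    if rule.origdest != "-":
        conds.append("destination IP %s" % rule.origdest)

    text = "match traffic " + ", ".join(conds) + ": "
    if action == "DNAT":
        target = "rewrite destination to %s" % dst_host
        if dst_port:
            target += " port %s" % dst_port
        text += target + " in zone '%s'" % dst_zone
    else:
        text += "%s it toward zone '%s'" % (action, dst_zone)
    if log_level:
        text += " (logged at level %s)" % log_level
    return text


# The poster's rule, copied from the thread: column 6 is SOURCE PORT, so
# 'notes' is a source-port match, not the port to forward to.
ORIGINAL = "DNAT:info net dmz:192.168.2.112 tcp ssh notes 194.192.161.166"

# Assumed corrected form (not from the thread): put the target port after the
# host in DEST and leave SOURCE PORT as '-'. 1352 is the conventional Lotus
# Notes port; this is an assumption, the poster's box resolves 'notes' itself.
CORRECTED = "DNAT net dmz:192.168.2.112:1352 tcp ssh - 194.192.161.166"

if __name__ == "__main__":
    for line in (ORIGINAL, CORRECTED):
        print(line)
        print("   ->", describe(parse_rule(line)))
```

Running it prints the two readings side by side: the original matches only packets whose source port happens to be the notes port (almost none), while the corrected form matches inbound ssh and rewrites both the destination address and the destination port.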

