[Shorewall-newbies] Port changing incoming DNAT problem
teastep at shorewall.net
Thu Jan 8 17:40:57 PST 2004
On Thu, 8 Jan 2004 nkjbox at internetgruppen.dk wrote:
> Hi all,
> I have a server on the dmz with IP=192.168.2.112 called pampas.
> pampas accepts incoming http and notes traffic to 220.127.116.11 via
> this DNAT rule:
> DNAT net dmz:192.168.2.112 tcp http,notes - 18.104.22.168
> Another rule should send the ssh port to the notes port of pampas. The
> idea is that this enables people behind a firewall which allows outgoing
> ssh traffic but not notes traffic to use notes on pampas anyway (!)
> DNAT:info net dmz:192.168.2.112 tcp ssh notes 22.214.171.124
That rule says:
For traffic from the net with a source port of 'notes' and a destination
port of 'ssh' and a destination IP of 126.96.36.199, change the
destination address to 192.168.2.112
That isn't what you want.
> I rewrote the rule to:
> DNAT:info net:188.8.131.52 dmz:192.168.2.112 tcp ssh notes
I think that will generate an error.
> It didn't work either.
> I have a rule about ssh at the top of the rules file:
> ACCEPT all all ssh
> Could that rule mess up the port redirection?
> Or is it an example of the corrected SNAT bug of the new 1.4.9 Beta?
You should consult FAQ #1c to see how to do what you want.
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
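The column mix-up Tom describes is easiest to see by translating a rules line into the iptables nat/PREROUTING match it corresponds to. The following is an added example, not code from the post or from Shorewall itself: it parses the 1.4-era column layout (ACTION SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S) ORIGINAL-DEST), so that whatever sits in the sixth column becomes a `--sport` match, and it assumes the DNAT DEST column may carry a trailing port (`zone:address:port`) to change the destination port, which is the form the FAQ answer relies on. The service-name table is constructed for the example (`notes` is taken to be 1352/tcp, as in /etc/services' lotusnote entry), the obfuscated addresses are copied from the post as they appear, and Shorewall's interface binding for the `net` zone and its own chain names are left out so only the match semantics are shown.

```python
"""Translate Shorewall 1.4-style rules lines into their iptables equivalent.

Added example for the thread above; assumptions: the seven-column layout
below, 'zone:addr:port' in DEST to rewrite the destination port, and the
constructed SERVICES table in place of an /etc/services lookup.
"""

# Constructed stand-in for /etc/services (assumption: 'notes' is 1352/tcp).
SERVICES = {"ssh": 22, "http": 80, "notes": 1352}

# Column order of /etc/shorewall/rules in the 1.4 series.
COLUMNS = ["action", "source", "dest", "proto", "dport", "sport", "origdest"]


def parse_rule(line):
    """Split one rules line into a dict; missing trailing columns become '-'."""
    rule = dict(zip(COLUMNS, line.split()))
    for col in COLUMNS[1:]:
        rule.setdefault(col, "-")
    return rule


def resolve_ports(spec):
    """'ssh' -> [22], 'http,notes' -> [80, 1352], '-' -> []."""
    if spec in ("-", ""):
        return []
    return [int(p) if p.isdigit() else SERVICES[p] for p in spec.split(",")]


def port_match(flag, ports):
    """Single port -> --dport/--sport; several -> multiport --dports/--sports."""
    if not ports:
        return []
    if len(ports) == 1:
        return [f"--{flag}", str(ports[0])]
    return ["-m", "multiport", f"--{flag}s", ",".join(str(p) for p in ports)]


def split_zone(spec):
    """'dmz:192.168.2.112:notes' -> ('dmz', '192.168.2.112', 1352)."""
    parts = spec.split(":")
    zone = parts[0]
    addr = parts[1] if len(parts) > 1 else None
    port = resolve_ports(parts[2])[0] if len(parts) > 2 else None
    return zone, addr, port


def to_iptables(line):
    """Return the nat/PREROUTING command a DNAT rules line corresponds to."""
    rule = parse_rule(line)
    action = rule["action"].split(":")[0]  # strip a ':info' log level
    if action != "DNAT":
        raise ValueError(f"only DNAT rules are handled, got {action!r}")

    _, src_addr, _ = split_zone(rule["source"])
    _, dst_addr, dst_port = split_zone(rule["dest"])
    if dst_addr is None:
        raise ValueError("DNAT needs an address in the DEST column")

    cmd = ["iptables", "-t", "nat", "-A", "PREROUTING"]
    if src_addr:
        cmd += ["-s", src_addr]
    if rule["origdest"] != "-":
        cmd += ["-d", rule["origdest"]]          # ORIGINAL DEST column
    if rule["proto"] != "-":
        cmd += ["-p", rule["proto"]]
    cmd += port_match("dport", resolve_ports(rule["dport"]))  # 5th column
    cmd += port_match("sport", resolve_ports(rule["sport"]))  # 6th column
    target = dst_addr + (f":{dst_port}" if dst_port else "")
    cmd += ["-j", "DNAT", "--to-destination", target]
    return " ".join(cmd)


if __name__ == "__main__":
    # The rule from the post: 'notes' lands in the SOURCE PORT column.
    print(to_iptables("DNAT:info net dmz:192.168.2.112 tcp ssh notes 22.214.171.124"))
    # Port carried in DEST instead: ssh on the outside, notes on pampas.
    print(to_iptables("DNAT net dmz:192.168.2.112:notes tcp ssh - 22.214.171.124"))
```

Running it prints the `--sport 1352 --dport 22` match for the posted rule, which is exactly the "source port of 'notes'" reading Tom gives, and `--dport 22 ... --to-destination 192.168.2.112:1352` for the rule with the port moved into DEST.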