[Shorewall-users] redirecting pseudo-internal traffic

Tom Eastep teastep@shorewall.net
Mon, 29 Apr 2002 09:15:33 -0700 (PDT)


On Sat, 27 Apr 2002, Steve Estes wrote:

> Greetings all, 
> 
> Now I have a workaround for this which was to include a rule that took
> connections coming in off the gateway (ipsec tunnel) destined for the
> game ports and forwarded to the creators IP. That works fine too if a
> little restrictive but that's okay for the few times we actually go out
> that way. But when we switch back to lan gaming, the workaround rule has
> broken lan gaming if the game creator is at a different (local)  IP than
> the one the rule is forwarding to because the workaround rule is picking
> up ANY destination, not just the destination being the FW and forwarding
> them.
> 
> The rule I have is as follows:
> 
> ACCEPT  gw:192.168.1.0/24  local:192.168.2.2   udp  <portlist>  -    all
>

Why don't you just specify the external IP rather than "all" -- "all" 
means "I don't care what the destination IP is on the incoming packet, I 
want the packet forwarded to 192.128.2.2. 
 
> The directions say that "all" should only be used for port forwarding
> from external ips but I haven't found anything that works quite right
> without specifying all. What I would ideally like is a rule that says
> connections from the gateway for the game ports that END ON the firewall
> (i.e. on the external IP) should be forwarded to local:xxxx but
> connections from the gateway (for the game ports) with a destination
> other than the firewall should be left alone and routed per normal.

That is exacly what you will get if you replace "all" with the external 
IP.

> I tried specifying $FW where "all" is but that did not work (message
> from iptables 1.2.5 that host/network 'fw' was not found). I could
> perhaps hardcode my external IP instead of all but I can't see that
> really improving the configuration situation.
>

Did you try it?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net