[Shorewall-users] redirecting pseudo-internal traffic
Mon, 29 Apr 2002 09:15:33 -0700 (PDT)
On Sat, 27 Apr 2002, Steve Estes wrote:
> Greetings all,
> Now I have a workaround for this which was to include a rule that took
> connections coming in off the gateway (ipsec tunnel) destined for the
> game ports and forwarded to the creators IP. That works fine too if a
> little restrictive but that's okay for the few times we actually go out
> that way. But when we switch back to lan gaming, the workaround rule has
> broken lan gaming if the game creator is at a different (local) IP than
> the one the rule is forwarding to because the workaround rule is picking
> up ANY destination, not just the destination being the FW and forwarding
> The rule I have is as follows:
> ACCEPT gw:192.168.1.0/24 local:192.168.2.2 udp <portlist> - all
Why don't you just specify the external IP rather than "all" -- "all"
means "I don't care what the destination IP is on the incoming packet, I
want the packet forwarded to 22.214.171.124."
> The directions say that "all" should only be used for port forwarding
> from external ips but I haven't found anything that works quite right
> without specifying all. What I would ideally like is a rule that says
> connections from the gateway for the game ports that END ON the firewall
> (i.e. on the external IP) should be forwarded to local:xxxx but
> connections from the gateway (for the game ports) with a destination
> other than the firewall should be left alone and routed per normal.
That is exactly what you will get if you replace "all" with the external
> I tried specifying $FW where "all" is but that did not work (message
> from iptables 1.2.5 that host/network 'fw' was not found). I could
> perhaps hardcode my external IP instead of all but I can't see that
> really improving the configuration situation.
Did you try it?
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ email@example.com
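As an added illustration of the change Tom suggests (not part of the original thread), here is an /etc/shorewall/rules fragment in the Shorewall 1.2 column layout of the posted rule, with the "all" rule beside one that names the firewall's external address. The zone names gw and local and the addresses 192.168.1.0/24 and 192.168.2.2 are taken from Steve's rule; the external address 203.0.113.5 and the single port 27015 are assumptions standing in for his real values.

```text
#ACTION  SOURCE             DEST               PROTO  DEST     SOURCE   ORIGINAL
#                                                     PORT(S)  PORT(S)  DEST
#
# Workaround as posted: ORIGINAL DEST "all" means the DNAT is applied to
# every udp packet from the gw zone on this port, whatever address it was
# sent to, so a LAN game hosted on any other local address is redirected too.
#ACCEPT  gw:192.168.1.0/24  local:192.168.2.2  udp    27015    -        all
#
# Suggested fix: only packets whose original destination is the firewall's
# external address are redirected; anything else from gw on this port is
# routed as usual. (203.0.113.5 is an assumed external address, 27015 an
# assumed game port.)
ACCEPT   gw:192.168.1.0/24  local:192.168.2.2  udp    27015    -        203.0.113.5
```

The difference is entirely in the last column: with "all" the generated nat-table DNAT rule carries no destination-address match, so every gw-zone packet to the port is rewritten; with the external address in ORIGINAL DEST the rule only matches packets addressed to that IP, which is what the "connections that END ON the firewall" wording asks for. Reload the rules with `shorewall restart` after editing, and check with `shorewall show nat` that the DNAT rule now shows the external address as its destination.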