[Shorewall-users] Portforwarding within a zone

Tom Eastep teastep@shorewall.net
Sun, 6 Jan 2002 11:13:35 -0800


Chris,

On Sunday 06 January 2002 11:02 am, Chris Freeze wrote:
> I have a transparent squid proxy in the DMZ, but would like to also proxy
> outbound http traffic as well as local zone traffic.  I've tried setting
> this rule,
>
> ACCEPT  dmz     dmz:192.168.2.42:3128  tcp   http    -  all
>
>
> I've also got the policy file to allow all traffic from the DMZ to the net
> zone.  Can you portforward/redirect within a zone?

I'm unclear about exactly what you are trying to do. Is it that you have http
clients in your DMZ other than your proxy server? If so, you have yet another
variant on FAQ 2 (http://www.shorewall.net/FAQ.htm#faq2 and faq2a). You have
to be careful though that you don't forward the proxy server's HTTP requests
back to itself.

Try this:

a) specify 'multi' on the entry for the DMZ's interface in
/etc/shorewall/interfaces; and
b) you need to masquerade the DMZ to itself; and
c) you need to amend your rule above:

ACCEPT  dmz:!192.168.2.42  dmz:192.168.2.42:3128  tcp   http    -  all

-Tom
--
Tom Eastep    \  teastep@shorewall.net
AIM: tmeastep  \  http://www.shorewall.net
ICQ: #60745924  \  Firewalls for Linux 2.4
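The three steps in Tom's reply, written out as complete Shorewall 1.2-style file fragments. This is an added example, not text from the original post and not the Shorewall project's own documentation. Only the proxy address 192.168.2.42:3128 and the rule lines come from the thread; the DMZ interface name eth2, the DMZ subnet 192.168.2.0/24 and its broadcast address are assumptions chosen for illustration. The masquerade entry matters because, without it, the proxy would answer a redirected client directly on the shared subnet from its own address rather than the address the client originally connected to, and the client would discard the reply.

```text
# /etc/shorewall/interfaces   (assumed: the DMZ hangs off eth2)
# 'multi' lets the firewall route traffic between hosts on the same interface.
# ZONE   INTERFACE   BROADCAST        OPTIONS
dmz      eth2        192.168.2.255    multi

# /etc/shorewall/masq   (assumed DMZ subnet 192.168.2.0/24)
# Masquerade the DMZ to itself so replies from the proxy travel back through
# the firewall with the expected source address.
# INTERFACE   SUBNET
eth2          192.168.2.0/24

# /etc/shorewall/policy   (the DMZ-to-net policy mentioned in the question)
# SOURCE   DEST   POLICY
dmz        net    ACCEPT

# /etc/shorewall/rules
# ACTION   SOURCE              DEST                    PROTO   DEST PORT   SOURCE PORT   ORIGINAL DEST
#
# Rule as posted in the question. It also matches the proxy's own outbound
# HTTP, so the proxy's requests would be redirected back to itself:
# ACCEPT   dmz                 dmz:192.168.2.42:3128   tcp     http        -             all
#
# Amended rule from the reply: every DMZ host except the proxy is redirected.
ACCEPT     dmz:!192.168.2.42   dmz:192.168.2.42:3128   tcp     http        -             all
```

After editing the files, apply them with `shorewall restart`; the `!` exclusion in the SOURCE column is what keeps the proxy's own traffic out of the redirect.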