On Thursday 15 December 2005 07:05, Juan Jose Lopez Gonzalez wrote:
> Hi all!
>
>
> I have a DNAT and REDIRECT question
>
> I have my firewall with two interfaces, the local network interface and
> the internet interface, and I want to redirect all www requests from the local
> network to a webserver on my local network EXCEPT a dynamic group of boxes
> that I get in a validation form in the web server.
>
> I'm trying with the following rule:
>
> DNAT loc:!192.168.1.100,!192.168.1.101 loc:192.168.1.240 tcp 80
>
> Where:
>
> 192.168.1.240 is the web server
> 192.168.1.100 is the ok validate box
> 192.168.1.101 is the other ok validate box.
>
> With only one validated IP it works fine
>
> DNAT loc:!192.168.1.101 loc:192.168.1.240 tcp 80
>
> , but if I add another IP (with !<IP>, like in the example below) it doesn't
> work. The firewall redirects all the IPs.
>
> Could anybody help us??

Either:

A)
    NONAT loc:<ip list> net tcp 80
    DNAT loc loc:192.168.1.240 tcp 80

B) Upgrade to Shorewall 3.0.3 and use a single rule:

    DNAT loc:!<ip list> net:192.168.1.240 tcp 80

In both cases, <ip list> is a comma-separated list of hosts that you don't
want to be redirected (e.g., 192.168.1.100,192.168.1.101)

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
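
A model of first-match NAT rule evaluation, added here as an example and not part of the original thread, showing why negating each address separately would redirect every host while the exempt-then-DNAT ordering of option A does not. The one-rule-per-list-entry expansion is an assumption made for illustration, not confirmed Shorewall behaviour; all function and variable names, and the client 192.168.1.50, are hypothetical.

```python
import ipaddress

# Validated boxes named in the thread.
EXEMPT = ["192.168.1.100", "192.168.1.101"]


def rule(action, src=None, negate=False):
    """One NAT rule. src=None matches any source; negate inverts the source test."""
    return {"action": action, "src": src, "negate": negate}


def matches(r, source):
    if r["src"] is None:
        return True
    hit = ipaddress.ip_address(source) == ipaddress.ip_address(r["src"])
    # A negated rule matches every source except the one it names.
    return hit != r["negate"]


def evaluate(rules, source):
    """First matching rule decides; with no match the packet is left alone."""
    for r in rules:
        if matches(r, source):
            return r["action"]
    return "PASS"


# ASSUMPTION: "loc:!192.168.1.100,!192.168.1.101" expands to one DNAT rule per
# entry. Each rule excludes only its own address, so every host still matches
# the rule written for the *other* address.
per_entry_negation = [rule("DNAT", ip, negate=True) for ip in EXEMPT]

# Option A from the reply: exempt the listed hosts first, then DNAT the rest.
exempt_then_dnat = [rule("NONAT", ip) for ip in EXEMPT] + [rule("DNAT")]


def redirected(rules, sources):
    """Return the sources whose port-80 traffic would be sent to the web server."""
    return [s for s in sources if evaluate(rules, s) == "DNAT"]


if __name__ == "__main__":
    clients = EXEMPT + ["192.168.1.50"]  # constructed sample client
    print("per-entry negation:", redirected(per_entry_negation, clients))
    print("exempt, then DNAT: ", redirected(exempt_then_dnat, clients))
```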