Nikolai K. Bochev
2010-Jan-29 09:08 UTC
Redirecting a port from a specific external address
Hello list,

My first time writing here :)

I have the following question - I have a setup on a certain server like this:

br0 -> external ip's ( port eth0 )
br1 -> internal ip's ( port eth1 )

On br0 there are several ip addresses:

8: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:30:48:be:70:5c brd ff:ff:ff:ff:ff:ff
    inet 212.116.129.230/30 brd 212.116.129.231 scope global br0
    inet 213.145.99.115/29 scope global br0
    inet6 fe80::230:48ff:febe:705c/64 scope link
       valid_lft forever preferred_lft forever

What I need to do is redirect port 80 to an internal address based on the ip address to which the request was made, i.e.:

212.116.129.230/30 on port 80 goes to -> 192.168.1.254:80
213.145.99.115/29 on port 80 goes to -> 192.168.1.248:80

With normal iptables, I would achieve this with something like this:

iptables -t nat -A PREROUTING -i br0 -d 212.116.129.230 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.248:80

How do I do this with shorewall?

Also the 192.168.1.248:80 is the ip address of br1 ( the firewall ) if that matters.

Thanks.

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
Nikolai K. Bochev wrote:
> Hello list,
>
> My first time writing here :)
>
> I have the following question - I have a setup on a certain server like this:
>
> br0 -> external ip's ( port eth0 )
> br1 -> internal ip's ( port eth1 )
>
> On br0 there are several ip addresses:
>
> 8: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
>     link/ether 00:30:48:be:70:5c brd ff:ff:ff:ff:ff:ff
>     inet 212.116.129.230/30 brd 212.116.129.231 scope global br0
>     inet 213.145.99.115/29 scope global br0
>     inet6 fe80::230:48ff:febe:705c/64 scope link
>        valid_lft forever preferred_lft forever
>
> What I need to do is redirect port 80 to an internal address based on the ip address to which the request was made, i.e.:
>
> 212.116.129.230/30 on port 80 goes to -> 192.168.1.254:80
> 213.145.99.115/29 on port 80 goes to -> 192.168.1.248:80
>
> With normal iptables, I would achieve this with something like this:
>
> iptables -t nat -A PREROUTING -i br0 -d 212.116.129.230 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.248:80
>
> How do I do this with shorewall?
>
> Also the 192.168.1.248:80 is the ip address of br1 ( the firewall ) if that matters.

Your question is addressed by example 5 in the shorewall-rules manpage.

In /etc/shorewall/rules:

DNAT net $FW:192.168.1.254 tcp 80 - 212.116.129.230

Given that you didn't tell us the location of the host with address 192.168.1.254, I can't tell you what the exact rule should be. But whatever zone 'Z' that 192.168.1.254 is in, you will have:

DNAT net Z:192.168.1.254 tcp 80 - 212.116.129.230

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
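The point of Tom's answer is that the last column of the rule (ORIGDEST) is what ties each redirect to one specific external address, so a second rule with a different ORIGDEST handles the second address. The script below is an added example, not code from this thread or from the Shorewall project: it builds one DNAT line per external address from a constructed mapping, refuses to emit a rule for an address that is not actually configured on br0 (such a rule would silently never match), and prints the raw iptables equivalent for comparison. The zone name `loc` for the LAN host and the helper names are assumptions; nothing is applied to a running firewall.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Shorewall project.
# Builds one Shorewall DNAT rule per external address from a constructed
# mapping, checks that each external address is configured on br0, and
# prints the raw iptables equivalent for comparison. Nothing is applied.

# Constructed mapping: "<external address> <zone:internal address>".
# The zone name 'loc' for the LAN host is an assumption; '$FW' is Shorewall's
# name for the firewall itself and is kept literal (single quotes).
MAPPINGS='212.116.129.230 loc:192.168.1.254
213.145.99.115 $FW:192.168.1.248'

# Constructed excerpt of `ip -4 addr show br0` (addresses as in the thread).
BR0_ADDRS='    inet 212.116.129.230/30 brd 212.116.129.231 scope global br0
    inet 213.145.99.115/29 scope global br0'

# has_local_addr ADDR: succeed only if ADDR is configured on br0.
# A DNAT rule whose ORIGDEST is not a local address never matches anything.
has_local_addr() {
    printf '%s\n' "$BR0_ADDRS" | grep -qF "inet $1/"
}

# shorewall_dnat_rule EXT_ADDR ZONE:DEST
# Emits one /etc/shorewall/rules line using the columns
# ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST. The ORIGDEST column is
# what restricts the rule to traffic addressed to that one external IP.
shorewall_dnat_rule() {
    printf 'DNAT\tnet\t%s\ttcp\t80\t-\t%s\n' "$2" "$1"
}

# iptables_dnat_rule EXT_ADDR ZONE:DEST
# The equivalent raw PREROUTING rule, shown for comparison only; the '-d'
# match plays the role of Shorewall's ORIGDEST column.
iptables_dnat_rule() {
    inner=${2#*:}    # drop the zone prefix, keep the address
    printf 'iptables -t nat -A PREROUTING -i br0 -d %s -p tcp --dport 80 -j DNAT --to-destination %s:80\n' \
        "$1" "$inner"
}

# generate_rules: one DNAT line per mapping; a mapping whose external
# address is not on br0 is reported on stderr and skipped.
generate_rules() {
    printf '%s\n' "$MAPPINGS" | while read -r ext dest; do
        [ -n "$ext" ] || continue
        if has_local_addr "$ext"; then
            shorewall_dnat_rule "$ext" "$dest"
        else
            printf 'skip: %s is not configured on br0\n' "$ext" >&2
        fi
    done
}

# Usage: print the rules block, then the iptables equivalents.
printf '# generated /etc/shorewall/rules entries\n'
generate_rules
printf '\n# raw iptables equivalents (not executed)\n'
printf '%s\n' "$MAPPINGS" | while read -r ext dest; do
    iptables_dnat_rule "$ext" "$dest"
done
```

Each generated line keeps the PROTO and DPORT columns (tcp, 80) so the redirect only covers the HTTP port rather than every port on that address, and the ORIGDEST check against the interface's real addresses catches the common mistake of redirecting an address the firewall does not own.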
Nikolai K. Bochev
2010-Feb-01 05:59 UTC
Re: Redirecting a port from a specific external address
Thanks, works perfectly. I guess I should read the docs more carefully.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Friday, January 29, 2010 5:41:16 PM
Subject: Re: [Shorewall-users] Redirecting a port from a specific external address

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users