How do I do this in Shorewall?

iptables -t nat -A PREROUTING -d 200.200.10.10 -p tcp --dport 2181 -j DNAT --to 10.101.7.1:2180
iptables -A FORWARD -d 10.101.7.1 -p tcp --dport 2180 --syn -j ACCEPT

Thanks
On 04/27/2010 09:34 AM, Orlandinei Vujanski wrote:
> How do I do this in Shorewall?
>
> iptables -t nat -A PREROUTING -d 200.200.10.10 -p tcp --dport 2181 -j DNAT --to 10.101.7.1:2180
> iptables -A FORWARD -d 10.101.7.1 -p tcp --dport 2180 --syn -j ACCEPT

/etc/shorewall/rules:

DNAT net loc:10.101.7.1:2180 tcp 2181 - 200.200.10.10

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Thanks Tom,

But my internal equipment only responds on port 2180; how do they respond to this request?

2010/4/27 Tom Eastep <teastep@shorewall.net>
> On 04/27/2010 09:34 AM, Orlandinei Vujanski wrote:
> > How do I do this in Shorewall?
> >
> > iptables -t nat -A PREROUTING -d 200.200.10.10 -p tcp --dport 2181 -j DNAT --to 10.101.7.1:2180
> > iptables -A FORWARD -d 10.101.7.1 -p tcp --dport 2180 --syn -j ACCEPT
>
> /etc/shorewall/rules:
>
> DNAT net loc:10.101.7.1:2180 tcp 2181 - 200.200.10.10
>
> -Tom
The config Tom gave you treats only incoming traffic. What arrives on 200.200.10.10:2181 (tcp) will be pushed to 10.101.7.1:2180 (tcp). The response will be done by your machine itself, either by a high port or whatever is configured in the application running on 10.101.7.1.

_____
From: Orlandinei Vujanski [mailto:orlandinei@gmail.com]
Sent: Tuesday, 27 April 2010 22:59
To: Shorewall Users; teastep@shorewall.net
Subject: Re: [Shorewall-users] Help - Please

Thanks Tom,

But my internal equipment only responds on port 2180; how do they respond to this request?

2010/4/27 Tom Eastep <teastep@shorewall.net>
On 04/27/2010 09:34 AM, Orlandinei Vujanski wrote:
> How do I do this in Shorewall?
>
> iptables -t nat -A PREROUTING -d 200.200.10.10 -p tcp --dport 2181 -j DNAT --to 10.101.7.1:2180
> iptables -A FORWARD -d 10.101.7.1 -p tcp --dport 2180 --syn -j ACCEPT

/etc/shorewall/rules:

DNAT net loc:10.101.7.1:2180 tcp 2181 - 200.200.10.10

-Tom
On 04/27/2010 01:58 PM, Orlandinei Vujanski wrote:
> Thanks Tom,
> But my internal equipment only responds on port 2180; how do they
> respond to this request?

The rules file entry that I gave you generates the same DNAT transformation as your iptables nat table rule. The ACCEPT iptables rule generated by my DNAT entry is slightly tighter than yours in that it insists that the original IP address prior to DNAT be 200.200.10.10.

My entry also maps only connections originating in the 'net' zone and assumes that the server resides in the 'loc' zone; you'll need to change those names to fit your naming convention and topology.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
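To make the difference Tom describes concrete, here is an added example (it is not Shorewall's code, and not from anyone in this thread) that translates a rules-file DNAT entry of the shape used above into the pair of iptables rules it stands for. The interface names (`eth0`, `eth1`) and the use of the plain PREROUTING and FORWARD chains are assumptions for illustration; the real Shorewall compiler emits its own per-zone chains. The point it shows is the extra `-m conntrack --ctorigdst` match on the ACCEPT rule when an ORIGDEST column is present, and the looser rule you get without it. It also rejects a malformed host such as `10.101.71`, which is what the first post's `--to` address looked like before the typo was corrected.

```python
"""Translate a Shorewall /etc/shorewall/rules DNAT entry into the iptables
rules it corresponds to (added illustration, not Shorewall's compiler).

Assumptions (not from the thread): the caller supplies a zone-to-interface
map; output uses the plain PREROUTING/FORWARD chains rather than
Shorewall's generated per-zone chains; DEST must be zone:host[:port].
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DnatRule:
    source_zone: str
    dest_zone: str
    dest_ip: str
    dest_port: Optional[str]
    proto: str
    dport: str
    sport: Optional[str]
    original_dest: Optional[str]


def _opt(field: str) -> Optional[str]:
    """Shorewall writes '-' for an empty column."""
    return None if field == "-" else field


def parse_shorewall_dnat(line: str) -> DnatRule:
    """Parse 'DNAT SOURCE DEST PROTO DPORT [SPORT] [ORIGDEST]'.
    Trailing optional columns may be omitted entirely."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DNAT":
        raise ValueError(f"not a DNAT rule with at least 5 columns: {line!r}")
    fields += ["-"] * (7 - len(fields))           # pad missing optional columns
    _, source, dest, proto, dport, sport, origdest = fields[:7]
    dest_zone, sep, target = dest.partition(":")
    if not sep:
        raise ValueError("DEST must be zone:host[:port] for a DNAT rule")
    dest_ip, _, dest_port = target.partition(":")
    # Reject malformed hosts such as '10.101.71' (three octets is not an address).
    ipaddress.ip_address(dest_ip)
    if origdest != "-":
        ipaddress.ip_address(origdest)
    return DnatRule(source, dest_zone, dest_ip, dest_port or None,
                    proto, dport, _opt(sport), _opt(origdest))


def shorewall_dnat_to_iptables(line: str, zone_ifaces: Dict[str, str]) -> List[str]:
    """Return [nat PREROUTING DNAT rule, FORWARD ACCEPT rule] for the entry.

    With an ORIGDEST column the ACCEPT rule carries '-m conntrack --ctorigdst',
    so it only admits packets whose pre-NAT destination was that address.
    Without it, the ACCEPT rule is as loose as the hand-written one in the
    first post: any forwarded packet to the server's port would match."""
    rule = parse_shorewall_dnat(line)
    in_if = zone_ifaces[rule.source_zone]
    out_if = zone_ifaces[rule.dest_zone]
    target = rule.dest_ip + (f":{rule.dest_port}" if rule.dest_port else "")

    nat = ["iptables", "-t", "nat", "-A", "PREROUTING", "-i", in_if]
    if rule.original_dest:
        nat += ["-d", rule.original_dest]
    nat += ["-p", rule.proto]
    if rule.sport:
        nat += ["--sport", rule.sport]
    nat += ["--dport", rule.dport, "-j", "DNAT", "--to-destination", target]

    fwd = ["iptables", "-A", "FORWARD", "-i", in_if, "-o", out_if,
           "-p", rule.proto, "-d", rule.dest_ip]
    if rule.sport:
        fwd += ["--sport", rule.sport]
    fwd += ["--dport", rule.dest_port or rule.dport]     # post-NAT port
    if rule.original_dest:
        fwd += ["-m", "conntrack", "--ctorigdst", rule.original_dest]
    fwd += ["-j", "ACCEPT"]
    return [" ".join(nat), " ".join(fwd)]


if __name__ == "__main__":
    # The entry from Tom's reply, with constructed interface names.
    for cmd in shorewall_dnat_to_iptables(
            "DNAT net loc:10.101.7.1:2180 tcp 2181 - 200.200.10.10",
            {"net": "eth0", "loc": "eth1"}):
        print(cmd)
```

Running it prints the two generated commands; dropping the trailing `200.200.10.10` column from the entry removes both the `-d` match on the nat rule and the `--ctorigdst` match on the ACCEPT rule, which is exactly the tightening Tom is referring to.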
Thanks Tom, this works perfectly. Congratulations.

Orlandinei Vujanski
Information Technology - Network Administrator
Porto de Cima Adm. Part. e Serv. S/A - Grupo J.Malucelli
(41) 3351-5587
www.jmalucelli.com.br

This E-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return E-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.

2010/4/27 Tom Eastep <teastep@shorewall.net>
> On 04/27/2010 01:58 PM, Orlandinei Vujanski wrote:
> > Thanks Tom,
> > But my internal equipment only responds on port 2180; how do they
> > respond to this request?
>
> The rules file entry that I gave you generates the same DNAT transformation
> as your iptables nat table rule. The ACCEPT iptables rule generated by my
> DNAT entry is slightly tighter than yours in that it insists that the
> original IP address prior to DNAT be 200.200.10.10.
>
> My entry also maps only connections originating in the 'net' zone and
> assumes that the server resides in the 'loc' zone; you'll need to change
> those names to fit your naming convention and topology.
>
> -Tom