I'm using opennode for a hypervisor and used the howto on their site to set up shorewall (using the exact same config here: http://opennodecloud.com/documentation/howtos/firewall-support/)

So, I have 2 servers running opennode each with several vms. The 2 opennode servers are separated over the internet. On each opennode server, there is a vm running elasticsearch. I want these two elasticsearch servers to communicate but I also want to encrypt their communications. I decided to use stunnel for this.

So I have this working so far:

ES_VM_1 <--> STUNNEL_1 <--> INTERNET <--> STUNNEL_2 <--> ES_VM_2

ES_VM_1: 192.168.1.200
STUNNEL_1: 10.10.1.1
STUNNEL_2: 10.10.2.1
ES_VM_2: 192.168.2.200

ES_VM_1 has its host peer set to 10.10.1.1:9300 (to connect to STUNNEL_1), and ES_VM_2 has its host peer set to 10.10.2.1:9300 (to connect to STUNNEL_2) - once connected to each stunnel, then stunnel routes it over the internet and connects on each of the far sides to their local ES_VM.

I have tested STUNNEL_1 to STUNNEL_2 and vice versa and all works fine. I have used telnet to verify connection from ES_VM_1 to ES_VM_2 (over stunnel) and vice versa, and all seems to be working fine (I can connect, and when I type and send some junk text, the es logs report a parsing error).

The problem comes in that elasticsearch can use ports 9300-9400 to communicate node to node, so I'm thinking a REDIRECT rule for outgoing traffic to anything where dest ports are in the range 9300-9400 to the stunnel listening ip:port would do the trick. I've used the following rule:

For location 2:

REDIRECT- venet:192.168.2.200 9300 tcp 9300:9400

As I understand it, this would redirect all traffic from 192.168.2.200 with destination ports between 9300 and 9400 to the local fw:9300 (which, I think, fw would be 10.10.2.1 or any listening ip on the opennode location 2 server).

When I do iptables -L -t nat -v I can see there is a new dnat chain venet_dnat, and the pkts and bytes increase, so the REDIRECT appears to be redirecting the right traffic. Unfortunately, the traffic seems to disappear after that. Any insight would be appreciated.
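The following is an added example, not code from the post or from the Shorewall or stunnel projects. It models the rule quoted above (Shorewall REDIRECT columns: ACTION SOURCE DEST-PORT PROTO DPORT) and applies the netfilter REDIRECT semantics: a matching packet keeps its source but has its destination rewritten to the primary address of the interface it arrived on, plus the configured port. That rewritten address is then compared against the (ip, port) pairs a local daemon actually binds, which is the check worth making when counters in the dnat chain climb but nothing answers. The zone-to-interface map (venet -> venet0), the interface address 198.51.100.1 and the listener set are constructed assumptions for the demonstration.

```python
"""Model of a Shorewall REDIRECT rule and the local-listener check (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumption: the Shorewall zone "venet" is bound to interface venet0 (constructed mapping).
ZONE_INTERFACES: Dict[str, str] = {"venet": "venet0"}


@dataclass(frozen=True)
class RedirectRule:
    source_zone: str
    source_host: ipaddress.IPv4Network   # /32 when a single address is given
    redirect_port: int                   # DEST column: local port packets are sent to
    proto: str
    dport_lo: int
    dport_hi: int
    adds_accept: bool                    # "REDIRECT-" suppresses the implicit ACCEPT


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_rule(line: str) -> RedirectRule:
    """Parse one Shorewall rules line of the form used in the post."""
    action, source, dest, proto, dport = line.split()
    if not action.startswith("REDIRECT"):
        raise ValueError("not a REDIRECT rule: %s" % action)
    zone, _, host = source.partition(":")
    net = ipaddress.ip_network(host or "0.0.0.0/0")
    lo, _, hi = dport.partition(":")
    return RedirectRule(zone, net, int(dest), proto.lower(),
                        int(lo), int(hi or lo), not action.endswith("-"))


def apply_redirect(rule: RedirectRule, pkt: Packet,
                   iface_addr: Dict[str, str]) -> Optional[Tuple[str, int]]:
    """Return the rewritten (dst_ip, dst_port) if the rule matches, else None.

    netfilter's REDIRECT target sets the destination to the primary address of
    the incoming interface; iface_addr supplies that address per interface.
    """
    if ZONE_INTERFACES.get(rule.source_zone) != pkt.in_iface:
        return None
    if pkt.proto.lower() != rule.proto:
        return None
    if ipaddress.ip_address(pkt.src) not in rule.source_host:
        return None
    if not rule.dport_lo <= pkt.dport <= rule.dport_hi:
        return None
    return iface_addr[pkt.in_iface], rule.redirect_port


def listener_covers(listeners: Set[Tuple[str, int]], addr: str, port: int) -> bool:
    """True if some local socket would accept a connection to addr:port.

    listeners holds (bind_ip, port); a 0.0.0.0 bind accepts any local address.
    """
    return (addr, port) in listeners or ("0.0.0.0", port) in listeners


def trace(rule: RedirectRule, pkt: Packet, iface_addr: Dict[str, str],
          listeners: Set[Tuple[str, int]]) -> str:
    """One-line verdict for a packet: not matched, redirected with/without a listener."""
    target = apply_redirect(rule, pkt, iface_addr)
    if target is None:
        return "no match: %s:%d passes untouched" % (pkt.dst, pkt.dport)
    if listener_covers(listeners, *target):
        return "redirected to %s:%d, listener present" % target
    return "redirected to %s:%d, but nothing listens there" % target


if __name__ == "__main__":
    rule = parse_rule("REDIRECT- venet:192.168.2.200 9300 tcp 9300:9400")
    # Constructed: primary address of venet0 on the host, and stunnel bound only to 10.10.2.1.
    iface_addr = {"venet0": "198.51.100.1"}
    stunnel_only_on_10 = {("10.10.2.1", 9300)}
    stunnel_on_any = {("0.0.0.0", 9300)}
    pkt = Packet("venet0", "tcp", "192.168.2.200", "10.10.1.1", 9350)
    print(trace(rule, pkt, iface_addr, stunnel_only_on_10))
    print(trace(rule, pkt, iface_addr, stunnel_on_any))
```

Running the block prints the two verdicts for the same packet: with stunnel bound only to 10.10.2.1 the redirected connection has no listener, while a 0.0.0.0 bind (or a bind on the venet0 primary address) covers it. On the real host, compare the output of `ss -ltn` on the OpenNode box against the address the redirected flows are given rather than against the address the VM was told to connect to.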