Hi, maybe you can help me. I would need to route packets with destination port 80 and 443 to my third interface. Is that somehow possible with shorewall? I know it is with plain iptables and ip2.

Here is what I have tried:

interfaces:
  eth1 : loc (192.168.1.5)
  eth0 : net (a.b.c.d) -> real IP
  eth2 : isp2 (192.168.0.2)

masq: "eth0 eth1"

rules: "DNAT loc net:192.168.0.2 tcp http,https"

This rewrites packets destined to http(s) to the IP of ISP2, but they get REJECTED with no outgoing interface.

--
Ernest Beinrohr, OERNii eAdmin @ axonpro.sk, http://www.axonpro.sk/
+421-2--6241-0360, +421-903--482-603
HomePage: http://www.OERNii.sk/ ICQ: 28153343
---
There are 10 kinds of people, those that understand binary, and those that do not
shorewall-users-bounces@lists.shorewall.net wrote:

> Hi, maybe you can help me. I would need to route packets with destination
> port 80 and 443 to my third interface.

Which "third" interface?

> Is that somehow possible with shorewall? I know it is with plain iptables and ip2.

It is. You'll need a DNAT rule. It's listed in FAQ number 1: http://shorewall.net/FAQ.htm#id2807600

> Here is what I have tried:
>
> interfaces:
>   eth1 : loc (192.168.1.5)
>   eth0 : net (a.b.c.d) -> real IP
>   eth2 : isp2 (192.168.0.2)
>
> masq: "eth0 eth1"

This will allow users on eth0 to get out using eth1 - it seems strange to me?

> rules: "DNAT loc net:192.168.0.2 tcp http,https"
>
> This rewrites packets destined to http(s) to the IP of ISP2, but they get
> REJECTED with no outgoing interface.

I don't get it? Why do you want users on "loc" to contact the "net" only if they use port http and https?

Best regards,
Niels Kristian Jensen
Denmark
It should be

DNAT net loc:192.168.0.2 tcp http,https

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Niels Kristian Jensen
Sent: Tuesday, February 17, 2004 6:03 PM
To: Mailing List for Experienced Shorewall Users
Subject: Re: [Shorewall-users] Per port routing (with DNAT rewriting)?

> shorewall-users-bounces@lists.shorewall.net wrote:
>
> > Hi, maybe you can help me. I would need to route packets with destination
> > port 80 and 443 to my third interface.
>
> Which "third" interface?
>
> > Is that somehow possible with shorewall? I know it is with plain iptables and ip2.
>
> It is. You'll need a DNAT rule. It's listed in FAQ number 1: http://shorewall.net/FAQ.htm#id2807600
>
> > Here is what I have tried:
> >
> > interfaces:
> >   eth1 : loc (192.168.1.5)
> >   eth0 : net (a.b.c.d) -> real IP
> >   eth2 : isp2 (192.168.0.2)
> >
> > masq: "eth0 eth1"
>
> This will allow users on eth0 to get out using eth1 - it seems strange to me?
>
> > rules: "DNAT loc net:192.168.0.2 tcp http,https"
> >
> > This rewrites packets destined to http(s) to the IP of ISP2, but they get
> > REJECTED with no outgoing interface.
>
> I don't get it? Why do you want users on "loc" to contact the "net" only if they use port http and https?
>
> Best regards,
> Niels Kristian Jensen
> Denmark
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
shorewall-users-bounces@lists.shorewall.net wrote:

> It should be
>
> DNAT net loc:192.168.0.2 tcp http,https

That seems correct. Try to change it to:

DNAT:info net loc:192.168.0.2 tcp http,https

Run some tests and check out /var/log/messages. What does it give you?

Best regards,
Niels Kristian Jensen
Denmark
Jason Png wrote:

> It should be
>
> DNAT net loc:192.168.0.2 tcp http,https

I'm far from a shorewall expert here, but shouldn't the DNAT be REDIRECT since the destination is an interface on the firewall?

Steve Cowles
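Niels suggests adding ":info" to the DNAT rule and reading /var/log/messages; the following is an added helper (not from the thread or from Shorewall) that parses the netfilter log lines Shorewall writes with its default "Shorewall:<chain>:<action>:" prefix and follows each DNATed web connection to the filter verdict logged for it. The chain names, addresses and timestamps in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages entries (not real traffic). On the
# DNAT line, DST is still the address before rewriting because the log rule
# runs ahead of the NAT rule; later lines show the rewritten destination.
SAMPLE_LOG = """\
Feb 17 18:05:01 fw kernel: Shorewall:net_dnat:DNAT:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4321 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 18:05:01 fw kernel: Shorewall:net2all:REJECT:IN=eth0 OUT=eth2 SRC=203.0.113.7 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4321 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 18:05:02 fw kernel: Shorewall:net_dnat:DNAT:IN=eth0 OUT= SRC=203.0.113.8 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=777 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 18:05:02 fw kernel: Shorewall:net2loc:ACCEPT:IN=eth0 OUT=eth2 SRC=203.0.113.8 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=777 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 18:05:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=2 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")


def parse_shorewall_log(text):
    """Return one dict per Shorewall-tagged line: chain, action, and the
    netfilter key=value fields (IN, OUT, SRC, DST, PROTO, SPT, DPT, ...).
    Other syslog lines are skipped; bare flags such as DF or SYN are ignored."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            fields = dict(re.findall(r"(\w+)=(\S*)", m.group("rest")))
            entries.append({"chain": m.group("chain"), "action": m.group("action"), **fields})
    return entries


def trace_dnat_flows(entries, dports=("80", "443")):
    """Group web-port log lines by (SRC, SPT), which NAT leaves untouched, and
    keep only flows that were DNATed. Each value lists (chain, action, DST, OUT)
    in log order, so a DNAT followed by REJECT/DROP, or by nothing at all, is
    exactly the symptom the original poster reports."""
    flows = defaultdict(list)
    for e in entries:
        if e.get("PROTO") != "TCP" or e.get("DPT") not in dports:
            continue
        flows[(e.get("SRC"), e.get("SPT"))].append(
            (e["chain"], e["action"], e.get("DST"), e.get("OUT"))
        )
    return {k: v for k, v in flows.items() if any(a == "DNAT" for _, a, _, _ in v)}


if __name__ == "__main__":
    for (src, spt), steps in trace_dnat_flows(parse_shorewall_log(SAMPLE_LOG)).items():
        print(f"{src}:{spt}", " -> ".join(f"{c}:{a} dst={d} out={o or '-'}" for c, a, d, o in steps))
```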