Hello,
First, I looked in the Docs for mention of my situation and I found nothing;
I hope I didn't miss anything. Here is my problem.

I am using shorewall-1.3.1. I am trying to set up several servers on the lan
zone, accessible from the wan zone. I am not using a dmz zone (there is
nothing on the lan with security concerns other than the servers; maybe I
should have called my lan zone dmz?).

Now I am trying to forward ports through to the server using rules. This
works great until I try this on an alias IP. I have added aliases to the
external NIC (wan), and I can access the firewall through them, so I know they
are working. But when I try to do DNAT on them with a rule, it is rejected
in the wan2all chain. If it was DNAT'ed, it will never make it to the
wan2all chain because I have a wan2lan policy of reject. Here are my policies.
#client   server   policy   log_level
lan       wan      ACCEPT   info
lan       all      REJECT   info
fw        all      REJECT   info
wan       lan      REJECT   info
wan       all      REJECT   info
all       all      REJECT   info
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
DNAT works just fine on the interface default IP. So why is it not
DNATing aliased IPs?
--
Regards
Joseph    http://www.datakota.com