Hello!

I just have two questions about DNAT rules:

(1) In a rule like

    DNAT    net    loc:192.168.1.3    tcp    ssh

given that this will cause the destination address of the packets from the net zone to be rewritten as 192.168.1.3 regardless of their original destination, what is the purpose of specifying the zone in the DEST column? It's hard to understand how loc could really be a necessary qualifier for 192.168.1.3 since loc itself would not be used as a criterion for determining whether or not to apply the rule. Well, unless the meaning of loc is that *incoming* packets must match SOURCE=net and DEST=loc.

(2) Along similar lines, it seems that there is no zone specified in the ORIGINAL DEST column. There seem to be three ways to interpret this:

    A. The original destination zone is implicitly $FW
    B. The original destination zone is implicitly "all"
    C. The original destination zone is, in fact, "loc"

Thanks for any help you can provide! We're trying to write some software that generates Shorewall configurations, and these little details have us a bit confused!

Tim
--On Thursday, November 21, 2002 05:15:42 PM +0900 Tim Burress <tim@ambisys.com> wrote:

> Hello!
>
> I just have two questions about DNAT rules:
>
> (1) In a rule like
>
> DNAT net loc:192.168.1.3 tcp ssh
>
> given that this will cause the destination address of the packets from
> the net zone to be rewritten as 192.168.1.3 regardless of their original
> destination, what is the purpose of specifying the zone in the DEST
> column?

Because the entire structure of the firewall is based on zones. Please read http://shorewall.sf.net/shorewall_firewall_structure.htm. The zone in the DEST column determines which chain the DNAT rule and the companion filter rule are placed in.

> (2) Along similar lines, it seems that there is no zone specified in the
> ORIGINAL DEST column. There seem to be three ways to interpret this:
>
> A. The original destination zone is implicitly $FW
> B. The original destination zone is implicitly "all"
> C. The original destination zone is, in fact "loc"
>

That column is used to restrict the scope of a DNAT or REDIRECT rule. The zone that the address falls into (if any) is immaterial because the address will only be used in the DNAT rule created in the NetFilter 'nat' table. The address is typically an address associated with the firewall's external interface but it need not be -- I have used "!206.124.146.177" in that column before (to bypass transparent proxy redirection when the original request was for my own web server); that expression encompasses ALL of my zones.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
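The following is an added example, not code from either poster or from the Shorewall project. It takes a structured DNAT rule of the kind Tim's generator would produce and emits (a) the Shorewall rules-file line and (b) the iptables commands it boils down to, so the two columns under discussion land where Tom describes them: the DEST zone selects the filter chain for the companion ACCEPT rule (which matches the address *after* rewriting), while ORIGINAL DEST appears only as a `-d` match on the 'nat' table rule and never in the filter rule. The zone-to-interface map, the `net2loc` chain name and the flat PREROUTING placement are assumptions made for illustration; Shorewall's real generated chain layout differs by version.

```python
"""Illustrate where the DEST zone and ORIGINAL DEST columns of a Shorewall DNAT
rule end up in the resulting iptables commands (added example, not Shorewall code)."""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: zone -> interface mapping (Shorewall takes this from its interfaces file).
ZONE_IFACE = {"net": "eth0", "loc": "eth1"}


@dataclass
class DnatRule:
    src_zone: str              # SOURCE column
    dest_zone: str             # zone half of DEST ("loc" in "loc:192.168.1.3")
    dest_addr: str             # address half of DEST: the rewritten destination
    proto: str                 # PROTO column
    dest_port: str             # DEST PORT(S) column ("ssh" or "22")
    original_dest: str = "-"   # ORIGINAL DEST column: "-" = any, "!addr" = all but addr


def rules_line(r: DnatRule) -> str:
    """Tab-separated rules-file line, 1.3-era column order:
    ACTION SOURCE DEST PROTO DEST PORT SOURCE PORT ORIGINAL DEST."""
    return "\t".join(["DNAT", r.src_zone, f"{r.dest_zone}:{r.dest_addr}",
                      r.proto, r.dest_port, "-", r.original_dest])


def _original_dest_match(spec: str) -> List[str]:
    """Translate ORIGINAL DEST into an iptables -d match; a leading '!' negates it."""
    if spec == "-":
        return []
    if spec.startswith("!"):
        return ["!", "-d", spec[1:]]
    return ["-d", spec]


def iptables_equivalent(r: DnatRule) -> Dict[str, str]:
    """Return the nat-table DNAT rule and the filter-table companion ACCEPT rule."""
    in_if = ZONE_IFACE[r.src_zone]
    out_if = ZONE_IFACE[r.dest_zone]

    # nat table: ORIGINAL DEST restricts which packets get rewritten (assumed
    # placement directly in PREROUTING, keyed on the source zone's interface).
    nat = ["iptables", "-t", "nat", "-A", "PREROUTING", "-i", in_if, "-p", r.proto,
           *_original_dest_match(r.original_dest), "--dport", r.dest_port,
           "-j", "DNAT", "--to-destination", r.dest_addr]

    # filter table: the DEST zone picks the chain (assumed name "<src>2<dest>");
    # the ACCEPT matches the post-NAT address, so ORIGINAL DEST never appears here.
    chain = f"{r.src_zone}2{r.dest_zone}"
    filt = ["iptables", "-A", chain, "-i", in_if, "-o", out_if, "-p", r.proto,
            "-d", r.dest_addr, "--dport", r.dest_port, "-j", "ACCEPT"]
    return {"nat": " ".join(nat), "filter": " ".join(filt)}


if __name__ == "__main__":
    # Tim's rule, then the same rule scoped with Tom's negated ORIGINAL DEST.
    for rule in (DnatRule("net", "loc", "192.168.1.3", "tcp", "ssh"),
                 DnatRule("net", "loc", "192.168.1.3", "tcp", "ssh", "!206.124.146.177")):
        print(rules_line(rule))
        for table, cmd in iptables_equivalent(rule).items():
            print(f"  {table}: {cmd}")
```

Run it and compare the two outputs: the filter-table line is identical for both rules, and only the nat-table line changes when ORIGINAL DEST is set. That is the practical answer to question (2): the column is a packet-selection criterion for the rewrite, not a zone.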