Hi there, I've tried to set up a DNAT for allowing our internal users to connect to just ONE particular SSH server. I've used the line below, but that allowed ssh not just to that one host, but to all.

DNAT loc net:66.35.250.207 tcp ssh -

I have also tried to use "DNAT-" with ACCEPT, but achieved the same result: local users could connect to any IP with ssh. Have you any hints how I could accomplish my goal?

PS: it's cvs.sf.net ;-)

--
Ernest Beinrohr, OERNii eAdmin @ AxonPro.sk, http://www.AxonPro.sk
+421-2-62410360, +421-903-482603
HomePage: http://www.OERNii.sk/
-----
"Be liberal in what you accept, and conservative in what you send." -- Postel
On Wed, 23 Apr 2003, Ernest Beinrohr wrote:

> Hi there, I've tried to set up a DNAT for allowing our internal users to
> connect to just ONE particular SSH server. I've used the line
> below, but that allowed ssh not just to that one host, but to all.
>
> DNAT loc net:66.35.250.207 tcp ssh -
>
> I have also tried to use "DNAT-" with ACCEPT, but achieved the same
> result: local users could connect to any IP with ssh. Have you any hints
> how I could accomplish my goal?

Why in the world are you using DNAT on a loc->net rule????

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
On Wed, 23 Apr 2003, Tom Eastep wrote:

> On Wed, 23 Apr 2003, Ernest Beinrohr wrote:
>
> > Hi there, I've tried to set up a DNAT for allowing our internal users to
> > connect to just ONE particular SSH server. I've used the line
> > below, but that allowed ssh not just to that one host, but to all.
> >
> > DNAT loc net:66.35.250.207 tcp ssh -
> >
> > I have also tried to use "DNAT-" with ACCEPT, but achieved the same
> > result: local users could connect to any IP with ssh. Have you any hints
> > how I could accomplish my goal?
>
> Why in the world are you using DNAT on a loc->net rule????

Assuming that you have the normal 'loc->net ACCEPT' policy, what you apparently want is:

REJECT loc net:!66.35.250.207 tcp ssh

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
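A toy model of why both DNAT attempts in this thread let ssh through to every host while the REJECT rule does not. This is an added example, not Shorewall's code or Tom's; it assumes the simplified evaluation order stated in its header comment, and 198.51.100.9 is a constructed stand-in for "any other Internet host".

```python
# Toy model of Shorewall rule evaluation (added example, not Shorewall's own code).
# Assumed simplifications: /etc/shorewall/rules is tried top-down, a connection that
# matches no rule gets the zone-pair policy, DNAT only rewrites the destination (its
# DEST column is the server to redirect to, so it never denies anything), and DNAT-
# adds the NAT entry without the ACCEPT that plain DNAT would generate.
from dataclasses import dataclass

SERVICE_PORTS = {"ssh": 22}

@dataclass(frozen=True)
class Rule:
    action: str   # ACCEPT, REJECT, DROP, DNAT or DNAT-
    src: str      # source zone, e.g. "loc"
    dst: str      # "net", "net:66.35.250.207" or "net:!66.35.250.207"
    proto: str    # "tcp"
    port: str     # "ssh" or "22"

def dest_matches(spec: str, zone: str, ip: str) -> bool:
    """Match a filter rule's DEST column: zone, optional host, optional '!' negation."""
    dzone, _, host = spec.partition(":")
    if dzone != zone:
        return False
    return not host or (ip == host.lstrip("!")) != host.startswith("!")

def verdict(rules, policy, src, dst_zone, dst_ip, proto, dport) -> str:
    for r in rules:
        if r.src != src or r.proto != proto or int(SERVICE_PORTS.get(r.port, r.port)) != dport:
            continue
        if r.action == "DNAT":    # NAT entry plus an ACCEPT for the rewritten flow
            return "ACCEPT"
        if r.action == "DNAT-":   # NAT entry only; filtering is decided further down
            continue
        if dest_matches(r.dst, dst_zone, dst_ip):
            return r.action       # ACCEPT / REJECT / DROP
    return policy                 # nothing matched: the loc->net policy decides

POLICY_LOC_NET = "ACCEPT"        # the usual loc->net policy Tom assumes
SSH_SERVER = "66.35.250.207"
OTHER_HOST = "198.51.100.9"      # constructed stand-in for any other Internet host

DNAT_ATTEMPT = [Rule("DNAT", "loc", "net:" + SSH_SERVER, "tcp", "ssh")]
DNAT_MINUS_ATTEMPT = [Rule("DNAT-", "loc", "net:" + SSH_SERVER, "tcp", "ssh"),
                      Rule("ACCEPT", "loc", "net:" + SSH_SERVER, "tcp", "ssh")]
REJECT_FIX = [Rule("REJECT", "loc", "net:!" + SSH_SERVER, "tcp", "ssh")]

def ssh_outcomes(rules) -> dict:
    """Verdict for ssh from loc to the wanted server and to some other host."""
    return {ip: verdict(rules, POLICY_LOC_NET, "loc", "net", ip, "tcp", 22)
            for ip in (SSH_SERVER, OTHER_HOST)}
```

With an ACCEPT policy, only an explicit REJECT or DROP rule can narrow what loc may reach; a NAT action never does, so `ssh_outcomes(REJECT_FIX)` is the only variant that rejects the other host.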