Hi All.

I had a look at the documentation and FAQ at shorewall.net before posting and couldn't find an answer. If I overlooked something, please feel free to point me to the right section.

What I'm trying to achieve: a client somewhere on the Internet connects to my firewall's EXTERNAL IP on port 80, and shorewall/iptables forwards the packets to a different web server *on the Internet* -- my firewall is NOT the gateway/router/whatever for this external web server, so the packets on the way back from the web server to the client do not pass through my firewall (unless of course somebody can tell me how to do it).

I would imagine that for this to work the packet's header would have to be rewritten so the source address becomes my firewall's address before it gets sent to the destination web server, and on the way back the packet passes through my firewall and back to the client.

How is this achieved with Shorewall?

Thanks in advance,
Gonzalo.
On Sat, 26 Apr 2003 05:24:57 +1000, Gonzalo Servat <gonzalo@linuxaus.com> wrote:

> How is this achieved with Shorewall?

This is FAQ #2 with the 'net' zone replacing the 'loc' zone.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
On 25/04/2003 12:33 PM -0700 Tom Eastep wrote:

>> How is this achieved with Shorewall?
>
> This is FAQ #2 with the 'net' zone replacing the 'loc' zone.

Ok, I thought this was a bit more advanced, since forwarding to a local server usually means the firewall is the gateway point and the packets have to traverse it, therefore there's no problem. When forwarding to a server on the Internet where the client can route to it directly, I thought it was a different story.

I've added:

    DNAT net net:XX.XX.XX.XX tcp 80 - YY.YY.YY.YY

.. where XX.XX.XX.XX is the destination web server and YY.YY.YY.YY is the firewall's IP address.

This doesn't seem to work. tcpdump just shows incoming packets to port 80, but no outgoing packets from the firewall to XX.XX.XX.XX show up.

Any ideas?

Thanks, Tom.

Regards,
Gonzalo.
On Sat, 26 Apr 2003 05:38:57 +1000, Gonzalo Servat <gonzalo@linuxaus.com> wrote:

> On 25/04/2003 12:33 PM -0700 Tom Eastep wrote:
>
>>> How is this achieved with Shorewall?
>>
>> This is FAQ #2 with the 'net' zone replacing the 'loc' zone.
>
> Ok, I thought this was a bit more advanced, since forwarding to a local
> server usually means the firewall is the gateway point and the packets
> have to traverse it, therefore there's no problem. When forwarding to a
> server on the Internet where the client can route to it directly, I
> thought it was a different story.
>
> I've added:
>
>     DNAT net net:XX.XX.XX.XX tcp 80 - YY.YY.YY.YY
>
> .. where XX.XX.XX.XX is the destination web server and YY.YY.YY.YY is the
> firewall's IP address.

    DNAT net net:XX.XX.XX.XX tcp 80 - YY.YY.YY.YY:YY.YY.YY.YY

Same as in FAQ #2 with the 'net' zone replacing the 'loc' zone. In FAQ #2, packets are being redirected from the 'loc' zone to a server in the 'loc' zone; in your case packets are being redirected from the 'net' zone to a server in the 'net' zone. And since zone names mean absolutely nothing to Shorewall, the two cases are identical (except that in your case there are only two addresses involved, where in FAQ #2 there are three).

-Tom
On Fri, 25 Apr 2003 12:46:17 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> Same as in FAQ #2 with the 'net' zone replacing the 'loc' zone. In FAQ
> #2, packets are being redirected from the 'loc' zone to a server in the
> 'loc' zone; in your case packets are being redirected from the 'net' zone
> to a server in the 'net' zone. And since zone names mean absolutely
> nothing to Shorewall, the two cases are identical (except that in your
> case there are only two addresses involved, where in FAQ #2 there are
> three).

And be sure you look at the FAQ for important version-dependent information (for example, if you are running 1.4.1[a], you need to upgrade to 1.4.2 and set the 'routeback' option on your external interface).

-Tom
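The DNAT rule Tom gives above, together with the 'routeback' note, expressed as the equivalent raw iptables rules so the mechanism is visible: the trailing `:YY.YY.YY.YY` is what adds the SNAT that pulls the web server's replies back through the firewall, and 'routeback' is what lets the forwarded packet leave on the interface it arrived on. This is an added example, not part of the thread and not Shorewall's own code; `eth0`, 203.0.113.1 (the firewall, YY.YY.YY.YY) and 198.51.100.10 (the web server, XX.XX.XX.XX) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): the iptables rules equivalent to the
# Shorewall rule
#   DNAT net net:SERVER tcp 80 - EXT_IP:EXT_IP
# Interface and addresses below are constructed placeholders (RFC 5737 ranges).

# hairpin_rules EXT_IF EXT_IP SERVER_IP PORT
# Prints the rules rather than applying them, so they can be reviewed first
# (or piped to sh on the firewall). Nothing here touches the live ruleset.
hairpin_rules() {
    ext_if=$1; ext_ip=$2; server=$3; port=$4
    # 1. Rewrite the destination: client -> EXT_IP:PORT becomes client -> SERVER:PORT.
    #    Only this rule is present when the ':EXT_IP' suffix is left off.
    echo "iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -p tcp --dport $port -j DNAT --to-destination $server"
    # 2. Allow the forwarded packet to go back out on the interface it came in on;
    #    this is what Shorewall's 'routeback' option on the external interface permits.
    echo "iptables -A FORWARD -i $ext_if -o $ext_if -d $server -p tcp --dport $port -j ACCEPT"
    # 3. Rewrite the source so the server answers the firewall, not the client.
    #    Without this, the server replies straight to the client, which never sent
    #    it a SYN and drops the SYN-ACK; tcpdump on the firewall then shows only
    #    the incoming side of the connection.
    echo "iptables -t nat -A POSTROUTING -o $ext_if -d $server -p tcp --dport $port -j SNAT --to-source $ext_ip"
}

# count_snat_rules RULESET -> number of SNAT rules in the generated text;
# a quick check that the return-path rewrite is actually present.
count_snat_rules() {
    printf '%s\n' "$1" | grep -c -- '-j SNAT'
}

rules=$(hairpin_rules eth0 203.0.113.1 198.51.100.10 80)
printf '%s\n' "$rules"
```

Once applied, `conntrack -L` (or `cat /proc/net/ip_conntrack` on a 2003-era kernel) should show each forwarded connection with both the rewritten destination and the rewritten source.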
On 25/04/2003 1:02 PM -0700 Tom Eastep wrote:

> And be sure you look at the FAQ for important version-dependent
> information (for example, if you are running 1.4.1[a], you need to
> upgrade to 1.4.2 and set the 'routeback' option on your external
> interface).

I'm using Shorewall 1.3.13, and thank you very much for that. Works beautifully!

Regards,
Gonzalo.