Hi, I installed shorewall for a company which has several subnets.

The internal IP of the shorewall is 192.168.254.254/24.
The router interface to firewall is 192.168.254.252/24.
Router connects to shorewall.
Router also routes packets to the right subnet (i.e. 192.168.3.0/24, 192.168.5.0/24).

If I want to port forward with different port numbers, i.e.: Port forward from the internet of port number 5555 to port number 6666 of IP 192.168.3.4, how would I do that?

I tried:

DNAT net: 203.33.201.250:5555 loc:192.168.3.4 tcp 6666

I got blocked:

May 10 10:16:15 fwcolo Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=00:02:44:7e:04:0e:00:01:64:db:74:70:08:00 SRC=203.33.201.250 DST=203.241.216.136 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=36043 CE DF PROTO=TCP SPT=3158 DPT=5555 SEQ=3014076151 ACK=0 WINDOW=5840 SYN URGP=0

Shorewall version is 1.4.8

Also why:

DNAT net: 203.33.201.240/28:5555 loc:192.168.3.4 tcp 6666

doesn't allow a block of IPs to port forward 5555 to 6666 of 192.168.3.4? It complains about the syntax.

Thank you.
Lee
Lito Kusnadi wrote:
> Hi,
> I installed shorewall for a company which has several subnets.
>
> The internal IP of the shorewall is 192.168.254.254/24.
> The router interface to firewall is 192.168.254.252/24.
> Router connects to shorewall.
> Router also routes packets to the right subnet (i.e. 192.168.3.0/24,
> 192.168.5.0/24).
>
> If I want to port forward with different port numbers, i.e.:
> Port forward from the internet of port number 5555 to port number 6666
> of IP 192.168.3.4, how would I do that?

This is FAQ #1C. And the rule is independent of how many local routers are involved.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
>
>
> This is FAQ #1C. And the rule is independent of how many local routers
> are involved.
>

The subject of routers behind Shorewall is discussed at http://shorewall.net/Multiple_Zones.html

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
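Added example, not part of the thread and not Tom's reply: /etc/shorewall/rules entries for the redirection Lee asked about (Internet port 5555 to 192.168.3.4 port 6666), using Lee's addresses and the 1.4 rules-file column order (ACTION, SOURCE, DEST, PROTO, DEST PORT(S)). It assumes 192.168.3.0/24 is part of the loc zone and reachable through the internal router.

```text
#ACTION  SOURCE                  DEST                  PROTO  DEST PORT(S)
#
# Lee's attempt, left commented out. The port a client connects to (5555)
# belongs in DEST PORT(S), not after the SOURCE address, and the port the
# server listens on (6666) belongs in DEST, after the address. With no DNAT
# rule matching, the SYN to port 5555 is handled by the net2fw chain, which
# is the net2fw:DROP seen in Lee's log (DPT=5555).
#DNAT   net:203.33.201.250:5555 loc:192.168.3.4       tcp    6666
#
# Any Internet client connecting to port 5555 is redirected to 192.168.3.4
# on port 6666; the internal router between fw and 192.168.3.0/24 does not
# change this rule.
DNAT     net                     loc:192.168.3.4:6666  tcp    5555
#
# Same redirection, but only for clients in the 203.33.201.240/28 block:
# the source restriction is a plain address or network in SOURCE, no port.
DNAT     net:203.33.201.240/28   loc:192.168.3.4:6666  tcp    5555
```

With the restricted form, connections to port 5555 from addresses outside 203.33.201.240/28 are not redirected and fall through to the net2fw policy, so they still show up as net2fw:DROP in the log.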