With DNAT can I specify a different SRC port than the DST port?

I want to redirect port 443 on the external IP to port 80 on the internal IP. Don't ask why. ;-) It's a temporary kludge...

Something like:

/etc/shorewall/rules

DNAT net:443 vpn:192.168.155.10 tcp 80 - 111.222.333.4

Also, 111.222.333.4 is actually a proxy ARP'ed IP.

--
Matt Burleigh
Senior Systems Engineer
Enterprise Integration, Inc.
eiisolutions.com
703.236.0790

Matt Burleigh wrote:
| With DNAT can I specify a different SRC port than the DST port?

You can change the port number with either DNAT or REDIRECT. For instructions for DNAT, please see FAQ #1c.

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Matt Burleigh wrote:
> | With DNAT can I specify a different SRC port than the DST port?
>
> You can change the port number with either DNAT or REDIRECT. For
> instructions for DNAT, please see FAQ #1c.

Thanks and BTW FAQ 1c's example is broken. ;-)

--
Matt Burleigh

Matt Burleigh wrote:
| Tom Eastep wrote:
|
|> Matt Burleigh wrote:
|> | With DNAT can I specify a different SRC port than the DST port?
|>
|> You can change the port number with either DNAT or REDIRECT. For
|> instructions for DNAT, please see FAQ #1c.
|
| Thanks and BTW FAQ 1c's example is broken. ;-)

And how is it broken?

-Tom
--
Tom Eastep

Tom Eastep wrote:
> Matt Burleigh wrote:
> | Tom Eastep wrote:
> |
> |> Matt Burleigh wrote:
> |> | With DNAT can I specify a different SRC port than the DST port?
> |>
> |> You can change the port number with either DNAT or REDIRECT. For
> |> instructions for DNAT, please see FAQ #1c.
> |
> | Thanks and BTW FAQ 1c's example is broken. ;-)
>
> And how is it broken?

(FAQ 1c) From the internet, I want to connect to port 1022 on my firewall and have the firewall forward the connection to port 22 on local system 192.168.1.3. How do I do that?

In /etc/shorewall/rules:

#ACTION  SOURCE  DEST              PROTO  DEST PORT
DNAT     net     loc:192.168.3:22  tcp    1022

The rule local system is "192.168.3" and should be "192.168.1.3".

--
Matt Burleigh

Matt Burleigh wrote:
|
| In /etc/shorewall/rules:
|
| #ACTION  SOURCE  DEST              PROTO  DEST PORT
| DNAT     net     loc:192.168.3:22  tcp    1022
|
| The rule local system is "192.168.3" and should be "192.168.1.3".

Thanks,
-Tom
--
Tom Eastep
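
Added example, not part of the thread and not Shorewall's own code: a small Python check for DNAT rules in the simple layout FAQ 1c uses, reporting the port mapping each rule produces and flagging a malformed internal address such as the "192.168.3" typo found above. The sample rules are constructed; the 443-to-80 rule is an assumed FAQ 1c-style rendering of the request in the first message, and 203.0.113.4 is a placeholder address.

```python
import ipaddress

# Constructed sample: FAQ 1c as quoted in the thread (with its typo), the
# corrected form, and the 443 -> 80 request written in the FAQ 1c layout.
SAMPLE_RULES = """\
#ACTION  SOURCE  DEST                   PROTO  DEST PORT  SOURCE PORT  ORIGINAL DEST
DNAT     net     loc:192.168.3:22       tcp    1022
DNAT     net     loc:192.168.1.3:22     tcp    1022
DNAT     net     vpn:192.168.155.10:80  tcp    443        -            203.0.113.4
"""

def check_dnat_line(line):
    """Return (mapping, errors) for a DNAT rule, or None for any other line."""
    fields = line.split("#", 1)[0].split()
    if not fields or fields[0] != "DNAT":
        return None
    if len(fields) < 5:
        return None, ["fewer than 5 columns"]
    dest, proto, dport = fields[2], fields[3], fields[4]
    parts = dest.split(":")
    if len(parts) not in (2, 3):
        return None, [f"DEST {dest!r} is not zone:address[:port]"]
    zone, addr = parts[0], parts[1]
    # With no port in DEST, the connection keeps the port it arrived on.
    inner_port = parts[2] if len(parts) == 3 else dport
    errors = []
    try:
        ipaddress.IPv4Address(addr)  # strict: requires four octets
    except ValueError:
        errors.append(f"{addr!r} is not a dotted-quad IPv4 address")
    # Only single numeric ports are handled here, not lists or ranges.
    for label, port in (("DEST PORT", dport), ("internal port", inner_port)):
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            errors.append(f"{label} {port!r} is not a single port 1-65535")
    orig = fields[6] if len(fields) > 6 and fields[6] != "-" else "any"
    return f"{proto} {orig}:{dport} -> {zone} {addr}:{inner_port}", errors

def check_rules(text):
    """Check every DNAT line; returns (line_number, mapping, errors) tuples."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        r = check_dnat_line(line)
        if r is not None:
            results.append((n, *r))
    return results

if __name__ == "__main__":
    for n, mapping, errors in check_rules(SAMPLE_RULES):
        print(f"line {n}: {mapping}: {'; '.join(errors) or 'OK'}")
```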