I am missing a tiny detail on understanding a simple port forward:

I want to forward just like the FAQ listed, via

    #ACTION   SOURCE   DEST                 PROTO   DEST PORT
    DNAT      net      loc:192.168.1.3:22   tcp     1022

Which works just fine. Now I also tried the following type of rule, which I thought would work, but it did not.

    #ACTION   SOURCE   DEST              PROTO   DEST-PORT   SOURCE-PORT   ORIGINAL-DEST
    DNAT      net      loc:192.168.1.3   tcp     22          1022          123.123.123.123

Now I'm wondering why it does not. Are the two equivalent?
Assuming SSH, had you set in /etc/ssh/sshd_config:

    Port 9922

TGS <spam@tachegroup.com> wrote:
> Now I'm wondering why it does not. Are the two equivalent?

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm

http://www.debian.org/consultants/#Malaysia

---------------------------------
Do you Yahoo!? Yahoo! Small Business - Try our new resources site!
Oops! Typo... mine is 9922 and yours will be Port 1022.

mynullvoid <mynullvoid@yahoo.com> wrote:
> Assuming SSH, had you set in /etc/ssh/sshd_config:
>
>     Port 9922
TGS wrote:
> I am missing a tiny detail on understanding a simple port forward:
>
> I want to forward just like the FAQ listed, via
>
>     #ACTION   SOURCE   DEST                 PROTO   DEST PORT
>     DNAT      net      loc:192.168.1.3:22   tcp     1022
>
> Which works just fine. Now I also tried the following type of rule,
> which I thought would work, but it did not.
>
>     #ACTION   SOURCE   DEST              PROTO   DEST-PORT   SOURCE-PORT   ORIGINAL-DEST
>     DNAT      net      loc:192.168.1.3   tcp     22          1022          123.123.123.123
>
> Now I'm wondering why it does not. Are the two equivalent?

No.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
I was looking for a bit of detail on why they are different.

On Mar 22, 2005, at 10:46 PM, Tom Eastep wrote:
> TGS wrote:
>> Now I'm wondering why it does not. Are the two equivalent?
>
> No.
>
> -Tom
In the first case, you are redirecting ALL traffic seen from the net zone fitting the port requirements you listed. In the second, you are only directing traffic from the net zone to the specified IP in the net zone, meeting all the port requirements you specified. Thusly, they are not equivalent, which is exactly what the documentation says.

On Tue, 22 Mar 2005 23:05:34 -0500, TGS <spam@tachegroup.com> wrote:
> I was looking for a bit of detail on why they are different.
>
> On Mar 22, 2005, at 10:46 PM, Tom Eastep wrote:
>> TGS wrote:
>>> Now I'm wondering why it does not. Are the two equivalent?
>>
>> No.
>>
>> -Tom
Gary Buckmaster wrote:
> In the first case, you are redirecting ALL traffic seen from the net
> zone fitting the port requirements you listed. In the second, you are
> only directing traffic from the net zone to the specified IP in the
> net zone, meeting all the port requirements you specified. Thusly,
> they are not equivalent, which is exactly what the documentation says.
>
>>>> #ACTION   SOURCE   DEST                 PROTO   DEST PORT
>>>> DNAT      net      loc:192.168.1.3:22   tcp     1022
>>>>
>>>> Which works just fine. Now I also tried the following type of rule,
>>>> which I thought would work, but it did not.
>>>>
>>>> #ACTION   SOURCE   DEST              PROTO   DEST-PORT   SOURCE-PORT   ORIGINAL-DEST
>>>> DNAT      net      loc:192.168.1.3   tcp     22          1022          123.123.123.123

More importantly, "the port requirements" in the two rules are totally different. In the first rule, the destination port is being rewritten from 1022 to 22, whereas in the second rule the destination port remains 22 and the source port is required to be 1022. Since for 99%+ of the available applications the source port is chosen randomly, it is almost always wrong to have an entry in that column.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
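To make Tom's point concrete, here is a small model of how the two DNAT lines from the thread match and rewrite a client connection. It is an added example, not code from the thread or from Shorewall; the match and rewrite semantics follow Tom's explanation, and the client address 198.51.100.7 and source port 51515 are constructed values.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str      # client address
    sport: int    # client's source port, normally chosen at random
    dst: str      # address the client connected to (firewall's external IP)
    dport: int    # port the client connected to
    proto: str = "tcp"

@dataclass(frozen=True)
class DnatRule:
    """One DNAT line of Shorewall's rules file. A None column matches anything,
    like '-' in the file. DEST 'loc:192.168.1.3:22' gives dest_ip and new_port."""
    dest_ip: str
    new_port: Optional[int]
    proto: str
    dest_port: Optional[int]
    source_port: Optional[int] = None
    original_dest: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and (self.dest_port is None or p.dport == self.dest_port)
                and (self.source_port is None or p.sport == self.source_port)
                and (self.original_dest is None or p.dst == self.original_dest))

    def apply(self, p: Packet) -> Optional[Packet]:
        """Rewritten packet if the rule matches, else None (the next rule would be tried)."""
        if not self.matches(p):
            return None
        new_port = p.dport if self.new_port is None else self.new_port
        return replace(p, dst=self.dest_ip, dport=new_port)

# The two rules from the thread, column by column.
RULE_FAQ = DnatRule("192.168.1.3", 22, "tcp", dest_port=1022)
RULE_SECOND = DnatRule("192.168.1.3", None, "tcp", dest_port=22,
                       source_port=1022, original_dest="123.123.123.123")

def ssh_on_1022(sport: int) -> Packet:
    """Constructed client SYN for 'ssh -p 1022 123.123.123.123' from a given source port."""
    return Packet("198.51.100.7", sport, "123.123.123.123", 1022)

if __name__ == "__main__":
    syn = ssh_on_1022(51515)
    print("FAQ rule:   ", RULE_FAQ.apply(syn))     # rewritten to 192.168.1.3:22
    print("second rule:", RULE_SECOND.apply(syn))  # None: dport is 1022, rule wants 22
    to_22 = replace(syn, dport=22)                 # even a connect to port 22 needs sport 1022
    print("second rule, port 22:", RULE_SECOND.apply(to_22), RULE_SECOND.apply(replace(to_22, sport=1022)))
```

Running it shows the FAQ rule forwarding the connection to 192.168.1.3:22, while the second rule only ever matches a client that happens to pick source port 1022.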