Hi!

First of all, let me say a big "thank you" to Tom for creating shorewall. I've been using it for a few months now and it's such a relief to not have to resort to OpenBSD's pf (which is so much more sane than Linux' iptables madness) for the most basic firewalling tasks.

I have a question that I didn't seem to be able to find in the FAQ.

$CLIENT runs a dual homed internet gateway, with Squid on it and without(!) Masquerading/SNAT.

Now he wants to forward incoming HTTPS connections from the outside to an internal server. How do I do this? Will a single DNAT rule suffice, or will I also need to set up Masquerading/SNAT with a reject policy from loc to net, explicitly allowing access only for the one internal host? Sounds strange to me, because there are actually no outbound connections that need to be established from the internal system.

I've also thought about setting up a plug gateway using xinetd and netcat on the gateway, but I'd prefer to see everything in one place, that is the shorewall configuration files.

No, I haven't tried out anything yet, mainly because the internal server that will receive the requests isn't up yet and can hardly be tested. :-)

Thanks in advance,

-martin

--
+-------------------------+------------------------+
| Martin Schmitt          | Schmitt Systemberatung |
| http://www.scsy.de/~mas | http://www.scsy.de     |
+-------------------------+------------------------+
A single DNAT rule will be enough. Something like this in /etc/shorewall/rules:

DNAT <net-zone> <dmz/loc-zone:serverip> tcp 443 - (<original destination>)

No SNAT (masquerading) is needed.

For further documentation read http://www.shorewall.net/FAQ.htm, Faq 1(x)

Alex

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
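A worked version of the rule above, added here as an illustration and not taken from the original thread or from the Shorewall project's own documentation. The zone names `net` and `loc`, the external address 203.0.113.5, the internal server address 10.0.1.20 and the loc-to-net REJECT policy are constructed to match the scenario in the question (gateway with two interfaces, no masquerading, one internal host that must accept HTTPS from outside):

```text
# /etc/shorewall/policy (constructed example)
# Internal hosts are not allowed to open connections to the Internet,
# which is the "reject policy from loc to net" the question mentions.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    REJECT   info
net       loc    DROP     info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules (constructed example)
# Forward inbound HTTPS that arrives at the external address to the
# internal server. The ORIGINAL DEST column matters when the gateway
# has more than one external address; otherwise "-" is fine.
#ACTION   SOURCE   DEST            PROTO   DEST     SOURCE    ORIGINAL
#                                          PORT(S)  PORT(S)   DEST
DNAT      net      loc:10.0.1.20   tcp     443      -         203.0.113.5

# /etc/shorewall/masq (constructed example)
# Deliberately empty: the forwarded connection is a net->loc connection
# from conntrack's point of view, so no SNAT entry is needed for it.
```

Why this works without masquerading: the DNAT rule rewrites the destination of the incoming SYN and inserts the connection into the kernel's connection tracking table; the reply packets from 10.0.1.20 are matched against that entry and have their source address translated back to 203.0.113.5 automatically. The loc-to-net REJECT policy only governs new connections initiated from loc, so it does not affect these replies. The one requirement is that 10.0.1.20 routes its replies back through this gateway (that is, its default route points at the gateway's internal address); if replies take a different path, the reverse translation never happens. After editing the files, `shorewall check` validates the configuration and `shorewall show nat` lets you confirm that the DNAT entry for port 443 is present in the nat table.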
Alexander Wilms wrote:
> A single DNAT rule will be enough. Something like this in
> /etc/shorewall/rules:
>
> DNAT <net-zone> <dmz/loc-zone:serverip> tcp 443 - (<original destination>)
>
> No SNAT (masquerading) is needed

Sorry for my late response, but I haven't been able to give it a try until today. Everything works as expected.

Thanks for your advice, Alexander.

-martin

--
+-------------------------+------------------------+
| Martin Schmitt          | Schmitt Systemberatung |
| http://www.scsy.de/~mas | http://www.scsy.de     |
+-------------------------+------------------------+