Hi!

I guess I just overread the part I need, I checked the FAQ and online-documentation, but could not find the solution for my problem:

I have a server with 1 external IP and a LAN behind, where I need ports to be forwarded like this:

external 1.2.3.4:81 forwarded to internal 192.168.1.1:80
external 1.2.3.4:82 forwarded to internal 192.168.1.2:80
and so on .. (for configuring/accessing the axis-cams)

I'm sure that the solution is simple and I'm just blind and having a typical monday-comprehension-problem .. if someone could just link me to the solution or paste the few necessary nat/rules ...

thanks in advance

M.
--
*********************************************************************
* Martin Schipany   email: elcondor(at)warum.net
* IRC : ElCondor on channel #diddl
*********************************************************************

DNAT net loc:IPADDRESS:80 tcp 81

joshua

----- Original Message -----
From: "Martin Schipany" <elcondor+shorewall@warum.net>
To: <shorewall-users@lists.shorewall.net>
Sent: Monday, June 20, 2005 9:30 AM
Subject: [Shorewall-users] Port forwarding to different Port?

> Hi!
>
> I guess I just overread the part I need, I checked the FAQ and
> online-documentation, but could not find the solution for my problem:
>
> I have a server with 1 external IP and a LAN behind, where I need ports to
> be forwarded like this:
>
> external 1.2.3.4:81 forwarded to internal 192.168.1.1:80
> external 1.2.3.4:82 forwarded to internal 192.168.1.2:80
> and so on .. (for configuring/accessing the axis-cams)
>
> I'm sure that the solution is simple and I'm just blind and having a
> typical monday-comprehension-problem .. if someone could just link me to
> the solution or paste the few necessary nat/rules ...
>
> thanks in advance
>
> M.
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

> Hi!
>
> I guess I just overread the part I need, I checked the FAQ and
> online-documentation, but could not find the solution for my problem:
>
> I have a server with 1 external IP and a LAN behind, where I need ports to
> be forwarded like this:
>
> external 1.2.3.4:81 forwarded to internal 192.168.1.1:80
> external 1.2.3.4:82 forwarded to internal 192.168.1.2:80
> and so on .. (for configuring/accessing the axis-cams)
>
> I'm sure that the solution is simple and I'm just blind and having a
> typical monday-comprehension-problem .. if someone could just link me to
> the solution or paste the few necessary nat/rules ...
>
> thanks in advance
>
> M.

Rules file:

# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modify the
# destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
#
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.

Try:

DNAT net loc:192.168.1.1:80 tcp 81
DNAT net loc:192.168.1.2:80 tcp 82

Jerry

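Added example, not part of the original thread and not Shorewall's own code: a small Python check that reads rules in the five-column form posted above and applies the constraints quoted from the rules file (server port only with DNAT or REDIRECT, integer rather than service name, destination port kept when the server port is omitted). The function name, the sample rules and the duplicate-port check are assumptions of this example.

```python
# Constructed sample rules, modelled on the lines posted in this thread.
SAMPLE = """\
# ACTION SOURCE DEST                 PROTO DEST-PORT
DNAT     net    loc:192.168.1.1:80   tcp   81
DNAT     net    loc:192.168.1.2:80   tcp   82
DNAT     net    loc:192.168.1.3      tcp   8080
DNAT     net    loc:192.168.1.4:www  tcp   83
ACCEPT   net    loc:192.168.1.5:80   tcp   84
DNAT     net    loc:192.168.1.6:80   tcp   81
"""

def parse_dnat_rules(text):
    """Return (forwards, problems).

    forwards maps (proto, external_port) -> (server_ip, server_port);
    problems is a list of (line_number, message). IPv4 rules only.
    """
    forwards, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()      # drop comments and blanks
        if not cols:
            continue
        if len(cols) < 5:
            problems.append((lineno, "need ACTION SOURCE DEST PROTO PORT"))
            continue
        action, _src, dest, proto, ext_port = cols[:5]
        _zone, _, rest = dest.partition(":")     # zone:ip:port
        ip, _, srv_port = rest.partition(":")
        if srv_port and action not in ("DNAT", "REDIRECT"):
            problems.append((lineno, "server port only allowed with DNAT or REDIRECT"))
            continue
        if srv_port and not srv_port.isdigit():
            problems.append((lineno, "server port must be an integer, not a service name"))
            continue
        if action != "DNAT":
            continue
        if not ip:
            problems.append((lineno, "DNAT needs a server address"))
            continue
        key = (proto, ext_port)
        if key in forwards:                      # same external port used twice
            problems.append((lineno, "external port already forwarded"))
            continue
        # Omitted server port: the destination port is left unchanged.
        forwards[key] = (ip, srv_port or ext_port)
    return forwards, problems

if __name__ == "__main__":
    fwd, probs = parse_dnat_rules(SAMPLE)
    for (proto, port), (ip, sport) in sorted(fwd.items()):
        print(f"{proto}/{port} -> {ip}:{sport}")
    for lineno, msg in probs:
        print(f"line {lineno}: {msg}")
```
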
Jerry Vonau wrote:

>>be forwarded like this:
>>
>>external 1.2.3.4:81 forwarded to internal 192.168.1.1:80
>>external 1.2.3.4:82 forwarded to internal 192.168.1.2:80
>
> Try:
>
> DNAT net loc:192.168.1.1:80 tcp 81
> DNAT net loc:192.168.1.2:80 tcp 82
>

I tried that (already before I mailed), but it doesn't work, I get no answer back. to be exact: the packets arrive at the firewall, but do not pass through, there is no traffic on the internal interface corresponding to the DNAT entry. I also opened the port 81 on the firewall. Is there anything else necessary ? I get no messages in syslog or elsewhere that the packet has been rejected

+M.
--
*******************************************************************
Martin Schipany
email: elcondor+shorewall@warum.net
IRC : ElCondor on channel #diddl
*******************************************************************

Hi Martin,

It is possible that your ISP is blocking the traffic out (on low ports?). I pulled my hair once for this kind of DNAT (to mail server port 25). In my case I saw the traffic going in and using TCPDUMP I see that goes to internal machine, but from the outside you did not get answer.

I do not know if the ISP firewall can detect the internal port 80, but for testing DNAT, you can

1 - run internal Web on high port, say 10000, and DNAT them to port 10000 too, so
>> DNAT net loc:192.168.1.1:10000 tcp 10000

2 - run internal Web on port 80, and DNAT to 10000
>> DNAT net loc:192.168.1.1:80 tcp 10000

----- Original Message -----
From: "Martin Schipany" <elcondor+shorewall@warum.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, June 21, 2005 10:49 AM
Subject: Re: [Shorewall-users] Port forwarding to different Port?

> Jerry Vonau wrote:
>
>>>be forwarded like this:
>>>
>>>external 1.2.3.4:81 forwarded to internal 192.168.1.1:80
>>>external 1.2.3.4:82 forwarded to internal 192.168.1.2:80
>>
>> Try:
>>
>> DNAT net loc:192.168.1.1:80 tcp 81
>> DNAT net loc:192.168.1.2:80 tcp 82
>>
>
> I tried that (already before I mailed), but it doesn't work, I get no
> answer back. to be exact: the packets arrive at the firewall, but do not
> pass through, there is no traffic on the internal interface corresponding
> to the DNAT entry. I also opened the port 81 on the firewall. Is there
> anything else necessary ? I get no messages in syslog or elsewhere that
> the packet has been rejected
>
> +M.

> Jerry Vonau wrote:
>
> >>be forwarded like this:
> >>
> >>external 1.2.3.4:81 forwarded to internal 192.168.1.1:80
> >>external 1.2.3.4:82 forwarded to internal 192.168.1.2:80
> >
> > Try:
> >
> > DNAT net loc:192.168.1.1:80 tcp 81
> > DNAT net loc:192.168.1.2:80 tcp 82
> >
>
> I tried that (already before I mailed), but it doesn't work, I get no
> answer back. to be exact: the packets arrive at the firewall, but do not
> pass through, there is no traffic on the internal interface corresponding
> to the DNAT entry. I also opened the port 81 on the firewall. Is there
> anything else necessary ? I get no messages in syslog or elsewhere that the
> packet has been rejected
>
> +M.
>

You're not testing from within the local lan are you? Can you post a shorewall status from the instructions here:

http://www.shorewall.net/support.htm

Along with your config files.

Thanks

Jerry