Thanks for your help,
I am using the shorewall-3.1.4 on suse machine.
It is working. Now my rules are:
ACCEPT:info net:123.xxx.xxx.xxx fw tcp 22 - 123.345.3.28
NONAT net:123.xxx.xxx.xxx fw tcp 22 - 123.345.3.28
DNAT:info net loc:192.192.192.221 tcp 22 - 123.345.3.28
About defining the ip address in Destination .. I found that on 3
zones (with 3 nics)
it works well if I want to dnat to eth2 or eth1 from zone connected to
eth0. Plus few days back I faced a case where I had to DNAT from net
zone to a local machine (windows machine) running a special s/w for
its remote client. Still not so sure about it whether the problem
was with the software (on windows machine located in net zone accessing
a local windows machine via shorewall server), but next day after
giving the destination ip it worked. This is why I am adopting it.
Thanks to the beautiful documentation of shorewall (I wish if I can
read and learn all).
Best Regards
Anuj
On 2/1/06, Arne Bernin <arne@alamut.de> wrote:
> On Wed, 2006-02-01 at 01:11 +0530, anuj singh wrote:
> > Hello everyone !
> > I configured my firewall to dnat all the ssh connections to another
> > system on the lan, it is working fine but at the same time I want to
> > allow few ip's for ssh to firewall (directly zone net to fw
> > machine).
> > I have this rule in my /etc/shorewall/rules
> >
> > ACCEPT:info net:123.xxx.xxx.xxx fw tcp 22 - 123.345.3.28
>
> for accept rules, don't specify the "Original Destination" field (source
> ports are not needed, too). So use something like
> ACCEPT net:123.xxx.xxx.xxx fw tcp 22
>
>
> > DNAT:info net loc:192.192.192.221 tcp 22 - 123.345.3.28
> >
> > Now my ssh with DNAT is working fine (sending me to the machine on lan
> > with ip 192.192.192.221 ) but first rule is also sending me to the
> > same system(192.192.192.221) instead of my firewall machine itself.
> > The zones above are
> > net = internet
> > loc = local network
> >
>
> The Problem is, that the dnatting takes place before the accept rules
> would match (dnat is done in the nat table, accept in the filter table
> which is traversed afterwards). If you are using shorewall > 2.2 (you
> didn't tell us your version), the following might work:
> Put a line of the form
>
> NONAT net:123.xxx.xxx.xxx fw tcp 22
>
> BEFORE the DNAT entry. This should prevent the NAT to happen.
>
> (Please notice that I haven't tried it, I just looked at the
> documentation of the rules file).
>
>
> --arne
>
> --
> Arne Bernin <arne@alamut.de>
>
> http://www.ucBering.de
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
--
===========Linux Rocks
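The ordering problem Arne describes (the nat table is traversed before the filter table, so a DNAT line shadows any ACCEPT-to-firewall that follows it unless a NONAT for that source sits in front of it) can be caught before reloading. The checker below is an added example, not shorewall's own code or anything from this thread; it parses the seven positional columns used in the rules above and assumes the firewall zone is called "fw" or "$FW". SAMPLE_RULES is a constructed input modelled on the rules quoted in the thread, with the DNAT placed first.

```python
from collections import namedtuple

# Constructed sample modelled on the thread's rules, with the DNAT placed first.
SAMPLE_RULES = """\
DNAT:info   net   loc:192.192.192.221   tcp   22   -   123.345.3.28
NONAT       net:123.xxx.xxx.xxx   fw   tcp   22
ACCEPT:info net:123.xxx.xxx.xxx   fw   tcp   22   -   123.345.3.28
"""

Rule = namedtuple("Rule", "action source dest proto dport sport origdest")

def parse_rules(text: str) -> list:
    """Parse the seven positional columns of a shorewall rules file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        f[0] = f[0].split(":", 1)[0]   # strip log level: DNAT:info -> DNAT
        f += ["-"] * (7 - len(f))      # pad missing optional columns
        rules.append(Rule(*f[:7]))
    return rules

def zone(spec: str) -> str:
    return spec.split(":", 1)[0]       # "net:1.2.3.4" -> "net"

def check_rules(rules: list) -> list:
    """Return one warning per problem found (empty list means clean)."""
    warnings = []
    for i, r in enumerate(rules, 1):
        if r.action == "ACCEPT" and r.origdest != "-":
            warnings.append(f"rule {i}: ACCEPT carries ORIGINAL DEST {r.origdest}; "
                            "the reply above says to leave that column empty")
        if r.action != "DNAT":
            continue
        # nat is walked before filter, so an ACCEPT to fw from a specific host in the
        # DNAT's source zone only takes effect if a NONAT for that host precedes the DNAT.
        for j, a in enumerate(rules, 1):
            if not (a.action == "ACCEPT" and a.dest in ("fw", "$FW") and ":" in a.source
                    and zone(a.source) == zone(r.source) and (a.proto, a.dport) == (r.proto, r.dport)):
                continue
            covered = any(n.action == "NONAT" and n.source == a.source and k < i
                          and (n.proto, n.dport) == (a.proto, a.dport) for k, n in enumerate(rules, 1))
            if not covered:
                warnings.append(f"rule {j}: ACCEPT from {a.source} is shadowed by DNAT at rule {i}; "
                                f"add 'NONAT {a.source} fw {a.proto} {a.dport}' before rule {i}")
    return warnings
```

Running `check_rules(parse_rules(SAMPLE_RULES))` reports both the shadowed ACCEPT and the stray ORIGINAL DEST column; moving the NONAT line above the DNAT and dropping the last column yields an empty list.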