Hi,

I did quite a stupid thing - I have moved our mail server to the Zimbra suite. Zimbra is an all-in-one mail & collaboration server, written in Java. It installs its own copies of Postfix, Apache, Tomcat, Cyrus-IMAP, OpenLDAP and a few other things. The problem is a culprit in the Zimbra 3 config script - although it was instructed to run the Zimbra-bundled Apache on port 8080, it's still running on port 80 anyway. Even manual editing of httpd.conf did not help - we were unable to figure out how all this Java/Perl/PHP stuff has been interconnected, so even manual editing of config files has very strange & unexpected effect(s).

Zimbra is installed on a SuSE 10 box, which acts as a 2-interface firewall (external IP xx.xx.xx.xx and internal IP 192.168.0.1), router, web server (with the default SuSE Apache install), and Zimbra host. Since it was not possible to install our company web scripts under Zimbra's Apache, I have had to launch a second copy of Apache (shipped with SuSE) listening on port 8080.

Now the most interesting thing. If someone types www.company.com, it will be connected to Zimbra. In order to connect to our company site, one has to type www.company.com:8080, which is simply awkward.

My idea is to use DNAT to "swap" ports, so requests from net:80 would be forwarded to 192.168.0.1:8080, and the opposite. I wrote these lines in rules:

DNAT net loc:192.168.0.1 tcp 80 8080
DNAT net loc:192.168.0.1 tcp 8080 80

However, I am still not getting the desired effect. What might be wrong?

Thanks in advance for any suggestion(s).

Andrei

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
>I wrote this line in rules:
>
>DNAT net loc:192.168.0.1 tcp 80 8080
>DNAT net loc:192.168.0.1 tcp 8080 80
>
>However, I am still not getting desired effect. What might be wrong?
>

Try params

WSERVER=192.168.0.1

and in rules

DNAT net loc:$WSERVER:8080 tcp 80

Read the examples in the rules file.

Harry
>I wrote this line in rules:
>

#ACTION SOURCE DEST            PROTO DEST SOURCE  ORIGINAL RATE  USER/
#                                    PORT PORT(S) DEST     LIMIT GROUP
                                     |    |
                                     V    V
>DNAT    net    loc:192.168.0.1 tcp   80   8080
>DNAT    net    loc:192.168.0.1 tcp   8080 80
>

Did you observe your columns ????

Harry
On Saturday 08 April 2006 15:02, Harry Lachanas wrote:
> >I wrote this line in rules:
> >
> #ACTION SOURCE DEST            PROTO DEST SOURCE  ORIGINAL RATE  USER/
> #                                    PORT PORT(S) DEST     LIMIT GROUP
>                                      |    |
>                                      V    V
> >DNAT    net    loc:192.168.0.1 tcp   80   8080
> >DNAT    net    loc:192.168.0.1 tcp   8080 80
> >
> Did you observe your columns ????

The amount of whitespace between columns is not significant. What is
significant though is that the above rules have 'loc' as the destination zone
but the OP reported that the servers are running on the firewall itself
($FW).

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>On Saturday 08 April 2006 15:02, Harry Lachanas wrote:
>
>>>I wrote this line in rules:
>>>
>>#ACTION SOURCE DEST            PROTO DEST SOURCE  ORIGINAL RATE  USER/
>>#                                    PORT PORT(S) DEST     LIMIT GROUP
>>                                     |    |
>>                                     V    V
>>>DNAT    net    loc:192.168.0.1 tcp   80   8080
>>>DNAT    net    loc:192.168.0.1 tcp   8080 80
>>>
>>Did you observe your columns ????
>>
>
>The amount of whitespace between columns is not significant. What is
>significant though is that the above rules have 'loc' as the destination zone
>but the OP reported that the servers are running on the firewall itself
>($FW).
>
>-Tom
>

Yes, you are right about the zone; I did not pay attention to his writing.
As far as the column remark, I've always thought that source ports are
the client's port(s).

So finally ...

I quote from Tom's examples in the rules file....

#       Example: Redirect all locally-originating www connection requests to
#                port 3128 on the firewall (Squid running on the firewall
#                system) except when the destination address is 192.168.2.2
#
#       #ACTION  SOURCE  DEST  PROTO  DEST  SOURCE   ORIGINAL
#       #                             PORT  PORT(S)  DEST
#       REDIRECT loc     3128  tcp    www   -        !192.168.2.2

Harry
On Saturday 08 April 2006 15:28, Harry Lachanas wrote:
> Tom Eastep wrote:
> >On Saturday 08 April 2006 15:02, Harry Lachanas wrote:
> >>>I wrote this line in rules:
> >>
> >>#ACTION SOURCE DEST            PROTO DEST SOURCE  ORIGINAL RATE  USER/
> >>#                                    PORT PORT(S) DEST     LIMIT GROUP
> >>                                     |    |
> >>                                     V    V
> >>>DNAT    net    loc:192.168.0.1 tcp   80   8080
> >>>DNAT    net    loc:192.168.0.1 tcp   8080 80
> >>
> >>Did you observe your columns ????
> >
> >The amount of whitespace between columns is not significant. What is
> >significant though is that the above rules have 'loc' as the destination
> > zone but the OP reported that the servers are running on the firewall
> > itself ($FW).
> >
> >-Tom
>
> Yes you are right about the zone I did not pay attention to his writting
> As far as the column remark, I've always thought that source ports are
> the clients port(s)
>
> So Finally ...
>
> I quote from Tom's examples in the rules file....
>
> #       Example: Redirect all locally-originating www connection requests to
> #                port 3128 on the firewall (Squid running on the firewall
> #                system) except when the destination address is 192.168.2.2
> #
> #       #ACTION  SOURCE  DEST  PROTO  DEST  SOURCE   ORIGINAL
> #       #                             PORT  PORT(S)  DEST
> #       REDIRECT loc     3128  tcp    www   -        !192.168.2.2
>

Yes, you are right -- I misunderstood what you were trying to say with your
downward pointing arrows.

To make things short, the two rules required are:

REDIRECT net 80   tcp 8080
REDIRECT net 8080 tcp 80

or

DNAT net $FW:80   tcp 8080
DNAT net $FW:8080 tcp 80

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Saturday 08 April 2006 15:40, Tom Eastep wrote:
> or
>
> DNAT net $FW:80   tcp 8080
> DNAT net $FW:8080 tcp 80
>

We will get this right eventually:

DNAT net $FW:192.168.0.1:80   tcp 8080
DNAT net $FW:192.168.0.1:8080 tcp 80

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
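The two mistakes the thread turns on are both column mistakes: a port written in the SOURCE PORT(S) column (which matches the client's ephemeral port, not the port to forward to), and 'loc' used as the DEST zone for an address that belongs to the firewall itself. The following is an added example, not part of the thread and not Shorewall's own code: a small Python checker that splits rules lines on whitespace into the columns shown in the header above and flags those two mistakes. The function names (parse_rule, check_rule, lint_rules), the SAMPLE_RULES text and the fw_addresses parameter are all assumptions made for this example; the sample rules are the OP's original two lines followed by Tom's final corrected pair.

```python
"""Column-aware checker for Shorewall 'rules' file lines (added example,
not Shorewall's own code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Column order of the classic /etc/shorewall/rules file, as in the header
# quoted in the thread: ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT(S)
# ORIGINAL-DEST (RATE LIMIT and USER/GROUP are ignored here).


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str = "-"
    dest_port: str = "-"
    source_ports: str = "-"
    original_dest: str = "-"

    @property
    def dest_zone(self) -> str:
        # "loc:192.168.0.1" -> "loc"; "$FW:192.168.0.1:80" -> "$FW"
        return self.dest.split(":", 1)[0]

    @property
    def dest_address(self) -> Optional[str]:
        # The address that follows the zone, if any; the port after it is
        # the port traffic is forwarded to and is not needed for the checks.
        parts = self.dest.split(":")
        return parts[1] if len(parts) > 1 else None


def parse_rule(line: str) -> Optional[Rule]:
    """Split one rules line on whitespace into named columns.

    Returns None for comments and blank lines.  As Tom notes, the amount of
    whitespace between columns is not significant; only the order is.
    """
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    if len(fields) < 3:
        raise ValueError(f"rule needs at least ACTION SOURCE DEST: {line!r}")
    return Rule(*fields[:7])


def check_rule(rule: Rule, fw_addresses: List[str]) -> List[str]:
    """Return warnings for the two mistakes discussed in the thread."""
    warnings: List[str] = []
    if rule.action not in ("DNAT", "REDIRECT"):
        return warnings
    if rule.source_ports not in ("-", ""):
        warnings.append(
            f"SOURCE PORT(S) column is {rule.source_ports!r}: it matches the "
            "client's source port, not the port to forward to; put the target "
            "port in the DEST column (e.g. $FW:addr:port)")
    if (rule.action == "DNAT" and rule.dest_zone != "$FW"
            and rule.dest_address in fw_addresses):
        warnings.append(
            f"DEST zone is {rule.dest_zone!r} but {rule.dest_address} is an "
            "address of the firewall itself; the zone should be $FW")
    return warnings


def lint_rules(text: str, fw_addresses: List[str]) -> Dict[int, List[str]]:
    """Map each non-comment line number to its list of warnings."""
    report: Dict[int, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is not None:
            report[lineno] = check_rule(rule, fw_addresses)
    return report


# Constructed sample: the OP's two rules, then Tom's corrected pair.
SAMPLE_RULES = """\
#ACTION SOURCE DEST                 PROTO DEST SOURCE  ORIGINAL
#                                         PORT PORT(S) DEST
DNAT    net    loc:192.168.0.1      tcp   80   8080
DNAT    net    loc:192.168.0.1      tcp   8080 80
DNAT    net    $FW:192.168.0.1:80   tcp   8080
DNAT    net    $FW:192.168.0.1:8080 tcp   80
"""

if __name__ == "__main__":
    # 192.168.0.1 is the firewall's internal address in the OP's setup.
    for lineno, warns in lint_rules(SAMPLE_RULES, ["192.168.0.1"]).items():
        status = "ok" if not warns else "; ".join(warns)
        print(f"line {lineno}: {status}")
```

Run as-is it reports two warnings for each of the OP's lines (port in the wrong column, and 'loc' for a firewall address) and none for Tom's corrected lines, which is the same diagnosis Harry and Tom arrive at in the thread.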
Hi,

Thanks a lot, Tom and Harry. I will try it again on Monday.

BTW, how does Shorewall "think of" the FW zone? Does it consider it as the whole
machine (all network interfaces running on it), or something virtual which
does not have a particular IP whatsoever?

What about the loopback address? Will that work?

DNAT net $FW:127.0.0.1:80     tcp 8080
DNAT net $FW:127.168.0.1:8080 tcp 80
DNAT loc $FW:127.0.0.1:80     tcp 8080
DNAT loc $FW:127.168.0.1:8080 tcp 80

> On Saturday 08 April 2006 15:40, Tom Eastep wrote:
> > or
> >
> > DNAT net $FW:80   tcp 8080
> > DNAT net $FW:8080 tcp 80
>
> We will get this right eventually:
>
> DNAT net $FW:192.168.0.1:80   tcp 8080
> DNAT net $FW:192.168.0.1:8080 tcp 80
>
> -Tom
On Sunday 09 April 2006 02:06, Andrei Verovski (aka MacGuru) wrote:
> Hi,
>
> Thanks a lot, Tom and Harry. I will try it again on Monday.
>
> BTW, how Shorewall "thinks of" FW zone? Does it consider it as the whole
> machine (all network interfaces running on it), or something virtual which
> do not have particular IP whatsoever?

It is the firewall system, all of the IP addresses assigned to any interface
on that system and all of the programs running on that system.

>
> What about loopback address? Will that work?

If you are asking if the disgusting hack we supplied you with will work from
clients on the firewall itself, the answer is no -- you need separate
$FW->$FW rules for that.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key