I am using shorewall-perl-4.0.4-2 on RHEL5. I am using the following line in my rules file to forward a port to an inside machine:

DNAT net hq:10.10.12.108 tcp 80 - 123.123.123.123

This works fine from outside but from inside the client is connected to port 80 on the firewall itself. This sounds at first like FAQ 1d but notice that I am specifying the original destination address (I have substituted a bogus IP for my real external interface IP).

I seem to recall having looked into this before and learning that it was simply impossible to make this configuration work and that split DNS to direct the local clients to the internal server was the only answer. But FAQ 1d appears to claim to do exactly what I want but it isn't working for me. And split DNS isn't an option in this case because I don't control the DNS.

Maybe the difference between my situation and that of FAQ 1d is that the server is in the DMZ in the FAQ question and my server and my users are both in the same zone/network. Am I right in that this just won't work? Can someone explain why?

One option is to set up another machine straddling both networks with shorewall to do the port forward and set the local server's default route to this new machine and move the external IP I am doing the forwarding on over to this new machine. This way the clients will not be using the same gateway that the port is being forwarded on and all should work. Does this sound right?

Thanks for any insight you can provide!

-- 
Tracy R Reed
Read my blog at http://ultraviolet.org
Key fingerprint = D4A8 4860 535C ABF8 BA97 25A6 F4F2 1829 9615 02AD

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Tracy R Reed wrote:
> I am using shorewall-perl-4.0.4-2 on RHEL5. I am using the following
> line in my rules file to forward a port to an inside machine:
>
> DNAT net hq:10.10.12.108 tcp 80 - 123.123.123.123
>
> This works fine from outside but from inside the client is connected to
> port 80 on the firewall itself. This sounds at first like FAQ 1d but
> notice that I am specifying the original destination address (I have
> substituted a bogus IP for my real external interface IP).

It is actually Shorewall FAQ 2.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
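Added illustration, not part of either message and not Shorewall code: a small Python model of how a DNAT rule like the one in Tracy's post is matched (rules are walked in order and keyed on the zone the packet enters from) and of where the web server's reply then travels. The addresses are the ones from the thread; the firewall's inside address 10.10.12.1, the outside client 198.51.100.7, and the two hairpin variants (a rule with source zone hq, with and without an SNAT back to the firewall's inside address) are assumptions of the model, not text quoted from FAQ 2.

```python
"""Toy model of how a Shorewall-style DNAT rule is matched and where the
server's reply then travels. Constructed illustration, not Shorewall code.

Addresses from the thread: 10.10.12.0/24 is the inside 'hq' zone and
123.123.123.123 stands in for the firewall's external address. The
firewall's inside address (10.10.12.1) and the outside client
(198.51.100.7) are assumed for the example.
"""
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress

HQ_NET = ipaddress.ip_network("10.10.12.0/24")
FW_EXTERNAL = "123.123.123.123"   # from the thread (bogus stand-in IP)
FW_INTERNAL = "10.10.12.1"        # assumed inside address of the firewall
WEB_SERVER = "10.10.12.108"       # from the thread


def zone_of(ip: str) -> str:
    """The source zone is decided by where the packet enters the firewall."""
    return "hq" if ipaddress.ip_address(ip) in HQ_NET else "net"


@dataclass(frozen=True)
class DnatRule:
    source_zone: str                # SOURCE column
    dest_host: str                  # DEST column, "zone:ip"
    proto: str
    dport: int
    original_dest: str              # ORIGINAL DEST column
    snat_to: Optional[str] = None   # models a matching SNAT/masq entry (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def apply_rules(pkt: Packet, rules):
    """Walk the rules top to bottom; the first match rewrites the packet."""
    for rule in rules:
        if (rule.source_zone == zone_of(pkt.src)
                and rule.proto == pkt.proto
                and rule.dport == pkt.dport
                and rule.original_dest == pkt.dst):
            target = rule.dest_host.split(":", 1)[1]
            rewritten = replace(pkt, dst=target)
            if rule.snat_to:
                rewritten = replace(rewritten, src=rule.snat_to)
            return rewritten, rule
    return pkt, None


def connect(client: str, rules) -> dict:
    """Simulate a client opening tcp/80 to the firewall's external address.

    Returns which host answers and whether the SYN-ACK comes back from the
    address the client's socket expects (FW_EXTERNAL)."""
    syn = Packet(src=client, dst=FW_EXTERNAL, proto="tcp", dport=80)
    after, rule = apply_rules(syn, rules)
    if rule is None:
        # No DNAT matched: the firewall's own port 80 answers, which is the
        # symptom reported from inside in the thread.
        return {"answered_by": "firewall", "reply_seen_from": FW_EXTERNAL,
                "reply_ok": True}
    # The server replies to the source address it saw in the SYN.
    reply_to = after.src
    # The reply only passes back through the firewall (where conntrack
    # undoes the NAT) if it has to be routed there: either it is bound for
    # another zone, or it is addressed to the firewall itself.
    via_firewall = zone_of(reply_to) != zone_of(after.dst) or reply_to == FW_INTERNAL
    reply_seen_from = FW_EXTERNAL if via_firewall else after.dst
    return {"answered_by": after.dst, "reply_seen_from": reply_seen_from,
            "reply_ok": reply_seen_from == FW_EXTERNAL}


# The rule from the thread, and two assumed hairpin variants.
RULE_FROM_NET = DnatRule("net", f"hq:{WEB_SERVER}", "tcp", 80, FW_EXTERNAL)
RULE_FROM_HQ = DnatRule("hq", f"hq:{WEB_SERVER}", "tcp", 80, FW_EXTERNAL)
RULE_FROM_HQ_SNAT = DnatRule("hq", f"hq:{WEB_SERVER}", "tcp", 80, FW_EXTERNAL,
                             snat_to=FW_INTERNAL)


def scenarios() -> dict:
    """Run the cases the thread raises and return the outcomes."""
    return {
        "outside client, thread's rule": connect("198.51.100.7", [RULE_FROM_NET]),
        "inside client, thread's rule": connect("10.10.12.50", [RULE_FROM_NET]),
        "inside client, hq rule, no SNAT": connect("10.10.12.50", [RULE_FROM_NET, RULE_FROM_HQ]),
        "inside client, hq rule + SNAT": connect("10.10.12.50", [RULE_FROM_NET, RULE_FROM_HQ_SNAT]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Running the model reproduces the symptom from the first post: a SYN from 10.10.12.50 enters from zone hq, so a rule whose SOURCE is net never matches and the firewall's own port 80 answers. The two extra cases show why a plain hq-sourced DNAT is not enough on its own when client and server share a subnet: the server answers the client directly, so the SYN-ACK arrives from 10.10.12.108 rather than from 123.123.123.123 and the client's socket rejects it; only when the source is also rewritten to the firewall's inside address does the reply pass back through the firewall where the NAT is undone.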