Have you tried something along the lines of:

ACCEPT net net:dmz_webserver_ip tcp 80 - dmz_webserver_ip
DNAT net loc:lan_webserver_ip tcp 80 - firewall_ip

You also may need the routeback option on the bridged interface.



Thank you,

Bryan Vukich

On Mon, 2007-01-29 at 15:09 +0100, Leon Bruno wrote:
> 
> Hi all,
> 
> I'm running shorewall-3.0.5 and am having an issue with DNAT. 
> The shorewall machine has 3 interfaces, one for Internet, one for the
> LAN and one for public DMZ. 
> - LAN to Internet is masqueraded 
> - DMZ and Internet interfaces are bridged
> 
> We are running an http server on a machine from our DMZ. 
> There is also an http server on our LAN, thus I forwarded a port from
> our firewall to port 80 of the LAN machine.
> 
> THE ISSUE is that when I enable the forward rule, all packets arriving
> on port 80 of the firewall are forwarded to the LAN even though the
> dest IP is one of the DMZ public IPs.
> 
> The rule is:  DNAT    net     loc:lan_machine_ip:80    tcp    80
> The resulting iptables part is:  DNAT  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:80 to:lan_machine_ip:80
> 
> The problem is that we should be able to specify a destination IP
> (where I could put the firewall IP) and I didn't see a way of doing
> that in Shorewall.
> 
> Is that a known limitation?
> 
> ------------------ 
> Bruno LEON
> 
> 
> 
> _______________________________________________ Shorewall-users mailing list 
> [email protected] 
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

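To make the behaviour in this thread concrete, here is a small added Python model (not Shorewall code and not from either poster) of what the ORIGINAL DEST column does to the generated nat/PREROUTING match: without it the DNAT rule matches destination 0.0.0.0/0, so the bridged DMZ server's traffic is rewritten too; with it only packets addressed to the firewall are rewritten. The addresses are constructed placeholders, since the thread only names them symbolically.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses; the thread only names them symbolically.
FIREWALL_IP = "203.0.113.1"   # firewall's Internet-facing address
DMZ_WEB_IP = "203.0.113.10"   # public DMZ web server (bridged with the Internet side)
LAN_WEB_IP = "10.0.0.80"      # LAN web server behind masquerading

@dataclass(frozen=True)
class PreroutingDnat:
    """One nat/PREROUTING DNAT match as Shorewall 3 generates it."""
    match_dst: str   # the -d argument; "0.0.0.0/0" means any destination
    dport: int       # --dport
    to_ip: str       # --to-destination address

def compile_dnat(rule_line: str) -> PreroutingDnat:
    """Translate one /etc/shorewall/rules DNAT line into its PREROUTING match.
    Shorewall 3 columns: ACTION SOURCE DEST PROTO DEST_PORT [SOURCE_PORT] [ORIGINAL_DEST].
    A missing or '-' ORIGINAL DEST yields the catch-all 0.0.0.0/0 seen in the thread."""
    cols = rule_line.split()
    if len(cols) < 5 or cols[0] != "DNAT":
        raise ValueError(f"not a DNAT rule: {rule_line!r}")
    _zone, _, target = cols[2].partition(":")      # e.g. loc:10.0.0.80:80
    to_ip = target.split(":")[0]                   # drop an optional :port
    original_dest = cols[6] if len(cols) > 6 and cols[6] != "-" else "0.0.0.0/0"
    return PreroutingDnat(original_dest, int(cols[4]), to_ip)

def apply_prerouting(rules: list[PreroutingDnat], dst_ip: str, dport: int) -> str:
    """Return the destination address a TCP packet has after PREROUTING.
    iptables walks the chain in order and the first matching DNAT wins."""
    for r in rules:
        if dport == r.dport and ip_address(dst_ip) in ip_network(r.match_dst, strict=False):
            return r.to_ip
    return dst_ip   # no rule matched: the packet keeps its original destination

# The rule from the question (no ORIGINAL DEST) and the rule with the firewall IP in it.
BROKEN = compile_dnat(f"DNAT net loc:{LAN_WEB_IP}:80 tcp 80")
FIXED = compile_dnat(f"DNAT net loc:{LAN_WEB_IP} tcp 80 - {FIREWALL_IP}")

if __name__ == "__main__":
    for label, rule in (("without ORIGINAL DEST", BROKEN), ("with ORIGINAL DEST", FIXED)):
        print(f"{label}: -d {rule.match_dst} --dport {rule.dport} --to {rule.to_ip}")
        for dst in (FIREWALL_IP, DMZ_WEB_IP):
            print(f"  port 80 packet to {dst:>14} -> {apply_prerouting([rule], dst, 80)}")
```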
