Ok that did the trick, I had tried tcp 80:firewall_ip but this was the wrong syntax. I'll read the documentation slowly next time. Thanks a lot!

Bruno

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bryan Vukich
Sent: Monday, January 29, 2007 16:31
To: Shorewall Users
Subject: Re: [Shorewall-users] NAT & DMZ pulbic

Have you tried something along the lines of:

    ACCEPT net net:dmz_webserver_ip tcp 80 - dmz_webserver_ip
    DNAT net loc:lan_webserver_ip tcp 80 - firewall_ip

You also may need the routeback option on the bridged interface.

Thank you,
Bryan Vukich

On Mon, 2007-01-29 at 15:09 +0100, Leon Bruno wrote:
>
> Hi all,
>
> I'm running shorewall-3.0.5 and am having an issue with DNAT.
> The shorewall machine has 3 interfaces, one for Internet, one for the
> LAN and one for public DMZ.
> - LAN to Internet is masqueraded
> - DMZ and Internet interfaces are bridged
>
> We are running an http server on a machine from our DMZ.
> There is also an http server on our LAN, thus I forwarded a port from
> our firewall to port 80 of the LAN machine.
>
> THE ISSUE is that when I enable the forward rule, all packets arriving
> on port 80 of the firewall are forwarded to the LAN even though the
> dest IP is one of the DMZ public.
>
> The rule is
>     DNAT net loc:lan_machine_ip:80 tcp 80
> The resulting iptables part is
>     DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:lan_machine_ip:80
>
> The problem is that we should be able to specify a destination IP
> (where I could put the firewall IP) and I didn't see a way of doing
> that in Shorewall.
>
> Is that a known limitation?
>
> ------------------
> Bruno LEON
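Added example (not part of the thread and not Shorewall's own code): a small Python check for the pitfall discussed above, a DNAT rule whose ORIGINAL DEST column is empty and which therefore rewrites matching traffic for every destination address. It assumes the rules-file column order ACTION, SOURCE, DEST, PROTO, DEST PORT, SOURCE PORT, ORIGINAL DEST; the function names and the sample rules are constructed for illustration.

```python
# Added example: flag Shorewall DNAT rules with no ORIGINAL DEST restriction.
# Column order assumed: ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST
COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")


def parse_rule(line):
    """Split one rules-file line into named columns; None for blanks/comments."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    fields = text.split()
    # Trailing columns may be omitted; Shorewall treats them like "-".
    fields += ["-"] * (len(COLUMNS) - len(fields))
    return dict(zip(COLUMNS, fields))


def unrestricted_dnat(rules_text):
    """Return (lineno, line) for DNAT rules that match any destination address."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        action = rule["action"].split(":", 1)[0]  # drop a log level, e.g. DNAT:info
        if action in ("DNAT", "DNAT-") and rule["origdest"] == "-":
            findings.append((lineno, line.strip()))
    return findings


# Constructed sample using the placeholder names from the thread.
SAMPLE_RULES = """\
# rules file (constructed sample)
DNAT    net   loc:lan_machine_ip:80   tcp   80
ACCEPT  net   net:dmz_webserver_ip    tcp   80   -   dmz_webserver_ip
DNAT    net   loc:lan_webserver_ip    tcp   80   -   firewall_ip
"""

if __name__ == "__main__":
    for lineno, line in unrestricted_dnat(SAMPLE_RULES):
        print(f"line {lineno}: DNAT without ORIGINAL DEST: {line}")
```

Only the first DNAT line of the sample is reported; the version with firewall_ip in the last column is limited to traffic addressed to the firewall, so port 80 traffic for the bridged DMZ addresses is left alone.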
