Hi,
Today I added to rules:
DNAT:info inet:58.108.209.135 hw001:10.240.1.7:8000 tcp 8000 80 180.233.128.7
Followed by "sudo shorewall check" [OK], then "sudo service shorewall restart" [OK].
But "sudo iptables -v -t nat -n -L inet_dnat" showed no change [Shorewall BUG?], or have I misread "man shorewall-rules"?
/etc/shorewall/rules
ACCEPT+ $FW pub tcp 80
ACCEPT+ all pub:180.233.129.6 tcp 80
DNAT:info inet:58.108.209.135 hw001:10.240.1.7:8000 tcp 8000 80 180.233.128.7
DNAT inet $HYPERWEB tcp 80 - 180.233.128.7
DNAT inet $HYPERWEB tcp 80 - 180.233.131.7
DNAT inet $HYPERWEB0 tcp 80 - 180.233.128.40
DNAT inet $HYPERWEB1 tcp 80 - 180.233.128.41
DNAT inet $HYPERWEB2 tcp 80 - 180.233.128.42
DNAT inet $HYPERWEB3 tcp 80 - 180.233.128.43
DNAT inet $HYPERWEB tcp 80 - 121.200.226.210
/etc/shorewall/params
HYPERWEB=hw001:10.240.1.7
HYPERWEB0=hw001:10.240.1.7
HYPERWEB1=hw001:10.240.1.7
HYPERWEB2=hw001:10.240.1.7
HYPERWEB3=hw001:10.240.1.7
$ sudo iptables -v -t nat -n -L inet_dnat
Chain inet_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      eth2    0.0.0.0/0            180.233.128.0/23
    0     0 RETURN     all  --  *      eth2    0.0.0.0/0            180.233.131.0/24
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            180.233.129.6        tcp dpt:80
48061 2504K DNAT       tcp  --  *      *       0.0.0.0/0            180.233.128.7        tcp dpt:80 to:10.240.1.7
  208 11736 DNAT       tcp  --  *      *       0.0.0.0/0            180.233.131.7        tcp dpt:80 to:10.240.1.7
90972 4816K DNAT       tcp  --  *      *       0.0.0.0/0            180.233.128.40       tcp dpt:80 to:10.240.1.7
90866 4806K DNAT       tcp  --  *      *       0.0.0.0/0            180.233.128.41       tcp dpt:80 to:10.240.1.7
90997 4818K DNAT       tcp  --  *      *       0.0.0.0/0            180.233.128.42       tcp dpt:80 to:10.240.1.7
91093 4824K DNAT       tcp  --  *      *       0.0.0.0/0            180.233.128.43       tcp dpt:80 to:10.240.1.7
   44  2384 DNAT       tcp  --  *      *       0.0.0.0/0            121.200.226.210      tcp dpt:80 to:10.240.1.7
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            10.240.0.0/22        tcp dpt:80
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            10.240.0.0/22        tcp dpt:80
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            180.233.129.6        tcp dpt:80
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            10.240.3.0/24        tcp dpt:80
   64  5100 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    6   192 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:33434:33500
I have forced the iptables change I was looking for with:
sudo iptables -t nat -I inet_dnat 4 -p tcp -s 58.108.209.135 -d 180.233.128.7 --dport 80 -j LOG --log-prefix HTTP8000
sudo iptables -t nat -I inet_dnat 5 -p tcp -s 58.108.209.135 -d 180.233.128.7 --dport 80 -j DNAT --to-destination 10.240.1.7:8000
But I would prefer the DNAT src inet:58.108.209.135 rule to do this.
Kind regards,
Trent O'Callaghan
Network Manager
www.nearmap.com
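An added example, not from the original post and not Shorewall's own code: a small POSIX sh/awk check that asks whether a given DNAT rule is present in an "iptables -v -t nat -n -L inet_dnat" listing, so the effect of a rule change can be verified by script rather than by reading the chain by eye. The listing it runs on is a constructed sample modelled on the one in the post, with the two manually inserted rules included.

```shell
#!/bin/sh
# Added example: verify that a specific DNAT rule is present in an
# "iptables -v -t nat -n -L" listing instead of reading the chain by eye.

# Constructed sample modelled on the inet_dnat listing in the post, with the
# two manually inserted rules (LOG + DNAT to 10.240.1.7:8000) included.
SAMPLE_NAT='Chain inet_dnat (1 references)
 pkts bytes target prot opt in out source destination
    0     0 RETURN all  -- * eth2 0.0.0.0/0 180.233.128.0/23
    0     0 RETURN all  -- * eth2 0.0.0.0/0 180.233.131.0/24
    0     0 RETURN tcp  -- * *    0.0.0.0/0 180.233.129.6 tcp dpt:80
    0     0 LOG    tcp  -- * *    58.108.209.135 180.233.128.7 tcp dpt:80 LOG flags 0 level 4 prefix "HTTP8000"
    0     0 DNAT   tcp  -- * *    58.108.209.135 180.233.128.7 tcp dpt:80 to:10.240.1.7:8000
48061 2504K DNAT   tcp  -- * *    0.0.0.0/0 180.233.128.7 tcp dpt:80 to:10.240.1.7'

# dnat_rule_present SRC DST DPORT TARGET   (listing on stdin)
# Exit 0 if a DNAT rule with source SRC, destination DST, tcp dport DPORT and
# "to:TARGET" is present, 1 otherwise. Columns of a -v listing are:
# pkts bytes target prot opt in out source destination [match/target extras]
dnat_rule_present() {
    awk -v src="$1" -v dst="$2" -v dport="$3" -v to="$4" '
        $3 == "DNAT" && $4 == "tcp" && $8 == src && $9 == dst {
            p = 0; t = 0
            for (i = 10; i <= NF; i++) {
                if ($i == ("dpt:" dport)) p = 1
                if ($i == ("to:" to))     t = 1
            }
            if (p && t) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# The check the post did by hand: is tcp/80 from 58.108.209.135 to
# 180.233.128.7 being redirected to 10.240.1.7:8000?
check_post_listing() {
    printf '%s\n' "$SAMPLE_NAT" |
        dnat_rule_present 58.108.209.135 180.233.128.7 80 10.240.1.7:8000
}

if check_post_listing; then
    echo "DNAT 58.108.209.135 -> 180.233.128.7:80 => 10.240.1.7:8000 is present"
else
    echo "rule not present in inet_dnat"
fi
```

On a live box, replace the sample with the real listing: sudo iptables -v -t nat -n -L inet_dnat | dnat_rule_present ... and branch on the exit status.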
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users