On Thu, Mar 03, 2011 at 10:28:34PM -0800, [email protected] wrote:
>
> I have a backup server, hex, which also has security cameras on eth2. eth1
> is the LAN.
>
> I want to take a given security camera at IP 10.5.12.40 on eth2 (cam) and
> present it to the LAN as 192.168.1.4:80. So in Shorewall rules I have:
> DNAT net $FW:10.5.12.40 tcp www
> ACCEPT net:192.168.1.1 cam tcp www -
>
> Of course cam is defined in interfaces, zones, and policy. But when I point
> my browser at 192.168.1.4 nothing happens. No dmesg firewall messages, but
> also nothing else. What am I doing wrong?
>

First, to confirm, do you have ip forwarding enabled?
Second, you shouldn't need the ACCEPT rule, since the DNAT creates a
corresponding ACCEPT rule for you already. If you look at the
shorewall-rules(5) man page, this example corresponds to what you want
to do:

Example 2:
Forward all ssh and http connection requests from the internet to local
system 192.168.1.3

    #ACTION  SOURCE  DEST             PROTO  DEST      SOURCE   ORIGINAL
    #                                        PORT      PORT(S)  DEST
    DNAT     net     loc:192.168.1.3  tcp    ssh,http

So, something like this would work:

    DNAT net $FW:10.5.12.40 tcp www

Which is what you already have for your first rule. Now, if you want
to limit the DNAT requests to a particular host in the net zone, you
incorporate it into the same rule:

    DNAT net:192.168.1.1 $FW:10.5.12.40 tcp www

Now, please also note that if you are doing the DNAT redirection on
the same machine from which you are running the web browser, you
may want to see this as well:
http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall
It is written for Squid, but the same principle applies.
Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
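
The two points made in the reply above (a DNAT rule already implies its own ACCEPT, and a source host restriction belongs in the DNAT rule itself) can be checked mechanically. The following is an added example, not part of the original message and not Shorewall's own code: it parses rules-file text and reports DNAT rules open to a whole zone, plus ACCEPT rules that overlap a DNAT. The function names and the overlap heuristic (same source zone, protocol and port) are assumptions of this sketch.

```python
# Added example: lint Shorewall rules-file text for the two points in the reply.
# Columns follow the shorewall-rules(5) header quoted in the thread.
COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")

# Rules as posted in the thread, and the single-rule form suggested in the reply.
POSTED = """
#ACTION SOURCE          DEST            PROTO DPORT
DNAT    net             $FW:10.5.12.40  tcp   www
ACCEPT  net:192.168.1.1 cam             tcp   www   -
"""
SUGGESTED = "DNAT net:192.168.1.1 $FW:10.5.12.40 tcp www"


def parse_rules(text):
    """Split each non-comment line into the named columns ('-' = unset)."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            fields += ["-"] * (len(COLUMNS) - len(fields))
            rules.append(dict(zip(COLUMNS, fields)))
    return rules


def zone_and_hosts(spec):
    """'net:192.168.1.1' -> ('net', '192.168.1.1'); 'net' -> ('net', None)."""
    zone, _, hosts = spec.partition(":")
    return zone, hosts or None


def audit(text):
    rules = parse_rules(text)
    dnats = [r for r in rules if r["action"] == "DNAT"]
    findings = []
    for d in dnats:
        zone, hosts = zone_and_hosts(d["source"])
        if hosts is None:  # forward is reachable from every host in the zone
            findings.append(("zone-wide-dnat", zone, d["dest"], d["dport"]))
    for r in rules:
        if r["action"] != "ACCEPT":
            continue
        key = (zone_and_hosts(r["source"])[0], r["proto"], r["dport"])
        for d in dnats:
            # Heuristic (assumption): same source zone, protocol and port
            if key == (zone_and_hosts(d["source"])[0], d["proto"], d["dport"]):
                findings.append(("accept-overlaps-dnat", key[0], r["dest"], r["dport"]))
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, audit(text))
```
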
