On Monday 7 March, 2011 07:55:39 Tom Eastep wrote:
> First of all, your rules are wrong. You want a single rule:
>
> DNAT net cam:10.5.12.40 tcp www

Thanks, but it's not working. Everything's set like you say, but when I try from another machine:

[515690.154919] Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.1 DST=10.5.12.40 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32540 DF PROTO=TCP SPT=59797 DPT=80 WINDOW=4380 RES=0x00 SYN URGP=0

For some reason it's not masquerading through the camera server.

> That assumes that 'cam' is defined to be the zone consisting of hosts
> attached to eth2; e.g., the following in /etc/shorewall/interfaces:
>
> cam eth2 - ...

Ya have that. Using tcpflags as only option. Only the one IP camera is on this interface ATM.

> Secondly, your camera probably doesn't have a default route defined; in
> fact, it is probably incapable of having a default route and can only
> communicate with other hosts on its own LAN.
>
> In the latter case, you need this entry in /etc/shorewall/masq:
>
> eth2:10.5.12.40 0.0.0.0/0

Thank you. This seems to be setting it to masquerade requests from any machine on the LAN on any port, specifically to one camera. How would I craft it if multiple cams on eth2?

What I want to do is route all requests that are to 192.168.1.4:10080 to 10.5.12.40:80. The camera is on eth2, and 192.168.1.4 is my LAN on eth0. I'd like the LAN to access the camera even though it's on a different interface and IP, but machines accessing it are vetted and the server is protected by Shorewall. I could set different cameras to different ports.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
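As an added example (not part of the original message and not Shorewall's own code): a small Python parser for the log line quoted above that reports which interface the dropped packet was about to leave on. The function names are hypothetical, and the host-to-interface mapping is an assumption taken from the poster's statement that the camera is on eth2.

```python
import re

# The log line quoted in the message above, embedded so the example runs offline.
SAMPLE = (
    "[515690.154919] Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.1 "
    "DST=10.5.12.40 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32540 DF PROTO=TCP "
    "SPT=59797 DPT=80 WINDOW=4380 RES=0x00 SYN URGP=0"
)

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by
# the kernel's KEY=value fields and bare flag tokens (DF, SYN, ...).
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")
FIELD = re.compile(r"([A-Z]+)=(\S*)")


def parse_shorewall_log(line):
    """Return chain, disposition, KEY=value fields and bare flags as a dict."""
    m = PREFIX.search(line)
    if m is None:
        raise ValueError("no Shorewall log prefix found")
    rest = line[m.end():]
    rec = {"chain": m["chain"], "disposition": m["disposition"]}
    rec.update(FIELD.findall(rest))  # OUT= is empty on INPUT-chain lines
    rec["flags"] = [tok for tok in rest.split() if "=" not in tok]
    return rec


def egress_findings(rec, iface_for_host):
    """Compare the logged egress interface with where the host should be.

    iface_for_host is an assumption supplied by the operator, e.g. the
    message above says the camera 10.5.12.40 is attached to eth2.
    """
    findings = []
    expected = iface_for_host.get(rec["DST"])
    if expected is not None and rec["OUT"] != expected:
        findings.append(
            f"{rec['DST']} was routed out {rec['OUT']}, expected {expected}")
    if rec["IN"] and rec["IN"] == rec["OUT"]:
        findings.append(f"packet enters and leaves on {rec['IN']}")
    return findings


if __name__ == "__main__":
    record = parse_shorewall_log(SAMPLE)
    for finding in egress_findings(record, {"10.5.12.40": "eth2"}):
        print(finding)
```

Run against the quoted line, it reports that the packet for 10.5.12.40 was being forwarded back out eth0 rather than eth2.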
