On 3/17/11 9:05 AM, [email protected] wrote:
> On Monday 7 March, 2011 07:55:39 Tom Eastep wrote:
>> First of all, your rules are wrong. You want a single rule:
>> 
>> DNAT net     cam:10.5.12.40          tcp     www
> 
> Thanks, but it's not working.  Everything's set like you say, but
> when I try from another machine: [515690.154919]
> Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.1
> DST=10.5.12.40 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32540 DF PROTO=TCP
> SPT=59797 DPT=80 WINDOW=4380 RES=0x00 SYN URGP=0
> 
> For some reason it's not masquerading through the camera server.
> 

Your routing is wrong. Note that it is trying to route the packet back
out of eth0.
> 
>> That assumes that 'cam' is defined to be the zone consisting of
>> hosts attached to eth2; e.g., the following in
>> /etc/shorewall/interfaces:
>> 
>> cam  eth2    -       ...
> 
> Ya have that.  Using tcpflags as only option.  Only the one IP camera
> is on this interface ATM.
> 

How have you configured eth2?

> 
>> Secondly, your camera probably doesn't have a default route
>> defined; in fact, it is probably incapable of having a default
>> route and can only communicate with other hosts on its own LAN.
>> 
>> In the latter case, you need this entry in /etc/shorewall/masq:
>> 
>> eth2:10.5.12.40              0.0.0.0/0
> 
> Thank you.  This seems to be setting it to masquerade requests from
> any machine on the LAN on any port, specifically to one camera.  How
> would I craft it if multiple cams on eth2?

Then just remove the :10.4.12.40 part.

> 
> What I want to do is route all requests that are to 192.168.1.4:10080
> to 10.5.12.40:80.  The camera is on eth2, and 192.168.1.4 is my LAN
> on eth0.

Shorewall does not handle routing. You must configure that using your
distribution's network configuration tools. It will happen automatically
if you configure eth2 to have an address beginning with 10.4.12. and a
net mask of 255.255.255.0.

> 
> I'd like the LAN to access the camera even though it's on a different
> interface and IP, but machines accessing it are vetted and the server
> is protected by Shorewall.  I could set different cameras to
> different ports.

Let's get one working first. And if you have additional problems, please
include the output of 'shorewall dump' as an attachment to your report.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

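Tom's diagnosis rests on one detail of the logged packet: the FORWARD chain dropped it with IN=eth0 and OUT=eth0, i.e. the kernel had no better route to 10.5.12.40 than the default route back out the interface it arrived on. The following Python is an added example, not code from the thread or from the Shorewall project: it parses the quoted log line into its fields and checks the destination against a hypothetical interface layout to show why giving eth2 an address in the camera's /24 changes the egress interface. The interface addresses (192.168.1.4/24 on eth0, 10.5.12.1/24 on eth2) and the assumption that the default route leaves via eth0 are assumptions chosen for the illustration.

```python
"""Added example: read a Shorewall/netfilter log line and relate the
IN/OUT interfaces to the box's connected routes.  Not from the thread."""
import ipaddress
import re

# Constructed sample: the log line quoted in the thread, re-joined on one line.
SAMPLE_LOG = (
    "[515690.154919] Shorewall:FORWARD:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.1 "
    "DST=10.5.12.40 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32540 DF PROTO=TCP "
    "SPT=59797 DPT=80 WINDOW=4380 RES=0x00 SYN URGP=0"
)

# Hypothetical interface layouts (assumptions, not taken from the thread).
# "Broken": eth2 carries no address, so nothing routes to 10.5.12.0/24.
IFACES_BROKEN = {"eth0": "192.168.1.4/24"}
# "Fixed": eth2 has an address in the camera's subnet, as Tom advises.
IFACES_FIXED = {"eth0": "192.168.1.4/24", "eth2": "10.5.12.1/24"}
# Assumed: the default route points out eth0.
DEFAULT_ROUTE_IFACE = "eth0"

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")


def parse_shorewall_log(line):
    """Split a Shorewall log line into chain, disposition, KEY=VALUE fields
    and bare flags (DF, SYN, ...)."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line")
    fields = {"chain": m.group("chain"), "disposition": m.group("disp"), "flags": []}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            fields["flags"].append(token)
    return fields


def egress_interface(dst, ifaces, default_iface=DEFAULT_ROUTE_IFACE):
    """Return the interface whose connected subnet contains dst; if none does,
    the packet follows the default route."""
    addr = ipaddress.ip_address(dst)
    for name, cidr in ifaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return default_iface


def diagnose(line, ifaces):
    """Compare the logged IN/OUT pair with what the connected routes predict.

    In the FORWARD chain the log already shows the post-DNAT address
    (DST=10.5.12.40 DPT=80), so the DNAT rule fired; the question is only
    where the routing table sends the rewritten packet next."""
    f = parse_shorewall_log(line)
    expected_out = egress_interface(f["DST"], ifaces)
    hairpin = f["IN"] == f["OUT"]          # went back out the ingress interface
    routing_ok = expected_out != f["IN"]   # a route off the ingress interface exists
    if hairpin and not routing_ok:
        verdict = ("no connected route to %s: the default route sends it back out %s; "
                   "give the camera interface an address in that subnet" % (f["DST"], f["IN"]))
    elif hairpin and routing_ok:
        verdict = ("routing now forwards %s out %s; the logged drop predates that"
                   % (f["DST"], expected_out))
    else:
        verdict = "packet was forwarded between distinct interfaces"
    return {"chain": f["chain"], "disposition": f["disposition"], "dst": f["DST"],
            "dpt": f.get("DPT"), "logged_out": f["OUT"], "expected_out": expected_out,
            "hairpin": hairpin, "routing_ok": routing_ok, "verdict": verdict}


if __name__ == "__main__":
    for label, ifaces in (("before", IFACES_BROKEN), ("after", IFACES_FIXED)):
        print(label, diagnose(SAMPLE_LOG, ifaces)["verdict"])
```

The check only models connected routes; on a real box compare it with `ip route get 10.5.12.40`, which reports the interface the kernel would actually choose.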

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
