On 09/25/2012 05:00 AM, David Westlund wrote:
> We have a Shorewall configuration where we:
> * set up one-to-one NAT in the file /etc/shorewall/nat
> * set up port forwarding rules for specific IPs and ports in /etc/shorewall/rules
>
> So basically, what we want to achieve is that all traffic to IP 10.10.10.10 should point to inside 192.168.0.2 _except_ for port 80, which should go to 192.168.0.3.
>
> Unfortunately, with this setup the more general one-to-one rule ends up in the NAT chain "nat_in", while the more specific port forwarding ends up in the chain "dnat". And, in the configuration generated by Shorewall, the nat_in chain is placed above the dnat chain. This is done in file "Misc.pm", lines 1446-1448.
>
> Should we do our configuration some other way, or is this something that should be fixed in Shorewall?
Currently, the only way to achieve what you are asking is to replace each entry in /etc/shorewall/nat with an entry in /etc/shorewall/masq and a DNAT- entry in /etc/shorewall/rules.

I'll add a way to allow DNAT to preempt /etc/shorewall/nat in the 4.5.9 release.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
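The workaround Tom describes, written out as an added example rather than anything taken from the original thread: the original one-to-one entry is shown first, then the masq entry that replaces its outbound SNAT half and the rules entries that replace its inbound DNAT half. The addresses come from David's message; the interface name eth0 and the zone names net and loc are assumed.

```text
# --- /etc/shorewall/nat (before): one-to-one NAT, lands in nat_in ahead of dnat ---
#EXTERNAL      INTERFACE   INTERNAL      ALL          LOCAL
#                                        INTERFACES
10.10.10.10    eth0        192.168.0.2   no           no

# --- /etc/shorewall/masq (after): outbound half of the one-to-one mapping ---
# Traffic leaving eth0 from 192.168.0.2 is SNATed to 10.10.10.10.
#INTERFACE     SOURCE        ADDRESS
eth0           192.168.0.2   10.10.10.10

# --- /etc/shorewall/rules (after): inbound half, now entirely in the dnat chain ---
# Order matters: the specific port-80 rule must precede the catch-all DNAT- rule.
# DNAT- generates only the NAT rule, so the ACCEPT rules that admit traffic to
# 192.168.0.2 must already exist elsewhere in this file (or via policy).
#ACTION   SOURCE   DEST               PROTO   DEST   SOURCE   ORIGINAL
#                                             PORT   PORT     DEST
DNAT      net      loc:192.168.0.3    tcp     80     -        10.10.10.10
DNAT-     net      loc:192.168.0.2    -       -      -        10.10.10.10
```

After `shorewall restart`, `shorewall show nat` should list both entries in the dnat chain with the port-80 rule first, and nothing for 10.10.10.10 in nat_in.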
