On Thu, 23 Mar 2017 20:39:35 +0000 Simon Hobson <[email protected]> wrote:
> > I have in rules file:
> > DNAT net loc:10.10.10.12 tcp 443
> >
> > I want to temporarily open 443 on firewall itself so that connections to
> > tcp port 443 from outside would go to fw, not 10.10.10.12.
> >
> > I run command:
> > # shorewall open all 81.x.x.x tcp 443
> > Firewall dynamically opened for connections from all to 81.x.x.x tcp port 443
> >
> > 81.x.x.x is my external interface IP addr.
> >
> > But if I open https://81.x.x.x from outside I still am forwarded to
> > 10.10.10.12.
>
> According to the diagram at http://www.shorewall.org/NetfilterOverview.html
> the NAT rules are processed before the input filter. So the rule created by
> the open command will have no effect as the packet will not make it that far
> - it's been through the nat table first.

So I decided to remove the "DNAT net loc:10.10.10.12 tcp 443" rule so that it does not interfere, but if I run

shorewall open all 10.10.10.12 tcp 443

it does not work - port 443 is not DNAT'ed to 10.10.10.12.

Could it be done with iptables perhaps?

iptables -I INPUT 1 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

does not work as I want (if the above DNAT rule is present) - the https connection is forwarded to 10.10.10.12.

Regards,
Nerijus

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
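As an added illustration (not part of this thread and not Shorewall code), a small Python model of the traversal order Simon's reply describes: nat PREROUTING runs first, and the routing decision then sends the rewritten packet to filter FORWARD rather than INPUT, which is why the INPUT ACCEPT rule is never consulted. The second function models the standard iptables way to exempt a flow from DNAT, an ACCEPT placed ahead of the DNAT rule in nat PREROUTING, which the thread itself does not suggest; the addresses are constructed, with 81.0.0.1 standing in for 81.x.x.x.

```python
# Model of the netfilter traversal order the reply refers to: nat PREROUTING
# runs before the routing decision that picks filter INPUT (local delivery) or
# filter FORWARD. Constructed example; 81.0.0.1 stands in for the thread's 81.x.x.x.
FW_EXTERNAL = "81.0.0.1"
LOCAL_ADDRS = {FW_EXTERNAL, "10.10.10.1"}   # addresses the firewall itself owns

def run_chain(pkt, chain, policy):
    """First matching rule wins, as in iptables. A rule is (match, action, arg);
    DNAT rewrites the destination, ACCEPT/DROP are final for this chain."""
    for match, action, arg in chain:
        if match(pkt):
            if action == "DNAT":
                return "DNAT", {**pkt, "dst": arg}
            return action, pkt
    return policy, pkt

def traverse(pkt, nat_prerouting, filter_input, filter_forward):
    """Returns (chain that decided, verdict) for the first packet of a connection."""
    _, pkt = run_chain(pkt, nat_prerouting, "ACCEPT")      # 1. nat PREROUTING
    if pkt["dst"] in LOCAL_ADDRS:                           # 2. routing decision
        return "INPUT", run_chain(pkt, filter_input, "DROP")[0]
    return "FORWARD", run_chain(pkt, filter_forward, "DROP")[0]

def https_to_fw(p):
    return p["dport"] == 443 and p["dst"] == FW_EXTERNAL

# The thread's "DNAT net loc:10.10.10.12 tcp 443" and the attempted INPUT ACCEPT.
DNAT_RULE = (https_to_fw, "DNAT", "10.10.10.12")
INPUT_ACCEPT = (lambda p: p["dport"] == 443, "ACCEPT", None)
FORWARD_ACCEPT = (lambda p: p["dport"] == 443 and p["dst"] == "10.10.10.12", "ACCEPT", None)
PKT = {"dst": FW_EXTERNAL, "dport": 443}    # HTTPS from outside to the firewall's address

def as_in_thread():
    """DNAT present plus an INPUT ACCEPT: the packet is rewritten first and
    then routed to FORWARD, so the INPUT rule is never consulted."""
    return traverse(PKT, [DNAT_RULE], [INPUT_ACCEPT], [FORWARD_ACCEPT])

def with_nat_exception():
    """An ACCEPT inserted ahead of the DNAT rule in nat PREROUTING ends nat
    processing without a rewrite; the routing decision then delivers locally."""
    exception = (https_to_fw, "ACCEPT", None)
    return traverse(PKT, [exception, DNAT_RULE], [INPUT_ACCEPT], [FORWARD_ACCEPT])

if __name__ == "__main__":
    print("as in thread:", as_in_thread())              # ('FORWARD', 'ACCEPT')
    print("with nat exception:", with_nat_exception())  # ('INPUT', 'ACCEPT')
```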
