I even tried a simpler method. shorewall/rules:

ACCEPT net fw tcp 443
DNAT net loc:10.10.10.12 tcp 443

DNAT takes precedence, so the browser from outside opens 10.10.10.12. Then I run

iptables -D net-loc -p tcp -d 10.10.10.12 --dport 443 -j ACCEPT

It deletes the above DNAT rule, but the browser cannot connect to fw port 443. Then I run

shorewall open all 81.x.x.x tcp 443

but the browser still cannot connect. Why?

On Fri, 24 Mar 2017 13:42:58 +0200 Nerijus Baliunas <[email protected]> wrote:

> Hello,
>
> I left the rule DNAT net loc:10.10.10.12 tcp 443 in
> shorewall/rules, but I do:
> iptables -D net-loc -p tcp -d 10.10.10.12 --dport 443 -j ACCEPT
> so that the rule is deleted before trying to open 443 port on fw itself. I test
> with a browser, and I am no longer forwarded to 10.10.10.12.
>
> Then I run shorewall open all 81.x.x.x tcp 443:
> Firewall dynamically opened for connections from all to 81.x.x.x tcp port 443
>
> iptables -L -n shows a new rule in chain dynamic:
> Chain dynamic (10 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  0.0.0.0/0            81.x.x.x             tcp dpt:443
>
> But the browser times out, does not connect to apache running on fw.
>
> Regards,
> Nerijus
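The following is an added illustration, not part of the mail thread and not Shorewall's own code. It is a deliberately simplified model of the netfilter traversal order that the question above turns on: the nat PREROUTING chain (where a DNAT rule lands) runs before the routing decision and before any filter chain, so filter rules such as the ones in net-loc, net-fw or dynamic only ever see the rewritten destination. Chain names are collapsed to INPUT/FORWARD, the `dynamic` chain is modelled as one rule on each side, and the zone policies are assumed to drop; the four scenarios reproduce the states the two messages describe.

```python
from dataclasses import dataclass
from typing import Optional

FW_ADDR = "81.x.x.x"       # firewall's public address, written as in the mail
LOCAL_SRV = "10.10.10.12"  # DNAT target behind the firewall


@dataclass
class Rule:
    table: str             # "nat" or "filter"
    chain: str             # "PREROUTING", "INPUT" or "FORWARD"
    proto: str
    dst: str               # destination to match; "0.0.0.0/0" matches any
    dport: int
    target: str            # "ACCEPT" or "DNAT"
    to: Optional[str] = None  # rewritten destination for DNAT


@dataclass
class Packet:
    proto: str
    dst: str
    dport: int


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto and rule.dport == pkt.dport
            and rule.dst in ("0.0.0.0/0", pkt.dst))


def traverse(rules, pkt: Packet, local_addrs=(FW_ADDR,)):
    """Return (chain, verdict, destination as seen by the filter table)."""
    pkt = Packet(pkt.proto, pkt.dst, pkt.dport)  # work on a copy
    # 1. nat PREROUTING runs first; a matching DNAT rewrites the destination.
    for r in rules:
        if r.table == "nat" and r.chain == "PREROUTING" and _matches(r, pkt):
            if r.target == "DNAT" and r.to:
                pkt.dst = r.to
            break
    # 2. Routing decision is made on the (possibly rewritten) destination.
    chain = "INPUT" if pkt.dst in local_addrs else "FORWARD"
    # 3. filter table: first matching rule wins; otherwise the policy drops.
    for r in rules:
        if r.table == "filter" and r.chain == chain and _matches(r, pkt):
            return chain, r.target, pkt.dst
    return chain, "DROP", pkt.dst


# Rules as the mail describes them (modelled, chain names simplified).
DNAT_RULE = Rule("nat", "PREROUTING", "tcp", "0.0.0.0/0", 443, "DNAT", to=LOCAL_SRV)
NET_LOC_ACCEPT = Rule("filter", "FORWARD", "tcp", LOCAL_SRV, 443, "ACCEPT")
NET_FW_ACCEPT = Rule("filter", "INPUT", "tcp", FW_ADDR, 443, "ACCEPT")
# "shorewall open" adds to chain dynamic, which is referenced from both
# INPUT- and FORWARD-side chains; modelled here as one rule on each side.
DYNAMIC_OPEN = [Rule("filter", c, "tcp", FW_ADDR, 443, "ACCEPT")
                for c in ("INPUT", "FORWARD")]

# Constructed sample: an HTTPS connection from the net zone to the firewall.
HTTPS_FROM_NET = Packet("tcp", FW_ADDR, 443)


def scenarios():
    """The states the thread walks through, each as (chain, verdict, dst)."""
    return {
        "dnat+accept": traverse([DNAT_RULE, NET_LOC_ACCEPT, NET_FW_ACCEPT], HTTPS_FROM_NET),
        "after iptables -D net-loc": traverse([DNAT_RULE, NET_FW_ACCEPT], HTTPS_FROM_NET),
        "after shorewall open": traverse([DNAT_RULE, NET_FW_ACCEPT, *DYNAMIC_OPEN], HTTPS_FROM_NET),
        "dnat removed": traverse([NET_FW_ACCEPT], HTTPS_FROM_NET),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} -> chain={result[0]:8s} verdict={result[1]:6s} dst={result[2]}")
```

In this model, deleting the ACCEPT from net-loc leaves the DNAT in place, so the packet is still rewritten to 10.10.10.12 and then dropped in FORWARD; an ACCEPT for 81.x.x.x added later in the dynamic chain never matches, because by the time the filter table runs the destination is no longer 81.x.x.x. Only the last scenario, with no DNAT rule in the nat table, reaches INPUT with the firewall's own address.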
