On 03/24/2017 05:11 AM, Nerijus Baliunas wrote:
> I even tried a simpler method. shorewall/rules:
> ACCEPT net fw tcp 443
> DNAT net loc:10.10.10.12 tcp 443
>
> DNAT takes the precedence, so the browser from outside opens
> 10.10.10.12. Then I run iptables -D net-loc -p tcp -d 10.10.10.12
> --dport 443 -j ACCEPT it deletes above DNAT rule, but the browser
> cannot connect to fw port 443. Then I run shorewall open all
> 81.x.x.x tcp 443, but the browser still cannot connect. Why?

You are not deleting the DNAT rule; you are deleting the ACCEPT rule. When you include a DNAT rule in /etc/shorewall/rules, two iptables rules are created: the DNAT rule in the nat table and an ACCEPT rule in the filter table.

To solve your issue, I suggest that you place '!direct' in the SWITCH column of your DNAT rule. That way, you can turn it off by setting the 'direct' switch. Then the open command will work.

-Tom

-- 
Tom Eastep            \   Q: What do you get when you cross a mobster with
Shoreline,             \     an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.net     \________________________________________________
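The switch-based layout Tom suggests, written out as an added example that is not from the thread. It assumes Shorewall's `{ column=value }` alternate column syntax and the kernel's condition match, which exposes each switch as a file under /proc/net/nf_condition; the zone names follow the original post.

```text
# /etc/shorewall/rules (constructed example)
#ACTION   SOURCE   DEST               PROTO   DPORT
# Lets new-zone clients reach the firewall's own port 443 once the DNAT
# rule is switched off; this is the filter-table ACCEPT the poster deleted.
ACCEPT    net      $FW                tcp     443
# Forward port 443 to the internal host only while the 'direct' switch is 0.
# '!' inverts the test: the rule matches when /proc/net/nf_condition/direct
# reads 0 and is skipped when it reads 1. Both the nat DNAT rule and its
# companion filter ACCEPT rule carry the switch, so neither has to be deleted.
DNAT      net      loc:10.10.10.12    tcp     443   { switch=!direct }

# Operating the switch from the shell (condition switches are created with 0):
#   cat /proc/net/nf_condition/direct         -> 0, DNAT active
#   echo 1 > /proc/net/nf_condition/direct    -> new port-443 connections stay on $FW
#   echo 0 > /proc/net/nf_condition/direct    -> DNAT to 10.10.10.12 again
#   shorewall show nat                        -> confirms the DNAT rule is still loaded
```

Only new connections follow the switch: sessions already translated to 10.10.10.12 remain in the conntrack table until they close.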
