On 03/27/2018 07:15 PM, Tom Eastep wrote:
> On 03/27/2018 10:01 AM, Farkas Levente wrote:
>> hi,
>> we've got an old and a new server. Each has one single public eth0
>> interface on the net. I'd like to forward all traffic from the old
>> server's 12345 port to the new server's 12345 port. How can I do that
>> with shorewall (actually shorewall-lite)?
>> I'd have to add a DNAT rule to the PREROUTING table, but if I put a DNAT
>> rule into the rules file the result will be in the POSTROUTING table, i.e.
>> I'm not able to put anything in PREROUTING. If I put a line into the
>> nat file then I can't add a port.
>> So is it possible with shorewall or do I have to manually add iptables
>> rules?
>
> DNAT entries in the rules file generate a DNAT rule in the PREROUTING
> table and an ACCEPT rule in the filter table.
I use shorewall-5.1.11-2. This line in the rules file:

DNAT all net:$TEST_IP:12345 tcp 12345

generates this firewall file:

-------------------------------
#
# Generated by Shorewall 5.1.11.2 - Tue Mar 27 23:01:16 CEST 2018
#
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p 6 --dport 12345 -j DNAT --to-destination 1.2.3.4:12345
-------------------------------

and there is no line in the filter table with the 12345 port (or the number 12345 anywhere else).

--
Levente
"Si vis pacem para bellum!"
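Added example, not part of the thread and not Shorewall's own code: a small checker that reads the iptables-restore style file Shorewall writes and answers the two questions Tom's reply raises for a forwarded port: does a DNAT for that port sit in nat/PREROUTING (inbound traffic) or only in nat/OUTPUT (packets the firewall itself originates), and is there an ACCEPT for the port in the filter table? The first sample is the dump Levente posted; the second is a constructed dump of what a working forward would contain (chain names, interface and the 1.2.3.4 address are illustrative assumptions, not Shorewall output).

```python
"""Check where the DNAT for a forwarded port landed in an iptables-save dump.

Added example (not Shorewall's code): parses the restore-format file and
reports the nat chains holding the DNAT plus whether filter has an ACCEPT.
"""
from typing import Dict, List, Optional

# Constructed sample 1: the dump posted in the thread (DNAT only in
# nat/OUTPUT, no filter table at all, file cut off before COMMIT).
POSTED_DUMP = """\
#
# Generated by Shorewall 5.1.11.2 - Tue Mar 27 23:01:16 CEST 2018
#
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p 6 --dport 12345 -j DNAT --to-destination 1.2.3.4:12345
"""

# Constructed sample 2 (assumption, illustrative only): what a working
# inbound forward needs, a DNAT in nat/PREROUTING and an ACCEPT in filter.
EXPECTED_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p 6 --dport 12345 -j DNAT --to-destination 1.2.3.4:12345
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 1.2.3.4/32 -p 6 --dport 12345 -j ACCEPT
COMMIT
"""


def parse_rules(dump: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per '-A' line: table, chain, proto, dport, target, to."""
    rules: List[Dict[str, Optional[str]]] = []
    table: Optional[str] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # '*nat' opens a table section
            table = line[1:]
            continue
        if not line.startswith("-A "):     # skip ':CHAIN POLICY' and COMMIT
            continue
        tokens = line.split()
        rule: Dict[str, Optional[str]] = {
            "table": table, "chain": tokens[1],
            "proto": None, "dport": None, "target": None, "to": None,
        }
        # Walk the option list; unknown options are skipped one token at a time.
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if tok == "-p":
                rule["proto"] = nxt
            elif tok == "--dport":
                rule["dport"] = nxt
            elif tok == "-j":
                rule["target"] = nxt
            elif tok == "--to-destination":
                rule["to"] = nxt
            else:
                i += 1
                continue
            i += 2
        rules.append(rule)
    return rules


def check_dnat(dump: str, dport: str) -> Dict[str, object]:
    """Summarise where the DNAT for `dport` lives and whether filter accepts it."""
    rules = parse_rules(dump)
    dnat = [r for r in rules
            if r["table"] == "nat" and r["target"] == "DNAT" and r["dport"] == dport]
    accepts = [r for r in rules
               if r["table"] == "filter" and r["target"] == "ACCEPT" and r["dport"] == dport]
    return {
        "dnat_chains": sorted({str(r["chain"]) for r in dnat}),
        # Only nat/PREROUTING rewrites packets arriving from the network.
        "inbound_dnat": any(r["chain"] == "PREROUTING" for r in dnat),
        "filter_accept": bool(accepts),
        "destinations": sorted({str(r["to"]) for r in dnat if r["to"]}),
    }


if __name__ == "__main__":
    for name, dump in (("posted", POSTED_DUMP), ("expected", EXPECTED_DUMP)):
        print(name, check_dnat(dump, "12345"))
```

Run against the posted dump the checker reports the DNAT in `OUTPUT` only, `inbound_dnat` False and `filter_accept` False, which is exactly what Levente observed: a DNAT that exists only in nat/OUTPUT rewrites packets the firewall box itself sends, so connections arriving on eth0 for port 12345 are never redirected. The thread as quoted does not say why the PREROUTING entry is missing here, so the checker only reports the state of the generated file; it does not guess at the cause.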