On 03/27/2018 02:24 PM, Farkas Levente wrote:
> On 03/27/2018 11:19 PM, Tom Eastep wrote:
>> On 03/27/2018 02:15 PM, Farkas Levente wrote:
>>> On 03/27/2018 07:15 PM, Tom Eastep wrote:
>>>> On 03/27/2018 10:01 AM, Farkas Levente wrote:
>>>>> hi,
>>>>> we've got an old and a new server. each has one single public eth0
>>>>> interface on the net. i'd like to forward all traffic from the old
>>>>> server's 12345 port to the new server's 12345 port. how can i do that
>>>>> with shorewall (actually shorewall-lite)?
>>>>> i'd have to add a DNAT rule to the PREROUTING table, but if i put a DNAT
>>>>> rule into the rules file the result will be in the POSTROUTING table, ie
>>>>> i'm not able to put anything in the PREROUTING. if i put a line into the
>>>>> nat file then i can't add a port.
>>>>> so is it possible with shorewall or should i have to manually add iptables
>>>>> rules?
>>>>
>>>> DNAT entries in the rules file generate a DNAT rule in the PREROUTING
>>>> table and an ACCEPT rule in the filter table.
>>>
>>> i use shorewall-5.1.11-2
>>>
>>> in the rules file this line:
>>>
>>> DNAT all net:$TEST_IP:12345 tcp 12345
>>>
>>> generates this firewall file:
>>> -------------------------------
>>> #
>>> # Generated by Shorewall 5.1.11.2 - Tue Mar 27 23:01:16 CEST 2018
>>> #
>>> *raw
>>> :PREROUTING ACCEPT [0:0]
>>> :OUTPUT ACCEPT [0:0]
>>> COMMIT
>>> *nat
>>> :PREROUTING ACCEPT [0:0]
>>> :OUTPUT ACCEPT [0:0]
>>> :POSTROUTING ACCEPT [0:0]
>>> -A OUTPUT -p 6 --dport 12345 -j DNAT --to-destination 1.2.3.4:12345
>>> -------------------------------
>>> and there isn't any line in the filter table with the 12345 port (or
>>> anywhere else the 12345 number).
>>>
>>
>> And I assume that your only zones are 'net' and 'fw'? If so, then that
>> rule is correct. Traffic originating from the firewall never goes
>> through the PREROUTING chain.
>
> yes as i wrote both machines have one interface so 2 zones. net and
> fw. and i'd like to forward all incoming traffic from the net interface to
> go to the second machine's same port.
>
>

Then you are basically looking at Shorewall FAQ 2, using the 'net'
interface rather than the 'loc' interface. And on the new server, all
forwarded traffic is going to look like it originated on the old server.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
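The setup Tom points to (FAQ 2 applied to the 'net' interface), written out as an added example that is not from this thread or from the Shorewall project. It assumes the old server's only interface is eth0 in zone net, that the new server is 1.2.3.4 (the address in the generated file quoted above), and the Shorewall 5.1 file layout with separate rules and snat files. The source zone is written explicitly as net rather than all, because the generated file quoted above contains only the fw-originated OUTPUT rule. The routeback option on eth0 is an assumption made here: the forwarded packets enter and leave through the same interface.

```text
# /etc/shorewall/interfaces  (assumed: a single public interface in zone net)
#ZONE   INTERFACE   OPTIONS
net     eth0        routeback

# /etc/shorewall/rules
# Connections arriving from the net on tcp/12345 are DNATed to the new
# server (1.2.3.4, taken from the generated file above). With 'net' as the
# source zone the DNAT lands in nat PREROUTING, with an ACCEPT in filter.
#ACTION   SOURCE   DEST                 PROTO   DPORT
DNAT      net      net:1.2.3.4:12345    tcp     12345

# /etc/shorewall/snat
# Rewrites the source of only the forwarded connections to eth0's address,
# so the new server's replies come back through the old server. This is
# why, as Tom says, every forwarded connection appears to originate on
# the old server; the new server's logs will not show the real client.
#ACTION       SOURCE       DEST            PROTO   PORT
MASQUERADE    0.0.0.0/0    eth0:1.2.3.4    tcp     12345
```

After compiling (with shorewall-lite the compile happens on the administrative host), the check is the one Farkas already did: the *nat section of the generated script should now contain a PREROUTING entry with --dport 12345 -j DNAT rather than the OUTPUT entry shown above, and the filter table should contain the matching ACCEPT. The snat entry is deliberately restricted to tcp/12345 towards 1.2.3.4 so that the old server's own outbound traffic is left untouched.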
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users