On 12/13/18 9:00 AM, Tom Eastep wrote:
> On 12/13/18 12:40 AM, HÖGLUND, Göran via Shorewall-users wrote:
>> Hi
>>
>> I cannot figure out how to DNAT traffic from a specific IP address in
>> one zone to a specific IP address in another zone and let all other
>> traffic be treated "normally".
>>
>> My idea is:
>>
>> DNAT loc:192.168.0.2 dmz:192.168.1.2 udp 53
>>
>> Seems to fail ....
>
> That rule will forward UDP DNS requests from 192.168.0.2 in the loc zone
> to the DNS server at 192.168.1.2 in the dmz zone, PROVIDED THAT there
> are no existing conntrack entries for udp 53 from 192.168.0.2 to
> whatever the original destination address in the request was.
>
> If the conntrack utility is installed, you can delete any such entries via:
>
> conntrack -D -s 192.168.0.2 -p udp --dport 53
>

One more thing - DNS sometimes falls back to TCP if the response is too
long for a single datagram. So you probably want:

DNAT loc:192.168.0.2 dmz:192.168.1.2 udp,tcp 53

-Tom

--
Tom Eastep
Shoreline, Washington, USA
http://shorewall.org
Q: What do you get when you cross a mobster with an international standard?
A: Someone who makes you an offer you can't understand
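Before deleting conntrack state, it helps to see which entries are actually blocking the rule. The script below is an added example, not part of the thread or of Shorewall: it parses the text output of `conntrack -L` (a few constructed sample lines are embedded) and reports port-53 flows from 192.168.0.2 whose reply tuple does not point at 192.168.1.2, i.e. flows that were established before the DNAT rule and are still bypassing it. The `-d`/`--sport` selectors used when building the delete commands are standard conntrack options, not something from the thread.

```python
# Added example: find conntrack entries that keep the Shorewall DNAT rule
# "DNAT loc:192.168.0.2 dmz:192.168.1.2 udp,tcp 53" from taking effect.
import re
from typing import Dict, List, Tuple

CLIENT = "192.168.0.2"      # loc host named in the DNAT rule
DNS_SERVER = "192.168.1.2"  # dmz DNS server the rule redirects to


def parse_conntrack_line(line: str) -> Dict[str, object]:
    """Split one `conntrack -L` line into protocol, original and reply tuples."""
    fields = line.split()
    orig: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    for tok in fields[1:]:
        m = re.fullmatch(r"(src|dst|sport|dport)=(\S+)", tok)
        if not m:
            continue  # timeouts, TCP state, [ASSURED], mark=, use= are skipped
        key, val = m.groups()
        # First src/dst/sport/dport set is the original direction; the second
        # set is the reply direction, which shows the address after DNAT.
        (orig if key not in orig else reply)[key] = val
    return {"proto": fields[0], "orig": orig, "reply": reply}


def stale_dns_entries(lines, client=CLIENT, dns_server=DNS_SERVER, port="53"):
    """Return (proto, original dst, sport) for client->port flows not sent to dns_server."""
    stale: List[Tuple[str, str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_conntrack_line(line)
        o, r = e["orig"], e["reply"]
        if e["proto"] in ("udp", "tcp") and o.get("src") == client \
                and o.get("dport") == port and r.get("src") != dns_server:
            stale.append((e["proto"], o["dst"], o["sport"]))
    return stale


def delete_commands(stale):
    """One `conntrack -D` command per stale flow (narrower than deleting all udp/53)."""
    return [f"conntrack -D -s {CLIENT} -d {dst} -p {proto} --dport 53 --sport {sport}"
            for proto, dst, sport in stale]


# Constructed sample of `conntrack -L` output; lines 1 and 3 predate the DNAT rule.
SAMPLE = """\
udp      17 28 src=192.168.0.2 dst=8.8.8.8 sport=45123 dport=53 src=8.8.8.8 dst=192.168.0.2 sport=53 dport=45123 mark=0 use=1
udp      17 29 src=192.168.0.2 dst=8.8.8.8 sport=45124 dport=53 src=192.168.1.2 dst=192.168.0.2 sport=53 dport=45124 mark=0 use=1
tcp      6 118 TIME_WAIT src=192.168.0.2 dst=1.1.1.1 sport=50011 dport=53 src=1.1.1.1 dst=192.168.0.2 sport=53 dport=50011 [ASSURED] mark=0 use=1
udp      17 20 src=192.168.0.3 dst=8.8.8.8 sport=40000 dport=53 src=8.8.8.8 dst=192.168.0.3 sport=53 dport=40000 mark=0 use=1
"""

if __name__ == "__main__":
    for cmd in delete_commands(stale_dns_entries(SAMPLE.splitlines())):
        print(cmd)
```

On a live box, feed it `subprocess.check_output(["conntrack", "-L"], text=True).splitlines()` instead of SAMPLE.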