Hello!
I'm running Bering Leaf 3.1.1R6 with shorewall 3.4.8 R3 and have
strange behaviour with redirected ports.

We have the zones loc 192.168.146.0/24, fw, net and dmz 192.168.147.0/24.

In the zone loc is one host (192.168.146.2) running 2 different
webservers on it. One listening at 443 and the other at 444.
Requests to the official IP 123.123.123.1 should be DNATed to
192.168.146.2:443 and requests for 123.123.123.2 to 192.168.146.2:444.

DNAT   net   loc:192.168.146.2:443   tcp   443   -   123.123.123.1
DNAT   net   loc:192.168.146.2:444   tcp   443   -   123.123.123.2

Nothing special. This works perfect.

Now I want users located in the dmz to be able to connect to these
webservers too, and added the following rules to the existing ones:

DNAT   dmz   loc:192.168.146.2:443   tcp   443   -   123.123.123.1
DNAT   dmz   loc:192.168.146.2:444   tcp   443   -   123.123.123.2

I can't connect to the webservers from within the dmz to the official
IPs. I can't see any packet arriving at 192.168.146.2 port 443 or 444.

In one testing scenario I forgot the source port and the official
addresses, so it looks like

DNAT   dmz   loc:192.168.146.2:443   tcp   443
DNAT   dmz   loc:192.168.146.2:444   tcp   443

then all https connections from the dmz hit the webserver at 192.168.146.2:443.

/etc/shorewall/masq:
eth1:0   192.168.146.2      123.123.123.1     tcp   443
eth1:1   192.168.146.2      123.123.123.2     tcp   443
eth1     192.168.146.0/24   123.123.123.254
eth1     192.168.147.0/24   123.123.123.254

I have no idea how to solve the riddle. Any help appreciated.

Regards Juergen
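The following is an added example, not part of the original post or of Shorewall itself. It is a small model of how the columns of a Shorewall DNAT rule (SOURCE zone, DEST, PROTO, DEST PORT, SOURCE PORT, ORIGINAL DEST) are matched against a packet, fed with the rule lines quoted above. It reproduces the two observations in the mail: with ORIGINAL DEST filled in, a dmz packet is only rewritten when its destination is the matching official IP; with that column empty, every https packet from the dmz is caught by the first rule and lands on 192.168.146.2:443. The model covers only the nat-table match; it says nothing about routing or the masq entries, so if the model says a rule matches but no packet reaches 192.168.146.2, the place to look is the nat-table counters on the firewall (for instance `iptables -t nat -L -n -v`) and the return path, not the rule syntax. The rule parser, packet class and the `198.51.100.7` address (a documentation range, used as an arbitrary outside host) are assumptions of this example.

```python
# Added example (not from the post or from Shorewall): model the match of
# Shorewall DNAT rule columns against packets, using the rules from the mail.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DnatRule:
    source_zone: str          # SOURCE column (zone name)
    new_dest: str             # "ip:port" taken from the DEST column
    proto: str                # PROTO column
    dport: int                # DEST PORT column
    orig_dest: Optional[str]  # ORIGINAL DEST column, None when '-' or omitted


@dataclass
class Packet:
    zone: str                 # zone the packet arrives from
    dst_ip: str               # destination address before DNAT
    dport: int
    proto: str = "tcp"


def parse_rule(line: str) -> DnatRule:
    """Parse one DNAT line of /etc/shorewall/rules (whitespace separated columns)."""
    cols = line.split()
    if cols[0] != "DNAT":
        raise ValueError("only DNAT lines are modelled here")
    _zone, ip, port = cols[2].split(":")          # DEST is "zone:ip:port"
    # Column 7 (ORIGINAL DEST) may be '-' or missing entirely, as in the mail.
    orig = cols[6] if len(cols) > 6 and cols[6] != "-" else None
    return DnatRule(cols[1], f"{ip}:{port}", cols[3], int(cols[4]), orig)


def apply_dnat(rules: List[DnatRule], pkt: Packet) -> Optional[str]:
    """Return the rewritten destination of the first matching rule, or None."""
    for r in rules:
        if r.source_zone != pkt.zone or r.proto != pkt.proto or r.dport != pkt.dport:
            continue
        # With ORIGINAL DEST set, the packet's pre-NAT destination must match.
        if r.orig_dest is not None and r.orig_dest != pkt.dst_ip:
            continue
        return r.new_dest
    return None


# Rules exactly as quoted in the mail: first with ORIGINAL DEST, then without.
WITH_ORIGDEST = [parse_rule(l) for l in (
    "DNAT dmz loc:192.168.146.2:443 tcp 443 - 123.123.123.1",
    "DNAT dmz loc:192.168.146.2:444 tcp 443 - 123.123.123.2",
)]
WITHOUT_ORIGDEST = [parse_rule(l) for l in (
    "DNAT dmz loc:192.168.146.2:443 tcp 443",
    "DNAT dmz loc:192.168.146.2:444 tcp 443",
)]

# Constructed test packets: https from the dmz to each official IP and to an
# arbitrary outside host (198.51.100.7 is a documentation address, assumed here).
PACKETS = {
    "to_official_1": Packet("dmz", "123.123.123.1", 443),
    "to_official_2": Packet("dmz", "123.123.123.2", 443),
    "to_outside": Packet("dmz", "198.51.100.7", 443),
}


def evaluate(rules: List[DnatRule]) -> dict:
    """Map each constructed packet name to the destination the rule set gives it."""
    return {name: apply_dnat(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("with ORIGINAL DEST", WITH_ORIGDEST),
                         ("without ORIGINAL DEST", WITHOUT_ORIGDEST)):
        print(label)
        for name, dest in evaluate(rules).items():
            print(f"  {name:15s} -> {dest}")
```

Run as a script it prints the two tables side by side; the second one shows the :444 rule is never reached once the ORIGINAL DEST column is dropped, because the :443 rule already matches every dmz packet to port 443.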

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/