sond wrote:
> So, when I want to DNAT a port I have first to ACCEPT net to fw
> connection for that port. Right?

No. Shorewall's DNAT action creates both the DNAT and ACCEPT rules; DNAT- (note the trailing "-") omits generation of the ACCEPT rules.

> In the iptables rules (created by shorewall) I've this (for example the
> tcp part of the previous rules):
>
> iptables -L | grep 4662
>
> ACCEPT tcp -- anywhere anywhere multiport dports 4662,4661,4242,3000
> ACCEPT tcp -- anywhere anywhere tcp dpt:4662
>
> Why source and destination are both "anywhere"?

Because those rules are in user-defined chains that only get traffic from net->fw and fw->net. Also, iptables output is much more useful if you use the "-nv" options.

In general, you can't look at a single Netfilter rule out of context and draw any valid conclusions.

> I think it should be something like that:
>
> ACCEPT tcp -- 127.0.0.1 anywhere multiport dports 4662,4661,4242,3000
> ACCEPT tcp -- anywhere 127.0.0.1 tcp dpt:4662
>
> Am I wrong?

Yes. Completely....

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
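The DNAT versus DNAT- distinction Tom describes, as an added illustration that is not part of the original thread or of the Shorewall project's own files. It uses the ports from the thread; the zone names `net` and `loc` and the internal host 192.168.1.10 are assumed values, not from the original message.

```conf
# /etc/shorewall/rules (assumed layout: zones "net" and "loc",
# internal host 192.168.1.10 is an assumed address)
#ACTION   SOURCE   DEST               PROTO   DEST PORT(S)

# Plain DNAT: Shorewall emits the nat-table DNAT rule AND the
# filter-table ACCEPT rule. No separate ACCEPT line is needed.
DNAT      net      loc:192.168.1.10   tcp     4662,4661,4242,3000

# DNAT- (trailing "-"): only the nat-table DNAT rule is generated.
# The connection is NOT accepted unless you add the ACCEPT yourself,
# so forgetting the second line below leaves the port translated
# but still filtered.
DNAT-     net      loc:192.168.1.10   tcp     4662
ACCEPT    net      loc:192.168.1.10   tcp     4662
```

To check the result in context rather than via `iptables -L | grep`, inspect the chains Shorewall built with `iptables -nvL` (or `shorewall show`), so the chain name and the zone-based jump that feeds it are visible alongside the "anywhere" rule.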
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
