Rob Hicks wrote:
> Hi.

Hi,


> The test lab firewall has two NICS. One (eth0) has two ip addresses, 
> eth0  10.161.101.40 and eth0:0  10.161.10.49. The other one, eth1 is 
> on a private network, 10.20.30.0. 
> 
> I want to use DNAT to allow test engineers to ssh into the machines in 
> the web farm. [...]

> ACCEPT          net             $FW                     tcp     22

> DNAT            net             dmz:10.20.30.21:22              tcp     
> 22

> My problem is with the DNAT entry. If I enable it, when someone uses ssh 
> to log into the firewall (the first rule), somehow the request is 
> forwarded to the dmz:10.20.30.21 machine. If I comment out the DNAT 
> rule, logging into the firewall using ssh works.

The firewall has two external ip addresses, so if you don't want to use 
non-standard ssh ports you can only address two ssh servers: one on each ip 
address. In neither of the two ssh rules above is the column "ORIGINAL DEST" 
specified, so they will both handle ssh connections to both your external 
addresses. Shorewall honors the last rule by default.

You can choose one of these two solutions instead:

1) Let your users use the firewall machine as a "jump host".

2) DNAT non-standard ports for ssh connections to the dmz machines like this:
DNAT  net  loc:10.20.30.21:22 tcp     30021
DNAT  net  loc:10.20.30.22:22 tcp     30022
... and so on.

Each solution has its pros and cons, so you will have to decide for yourself 
what to do.

Good luck!
/Martin
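
An added illustration, not part of either message above, of what the two rules look like once each one is pinned to a single external address via the ORIGINAL DEST column of /etc/shorewall/rules, alongside the non-standard-port variant from Martin's second suggestion. The addresses are the ones quoted in Rob's mail; the choice of which external address carries which service, the "dmz" zone name and the port numbers 30021/30022 are assumptions for the example. Columns follow the standard Shorewall rules layout (ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST), with "-" meaning "any source port":

```text
#ACTION   SOURCE   DEST                  PROTO   DEST     SOURCE   ORIGINAL
#                                                PORT(S)  PORT(S)  DEST
# Option A: one ssh server per external address, both on port 22.
# ssh to 10.161.101.40:22 reaches the firewall itself (assumed mapping).
ACCEPT    net      $FW                   tcp     22       -        10.161.101.40
# ssh to 10.161.10.49:22 is forwarded to the dmz host (assumed mapping).
DNAT      net      dmz:10.20.30.21:22    tcp     22       -        10.161.10.49

# Option B: keep port 22 for the firewall, reach dmz hosts on high ports.
# Port numbers 30021/30022 are placeholders chosen for this example.
ACCEPT    net      $FW                   tcp     22
DNAT      net      dmz:10.20.30.21:22    tcp     30021
DNAT      net      dmz:10.20.30.22:22    tcp     30022
```

With Option A the two rules no longer overlap, because each only matches traffic whose original destination was one specific external address; with Option B they no longer overlap because the destination ports differ. After reloading, the effective nat entries can be reviewed with `iptables -t nat -L PREROUTING -n --line-numbers` to confirm that only the intended address/port pairs are being rewritten.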


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users