On my shorewall router there is traffic entering on the tun0 interface and exiting the br-lan interface. Any packets entering from tun0 with a destination port of 23768 on a machine on the br-lan interface should be port-mapped to 5060.
I have the following in my shorewall rules file:
DNAT vpn2 10.75.22.8:5060 udp 23768
Where vpn2 is
vpn2 tun0:10.75.23.0/24,+foo
and 10.75.22.8 is the destination I want to remap from port 23768 to port 5060. The iptables rule that gets installed is:
Chain PREROUTING (policy ACCEPT 611 packets, 33855 bytes)
 pkts bytes target prot opt in  out source        destination
    0     0 DNAT   udp  --  tun0 *   10.75.23.0/24 0.0.0.0/0    udp dpt:23768 to:10.75.22.8:5060
    0     0 DNAT   udp  --  tun0 *   0.0.0.0/0     0.0.0.0/0    udp dpt:23768 match-set foo src to:10.75.22.8:5060
Nothing seems to be getting port mapped however. On tun0 we can see:
08:06:18.541475 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:19.042057 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:20.047426 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:22.052565 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
and on br-lan we can see:
08:06:18.541685 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:18.541902 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
08:06:19.042266 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:19.042475 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
08:06:20.047639 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:20.047896 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
08:06:22.052788 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472
08:06:22.053093 IP 10.75.22.8 > 10.75.23.212: ICMP 10.75.22.8 udp port 23768 unreachable, length 508
What is it that I am missing?
As an aside, can I use REDIRECT here, or is REDIRECT strictly for port-mapping on the shorewall host itself? I thought I read otherwise... that it could be used to map ports on remote (to shorewall) hosts also.
Cheers,
b.
Shorewall-users mailing list: [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
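The one hard fact in the post is that both DNAT rules show 0 pkts while matching-looking packets are visibly arriving on tun0. The nat table is only consulted for the first packet of a connection; once conntrack has an entry for a flow (for example, one created before the DNAT rule was loaded), later packets of that flow never reach the nat PREROUTING chain. The script below is an added example, not code from the post or from the Shorewall project: it parses the post's own `iptables -t nat -vnL PREROUTING` output and one of its tcpdump lines, checks on paper whether each rule's criteria cover the observed packet, and checks whether an existing conntrack entry would cause the nat table to be skipped. The conntrack line is a constructed, hypothetical sample (the post shows no conntrack state), the ingress interface is assumed to be tun0, and the membership of ipset `foo` is treated as unknown, so the second rule is reported as undecidable rather than guessed.

```python
"""Added diagnostic for a nat PREROUTING DNAT rule that shows 0 hits.

Parses `iptables -t nat -vnL PREROUTING`, one tcpdump line for the flow and
(optionally) `conntrack -L` output, then answers: does a DNAT rule cover the
packet, and does an existing conntrack entry stop nat from being consulted
(the nat table is only evaluated for the first packet of a connection)?
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the post's iptables output with each rule re-joined onto one line.
IPTABLES_NAT_PREROUTING = """\
Chain PREROUTING (policy ACCEPT 611 packets, 33855 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DNAT udp -- tun0 * 10.75.23.0/24 0.0.0.0/0 udp dpt:23768 to:10.75.22.8:5060
    0     0 DNAT udp -- tun0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:23768 match-set foo src to:10.75.22.8:5060
"""
# One tcpdump line from the post's tun0 capture.
TCPDUMP_LINE = "08:06:18.541475 IP 10.75.23.212.6060 > 10.75.22.8.23768: UDP, length 472"
# Hypothetical `conntrack -L -p udp` entry for that flow (constructed; the post shows no conntrack state).
CONNTRACK_SAMPLE = ("udp      17 25 src=10.75.23.212 dst=10.75.22.8 sport=6060 dport=23768 "
                    "[UNREPLIED] src=10.75.22.8 dst=10.75.23.212 sport=23768 dport=6060 mark=0 use=1")

VERDICT_STALE_CONNTRACK = "stale-conntrack"        # rule covers the flow, but an older conntrack entry skips nat
VERDICT_CHECK_FRESH_FLOW = "matches-check-fresh-flow"
VERDICT_NO_RULE = "no-rule-covers-packet"

@dataclass
class Packet:
    in_iface: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class NatRule:
    pkts: int
    proto: str
    in_iface: str
    source: ipaddress.IPv4Network
    dest: ipaddress.IPv4Network
    dport: Optional[int]       # from "dpt:N"
    ipset_src: Optional[str]   # from "match-set NAME src"
    to: Optional[str]          # from "to:ADDR:PORT"

# pkts bytes target prot opt in out source destination [extra matches]
RULE_RE = re.compile(r"^\s*(\d+)\s+\d+\s+\S+\s+(\S+)\s+\S+\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")
TCPDUMP_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (UDP|TCP)")
# conntrack -L: "<proto> <num> <timeout> [STATE] src=.. dst=.. sport=.. dport=.. ..." (original direction first)
CT_RE = re.compile(r"^(\w+)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_nat_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:            # chain header or column header line
            continue
        pkts, proto, in_if, src, dst, extra = m.groups()
        dport = re.search(r"dpt:(\d+)", extra)
        ipset = re.search(r"match-set (\S+) src", extra)
        to = re.search(r"to:(\S+)", extra)
        rules.append(NatRule(int(pkts), proto, in_if,
                             ipaddress.ip_network(src), ipaddress.ip_network(dst),
                             int(dport.group(1)) if dport else None,
                             ipset.group(1) if ipset else None,
                             to.group(1) if to else None))
    return rules

def parse_tcpdump(line: str, in_iface: str) -> Packet:
    m = TCPDUMP_RE.search(line)
    if not m:
        raise ValueError("not a tcpdump UDP/TCP line: " + line)
    src, sport, dst, dport, proto = m.groups()
    return Packet(in_iface, proto.lower(), src, dst, int(sport), int(dport))

def rule_matches(rule: NatRule, pkt: Packet, ipsets: dict) -> Optional[bool]:
    """True/False when decidable; None when it hinges on an ipset whose members were not supplied."""
    if rule.in_iface not in ("*", pkt.in_iface) or rule.proto not in ("all", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in rule.source or ipaddress.ip_address(pkt.dst) not in rule.dest:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.ipset_src is not None:
        members = ipsets.get(rule.ipset_src)
        if members is None:
            return None
        return any(ipaddress.ip_address(pkt.src) in ipaddress.ip_network(n) for n in members)
    return True

def conntrack_has_flow(text: str, pkt: Packet) -> bool:
    """An entry whose original tuple equals the packet means it is not NEW, so nat PREROUTING is skipped."""
    for line in text.splitlines():
        m = CT_RE.match(line)
        if m and (m.group(1), m.group(2), m.group(3), int(m.group(4)), int(m.group(5))) == \
                (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport):
            return True
    return False

def diagnose(iptables_text: str, conntrack_text: str, pkt: Packet, ipsets: Optional[dict] = None) -> dict:
    ipsets = ipsets or {}
    rules = [{"index": i, "matches": rule_matches(r, pkt, ipsets), "pkts": r.pkts, "to": r.to}
             for i, r in enumerate(parse_nat_rules(iptables_text), 1)]
    stale = conntrack_has_flow(conntrack_text, pkt)
    covered = [r for r in rules if r["matches"]]
    if covered and stale and all(r["pkts"] == 0 for r in covered):
        verdict = VERDICT_STALE_CONNTRACK
    elif covered:
        verdict = VERDICT_CHECK_FRESH_FLOW
    else:
        verdict = VERDICT_NO_RULE
    return {"rules": rules, "conntrack_entry_exists": stale, "verdict": verdict}

if __name__ == "__main__":
    packet = parse_tcpdump(TCPDUMP_LINE, "tun0")
    print(diagnose(IPTABLES_NAT_PREROUTING, CONNTRACK_SAMPLE, packet))
```

On a live box the three inputs would come from `iptables -t nat -vnL PREROUTING`, `tcpdump -ni tun0 udp port 23768` and `conntrack -L -p udp`; if the verdict is `stale-conntrack`, delete the offending entry (or let the UDP timeout expire) and watch the rule counter on the next packet. If the first rule covers the packet on paper and there is no conntrack entry, the counter should advance on a fresh flow, and the remaining suspects are the ordering of earlier nat chains rather than the rule itself.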
