On 03/27/2018 02:15 PM, Farkas Levente wrote:
> On 03/27/2018 07:15 PM, Tom Eastep wrote:
>> On 03/27/2018 10:01 AM, Farkas Levente wrote:
>>> hi,
>>> We've got an old and a new server. Each has one single public eth0
>>> interface on the net. I'd like to forward all traffic from the old
>>> server's 12345 port to the new server's 12345 port. How can I do that
>>> with shorewall (actually shorewall-lite)?
>>> I'd have to add a DNAT rule to the PREROUTING table, but if I put a DNAT
>>> rule into the rules file the result will be in the POSTROUTING table, i.e.
>>> I'm not able to put anything in PREROUTING. If I put a line into the
>>> nat file then I can't add a port.
>>> So is it possible with shorewall, or do I have to manually add iptables
>>> rules?
>>
>> DNAT entries in the rules file generate a DNAT rule in the PREROUTING
>> table and an ACCEPT rule in the filter table.
> 
> I use shorewall-5.1.11-2
> 
> In the rules file this line:
> 
> DNAT     all   net:$TEST_IP:12345   tcp     12345
> 
> generates this firewall file:
> -------------------------------
> #
> # Generated by Shorewall 5.1.11.2 - Tue Mar 27 23:01:16 CEST 2018
> #
> *raw
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A OUTPUT -p 6 --dport 12345 -j DNAT --to-destination 1.2.3.4:12345
> -------------------------------
> and there is no line in the filter table with port 12345 (or the
> number 12345 anywhere else).
> 

And I assume that your only zones are 'net' and 'fw'? If so, then that
rule is correct. Traffic originating from the firewall never goes
through the PREROUTING chain.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
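A check worth running on the generated firewall script, added here as an example and not code from the thread or from Shorewall itself: it reports which nat-table chain holds the DNAT for a port, so you can see whether connections arriving from the network will be redirected (a rule in PREROUTING) or only traffic the firewall itself originates (a rule in OUTPUT, as in the fragment quoted above). The sample scripts, the second variant and the function names are constructed for this example.

```shell
# Reports which nat-table chain(s) carry a DNAT rule for a given port in a
# Shorewall-generated firewall script (iptables-restore format, read on stdin).
# Only a rule in nat PREROUTING redirects connections arriving from the
# network; a rule in nat OUTPUT matches traffic the firewall itself originates.

# Constructed sample modelled on the fragment quoted in the thread
# (1.2.3.4 and port 12345 are the thread's own example values).
SAMPLE_FW='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p 6 --dport 12345 -j DNAT --to-destination 1.2.3.4:12345
COMMIT'

# Same sample with the DNAT placed in PREROUTING (constructed), i.e. what a
# redirect for net-originated traffic looks like.
SAMPLE_FW_INBOUND=$(printf '%s\n' "$SAMPLE_FW" | sed 's/^-A OUTPUT /-A PREROUTING /')

# dnat_chains_for_port PORT: prints one nat chain name per DNAT rule whose
# --dport equals PORT; prints nothing when no such rule exists.
dnat_chains_for_port() {
    awk -v port="$1" '
        /^\*/      { table = substr($0, 2); next }   # table header: *nat, *filter ...
        /^COMMIT$/ { table = ""; next }
        table == "nat" && $1 == "-A" {
            dport = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (target == "DNAT" && dport == port) print $2
        }'
}

# inbound_redirect_ok PORT: succeeds only if a PREROUTING DNAT exists for PORT.
inbound_redirect_ok() {
    dnat_chains_for_port "$1" | grep -qx PREROUTING
}

for fw in "$SAMPLE_FW" "$SAMPLE_FW_INBOUND"; do
    chains=$(printf '%s\n' "$fw" | dnat_chains_for_port 12345 | tr '\n' ' ')
    if printf '%s\n' "$fw" | inbound_redirect_ok 12345; then
        echo "DNAT for 12345 in: ${chains}-> inbound connections are redirected"
    else
        echo "DNAT for 12345 in: ${chains:-none }-> only firewall-originated traffic"
    fi
done
```

To check a live system rather than the generated file, feed it `iptables-save` output instead of the sample.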

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
