On 8/5/20 9:30 AM, colony.three--- via Shorewall-users wrote:
> Thank you Tom, but actually there is a DNS ACCEPT rule.
>
> I didn't make this clear enough but I am trying to dnat from net to local,
> for example incoming port 51554 to local 10.2.20.51:554 . Here are my rules:
>
> # Cameras
> ACCEPT net:10.2.1.4 $FW tcp 50554 -
> DNAT net local:10.2.20.50:554 tcp 50554 -
> ACCEPT net $FW tcp 51554 -
> DNAT net local:10.2.20.51:554 tcp 51554 -
> ACCEPT net:10.2.1.4 $FW udp 50554 -
> DNAT net local:10.2.20.50:554 udp 50554 -
> ACCEPT net:10.2.1.4 $FW udp 51554 -
> DNAT net local:10.2.20.51:554 udp 51554 -
> ACCEPT net:10.2.1.4 $FW tcp 50443 -
> DNAT net local:10.2.20.50:443 tcp 50443 -
> ACCEPT local $FW udp domain,ntp -
>
> ACCEPT net $FW tcp 51443 -
> DNAT net local:10.2.20.51:443 tcp 51443 -
>
> ACCEPT net $FW tcp 5180 -
> DNAT net local:10.2.20.51:80 tcp 5180 -
>

Again, is this a Shorewall-lite system, or are you compiling on the box
itself? If on the box itself and you are including these rules from a
directory other than /etc/shorewall/, beware of your AUTOMAKE setting.

If the directory is a subdirectory of /etc/shorewall, then you need
AUTOMAKE=no, AUTOMAKE=recursive or AUTOMAKE=n where n >= 2. If the
directory is not a sub-directory of /etc/shorewall, then you must set
AUTOMAKE=no or you must add that directory to CONFIG_PATH.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster
Shoreline,         \     with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \   can't understand
                      \________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
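
Added example, not part of the original message or of Shorewall: a small shell check that applies the AUTOMAKE and CONFIG_PATH cases from the reply above to a given rules directory. The function names, the /srv/fw-rules path and the sample settings are constructed for illustration, and CONFIG_PATH is assumed to be passed with variable references already expanded.

```shell
#!/bin/sh
# Added example (not from the thread). Encodes the AUTOMAKE / CONFIG_PATH cases
# named in the reply; all sample paths and settings used with it are constructed.

# conf_get KEY FILE: print the last KEY=value in a shorewall.conf-style file,
# with trailing whitespace and surrounding double quotes removed.
conf_get() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# automake_ok DIR AUTOMAKE CONFIG_PATH
# Returns 0 when the setting matches one of the cases in the reply, 1 otherwise.
# Assumption: CONFIG_PATH is passed with any ${VAR} references already expanded.
automake_ok() {
    dir=${1%/}
    automake=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$automake" = no ] && return 0          # AUTOMAKE=no is fine in both cases
    case "$dir" in
        /etc/shorewall) return 0 ;;           # rules not included from elsewhere
        /etc/shorewall/*)                     # subdirectory of /etc/shorewall
            case "$automake" in
                recursive) return 0 ;;
                ''|*[!0-9]*) return 1 ;;      # "yes" or anything non-numeric
                *) [ "$automake" -ge 2 ] ;;   # AUTOMAKE=n needs n >= 2
            esac ;;
        *)                                    # outside /etc/shorewall
            case ":$3:" in
                *":$dir:"*) return 0 ;;       # directory is on CONFIG_PATH
                *) return 1 ;;
            esac ;;
    esac
}

# check_conf FILE DIR: read both settings from FILE and apply automake_ok.
check_conf() {
    automake_ok "$2" "$(conf_get AUTOMAKE "$1")" "$(conf_get CONFIG_PATH "$1")"
}
```

A call such as `check_conf /etc/shorewall/shorewall.conf /etc/shorewall/cameras` exits non-zero when the settings fall outside the cases listed in the reply.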