Hi,
I'm trying to set up a DNAT which forwards requests originally directed to
127.0.0.1:8404 to 10.1.3.253:8404.
/etc/shorewall/zones:
#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
lan ipv4
/etc/shorewall/interfaces:
###############################################################################
#ZONE INTERFACE OPTIONS
lan ens18 tcpflags,logmartians,nosmurfs,sourceroute=0,physical=ens18
/etc/shorewall/policy:
###############################################################################
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
$FW lan ACCEPT
lan all ACCEPT $LOG_LEVEL
# The FOLLOWING POLICY MUST BE LAST
all all REJECT $LOG_LEVEL
/etc/shorewall/rules:
###############################################################################
#ACTION SOURCE DEST PROTO DEST_PORT(S) SOURCE_PORT(S) ORIGINAL_DEST RATE_LIMIT USER/GROUP MARK CONNLIMIT TIME HEADERS
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# Drop packets in the INVALID state
Invalid(DROP) lan $FW tcp
# Drop Ping from the "bad" lan zone.. and prevent your log from being flooded..
Ping(DROP) lan $FW
# Permit all ICMP traffic FROM the firewall TO the lan zone
ACCEPT $FW lan icmp
DNAT $FW:127.0.0.1 lan:10.1.3.253:8404 tcp 8404
===================================================================
Check and start works good:
root@log:/etc/shorewall# shorewall check
Checking using Shorewall 5.2.3.2...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Adding Anti-smurf Rules
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking Accept Source Routing...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
Checking /etc/shorewall/conntrack...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Shorewall configuration verified
root@log:/etc/shorewall#
root@log:/etc/shorewall# shorewall start
Starting Shorewall....
Initializing...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
done.
root@log:/etc/shorewall# shorewall status
Shorewall-5.2.3.2 Status at log - Thu 02 Dec 2021 07:08:14 PM CET
Shorewall is running
State:Started Thu 02 Dec 2021 07:08:05 PM CET from /etc/shorewall/
(/var/lib/shorewall/firewall compiled Thu 02 Dec 2021 06:35:26 PM CET by Shorewall version 5.2.3.2)
Unfortunately the port forwarding does not work:
root@log:/etc/shorewall# telnet 127.0.0.1 8404
Trying 127.0.0.1...
(telnet hangs with no response)
Could you help me to understand where I'm wrong, please?
Thank you very much!
Bye
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
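Added example, not part of the post above and not Shorewall's own code. A DNAT with SOURCE $FW lands in the nat OUTPUT chain, so it does catch the locally generated connection to 127.0.0.1:8404, but the rewritten packet still carries 127.0.0.1 as its source. Two things the posted configuration does not show are needed for that to work: route_localnet=1 on the egress interface (the kernel will not route a 127.0.0.0/8 source out of a non-loopback device, and it treats the un-NATed reply to 127.0.0.1 arriving on ens18 as a martian), and an SNAT/MASQUERADE in POSTROUTING so 10.1.3.253 answers to a routable address. The script below audits an `iptables-save -t nat` dump plus the route_localnet sysctls for exactly that shape and reports whichever companion is missing. The two embedded dumps are constructed and simplified (the real Shorewall dump uses its own sub-chains, which iptables-save still prints as -A lines); the egress interface name ens18 and the target 10.1.3.253:8404 are taken from the post, everything else is an assumption.

```python
"""Audit an `iptables-save -t nat` dump for a DNAT in the OUTPUT chain that
sends loopback-destined traffic to another host, and report the two companion
settings such a rule needs: route_localnet=1 on the egress interface and an
SNAT/MASQUERADE in POSTROUTING.  Added example; not Shorewall code."""

import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Options whose value is the next token on an iptables-save "-A" line.
VALUED = {"-s", "-d", "-p", "-i", "-o", "-j", "-m", "--dport", "--sport",
          "--to-destination", "--to-source"}


@dataclass
class Rule:
    chain: str
    opts: Dict[str, str]

    def get(self, key: str) -> str:
        return self.opts.get(key, "")


def strip_mask(addr: str) -> str:
    return addr.split("/")[0]


def is_loopback(addr: str) -> bool:
    return strip_mask(addr).startswith("127.")


def parse_nat_dump(text: str) -> List[Rule]:
    """Parse the '-A CHAIN ...' lines of an iptables-save nat table.  A negated
    match ('! -d x') is stored under the key '!-d' so it never satisfies a
    positive check below."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 2 or toks[0] != "-A":
            continue
        opts: Dict[str, str] = {}
        i = 2
        while i < len(toks):
            if toks[i] == "!" and i + 2 < len(toks):
                opts["!" + toks[i + 1]] = toks[i + 2]
                i += 3
            elif toks[i] in VALUED and i + 1 < len(toks):
                opts.setdefault(toks[i], toks[i + 1])
                i += 2
            else:
                i += 1
        rules.append(Rule(toks[1], opts))
    return rules


def audit(nat_dump: str, sysctl: Dict[str, str], egress: str) -> List[Tuple[str, List[str]]]:
    """Return (rule summary, problems) for each OUTPUT-chain DNAT of loopback
    traffic to a non-loopback target that lacks a companion setting.  An empty
    list means there is no such rule or every one of them is complete."""
    rules = parse_nat_dump(nat_dump)
    # route_localnet is per interface; the "all" setting is OR-ed in by the kernel.
    localnet_ok = (sysctl.get("net.ipv4.conf.all.route_localnet") == "1"
                   or sysctl.get(f"net.ipv4.conf.{egress}.route_localnet") == "1")
    report = []
    for r in rules:
        if r.chain != "OUTPUT" or r.get("-j") != "DNAT":
            continue
        dst = r.get("-d")
        # A locally generated packet to 127.0.0.1 also has 127.0.0.1 as its
        # source, so a rule matching only -s 127.0.0.1 (as the posted one does,
        # having no ORIGINAL DEST column) still catches it.
        if not (is_loopback(dst) or (dst == "" and is_loopback(r.get("-s")))):
            continue
        target = r.get("--to-destination").split(":")[0]
        if is_loopback(target):
            continue  # loopback to loopback needs neither companion
        problems = []
        has_snat = any(
            s.chain == "POSTROUTING" and s.get("-j") in ("SNAT", "MASQUERADE")
            and (s.get("-d") == "" or strip_mask(s.get("-d")) == target)
            and (s.get("-o") == "" or s.get("-o") == egress)
            for s in rules)
        if not has_snat:
            problems.append(f"no SNAT/MASQUERADE in POSTROUTING for {target}: the "
                            f"packet leaves with source 127.0.0.1 and {target} cannot reply")
        if not localnet_ok:
            problems.append(f"route_localnet is 0 for {egress}: the kernel will not route "
                            "a 127.0.0.0/8 source out of it, nor accept the reply to it")
        if problems:
            report.append((f"-A OUTPUT ... -j DNAT --to-destination "
                           f"{r.get('--to-destination')}", problems))
    return report


# Constructed, simplified dumps (not from the post).  The first approximates
# what the posted DNAT rule alone produces; the second adds the MASQUERADE.
POSTED_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8404 -j DNAT --to-destination 10.1.3.253:8404
COMMIT
"""
FIXED_DUMP = POSTED_DUMP.replace(
    "COMMIT",
    "-A POSTROUTING -d 10.1.3.253/32 -o ens18 -p tcp -m tcp --dport 8404 -j MASQUERADE\nCOMMIT")
POSTED_SYSCTL = {"net.ipv4.conf.all.route_localnet": "0",
                 "net.ipv4.conf.ens18.route_localnet": "0"}
FIXED_SYSCTL = dict(POSTED_SYSCTL, **{"net.ipv4.conf.ens18.route_localnet": "1"})


def read_sysctl(egress: str) -> Dict[str, str]:
    """Read the two route_localnet values from /proc (Linux only)."""
    out = {}
    for dev in ("all", egress):
        try:
            with open(f"/proc/sys/net/ipv4/conf/{dev}/route_localnet") as f:
                out[f"net.ipv4.conf.{dev}.route_localnet"] = f.read().strip()
        except OSError:
            pass
    return out


if __name__ == "__main__":
    # Usage: iptables-save -t nat | python3 audit_localhost_dnat.py ens18
    egress = sys.argv[1] if len(sys.argv) > 1 else "ens18"
    live = not sys.stdin.isatty()
    dump = sys.stdin.read() if live else POSTED_DUMP
    findings = audit(dump, read_sysctl(egress) if live else POSTED_SYSCTL, egress)
    for rule, problems in findings:
        print(rule)
        for p in problems:
            print("  -", p)
    if not findings:
        print("no incomplete loopback DNAT found")
```

On the live box run it as `iptables-save -t nat | python3 audit_localhost_dnat.py ens18`. The raw iptables equivalents of the two companions it looks for are `sysctl -w net.ipv4.conf.ens18.route_localnet=1` and `iptables -t nat -A POSTROUTING -o ens18 -d 10.1.3.253 -p tcp --dport 8404 -j MASQUERADE`; in Shorewall the masquerade belongs in /etc/shorewall/snat and the sysctl in a start-time extension script, with the exact column layout checked against the shorewall-snat(5) man page rather than taken from here.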