Discussion:
[Shorewall-users] Howto redirect external ip:port to internal ip:port
Dario Lesca
2002-03-05 13:13:29 UTC
Hi!

I use Shorewall 1.2.8 and I want to configure this:

I have one public IP 1.2.3.4 on eth1 and internal network 10.1.1.0/24 on
eth0

How do I do this?

1) redirect all requests on 1.2.3.4:80
to internal server 10.1.1.1:80

2) redirect all requests on 1.2.3.4:81
to internal server 10.1.1.2:80

3) redirect requests only from external net 4.3.2.0/24 on external IP
1.2.3.4:21,
to internal server 10.1.1.3:21

Please, could someone show me how to do this using the Shorewall configuration files?

Many thanks ... and sorry for my bad English, I am Italian.

-------
Dario Lesca (***@ivrea.osra.it)
Scott Merrill
2002-03-05 14:20:46 UTC
Post by Dario Lesca
Hi!
Hi!
Post by Dario Lesca
1) redirect all request on 1.2.3.4:80
to internal server 10.1.1.1:80
2) redirect all request on 1.2.3.4:81
to internal server 10.1.1.2:80
3) redirect request only from external net 4.3.2.0/24 on external ip
1.2.3.4:21,
to internal server 10.1.1.3:21
/etc/shorewall/rules should contain something like this:
# redirect incoming http requests to internal web server:
ACCEPT net loc:10.1.1.1:80 tcp 80 - 1.2.3.4
ACCEPT net loc:10.1.1.2:80 tcp 81 - 1.2.3.4
#
# redirect incoming ftp from 4.3.2.0/24 to internal ftp server
ACCEPT net:4.3.2.0/24 loc:10.1.1.3:21 tcp 21 - 1.2.3.4
#
Dario Lesca
2002-03-05 14:38:58 UTC
----- Original Message -----
Post by Scott Merrill
ACCEPT net loc:10.1.1.1:80 tcp 80 - 1.2.3.4
ACCEPT net loc:10.1.1.2:80 tcp 81 - 1.2.3.4
Thank you! Probably this is the correct solution.

Now I will test it!

Many thanks to all

-------
Dario Lesca (***@ivrea.osra.it)
Dario Lesca
2002-03-05 14:30:25 UTC
----- Original Message -----
Ciao Dario,
It looks like you need simple masquerading and port forwarding. Here
is how
#INTERFACE SUBNET
eth1 10.1.1.0/24
The firewall must be the default gateway for this to work, then your
## for web you will need
ACCEPT net local:10.1.1.1 tcp 80 - all
ACCEPT net local:10.1.1.2 tcp 81 - all
change the config for 10.1.1.2 to listen on port 81 instead of port 80 for
this to work
it also makes it easier to troubleshoot
Thank you for the fast response, but unfortunately, for many reasons,
I can't change the listen port on 10.1.1.2 (I use 81 to simplify, but it is
another)
so: from an Internet IP to 1.2.3.4:81, I must port forward to internal
10.1.1.2:80

I hoped that Shorewall would do this for me (iptables can do it).

... any suggestions?

Many thanks

Dario Lesca (***@ivrea.osra.it)
Paul Gear
2002-03-05 20:15:49 UTC
Post by Dario Lesca
...
Thank you for the fast response, but unfortunately, for many reasons,
I can't change the listen port on 10.1.1.2 (I use 81 to simplify, but it is
another)
so: from an Internet IP to 1.2.3.4:81, I must port forward to internal
10.1.1.2:80
I hoped that Shorewall would do this for me (iptables can do it).
... any suggestions?
There are detailed instructions about this in the shorewall documentation. In
fact, it's FAQ #1. Check out http://shorewall.net/FAQ.htm#faq1.

Paul
http://paulgear.webhop.net

Cowles, Steve
2002-03-05 14:28:38 UTC
-----Original Message-----
Sent: Tuesday, March 05, 2002 7:13 AM
To: Shorewall Firewall
Subject: [Shorewall-users] Howto redirect external ip:port to internal
ip:port
Hi!
I have one public IP 1.2.3.4 on eth1 and internal network
10.1.1.0/24 on eth0
1) redirect all request on 1.2.3.4:80
to internal server 10.1.1.1:80
This example is the first one listed in your /etc/shorewall/rules...
ACCEPT net loc:10.1.1.1 tcp www - all
2) redirect all request on 1.2.3.4:81
to internal server 10.1.1.2:80
ACCEPT net loc:10.1.1.2:80 tcp 81 - all
3) redirect request only from external net 4.3.2.0/24 on external ip
1.2.3.4:21, to internal server 10.1.1.3:21
I haven't tried this, but I think I'm close...
ACCEPT net:4.3.2.0/24 loc:10.1.1.3 tcp ftp - all

You can always change the "all" to your external ip address (1.2.3.4), but
since you only have one external ip, I don't believe it necessary.

Steve Cowles
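
For reference, the kind of netfilter rules that the three forwards asked about in this thread correspond to, as an added example that is not part of the original thread and not Shorewall's generated ruleset. It assumes eth1 is the external and eth0 the internal interface, as in the original question; `forward_rules` and `all_rules` are hypothetical helper names, and the script only prints the commands.

```shell
#!/bin/sh
# Added illustration: prints (does not run) iptables commands for the
# three port forwards asked about in the thread.
# Assumption: interfaces and addresses are those given in the question.
EXT_IF=eth1
INT_IF=eth0
EXT_IP=1.2.3.4

# forward_rules SRC EXT_PORT INT_IP INT_PORT   (hypothetical helper)
# SRC is a source network, or "any" for no source restriction.
forward_rules() {
    src=$1; ext_port=$2; int_ip=$3; int_port=$4
    match=""
    [ "$src" = "any" ] || match=" -s $src"
    # nat/PREROUTING rewrites the destination before the routing decision.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF$match -d $EXT_IP -p tcp --dport $ext_port -j DNAT --to-destination $int_ip:$int_port"
    # filter/FORWARD sees the packet after DNAT, so it must match the
    # internal address and port (10.1.1.2:80, not port 81).
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF$match -d $int_ip -p tcp --dport $int_port -m state --state NEW -j ACCEPT"
}

all_rules() {
    forward_rules any        80 10.1.1.1 80
    forward_rules any        81 10.1.1.2 80
    forward_rules 4.3.2.0/24 21 10.1.1.3 21
    # Replies to forwarded connections; RELATED covers FTP data
    # connections only when the FTP conntrack helper is loaded.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

all_rules
```

Comparing the printed rules with the output of `iptables -t nat -L -n -v` on the firewall is a quick way to check that a port remap or source restriction took effect as intended.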