On 06/14/2018 08:24 AM, Igor Sverkos wrote:
> Hi,
>
> I have a firewall host which has multiple IP addresses, i.e.
>
> - 1.2.3.4
> - 1.2.3.5
> - 1.2.3.6
>
> I have different applications listening on the same port 80 on IP 1.2.3.4
> and 1.2.3.6.
>
> To access port 80 on these IPs, I have two ACCEPT rules like
>
> ACCEPT(MyApp) net $FW:1.2.3.4
> ACCEPT(MyApp2) net $FW:1.2.3.6
>
> "MyApp" or "MyApp2" is a simple macro containing just
>
>> PARAM - - tcp 80
>
> I now need to open MyApp2 on port 3080 in addition to port 80.
> However, I cannot tell the application to listen on both ports
> (the application can only bind to one port) so I want to use a REDIRECT
> rule. But how do I do that?
>
> A simple
>
>> REDIRECT net $FW:1.2.3.6:80 tcp 3080
>
> doesn't work (looks like I cannot specify an IP address in REDIRECT
> rules, but plain iptables should support that, no?).
>
> But even without the IP address, i.e. like
>
>> REDIRECT net $FW::80 tcp 3080
>
> it doesn't work. A "telnet 1.2.3.6 3080" doesn't end up in the REJECT
> (my default policy) like without the rule, and I see
>
>> Chain PREROUTING (policy ACCEPT 177 packets, 8611 bytes)
>> pkts bytes target   prot opt in   out source    destination
>>    9  456 REDIRECT tcp  --  eth0 *   0.0.0.0/0 0.0.0.0/0   tcp dpt:3080 redir ports 80
>
> but the application listening on 1.2.3.6:80 didn't get the connection.
>
> How can I get this working? It is important that 3080 should only be
> opened on IP 1.2.3.6 and should redirect to 1.2.3.6:80 on the same
> host...
Use DNAT rather than REDIRECT:

DNAT net $FW:1.2.3.6:80 tcp 3080 - 1.2.3.6

-Tom
-- 
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,            \    an international standard?
Washington, USA       \ A: Someone who makes you an offer you can't
http://shorewall.org  \    understand
\_______________________________________________
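The full set of rules-file entries for this setup, as an added example that is not part of the thread (the column headers follow the Shorewall rules file; the ORIGDEST column is what restricts the redirect to connections that arrived for 1.2.3.6):

```text
#ACTION         SOURCE  DEST              PROTO  DPORT  SPORT  ORIGDEST
# Existing rules: each application reachable on port 80 of its own address
# (the MyApp/MyApp2 macros supply "tcp 80" via PARAM).
ACCEPT(MyApp)   net     $FW:1.2.3.4
ACCEPT(MyApp2)  net     $FW:1.2.3.6
# New rule: only packets whose original destination was 1.2.3.6:3080
# (ORIGDEST = 1.2.3.6) are rewritten to 1.2.3.6:80. DNAT (as opposed to
# DNAT-) also generates the matching filter ACCEPT, so no separate ACCEPT
# rule for port 3080 is needed. REDIRECT was the wrong tool here because
# the netfilter REDIRECT target rewrites the destination to the primary
# address of the incoming interface, which on a multi-address host is not
# necessarily 1.2.3.6.
DNAT            net     $FW:1.2.3.6:80    tcp    3080   -      1.2.3.6
```

After `shorewall restart`, `shorewall show nat` should list the DNAT entry with `dst 1.2.3.6` and `tcp dpt:3080`, rather than the catch-all `0.0.0.0/0` REDIRECT seen above.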
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users