On Thu, Jun 14, 2018 at 11:16:16AM -0700, Tom Eastep wrote:
> On 06/14/2018 08:24 AM, Igor Sverkos wrote:
> > Hi,
> > 
> > I have a firewall host which has multiple IP addresses, i.e.
> > 
> > - 1.2.3.4
> > - 1.2.3.5
> > - 1.2.3.6
> > 
> > I have different applications listening on same port 80 on IP 1.2.3.4
> > and 1.2.3.6.
> > 
> > To access port 80 on these IPs, I have two ACCEPT rules like
> > 
> > ACCEPT(MyApp) net $FW:1.2.3.4
> > ACCEPT(MyApp2) net $FW:1.2.3.6
> > 
> > "MyApp" or "MyApp2" is a simple macro containing just
> > 
> >> PARAM   -       -       tcp     80
> > 
> > I now need to open MyApp2 on port 3080 in addition to port 80.
> > However, I cannot tell the application to listen on both ports
> > (application can only bind to one port) so I want to use a REDIRECT
> > rule. But how do I do that?
> > 
> > A simple
> > 
> >> REDIRECT        net             $FW:1.2.3.6:80              tcp     3080
> > 
> > doesn't work (looks like I cannot specify an IP address in REDIRECT
> > rules but plain iptables should support that, not?).
> > 
> > But even without the ip address, i.e. like
> > 
> >> REDIRECT        net             $FW::80              tcp     3080
> > 
> > it doesn't work. A "telnet 1.2.3.6 3080" doesn't end up in the REJECT
> > (my default policy) like without the rule and I see
> > 
> >> Chain PREROUTING (policy ACCEPT 177 packets, 8611 bytes)
> >>  pkts bytes target     prot opt in     out     source               destination
> >>     9   456 REDIRECT   tcp  --  eth0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3080 redir ports 80
> > 
> > but the application listening on 1.2.3.6:80 didn't get a connection.
> > 
> > How can I get this working? It is important that 3080 should only be
> > opened on IP 1.2.3.6 and should redirect to 1.2.3.6:80 on the same
> > host...
> > 
> 
> Use DNAT rather than REDIRECT
> 
> DNAT  net     $FW:1.2.3.6:80  tcp     3080    -       1.2.3.6

Would it work to have a rule that only applies for traffic to 1.2.3.6
that redirects port 3080 to port 80?

-- 
Len Sorensen
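To see why the REDIRECT attempt in the thread never reached MyApp2, here is an added Python model of the two nat PREROUTING rules; it is not Shorewall's or netfilter's code. It assumes 1.2.3.4 is the primary address of eth0 (1.2.3.5 and 1.2.3.6 being secondaries), because netfilter's REDIRECT target rewrites the destination to the primary address of the incoming interface, whereas DNAT rewrites to the address named in the rule and can be limited to packets originally addressed to 1.2.3.6.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed assumption: 1.2.3.4 is the primary address of eth0, with
# 1.2.3.5 and 1.2.3.6 as secondary addresses on the same interface.
PRIMARY_ADDR = {"eth0": "1.2.3.4"}

@dataclass(frozen=True)
class Packet:
    in_iface: str
    dst: str
    dport: int

@dataclass(frozen=True)
class NatRule:
    in_iface: str                  # incoming interface ("*" = any)
    orig_dst: str                  # original-destination match, CIDR ("0.0.0.0/0" = any)
    dport: int                     # destination port match
    target: str                    # "REDIRECT" or "DNAT"
    to_port: int                   # new destination port
    to_addr: Optional[str] = None  # DNAT only: new destination address

    def matches(self, p: Packet) -> bool:
        return (self.in_iface in ("*", p.in_iface)
                and ip_address(p.dst) in ip_network(self.orig_dst)
                and p.dport == self.dport)

    def apply(self, p: Packet) -> Packet:
        if self.target == "REDIRECT":
            # netfilter REDIRECT: destination becomes the primary address of the
            # interface the packet arrived on, so 1.2.3.6:3080 turns into 1.2.3.4:80
            return replace(p, dst=PRIMARY_ADDR[p.in_iface], dport=self.to_port)
        return replace(p, dst=self.to_addr, dport=self.to_port)

def prerouting(chain: List[NatRule], p: Packet) -> Packet:
    """First matching rule in the nat PREROUTING chain wins; otherwise unchanged."""
    for rule in chain:
        if rule.matches(p):
            return rule.apply(p)
    return p

# The chain "REDIRECT net $FW::80 tcp 3080" produced (per the counters quoted above):
# every address on eth0 is matched, and the destination is rewritten to the primary one
REDIRECT_CHAIN = [NatRule("eth0", "0.0.0.0/0", 3080, "REDIRECT", 80)]
# What "DNAT net $FW:1.2.3.6:80 tcp 3080 - 1.2.3.6" expresses (assumed translation):
# only packets originally addressed to 1.2.3.6:3080 are rewritten, to 1.2.3.6:80
DNAT_CHAIN = [NatRule("eth0", "1.2.3.6/32", 3080, "DNAT", 80, to_addr="1.2.3.6")]

def where_does_it_land(chain: List[NatRule], dst: str, dport: int = 3080) -> tuple:
    p = prerouting(chain, Packet("eth0", dst, dport))
    return (p.dst, p.dport)
```

With the DNAT chain a connection to 1.2.3.4:3080 is left untouched and falls through to the REJECT policy, which is the "only on 1.2.3.6" behaviour the original post asked for.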

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users