On 06/14/2018 11:52 AM, Lennart Sorensen wrote:
> On Thu, Jun 14, 2018 at 11:16:16AM -0700, Tom Eastep wrote:
>> On 06/14/2018 08:24 AM, Igor Sverkos wrote:
>>> Hi,
>>>
>>> I have a firewall host which has multiple IP addresses, i.e.
>>>
>>> - 1.2.3.4
>>> - 1.2.3.5
>>> - 1.2.3.6
>>>
>>> I have different applications listening on same port 80 on IP 1.2.3.4
>>> and 1.2.3.6.
>>>
>>> To access port 80 on these IPs, I have two ACCEPT rules like
>>>
>>> ACCEPT(MyApp) net $FW:1.2.3.4
>>> ACCEPT(MyApp2) net $FW:1.2.3.6
>>>
>>> "MyApp" or "MyApp2" is a simple macro containing just
>>>
>>>> PARAM - - tcp 80
>>>
>>> I now need to open MyApp2 on port 3080 in addition to port 80.
>>> However, I cannot tell the application to listen on both ports
>>> (application can only bind to one port) so I want to use a REDIRECT
>>> rule. But how do I do that?
>>>
>>> A simple
>>>
>>>> REDIRECT net $FW:1.2.3.6:80 tcp 3080
>>>
>>> doesn't work (looks like I cannot specify an IP address in REDIRECT
>>> rules but plain iptables should support that, not?).
>>>
>>> But even without the ip address, i.e. like
>>>
>>>> REDIRECT net $FW::80 tcp 3080
>>>
>>> it doesn't work. A "telnet 1.2.3.6 3080" doesn't end up in the REJECT
>>> (my default policy) like without the rule and I see
>>>
>>>> Chain PREROUTING (policy ACCEPT 177 packets, 8611 bytes)
>>>> pkts bytes target prot opt in out source destination
>>>> 9 456 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3080 redir ports 80
>>>
>>> but the application listening on port 1.2.3.6:80 didn't get connection.
>>>
>>> How can I get this working? It is important that 3080 should only be
>>> opened on IP 1.2.3.6 and should redirect to 1.2.3.6:80 on the same
>>> host...
>>>
>>
>> Use DNAT rather than REDIRECT
>>
>> DNAT net $FW:1.2.3.6:80 tcp 3080 - 1.2.3.6
>
> Would it work to have a rule that only applies for traffic to 1.2.3.6
> that redirects port 3080 to port 80?
>

The above rule does that.

-Tom

--
Tom Eastep              \   Q: What do you get when you cross a mobster with
Shoreline,               \     an international standard?
Washington, USA          \   A: Someone who makes you an offer you can't
http://shorewall.org     \     understand
 \_______________________________________________
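As an added illustration (not from the thread and not Shorewall's or netfilter's code), the following Python model of the nat PREROUTING step shows why the poster's REDIRECT rule cannot reach the listener on 1.2.3.6:80 on a host with several addresses, while the DNAT rule from the reply can. It encodes the REDIRECT target's documented behaviour of rewriting the destination to the primary address of the incoming interface, and DNAT's of rewriting to the address and port named in the rule. The host layout (eth0 carrying the three addresses, 1.2.3.4 assumed to be its primary address, MyApp on 1.2.3.4:80 and MyApp2 on 1.2.3.6:80) is constructed from the thread; the `Packet`, `NatRule`, `apply_chain` and `deliver` names are mine. The `REDIRECT_WITH_MATCH` rule set goes one step beyond the thread: it models the plain-iptables form with a `-d 1.2.3.6` match that Shorewall's REDIRECT DEST column would not accept, to show that narrowing the match does not change where REDIRECT sends the packet.

```python
# Added example (not from the thread, not Shorewall's code): a simplified
# model of nat PREROUTING showing why REDIRECT cannot deliver 1.2.3.6:3080
# to the listener on 1.2.3.6:80 on a multi-address host, while the DNAT
# rule from the reply can. Host layout and listeners are constructed.
from dataclasses import dataclass, replace
from typing import Optional

# Constructed layout: eth0 carries all three addresses; assumption: 1.2.3.4
# is the interface's primary address (the one REDIRECT rewrites to).
PRIMARY_ADDR = {"eth0": "1.2.3.4"}
LISTENERS = {("1.2.3.4", 80): "MyApp", ("1.2.3.6", 80): "MyApp2"}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    target: str                      # "REDIRECT" or "DNAT"
    proto: str
    dport: int
    orig_dst: Optional[str] = None   # match on original destination (Shorewall ORIGDEST)
    to_dst: Optional[str] = None     # DNAT only: new destination address
    to_port: Optional[int] = None    # new destination port


def matches(rule: NatRule, pkt: Packet) -> bool:
    """Protocol and destination port must match; ORIGDEST is optional."""
    if rule.proto != pkt.proto or rule.dport != pkt.dport:
        return False
    return rule.orig_dst is None or rule.orig_dst == pkt.dst


def apply_chain(rules, pkt: Packet) -> Packet:
    """First matching nat rule rewrites the packet; no match leaves it untouched."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.target == "REDIRECT":
            # REDIRECT ignores the packet's own address: the new destination is
            # always the primary address of the interface the packet arrived on.
            new_dst = PRIMARY_ADDR[pkt.in_iface]
        elif rule.target == "DNAT":
            new_dst = rule.to_dst if rule.to_dst is not None else pkt.dst
        else:
            raise ValueError(f"unknown target {rule.target}")
        new_port = rule.to_port if rule.to_port is not None else pkt.dport
        return replace(pkt, dst=new_dst, dport=new_port)
    return pkt


def deliver(rules, pkt: Packet):
    """Return (final dst, final dport, listener name or None) after nat PREROUTING."""
    out = apply_chain(rules, pkt)
    return out.dst, out.dport, LISTENERS.get((out.dst, out.dport))


# The poster's second attempt: REDIRECT net $FW::80 tcp 3080
REDIRECT_RULES = [NatRule("REDIRECT", "tcp", 3080, to_port=80)]
# Hypothetical plain-iptables form (-d 1.2.3.6 -j REDIRECT --to-ports 80):
# the match is narrower, but the rewrite target is still the primary address.
REDIRECT_WITH_MATCH = [NatRule("REDIRECT", "tcp", 3080, orig_dst="1.2.3.6", to_port=80)]
# The reply's rule: DNAT net $FW:1.2.3.6:80 tcp 3080 - 1.2.3.6
DNAT_RULES = [NatRule("DNAT", "tcp", 3080, orig_dst="1.2.3.6", to_dst="1.2.3.6", to_port=80)]

if __name__ == "__main__":
    probe = Packet("eth0", "tcp", "1.2.3.6", 3080)    # telnet 1.2.3.6 3080
    for name, rules in [("REDIRECT", REDIRECT_RULES),
                        ("REDIRECT + -d match", REDIRECT_WITH_MATCH),
                        ("DNAT", DNAT_RULES)]:
        print(f"{name:22s} -> {deliver(rules, probe)}")
    # Under the DNAT rule, 3080 stays untouched on the other addresses.
    print("DNAT, 1.2.3.4:3080     ->",
          deliver(DNAT_RULES, Packet("eth0", "tcp", "1.2.3.4", 3080)))
```

The model covers only the nat step: the filter-table ACCEPT rules are not represented, so it answers "which socket would this connection land on", not whether the filter chain then admits it. Under both REDIRECT variants the probe to 1.2.3.6:3080 ends at 1.2.3.4:80, which is MyApp rather than MyApp2; under the DNAT rule it ends at 1.2.3.6:80, and a probe to 1.2.3.4:3080 is left alone, which is the "3080 only on 1.2.3.6" property the poster asked for.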
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users