On 05/04/2023 at 08:43, Tuomo Soini wrote:
> REDIRECT does not change destination ip - you
> need to change your software to listen all ip addresses for redirect to
> work. DNAT is the way if you need to change destination ip.
I can't change the software unfortunately.
I tried this rule:

DNAT:INFO:mqtt          loc     $FW::1883               tcp 1883    -       &enp4s0

But that's basically a REDIRECT and does not work for a service bound to 127.0.0.1.
So I tried this rule:

DNAT:INFO:mqtt          loc     $FW:127.0.0.1:1883 tcp     1883    -       &enp4s0

And it gives me the "martian sources" error that I already mentioned.
I also tried this rule:

DNAT:INFO:mqtt          loc     lo::1883               tcp 1883    -       &enp4s0

But it gives me "unknown zone", so I defined it in the "zones" file like this:
lo              loopback

But this got me these messages:
WARNING: *** lo is an EMPTY ZONE *** /etc/shorewall/hosts (EOF)
ERROR: Rules may not override a NONE policy /etc/shorewall/rules

Fair enough, I went into interfaces and added this:
lo              lo                      loopback

No more warning, but still the same error that a rule cannot override a NONE policy. And I'm back to square one where I cannot find which NONE policy applies because I have no such thing in the policy file.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
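As an added illustration (not code from the thread or from Shorewall itself): a small Python parser for the DEST column of the three DNAT rules tried above, predicting why each one fails for a daemon bound only to 127.0.0.1. Assumed: the zone set {$FW, loc} as it stood before "lo" was added; the martian-drop behaviour and the net.ipv4.conf.<if>.route_localnet sysctl are standard Linux kernel behaviour, not anything Shorewall-specific.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed copies of the three rules tried in the thread (whitespace normalised).
RULES = """
DNAT:INFO:mqtt   loc   $FW::1883            tcp  1883  -  &enp4s0
DNAT:INFO:mqtt   loc   $FW:127.0.0.1:1883   tcp  1883  -  &enp4s0
DNAT:INFO:mqtt   loc   lo::1883             tcp  1883  -  &enp4s0
"""

# Assumed zone set: the thread's /etc/shorewall/zones before "lo" was added.
KNOWN_ZONES = {"$FW", "loc"}


@dataclass
class DnatRule:
    action: str
    source: str
    dest_zone: str
    dest_addr: Optional[str]   # None = keep the original destination IP (REDIRECT-like)
    dest_port: Optional[str]   # None = keep the original destination port
    proto: str
    dport: str


def parse_dnat(line: str) -> DnatRule:
    """Split a rules-file line: ACTION SOURCE DEST PROTO DPORT [SPORT ORIGDEST].
    DEST is zone[:address][:port]; an empty middle field means 'no address'."""
    action, source, dest, proto, dport = line.split()[:5]
    zone, addr, port = (dest.split(":") + [None, None])[:3]
    return DnatRule(action.split(":")[0], source, zone, addr or None, port or None, proto, dport)


def classify(rule: DnatRule, zones=KNOWN_ZONES) -> str:
    """Predict the outcome of a DNAT rule for a daemon bound only to 127.0.0.1."""
    if rule.dest_zone not in zones:
        return "unknown zone"          # Shorewall rejects the rule at compile time
    if rule.dest_addr is None:
        return "redirect"              # destination IP unchanged; a 127.0.0.1 listener never sees it
    if ip_address(rule.dest_addr).is_loopback and rule.source != "lo":
        # A packet that arrived on a real NIC but now carries a 127.0.0.0/8 destination
        # is a martian; the kernel drops it unless net.ipv4.conf.<if>.route_localnet=1.
        return "martian-without-route_localnet"
    return "dnat"


def audit(text: str = RULES) -> dict:
    """Map each rule's DEST column to its predicted outcome."""
    return {r.split()[2]: classify(parse_dnat(r)) for r in text.strip().splitlines()}
```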