On 05/04/2023 at 08:43, Tuomo Soini wrote:
> REDIRECT does not change destination ip - you
> need to change your software to listen all ip addresses for redirect to
> work. DNAT is the way if you need to change destination ip.
I can't change the software unfortunately.
I tried this rule:
DNAT:INFO:mqtt loc $FW::1883 tcp 1883 - &enp4s0
But that's basically a REDIRECT and does not work for a service bound to
127.0.0.1
So I tried this rule:
DNAT:INFO:mqtt loc $FW:127.0.0.1:1883 tcp 1883 - &enp4s0
And it gives me the "martian sources" error that I already mentioned
I also tried this rule:
DNAT:INFO:mqtt loc lo::1883 tcp 1883 - &enp4s0
But it gives me "unknown zone", so I defined it in the "zones" file like
this:
lo loopback
But this got me these messages:
WARNING: *** lo is an EMPTY ZONE *** /etc/shorewall/hosts (EOF)
ERROR: Rules may not override a NONE policy /etc/shorewall/rules
Fair enough, I went into interfaces and added this:
lo lo loopback
No more warning, but still the same error that a rule cannot override a
NONE policy.
And I'm back to square one where I cannot find which NONE policy applies
because I have no such thing in the policy file.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
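The three rules above differ only in the DEST column, which for a Shorewall DNAT rule has the layout zone:address:port. The small script below is an added example (not from the message, nor from Shorewall itself) that parses that column and sorts each rule into the cases the thread touches on: an empty address field, which only rewrites the port and therefore behaves like REDIRECT; a loopback address, which the kernel will only accept as a DNAT target from another interface when net.ipv4.conf.<iface>.route_localnet is enabled; and an ordinary DNAT to a routable address. The rule-column order (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST) follows the Shorewall rules file; the category names and the fourth sample rule are constructed for illustration.

```python
import ipaddress

# Constructed sample: the three rules from the message plus one ordinary DNAT.
SAMPLE_RULES = [
    "DNAT:INFO:mqtt loc $FW::1883 tcp 1883 - &enp4s0",
    "DNAT:INFO:mqtt loc $FW:127.0.0.1:1883 tcp 1883 - &enp4s0",
    "DNAT:INFO:mqtt loc lo::1883 tcp 1883 - &enp4s0",
    "DNAT net loc:192.0.2.10:80 tcp 80",          # constructed, RFC 5737 address
]


def parse_dnat_dest(dest):
    """Split a Shorewall DNAT DEST column 'zone:address:port' into its parts.

    Empty fields come back as None ('$FW::1883' has no address).
    """
    parts = dest.split(":")
    zone = parts[0] if parts[0] else None
    address = parts[1] if len(parts) > 1 and parts[1] else None
    port = parts[2] if len(parts) > 2 and parts[2] else None
    return zone, address, port


def classify_rule(line):
    """Return (category, explanation) for one rules-file line.

    Categories (names are this example's own, not Shorewall terms):
      redirect-like   no new destination address, only a port rewrite
      dnat-loopback   destination is 127/8; the kernel treats such traffic
                      arriving on a non-loopback interface as martian unless
                      net.ipv4.conf.<iface>.route_localnet=1
      dnat            destination is an ordinary address
      not-dnat        any other action
    """
    fields = line.split()
    if len(fields) < 3:
        return "invalid", "expected at least ACTION SOURCE DEST"
    action, _source, dest = fields[0], fields[1], fields[2]
    if action.split(":")[0] != "DNAT":          # strip the :INFO:tag log suffix
        return "not-dnat", "only DNAT rules are examined"

    zone, address, port = parse_dnat_dest(dest)
    if address is None:
        return ("redirect-like",
                f"no address in DEST; traffic still reaches zone {zone} "
                f"on port {port}, same as REDIRECT")
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "dnat", f"non-literal address {address!r}; cannot inspect"
    if ip.is_loopback:
        return ("dnat-loopback",
                "DNAT to a loopback address needs route_localnet=1 on the "
                "ingress interface, or the kernel drops it as martian")
    return "dnat", f"destination rewritten to {ip}:{port}"


def classify_all(rules):
    """Classify a list of rule lines; returns a list of category names."""
    return [classify_rule(r)[0] for r in rules]


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        category, why = classify_rule(rule)
        print(f"{category:14} {rule}\n{'':14} {why}")
```

Run it on a rules file to see at a glance which DNAT entries merely redirect a port and which ones target 127.0.0.1; the latter are the ones where a "martian source" message in the kernel log is the expected symptom when route_localnet is still 0.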