# shorewall - any idea how I can do this [SOLVED]

## nobspangle

I am running shorewall-perl 4.2.7.1

It's a basic 3 interface system, eth0 is LAN, eth1 is DMZ, eth2 is WAN

eth2 is connected to the Internet router and we have a /28 block of addresses 217.x.x.144/28, 217.x.x.145 is the router, 217.x.x.146 is assigned to the wan port of the linux box.

In the DMZ we have (amongst others) two servers running https based services. Server 1 hosts a couple of remote access apps, server 2 hosts a web application.

I am using a one-to-one NAT setup via the /etc/shorewall/nat file; mine looks like this:

```
###############################################################################
#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
#                                               INTERFACES
x.x.x.147       eth2            192.168.36.3    No              No
x.x.x.148       eth2            192.168.36.11   No              No
x.x.x.149       eth2            192.168.46.2    No              No
x.x.x.150       eth2            192.168.46.12   No              No
x.x.x.151       eth2            192.168.46.10   No              No
x.x.x.152       eth2            192.168.46.3    No              No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
```

Does anyone know of a way that will allow me to direct incoming traffic on 443 and 80 to different internal IP addresses, even though it arrives on the same external IP?

I tried using a DNAT rule in the rules file; the problem is that it directs incoming traffic on any IP address to the same internal server, which is no good for me.

Last edited by nobspangle on Sun Jun 14, 2009 8:51 am; edited 1 time in total

----------

## Bones McCracker

*nobspangle wrote:*

> I am running shorewall-perl 4.2.7.1
> 
> It's a basic 3 interface system, eth0 is LAN, eth1 is DMZ, eth2 is WAN
> 
> eth2 is connected to the Internet router and we have a /28 block of addresses 217.x.x.144/28, 217.x.x.145 is the router, 217.x.x.146 is assigned to the wan port of the linux box.
> ...

 

I think for the external IP address in question, you will have to remove the entry from the nat file, and handle all of its traffic using DNAT rules:

(let's assume the external address in question is x.x.x.153):

one rule that DNATs eth2 x.x.x.153 80, 443 traffic to 192.168.a.b

one rule that DNATs eth2 x.x.x.153 (all-ports) traffic to 192.168.c.d

----------

## Hu

Your goal is definitely supported by standard iptables.  I am unsure whether shorewall has a syntax to express your goal, though.  If it does not, you could run iptables by hand afterward to adjust the rules.  BoneKracker is on the right track with the implementation.

----------

## nobspangle

Thanks guys,

I posted the question on the shorewall mailing list. The solution is to use the original destination column in the rules file on the DNAT rule; I'd forgotten about that column, so my rule was working on all external IP addresses. My nat file remains the same, so my incoming 443 is handled by an ACCEPT rule and the 80 is handled by a DNAT, as it needs to go to an alternate location.
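As an added illustration (not part of nobspangle's post, Bones McCracker's post, or the Shorewall project's own documentation), here is how the two approaches discussed in this thread look in /etc/shorewall/rules with the Shorewall 4.2 column layout. Assumptions: the zone names `net` and `dmz` follow the Shorewall three-interface sample; the external address x.x.x.147 and the DMZ hosts 192.168.36.3 and 192.168.36.11 are taken from the nat file above, but which of them serves 443 and which serves 80 is assumed, since the thread does not say; the hosts 192.168.46.20 and 192.168.46.21 used for the second approach are invented placeholders standing in for Bones McCracker's 192.168.a.b and 192.168.c.d.

```text
# /etc/shorewall/rules  (added example; Shorewall 4.2 column layout)
#
# Approach the OP settled on: keep the one-to-one NAT entry for x.x.x.147 in
# /etc/shorewall/nat. Because NAT is applied before the filter rules, the DEST
# column of the ACCEPT names the *internal* address the external one maps to.
# The port-80 DNAT carries the external address in the ORIGINAL DEST column;
# without that column the rule matches connections to every external address,
# which is the behaviour the OP ran into first.
#
#ACTION  SOURCE  DEST                 PROTO  DEST     SOURCE   ORIGINAL
#                                            PORT(S)  PORT(S)  DEST
ACCEPT   net     dmz:192.168.36.3     tcp    443                          # assumed HTTPS host
DNAT     net     dmz:192.168.36.11    tcp    80       -        x.x.x.147  # assumed HTTP host

# Alternative suggested by Bones McCracker: remove the x.x.x.153 line from the
# nat file and handle that address entirely with DNAT rules. Rules are matched
# in order, so the port-specific rule must precede the catch-all. Note that
# x.x.x.153 still has to be configured on (or routed to) eth2 for the packets
# to reach the firewall once the nat file no longer provides the address.
# (192.168.46.20 / 192.168.46.21 are placeholder hosts, not from the thread.)
DNAT     net     dmz:192.168.46.20    tcp    80,443   -        x.x.x.153
DNAT     net     dmz:192.168.46.21    -      -        -        x.x.x.153

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
```

After editing, `shorewall check` validates the file and `shorewall restart` applies it; `shorewall show nat` then lists the resulting PREROUTING entries, which is the quickest way to confirm that the DNAT rule is now restricted to the one original destination address.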

----------

## Bones McCracker

That will work too, and it requires fewer changes to your existing configuration.  I suspect that approach is incrementally less efficient, because I think it would cause the header of some packets to be rewritten twice, instead of just once (to change the destination first according to the rules established by the nat file and then according to the rules file).  But I could be wrong.  The mailing list is the best place to get advice.

----------

