From 3c4336da588a18f7325f740c25c41299057cb8c8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 7 Jan 2011 10:27:35 -0800 Subject: [PATCH] Enhance DNAT documentation again --- docs/FAQ.xml | 9 ++++++++- docs/three-interface.xml | 12 ++++++++++-- docs/two-interface.xml | 9 ++++++++- 3 files changed, 26 insertions(+), 4 deletions(-) diff --git a/docs/FAQ.xml b/docs/FAQ.xml index 12d8f3efe..c1793220a 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -223,7 +223,8 @@ it. Answer: The format of a - port-forwarding rule to a local system is as follows: + port-forwarding rule from the net to a local system + is as follows: #ACTION SOURCE DEST PROTO DEST PORT DNAT net loc:local-IP-address[:local-port] protocol port-number @@ -253,6 +254,12 @@ DNAT net:address loc:local-IP-addresslow-port:high-port. + + The above does not work for forwarding + from the local network. If you want to do that, see FAQ 2. + +
(FAQ 1a) Okay -- I followed those instructions but it doesn't work diff --git a/docs/three-interface.xml b/docs/three-interface.xml index 416bf8430..9b07a6630 100644 --- a/docs/three-interface.xml +++ b/docs/three-interface.xml @@ -829,7 +829,15 @@ Web(ACCEPT) loc dmz:10.10.11.2 When you are connecting to your server from your local systems, you must use the server's internal IP address - (10.10.11.2). + (10.10.11.2) or you + must use DNAT from the loc zone as well (see below). + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL +# PORT(S) PORT(S) DEST +Web(DNAT) loc dmz:10.10.11.2 - - - external-ip-address + + where external-ip-address is the + IP address of the firewall's external interface. @@ -839,7 +847,7 @@ Web(ACCEPT) loc dmz:10.10.11.2 http://w.x.y.z:5000 where w.x.y.z is your external IP).#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE # PORT(S) -DNAT net dmz:10.10.11.2:80 tcp 80 5000 +DNAT net dmz:10.10.11.2:80 tcp 5000 diff --git a/docs/two-interface.xml b/docs/two-interface.xml index 5c33da7dc..39c9e4c85 100644 --- a/docs/two-interface.xml +++ b/docs/two-interface.xml @@ -752,10 +752,17 @@ root@lists:~# class="directory">/etc/shorewall/rules file. - The general form of a simple port forwarding rule in For forwarding connections from the net zone to + a server in the loc zone, the general form of a + simple port forwarding rule in /etc/shorewall/rules is: #ACTION SOURCE DEST PROTO DEST PORT(S) DNAT net loc:<server local ip address>[:<server port>] <protocol> <port> + If you want to forward traffic from the + loc zone to a server in the + loc zone, see Shorewall + FAQ 2. + Be sure to add your rules after the line that reads SECTION NEW.
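Review bot: In the docs/FAQ.xml hunk at @@ -253,6 +254,12 @@, the added paragraph tells the reader that the net-to-loc DNAT form "does not work for forwarding from the local network" but gives no hint why before sending them to FAQ 2; one sentence stating that a connection from the local network to the external address needs a different rule (as the three-interface.xml hunk in this same patch shows with a loc-sourced DNAT and an ORIGINAL DEST of the external address) would let readers recognise their situation without following the cross-reference. Also consider making "see FAQ 2" an actual link in the XML rather than plain text, since the two-interface.xml hunk of this patch links to "Shorewall FAQ 2" and the two files should be consistent.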
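Review bot: In the docs/three-interface.xml hunk at @@ -829,7 +829,15 @@, the new rule `Web(DNAT) loc dmz:10.10.11.2 - - - external-ip-address` should be described as being in addition to, not a replacement for, the `Web(ACCEPT) loc dmz:10.10.11.2` rule that appears in the hunk context, because the ORIGINAL DEST column limits the DNAT rule to connections addressed to external-ip-address, so local connections made directly to 10.10.11.2 still depend on the ACCEPT rule. It would also help to say that "external-ip-address" must be a literal address in this file, so a reader whose external address changes knows the rule has to be kept in step with it.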
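Review bot: In the docs/three-interface.xml hunk at @@ -839,7 +847,7 @@, the correction from `DNAT net dmz:10.10.11.2:80 tcp 80 5000` to `DNAT net dmz:10.10.11.2:80 tcp 5000` is right and worth calling out in the commit message: under the column header shown (`DEST PORT(S) SOURCE PORT(S)`) the old line matched destination port 80 with client source port 5000, so it never forwarded port 5000 at all and contradicted the prose immediately above it (`http://w.x.y.z:5000`). The server port 80 is still supplied by the `:80` in the DEST column, so nothing is lost by dropping it from the port columns.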
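Review bot: In the docs/two-interface.xml hunk at @@ -752,10 +752,17 @@, the sentence "If you want to forward traffic from the loc zone to a server in the loc zone" reads as if it were about ordinary local traffic; say what is actually meant, namely local clients reaching the server through the firewall's external address, which is the wording the FAQ.xml hunk in this patch uses ("forwarding from the local network"). Keeping the phrasing aligned across FAQ.xml, two-interface.xml and three-interface.xml will make the three cross-references easier to follow. Also please double-check that replacing the partial sentence "The general form of a simple port forwarding rule in" with the new `<para>` left the surrounding DocBook elements balanced, since the hunk only shows the text and not the enclosing tags.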