diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index 8c6a088a0..f2ae75f69 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -20,7 +20,7 @@
- 2001-2008
+ 2001-2009Thomas M. Eastep
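Review bot: the changed line renders the year and the holder run together ("2001-2009Thomas M. Eastep"); confirm that the year range and the holder name stay in separate elements in docs/FAQ.xml so the generated copyright notice keeps its spacing, since only the year digits were meant to change in this hunk.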
@@ -498,6 +498,24 @@ REDIRECT net 22 tcp 9022
you use a REDIRECT rule.
+
+ (FAQ 8) I have several external IP addresses and use
+ /etc/shorewall/nat to associate them with systems in my DMZ. When I add
+ a DNAT rule, say for ports 80 and 443, Shorewall redirects connections
+ on those ports for all of my addresses. How can I restrict DNAT to only
+ a single address?
+
+ Answer: Specify the external
+ address that you want to redirect in the ORIGINAL DEST column.
+
+ Example:
+
+ #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
+# PORT DEST.
+DNAT net net:192.168.4.22 tcp 80,443 - 206.124.146.178
+
+
(FAQ 38) Where can I find more information about DNAT?
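Review bot: the example rule's DEST column does not match the scenario the question describes. The question is about systems in the DMZ, but the rule reads `DNAT net net:192.168.4.22 tcp 80,443 - 206.124.146.178`, which names `net` as the destination zone; for a DMZ host that should be `dmz:192.168.4.22` (or whatever zone the reader's DMZ is named), otherwise the example forwards connections back into the zone they came from and does not illustrate the answer. The rest of the entry is sound: putting the single external address in ORIGINAL DEST is what keeps the rule from capturing port 80/443 traffic arriving on every address listed in /etc/shorewall/nat, so the other addresses are left untouched by this DNAT. Consider also spelling out in the answer that without an ORIGINAL DEST the rule matches all of the firewall's external addresses, since that is exactly the behaviour the questioner is trying to avoid.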
diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml
index f112b859a..281a7549d 100644
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@@ -1071,18 +1071,17 @@
role="bold">!]limit[:mask]
- Added in Shorewall-perl 4.2.1. May be used to limit the number
- of simultaneous connections from each individual host to
- limit connections. Requires connlimit
- match in your kernel and iptables. While the limit is only checked
- on rules specifying CONNLIMIT, the number of current connections is
- calculated over all current connections from the SOURCE host. By
- default, the limit is applied to each host but can be made to apply
- to networks of hosts by specifying a
- mask. The mask
- specifies the width of a VLSM mask to be applied to the source
- address; the number of current connections is then taken over all
- hosts in the subnet
+ May be used to limit the number of simultaneous connections
+ from each individual host to limit
+ connections. Requires connlimit match in your kernel and iptables.
+ While the limit is only checked on rules specifying CONNLIMIT, the
+ number of current connections is calculated over all current
+ connections from the SOURCE host. By default, the limit is applied
+ to each host but can be made to apply to networks of hosts by
+ specifying a mask. The
+ mask specifies the width of a VLSM mask
+ to be applied to the source address; the number of current
+ connections is then taken over all hosts in the subnet
source-address/mask.
When is specified, the rule matches when the
number of connection exceeds the
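Review bot: this hunk drops the sentence "Added in Shorewall-perl 4.2.1." from the CONNLIMIT description without replacing it, so a reader of the manpage can no longer tell which release introduced the column; if the intent is that 4.2.1 is now the minimum supported version, state that once in the manpage header or in the commit message rather than silently removing it here. The remaining text is otherwise unchanged apart from reflow. While editing this paragraph, the unchanged context line "the number of connection exceeds the" should read "the number of connections exceeds the".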
@@ -1095,10 +1094,10 @@
timeelement[,timelement...]
- Added in Shorewall-perl 4.2.1. May be used to limit the rule
- to a particular time period each day, to particular days of the week
- or month, or to a range defined by dates and times. Requires time
- match support in your kernel and iptables.
+ May be used to limit the rule to a particular time period each
+ day, to particular days of the week or month, or to a range defined
+ by dates and times. Requires time match support in your kernel and
+ iptables.timeelement may be:
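Review bot: the last added line runs "iptables." straight into "timeelement may be:" with no space or paragraph break between them; confirm the source keeps the sentence boundary (for example a paragraph or element boundary between "iptables." and the "timeelement may be:" list introduction) so the rendered manpage does not print "iptables.timeelement". As in the CONNLIMIT hunk above, the "Added in Shorewall-perl 4.2.1." sentence is removed here; if that removal is deliberate, apply it consistently to every remaining "Added in Shorewall-perl 4.2.1" note in shorewall-rules.xml, otherwise the manpage ends up stating version information for some columns and not others.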