From: Tom E. <te...@sh...> - 2002-03-28 14:03:07
----- Original Message -----
From: "Tom Eastep" <te...@sh...>
To: "Nerijus Baliunas" <ne...@us...>
Sent: Thursday, March 28, 2002 5:58 AM
Subject: Re: Re[5]: [Shorewall-users] routing problem

>
> ----- Original Message -----
> From: "Nerijus Baliunas" <ne...@us...>
> To: <sho...@sh...>
> Sent: Thursday, March 28, 2002 1:43 AM
> Subject: Re[5]: [Shorewall-users] routing problem
>
>
> > On Wed, 27 Mar 2002 17:21:39 -0800 Tom Eastep <te...@sh...> wrote:
> >
> > TE> > Tried the following config unsuccessfully:
> > TE> > rules:
> > TE> > ACCEPT dmz loc:192.168.56.21:161 udp 163 - 213.197.143.57
> > TE> >
> > TE> > I.e. connection from dmz to 213.197.143.57 port 163 should be forwarded to
> > TE> > loc:192.168.56.21:161. Is it impossible to forward udp packets?
> > TE> >
> > TE>
> > TE> The rule that you have written says:
> > TE>
> > TE> For connections from the DMZ to UDP port 163 on 213.197.143.57, forward the
> > TE> connection to the loc zone, host 192.168.56.21 port 161. I don't think
> > TE> that's what you wanted is it?
> >
> > It is what I wanted, but it doesn't work. I forward ports 162, 163 and 164 to
> > 3 different hubs (port 161).
> > Is port 161 enough for mrtg to work?
>
> Er:
>
> a) The rule that you posted is forwarding port 163 to port 161 and that's
> all!!!
> b) Port 161 -> port 161 is ALL that's required for MRTG to work (look at my
> config files at http://www.shorewall.net/myfiles.htm).
>
> >
> > TE> It is perfectly possible to forward udp packets given the proper rule.
> > TE> Again, the (simplified) format of port forwarding rule is:
> > TE>
> > TE> ACCEPT <src zone> <dest zone>:<server ip>[:<server port>] <protocol> <port>
> > TE> [ <client ports> | - [ <dest ip> | all ] ]
> >
> > My rule is OK, isn't it?
> >
>
> Well, it isn't what I would have written if I wanted to port forward port
> 161. Just so we are clear on your network topology, 213.197.143.57 is the IP
> address of the firewall's interface to the DMZ right?
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ te...@sh...
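
Added example, not part of the thread and not Shorewall code: a small Python parser for the simplified port-forwarding rule format quoted above, which spells out what a rule forwards and whether it rewrites the port. The function names and the second (same-port) rule are constructed for illustration; only single numeric ports are handled, and an omitted <server port> is assumed to leave the port unchanged.

```python
import ipaddress

def _port(text):
    n = int(text)                      # ValueError if not a number
    if not 1 <= n <= 65535:
        raise ValueError("port out of range: %d" % n)
    return n

def parse_forward_rule(line):
    """Parse: ACCEPT <src zone> <dest zone>:<server ip>[:<server port>]
    <protocol> <port> [ <client ports> | - [ <dest ip> | all ] ]"""
    f = line.split()
    if not 5 <= len(f) <= 7 or f[0] != "ACCEPT":
        raise ValueError("expected ACCEPT plus 4 to 6 columns: %r" % line)
    dest_zone, sep, server = f[2].partition(":")
    if not sep or not dest_zone:
        raise ValueError("destination needs <zone>:<server ip>")
    server_ip, _, server_port = server.partition(":")
    ipaddress.ip_address(server_ip)    # ValueError if malformed
    port = _port(f[4])
    dest_ip = f[6] if len(f) == 7 else None
    if dest_ip not in (None, "all"):
        ipaddress.ip_address(dest_ip)
    return {
        "src_zone": f[1], "dest_zone": dest_zone, "server_ip": server_ip,
        # Assumption: with no <server port>, the port is left unchanged.
        "server_port": _port(server_port) if server_port else port,
        "proto": f[3].lower(), "port": port,
        "client_ports": f[5] if len(f) >= 6 else "-", "dest_ip": dest_ip,
    }

def rewrites_port(rule):
    """True when the rule forwards to a different port than the one matched."""
    return rule["server_port"] != rule["port"]

def describe(rule):
    if rule["dest_ip"] is None:
        where = ""
    elif rule["dest_ip"] == "all":
        where = " on any address"
    else:
        where = " on " + rule["dest_ip"]
    return ("connections from the %s zone to %s port %d%s are forwarded to "
            "the %s zone, host %s port %d" % (
                rule["src_zone"], rule["proto"].upper(), rule["port"], where,
                rule["dest_zone"], rule["server_ip"], rule["server_port"]))

POSTED = "ACCEPT dmz loc:192.168.56.21:161 udp 163 - 213.197.143.57"  # rule from the thread
SAME_PORT = "ACCEPT dmz loc:192.168.56.21 udp 161 - 213.197.143.57"   # constructed: 161 -> 161

if __name__ == "__main__":
    for line in (POSTED, SAME_PORT):
        r = parse_forward_rule(line)
        print(describe(r), "| port rewritten:", rewrites_port(r))
```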