Timothy Murphy wrote:
> I have shorewall working perfectly on my little home LAN,
> using the two-interfaces configuration
> (from <http://www.shorewall.net/two-interface.htm>).
> Now I'd like to allow access to a web server (httpd)
> on my shorewall machine - a desktop computer
> connected to the internet through an ADSL modem.
> I'm finding this surprisingly difficult;
> I've added the two lines
> DNAT net loc:192.168.1.1 tcp 80 - 86.43.71.228
> DNAT net loc:192.168.1.1 tcp www
> to the shorewall rules (and restarted shorewall and httpd).
You may not want to run a webserver on your firewall from a security
standpoint, but that aside...
The firewall interfaces are part of the fw zone, not the local zone.
From the Shorewall "Some Things to Keep in Mind" section:
"All IP addresses configured on firewall interfaces are in the $FW (fw)
zone. If 192.168.1.254 is the IP address of your internal interface then
you can write “$FW:192.168.1.254” in a rule but you may not write
“loc:192.168.1.254”. Similarly, it is nonsensical to add 192.168.1.254
to the loc zone using an entry in /etc/shorewall/hosts."
Setting the rule to reflect your firewall zone will probably work.
-J
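For reference, here is what a rules entry for this case looks like once the firewall's own address is treated as part of the $FW zone, as J describes. This is an added illustration, not a rule from the thread or from the Shorewall documentation; it assumes the default zone names (net, loc, fw) from the two-interface sample and that httpd listens on port 80 on the firewall host. Because the server runs on the firewall itself, no address translation is involved at all, so the plain ACCEPT action is used rather than DNAT; DNAT is for forwarding a port to a host behind the firewall, which is shown commented out with a hypothetical LAN address for contrast.

```text
#ACTION   SOURCE   DEST                PROTO   DEST_PORT
# httpd listening on the firewall itself: accept into the $FW zone, no NAT.
ACCEPT    net      $FW                 tcp     80

# DNAT is only appropriate when the server lives on a LAN host behind the
# firewall (192.168.1.10 is a hypothetical address, not from the thread):
#DNAT     net      loc:192.168.1.10    tcp     80
```

After editing /etc/shorewall/rules, run `shorewall check` to catch syntax or zone errors before `shorewall restart`, then confirm the rule landed in the net-to-firewall chain with `iptables -nvL net2fw`. As J notes, exposing a web server on the firewall host widens its attack surface; keeping httpd minimal and patched, or moving it to a separate host in a DMZ zone, is the safer long-term layout.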