[Firehol-support] nat redirect-to

Phil Whineray phil.whineray at gmail.com
Wed Sep 5 22:56:47 CEST 2012


On Wed, Sep 05, 2012 at 10:58:10AM -0400, Tony Peña wrote:
> I try to put this into my server with old-radius so I can redirect all those
> packages back to a new server version,
> and the syntax is ok because firehol try works fine.. but I see in the old
> server packages continue coming as if nothing happened..

So you are trying to write a firehol config to redirect traffic coming
in to the client and make it go to a different machine? I don't think
you can do that with redirect-to; it only redirects to a new port on the
local machine.

> now my problem.

I filled in the blanks and used this as a complete config:

version 5


nat redirect-to 1812 inface eth0 src "$NAS_IPS" proto udp $NEWIP dport 1812
nat redirect-to 1813 inface eth0 src "$NAS_IPS" proto udp $NEWIP dport 1813

interface eth0 inet
   policy drop
   client all accept

However I get two syntax errors which look like this:
ERROR #: 1
WHAT   : Creating chain 'nat.1' under 'PREROUTING' in table 'nat'
WHY    : Cannot understand directive ''.
COMMAND: nat redirect-to 1812 inface eth0 src\ proto
udp dport 1812 
SOURCE : line 6 of x.conf

> and nothing happens,..
> remember 1812 is for authorization/authentication and 1813 is accounting. so
> need to redirect both ports to the new server.

Are you sure you are loading the rules? You could try "firehol status" to
look at the generated iptables, but I don't think the syntax is correct
or that the command you are using is right.

"nat to-destination" may do what you want. I think you will need to define
a router also. I gave the below a quick test (using netcat, since I
don't have any radius servers to hand):

version 5


nat to-destination $NEWIP inface eth0 src "$NAS_IPS" proto udp dport 1812
nat to-destination $NEWIP inface eth0 src "$NAS_IPS" proto udp dport 1813

interface eth0 inet
   policy drop
   client all accept

router redirector inface eth0 outface eth0
   route radius accept

Hope that helps somewhat

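As an added illustration (not part of the mailing-list post above), the script below renders the complete "nat to-destination" configuration from the reply with the two variables actually filled in, and refuses to produce a file when either is empty. The "Cannot understand directive ''" error in the reply is what firehol reports once "$NAS_IPS" and "$NEWIP" expand to nothing, so the guard catches that before firehol is run. The addresses are constructed placeholders from the RFC 5737 documentation ranges; the optional "iptables" mode prints the plain iptables REDIRECT and DNAT rules that correspond to the two firehol verbs, as a comparison only, not as firehol's own generated output.

```shell
#!/bin/sh
# Added example, not the original poster's or the FireHOL project's code.
# Renders the nat to-destination config from the reply with real values,
# and fails early if a variable that the rules interpolate is empty.
#
# Both addresses are constructed placeholders (RFC 5737 documentation ranges).
NAS_IPS="${NAS_IPS:-192.0.2.10 192.0.2.11}"   # the NAS clients to redirect
NEWIP="${NEWIP:-198.51.100.5}"                # the new RADIUS server

# Return 1 (with a message) unless every interpolated variable has a value.
check_vars() {
    for name in NAS_IPS NEWIP; do
        eval "value=\$$name"
        if [ -z "$value" ]; then
            echo "error: $name is empty; the nat rules would be generated with blank arguments" >&2
            return 1
        fi
    done
}

# Print the complete FireHOL configuration (version 5 syntax, as in the reply).
# The variable definitions are written into the file so firehol sees them.
render_firehol_conf() {
    check_vars || return 1
    cat <<EOF
version 5

NAS_IPS="$NAS_IPS"
NEWIP="$NEWIP"

nat to-destination \$NEWIP inface eth0 src "\$NAS_IPS" proto udp dport 1812
nat to-destination \$NEWIP inface eth0 src "\$NAS_IPS" proto udp dport 1813

interface eth0 inet
   policy drop
   client all accept

router redirector inface eth0 outface eth0
   route radius accept
EOF
}

# Plain iptables counterparts of the two verbs, printed rather than executed:
# redirect-to maps to the REDIRECT target (a port on this host only), while
# to-destination maps to DNAT (a different host). Standard iptables targets,
# shown for comparison; this is not FireHOL's generated rule set.
iptables_equivalents() {
    check_vars || return 1
    for port in 1812 1813; do
        for nas in $NAS_IPS; do
            echo "# redirect-to $port: traffic stays on this host"
            echo "iptables -t nat -A PREROUTING -i eth0 -s $nas -p udp --dport $port -j REDIRECT --to-ports $port"
            echo "# to-destination $NEWIP: traffic is forwarded to the new server"
            echo "iptables -t nat -A PREROUTING -i eth0 -s $nas -p udp --dport $port -j DNAT --to-destination $NEWIP"
        done
    done
}

# Usage: ./radius-nat.sh > radius.conf && firehol try radius.conf
#        ./radius-nat.sh iptables   (prints the comparison rules instead)
if [ "${1:-}" = "iptables" ]; then
    iptables_equivalents
else
    render_firehol_conf
fi
```

Setting NAS_IPS or NEWIP in the environment overrides the placeholders; leaving one empty reproduces the failure mode from the thread as a clear error message instead of a rule with blank arguments.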