[Firehol-support] nat redirect-to

Phil Whineray phil.whineray at gmail.com
Wed Sep 5 21:56:47 BST 2012


Hi

On Wed, Sep 05, 2012 at 10:58:10AM -0400, Tony Peña wrote:
> i try to put this into my server with old-radius to can redirect all those
> packages to back a new server version
> and the syntax is ok because firehol try works fine.. but i see in the old
> server continues packages coming as nothing happened..

So you are trying to write a firehol config to redirect traffic coming
in to the client and make it go to a different machine? I don't think
you can do that with redirect-to; it only redirects to a new port on the
local machine.

> now my problem.
[snip]
I filled in the blanks and used this as a complete config:

version 5

NAS_IPS="10.0.0.1 10.0.0.2"
NEWIP=10.0.0.99

nat redirect-to 1812 inface eth0 src "$NAS_IPS" proto udp $NEWIP dport 1812
nat redirect-to 1813 inface eth0 src "$NAS_IPS" proto udp $NEWIP dport 1813

interface eth0 inet
   policy drop
   client all accept

However I get two syntax errors which look like this:
ERROR #: 1
WHAT   : Creating chain 'nat.1' under 'PREROUTING' in table 'nat'
WHY    : Cannot understand directive '10.0.0.99'.
COMMAND: nat redirect-to 1812 inface eth0 src 10.0.0.1\ 10.0.0.2 proto
udp 10.0.0.99 dport 1812 
SOURCE : line 6 of x.conf


> and nothing happens,..
> remember 1812 is for authorization/authentication and 1813 is accounting. so
> need redirect to both ports to new server.

Are you sure you are loading the rules? You could try "firehol status" to
look at the generated iptables, but I don't think the syntax is correct
or that the command you are using is right.

"nat to-destination" may do what you want. I think you will need to define
a router also. I gave the below a quick test (using netcat, since I
don't have any radius servers to hand):

version 5

NAS_IPS="10.0.0.1 10.0.0.2"
NEWIP=10.0.0.99

nat to-destination $NEWIP inface eth0 src "$NAS_IPS" proto udp dport 1812
nat to-destination $NEWIP inface eth0 src "$NAS_IPS" proto udp dport 1813

interface eth0 inet
   policy drop
   client all accept

router redirector inface eth0 outface eth0
   route radius accept

Hope that helps somewhat
Phil
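A small check to go with the "are you sure you are loading the rules?" question above, added here and not part of the original thread: it inspects a nat-table dump (from "firehol status" or "iptables-save -t nat") for the DNAT rules the "nat to-destination" config should produce and reports which RADIUS port is missing one. The dump below is constructed sample output that approximates iptables-save format; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. Instead of trusting that the
# config loaded, check the nat table for the expected DNAT rules.
# SAMPLE_NAT is CONSTRUCTED to approximate `iptables-save -t nat` output; on a
# real host feed the live dump to check_radius_dnat instead.

SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 10.0.0.1/32 -i eth0 -p udp -m udp --dport 1812 -j DNAT --to-destination 10.0.0.99
-A PREROUTING -s 10.0.0.2/32 -i eth0 -p udp -m udp --dport 1812 -j DNAT --to-destination 10.0.0.99
-A PREROUTING -s 10.0.0.1/32 -i eth0 -p udp -m udp --dport 1813 -j DNAT --to-destination 10.0.0.99
-A PREROUTING -s 10.0.0.2/32 -i eth0 -p udp -m udp --dport 1813 -j DNAT --to-destination 10.0.0.99
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 80
COMMIT'

# count_dnat_rules NAT_DUMP PORT NEWIP
# Prints how many PREROUTING rules DNAT udp/PORT to NEWIP (0 when there are none).
# Only DNAT counts: a REDIRECT rule (redirect-to) would not send traffic off-box.
count_dnat_rules() {
    printf '%s\n' "$1" \
        | grep -Ec -- "^-A PREROUTING .*-p udp .*--dport $2 .*-j DNAT --to-destination $3( |\$)" \
        || true
}

# check_radius_dnat NAT_DUMP NEWIP
# Prints "ok" when both 1812 (auth) and 1813 (accounting) have a DNAT rule to
# NEWIP, otherwise "missing: <ports>" so you can see which half did not load.
check_radius_dnat() {
    missing=""
    for port in 1812 1813; do
        n=$(count_dnat_rules "$1" "$port" "$2")
        [ "$n" -gt 0 ] || missing="$missing $port"
    done
    if [ -z "$missing" ]; then
        echo "ok"
    else
        echo "missing:$missing"
    fi
}

check_radius_dnat "$SAMPLE_NAT" 10.0.0.99
```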