User manual
20: Configuring firewall
_______________________________________________________________________________________________________
The iptables rules generated for this section rely on the state match, which needs
connection tracking to work. At least one of the src or dest zones must therefore have
connection tracking enabled, through either the masq or the conntrack option.
20.4 Redirects
Port forwardings (DNAT) are defined by redirect sections. All incoming traffic on
the specified source zone which matches the given rules will be directed to the
specified internal host.
The options described in the table below are valid for redirects:
Name       | Type                     | Required             | Default | Description
src        | zone name                | yes for DNAT target  | (none)  | Specifies the traffic source zone; must refer to one of the defined zone names. For typical port forwards this is usually wan.
src_ip     | IP address               | no                   | (none)  | Matches incoming traffic from the specified source IP address.
src_dip    | IP address               | yes for SNAT target  | (none)  | For DNAT, matches incoming traffic directed at the given destination IP address. For SNAT, rewrites the source address to the given address.
src_mac    | MAC address              | no                   | (none)  | Matches incoming traffic from the specified MAC address.
src_port   | port or range            | no                   | (none)  | Matches incoming traffic originating from the given source port or port range on the client host.
src_dport  | port or range            | no                   | (none)  | For DNAT, matches incoming traffic directed at the given destination port or port range on this host. For SNAT, rewrites the source ports to the given value.
proto      | protocol name or number  | yes                  | tcpudp  | Matches incoming traffic using the given protocol.
dest       | zone name                | yes for SNAT target  | (none)  | Specifies the traffic destination zone; must refer to one of the defined zone names.
dest_ip    | IP address               | yes for DNAT target  | (none)  | For DNAT, redirects matched incoming traffic to the specified internal host. For SNAT, matches traffic directed at the given address.
dest_port  | port or range            | no                   | (none)  | For DNAT, redirects matched incoming traffic to the given port on the internal host. For SNAT, matches traffic directed at the given ports.
target     | string                   | no                   | DNAT    | NAT target (DNAT or SNAT) to use when generating the rule.
family     | string                   | no                   | any     | Protocol family (ipv4, ipv6 or any) to generate iptables rules for.
reflection | boolean                  | no                   | 1       | Disables NAT reflection for this redirect if set to 0. Applicable to DNAT targets.
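Two redirect sections written with the options above, one for each target (an added example, not taken from the manual; the zone names wan and lan, the RFC 5737 addresses and the port numbers are constructed):

```uci
# Added example, not from the manual. Zone names, addresses and ports are constructed.

# DNAT port forward: TCP traffic arriving on zone wan at port 8022 is redirected
# to SSH on the internal host 192.168.1.10. src and dest_ip are the options the
# table marks as required for the DNAT target; proto is always required.
config redirect
	option target      'DNAT'
	option src         'wan'
	option src_dport   '8022'
	option proto       'tcp'
	option dest        'lan'
	option dest_ip     '192.168.1.10'
	option dest_port   '22'
	# Match only one management address: without src_ip, every host that
	# reaches the wan zone matches this forward.
	option src_ip      '198.51.100.7'
	# Disable NAT reflection for this forward; internal hosts do not need
	# the hairpin path to reach the forwarded port.
	option reflection  '0'

# SNAT redirect: traffic from zone lan towards 203.0.113.25 on zone wan leaves
# with its source address rewritten to 192.0.2.10. src_dip and dest are the
# options the table marks as required for the SNAT target.
config redirect
	option target      'SNAT'
	option src         'lan'
	option dest        'wan'
	option dest_ip     '203.0.113.25'
	option src_dip     '192.0.2.10'
	option proto       'tcpudp'
```

Because these rules depend on the state match, the wan zone (or lan for the SNAT case) must have connection tracking enabled as described at the start of this section.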
_______________________________________________________________________________________________________
© Virtual Access 2015
GW1000 Series User Manual
Issue: 2.4 Page 131 of 255