Route all traffic of a given type to an interface
Hello all.
I'm running Shorewall 1.3.11 on a box with 3 NICs. One NIC is connected to our cable modem (WAN), one to our campus network (LAN) and a third one is our pseudo-DMZ (I say pseudo because the machines in that zone are really just there so they are accessible from the net [webservers] and can selectively use each connection).
I want to route all http traffic to use eth1 (the LAN), leaving the cable bandwidth open for more specialized things. I've tried setting up a variety of rules, but I can't seem to find the right one. I've been successful in mapping MS Terminal Services through to the right machines and ports, so I know I'm not completely ignorant.
Here are the current rules:
#result client server proto port client_port address
ACCEPT fw wan tcp 53 -
ACCEPT fw wan udp 53 -
ACCEPT dmz wan udp 53 -
REJECT lan wan udp 53 -
ACCEPT lan fw tcp 22 -
DNAT:info lan dmz:192.168.1.87:80 tcp 87 -
DNAT:info wan dmz:192.168.1.87:80 tcp 87 -
ACCEPT lan fw tcp 8443 -
ACCEPT lan fw icmp 8 -
ACCEPT lan dmz icmp 8 -
ACCEPT dmz lan icmp 8 -
ACCEPT dmz fw icmp 8 -
ACCEPT fw dmz icmp 8 -
ACCEPT dmz lan tcp http -
ACCEPT lan wan tcp https -
ACCEPT lan wan tcp ssh -
ACCEPT lan wan tcp ftp -
ACCEPT lan wan tcp nntp -
ACCEPT fw wan udp ntp -
ACCEPT lan wan tcp imap -
The 2 DNAT rules redirect traffic that hits the WAN interface on port 87 to my webserver's port 80.
Is there a simple rule that could forward all DMZ -> any http traffic to the lan?
Thanks for any help.
(Oh, I know, having everything ACCEPT is probably a bad idea, but this is just for testing)
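The mechanism the question is asking for, as an added example that is not part of the original post and is not Shorewall's own rules-file syntax: Shorewall 1.3 only generates iptables rules, and the rules file decides whether traffic is allowed, not which interface it leaves by. Choosing the outgoing interface for one class of traffic is a routing decision, so the packets have to be marked in the mangle table before routing and the mark has to be given its own routing table whose only default route points at the LAN. The interface names (eth1 = LAN, eth2 = DMZ), the campus next hop 10.0.0.1, the DMZ subnet 192.168.1.0/24, the mark value and the table number are all assumptions; override them through the environment.

```shell
#!/bin/sh
# Added example (not from the post, not Shorewall syntax): steer DMZ -> HTTP
# out the LAN interface with a firewall mark plus a per-mark routing table.
# Assumed names: eth1 = LAN (campus), eth2 = DMZ, 10.0.0.1 = campus next hop,
# 192.168.1.0/24 = DMZ subnet. All of them can be overridden via environment.
LAN_IF=${LAN_IF:-eth1}
DMZ_IF=${DMZ_IF:-eth2}
LAN_GW=${LAN_GW:-10.0.0.1}
DMZ_NET=${DMZ_NET:-192.168.1.0/24}
MARK=${MARK:-1}      # fwmark given to DMZ->HTTP connections
TABLE=${TABLE:-100}  # routing table that only knows the LAN default route

# Print the commands; nothing is executed here. Order matters: the mark must
# be set in mangle PREROUTING, i.e. before the routing decision, and restored
# from the connection (CONNMARK) on later packets of the same flow so that
# the whole connection, not only its first packet, follows the LAN route.
# The final MASQUERADE line is only needed when the campus network does not
# route the DMZ subnet back to this box; drop it if Shorewall's masq file
# already covers the LAN interface.
http_via_lan_cmds() {
    cat <<EOF
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -i $DMZ_IF -s $DMZ_NET -p tcp --dport 80 -j MARK --set-mark $MARK
iptables -t mangle -A PREROUTING -m mark --mark $MARK -j CONNMARK --save-mark
ip rule add fwmark $MARK table $TABLE
ip route add default via $LAN_GW dev $LAN_IF table $TABLE
ip route flush cache
iptables -t nat -A POSTROUTING -o $LAN_IF -s $DMZ_NET -m mark --mark $MARK -j MASQUERADE
EOF
}

# Dry run by default; APPLY=1 executes the commands (needs root, iproute2 and
# an iptables build with the CONNMARK target). Re-run after a Shorewall
# restart, because a restart rebuilds the iptables tables.
if [ "${APPLY:-0}" = 1 ]; then
    http_via_lan_cmds | sh -e
else
    http_via_lan_cmds
fi
```

Two things to check after applying it: `ip rule show` and `ip route show table 100` should list the mark rule and the LAN-only default route, and the packet counters in `iptables -t mangle -L PREROUTING -v -n` should climb when a DMZ host fetches a web page. If the page never loads, look at reverse-path filtering on the LAN interface (`/proc/sys/net/ipv4/conf/eth1/rp_filter`): replies arrive on eth1 from addresses the main routing table would send out the cable modem, and a strict rp_filter drops them unless the restored connection mark makes the kernel consult table 100, so set it to loose or off on that interface if the counters show the requests leaving but nothing coming back. Note that the marking rule only matches traffic that enters on the DMZ interface, so the existing `ACCEPT dmz lan tcp http` rule is still what allows the forward itself.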