Version 15 (modified by vjo, 8 years ago)


SHOREWALL DNAT port-forwarding proxy


This proxy mechanism dynamically manipulates firewall rules on a Linux host running the Shorewall firewall management framework: it installs and removes DNAT rules that remap the internal IP address and port of a VM (typically port 22, SSH) to the publicly addressable IP address of the firewall host and a different port. The additional scripts developed for Shorewall are independent of ORCA; however, they bridge the gap between Shorewall and ORCA handlers by providing a simple API that lets the user (remotely) add and remove DNAT port-forwarding rules for VMs.


  • Install and configure Shorewall on the NAT host.
  • Download additional Shorewall-DNAT scripts (grab the latest tag)
    $ svn co shorewall-dnat
  • Follow the installation instructions in the INSTALL file of the release.


Two modes are possible:

  • server-based - ensures that all commands are serialized and executed in order of arrival, but requires running a server on the NAT host
  • command-based - serialization is guaranteed but not the ordering of the commands

See the README file in the release for more information.
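The remapping described above, written out as an added example that is not part of the shorewall-dnat release or of ORCA: a small POSIX shell library that builds a Shorewall DNAT rule forwarding a public port on the NAT host to a VM's SSH port, refuses targets outside the internal VM range and ports outside a dedicated forwarding range, and adds or removes the rule in a rules file while keeping public ports unique. The zone names net and loc, the 10.0.0.0/8 internal range, the 2200-2999 public port range and the function names are assumptions for this example; applying the edited rules to the running firewall is left to the release's own scripts.

```shell
#!/bin/sh
# Added example: Shorewall DNAT rule management for VM SSH forwarding.
# Assumptions (not from the shorewall-dnat release): zones "net" and "loc",
# VMs live in 10.0.0.0/8, public forwarding ports are taken from 2200-2999.

# make_dnat_rule <vm_ip> <vm_port> <public_port>
# Prints one Shorewall rules line (ACTION SOURCE DEST PROTO DPORT) or fails.
make_dnat_rule() {
    vm_ip=$1; vm_port=$2; pub_port=$3

    # Only forward into the private VM range (coarse 10.x.x.x check), so the
    # NAT host cannot be turned into a relay towards arbitrary addresses.
    case "$vm_ip" in
        10.[0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "refusing non-internal target $vm_ip" >&2; return 1 ;;
    esac

    # Both ports must be plain numbers.
    for p in "$vm_port" "$pub_port"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port '$p'" >&2; return 1 ;;
        esac
    done
    if [ "$vm_port" -lt 1 ] || [ "$vm_port" -gt 65535 ]; then
        echo "VM port $vm_port out of range" >&2; return 1
    fi

    # Public ports come from a dedicated high range so a forward can never
    # shadow a service of the firewall host itself (e.g. its own SSH on 22).
    if [ "$pub_port" -lt 2200 ] || [ "$pub_port" -gt 2999 ]; then
        echo "public port $pub_port outside 2200-2999" >&2; return 1
    fi

    printf 'DNAT net loc:%s:%s tcp %s\n' "$vm_ip" "$vm_port" "$pub_port"
}

# add_dnat_rule <rules_file> <vm_ip> <vm_port> <public_port>
# Appends the rule unless the public port is already forwarded somewhere.
add_dnat_rule() {
    rules_file=$1; shift
    rule=$(make_dnat_rule "$@") || return 1
    pub_port=$3
    if grep -Eq "^DNAT[[:space:]].*[[:space:]]tcp[[:space:]]+$pub_port\$" "$rules_file"; then
        echo "public port $pub_port already forwarded" >&2; return 1
    fi
    echo "$rule" >> "$rules_file"
}

# remove_dnat_rule <rules_file> <public_port>
# Drops every DNAT line that forwards the given public port.
remove_dnat_rule() {
    rules_file=$1; pub_port=$2
    tmp=$(mktemp)
    # grep -v exits 1 when nothing remains; that is not an error here.
    grep -Ev "^DNAT[[:space:]].*[[:space:]]tcp[[:space:]]+$pub_port\$" "$rules_file" > "$tmp" || true
    mv "$tmp" "$rules_file"
}

# count_forwards <rules_file>: number of DNAT lines currently in the file.
count_forwards() {
    grep -c '^DNAT' "$1" || true
}

# Demo on a constructed, throw-away rules file.
demo=$(mktemp)
add_dnat_rule "$demo" 10.0.0.5 22 2222
add_dnat_rule "$demo" 10.0.0.6 22 2223
cat "$demo"
remove_dnat_rule "$demo" 2222
rm -f "$demo"
```

The uniqueness check on the public port is what keeps two VMs from silently competing for the same external port; the range checks are the cheap defensive lines that an API reachable remotely should enforce before touching the firewall.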

ORCA integration

Once installed and tested, details of the installation should be configured in file.


Be sure to allow Tomcat connections (if the ORCA Tomcat instance also runs on the proxy host). Append the following to /etc/shorewall/rules. Note that the net line opens port 11080 to every external address; if only specific remote hosts need to reach ORCA, restrict the SOURCE column of that line to them (Shorewall accepts the net:<address> form).

# ORCA tomcat
ACCEPT          net             $FW             tcp     11080
ACCEPT          loc             $FW             tcp     11080