SHOREWALL DNAT port-forwarding proxy


This proxy mechanism works by dynamically manipulating the firewall rules on a Linux host that runs the Shorewall firewall management framework: rules are installed and removed on the fly to remap the internal IP address and port of a VM (typically port 22, SSH) to the firewall host's publicly addressable IP address and a different port. The additional scripts developed for Shorewall are independent of ORCA, but they bridge the gap between Shorewall and the ORCA handlers by providing a simple API that lets the user (remotely) add and remove DNAT port-forwarding rules for VMs.



Two modes are possible:

  • server-based - a server process on the NAT host receives the commands, so they are serialized and executed in order of arrival; the cost is having to run that server on the NAT host
  • command-based - each command is executed directly on the NAT host; concurrent commands are still serialized (no two edits interleave), but the order in which they are applied is not guaranteed
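The following is an added example of the command-based mode, written for this page rather than taken from ORCA or the Shorewall scripts it describes. It keeps the DNAT forwards in a marker-delimited block of the Shorewall rules file, serializes concurrent invocations with an exclusive file lock (which is exactly the guarantee above: no interleaving, but no arrival-order promise), refuses to map the same public port twice, and validates the VM address so a caller cannot smuggle extra rule columns in. The marker strings, the lock and temp file names and the command-line syntax are this example's assumptions.

```python
"""Added example: a minimal command-based DNAT forward manager for Shorewall.
Not ORCA's or Shorewall's own code; marker names, lock/temp file names and
the CLI are this example's assumptions."""
import fcntl
import ipaddress
import os
import re
import sys
from contextlib import contextmanager

# The block of the rules file that this script owns (marker text is an assumption).
BEGIN = "# BEGIN orca-dnat (managed, do not edit by hand)"
END = "# END orca-dnat"
# Shorewall rules columns: ACTION SOURCE DEST PROTO DPORT
RULE_RE = re.compile(r"^DNAT\s+net\s+loc:([\d.]+):(\d+)\s+tcp\s+(\d+)\s*$")


def dnat_rule(vm_ip, public_port, vm_port=22):
    """Render one Shorewall DNAT rule: TCP traffic arriving from the 'net' zone
    on public_port is rewritten to vm_ip:vm_port in the 'loc' zone."""
    ipaddress.IPv4Address(vm_ip)  # rejects junk, so no extra columns can be injected
    for p in (public_port, vm_port):
        if not 1 <= int(p) <= 65535:
            raise ValueError("port out of range: %r" % (p,))
    return "DNAT\tnet\tloc:%s:%d\ttcp\t%d" % (vm_ip, int(vm_port), int(public_port))


@contextmanager
def locked(path):
    """Serialize concurrent invocations with an exclusive flock: no two edits
    interleave, but waiters are not released in arrival order."""
    with open(path + ".lock", "w") as lk:
        fcntl.flock(lk, fcntl.LOCK_EX)
        try:
            yield
        finally:
            fcntl.flock(lk, fcntl.LOCK_UN)


def _split(path):
    """Return (head, managed, tail): lines before, inside and after the markers."""
    lines = []
    if os.path.exists(path):
        with open(path) as f:
            lines = f.read().splitlines()
    if BEGIN in lines and END in lines:
        b, e = lines.index(BEGIN), lines.index(END)
        return lines[:b], lines[b + 1:e], lines[e + 1:]
    return lines, [], []


def _write(path, head, managed, tail):
    """Write to a temp file and rename, so a crash never leaves a half-written rules file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write("\n".join(head + [BEGIN] + managed + [END] + tail) + "\n")
    os.replace(tmp, path)


def _port_of(line):
    m = RULE_RE.match(line)
    return int(m.group(3)) if m else None


def list_forwards(path):
    """Map public_port -> (vm_ip, vm_port) for every managed forward."""
    out = {}
    for line in _split(path)[1]:
        m = RULE_RE.match(line)
        if m:
            out[int(m.group(3))] = (m.group(1), int(m.group(2)))
    return out


def add_forward(path, vm_ip, public_port, vm_port=22):
    """Append a forward; refuses a public port that is already mapped."""
    rule = dnat_rule(vm_ip, public_port, vm_port)
    with locked(path):
        head, managed, tail = _split(path)
        if any(_port_of(l) == int(public_port) for l in managed):
            raise ValueError("public port %d is already forwarded" % int(public_port))
        _write(path, head, managed + [rule], tail)
    return rule


def remove_forward(path, public_port):
    """Drop the forward on public_port; returns True if a rule was removed."""
    with locked(path):
        head, managed, tail = _split(path)
        keep = [l for l in managed if _port_of(l) != int(public_port)]
        if len(keep) != len(managed):
            _write(path, head, keep, tail)
            return True
    return False


if __name__ == "__main__":
    # usage: dnat_proxy.py RULES_FILE add VM_IP PUBLIC_PORT [VM_PORT]
    #        dnat_proxy.py RULES_FILE del PUBLIC_PORT
    #        dnat_proxy.py RULES_FILE list
    path, cmd, args = sys.argv[1], sys.argv[2], sys.argv[3:]
    if cmd == "add":
        print(add_forward(path, args[0], int(args[1]), int(args[2]) if len(args) > 2 else 22))
    elif cmd == "del":
        print("removed" if remove_forward(path, int(args[0])) else "no such forward")
    else:
        for port, (ip, vport) in sorted(list_forwards(path).items()):
            print("%d -> %s:%d" % (port, ip, vport))
```

Editing the file only changes what Shorewall will load next; a `shorewall reload` (or `shorewall restart` on older releases) must still be run afterwards to compile and activate the new rules, and the example deliberately stops short of that so it can be exercised on a scratch copy of the rules file. Because a DNAT rule from the net zone exposes the VM's SSH port to the Internet, the forwarded VMs should require key-based authentication.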


Be sure to allow Tomcat connections if the ORCA Tomcat instance is also running on the proxy host. Append the following to /etc/shorewall/rules (the first rule opens port 11080 to the Internet, so keep it only if ORCA must be reachable from outside; the second covers the local zone):

# ORCA tomcat
#ACTION         SOURCE          DEST            PROTO   DPORT
ACCEPT          net             $FW             tcp     11080
ACCEPT          loc             $FW             tcp     11080