Shorewall DNAT port-forwarding proxy


This proxy mechanism relies on dynamically manipulating firewall rules on a Linux host running the Shorewall firewall management framework: rules are installed and removed to remap the internal IP address and port of a VM (typically port 22, SSH) to the publicly addressable IP address of the firewall host and a different port. The additional scripts developed for Shorewall are independent of ORCA; however, they bridge the gap between Shorewall and the ORCA handlers by providing a simple API that lets the user (remotely) add and remove DNAT port-forwarding rules for VMs.

Two modes are possible:

  • server-based - ensures that all commands are serialized and executed in order of arrival, but requires running a server on the NAT host
  • command-based - serialization of the commands is guaranteed, but not their order of execution

See this README file for more information.
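As an added example (not one of the ORCA/Shorewall scripts this page refers to), a minimal command-based implementation: every add or remove call takes a lock, so concurrent invocations are serialized, but nothing preserves arrival order. It assumes VMs live in Shorewall zone loc, the public side is zone net, rules owned by the tool carry a "# orca-dnat" tag, and the rules/lock file paths are configurable; all of these are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not one of the ORCA/Shorewall scripts the page describes:
# a "command-based" DNAT manager. Each invocation is serialized with flock(1),
# so concurrent callers cannot interleave edits, but arrival order is not kept.
# Assumptions (constructed): VMs sit in Shorewall zone "loc", the public side
# is zone "net", and rules owned by this tool carry the trailing "# orca-dnat" tag.
RULES_FILE="${RULES_FILE:-/etc/shorewall/rules}"
LOCK_FILE="${LOCK_FILE:-/var/lock/orca-dnat.lock}"
SHOREWALL_CMD="${SHOREWALL_CMD:-shorewall}"   # set to "true" to exercise without Shorewall
TAG='# orca-dnat'

# Reject anything that is not a dotted-quad IPv4 address / a TCP port in 1..65535,
# so a malformed remote request can never reach the rules file.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}
valid_port() { echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# Shorewall rules-file syntax: DNAT <source zone> <dest zone:ip:port> <proto> <dest port>
dnat_rule() { printf 'DNAT\tnet\tloc:%s:%s\ttcp\t%s\t%s\n' "$1" "$2" "$3" "$TAG"; }

# Regex matching any net->loc DNAT rule that already claims a given public port.
rule_re() { printf '^DNAT[[:space:]]+net[[:space:]]+loc:[^[:space:]]+[[:space:]]+tcp[[:space:]]+%s([[:space:]]|$)' "$1"; }

# add_dnat VM_IP VM_PORT PUBLIC_PORT -> 0 added, 2 bad input, 3 public port already in use
add_dnat() {
  valid_ipv4 "$1" && valid_port "$2" && valid_port "$3" || return 2
  (
    flock 9                                  # blocks until the previous command finishes
    if grep -Eq "$(rule_re "$3")" "$RULES_FILE"; then exit 3; fi
    dnat_rule "$1" "$2" "$3" >> "$RULES_FILE" && "$SHOREWALL_CMD" restart >/dev/null
  ) 9>"$LOCK_FILE"
}

# remove_dnat PUBLIC_PORT -> 0 removed, 2 bad input, 4 no rule owned by this tool
remove_dnat() {
  valid_port "$1" || return 2
  (
    flock 9
    grep -Eq "$(rule_re "$1").*$TAG" "$RULES_FILE" || exit 4
    sed -E -i "/$(rule_re "$1").*$TAG/d" "$RULES_FILE" && "$SHOREWALL_CMD" restart >/dev/null
  ) 9>"$LOCK_FILE"
}

# CLI: dnat.sh add VM_IP VM_PORT PUBLIC_PORT | dnat.sh remove PUBLIC_PORT
case "${1:-}" in
  add)    shift; add_dnat "$@" ;;
  remove) shift; remove_dnat "$@" ;;
esac
```

Only rules carrying the tag are ever deleted, so hand-written entries such as the Tomcat ACCEPT rules below survive a remove.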


Be sure to allow Tomcat connections if the ORCA Tomcat instance is also running on the proxy host. Append the following to /etc/shorewall/rules:

# ORCA tomcat
ACCEPT          net             $FW             tcp     11080
ACCEPT          loc             $FW             tcp     11080