Charles Steinkuehler wrote:


> If anyone has implemented anything remotely similar to this, I'd appreciate any pointers.

Several people have reported success. I've tried to capture their experience in Shorewall FAQ #32.



> Since I doubt this is a common setup :), I'll throw out a few key questions someone might be able to help with:


> - How does the masquerading code determine the source IP of the masqueraded packets?

It is dependent on which interface is used for egress. As shown in the above FAQ, there are two MASQUERADE/SNAT rules for each internal private network (one for each internet interface).



> - How do the advanced routing rules interact with the firewall rules (i.e.: order in which iptables rules are processed vs. advanced routing rules and routing table selection)?

If you want to use fwmark to control routing, the easiest way to ensure that marking occurs before routing is to use the ":P" modifier in the first column of the tcrules file entry. That causes marking to occur in the PREROUTING chain.


For DNAT rules, the destination address-rewriting occurs before routing (as is also the case with one-to-one nat).

For SNAT/MASQUERADE, the source address is rewritten post-routing (so the output interface is known). (one-to-one NAT also rewrites the source address post-routing).

Filter rules (ACCEPT, DROP, REJECT) occur post-routing.

The page http://shorewall.net/NetfilterOverview.html may help you to visualize all of this...


> I think the (somewhat) easy way to do this is to add another NIC to my firewall and route everything from that interface out the cable-modem, and the (really) easy way to do this is to just build another firewall, but I'd really like to have the new mirror system on my internal lan if possible.

Have a look at FAQ 32 and if you have more questions, I'll try to answer (realizing that I haven't actually done this but I've helped a couple of folks with it).


-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
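The ordering Tom describes (mark in PREROUTING so it precedes the routing decision, SNAT/MASQUERADE in POSTROUTING once the output interface is known, one SNAT rule per internet interface, filter rules after routing) can be seen directly in the raw iptables/iproute2 commands that a Shorewall tcrules ":P" entry and the FAQ 32 masq entries end up generating. The script below is an added illustration, not Shorewall's own output or Charles's configuration: interface names, addresses, the routing table number and the mirror host address are all constructed for the example. Without APPLY=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: two-ISP policy routing with netfilter, hand-written to show
# the PREROUTING / routing / POSTROUTING order discussed in the reply.
# All names and addresses below are assumptions for illustration only.

EXT1=eth0; EXT1_IP=203.0.113.10;  EXT1_GW=203.0.113.1    # primary link (assumed)
EXT2=eth2; EXT2_IP=198.51.100.20; EXT2_GW=198.51.100.1   # cable modem (assumed)
LAN=eth1;  LAN_NET=192.168.1.0/24                         # internal LAN (assumed)
MIRROR=192.168.1.50    # mirror host whose traffic should leave via EXT2 (assumed)
MARK=2                 # fwmark value; also used as the routing table id (assumed)

# Print each command unless APPLY=1 is set, in which case execute it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

rules() {
    # 1. Marking must happen BEFORE the routing decision, so it goes in the
    #    mangle PREROUTING chain; this is what a tcrules ":P" entry produces.
    run iptables -t mangle -A PREROUTING -s "$MIRROR" -j MARK --set-mark "$MARK"

    # 2. Policy routing consults the mark: marked packets use a table whose
    #    default route points at the cable modem. Replies to connections that
    #    arrived on EXT2 are sent back the same way (standard multi-ISP practice).
    run ip route add default via "$EXT2_GW" dev "$EXT2" table "$MARK"
    run ip rule add fwmark "$MARK" lookup "$MARK"
    run ip rule add from "$EXT2_IP" lookup "$MARK"

    # 3. Source rewriting happens AFTER routing, when the output interface is
    #    known, hence one SNAT rule per internet interface for the same LAN.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT1" -j SNAT --to-source "$EXT1_IP"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT2" -j SNAT --to-source "$EXT2_IP"

    # 4. Filter rules are evaluated post-routing too, so they can match on the
    #    chosen output interface.
    run iptables -A FORWARD -i "$LAN" -o "$EXT2" -s "$MIRROR" -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$EXT1" -s "$LAN_NET" -j ACCEPT
}

# Dry run by default; "APPLY=1 sh this-script.sh" applies the rules as root.
rules
```

Running it without APPLY prints the rule list in the order netfilter will apply it to a forwarded packet; note that the MARK rule is the only one that can influence which routing table is used, because everything else runs after the route has already been chosen.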



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html