Hi all,
I've been using Shorewall since 1.x and I must say, it's probably the most
comprehensive and flexible firewall abstraction layer to iptables.
Thumbs-up Tom!

Now, to business...
For all my hosts on which I'm doing 1:1 NAT from eth0 (wan) to eth2 (windows-dmz)
or eth3 (unix-dmz), I have to keep the "ALL INTERFACES" parameter set to No,
because whenever I have a host transiting from one interface to another on
the firewall I want to preserve its original internal address instead of
translating it to the IP address that's on eth0. But at the same time, I
need to source-NAT all connections to the DNAT IPs (in other words, have
ALL INTERFACES set to Yes), because occasionally some applications don't use
proper DNS, and I want to be able to loop through the firewall instead of
having the connection fail.

So, in essence:

HostA (10.10.10.10/eth2) ---> HostB (10.10.11.10/eth3): host B should see the
IP of host A, so no DNAT/SNAT.

HostA (10.10.10.10/eth2) ---> HostA-WANIP (123.123.123.10/eth0): should SNAT
as the firewall (123.123.123.1/eth0), in order to DNAT back to 10.10.10.10/eth2.
I manage to do this pretty regularly on SonicWalls, since I can specify the
source and destination interface for NAT pattern-matching, and consequently
the NAT is done as desired.
What would be the approach with shorewall? I tried various combinations
with /etc/shorewall/masq but have failed miserably :(
Ideas?
Many thanks
Kris
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
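One way to express the requirement in the post (no translation between the two DMZs, but a hairpin SNAT when a host on eth2 connects to its own public address) is sketched below. This is an added example, not the poster's configuration or an answer from the Shorewall project. It assumes zone names net (eth0), wdmz (eth2) and udmz (eth3), that the firewall's eth2 address is 10.10.10.1, and that the wdmz subnet is 10.10.10.0/24; none of those appear in the post. The idea is to leave the 1:1 entry in /etc/shorewall/nat with ALL INTERFACES set to No (so SNAT only happens on eth0 and eth2-to-eth3 traffic keeps its source address), add explicit DNAT rules in /etc/shorewall/rules so that DMZ hosts hitting the public address are redirected, and use the destination qualifier on the INTERFACE column of /etc/shorewall/masq to SNAT only the traffic that re-enters eth2 bound for the server:

```text
# /etc/shorewall/nat  (1:1 NAT, effective only via eth0; ALL INTERFACES = No)
#EXTERNAL          INTERFACE   INTERNAL       ALL INTERFACES   LOCAL
123.123.123.10     eth0        10.10.10.10    No               No

# /etc/shorewall/rules  (DNAT for DMZ-originated connections to the public IP)
# Zone names wdmz/udmz are assumed for this example.
#ACTION   SOURCE   DEST                PROTO   DPORT   SPORT   ORIGDEST
DNAT      wdmz     wdmz:10.10.10.10    -       -       -       123.123.123.10
DNAT      udmz     wdmz:10.10.10.10    -       -       -       123.123.123.10

# /etc/shorewall/masq  (hairpin only: traffic leaving eth2 toward the server,
# from the server's own subnet, is SNATed to the firewall's eth2 address)
#INTERFACE              SOURCE            ADDRESS
eth2:10.10.10.10        10.10.10.0/24     10.10.10.1
```

The masq line is what distinguishes the two cases the post asks about: udmz-to-wdmz traffic (source 10.10.11.x) does not match the SOURCE column, so it keeps its address, while a wdmz host talking to its own public IP is DNATed and then re-emitted on eth2 with the firewall as source, so the server's reply comes back through the firewall instead of going directly to the client and breaking the connection. The ADDRESS column could be 123.123.123.1 instead, as the post describes, provided 10.10.10.10 routes to that address via the firewall; the eth2 address avoids that dependency. The caveat a practitioner should keep in mind is that the server then sees every hairpinned connection as coming from 10.10.10.1, so client addresses are lost in its logs and in any source-based access control on the server. Check the generated rules with `shorewall show nat` after `shorewall restart`.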