Tom Eastep wrote:
> Kristopher Lalletti wrote:
>
>> What would be the approach with shorewall? I tried various
>> combinations with /etc/shorewall/masq but have failed miserably :(
>>
>
> The Shorewall approach is to realize that if you have enough public IP
> addresses to use 1-to-1 NAT for your Internet-accessible internal
> servers then NAT is the wrong approach.
But, if you want to continue to use NAT, then it sounds like you need to
add some DNAT- rules.
An entry in /etc/shorewall/nat is nearly equivalent to an SNAT rule and
a DNAT- rule.
Example:
/etc/shorewall/nat
206.124.146.178 $EXT_IF:0 192.168.1.3
(where $EXT_IF is the wan interface) is the same as
/etc/shorewall/masq:
$EXT_IF 192.168.1.3 206.124.146.178
and /etc/shorewall/rules:
DNAT- wan lan:192.168.1.3 - - - 206.124.146.178
So if you wanted connection attempts from the dmz zone to
206.124.146.178 to be sent to 192.168.1.3, you could add:
DNAT- dmz lan:192.168.1.3 - - - 206.124.146.178
By using DNAT- rather than DNAT, you can then specify the traffic that
you wish to allow using regular ACCEPT rules (DNAT would generate a
blanket ACCEPT rule which is probably not what you want).
HTH,
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
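As an added illustration of the equivalence Tom describes (not code from the post or from the Shorewall project), the script below expands one /etc/shorewall/nat entry into the matching masq entry plus one DNAT- rule per source zone, and then checks a rules list for DNAT- rules that have no ACCEPT rule for the same source zone and destination, which is the case the post warns about: DNAT- alone rewrites the destination but allows nothing. Zone names and addresses come from the post; the exact-match comparison of the DEST column is a simplifying assumption.

```python
# Added example: expand a Shorewall nat-file entry into masq + DNAT- rules
# and flag DNAT- rules that no ACCEPT rule covers (DNAT- adds no ACCEPT).
# Column orders as shown in the post:
#   nat:   EXTERNAL INTERFACE INTERNAL
#   masq:  INTERFACE SOURCE ADDRESS
#   rules: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST

def expand_nat_entry(nat_line, source_zones, internal_zone="lan"):
    """Return (masq_line, [rules lines]) equivalent to one nat-file line."""
    external, iface, internal = nat_line.split()
    iface = iface.split(":")[0]  # drop the ':0' qualifier; masq takes the bare interface
    masq = f"{iface} {internal} {external}"
    rules = [f"DNAT- {zone} {internal_zone}:{internal} - - - {external}"
             for zone in source_zones]
    return masq, rules


def unaccepted_dnat_rules(rules_lines):
    """Return the DNAT- rules whose (SOURCE, DEST) pair has no ACCEPT rule.

    Assumption: ACCEPT must name exactly the same SOURCE and DEST columns;
    wider ACCEPT rules (e.g. a whole zone) are not matched here.
    """
    accepted = set()
    dnat_rules = []
    for raw in rules_lines:
        line = raw.split("#")[0].strip()  # ignore comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            continue
        action, src, dst = cols[0], cols[1], cols[2]
        if action == "ACCEPT":
            accepted.add((src, dst))
        elif action == "DNAT-":
            dnat_rules.append((src, dst, line))
    return [line for src, dst, line in dnat_rules if (src, dst) not in accepted]


if __name__ == "__main__":
    # Constructed input using the addresses from the post.
    masq, rules = expand_nat_entry("206.124.146.178 $EXT_IF:0 192.168.1.3",
                                   ["wan", "dmz"])
    print("masq:", masq)
    # Only the wan side gets an ACCEPT rule (web traffic to the server).
    rules.append("ACCEPT wan lan:192.168.1.3 tcp 80")
    for r in unaccepted_dnat_rules(rules):
        print("DNAT- without a matching ACCEPT (traffic will be dropped):", r)
```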
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users