Thanks. I was experimenting on my own and had come up with the following:

1) I'm masquerading the entire 192.168.1.0/24 subnet to my "primary" external IP, including the Exchange server which I want to DNAT to a different IP address. Here's the line currently in masq (eth1 is my external interface while eth0 is my internal interface):

    eth1 eth0 66.159.230.119

2) In rules I inserted the following:

    DNAT net loc:192.168.1.200 tcp www,https - 66.159.230.120

I only need to DNAT the regular and secure http protocols.

From reading your email, I think my approach is mistaken in point #1 because I shouldn't nat the Exchange server to the primary external IP when I'm DNATing the secondary IP to that same server. I think I need to change my masq entry to the following:

    eth1 eth0:!192.168.1.200 66.159.230.119

But if I do that won't the Exchange server be unable to access the internet because it won't be masqueraded? Or can that be fixed by adding the following to masq:

    eth1 eth0:192.168.1.200 66.159.230.120

Separately, what does generating the ACCEPT rule (from my DNAT entry in rules) do that excluding it (by changing DNAT to DNAT-) would fix?

- Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Eastep
Sent: Friday, September 05, 2008 10:34 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] 1:1 NAT Question

Mark A. Olbert wrote:
> Tom,
>
> Being a novice vis-à-vis shorewall, would you mind sharing what the
> equivalent rule and entry would be?
>

Assuming that eth0 is the 'net' interface:

In /etc/shorewall/nat:

    206.124.146.177 eth0 192.168.1.44

Is equivalent to:

/etc/shorewall/rules:

    DNAT- net loc:192.168.1.44 - - - 206.124.146.177

and /etc/shorewall/masq:

    eth0 192.168.1.44 206.124.146.177

In Shorewall 4.2, you can leave the 'loc:' out of the DNAT- rule.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
