On Thu, 2010-04-15 at 19:27 +0200, Michael Weickel - iQom Business
Services GmbH wrote:
> Hi list,
> 
> one of my clients is part of the same subnet as the local Shorewall
> interface. If this client wants to go to the internet it is masqueraded by
> the masq entry and routed out of the egress interface. Besides the physical IP on
> the client there is a loopback with a public IP which is not known by
> Shorewall. Now I want this packet - this time with the source IP of the loopback
> interface - to go out the same egress interface.
> 
> If I tcpdump on the Shorewall local interface I see the packet with the correct
> source and destination. If I tcpdump on the egress interface I see nothing. In
> addition nothing is dropped or rejected in the log file. This normally happens
> if someone forgot to add a masq entry.
> 
> The client source IP must be the same as the source IP once the packet leaves
> the firewall on the egress interface.
> 
> I tried something like this in masq:
> 
> egress-if     public-ip       public-ip
> 
> but it looks very confusing and of course it doesn't work.
> 
> So my question is: how can I route a packet - originating in a NATed zone -
> with a different source IP than Shorewall expects, without changing its source
> IP once the packet leaves the firewall on the egress interface?
> 

proxy-arp, maybe?

http://www.shorewall.net/ProxyARP.htm

> So if someone asks himself what the hell I am doing here --> It's about
> load balancing and DIRECT SERVER RETURN.
> 
> Any idea? Thanks for listening. 
> 
> 
> Cheers
> Mike
> 
Jerry
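One way to express the proxy-ARP suggestion above in Shorewall 4 configuration files, as an added example that is not from the original thread or from the Shorewall project. It assumes the client sits behind the firewall on eth1 inside 10.0.0.0/24, eth0 is the egress interface, and 203.0.113.10 is a placeholder for the public address configured on the client's loopback; the masq rule matches only the private subnet, so packets already carrying the public source address are not rewritten.

```conf
# /etc/shorewall/proxyarp (assumed layout: ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT)
# The firewall answers ARP for the public address on eth0 and, with
# HAVEROUTE=No, installs a host route for it via eth1 so replies from
# the client's loopback address have a valid return path on the firewall.
#ADDRESS        INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
203.0.113.10    eth1        eth0       No          No

# /etc/shorewall/masq
# Masquerade only the private subnet. Packets sourced from 203.0.113.10
# fall outside this range and leave eth0 with their source IP unchanged,
# which is what direct server return requires.
#INTERFACE   SOURCE          ADDRESS
eth0         10.0.0.0/24
```

The confusing attempt from the original mail ("egress-if public-ip public-ip") is not needed with this layout, because the VIP is never a candidate for masquerading in the first place.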


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users