On 3/18/20 1:13 PM, Andrey Andreev wrote:
> am beginning to get it, it is the waterfall situation. So I have to
> exchange lines order to:
>
> /etc/shorewall/snat
> SNAT(!9.9.9.9) 12.12.12.12/29 enp2s0 # exclude IPSec traffic: 9.9.9.9
> SNAT(11.11.11.11) 0.0.0.0/0 enp2s0 # local server WAN IP
>
> Tomorrow will test it at the site.
> What is the effect of line 1 above: "All traffic only from LAN range
> 12.12.12.12/29 going out of enp2s0 will have its source changed to 'not
> 9.9.9.9'" ??
> LAN range 12.12.12.12/29 needs IPSec & internet, what happens to the
> outgoing traffic which should not be tunneled?
The effect will be that you will get an error:

ERROR: Invalid IP Address (!9.9.9.9) /etc/shorewall/snat (line 10)

I had overlooked that you were using address exclusion. What are you
trying to accomplish? If you don't want IPSEC traffic to be SNATed, the
proper thing is to have this single rule:

SNAT(11.11.11.11) 0.0.0.0/0 enp2s0

By default, Shorewall creates an iptables rule that excludes IPSEC
traffic, unless you have something other than '-' in the IPSEC column.

-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster
Shoreline,             \ with an international standard?
Washington, USA         \ A: Someone who makes you an offer you
http://shorewall.org     \ can't understand
                          \________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
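The error Tom predicts comes from the ACTION column: Shorewall accepts an address, an address range or a list inside SNAT(...), but not an exclusion. The following added example (not Shorewall's own parser, and not code from anyone in the thread) checks a snat file the way the thread describes, rejecting SNAT(!9.9.9.9) with the same error wording and accepting the single-rule file. The two file texts are constructed from the lines quoted above; the parser only covers plain addresses, a-b ranges and comma lists, which is an assumption about the subset worth checking here.

```python
import ipaddress
import re

# Constructed copies of the two /etc/shorewall/snat variants discussed in the
# thread (sample text, not the poster's real file).
ORIGINAL_SNAT = """\
SNAT(!9.9.9.9) 12.12.12.12/29 enp2s0 # exclude IPSec traffic: 9.9.9.9
SNAT(11.11.11.11) 0.0.0.0/0 enp2s0 # local server WAN IP
"""
SINGLE_RULE_SNAT = "SNAT(11.11.11.11) 0.0.0.0/0 enp2s0 # local server WAN IP\n"

ACTION_RE = re.compile(r"^(SNAT|MASQUERADE)(?:\((.*)\))?$")

def parse_action(action):
    """Split the ACTION column into (name, [addresses]).

    Only plain IPv4/IPv6 addresses and a-b ranges are accepted inside
    SNAT(...); an exclusion such as !9.9.9.9 is rejected with the same
    wording Shorewall prints (assumed subset of the real syntax).
    """
    m = ACTION_RE.match(action)
    if not m:
        raise ValueError(f"Invalid ACTION ({action})")
    name, arg = m.group(1), m.group(2) or ""
    addrs = []
    for tok in filter(None, arg.split(",")):
        for part in tok.split("-"):           # each end of a range
            try:
                ipaddress.ip_address(part)
            except ValueError:
                raise ValueError(f"Invalid IP Address ({arg})") from None
        addrs.append(tok)
    return name, addrs

def check_snat_file(text, path="/etc/shorewall/snat"):
    """Return (rules, errors): (lineno, name, addrs, source, dest) tuples for
    good lines and Shorewall-style 'ERROR: ...' messages for bad ones."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            errors.append(f"ERROR: Missing DEST column {path} (line {lineno})")
            continue
        try:
            name, addrs = parse_action(cols[0])
        except ValueError as e:
            errors.append(f"ERROR: {e} {path} (line {lineno})")
            continue
        rules.append((lineno, name, addrs, cols[1], cols[2]))
    return rules, errors
```

Running check_snat_file on ORIGINAL_SNAT reports the first line as an invalid address and still parses the second; SINGLE_RULE_SNAT yields one rule and no errors.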