Indeed, the DNAT- rule worked like a charm. I wasn't too keen on using it
since it was already declared from the /etc/shorewall/nat file, and I was
convinced that it may have been a question of priority in rules that
needed to be tweaked.
I am in fact in a multi-homed network, and dealing with 2 distinct firewalls
to make matters a little complex. So I only want to NAT when necessary for
dmz-wan communications, and conserve the internal IPs for routing purposes
between zones and other networks & VPNs.
Thanks for the help!
Kris
On 11/10/07, Tom Eastep <[EMAIL PROTECTED]> wrote:
>
>
> Tom Eastep wrote:
> > Kristopher Lalletti wrote:
> >
> >> What would be the approach with shorewall? I tried various
> >> combinations with /etc/shorewall/masq but have failed miserably :(
> >>
> >
> > The Shorewall approach is to realize that if you have enough public IP
> > addresses to use 1-to-1 NAT for your Internet-accessible internal
> > servers then NAT is the wrong approach.
>
> But, if you want to continue to use NAT, then it sounds like you need to
> add some DNAT- rules.
>
> An entry in /etc/shorewall/nat is nearly equivalent to an SNAT rule and
> a DNAT- rule.
>
> Example:
>
> /etc/shorewall/nat
>
> 206.124.146.178 $EXT_IF:0 192.168.1.3
>
> where $EXT_IF is the wan interface, is the same as
>
> /etc/shorewall/masq:
>
> $EXT_IF 192.168.1.3 206.124.146.178
>
> and /etc/shorewall/rules:
>
> DNAT- wan lan:192.168.1.3 - - - 206.124.146.178
>
> So if you wanted connection attempts from the dmz zone to
> 206.124.146.178 to be sent to 192.168.1.3, you could add:
>
> DNAT- dmz lan:192.168.1.3 - - - 206.124.146.178
>
> By using DNAT- rather than DNAT, you can then specify the traffic that
> you wish to allow using regular ACCEPT rules (DNAT would generate a
> blanket ACCEPT rule which is probably not what you want).
>
> HTH,
> - -Tom
> - --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ [EMAIL PROTECTED]
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
>
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
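The masq + DNAT- arrangement Tom describes, written out as an added example (not configuration from the thread), together with the explicit ACCEPT rules that DNAT- leaves to you. The zone names wan/lan/dmz and the TCP ports are assumptions for illustration.

```text
# /etc/shorewall/masq   (added example, not from the thread)
# INTERFACE   SUBNET          ADDRESS
$EXT_IF       192.168.1.3     206.124.146.178

# /etc/shorewall/rules
# ACTION  SOURCE  DEST              PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
# DNAT- only rewrites the destination; it generates no ACCEPT of its own
DNAT-     wan     lan:192.168.1.3   -      -             -               206.124.146.178
DNAT-     dmz     lan:192.168.1.3   -      -             -               206.124.146.178
# So state explicitly what may reach the server (ports assumed)
ACCEPT    wan     lan:192.168.1.3   tcp    80,443
ACCEPT    dmz     lan:192.168.1.3   tcp    443
# Plain DNAT in place of DNAT- would have accepted all traffic to
# 192.168.1.3 from those zones, which is usually wider than intended
```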