Roberto C. Sánchez wrote:

>>> I have several computers connected to the
>>> internet through a DSL router that assigns
>>> rfc1918 (192.168.1.x) addresses to the systems
>>> connected. I have a server where shorewall is
>>> installed with one interface eth0, with a static
>>> ip (192.168.1.3). The
>>> router is configured to forward all connections
>>> from the internet to the linux server.
>>>
>>> I'd like to know how I can configure shorewall
>>> to allow connections from the local network
>>> (192.168.1.x) to several services (smb mainly)
>>> but not from the internet.
>>
>> How about a rule saying:
>>
>> SMB/ACCEPT net:192.168.1.0/24 $FW
>>
>> Repeat for all services you want to make available.
>
> Because if his DSL router is handing out the address 192.168.1.3 to his
> Linux server, the router itself likely has the address 192.168.1.1 or
> 192.168.1.2. Thus, your rule would open up his Samba share to the whole
> world.

No. Connections from the global internet will still have their public IPs
as source address - only the destination address will have been re-written.
Similarly, outgoing packets will have the global IP as destination address,
and the internal source address will be re-written by the gateway to the
global address.
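
The address rewriting described in the last reply, as an added example that is not part of the original thread: a small model of the router's port forward followed by the source check made by `SMB/ACCEPT net:192.168.1.0/24 $FW`. The router's public address and the client addresses are constructed documentation addresses, 192.168.1.1 as the router's LAN address is the guess made in the thread, and `snat_inbound` models a hypothetical router that also rewrites the source, which the thread does not describe.

```python
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.168.1.0/24")         # from the thread
SERVER = ipaddress.ip_address("192.168.1.3")         # from the thread
ROUTER_WAN = ipaddress.ip_address("198.51.100.10")   # constructed public address
ROUTER_LAN = ipaddress.ip_address("192.168.1.1")     # assumed, as guessed in the thread


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def router_forward(pkt, snat_inbound=False):
    """Translate a packet the way the DSL router's port forward would.

    Plain DNAT rewrites only the destination. snat_inbound=True models a
    hypothetical router that also rewrites the source to its LAN address.
    """
    if pkt.dst != ROUTER_WAN:
        return pkt  # LAN-to-LAN traffic reaches the server untranslated
    out = replace(pkt, dst=SERVER)
    if snat_inbound:
        out = replace(out, src=ROUTER_LAN)
    return out


def firewall_accepts(pkt):
    """Source check of SMB/ACCEPT net:192.168.1.0/24 $FW (TCP 445 only here)."""
    return pkt.dst == SERVER and pkt.dport == 445 and pkt.src in LAN


def verdict(src, dst, snat_inbound=False):
    """Return True if the server's firewall would accept the connection."""
    pkt = Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), 445)
    return firewall_accepts(router_forward(pkt, snat_inbound))


if __name__ == "__main__":
    print("LAN client           :", verdict("192.168.1.20", "192.168.1.3"))
    print("internet, DNAT only  :", verdict("203.0.113.7", "198.51.100.10"))
    print("internet, DNAT + SNAT:", verdict("203.0.113.7", "198.51.100.10", True))
```

Only in the third case does a forwarded connection arrive with a LAN source address, so the source-based rule stops distinguishing it from local clients. A packet capture on eth0 during a forwarded connection shows which source address the server actually sees.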