Shawn Wright wrote:
> Hello,

Hello Shawn.

Haven't heard from you in quite a while.

> We are using several DNAT rules for incoming traffic to our network, and several
> more MASQ rules for outgoing traffic. Now, I have a request for a mechanical
> controls system which needs a DNAT for a single UDP port, but also needs a
> MASQ rule for accessing web traffic. The machine will be a private IP inside our
> LAN, routed by our Cisco router to the firewall running shorewall.
>
> ie:
>
> I have this in rules:
>
> DNAT net sls:10.2.251.10:21068 udp 21068 - x.x.x.x
> (x.x.x.x = firewall eth1 address)

So let's see if I understand the problem. You want to:

a) Forward UDP port 21068 to 10.2.251.10; and
b) You want to masquerade 10.2.241.10 to the internet.

If that's correct, then we need to know:

a) Does the Shorewall box have a route to 10.2.243.10 via the Cisco?
b) Is the Cisco doing any form of NAT on behalf of 10.2.251.10?

I assume that the firewall has a route via the Cisco for the 10.2.254.10/xx network?

> and this in masq:
> eth1 $VLAN251 64.251.72.14
>
> I'm guessing this won't work.

Without knowing what the contents of $VLAN251 are, we have no way of telling.

> Is there another way to achieve this without adding
> another external IP to the firewall?

If the Shorewall box has a route to 10.2.254.10 via the Cisco and $VLAN251 includes 10.2.254.10, and if 10.2.254.10 has a default route through the Cisco and if the Cisco has a default route through the Shorewall box, then it should work with the rules that you have.

I suggest that you read http://www.shorewall.net/Multiple_Zones.html since it covers your network topology.

> shorewall version 2.2.0 (I know, it's old)

Old! That ancient thing went out of support between Thanksgiving day and Christmas in 2005! Given that is the case, I don't know how much help we (or the current Shorewall documents) will be.

> two nics as follows:
>
> eth1 (net) <-> [fw] <-> eth0 (int) <-> [Cisco] <-> local 10.x.x.x subnets
>
> both eth1 and eth0 are on public routable networks, everything behind the Cisco
> is private.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
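The reply hinges on one check: whether the host named in the DNAT rule is also inside the SOURCE of some masq entry, which cannot be known until $VLAN251 is expanded. The following script is an added example, not code from the thread or from Shorewall itself; it parses constructed params, masq and rules files (assuming $VLAN251 expands to 10.2.251.0/24 and using 203.0.113.5 as a stand-in for the firewall's eth1 address) and reports, for each DNAT'd host, which masq row will SNAT its outbound traffic.

```python
import ipaddress
import re

# Constructed sample files (not from the thread); assumes $VLAN251 = 10.2.251.0/24
# and uses 203.0.113.5 as a stand-in for the firewall's eth1 address.
PARAMS = "VLAN251=10.2.251.0/24\n"
MASQ = "#INTERFACE SOURCE   ADDRESS\neth1       $VLAN251 64.251.72.14\n"
RULES = ("#ACTION SOURCE DEST                  PROTO DPORT SPORT ORIG_DEST\n"
         "DNAT    net    sls:10.2.251.10:21068 udp   21068 -     203.0.113.5\n")

def rows(text):
    """Yield the whitespace-split columns of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_params(text):
    """Read NAME=value shell-style assignments from a Shorewall params file."""
    return {c[0].split("=", 1)[0]: c[0].split("=", 1)[1] for c in rows(text) if "=" in c[0]}

def dnat_targets(rules_text):
    """Return (proto, dport, internal host) for each DNAT rule; DEST is zone:host[:port]."""
    return [(c[3], c[4], c[2].split(":")[1]) for c in rows(rules_text) if c[0] == "DNAT"]

def masq_entry_for(host, masq_text, params):
    """Return (interface, SNAT address) of the masq row whose SOURCE column covers host."""
    ip = ipaddress.ip_address(host)
    for cols in rows(masq_text):
        # expand $NAME references the way shorewall does when reading the masq file
        source = re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), m.group(0)), cols[1])
        for net in source.split(","):
            if ip in ipaddress.ip_network(net, strict=False):
                return cols[0], (cols[2] if len(cols) > 2 else "interface address")
    return None

def check(params_text=PARAMS, masq_text=MASQ, rules_text=RULES):
    """Map each DNAT'd internal host to the masq entry that will SNAT its outbound traffic."""
    params = parse_params(params_text)
    return {host: masq_entry_for(host, masq_text, params)
            for _, _, host in dnat_targets(rules_text)}

if __name__ == "__main__":
    for host, entry in check().items():
        print(host, "->", entry or "NOT covered by any masq entry")
```

A `None` result for a host is the case Tom describes: the DNAT will deliver inbound UDP, but the host's web traffic leaves with its private source address unless a masq row covers it. Routing (the firewall's route to the host via the Cisco, and the Cisco's default route back through the firewall) still has to be verified separately.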
Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
