On 8/5/10 2:18 PM, Brian J. Murrell wrote:
> If I have the following SNAT rule in masq:
> 
> #INTERFACE            SOURCE           ADDRESS         PROTO   PORT(S) IPSEC   MARK
> eth0                  192.168.122.0/24 1.1.4.5
> 
> How can I prevent SNATting for local subnets that are also reachable on
> eth0?  I can manually accomplish the goal with a:
> 
> # iptables -t nat -I eth0_masq -s 192.168.122.0/24 -d 192.168.0.0/24 -j RETURN
> 
> resulting in:
> 
> Chain eth0_masq (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 RETURN     all  --  *      *       192.168.122.0/24     192.168.0.0/24
>    28  2176 SNAT       all  --  *      *       192.168.122.0/24     0.0.0.0/0            to:1.1.4.5
> 
> IIRC, iptables accepts !192.168.0.0/24 in the destination of the SNAT
> rule also, but I don't know if/how that maps to shorewall.

man shorewall-exclusion

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

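A worked masq entry, added here as an illustration and not taken from either poster: it applies the exclusion syntax documented in shorewall-exclusion(5) to the INTERFACE column of /etc/shorewall/masq, using the addresses from the question (1.1.4.5, 192.168.122.0/24 and 192.168.0.0/24). The ":" qualifier on the interface restricts the entry by destination, and "!" negates that list, so the entry reads "on eth0, for every destination except 192.168.0.0/24".

```text
#INTERFACE              SOURCE            ADDRESS         PROTO   PORT(S) IPSEC   MARK
# Added example: keep SNAT to 1.1.4.5 for traffic leaving eth0 from
# 192.168.122.0/24, but leave packets bound for the locally reachable
# 192.168.0.0/24 untouched. Several excluded destinations may follow the
# "!" as a comma-separated list.
eth0:!192.168.0.0/24    192.168.122.0/24  1.1.4.5
```

This gives the same effect as the manual RETURN rule in the question, without the rule being lost on the next `shorewall restart`. After reloading, confirm it with `shorewall show nat` (or the `iptables -t nat -L eth0_masq -nv` listing quoted above): a packet from 192.168.122.0/24 to 192.168.0.0/24 should leave the eth0_masq chain without reaching the SNAT target, while the SNAT counters keep growing for all other destinations.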
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users