Hi Shorewall,

I have a server running a private virtual machine dmz on br0, which has address 192.168.123.1 and usually the VIP (I'm using VRRP) 192.168.123.253. The public interface (NET_IF) is 203.0.113.1 with VIP 203.0.113.253.

My /etc/shorewall/masq currently has:

    NET_IF:1 192.168.123.0/24 203.0.113.253

which works perfectly, and assures, in conjunction with a DNAT rule in /etc/shorewall/rules like:

    DNAT net dmz:192.168.123.22 tcp ssh - 203.0.113.253

that packets on port 22 to the public VIP get directed to a machine like 192.168.123.22, and that machine's outbound connections appear to come from that VIP too. Note: that virtual machine uses 192.168.123.253 as its gateway.

The problem: I'd like to add two more VIPs, namely a public one, 203.0.113.254, and a private one on br0, 192.168.123.254, and if the gateway in the virtual machine is set to .253 use the first VIP for SNAT, and if it's .254 use the second VIP. The following rules didn't work; how do I get this to work, please? I was unable to ping 8.8.8.8 from inside my VM, but I was able to ping the gateway (192.168.123.253) (of course).

    NET_IF:1 192.168.123.253 203.0.113.253
    NET_IF:2 192.168.123.254 203.0.113.254

Note the :1 and :2 correspond to the legacy labels that VRRP sets.

Thank you in advance, sorry for the long read,
James

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
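The following is an added example by the editor; it is not part of James's post and not code from Shorewall itself. It models, in plain POSIX sh, how the three-column /etc/shorewall/masq format (INTERFACE SOURCE ADDRESS) selects an SNAT address for an outbound packet under these assumed semantics: the SOURCE column is compared against the packet's own source address, the ":1"/":2" alias label on INTERFACE is ignored for matching, and the first matching row wins. The two tables are constructed from the post; the third (SPLIT_MASQ, a /25 split of the dmz network) is an assumption added to show the general case of two SNAT addresses keyed on source ranges.

```shell
#!/bin/sh
# Added example (editor's, not from the post or from Shorewall): a plain
# POSIX sh model of how /etc/shorewall/masq rows select an SNAT address.
# Assumed semantics: three columns INTERFACE SOURCE ADDRESS; the ":label"
# suffix on INTERFACE only names the alias and is ignored for matching;
# SOURCE is a host address or CIDR matched against the packet's source
# address; the first matching row wins.

# ip4_to_int 192.168.123.22 -> 3232267030 (dotted quad to integer)
ip4_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR -> true when ADDR lies inside CIDR; a bare address is /32
in_cidr() {
  addr=$(ip4_to_int "$1")
  case "$2" in
    */*) net=${2%/*}; bits=${2#*/} ;;
    *)   net=$2;      bits=32 ;;
  esac
  netint=$(ip4_to_int "$net")
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  fi
  [ $(( addr & mask )) -eq $(( netint & mask )) ]
}

# snat_for MASQ_TABLE OUT_IF SRC_IP -> prints the ADDRESS of the first row
# whose interface and SOURCE match, or "none" if the packet leaves unchanged.
snat_for() {
  found=$(printf '%s\n' "$1" | while read -r iface source address; do
    case "$iface" in ''|'#'*) continue ;; esac   # skip blanks and comments
    [ "${iface%%:*}" = "$2" ] || continue        # drop ":1"/":2" alias labels
    if in_cidr "$3" "$source"; then
      printf '%s\n' "$address"
      break
    fi
  done)
  printf '%s\n' "${found:-none}"
}

# Tables constructed from the post.
WORKING_MASQ='NET_IF:1 192.168.123.0/24 203.0.113.253'
BROKEN_MASQ='NET_IF:1 192.168.123.253 203.0.113.253
NET_IF:2 192.168.123.254 203.0.113.254'
# Assumed alternative (not from the post): key the two SNAT addresses on
# VM source ranges, a /25 split here; a list of hosts would also do.
SPLIT_MASQ='NET_IF:1 192.168.123.0/25   203.0.113.253
NET_IF:2 192.168.123.128/25 203.0.113.254'

for tc in "WORKING 192.168.123.22" "BROKEN 192.168.123.22" \
          "BROKEN 192.168.123.253" "SPLIT 192.168.123.22" "SPLIT 192.168.123.130"; do
  set -- $tc
  eval "table=\$${1}_MASQ"
  printf '%-8s src=%-16s -> SNAT %s\n' "$1" "$2" "$(snat_for "$table" NET_IF "$2")"
done
```

Running it shows that a packet from 192.168.123.22 matches the original /24 row but none of the rows whose SOURCE is one of the router's own br0 VIPs; those rows only match traffic the router itself sends from .253 or .254. A packet from the VM carries the same source address whichever br0 VIP it uses as its default gateway (the gateway choice only changes the destination MAC on the bridge), so a masq row cannot distinguish the two cases by SOURCE; the SPLIT_MASQ table is one way to get two SNAT addresses out of something netfilter does see, namely the VM's source address or range.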
