On Thu, 2012-01-12 at 14:46 -0800, Tom Eastep wrote:
> > According to the FAQ 2a, with these settings I should also set a masq (
> > eth1 eth1 1.1.1.1 ) to allow servers to use the public IP to connect
> > to each other, meaning that all loc->loc traffic appears to originate on
> > the firewall, from the 1.1.1.1 IP, and not from the public IP of the
> > real originating server... it's precisely what I would like to avoid
> > and the reason why I've set two explicit NAT rules...
> >
> > It's also confirmed by the http://www.shorewall.net/NAT.htm page :
> > Specifying “Yes” in this column will not by itself allow systems on
> > the lower LAN to access each other using their public IP addresses.
>
> You are correct. I'll add your method to the FAQ; thanks for the tip.
I've taken another look at this and I was correct and the FAQ is wrong :-(.

Here is the critical part of the difference between the two methods (both compiled with OPTIMIZE=31):

--A PREROUTING -d 1.1.1.2 -j DNAT --to-destination 10.1.1.2
--A PREROUTING -d 1.1.1.3 -j DNAT --to-destination 10.1.1.3
--A POSTROUTING -s 10.1.1.2 -j SNAT --to-source 1.1.1.2
--A POSTROUTING -s 10.1.1.3 -j SNAT --to-source 1.1.1.3
+:~comb0 - [0:0]
+:~comb1 - [0:0]
+-A PREROUTING -i eth0 -j ~comb0
+-A PREROUTING -i eth1 -j ~comb0
+-A POSTROUTING -o eth0 -j ~comb1
+-A POSTROUTING -o eth1 -j ~comb1
+-A ~comb0 -d 1.1.1.2 -j DNAT --to-destination 10.1.1.2
+-A ~comb0 -d 1.1.1.3 -j DNAT --to-destination 10.1.1.3
+-A ~comb1 -s 10.1.1.2 -j SNAT --to-source 1.1.1.2
+-A ~comb1 -s 10.1.1.3 -j SNAT --to-source 1.1.1.3

These two rulesets are equivalent, but the optimizer does a slightly better job with my way than with yours. I'll correct the FAQ.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
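Review bot: the two rulesets are equivalent only while eth0 and eth1 are the firewall's only interfaces. The removed rules such as `-A PREROUTING -d 1.1.1.2 -j DNAT --to-destination 10.1.1.2` match on address alone, so a packet for 1.1.1.2 is translated whatever interface it arrives on; the added ~comb0 and ~comb1 chains are reached only through the `-i eth0`/`-i eth1` and `-o eth0`/`-o eth1` jumps, so traffic on any interface added later would bypass both the DNAT and the SNAT. Worth a sentence in the corrected FAQ entry so that readers of the per-interface form know which interfaces it covers.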
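To see what the two rulesets in Tom's diff actually do to traffic, including the loc->loc "hairpin" case the original poster cares about, here is an added example that is not part of the thread and not Shorewall code: a small Python model that pushes constructed packets through PREROUTING DNAT, a routing decision, and POSTROUTING SNAT under each ruleset. It assumes a topology the thread only implies (eth0 facing the Internet, eth1 facing the 10.1.1.0/24 server LAN), uses the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges as stand-ins for Internet hosts, and adds a hypothetical third interface eth2 purely to probe where the two rulesets stop agreeing. Connection tracking and the reply path are not modelled.

```python
# Added example, not code from the Shorewall thread: a small model of the two
# iptables nat rulesets in Tom's diff, run over constructed packets so the
# effect of each (including the loc->loc "hairpin" case the thread is about)
# can be seen without a firewall. Assumed topology: eth0 faces the Internet,
# eth1 faces the 10.1.1.0/24 server LAN; eth2 is a hypothetical third
# interface used only to probe where the two rulesets stop agreeing.
from dataclasses import dataclass, replace
from typing import Optional

# The 1:1 mappings from the diff's DNAT/SNAT rules.
PUBLIC_TO_PRIVATE = {"1.1.1.2": "10.1.1.2", "1.1.1.3": "10.1.1.3"}
PRIVATE_TO_PUBLIC = {v: k for k, v in PUBLIC_TO_PRIVATE.items()}
# Interfaces named in the "+" ruleset's -i/-o jumps into ~comb0 / ~comb1.
NAT_IFACES = frozenset({"eth0", "eth1"})


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    out_iface: Optional[str] = None  # filled in by the routing step


def route(dst: str) -> str:
    """Assumed routing table (constructed for the model): the server LAN is
    behind eth1, everything else goes out eth0."""
    return "eth1" if dst.startswith("10.1.1.") else "eth0"


def apply_ruleset(pkt: Packet, nat_ifaces=None) -> Packet:
    """Push one packet through PREROUTING DNAT, routing, POSTROUTING SNAT.

    nat_ifaces=None models the "-" ruleset, whose rules sit directly in
    PREROUTING/POSTROUTING and match on address only. A set of interface
    names models the "+" ruleset, whose ~comb0/~comb1 chains are reached
    only through the per-interface -i/-o jumps.
    """
    # PREROUTING: DNAT public -> private (the ~comb0 rules).
    if nat_ifaces is None or pkt.in_iface in nat_ifaces:
        pkt = replace(pkt, dst=PUBLIC_TO_PRIVATE.get(pkt.dst, pkt.dst))
    # The routing decision is made on the possibly translated destination.
    pkt = replace(pkt, out_iface=route(pkt.dst))
    # POSTROUTING: SNAT private -> public (the ~comb1 rules).
    if nat_ifaces is None or pkt.out_iface in nat_ifaces:
        pkt = replace(pkt, src=PRIVATE_TO_PUBLIC.get(pkt.src, pkt.src))
    return pkt


def nat_explicit(pkt: Packet) -> Packet:
    """The four interface-less rules (the '-' lines of the diff)."""
    return apply_ruleset(pkt)


def nat_combined(pkt: Packet) -> Packet:
    """The ~comb0/~comb1 version (the '+' lines of the diff)."""
    return apply_ruleset(pkt, NAT_IFACES)


def compare(pkt: Packet):
    """Return (explicit result, combined result, whether they agree)."""
    a, b = nat_explicit(pkt), nat_combined(pkt)
    return a, b, a == b


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("eth0", "203.0.113.5", "1.1.1.2"),    # Internet -> public IP of server 2
    Packet("eth1", "10.1.1.3", "1.1.1.2"),       # server 3 -> server 2 by public IP (hairpin)
    Packet("eth1", "10.1.1.2", "198.51.100.9"),  # server 2 -> Internet
    Packet("eth2", "10.2.2.2", "1.1.1.2"),       # hypothetical third interface
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        a, b, same = compare(pkt)
        print(f"in {pkt.in_iface} {pkt.src} -> {pkt.dst}")
        print(f"  explicit: out {a.out_iface} {a.src} -> {a.dst}")
        print(f"  combined: out {b.out_iface} {b.src} -> {b.dst}  "
              f"({'same' if same else 'DIFFERENT'})")
```

Running it shows the point of the thread on the hairpin packet: 10.1.1.3 reaching 1.1.1.2 is delivered to 10.1.1.2 with source 1.1.1.3, the originating server's own public address rather than the firewall's 1.1.1.1 that a loc-to-loc masq line would substitute. The two rulesets agree on every packet that enters or leaves via eth0 or eth1; only the eth2 probe separates them, because the per-interface jumps never send its traffic into ~comb0 or ~comb1.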
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
