On 08/17/2012 09:41 AM, Duarte Fernandes Rocha wrote:
> Hello,
>
> In iptables one could have this:
>
> ...
>
> *nat
>
> ...
>
> :POSTROUTING ACCEPT [0:0]
>
> ...
>
> -A POSTROUTING -i eth1 -o eth0 -s 10.10.10.0/24 -d 192.168.1.0/24 -j ACCEPT
>
> -A POSTROUTING -o eth0 -j MASQUERADE
>
> ...
>
> This allows for some specific traffic (from network 10.10.10.0/24 to
> network 192.168.1.0/24) to not be masqueraded, or source NATed, and just
> be simply routed.
>
> I can't find a way to do this with shorewall. I want all the traffic
> going out to be source NATed except in that specific case.
>
> I might use the start script for this, by adding the rule after
> shorewall gets started, although it does not seem the right way.
>
> I could have overlooked the documentation, but I didn't find this
> specific case covered in any of the documentation pages.
>
> Thanks for all your help.

You cannot use '-i eth1' in the POSTROUTING chain.

root@gateway:~# iptables -A POSTROUTING -i eth1 -o eth0 -s \
10.10.10.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables v1.4.15: Can't use -i with POSTROUTING
Try `iptables -h' or 'iptables --help' for more information.
root@gateway:~#

Assuming that only 10.10.10.0/24 connections through eth1, you can

eth0:!192.168.1.0/24 10.10.10.0/24

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
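
The error shown in the reply can be caught before a ruleset is loaded. The following is an added example, not part of the original message or of Shorewall: a lint for iptables-save style rules that flags interface matches the chain's hook cannot see. The function names and both sample rulesets are constructed for illustration; the second ruleset is the question's own with only '-i eth1' dropped.

```shell
#!/bin/sh
# Lint an iptables-save style ruleset (stdin) for interface matches that
# iptables rejects because of where the chain hooks into the packet path:
#   -i (input interface)  cannot be used in POSTROUTING or OUTPUT
#   -o (output interface) cannot be used in PREROUTING or INPUT
# Prints one line per offending match; returns 1 if any were found.
lint_iface_matches() {
    awk '
        BEGIN { bad = 0 }
        $1 == "-A" {
            chain = $2
            for (n = 3; n <= NF; n++) {
                if (($n == "-i" || $n == "--in-interface") &&
                    (chain == "POSTROUTING" || chain == "OUTPUT")) {
                    printf "line %d: -i not allowed in %s\n", NR, chain
                    bad = 1
                }
                if (($n == "-o" || $n == "--out-interface") &&
                    (chain == "PREROUTING" || chain == "INPUT")) {
                    printf "line %d: -o not allowed in %s\n", NR, chain
                    bad = 1
                }
            }
        }
        END { exit bad }
    '
}

# Constructed sample: the nat rules from the question, including '-i eth1'.
original_rules() {
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -i eth1 -o eth0 -s 10.10.10.0/24 -d 192.168.1.0/24 -j ACCEPT' \
        '-A POSTROUTING -o eth0 -j MASQUERADE' 'COMMIT'
}

# Constructed sample: same exemption, matched on addresses and '-o' only.
fixed_rules() {
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -o eth0 -s 10.10.10.0/24 -d 192.168.1.0/24 -j ACCEPT' \
        '-A POSTROUTING -o eth0 -j MASQUERADE' 'COMMIT'
}

original_rules | lint_iface_matches || echo "original ruleset: rejected"
fixed_rules | lint_iface_matches && echo "corrected ruleset: ok"
```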