On Monday 20 August 2012 18:14:05 Tom Eastep wrote:
> On 8/20/12 6:02 PM, Tom Eastep wrote:
> > On 8/20/12 5:39 PM, Tom Eastep wrote:
> >> Well, what I suggested is all that is currently available.
> > 
> > That having been said, the attached patch should allow you to place
> > CONTINUE in the ADDRESSES column to generate an ACCEPT rule.
> 
> As I was documenting this change, I found that the existing 'NONAT'
> keyword in the ACCESS column already does what you want.
> 
> Sorry for the noise tonight.
> 
> -Tom

The NONAT is just what I was looking for. 

Now I have this:

/etc/shorewall/masq

eth0:192.168.1.0/24     10.1.6.0/24,10.0.0.0/24,10.0.6.0/23,10.1.1.0/24,10.5.0.0/24     NONAT
eth0    eth1

which results in:

-A eth0_masq -s 10.1.6.0/24 -d 192.168.1.0/24 -j RETURN
-A eth0_masq -s 10.5.6.0/24 -d 192.168.1.0/24 -j RETURN
-A eth0_masq -s 10.10.126.0/24 -d 192.168.1.0/24 -j RETURN
-A eth0_masq -s 10.10.206.0/24 -d 192.168.1.0/24 -j RETURN
-A eth0_masq -s 10.1.6.0/24 -j MASQUERADE
-A eth0_masq -s 10.5.6.0/24 -j MASQUERADE
-A eth0_masq -s 10.10.126.0/24 -j MASQUERADE
-A eth0_masq -s 10.10.206.0/24 -j MASQUERADE

Previously I had it like this:
/etc/shorewall/masq

eth0:!192.168.1.0/24  10.1.6.0/24,10.5.6.0/24,10.10.126.0/24,10.10.206.0/24

which resulted in:

-A eth0_masq -s 10.1.6.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
-A eth0_masq -s 10.5.6.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
-A eth0_masq -s 10.10.126.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
-A eth0_masq -s 10.10.206.0/24 ! -d 192.168.1.0/24 -j MASQUERADE

It worked for me, but with NONAT it is easier to add exceptions.

regards,
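
An added example, not part of the original message or of Shorewall: a small first-match evaluator that checks the two eth0_masq rule sets shown above give the same NAT decision. The sample packets are constructed, and the parser only understands the options that appear in those rule lines.

```python
import ipaddress

# Rebuilds the eth0_masq rule lines posted in the message above.
NETS = ["10.1.6.0/24", "10.5.6.0/24", "10.10.126.0/24", "10.10.206.0/24"]
LOCAL = "192.168.1.0/24"
NONAT = ([f"-A eth0_masq -s {n} -d {LOCAL} -j RETURN" for n in NETS]
         + [f"-A eth0_masq -s {n} -j MASQUERADE" for n in NETS])
NEGATED = [f"-A eth0_masq -s {n} ! -d {LOCAL} -j MASQUERADE" for n in NETS]

def parse_rule(line):
    """Parse the option subset used above: -A, -s, [!] -d, -j."""
    rule = {"src": None, "dst": None, "dst_negated": False, "target": None}
    tokens, negate = iter(line.split()), False
    for tok in tokens:
        if tok == "!":            # negation applies to the next option
            negate = True
            continue
        value = next(tokens)
        if tok == "-s":
            rule["src"] = ipaddress.ip_network(value)
        elif tok == "-d":
            rule["dst"], rule["dst_negated"] = ipaddress.ip_network(value), negate
        elif tok == "-j":
            rule["target"] = value
        elif tok != "-A":
            raise ValueError(f"unsupported option: {tok}")
        negate = False
    return rule

def verdict(lines, src, dst):
    """First matching rule decides; falling off the chain end means no NAT."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in map(parse_rule, lines):
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["dst"] is not None and (dst in r["dst"]) == r["dst_negated"]:
            continue
        return r["target"]
    return "RETURN"

# Constructed sample packets (source, destination); not from the thread.
PACKETS = [("10.1.6.10", "192.168.1.5"), ("10.1.6.10", "203.0.113.9"),
           ("10.10.206.7", "192.168.1.200"), ("172.16.0.1", "203.0.113.9")]

def differences(packets=PACKETS):
    """Packets on which the two rule sets disagree (empty list = equivalent)."""
    return [p for p in packets if verdict(NONAT, *p) != verdict(NEGATED, *p)]

if __name__ == "__main__":
    for p in PACKETS:
        print(p, verdict(NONAT, *p), verdict(NEGATED, *p))
```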


