On 09/25/2012 06:37 AM, Tom Eastep wrote:
>
> Currently, the only way to achieve what you are asking is to replace
> each entry in /etc/shorewall/nat with an entry in /etc/shorewall/masq
> and a DNAT- entry in /etc/shorewall/rules.
>
> I'll add a way to allow DNAT to preempt /etc/shorewall/nat in the 4.5.9
> release.

David -- which version of Shorewall are you running? As I went to look at
this problem, I see the following in a test configuration using Shorewall
4.5.8:

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:eth0_in - [0:0]
:eth0_masq - [0:0]
:eth0_out - [0:0]
:net_dnat - [0:0]
:wlan0_in - [0:0]
:wlan0_masq - [0:0]
:wlan0_out - [0:0]
-A PREROUTING -i eth0 -j net_dnat
-A PREROUTING -i wlan0 -j net_dnat
-A PREROUTING -i eth0 -j eth0_in
-A PREROUTING -i wlan0 -j wlan0_in
-A POSTROUTING -o eth0 -j eth0_out
-A POSTROUTING -o eth0 -j eth0_masq
-A POSTROUTING -o wlan0 -j wlan0_out
-A POSTROUTING -o wlan0 -j wlan0_masq
-A eth0_in -d 172.16.1.2 -j DNAT --to-destination 192.168.111.1
-A eth0_masq -s 192.168.1.0/24 -j SNAT --to-source 206.124.146.177
-A eth0_out -s 192.168.111.1 -j SNAT --to-source 172.16.1.2
-A net_dnat -p 6 --dport 9999 -j DNAT --to-destination 1.2.3.4
-A wlan0_in -d 172.16.1.2 -j DNAT --to-destination 192.168.111.1
-A wlan0_masq -s 192.168.1.0/24 -j SNAT --to-source 206.124.146.177
-A wlan0_out -s 192.168.111.1 -j SNAT --to-source 172.16.1.2
COMMIT

As you can see, the jumps from PREROUTING to the net_dnat chain are before
the jumps to the <interface>_in chains.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
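
An added example, not part of the original message: a first-match walk over the PREROUTING rules quoted above, showing that a packet matching both the DNAT rule and the one-to-one NAT entry is rewritten in net_dnat because that jump comes first. The function names and packet dictionaries are assumptions for illustration, and the parser handles only the plain option/value pairs seen in this dump.

```python
import ipaddress

# Constructed sample: the PREROUTING-side rules from the nat table quoted above.
NAT_RULES = """\
-A PREROUTING -i eth0 -j net_dnat
-A PREROUTING -i wlan0 -j net_dnat
-A PREROUTING -i eth0 -j eth0_in
-A PREROUTING -i wlan0 -j wlan0_in
-A eth0_in -d 172.16.1.2 -j DNAT --to-destination 192.168.111.1
-A net_dnat -p 6 --dport 9999 -j DNAT --to-destination 1.2.3.4
-A wlan0_in -d 172.16.1.2 -j DNAT --to-destination 192.168.111.1
"""

def parse(text):
    """Return {chain: [rule, ...]} in iptables-save order; each rule maps option -> value."""
    chains = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "-A":
            continue
        # Assumption: options come as simple pairs (no negation, no -m modules).
        rule = dict(zip(tok[2::2], tok[3::2]))
        chains.setdefault(tok[1], []).append(rule)
    return chains

def matches(rule, pkt):
    """True if the packet satisfies every match option present in the rule."""
    if "-i" in rule and rule["-i"] != pkt["in"]:
        return False
    if "-d" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["-d"]):
        return False
    if "-p" in rule and rule["-p"] != str(pkt["proto"]):
        return False
    if "--dport" in rule and rule["--dport"] != str(pkt["dport"]):
        return False
    return True

def prerouting_dnat(chains, pkt, chain="PREROUTING"):
    """Walk the chain in order; return (chain, new destination) for the first DNAT hit."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule["-j"] == "DNAT":
            return chain, rule["--to-destination"]
        hit = prerouting_dnat(chains, pkt, rule["-j"])  # user chain; falls through on no match
        if hit:
            return hit
    return None
```

Feeding it the output of `iptables-save -t nat` from a running firewall shows, for a given packet, whether a rule from /etc/shorewall/rules or an entry from /etc/shorewall/nat wins.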
