On 09/26/2012 10:49 AM, Tom Eastep wrote:
> On 09/25/2012 06:37 AM, Tom Eastep wrote:
>>
>> Currently, the only way to achieve what you are asking is to replace
>> each entry in /etc/shorewall/nat with an entry in /etc/shorewall/masq
>> and a DNAT- entry in /etc/shorewall/rules.
>>
>> I'll add a way to allow DNAT to preempt /etc/shorewall/nat in the 4.5.9
>> release.
>
> David -- which version of Shorewall are you running? As I went to look
> at this problem, I see the following in a test configuration using
> Shorewall 4.5.8:
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :eth0_in - [0:0]
> :eth0_masq - [0:0]
> :eth0_out - [0:0]
> :net_dnat - [0:0]
> :wlan0_in - [0:0]
> :wlan0_masq - [0:0]
> :wlan0_out - [0:0]
> -A PREROUTING -i eth0 -j net_dnat
> -A PREROUTING -i wlan0 -j net_dnat
> -A PREROUTING -i eth0 -j eth0_in
> -A PREROUTING -i wlan0 -j wlan0_in
> -A POSTROUTING -o eth0 -j eth0_out
> -A POSTROUTING -o eth0 -j eth0_masq
> -A POSTROUTING -o wlan0 -j wlan0_out
> -A POSTROUTING -o wlan0 -j wlan0_masq
> -A eth0_in -d 172.16.1.2 -j DNAT --to-destination 192.168.111.1
> -A eth0_masq -s 192.168.1.0/24 -j SNAT --to-source 206.124.146.177
> -A eth0_out -s 192.168.111.1 -j SNAT --to-source 172.16.1.2
> -A net_dnat -p 6 --dport 9999 -j DNAT --to-destination 1.2.3.4
> -A wlan0_in -d 172.16.1.2 -j DNAT --to-destination 192.168.111.1
> -A wlan0_masq -s 192.168.1.0/24 -j SNAT --to-source 206.124.146.177
> -A wlan0_out -s 192.168.111.1 -j SNAT --to-source 172.16.1.2
> COMMIT
>
> As you can see, the jumps from PREROUTING to the net_dnat chain are
> before the jumps to the <interface>_in chains.
Okay -- I've tracked this down.
The problem was corrected in Shorewall 4.5.6. In earlier versions, you
can reorder these statements in Misc.pm function add_interface_jumps():
addnatjump 'PREROUTING' , 'nat_in';
addnatjump 'POSTROUTING' , 'nat_out';
addnatjump 'PREROUTING', 'dnat';
to this:
addnatjump 'PREROUTING', 'dnat';
addnatjump 'PREROUTING' , 'nat_in';
addnatjump 'POSTROUTING' , 'nat_out';
Roberto: This defect is still present in the version currently in Wheezy.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
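Added illustration of the ordering point in Tom's message (this is not part of the thread and not Shorewall's code). The nat table is consulted once, for the first packet of a connection, and the first DNAT or SNAT target that fires is final; falling out of a user chain is an implicit RETURN to the calling chain. So whether PREROUTING jumps to net_dnat before or after the <interface>_in chains decides whether a DNAT- rule can preempt an /etc/shorewall/nat entry. The Python below parses the ruleset quoted above and walks a packet through it. The "pre-4.5.6" ordering is reconstructed from the description (the _in jumps emitted ahead of the net_dnat jumps), the packets are constructed inputs, and the option subset handled by the parser is only what that ruleset uses.

```python
import ipaddress
import shlex

# The nat table quoted in the message above, verbatim (iptables-save format).
RULESET_4_5_8 = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:eth0_in - [0:0]
:eth0_masq - [0:0]
:eth0_out - [0:0]
:net_dnat - [0:0]
:wlan0_in - [0:0]
:wlan0_masq - [0:0]
:wlan0_out - [0:0]
-A PREROUTING -i eth0 -j net_dnat
-A PREROUTING -i wlan0 -j net_dnat
-A PREROUTING -i eth0 -j eth0_in
-A PREROUTING -i wlan0 -j wlan0_in
-A POSTROUTING -o eth0 -j eth0_out
-A POSTROUTING -o eth0 -j eth0_masq
-A POSTROUTING -o wlan0 -j wlan0_out
-A POSTROUTING -o wlan0 -j wlan0_masq
-A eth0_in -d 172.16.1.2 -j DNAT --to-destination 192.168.111.1
-A eth0_masq -s 192.168.1.0/24 -j SNAT --to-source 206.124.146.177
-A eth0_out -s 192.168.111.1 -j SNAT --to-source 172.16.1.2
-A net_dnat -p 6 --dport 9999 -j DNAT --to-destination 1.2.3.4
-A wlan0_in -d 172.16.1.2 -j DNAT --to-destination 192.168.111.1
-A wlan0_masq -s 192.168.1.0/24 -j SNAT --to-source 206.124.146.177
-A wlan0_out -s 192.168.111.1 -j SNAT --to-source 172.16.1.2
COMMIT
"""

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}

def parse_nat_rules(text):
    """Return {chain: [rule, ...]}; a rule holds its matches, target and args."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):                       # chain declaration
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):                   # append a rule
            toks = shlex.split(line)[1:]
            rule = {"matches": {}, "target": None, "args": {}}
            for opt, val in zip(toks[1::2], toks[2::2]):
                if opt == "-j":
                    rule["target"] = val
                elif opt in ("--to-destination", "--to-source"):
                    rule["args"][opt] = val
                elif opt in ("-i", "-o", "-s", "-d", "-p", "--dport"):
                    rule["matches"][opt] = val
                else:
                    raise ValueError(f"unsupported option {opt!r}: {line}")
            chains.setdefault(toks[0], []).append(rule)
    return chains

def rule_matches(rule, pkt):
    """pkt: dict with in, out, src, dst, proto (IP protocol number), dport."""
    for opt, val in rule["matches"].items():
        if opt in ("-i", "-o"):
            ok = pkt.get("in" if opt == "-i" else "out") == val
        elif opt in ("-s", "-d"):
            addr = ipaddress.ip_address(pkt["src" if opt == "-s" else "dst"])
            ok = addr in ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            ok = pkt.get("proto") == (int(val) if val.isdigit() else PROTO_NUMBERS[val])
        else:                                          # --dport
            ok = pkt.get("dport") == int(val)
        if not ok:
            return False
    return True

def traverse(chains, chain, pkt):
    """First-match walk of `chain`: (target, address) or None on fall-through."""
    for rule in chains[chain]:
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in chains:                           # jump to a user chain
            verdict = traverse(chains, target, pkt)
            if verdict is not None:                    # DNAT/SNAT fired inside
                return verdict
            continue                                   # implicit RETURN
        if target == "RETURN":
            return None
        args = rule["args"]                            # terminating target
        return target, args.get("--to-destination", args.get("--to-source"))
    return None

def with_dnat_jumps_last(ruleset):
    """Constructed pre-4.5.6 order: PREROUTING reaches <iface>_in before net_dnat."""
    lines = ruleset.splitlines()
    dnat = [l for l in lines if l.startswith("-A PREROUTING") and l.endswith("net_dnat")]
    rest = [l for l in lines if l not in dnat]
    last = max(i for i, l in enumerate(rest) if l.startswith("-A PREROUTING"))
    return "\n".join(rest[:last + 1] + dnat + rest[last + 1:]) + "\n"
```

Walking a constructed new TCP connection arriving on eth0 for 172.16.1.2:9999 through PREROUTING gives DNAT to 1.2.3.4 with the 4.5.8 ordering and DNAT to 192.168.111.1 with the jumps reversed, which is the preemption Tom describes; a connection to any other port of 172.16.1.2 lands on 192.168.111.1 either way because net_dnat falls through. POSTROUTING shows the same first-match behaviour: a packet from 192.168.111.1 leaving eth0 is SNATed by eth0_out and never reaches eth0_masq.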
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users