Ville Walveranta wrote:
> I have three NICs:
> WAN (Internet),
> LAN1 (primary LAN),
> and LAN2 (link to a "legacy" LAN).
> WAN-to-LAN is working inbound through NAT, and outbound through DNAT (set in 
> masq).
> LAN2 should not (and currently does not) have access to the Internet through 
> this Shorewall instance (it has its own route to the Internet), and it should 
> not be able to access LAN1, but it should be accessible from LAN1.

I think all it should take is to put:
$wan  $lan1
in masq where $wan and $lan1 are the relevant interfaces. That will masq lan1 
out through wan, but do nothing for lan2-wan or lan1-lan2 traffic.

Then add the appropriate policies and rules.

BUT, you will also need the right routes. It is not sufficient to have a route 
from LAN1 to LAN2, there must also be a route from LAN2 to LAN1. Assuming that 
this gateway is the default router for LAN1 then half of that is covered, but 
you must also go to the default router for LAN2 and add a static route to LAN1 
via the LAN2 interface of this Shorewall box on LAN2. Without this static 
route, you can send traffic to LAN2 from LAN1, but you'll never see any replies 
- the default gateway on LAN2 will either drop it (not a routable address) or 
send it out via its WAN connection (where it will be dropped as non-routable).
If you cannot add that route in LAN2's default gateway, then you'll have to 
masq LAN1 to LAN2 (add "$lan2  $lan1") so all the traffic appears to come from 
your gateway box.
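Putting the reply's advice into concrete Shorewall configuration, as an added example that is not from the original thread; the interface names (eth0/eth1/eth2), zone names, subnets and the LAN2 address of the Shorewall box are assumed values.

```text
# /etc/shorewall/params  (assumed interface names)
WAN=eth0
LAN1=eth1
LAN2=eth2

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
lan1    ipv4
lan2    ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     $WAN        -           tcpflags,nosmurfs,routefilter
lan1    $LAN1       -           tcpflags,nosmurfs
lan2    $LAN2       -           tcpflags,nosmurfs

# /etc/shorewall/policy  (first matching line wins)
#SOURCE DEST    POLICY  LOG
$FW     all     ACCEPT
lan1    net     ACCEPT
lan1    lan2    ACCEPT          # LAN1 may reach the legacy LAN
lan2    lan1    DROP    info    # legacy LAN may not initiate to LAN1
lan2    net     DROP    info    # legacy LAN uses its own Internet route
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/masq
#INTERFACE  SOURCE
$WAN        $LAN1               # masquerade LAN1 out the WAN only
# Only if you cannot add the static route on LAN2's default router:
#$LAN2      $LAN1               # LAN1 traffic then appears to come from this box

# On LAN2's default router (Linux syntax; assumed addresses:
# LAN1 = 192.168.1.0/24, this box's LAN2 interface = 192.168.2.1):
#   ip route add 192.168.1.0/24 via 192.168.2.1
```

Connection tracking lets replies to LAN1-initiated connections back through even though the lan2-to-lan1 policy is DROP; the static route on LAN2's router is what delivers those replies to this box in the first place.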

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users