> *From:* Guilsson G [mailto:[email protected]]
> *Sent:* Friday, October 18, 2013 4:51 PM
> *To:* Shorewall Users
> *Subject:* Re: [Shorewall-users] Specifying DNAT and SNAT in same rule
>
> I think it's missing one parameter.

On 10/18/2013 5:27 PM, Tom Eastep wrote:
> No, it is not.
First, I apologize for top-posting; I responded using Outlook.

SNAT (modification of the source address) is done out of the nat table's POSTROUTING chain, and rules in that chain may not specify a source interface name. If you place 'eth0' in the SOURCE column, then the Shorewall-generated script will examine the main routing table and generate rules for traffic from every host/network routed out of that interface, *except* for those routed using a default route. Both the compiler and the generated script will issue WARNING messages; the compiler will complain that eth0 must be up and functional before the firewall will start, while the script will report that the default route out of eth0 is being ignored.

Devices like printers have a primitive IP stack that does not support the notion of a default route. So *any* traffic sent to the printer from the firewall must have the address of eth1 as its source IP. As a consequence, making the SNAT rule unconditional is the proper and EASIEST thing to do.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
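The expansion described above, as an added illustration rather than Shorewall's own compiler code: an interface name in the SOURCE column is turned into one nat POSTROUTING rule per network routed out of that interface, the default route is skipped with a warning, and an unconditional rule needs no routing lookup at all. The routing table, interface names and addresses are constructed for the example.

```python
"""Added example (not Shorewall's code): how an interface in the SOURCE
column of an SNAT rule expands into per-network nat POSTROUTING rules."""
import ipaddress

# Constructed sample of `ip route show` output for a hypothetical firewall
# whose printer sits behind eth1 (10.0.0.1) and whose upstream is eth0.
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.0/24 via 192.0.2.254 dev eth0
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.1
"""


def networks_out_of(iface, routes_text):
    """Return (networks, warnings): every host/network routed out of
    `iface`, excluding a default route, which is reported as a warning."""
    nets, warnings = [], []
    for line in routes_text.splitlines():
        fields = line.split()
        if "dev" not in fields or fields[fields.index("dev") + 1] != iface:
            continue
        if fields[0] == "default":
            warnings.append(f"WARNING: default route out of {iface} ignored")
            continue
        # A bare host address becomes a /32 network.
        nets.append(ipaddress.ip_network(fields[0], strict=False))
    return nets, warnings


def snat_rules(src_iface, dest_iface, to_source, routes_text):
    """Expand SOURCE=src_iface into iptables nat POSTROUTING rule arguments.
    src_iface=None means an unconditional rule, so no routing lookup is done."""
    tail = f"-o {dest_iface} -j SNAT --to-source {to_source}"
    if src_iface is None:
        return [f"-t nat -A POSTROUTING {tail}"], []
    nets, warnings = networks_out_of(src_iface, routes_text)
    rules = [f"-t nat -A POSTROUTING -s {net} {tail}" for net in nets]
    return rules, warnings


if __name__ == "__main__":
    rules, warnings = snat_rules("eth0", "eth1", "10.0.0.1", SAMPLE_ROUTES)
    print("\n".join(warnings + rules))
    print("\n".join(snat_rules(None, "eth1", "10.0.0.1", SAMPLE_ROUTES)[0]))
```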
