On 01.06.2014 at 23:08, Michael Kress wrote:
>
> OK, all things solved, thanks for pointing me to the right docs.
>

Uhm, one more case has been added to my config and I cannot make it work.

One host in the DMZ zone (192.168.0.15), which is connected over eth0 (192.168.0.1), should go out over tun1 (vpn) masqueraded as x.x.x.245, with all protocols and ports. I've tried to accomplish that by adding one line in masq as the first line in order to do SNAT:

    tun1    192.168.0.15    x.x.x.245

Analyzing the packets with tcpdump, I see them arriving on eth0, but they go out the wan route eth1 (192.168.2.251). The above masq line doesn't apply anymore.

My mangle file:

    #ACTION    SOURCE       DEST
    1:P        0.0.0.0/0
    1          $FW

providers file:

    #NAME    NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS  COPY
    tonline  1       1     -          eth1       192.168.2.1  track
    ipev     2       2     -          tun1       x.x.x.245    track

rtrules file:

    #SOURCE         DEST           PROVIDER  PRIORITY  MARK
    -               x.x.x.18/32    tonline   1000
    -               x.x.x.245/28   ipev      1001
    192.168.0.15    -              ipev      20000
    192.168.0.0/24  -              tonline   20001     1
    192.168.5.0/24  -              tonline   20001     1
    192.168.0.0/24  -              tonline   20002
    192.168.5.0/24  -              tonline   20002

zones file:

    fw   firewall
    lan  ipv4
    wan  ipv4
    vpn  ipv4
    dmz  ipv4

Current policy: everything goes out over tonline, some things come in over ipev.

I've tried playing with the mark column in the masq file, but that didn't help either; there seems to be no match. I've also tried with a mangle/masq set, without success:

mangle:

    2:TC    192.168.0.15

masq:

    tun1    192.168.0.15    x.x.x.245    ; mark=2:C

How can I analyze that more deeply and solve it in order to get SNAT working?

TIA

Regards
Michael

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
