Good morning everyone; first of all, sorry for my poor English. I have the following situation in the company: two Debian 7.x machines, each acting as a gateway/firewall on a different line (obviously). The two machines have the internal IPs perseo 192.168.2.240 and sangiorgio 192.168.2.237; the LAN is obviously 192.168.2.0/24.

    EXTIF = eth0, WAN interface
    INTIF = eth1, LAN interface
    EXTIP = external static IP
    INTIP = internal static IP
    CHIMERA = 192.168.2.224

On the two gateways heartbeat runs and brings up 192.168.2.241, which is the company's gateway to the Internet. The master machine is perseo, and sangiorgio intervenes only if the other side has no line. We have a number of VPNs coming in and going out, and for convenience I have decided that all VPN traffic must pass through sangiorgio (the slave machine). Until today I wrote the firewall scripts by hand, but after years of modifications and additions they have become real monsters. I would like to move to shorewall and have a somewhat "simpler" management.
Currently I get the desired result with a "package" of rules like this:

    $IPT -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
        -p tcp --dport 775 -j ACCEPT
    $IPT -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP --dport 775 -j DNAT --to-destination $CHIMERA:775
    $IPT -A FORWARD -i $EXTIF -p tcp --dport 775 -o $INTIF -j ACCEPT

and after each group of rules for each VPN port I add this rule:

    $IPT -t nat -A POSTROUTING -o $INTIF -j SNAT --to $INTIP

The last rule in particular is the one that assures me that all VPN traffic passes through sangiorgio. How do I do such a thing in shorewall? Would something like this work?

/etc/shorewall/rules

    DNAT net loc:192.168.2.224:775 tcp 775

/etc/shorewall/masq

    eth0 10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16 213.215.236.130 tcp 775

Thanks in advance.

-- 
Mario Vittorio Guenzi
E-mail jcl...@tiscali.it
Si vis pacem, para bellum
+--------------------+
| Linux User #286828 |
+--------------------+
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
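An added example, not from Mario's post or from Shorewall, to show what the final SNAT rule buys: a small Python model of the DNAT + SNAT path on sangiorgio, using the post's LAN addresses and two placeholders as assumptions (198.51.100.1 for EXTIP, 203.0.113.10 for the remote VPN peer). It shows that without the SNAT to INTIP, CHIMERA's reply follows its default route to the heartbeat address held by perseo, so the forwarded connection never completes.

```python
# Added example (not from the post): a constructed model of the DNAT/SNAT
# path on sangiorgio. Addresses are the post's, except the placeholders
# EXTIP = 198.51.100.1 and CLIENT = 203.0.113.10 (TEST-NET ranges).
from dataclasses import dataclass, replace

EXTIP = "198.51.100.1"      # placeholder for sangiorgio's external static IP
INTIP = "192.168.2.237"     # sangiorgio's internal IP
CHIMERA = "192.168.2.224"   # the VPN endpoint on the LAN
VIP = "192.168.2.241"       # heartbeat address, held by perseo while it is master
CLIENT = "203.0.113.10"     # placeholder remote VPN peer
PORT = 775


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def chimera_next_hop(dst: str) -> str:
    """CHIMERA's routing table: the LAN is on-link, everything else goes via the VIP."""
    return "on-link" if dst.startswith("192.168.2.") else VIP


def sangiorgio_forward(pkt: Pkt, snat: bool) -> Pkt:
    """Apply PREROUTING DNAT to CHIMERA:775 and, optionally, POSTROUTING SNAT to INTIP."""
    if not (pkt.dst == EXTIP and pkt.dport == PORT):
        raise ValueError("not a port-775 packet addressed to EXTIP")
    pkt = replace(pkt, dst=CHIMERA, dport=PORT)   # DNAT --to-destination $CHIMERA:775
    if snat:
        pkt = replace(pkt, src=INTIP)              # SNAT --to $INTIP on $INTIF
    return pkt


def reply_gateway(snat: bool) -> str:
    """Which box receives CHIMERA's reply: 'sangiorgio' keeps the flow symmetric;
    'perseo' means the reply leaves through the master, which has no conntrack
    entry for this connection, so the forwarded session breaks."""
    inbound = sangiorgio_forward(Pkt(CLIENT, 40000, EXTIP, PORT), snat)
    reply = Pkt(inbound.dst, inbound.dport, inbound.src, inbound.sport)
    if chimera_next_hop(reply.dst) == "on-link" and reply.dst == INTIP:
        return "sangiorgio"
    # Cost of the SNAT: CHIMERA sees every VPN peer as 192.168.2.237, so its
    # own logs lose the real client address; log the original source on
    # sangiorgio (e.g. in the FORWARD rule) if that address matters to you.
    return "perseo"
```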