On 03/07/2016 04:42 AM, Mario Vittorio Guenzi wrote:
> Good morning everyone,
> first of all, sorry for my poor English. I have the following situation in
> the company:
> 2 Debian 7.x machines, each acting as a gateway firewall on a different line
> (obviously).
> The two machines have the internal IPs
> perseo 192.168.2.240
> sangiorgio 192.168.2.237
> The LAN is obviously 192.168.2.0/24
> EXTIF = eth0 WAN interface
> INTIF = eth1 LAN interface
> EXTIP = external static IP
> INTIP = internal static IP
> CHIMERA = 192.168.2.224
> On the two gateways runs heartbeat, which raises 192.168.2.241, the
> company's gateway to the Internet; the master machine is perseo, and
> sangiorgio intervenes only if there is no line on the other side.
> We have a number of VPNs entering/leaving, and for convenience I have
> decided that all VPN traffic must pass through sangiorgio (the slave
> machine).
> Until today I wrote the firewall script by hand, but after years of
> modifications and additions it has become a real monster.
> I would like to move to Shorewall and have somewhat "simpler" management.
>
> Currently I get the desired result with a "package" of rules like this:
>
> $IPT -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
>     -p tcp --dport 775 -j ACCEPT
> $IPT -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIP --dport 775 -j DNAT \
>     --to-destination $CHIMERA:775
> $IPT -A FORWARD -i $EXTIF -p tcp --dport 775 -o $INTIF -j ACCEPT
>
> and after each group of rules for each VPN port I add this rule:
>
> $IPT -t nat -A POSTROUTING -o $INTIF -j SNAT --to $INTIP
>
> The last rule in particular is the one that assures me that all VPN
> traffic passes through sangiorgio.
> How do I do such a thing in Shorewall?
> Might something like this work?
>
> /etc/shorewall/rules
> DNAT net loc:192.168.2.224:775 tcp 775
>
> /etc/shorewall/masq
> eth0 10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16 213.215.236.130 tcp 775
>
> Thanks in advance.
In /etc/shorewall/masq:

$INTIF - $INTIP

-Tom
-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
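The following is an added example, not code from the thread, Tom or the Shorewall project. It generates the three Shorewall fragments (params, rules, masq) that replace Mario's per-port iptables blocks, using Tom's masq entry verbatim. It assumes the Shorewall 4.x column layout shipped with Debian 7 and the addresses from the post; the function names (gen_params, gen_rules, gen_masq, write_fragments) and the output directory are the example's own, and nothing is written to /etc/shorewall unless you name that directory.

```shell
#!/bin/sh
# Added example (not from the thread): emit Shorewall fragments equivalent to
# the iptables "package" in the original post, one DNAT line per VPN port plus
# Tom's masq entry.  Assumes Shorewall 4.x (Debian 7) column layout and the
# addresses from the post.

CHIMERA=192.168.2.224   # VPN concentrator on the LAN (from the post)
INTIF=eth1              # LAN interface (from the post)
INTIP=192.168.2.237     # sangiorgio's own LAN address (from the post)

# /etc/shorewall/params: shell variables that Shorewall expands in the other
# files, so the fragments can keep the names used in the old iptables script.
gen_params() {
    printf 'CHIMERA=%s\nINTIF=%s\nINTIP=%s\n' "$CHIMERA" "$INTIF" "$INTIP"
}

# /etc/shorewall/rules: one DNAT line per VPN port.  Shorewall generates both
# the PREROUTING DNAT and the matching FORWARD accept from this single line.
# The INPUT rule in the old script was dead code: DNAT rewrites the
# destination before the packet is classified, so it never reaches INPUT.
gen_rules() {
    printf '#ACTION\tSOURCE\tDEST\t\t\tPROTO\tDEST PORT(S)\n'
    for port in "$@"; do
        printf 'DNAT\tnet\tloc:$CHIMERA:%s\ttcp\t%s\n' "$port" "$port"
    done
}

# /etc/shorewall/masq: Tom's entry.  Everything leaving the LAN interface is
# SNATed to INTIP, so CHIMERA's replies return to sangiorgio instead of the
# default gateway 192.168.2.241 (the heartbeat VIP, normally on perseo).
gen_masq() {
    printf '#INTERFACE\tSOURCE\tADDRESS\n'
    printf '$INTIF\t\t-\t$INTIP\n'
}

# Write all three fragments into DIR; non-zero exit if any write fails.
write_fragments() {
    dir=${1:?usage: write_fragments DIR PORT...}
    shift
    mkdir -p "$dir" &&
    gen_params > "$dir/params" &&
    gen_rules "$@" > "$dir/rules" &&
    gen_masq > "$dir/masq"
}

# Stand-alone use:  ./gen-shorewall.sh ./fragments 775 1194
if [ "$#" -gt 0 ]; then
    write_fragments "$@"
fi
```

Copy the fragments into /etc/shorewall and run `shorewall check` before `shorewall restart`. Two caveats a practitioner should weigh: the masq entry as written SNATs every packet that sangiorgio forwards into the LAN, exactly like the old POSTROUTING rule; if only the VPN traffic should be rewritten, the PROTO and PORT(S) columns that Mario's own masq line already uses can narrow it (for example `$INTIF - $INTIP tcp 775`). And because CHIMERA now sees 192.168.2.237 as the source of every VPN peer, its own logs lose per-peer attribution; if you need it, log the DNAT on sangiorgio (for example `DNAT:info` in the ACTION column) so the firewall records the real external address before it is rewritten.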
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users