Marc Mertes <[email protected]> wrote:

> after a few years of using shorewall now, I run into a "special case"
> of a new masquerading need, and I'm not sure if this is possible.
> I've already browsed through the mail archive - but there is not exactly
> my case discussed, just some where close to - or I didn't understand one
> of them correctly,
> or wasn't able to adapt it to my case.
>
> Shorewall Version 4.6.4.3 on debian jessie
> This is my masq config now: I masq everything to the external Iface ip:
> #INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH ORIGINAL
> eth3 131.xxx.xxx.0/24
>
> What I now want to do is:
> Keep the masq as it is - with one exception.
> All traffic to our mailserver should not be masq.
> I mean it like "masq everything outgoing on eth3 EXCEPT outgoing
> traffic to emailserver on eth3"

It's not that special, I have similar exclusions.

Change "eth3" to "eth3:!$MasqExcl" and in params define

    MasqExcl=a.b.c.d,w.x.y.z

That way, any addresses or subnets defined in MasqExcl are excluded from the masq rule.

You can of course just put eth3:!a.b.c.d if there's a single address, using a parameter is a bit more flexible and extensible.
