Marc Mertes <[email protected]> wrote:
>> after a few years of using shorewall now, I run into a "special case"
>> of a new masquerading need, and I'm not sure if this is possible.
>> I've already browsed through the mail archive - but there is not exactly
>> my case discussed, just somewhere close to - or I didn't understand one
>> of them correctly,
>> or wasn't able to adapt it to my case.
>>
>> Shorewall Version 4.6.4.3 on debian jessie
>> This is my masq config now: I masq everything to the external Iface ip:
>> #INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S)
>> IPSEC MARK USER/ SWITCH ORIGINAL
>> eth3 131.xxx.xxx.0/24
>>
>> What I now want to do is:
>> Keep the masq as it is - with one exception.
>> All traffic to our mailserver should not be masq.
>> I mean it like "masq everything outgoing on eth3 EXCEPT outgoing
>> traffic to emailserver on eth3"

Hi Simon,
thanks for that hint!

> It's not that special, I have similar exclusions. Change "eth3" to
> "eth3:!$MasqExcl" and in params define MasqExcl=a.b.c.d,w.x.y.z
> That way, any addresses or subnets defined in MasqExcl are excluded from the
> masq rule.
> You can of course just put

I have at the moment only one IP as exception, but to be "fit for future" I think I'm gonna use $MasqExcl.
Just to be 100% sure - eth3:!$MasqExcl means that I have for DESTINATION $MasqExcl no masq, and all IPs on my local network are visible for $MasqExcl?

> eth3:!a.b.c.d if there's a single address, using a parameter is a bit more
> flexible and extensible.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
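
Added example, not part of the original messages and not Shorewall's own code: a small Python model of how the "eth3:!$MasqExcl" entry discussed above selects traffic, where the exclusion applies to the destination address. The addresses, the PARAMS dict and the function names are constructed for illustration, and variable expansion is simplified compared with the shell-sourced params file.

```python
import ipaddress

# Constructed sample values (documentation address ranges, not from the thread).
PARAMS = {"MasqExcl": "198.51.100.25,203.0.113.0/28"}  # mail server + a subnet
SOURCE = "192.0.2.0/24"                                # internal network


def parse_interface_dest(column, params):
    """Split an INTERFACE:DEST entry such as 'eth3:!$MasqExcl'."""
    iface, _, dest = column.partition(":")
    negate = dest.startswith("!")      # '!' turns the address list into an exclusion
    dest = dest.lstrip("!")
    if dest.startswith("$"):           # simplified expansion of a params variable
        dest = params[dest[1:]]
    nets = [ipaddress.ip_network(a, strict=False) for a in dest.split(",") if a]
    return iface, negate, nets


def is_masqueraded(column, source, params, out_iface, src, dst):
    """Return True if a packet leaving out_iface would match the masq rule."""
    iface, negate, nets = parse_interface_dest(column, params)
    if out_iface != iface:
        return False                   # rule only applies on the named interface
    if ipaddress.ip_address(src) not in ipaddress.ip_network(source):
        return False                   # SOURCE column does not match
    if not nets:
        return True                    # plain 'eth3': every destination matches
    in_list = any(ipaddress.ip_address(dst) in n for n in nets)
    return not in_list if negate else in_list


if __name__ == "__main__":
    flows = [
        ("192.0.2.10", "198.51.100.25"),  # to the excluded mail server
        ("192.0.2.10", "203.0.113.5"),    # to the excluded subnet
        ("192.0.2.10", "93.184.216.34"),  # to any other host
    ]
    for src, dst in flows:
        hit = is_masqueraded("eth3:!$MasqExcl", SOURCE, PARAMS, "eth3", src, dst)
        print(f"{src} -> {dst}: {'masqueraded' if hit else 'source address kept'}")
```

Traffic that skips the masq rule leaves with its internal source address, so the excluded destination needs a route back to that network.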
