-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 01/30/2017 12:16 PM, Robert Grizilo wrote:
> My setup:
>
> +-------------------------------------------+
> |                                           |
> |        5.6.7.8 (some remote server)       |
> |                                           |
> |                 INTERNET                  |
> |                                           |
> |   eth0 (1.2.3.4/24)   eth0:0 (1.2.3.5/24) |
> |                                           |
> +-----------------+-------------------------+
>                   |
>          +--------+--------+
>          |    SHOREWALL    |
>          +--+---+---+------+
>             |   |   |
>             |   |   +- eth1 ofc - 192.168.10.1/24
>             |   |
>             |   +- eth2 vip - 10.0.0.194/30 <----------------------------> 10.0.0.193/30
>             |
>             +- eth3 hom - 192.168.0.1/24
>
> :interfaces
> net eth0 detect
> ofc eth1 detect
> vip eth2 detect
> hom eth3 detect
>
> :zones
> fw  firewall
> net ipv4
> ofc ipv4
> vip ipv4
> hom ipv4
>
> :masq
> eth0 eth1
> eth0 eth3
>
> :policy
> fw  all ACCEPT
> ofc all ACCEPT
> hom fw  ACCEPT
> hom net ACCEPT
> net all DROP   info
> all all REJECT info
>
> :rules
> ACCEPT net fw:1.2.3.4 tcp 22 - - 3/min:9
>
> I need:
>
> on 1.2.3.5 incoming only from 5.6.7.8 is allowed
> all proto coming from 5.6.7.8 to 1.2.3.5 snat as 10.0.0.194 and send it to
> 10.0.0.193
/etc/shorewall/rules:

DNAT        net:5.6.7.8    xxx:10.0.0.193    -    -    1.2.3.5
DROP:yyy    net            fw:1.2.3.5

xxx is the zone that 10.0.0.193 is in and yyy is whatever log level you
choose to log other traffic to 1.2.3.5 at.

/etc/shorewall/masq:

eth?:10.0.0.193    5.6.7.8    10.0.0.194

Where eth? is the interface to 10.0.0.193.

> all proto coming from 10.0.0.193 to 10.0.0.194 snat as 1.2.3.5
> and send it to 5.6.7.8

/etc/shorewall/rules:

DNAT    xxx:10.0.0.193    net:5.6.7.8    -    -    10.0.0.194

/etc/shorewall/masq:

eth0:5.6.7.8    10.0.0.193    1.2.3.5

> (and if possible when restarting shorewall don't break active
> connections between them)

Shouldn't be an issue.

- -Tom

- -- 
Tom Eastep            \   When I die, I want to go like my Grandfather who
Shoreline,             \  died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJYj9PiAAoJEJbms/JCOk0QlL8QALAdqFsFZaprfDMOoBKi8EyV
uc0PximthtKP0P58tzZpoaIhluxG1NeF9oQVRx41Urr8PUBXXTu79HEkGqDMtxGB
u135/+S3VVcFSAlvWbR0Znrs02981PFfqg0QDJn5u2Cb9x6iqHherjtoYxUJQbYg
hsnpY6PTEPL7vGlxwWkyDrkLKbDE6RFC6haHmBIbQuzXOqHrwVZNr7bheRR3JdIH
ZXZ5/6JIXP93vs12MNkSBTh4d+xbCNFmoBCRv/YYq/l/ZSMMDfTeMS9ljEgJ6Tjg
IZVMj8HKUCzKH/iwRAZnqI3WgKCuGAHJYIXvnk0X02/4/Nq99KdnhUyu34LKG7Jp
mOYyZBgfCisIhZ8JjVvx6tJjXmrkU5Ymj+hvfKtQ3ZSqo6YYy+g6yJ/LizniJyTo
BsyVy8h9iX8ZItpEBXThXcziR+41X1XSlTGfoZd3g3BrYxRd95Og+61qsqnlZoBY
gi07Q8/kdn+8zhh4Zz7JAL/jc4fReGv876MBoaVQkfBNhXheacy2e2/Z712H4NHu
kLl635i8xKuIiPzxR4uSEMNsGoyb462Ns9wZwnI0bPByaW5xk5XVryFX0KDDbMHm
nmdQ7/Q0rsJhBhPkApg2wVrOFqN7MYewA2Q4VGvMulMstZWj/4HHpZ8k4afcxyEz
x9StFEmZ3Qb7HdI9QOi6
=R/HM
-----END PGP SIGNATURE-----
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
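Added example, not from this thread and not Shorewall code: a small Python model of what the two DNAT rules and two masq entries in Tom's reply do to the first packet of a new connection in each direction, applied in the order Netfilter applies them (nat PREROUTING DNAT, then the filter decision, then nat POSTROUTING SNAT). It assumes xxx is the vip zone and eth? is eth2, since that is where 10.0.0.193 sits in the poster's diagram, and uses info for yyy. Conntrack is not modelled: reply packets of an accepted connection are reverse-translated by the kernel from the connection entry, without consulting these rules again. The 203.0.113.9 address is a constructed "some other host" for the DROP case.

```python
# Added example: a model of the NAT path Tom's rules/masq entries set up.
# Not part of the thread or of Shorewall. Zone "vip" and interface eth2 are
# taken from the poster's diagram (Tom's xxx / eth?), "info" stands in for
# the yyy log level. Only the first packet of a new connection is modelled.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Which zone an address belongs to. Anything not listed is treated as "net",
# the catch-all zone on eth0 (a simplification of Shorewall's per-interface
# zone assignment; 10.0.0.194 is the firewall's own address on eth2).
ZONES = {
    "1.2.3.4": "fw",
    "1.2.3.5": "fw",
    "10.0.0.194": "fw",
    "10.0.0.193": "vip",
}


def zone_of(addr):
    return ZONES.get(addr, "net")


# /etc/shorewall/rules DNAT entries: (source, original dest) -> new dest.
#   DNAT  net:5.6.7.8     vip:10.0.0.193  - - 1.2.3.5
#   DNAT  vip:10.0.0.193  net:5.6.7.8     - - 10.0.0.194
DNAT_RULES = {
    ("5.6.7.8", "1.2.3.5"): "10.0.0.193",
    ("10.0.0.193", "10.0.0.194"): "5.6.7.8",
}

# /etc/shorewall/masq entries: (source, dest after DNAT) -> new source.
#   eth2:10.0.0.193  5.6.7.8     10.0.0.194
#   eth0:5.6.7.8     10.0.0.193  1.2.3.5
MASQ_RULES = {
    ("5.6.7.8", "10.0.0.193"): "10.0.0.194",
    ("10.0.0.193", "5.6.7.8"): "1.2.3.5",
}


def firewall(pkt):
    """Push the first packet of a new connection through the three stages.

    Returns (verdict, packet_as_forwarded). The verdict is "ACCEPT" (the
    accept a Shorewall DNAT rule generates for the translated traffic),
    "DROP:info" (the explicit DROP:yyy rule for everything else from net
    aimed at fw:1.2.3.5) or "policy" (none of the thread's rules matched,
    so the policy file decides; not modelled here).
    """
    # 1. nat PREROUTING: DNAT rewrites the destination before routing.
    original = (pkt.src, pkt.dst)
    if original in DNAT_RULES:
        pkt = replace(pkt, dst=DNAT_RULES[original])
    else:
        # 2. filter: only the thread's explicit DROP rule is modelled.
        if zone_of(pkt.src) == "net" and pkt.dst == "1.2.3.5":
            return "DROP:info", pkt
        return "policy", pkt

    # 3. nat POSTROUTING: the masq entry rewrites the source on the way out,
    #    matched on the destination as it looks after DNAT.
    translated = (pkt.src, pkt.dst)
    if translated in MASQ_RULES:
        pkt = replace(pkt, src=MASQ_RULES[translated])
    return "ACCEPT", pkt


if __name__ == "__main__":
    for p in (Packet("5.6.7.8", "1.2.3.5"),         # remote server -> 1.2.3.5
              Packet("10.0.0.193", "10.0.0.194"),   # vip host -> firewall side of the /30
              Packet("203.0.113.9", "1.2.3.5")):    # constructed: some other host
        print(p, "->", firewall(p))
```

The point the model makes visible is that the masq entry matches the destination as it looks after DNAT (10.0.0.193, not 1.2.3.5), which is why Tom's masq line names 10.0.0.193 in the interface column and 5.6.7.8 as the source, and symmetrically for the return direction.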
