On 8/8/2017 1:34 AM, Tom Eastep wrote: > It > On 08/07/2017 03:35 PM, Matt Darfeuille wrote: >> >> >> On 8/7/2017 10:51 PM, Tom Eastep wrote: >>> On 08/07/2017 01:45 PM, Matt Darfeuille wrote: >>>> Hi, >>>> >>>> My net interface gets it's ip address dinamically asigned by a dhcp server. >>>> Sometime I need that address for SNAT, DNAT rules and so on... >>>> I use a variable throughout Shorewall that is defined in the params file. >>>> Everytime that this ip change, I need to change it manually. >>>> >>>> I'm currently testing the following to let Shorewall know about that new >>>> ip: >>>> >>>> I have a script in /etc/dhcp/dhclient-exit-hooks that do: >>>> >>>> case $reason in >>>> bound) >>>> echo $new_ip_address > /etc/shorewall/current_net_ip >>>> shorewall reload >>>> ;; >>>> esac >>>> >>>> then in /etc/shorewall/params: >>>> >>>> CURRENT_NET_IP=$(cat /etc/shorewall/current_net_ip) >>>> >>>> then I can use 'CURRENT_NET_Ip' throughout Shorewall. >>>> >>>> I could clearly asign a fix address but for the sake of understanding... >>>> Is there a better way to let shorewall know when my net interface gets a >>>> new ip or fix address is the way to go? >>> >>> The best way is to use an address variable >>> (http://www.shorewall.org/configuration_file_basics.htm#AddressVariables). >>> You still need to use an exit-hook script though. >>> >> >> Can I use address variable in the DEST column of the rules file? >> >> /etc/shorewall/init: >> >> NEW_IP_ADDRESS=<IP-ADDRESS> >> >> /etc/shorewall/rules.d/DNAT.rules: >> >> DNAT net:$REMOTE_MANAGEMENT_IP $FW:&{NEW_IP_ADDRESS} tcp 22 >> >> $ shorewall check >> >> ERROR: Unknown Host (&{NEW_IP_ADDRESS}) >> /etc/shorewall/rules.d/DNAT.rules (line 14) >> from /etc/shorewall/rules (line 25) >> in >> I'm tired so I could be rong! > > Address variables currently cannot be used in the DEST column of a DNAT > rule. But to do what you want in that case, just use a REDIRECT rule. >
Assuming I got my redirect rule right: REDIRECT net:$REMOTE_MANAGEMENT_IP 22 tcp Rereading the docs, changing my configs and using the redirect rule as you suggested I don't even need address variable. Is it possible to expend address variable in a warning or info directives?: ?INFO New bound ip is &{NEW_IP_ADDRESS} Thanks again for your help Tom. -Matt -- Matt Darfeuille ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users