On 8/8/2017 1:34 AM, Tom Eastep wrote:
> On 08/07/2017 03:35 PM, Matt Darfeuille wrote:
>>
>>
>> On 8/7/2017 10:51 PM, Tom Eastep wrote:
>>> On 08/07/2017 01:45 PM, Matt Darfeuille wrote:
>>>> Hi,
>>>>
>>>> My net interface gets its IP address dynamically assigned by a DHCP server.
>>>> Sometimes I need that address for SNAT, DNAT rules and so on...
>>>> I use a variable throughout Shorewall that is defined in the params file.
>>>> Every time this IP changes, I need to change it manually.
>>>>
>>>> I'm currently testing the following to let Shorewall know about that new
>>>> IP:
>>>>
>>>> I have a script in /etc/dhcp/dhclient-exit-hooks that does:
>>>>
>>>> # dhclient-script sources this file with the lease event in $reason,
>>>> # and the event names are upper case (BOUND, RENEW, ...)
>>>> case $reason in
>>>>     BOUND)
>>>>         echo "$new_ip_address" > /etc/shorewall/current_net_ip
>>>>         shorewall reload
>>>>         ;;
>>>> esac
>>>>
>>>> then in /etc/shorewall/params:
>>>>
>>>> CURRENT_NET_IP=$(cat /etc/shorewall/current_net_ip)
>>>>
>>>> then I can use 'CURRENT_NET_IP' throughout Shorewall.
>>>>
>>>> I could clearly assign a fixed address but for the sake of understanding...
>>>> Is there a better way to let Shorewall know when my net interface gets a
>>>> new IP, or is a fixed address the way to go?
>>>
>>> The best way is to use an address variable
>>> (http://www.shorewall.org/configuration_file_basics.htm#AddressVariables).
>>> You still need to use an exit-hook script though.
>>>
>>
>> Can I use address variable in the DEST column of the rules file?
>>
>> /etc/shorewall/init:
>>
>> NEW_IP_ADDRESS=<IP-ADDRESS>
>>
>> /etc/shorewall/rules.d/DNAT.rules:
>>
>> DNAT net:$REMOTE_MANAGEMENT_IP $FW:&{NEW_IP_ADDRESS} tcp 22
>>
>> $ shorewall check
>>
>>    ERROR: Unknown Host (&{NEW_IP_ADDRESS})
>> /etc/shorewall/rules.d/DNAT.rules (line 14)
>>       from /etc/shorewall/rules (line 25)
>> in 
>> I'm tired so I could be wrong!
> 
> Address variables currently cannot be used in the DEST column of a DNAT
> rule. But to do what you want in that case, just use a REDIRECT rule.
> 

Assuming I got my redirect rule right:

REDIRECT net:$REMOTE_MANAGEMENT_IP 22 tcp

Rereading the docs, changing my configs and using the REDIRECT rule as
you suggested, I don't even need an address variable.
Is it possible to expand an address variable in a warning or info directive?:

?INFO New bound ip is &{NEW_IP_ADDRESS}

Thanks again for your help Tom.

-Matt
-- 
Matt Darfeuille

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

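Added example, not code from the thread or from the Shorewall project: a fuller version of the dhclient exit hook discussed above (Tom's answer still requires one even when address variables are used). It keeps the /etc/shorewall/current_net_ip path and the `shorewall reload` command from the thread, assumes eth0 is the WAN interface, and relies on dhclient-script(8) exporting $reason (upper-case event names), $interface and $new_ip_address to the hook. Beyond the one-liner in the thread it validates the value before it is written (the params file feeds it straight into the configuration via `$(cat ...)`), ignores leases on other interfaces, and skips the reload when a RENEW returns the same address.

```shell
#!/bin/sh
# Added example (not from the thread): dhclient exit hook that records the
# lease address for Shorewall and reloads only when it actually changed.
# Assumptions: WAN interface eth0; state file path and reload command as in
# the thread; dhclient-script(8) exports $reason, $interface, $new_ip_address.
WAN_IF="${WAN_IF:-eth0}"
STATE_FILE="${STATE_FILE:-/etc/shorewall/current_net_ip}"
RELOAD_CMD="${RELOAD_CMD:-shorewall reload}"

# Accept only a dotted-quad IPv4 address: the value ends up in the params
# file via $(cat ...), so nothing else should ever be written there.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# 0 when the recorded address differs from $2 (or nothing is recorded yet).
address_changed() {
    [ -r "$1" ] || return 0
    [ "$(cat "$1")" != "$2" ]
}

# Write the new address atomically so a concurrent 'shorewall reload' never
# reads a half-written file.
record_address() {
    printf '%s\n' "$2" > "$1.tmp" && mv -f "$1.tmp" "$1"
}

# Exit status: 0 = recorded and reloaded, 1 = nothing to do, 2 = value rejected.
handle_lease() {
    iface=$1
    addr=$2
    [ "$iface" = "$WAN_IF" ] || return 1        # leases on other interfaces are ignored
    valid_ipv4 "$addr" || return 2
    address_changed "$STATE_FILE" "$addr" || return 1   # RENEW with same address: no reload
    record_address "$STATE_FILE" "$addr" || return 2
    $RELOAD_CMD
}

# dhclient-script sources this file; BOUND, RENEW, REBIND and REBOOT are the
# events that can carry a (possibly new) address.
case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT)
        handle_lease "${interface:-}" "${new_ip_address:-}" || :
        ;;
esac
```

Drop the file in as /etc/dhcp/dhclient-exit-hooks (or under dhclient-exit-hooks.d/ on Debian); dhclient sources it with root privileges, which is why the address is checked before it is written. Separately, in the rules file the DPORT column follows PROTO, so `REDIRECT net:$REMOTE_MANAGEMENT_IP 22 tcp` with an empty DPORT redirects all TCP from that host to local port 22; putting `22` in the DPORT column as well limits it to SSH, matching the original DNAT rule.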