On 8/8/2017 11:25 PM, Tom Eastep wrote:
> On 08/08/2017 11:06 AM, Matt Darfeuille wrote:
>> On 8/8/2017 1:34 AM, Tom Eastep wrote:
>>> It
>>> On 08/07/2017 03:35 PM, Matt Darfeuille wrote:
>>>>
>>>>
>>>> On 8/7/2017 10:51 PM, Tom Eastep wrote:
>>>>> On 08/07/2017 01:45 PM, Matt Darfeuille wrote:
>>>>>> Hi,
>>>>>>
>>>>>> My net interface gets its IP address dynamically assigned by a DHCP 
>>>>>> server.
>>>>>> Sometimes I need that address for SNAT, DNAT rules and so on...
>>>>>> I use a variable throughout Shorewall that is defined in the params file.
>>>>>> Every time this IP changes, I need to change it manually.
>>>>>>
>>>>>> I'm currently testing the following to let Shorewall know about that new 
>>>>>> ip:
>>>>>>
>>>>>> I have a script in /etc/dhcp/dhclient-exit-hooks that does:
>>>>>>
>>>>>> # dhclient-script passes $reason in upper case; a lower-case 'bound)'
>>>>>> # would never match. RENEW/REBIND can also deliver a changed address.
>>>>>> case "$reason" in
>>>>>>     BOUND|RENEW|REBIND)
>>>>>>         # record the lease address where /etc/shorewall/params reads it
>>>>>>         echo "$new_ip_address" > /etc/shorewall/current_net_ip
>>>>>>         shorewall reload
>>>>>>         ;;
>>>>>> esac
>>>>>>
>>>>>> then in /etc/shorewall/params:
>>>>>>
>>>>>> CURRENT_NET_IP=$(cat /etc/shorewall/current_net_ip)
>>>>>>
>>>>>> then I can use 'CURRENT_NET_IP' throughout Shorewall.
>>>>>>
>>>>>> I could clearly assign a fixed address, but for the sake of understanding...
>>>>>> Is there a better way to let Shorewall know when my net interface gets a
>>>>>> new IP, or is a fixed address the way to go?
>>>>>
>>>>> The best way is to use an address variable
>>>>> (http://www.shorewall.org/configuration_file_basics.htm#AddressVariables).
>>>>> You still need to use an exit-hook script though.
>>>>>
>>>>
>>>> Can I use an address variable in the DEST column of the rules file?
>>>>
>>>> /etc/shorewall/init:
>>>>
>>>> NEW_IP_ADDRESS=<IP-ADDRESS>
>>>>
>>>> /etc/shorewall/rules.d/DNAT.rules:
>>>>
>>>> DNAT net:$REMOTE_MANAGEMENT_IP $FW:&{NEW_IP_ADDRESS} tcp 22
>>>>
>>>> $ shorewall check
>>>>
>>>>    ERROR: Unknown Host (&{NEW_IP_ADDRESS})
>>>> /etc/shorewall/rules.d/DNAT.rules (line 14)
>>>>       from /etc/shorewall/rules (line 25)
>>>> in 
>>>> I'm tired so I could be wrong!
>>>
>>> Address variables currently cannot be used in the DEST column of a DNAT
>>> rule. But to do what you want in that case, just use a REDIRECT rule.
>>>

Thanks Tom for implementing that in 5.1.6-RC1!

If I have the following in the rules file:

DNAT net:$REMOTE_MANAGEMENT_IP $FW:&enp1s0 tcp 22

I get the following:

Aug 14 14:43:47   ERROR: Can't determine the IP address of enp1s0

What do you recommend?

- Keeping what I'm currently doing (echoing the IP to a file, then cat'ing
that file).
- Delaying the start of Shorewall.
- Another approach.

>>
>> Assuming I got my redirect rule right:
>>
>> REDIRECT net:$REMOTE_MANAGEMENT_IP 22 tcp
>>
>> Rereading the docs, changing my configs and using the REDIRECT rule as
>> you suggested, I don't even need an address variable.
>> Is it possible to expand an address variable in a WARNING or INFO directive?:
>>
>> ?INFO New bound ip is &{NEW_IP_ADDRESS}
>>
> 
> No, because the value of an address variable is determined at run-time
> while the ?INFO and ?WARNING directives are processed at compile-time.
> 

Finally got it! :)

-Matt
-- 
Matt Darfeuille
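The exit-hook approach discussed in this thread (write the lease address to a file that /etc/shorewall/params reads, then reload Shorewall) hands a value supplied by the DHCP server straight to the firewall configuration. The script below is an added example, not code from the thread or from the Shorewall project: it is the same hook, but it rejects anything that is not a well-formed IPv4 address before writing it, writes the file atomically, and only runs `shorewall reload` when the address actually changed. It assumes the standard dhclient-script hook variables `$reason` and `$new_ip_address`, the file path /etc/shorewall/current_net_ip from the thread (overridable through `NET_IP_FILE` for testing), and that `logger` is available for the rejection message.

```shell
#!/bin/sh
# Added example: hardened dhclient exit hook for Shorewall (not from the thread).
# Sourced by dhclient-script, which sets $reason and $new_ip_address.

# File that /etc/shorewall/params reads with: CURRENT_NET_IP=$(cat ...)
# The default path is the one used in the thread; NET_IP_FILE can be
# pre-set in the environment (used here for stand-alone testing).
NET_IP_FILE="${NET_IP_FILE:-/etc/shorewall/current_net_ip}"

# valid_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
# The DHCP server is an untrusted input; anything else (empty string,
# shell metacharacters, extra octets, octets above 255) is refused so it
# never reaches a firewall rule. Runs in a subshell so IFS changes stay local.
valid_ipv4() (
    addr="$1"
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;   # empty, non-digit, leading/trailing/double dot
    esac
    IFS=.
    set -- $addr                               # split into octets
    [ $# -eq 4 ] || exit 1
    for octet; do
        case "$octet" in ????*) exit 1 ;; esac # more than three digits
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# update_net_ip ADDR: record ADDR for Shorewall.
# Returns 0 when the stored address changed (a reload is needed),
#         1 when ADDR equals the stored address (nothing to do),
#         2 when ADDR is not a valid IPv4 address (nothing written).
update_net_ip() {
    new="$1"
    valid_ipv4 "$new" || return 2
    old=""
    if [ -r "$NET_IP_FILE" ]; then
        old=$(cat "$NET_IP_FILE")
    fi
    if [ "$old" = "$new" ]; then
        return 1
    fi
    # Write to a temporary file and rename, so a concurrent 'shorewall
    # reload' never sources a half-written params value.
    tmp="$NET_IP_FILE.tmp.$$"
    printf '%s\n' "$new" > "$tmp" && mv -f "$tmp" "$NET_IP_FILE"
}

# Entry point when sourced by dhclient-script. Only lease events that can
# carry a (new) address are handled; $reason is upper case in dhclient.
case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT)
        rc=0
        update_net_ip "${new_ip_address:-}" || rc=$?
        case $rc in
            0) shorewall reload ;;
            2) logger -t dhclient-exit-hooks \
                   "rejected DHCP-supplied address '${new_ip_address:-}'" ;;
        esac
        ;;
esac
```

Dropped into /etc/dhcp/dhclient-exit-hooks (or a file under dhclient-exit-hooks.d on distributions that use that directory), the hook behaves like the one in the thread on a normal lease, but a renewal that keeps the same address no longer triggers a reload, and a malformed address is logged and ignored instead of being echoed into the file that `params` sources.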

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users