On 1/18/19 12:14 PM, Naveen Neelakanta wrote:
> No, I just have a single zone on that interface.
>
> cat /etc/shorewall/interfaces
> inet eth2 detect tcpflags,nosmurfs,logmartians
>
> I tried the Dnat action method; I did not see it getting translated.
> Below are the steps I did.
>
> /etc/shorewall/action.Dnat
> DNAT @1 @2
>
> /etc/shorewall/rules
> Dnat(eth2,8.8.8.8) all!$FW all icmp - - 1.1.1.1/32
>
>
> Chain ~comb0 (11 references)
> pkts bytes target prot opt in   out source    destination
>    0     0 DNAT   icmp --  eth2 *   0.0.0.0/0 1.1.1.1     to:8.8.8.8
>
>
> Since the traffic is coming from the LAN and going out on the eth2 (WAN)
> interface, I believe I need to get eth2 to be in the out interface
> column. I tried a few things to get eth2 in the out column; it did not
> help.
>
> Any other suggestions?
If the traffic is coming from the LAN, then that should be the SOURCE zone. Given that 8.8.8.8 is external to your site, the destination zone is 'inet'. So, for 'ping', you would have:

DNAT lan inet:8.8.8.8 icmp echo-request - 1.1.1.1

For DNS:

DNAT lan inet:8.8.8.8 udp,tcp 53 - 1.1.1.1

Using the DNS macro:

DNS(DNAT) lan inet:8.8.8.8 - - - 1.1.1.1

If your lan->inet policy is ACCEPT, you can replace 'DNAT' with 'DNAT-'.

-Tom
--
Tom Eastep            \   Q: What do you get when you cross a mobster with
Shoreline,             \     an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \   understand
                          \_______________________________________________
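As an added illustration (not part of Tom's reply and not a file from the Shorewall project), here is how the rules from this reply sit in /etc/shorewall/rules once the column headers are spelled out, with the original poster's attempt kept above them for contrast. The zone name 'lan' is assumed from the discussion; 1.1.1.1 and 8.8.8.8 are the addresses used in the thread.

```conf
# /etc/shorewall/rules (added example; column layout of Shorewall's rules file)
#ACTION      SOURCE  DEST            PROTO    DPORT         SPORT  ORIGDEST
#
# Original attempt from the thread: SOURCE "all!$FW" and DEST "all" never
# name the zone the traffic enters from, and the resulting DNAT target was
# matched with eth2 as the *incoming* interface, while LAN-originated
# traffic actually leaves through eth2.
#Dnat(eth2,8.8.8.8) all!$FW all    icmp     -             -      1.1.1.1/32
#
# Corrected form: the LAN is the SOURCE zone, the real destination 8.8.8.8
# lives in the 'inet' zone, and ORIGDEST is the address the packet carried
# when it arrived (1.1.1.1). Packets from lan to 1.1.1.1 are rewritten to
# 8.8.8.8 before they leave.
DNAT         lan     inet:8.8.8.8    icmp     echo-request  -      1.1.1.1
DNAT         lan     inet:8.8.8.8    udp,tcp  53            -      1.1.1.1
#
# Same DNS rule written with the DNS macro (the macro supplies PROTO/DPORT):
#DNS(DNAT)   lan     inet:8.8.8.8    -        -             -      1.1.1.1
#
# When the lan->inet policy is already ACCEPT, DNAT- adds only the nat-table
# rewrite and does not generate the accompanying ACCEPT filter rule:
#DNAT-       lan     inet:8.8.8.8    icmp     echo-request  -      1.1.1.1
```

After editing, `shorewall check` validates the configuration before it is applied, and `shorewall show nat` lists the generated nat-table chains so the DNAT entry can be confirmed against the source zone and original destination rather than against an interface column.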
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users