Thanks, that was my last option, if I could not make the rule interface-specific, so that I can avoid duplicates in case the same rule is configured on another interface, and also avoid getting config w.r.t. the direction of the traffic flow, like (trusted to untrusted) or (untrusted to trusted).
Thanks,
Naveen

On Fri, Jan 18, 2019 at 12:29 PM Tom Eastep <teas...@shorewall.net> wrote:
> On 1/18/19 12:14 PM, Naveen Neelakanta wrote:
> > No, I just have a single zone on that interface.
> >
> > cat /etc/shorewall/interfaces
> > inet eth2 detect tcpflags,nosmurfs,logmartians
> >
> > I tried the Dnat action method; I did not see it getting translated,
> > below are the steps I did.
> >
> > /etc/shorewall/action.Dnat
> > DNAT @1 @2
> >
> > /etc/shorewall/rules
> > Dnat(eth2,8.8.8.8) all!$FW all icmp - - 1.1.1.1/32
> >
> >
> > Chain ~comb0 (11 references)
> > pkts bytes target prot opt in   out source    destination
> >    0     0 DNAT   icmp --  eth2 *   0.0.0.0/0 1.1.1.1     to:8.8.8.8
> >
> >
> > Since the traffic is coming from LAN and going out on eth2 (WAN)
> > interface, I believe I need to get the eth2 to be on the out interface
> > column; I tried a few things to get the eth2 on the out column, it did not
> > help.
> >
> > Any other suggestions?
> >
>
> If the traffic is coming from the LAN, then that should be the SOURCE
> zone. Given that 8.8.8.8 is external to your site, the destination zone
> is 'inet'. So, for 'ping', you would have:
>
> DNAT lan inet:8.8.8.8 icmp echo-request - 1.1.1.1
>
> For DNS:
>
> DNAT lan inet:8.8.8.8 udp,tcp 53 - 1.1.1.1
>
> Using the DNS macro:
>
> DNS(DNAT) lan inet:8.8.8.8 - - - 1.1.1.1
>
> If your lan->inet policy is ACCEPT, you can replace 'DNAT' with 'DNAT-'.
>
> -Tom
> --
> Tom Eastep           \ Q: What do you get when you cross a mobster with
> Shoreline,           \    an international standard?
> Washington, USA      \ A: Someone who makes you an offer you can't
> http://shorewall.org \    understand
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
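As an added example (not posted in the thread and not from the Shorewall project itself), here is the complete set of configuration fragments that Tom's reply implies, so the DNAT rule can be read together with the zone, interface and policy definitions it depends on. The LAN interface name eth1 and the zone names are assumptions; eth2, 8.8.8.8 and 1.1.1.1 are the values from the thread. The point of the layout is that the rule is keyed on zones (lan -> inet), not on the interface, which is what removes the per-interface duplication Naveen was trying to avoid.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
lan     ipv4
inet    ipv4

# /etc/shorewall/interfaces   (assumed: LAN on eth1, WAN on eth2)
#ZONE   INTERFACE   BROADCAST   OPTIONS
lan     eth1        detect      tcpflags,nosmurfs
inet    eth2        detect      tcpflags,nosmurfs,logmartians

# /etc/shorewall/policy
#SOURCE DEST    POLICY      LOG LEVEL
lan     inet    ACCEPT
inet    all     DROP        info
all     all     REJECT      info

# /etc/shorewall/rules
# Packets from the LAN sent to 1.1.1.1 (ORIGINAL DEST) are rewritten to 8.8.8.8 (DEST).
#ACTION     SOURCE  DEST            PROTO   DPORT           SPORT   ORIGINAL DEST
DNAT        lan     inet:8.8.8.8    icmp    echo-request    -       1.1.1.1
DNS(DNAT)   lan     inet:8.8.8.8    -       -               -       1.1.1.1

# Variant: DNAT- only creates the nat-table rule, with no companion ACCEPT in the
# filter table, so it is correct only while the lan->inet policy above is ACCEPT.
# If that policy is later tightened, the redirected traffic is silently rejected.
#DNAT-      lan     inet:8.8.8.8    udp,tcp 53              -       1.1.1.1

# Verify before and after activating:
#   shorewall check        # compile the configuration without loading it
#   shorewall reload       # activate the new configuration
#   shorewall show nat     # the DNAT entry should now show eth1 as the in interface
```

Note the difference from the action-based attempt in the thread: there the generated rule matched `in eth2`, i.e. packets arriving on the WAN side, which is the opposite direction from LAN-originated traffic. With SOURCE set to the lan zone, Shorewall places the rule on the interface(s) that make up that zone, so the match is on traffic entering from eth1 and no out-interface column needs to be forced.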