Hi,

I'm trying to use conntrackd, shorewall and keepalived.

Conntrackd (now known as conntrack-tools) is working ok, keepalived too,
but I don't know how to put some iptables rules in shorewall.

eth0 is the local area (192.168.0.0/24)
eth1 is the net area (192.168.1.0/24)

  [1] iptables -P FORWARD DROP
  [2] iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  [3] iptables -A FORWARD -i eth1 -p tcp --syn -m state --state NEW -j ACCEPT
  [4] iptables -A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
  [5] iptables -I FORWARD -j LOG
  [6] iptables -I POSTROUTING -t nat -s 192.168.0.3 -j SNAT --to 192.168.1.100

I guess in masq:

  eth1 eth0 192.168.1.100

Can someone help me?

Israel Santana Alemán
Consultor Sistemas
isantana@inerza.com
Tfno.: +34 928 300 505 - Ext.: 6675
Avda. de los Consignatarios, s/n. 35008 - Las Palmas de GC
www.inerza.com

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Israel Santana wrote:
> Hi,
>
> I'm trying to use conntrackd, shorewall and keepalived.
>
> Conntrackd (now known as conntrack-tools) is working ok, keepalived too,
> but I don't know how to put some iptables rules in shorewall.
>
> eth0 is the local area (192.168.0.0/24)
> eth1 is the net area (192.168.1.0/24)
>
> [1] iptables -P FORWARD DROP
> [2] iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> [3] iptables -A FORWARD -i eth1 -p tcp --syn -m state --state NEW -j ACCEPT
> [4] iptables -A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
> [5] iptables -I FORWARD -j LOG
> [6] iptables -I POSTROUTING -t nat -s 192.168.0.3 -j SNAT --to 192.168.1.100
>
> I guess in masq:
>
> eth1 eth0 192.168.1.100
>
> Can someone help me?

/etc/shorewall/policy:

  net loc DROP info

/etc/shorewall/rules:

  ACCEPT net loc tcp:syn

/etc/shorewall/nat (Your rule would also work):

  eth1 192.168.0.3 192.168.1.100

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
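To make the mapping between the two notations concrete, here is an added example (not code from the thread, and not Shorewall's compiler) that turns the policy, rules and masq lines discussed above into the iptables commands they stand for. It assumes the zone/interface layout given in the question (loc = eth0, net = eth1, with the two /24 networks) and models only the columns used here; real Shorewall also needs zones, interfaces and the other configuration files. Two points worth seeing in the output: rules are compiled before policies, so "ACCEPT net loc tcp:syn" is tried before "net loc DROP info" logs and drops the rest, and the three-column line "eth1 192.168.0.3 192.168.1.100" reproduces rule [6] exactly when read in masq column order (INTERFACE SOURCE ADDRESS), the same order the poster's own guess used (note that /etc/shorewall/nat uses the columns EXTERNAL INTERFACE INTERNAL for one-to-one NAT). The direction is also preserved: new TCP connections are accepted from net into loc, not the reverse, exactly as rule [3] does.

```python
"""Toy model of how the Shorewall lines in this thread map to iptables.

Added example for this thread, not Shorewall's own compiler: it handles
only the columns the thread uses (policy, rules, masq) and ignores zones,
interfaces, hosts and Shorewall's many other files.
"""

# Assumed from the thread: eth0 is the "loc" zone, eth1 is the "net" zone,
# with the networks the poster gave.
ZONE_IFACE = {"loc": "eth0", "net": "eth1"}
IFACE_NET = {"eth0": "192.168.0.0/24", "eth1": "192.168.1.0/24"}


def proto_match(proto):
    """PROTO column -> iptables match words. 'tcp:syn' means SYN-only TCP."""
    if proto in ("-", "all"):
        return []
    name, _, flag = proto.partition(":")
    words = ["-p", name]
    if flag == "syn":
        words.append("--syn")
    elif flag:
        raise ValueError(f"unsupported proto qualifier: {proto}")
    return words


def compile_rule(line):
    """rules line: ACTION SOURCE DEST [PROTO [DPORT]] -> one iptables command.

    Shorewall rules apply to new connections; replies are covered by the
    ESTABLISHED,RELATED accept emitted by compile_config()."""
    fields = line.split()
    action, src, dst = fields[:3]
    proto = fields[3] if len(fields) > 3 else "-"
    dport = fields[4] if len(fields) > 4 else None
    words = ["iptables", "-A", "FORWARD", "-i", ZONE_IFACE[src], "-o", ZONE_IFACE[dst]]
    words += proto_match(proto)
    if dport:
        words += ["--dport", dport]
    words += ["-m", "conntrack", "--ctstate", "NEW", "-j", action]
    return " ".join(words)


def compile_policy(line):
    """policy line: SOURCE DEST POLICY [LOGLEVEL] -> LOG (if asked), then verdict.

    Policies come after the rules, so they only see what no rule matched."""
    fields = line.split()
    src, dst, policy = fields[:3]
    loglevel = fields[3] if len(fields) > 3 else None
    base = ["iptables", "-A", "FORWARD", "-i", ZONE_IFACE[src], "-o", ZONE_IFACE[dst]]
    cmds = []
    if loglevel:
        cmds.append(" ".join(base + ["-j", "LOG", "--log-level", loglevel]))
    cmds.append(" ".join(base + ["-j", policy]))
    return cmds


def compile_masq(line):
    """masq line: INTERFACE SOURCE [ADDRESS] -> POSTROUTING SNAT or MASQUERADE.

    SOURCE may be an interface (meaning the network behind it) or an address."""
    fields = line.split()
    iface, source = fields[:2]
    address = fields[2] if len(fields) > 2 else None
    source = IFACE_NET.get(source, source)
    words = ["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", iface, "-s", source]
    if address:
        words += ["-j", "SNAT", "--to-source", address]
    else:
        words += ["-j", "MASQUERADE"]
    return " ".join(words)


def compile_config(policies, rules, masq):
    """Assemble in the order that matters: default drop, stateful replies,
    explicit rules, then the catch-all policies, then NAT."""
    cmds = ["iptables -P FORWARD DROP",
            "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    cmds += [compile_rule(r) for r in rules]
    for p in policies:
        cmds += compile_policy(p)
    cmds += [compile_masq(m) for m in masq]
    return cmds


if __name__ == "__main__":
    # The fragments from the reply above, plus the poster's own masq guess
    # (which rewrites the whole LAN, not just 192.168.0.3).
    for cmd in compile_config(["net loc DROP info"],
                              ["ACCEPT net loc tcp:syn"],
                              ["eth1 192.168.0.3 192.168.1.100",
                               "eth1 eth0 192.168.1.100"]):
        print(cmd)
```

Run it and compare the printed commands with rules [1] to [6] in the question: the only differences are the -o interface qualifier, the conntrack match spelling, and that the LOG target sits after the accept rule rather than in front of everything as rule [5] does.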