Hi,

I'd like to have local servers connect to the firewall external ip and have the traffic routed back to the local network. It works manually, but I can't figure out how to make this work through shorewall:

This works:

  iptables -t nat -A POSTROUTING -d 10.10.5.242 -s 10.10.0.0/16 -p tcp --dport 80 -j SNAT --to 10.10.3.12

And looks like this:

  iptables -L -t nat
  Chain POSTROUTING (policy ACCEPT)
  target     prot opt source               destination
  bond0_masq 0    --  anywhere             anywhere
  SNAT       tcp  --  10.10.0.0/16         10.10.5.242          tcp dpt:www to:10.10.3.12

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

  Chain bond0_masq (1 references)
  target     prot opt source               destination
  SNAT       0    --  10.10.0.0/16         anywhere             to:77.66.16.1

This does not work:

  /etc/shorewall/masq:
  #INTERFACE          SOURCE         ADDRESS      PROTO   PORT(S)   IPSEC   MARK
  bond0:10.10.5.242   10.10.0.0/16   10.10.3.12   tcp     80

Looks like:

  Chain POSTROUTING (policy ACCEPT)
  target     prot opt source               destination
  bond0_masq 0    --  anywhere             anywhere

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

  Chain bond0_masq (1 references)
  target     prot opt source               destination
  SNAT       tcp  --  10.10.0.0/16         10.10.5.242          tcp dpt:www to:10.10.3.12

Any help is greatly appreciated...

Regards
Kristoffer

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
This, I believe, is Shorewall FAQ 2.
Kristoffer Egefelt wrote:
> Hi,
>
> I'd like to have local servers connect to the firewall external ip and
> have the traffic routed back to the local network. It works manually,
> but I can't figure out how to make this work through shorewall:
>
> *This works:*
> iptables -t nat -A POSTROUTING -d 10.10.5.242 -s 10.10.0.0/16 -p tcp
> --dport 80 -j SNAT --to 10.10.3.12
>

In /etc/shorewall/masq:

  <iface>:10.10.5.242   10.10.0.0/16   10.10.3.12   tcp   80

Where <iface> is the interface to 10.10.5.242.

-Tom
--
Tom Eastep           \ The ultimate result of shielding men from the
Shoreline,            \ effects of folly is to fill the world with fools.
Washington, USA        \ -Herbert Spencer
http://shorewall.net    \________________________________________________
Robert K Coffman Jr. -Info From Data Corp. wrote:
> This, I believe, is Shorewall FAQ 2.

Very true,

-Tom
--
Tom Eastep           \ The ultimate result of shielding men from the
Shoreline,            \ effects of folly is to fill the world with fools.
Washington, USA        \ -Herbert Spencer
http://shorewall.net    \________________________________________________
> Kristoffer Egefelt wrote:
>> Hi,
>>
>> I'd like to have local servers connect to the firewall external ip and
>> have the traffic routed back to the local network. It works manually,
>> but I can't figure out how to make this work through shorewall:
>>
>> *This works:*
>> iptables -t nat -A POSTROUTING -d 10.10.5.242 -s 10.10.0.0/16 -p tcp
>> --dport 80 -j SNAT --to 10.10.3.12
>>
>
> In /etc/shorewall/masq:
>
> <iface>:10.10.5.242   10.10.0.0/16   10.10.3.12   tcp   80
>
> Where <iface> is the interface to 10.10.5.242.

Thanks - it works :D

Only thing is that the <iface> is cust:vlan5@bond0 which /etc/shorewall/masq won't recognize.

It seems that I have to define interface vlan5 in /etc/shorewall/interfaces, which I hope I can avoid.

This is the current interfaces:

  net    bond0   detect   tcpflags,routefilter,nosmurfs
  cust   vlan+   detect   routeback

Is it possible to refer to the "cust:vlan5@bond0" in the masq file without having to specify separate entries in the interfaces, zone and policy files?

What I mean is if I add:

  vlan5   vlan5   detect   routeback

to the interfaces file - then I can use vlan5 for <iface> in the masq file, but I'd rather use something like cust:vlan5@bond to minimize the amount of interfaces I have to type/add.

Regards
Kristoffer
Kristoffer Egefelt wrote:
>
> Is it possible to refer to the "cust:vlan5@bond0" in the masq file
> without having to specify separate entries in the interfaces, zone and
> policy files?
>
> What I mean is if I add:
>
> vlan5   vlan5   detect   routeback
>
> to the interfaces file - then I can use vlan5 for <iface> in the masq
> file, but I'd rather use something like cust:vlan5@bond to minimize
> the amount of interfaces I have to type/add.

I think that you will find that you can place vlan5 in the masq file if you upgrade to Shorewall-perl 4.2.0.

-Tom
--
Tom Eastep           \ The ultimate result of shielding men from the
Shoreline,            \ effects of folly is to fill the world with fools.
Washington, USA        \ -Herbert Spencer
http://shorewall.net    \________________________________________________
It works with v4.2 :)

Thanks
Kristoffer

>> Is it possible to refer to the "cust:vlan5@bond0" in the masq file
>> without having to specify separate entries in the interfaces, zone and
>> policy files?
>>
>> What I mean is if I add:
>>
>> vlan5   vlan5   detect   routeback
>>
>> to the interfaces file - then I can use vlan5 for <iface> in the masq
>> file, but I'd rather use something like cust:vlan5@bond to minimize
>> the amount of interfaces I have to type/add.
>
> I think that you will find that you can place vlan5 in the masq file if
> you upgrade to Shorewall-perl 4.2.0.
>
> -Tom
> --
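Why the hand-written rule matched but the first masq entry did not, shown as an added model of the nat POSTROUTING walk (example code written for this thread, not code from the thread, from Shorewall, or from Shorewall FAQ 2). It assumes that Shorewall enters each <iface>_masq chain from POSTROUTING with an `-o <iface>` match, which `iptables -L` without -v (as quoted above) does not display; the packets, the client address 10.10.1.50, the public address 203.0.113.10 and the interface name vlan5 are constructed. The hairpin packet is seen at POSTROUTING after DNAT, so its destination is the server 10.10.5.242 and the route points at the server's interface, not at bond0:

```python
"""Model of the nat POSTROUTING walk behind the hairpin SNAT discussed in the thread.

Constructed example, not code from the thread or from Shorewall itself.
Assumption: Shorewall enters each <iface>_masq chain from POSTROUTING with
`-o <iface>`; `iptables -L` without -v (as in the thread) does not show that.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str          # already DNATed to the server by the time POSTROUTING runs
    proto: str
    dport: int
    out_iface: str    # interface chosen by routing


@dataclass
class Rule:
    target: str                        # "SNAT" or the name of a chain to jump to
    src_net: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    out_iface: Optional[str] = None    # the assumed -o match on the jump into <iface>_masq
    to: Optional[str] = None           # SNAT --to address

    def matches(self, pkt: Packet) -> bool:
        if self.src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst and pkt.dst != self.dst:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.out_iface and pkt.out_iface != self.out_iface:
            return False
        return True


Chains = Dict[str, List[Rule]]


def parse_masq(lines: List[str]) -> Chains:
    """Turn /etc/shorewall/masq lines (INTERFACE[:DEST] SOURCE ADDRESS [PROTO [PORT]])
    into the layout the thread's listings show: one <iface>_masq chain per interface,
    entered from POSTROUTING on the outgoing interface (assumed -o match)."""
    chains: Chains = {"POSTROUTING": []}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        iface, dest = (cols[0].split(":", 1) + [None])[:2]
        proto = cols[3] if len(cols) > 3 else None
        port = int(cols[4]) if len(cols) > 4 else None
        chain = f"{iface}_masq"
        if chain not in chains:
            chains[chain] = []
            chains["POSTROUTING"].append(Rule(target=chain, out_iface=iface))
        chains[chain].append(Rule("SNAT", src_net=cols[1], dst=dest,
                                  proto=proto, dport=port, to=cols[2]))
    return chains


def manual_rules() -> Chains:
    """The working hand-built table from the first message: the hairpin SNAT sits
    directly in POSTROUTING, after the bond0_masq jump, with no interface match."""
    chains = parse_masq(["bond0 10.10.0.0/16 77.66.16.1"])
    chains["POSTROUTING"].append(Rule("SNAT", src_net="10.10.0.0/16", dst="10.10.5.242",
                                      proto="tcp", dport=80, to="10.10.3.12"))
    return chains


def snat_address(chains: Chains, pkt: Packet, chain: str = "POSTROUTING") -> Optional[str]:
    """Walk the chains as netfilter would; return the SNAT address applied, or None."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target == "SNAT":
            return rule.to
        hit = snat_address(chains, pkt, rule.target)   # jump; fall through if no match inside
        if hit is not None:
            return hit
    return None


# Constructed packets: a local client reaching the server through the firewall
# (dst is the server, route leaves on vlan5) and an ordinary outbound connection on bond0.
HAIRPIN = Packet("10.10.1.50", "10.10.5.242", "tcp", 80, "vlan5")
OUTBOUND = Packet("10.10.1.50", "203.0.113.10", "tcp", 443, "bond0")

# The general masquerade line is kept in both files so outbound traffic stays covered.
MASQ_AS_POSTED = ["bond0 10.10.0.0/16 77.66.16.1",
                  "bond0:10.10.5.242 10.10.0.0/16 10.10.3.12 tcp 80"]
MASQ_FIXED = ["bond0 10.10.0.0/16 77.66.16.1",
              "vlan5:10.10.5.242 10.10.0.0/16 10.10.3.12 tcp 80"]

if __name__ == "__main__":
    for label, chains in (("manual", manual_rules()),
                          ("masq as posted", parse_masq(MASQ_AS_POSTED)),
                          ("masq fixed", parse_masq(MASQ_FIXED))):
        print(f"{label:15} hairpin -> {snat_address(chains, HAIRPIN)}, "
              f"outbound -> {snat_address(chains, OUTBOUND)}")
```

The model reproduces the thread: the manual rule and the vlan5-based masq entry both rewrite the hairpin client's source to 10.10.3.12, while the bond0-based entry never reaches its SNAT rule because the packet leaves on vlan5 and the bond0_masq jump is skipped. One operational consequence worth keeping in mind when running this configuration: the server only ever sees 10.10.3.12 as the client address for hairpinned connections, so client attribution for those requests has to come from the firewall's connection tracking or logs rather than from the server's own access log.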