resolved.

/etc/shorewall/masq
There is a long tradition of specifying an interface name in the SOURCE
column of this file.
Masquerading/SNAT occurs in the Netfilter POSTROUTING chain, where an
incoming interface may not be specified in iptables rules. Consequently,
while processing the *shorewall start* and *shorewall restart* commands, the
generated script must examine the firewall's main routing table to determine
those networks that are routed out of the interface; the script then adds a
MASQUERADE/SNAT rule for connections from each of those networks. This
additional processing requires the named interface to be up and configured
when Shorewall starts or restarts.
Users often complain that Shorewall fails to start at boot time because a
VPN interface that is named as a masq SOURCE isn't up and configured during
boot.
To emphasize this restriction, if an interface is named in the SOURCE column
of one or more entries, a single warning is issued as follows:
*WARNING: Using an interface as the masq SOURCE requires the interface to be
up and configured when Shorewall starts/restarts*
To suppress this warning, replace the interface name with the list of
networks that are routed out of the interface.
Example.
Existing entry:
#INTERFACE  SOURCE          ADDRESS  PROTO  PORT(S)  IPSEC  MARK  USER/
#                                                                 GROUP
eth0        eth1
Current routing configuration:
gateway:~# ip route ls dev eth1
*172.20.1.0/24* proto kernel scope link src 172.20.1.254
224.0.0.0/4 scope link
gateway:~#
Replacement entry:
#INTERFACE  SOURCE          ADDRESS  PROTO  PORT(S)  IPSEC  MARK  USER/
#                                                                 GROUP
eth0        *172.20.1.0/24*
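The following POSIX shell script is an added illustration of what the text describes, not Shorewall's own compiler code (Shorewall's compiler is written in Perl and handles far more cases). It reads the output of `ip route ls dev IFACE`, extracts the networks routed out of that interface, prints the POSTROUTING MASQUERADE rule that a masq entry "eth0 eth1" would need for each network, and reproduces the warning that is issued when SOURCE names an interface rather than a network. The routing output is a constructed sample matching the example above; multicast (224.0.0.0/4) and default routes are skipped, which is an assumption of this script. The rules are printed rather than applied, so it can be run anywhere.

```shell
#!/bin/sh
# Added example: mimics the route-table lookup that an interface-name SOURCE
# in /etc/shorewall/masq forces at start/restart time. Not Shorewall's code.

# Constructed sample of `ip route ls dev eth1` output (same as the example above).
SAMPLE_ROUTES='172.20.1.0/24 proto kernel scope link src 172.20.1.254
224.0.0.0/4 scope link'

# Read `ip route ls dev IFACE` output on stdin and print one network per line.
# Assumption of this script: the default route and multicast (224.0.0.0/4)
# are skipped, and a bare host address is widened to a /32.
routed_networks() {
    while read -r dest _rest; do
        case "$dest" in
            ''|default|224.*) ;;                 # nothing to masquerade for these
            */*) printf '%s\n' "$dest" ;;        # already a CIDR network
            *)   printf '%s/32\n' "$dest" ;;     # single host route
        esac
    done
}

# Print the MASQUERADE rule that a masq entry "OUT_IF IN_IF" implies for each
# network routed out of IN_IF. Rules are printed only, never executed.
# Usage: ip route ls dev eth1 | masq_rules eth0
masq_rules() {
    out_if=$1
    routed_networks | while read -r net; do
        printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
            "$net" "$out_if"
    done
}

# Return 0 and print the warning when SOURCE is an interface name; return 1
# (silently) when SOURCE is a network or address. Simplified classification:
# anything containing '/' or starting with a digit is treated as a network.
warn_if_interface_source() {
    case "$1" in
        */*|[0-9]*) return 1 ;;
    esac
    echo "WARNING: Using an interface as the masq SOURCE requires the interface to be up and configured when Shorewall starts/restarts"
    return 0
}

# Stand-alone demonstration on the constructed sample.
warn_if_interface_source eth1
printf '%s\n' "$SAMPLE_ROUTES" | masq_rules eth0
warn_if_interface_source 172.20.1.0/24 || echo "no warning for a network SOURCE"
```

On a running gateway the same functions can be fed live data with `ip route ls dev eth1 | masq_rules eth0`; the one rule printed for the sample (for 172.20.1.0/24) is exactly what the replacement entry above lets Shorewall generate without consulting the routing table at all.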