Tom Eastep wrote:
> varun_saa@vsnl.net wrote:
>>Hello,
>> My server is Mandrake10.1
>>eth0 is WAN with static IP
>>eth1 is LAN
>>
>>I would like all traffic from 2 clients - 192.168.0.253
>>and 192.168.0.248 on the lan to go straight to
>>outgoing interface.
>>
>>I am not sure whether to use DNAT or ACCEPT.
>>Can anybody clarify ?
>
> Read the SUBNET instructions in /etc/shorewall/masq carefully.
>
I assumed that you meant that you want to masquerade all traffic from
the LAN to the WAN except for traffic from these two hosts which you
only want to be able to connect to WAN hosts that know how to route back
to 192.168.0.0/24 -- is that correct?
Or do you want to masquerade all traffic from the LAN to the WAN but
disallow these two hosts from connecting to the Internet? If the latter is
the case then I would have a LAN->WAN ACCEPT policy then just add this rule:
REJECT LAN:192.168.0.248,192.168.0.253 WAN
or whatever your zone names are.
Remember that MASQUERADE/SNAT is a mechanism for manipulating the source
IP address of outgoing packets -- it is _not_ an access control mechanism.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
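The two readings Tom lays out, written as Shorewall configuration. This is an added illustration, not text from Tom's message or a file shipped by the Shorewall project; it assumes the zone names of the standard two-interface setup (`net` on eth0 for the poster's WAN, `loc` on eth1 for the LAN) and the Shorewall 2.x column layout of /etc/shorewall/masq, /etc/shorewall/policy and /etc/shorewall/rules. Substitute your own zone names if they differ.

```text
# ---- Reading 1: masquerade the LAN except the two hosts ----
# /etc/shorewall/masq
# Packets from the two excluded hosts leave eth0 with their private
# 192.168.0.x source address untouched; they only get replies from
# WAN hosts that know how to route 192.168.0.0/24 back.
#INTERFACE    SUBNET                                          ADDRESS
eth0          192.168.0.0/24!192.168.0.248,192.168.0.253

# ---- Reading 2: masquerade everything, but deny the two hosts ----
# /etc/shorewall/masq
#INTERFACE    SUBNET              ADDRESS
eth0          192.168.0.0/24

# /etc/shorewall/policy  (assumed: LAN may reach the Internet by default)
#SOURCE       DEST                POLICY        LOG LEVEL
loc           net                 ACCEPT
net           all                 DROP          info
all           all                 REJECT        info

# /etc/shorewall/rules  (rules are consulted before the policy applies)
#ACTION       SOURCE                              DEST
REJECT        loc:192.168.0.248,192.168.0.253     net
```

The point to take from the two variants is the one Tom makes: the masq entry is applied in the nat table's POSTROUTING chain after the forwarding decision has already been made, so excluding a host from masquerading does not stop its packets from being forwarded, it only sends them out with an unroutable source address. If the intent is to keep the two hosts off the Internet, the REJECT rule (or an equivalent policy) in the filter path is what actually enforces it.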