Hi all,

I've been using Shorewall for a year (1.4, then 2.0). I'm trying to migrate a linux firewall from iptables rules to shorewall. The firewall has three zones:

- net: internet
- loc1: lan
- loc2: second lan

I have a lot of rules like this, to SNAT the ip addresses of some computers on loc1 (192.168.16.0/24) when they connect to loc2 (10.0.0.0/8):

iptables -v -t nat -I POSTROUTING -s 192.168.16.40/32 -d 10.150.30.100/32 -j SNAT --to 10.108.5.5

I'm not sure what is the best way to migrate these rules. From reading docs I thought the best way should be to put some entries in the /etc/shorewall/nat file:

##############################################################################
#EXTERNAL    INTERFACE   INTERNAL        ALL          LOCAL
#                                        INTERFACES
10.108.5.5   eth1        192.168.16.40   no           no

but I notice this way I can't specify the destination address the nat applies to.

Am I on the wrong way?

Thanks a lot in advance to those who can help me

Bye
Mattia
Mattia wrote:

> I have a lot of rules like this, to SNAT the ip addresses of some
> computers on loc1 (192.168.16.0/24) when they connect to loc2 (10.0.0.0/8)
>
> iptables -v -t nat -I POSTROUTING -s 192.168.16.40/32 -d
> 10.150.30.100/32 -j SNAT --to 10.108.5.5
>
> I'm not sure what is the best way to migrate these rules.
> From reading docs I thought the best way should be to put some entries
> in /etc/shorewall/nat file
>
> but I notice this way I can't specify the destination address the nat
> applies to.
> Am I on the wrong way?

Yes -- you should be using /etc/shorewall/masq to specify your SNAT rules.

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,          \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
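As an added illustration of Tom's answer (this is not code from the thread or from the Shorewall project), the script below turns an iptables SNAT rule of the form Mattia posted into the corresponding line for /etc/shorewall/masq. In the Shorewall 2.x masq file the columns are INTERFACE, SUBNET (the source) and ADDRESS (the SNAT address), and the interface may be written as "iface:destination" so that the entry only applies to packets headed for that destination, which is what the "-d" of the iptables rule expressed. The interface name leading to loc2 (eth2 here) is an assumption; the thread never names it. The sample rules fed to the converter are constructed from the one in the post.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread or from Shorewall.
# Translate "iptables -t nat ... -s SRC -d DST -j SNAT --to ADDR" into a
# /etc/shorewall/masq entry:  IFACE:DST   SRC   ADDR
# Assumption: the interface towards loc2 is given as the first argument
# (e.g. eth2); the thread does not say what it is called.

# snat_to_masq IFACE <words of one iptables command>
# Prints the masq line, or returns 1 if the command is not an SNAT rule.
snat_to_masq() {
    iface=$1
    shift
    src= dst= to= target=
    # Walk the iptables command word by word and pick out -s, -d, -j, --to.
    while [ $# -gt 0 ]; do
        case $1 in
            -s)               src=$2;    shift ;;
            -d)               dst=$2;    shift ;;
            -j)               target=$2; shift ;;
            --to|--to-source) to=$2;     shift ;;
        esac
        shift
    done
    if [ "$target" != SNAT ]; then
        echo "skipping: not an SNAT rule" >&2
        return 1
    fi
    if [ -z "$src" ] || [ -z "$to" ]; then
        echo "skipping: SNAT rule without -s or --to" >&2
        return 1
    fi
    # With a destination, qualify the interface ("eth2:10.150.30.100/32") so the
    # masq entry is as narrow as the original "-d"; without one, leave it bare.
    if [ -n "$dst" ]; then
        printf '%s:%s\t%s\t%s\n' "$iface" "$dst" "$src" "$to"
    else
        printf '%s\t%s\t%s\n' "$iface" "$src" "$to"
    fi
}

# masq_from_stdin IFACE
# Reads one iptables command per line on stdin and emits a masq file body.
# Blank lines and comments are ignored; non-SNAT lines are reported on stderr.
masq_from_stdin() {
    iface=$1
    echo "#INTERFACE	SUBNET	ADDRESS"
    while read -r line; do
        case $line in
            ''|'#'*) continue ;;
        esac
        # Word-splitting of $line is intentional: each word is one argument.
        # shellcheck disable=SC2086
        snat_to_masq "$iface" $line || true
    done
}

# Constructed sample input: the rule from the post plus a second host.
sample_rules() {
    cat <<'EOF'
# existing SNAT rules for loc1 -> loc2
iptables -v -t nat -I POSTROUTING -s 192.168.16.40/32 -d 10.150.30.100/32 -j SNAT --to 10.108.5.5
iptables -v -t nat -I POSTROUTING -s 192.168.16.41/32 -d 10.150.30.0/24 -j SNAT --to 10.108.5.6
EOF
}

# Usage when run directly:  sample_rules | masq_from_stdin eth2
```

Run it as "sample_rules | masq_from_stdin eth2" to see the masq lines; after pasting them into /etc/shorewall/masq, "shorewall check" followed by "iptables -t nat -L POSTROUTING -v -n" confirms that the generated SNAT rules carry the same source and destination restrictions as the originals, which is the check worth doing before the old hand-written rules are dropped.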
Tom Eastep wrote:

> Mattia wrote:
>
>> I have a lot of rules like this, to SNAT the ip addresses of some
>> computers on loc1 (192.168.16.0/24) when they connect to loc2 (10.0.0.0/8)
>>
>> iptables -v -t nat -I POSTROUTING -s 192.168.16.40/32 -d
>> 10.150.30.100/32 -j SNAT --to 10.108.5.5
>>
>> I'm not sure what is the best way to migrate these rules.
>> From reading docs I thought the best way should be to put some entries
>> in /etc/shorewall/nat file
>>
>> but I notice this way I can't specify the destination address the nat
>> applies to.
>> Am I on the wrong way?
>
> Yes -- you should be using /etc/shorewall/masq to specify your SNAT rules.
>
> -Tom

Thanks a lot. It works fine.

Bye
Mattia