I have a pretty straightforward shorewall (v 2.0.12) setup in my Phoenix office.

IP addresses on the firewall:

  eth0     172.16.10.249
  eth1     12.47.198.100
  eth1:1   12.47.198.108
  eth1:2   12.47.198.101
  eth2     172.16.11.249

interfaces:

  loc    eth0   detect
  net    eth1   detect   blacklist
  dmz    eth2   detect
  vpn1   tun1   192.168.124.255

zones:

  net    Net       Internet
  loc    Local     Local networks
  dmz    DMZ       Demilitarized zone
  vpn1   Tunnel1   Tunnel to LA

masq:

  eth1   eth0

To allow the Phoenix DNS server to respond, I added the following to rules:

  DNAT   net   loc:172.16.10.241   udp   53   -   12.47.198.108
  DNAT   net   loc:172.16.10.241   tcp   53   -   12.47.198.108

This works fine except that notifies from the Phoenix DNS server to others appear to be from 12.47.198.100 instead of 12.47.198.108.

I tried adding the following to rules but the masquerade rule was applied anyway.

  DNAT   loc   net:12.47.198.108   udp   53   -   172.16.10.241
  DNAT   loc   net:12.47.198.108   tcp   53   -   172.16.10.241

There has to be a way to get the outgoing DNS traffic to appear on 12.47.198.108 but I'm just not seeing it.

--
Stephen Carville
Unix and Network Administrator
Nationwide-Totalflood
6033 W. Century Blvd.
Los Angeles, CA 90045
310-342-3602
Stephen Carville wrote:

> To allow the Phoenix DNS server to respond, I added the following to rules:
>
>   DNAT   net   loc:172.16.10.241   udp   53   -   12.47.198.108
>   DNAT   net   loc:172.16.10.241   tcp   53   -   12.47.198.108
>
> This works fine except that notifies from the Phoenix DNS server to others
> appear to be from 12.47.198.100 instead of 12.47.198.108.
>
> I tried adding the following to rules but the masquerade rule was applied
> anyway.
>
>   DNAT   loc   net:12.47.198.108   udp   53   -   172.16.10.241
>   DNAT   loc   net:12.47.198.108   tcp   53   -   172.16.10.241
>

/etc/shorewall/masq:

  eth1   172.16.10.241   12.47.198.108   udp   53
  eth1   172.16.10.241   12.47.198.108   tcp   53

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Tue January 25 2005 1:14 pm, Tom Eastep wrote:

> Stephen Carville wrote:
> > To allow the Phoenix DNS server to respond, I added the following to
> > rules:
> >
> >   DNAT   net   loc:172.16.10.241   udp   53   -   12.47.198.108
> >   DNAT   net   loc:172.16.10.241   tcp   53   -   12.47.198.108
> >
> > This works fine except that notifies from the Phoenix DNS server to
> > others appear to be from 12.47.198.100 instead of 12.47.198.108.
> >
> > I tried adding the following to rules but the masquerade rule was applied
> > anyway.
> >
> >   DNAT   loc   net:12.47.198.108   udp   53   -   172.16.10.241
> >   DNAT   loc   net:12.47.198.108   tcp   53   -   172.16.10.241
>
> /etc/shorewall/masq:
>
>   eth1   172.16.10.241   12.47.198.108   udp   53
>   eth1   172.16.10.241   12.47.198.108   tcp   53

That did the trick. Thank you.

--
Stephen Carville
Unix and Network Administrator
Nationwide-Totalflood
6033 W. Century Blvd.
Los Angeles, CA 90045
310-342-3602
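A caveat that the thread leaves implicit: Shorewall writes the masq entries into nat/POSTROUTING in file order, and SNAT/MASQUERADE are terminating targets, so Tom's two address-specific lines only work if they appear *before* the existing catch-all `eth1 eth0` line. Placed after it, they are never reached and notifies keep leaving as 12.47.198.100 (a DNAT in the rules file cannot fix this either; DNAT rewrites the destination of inbound traffic, not the source of outbound traffic). The script below is an added example, not code from Shorewall or from either poster. It parses the Shorewall 2.x masq layout (INTERFACE SUBNET ADDRESS PROTO PORT(S)), simulates first-match selection for an outbound packet, and flags entries that are shadowed by an earlier, broader one. The two sample masq files, the assumption that loc (172.16.10.0/24) sits behind eth0, and the helper names are constructed from the thread.

```python
"""Simulate which /etc/shorewall/masq entry wins for an outbound packet.

Added example for the thread above, not Shorewall's own code. Assumes the
Shorewall 2.x column layout INTERFACE SUBNET ADDRESS PROTO PORT(S) and that
172.16.10.0/24 (loc) is behind eth0, as in the original interfaces file.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class MasqEntry:
    lineno: int
    interface: str           # INTERFACE: outgoing interface, e.g. eth1
    subnet: str              # SUBNET: source interface name, or an address/CIDR
    address: Optional[str]   # ADDRESS: SNAT to this IP; None means MASQUERADE
    proto: Optional[str]     # PROTO: tcp/udp; None for any
    ports: Optional[str]     # PORT(S): "53", "53,5353" or "1024:65535"; None for any


def parse_masq(text: str) -> List[MasqEntry]:
    """Parse the 2.x masq layout; '-' or a missing trailing column means 'any'."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split() + ["-"] * 5
        iface, subnet, addr, proto, ports = cols[:5]
        opt = lambda c: None if c == "-" else c
        entries.append(MasqEntry(n, iface, subnet, opt(addr), opt(proto), opt(ports)))
    return entries


def _src_matches(entry: MasqEntry, src_iface: str, src_ip: str) -> bool:
    if entry.subnet[0].isdigit():                         # address or CIDR
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(entry.subnet, strict=False)
    return entry.subnet == src_iface                      # interface name: any host behind it


def _port_matches(spec: str, dport: int) -> bool:
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= dport <= int(hi or lo):
            return True
    return False


def first_match(entries, out_iface, src_iface, src_ip, proto, dport) -> Optional[MasqEntry]:
    """Entries go into nat/POSTROUTING in file order and SNAT/MASQUERADE
    terminate the chain, so the first entry whose selectors all fit wins."""
    for e in entries:
        if e.interface != out_iface or not _src_matches(e, src_iface, src_ip):
            continue
        if e.proto and e.proto.lower() != proto.lower():
            continue
        if e.ports and not _port_matches(e.ports, dport):
            continue
        return e
    return None


def effective_source(entries, out_iface, src_iface, src_ip, proto, dport, primary) -> str:
    """Source address seen on the wire. MASQUERADE uses the outgoing
    interface's primary address, which is why the notifies left as .100."""
    e = first_match(entries, out_iface, src_iface, src_ip, proto, dport)
    if e is None:
        return src_ip
    return e.address or primary


def shadowed_entries(entries, iface_of: Callable[[str], str]) -> List[Tuple[MasqEntry, MasqEntry]]:
    """Address-based entries that can never fire because an earlier, broader
    entry on the same interface wins first; each is paired with its shadower."""
    result = []
    for e in entries:
        if not e.subnet[0].isdigit():
            continue
        net = ipaddress.ip_network(e.subnet, strict=False)
        rep = str(net[0] if net.num_addresses <= 2 else net[1])   # representative host
        proto = e.proto or "udp"
        dport = int(e.ports.split(",")[0].split(":")[0]) if e.ports else 33434
        winner = first_match(entries, e.interface, iface_of(rep), rep, proto, dport)
        if winner is not e:
            result.append((e, winner))
    return result


# Constructed from the thread: the catch-all line Stephen already had plus
# Tom's two SNAT lines. Only the order differs between the two files.
BROKEN = """\
#INTERFACE  SUBNET          ADDRESS         PROTO  PORT(S)
eth1        eth0
eth1        172.16.10.241   12.47.198.108   udp    53
eth1        172.16.10.241   12.47.198.108   tcp    53
"""
FIXED = """\
#INTERFACE  SUBNET          ADDRESS         PROTO  PORT(S)
eth1        172.16.10.241   12.47.198.108   udp    53
eth1        172.16.10.241   12.47.198.108   tcp    53
eth1        eth0
"""

PRIMARY_ETH1 = "12.47.198.100"   # eth1's primary address, from the post


def iface_of(ip: str) -> str:
    """Assumption: loc (172.16.10.0/24) is behind eth0, per the interfaces file."""
    return "eth0" if ipaddress.ip_address(ip) in ipaddress.ip_network("172.16.10.0/24") else "eth2"


if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        entries = parse_masq(text)
        src = effective_source(entries, "eth1", "eth0", "172.16.10.241", "udp", 53, PRIMARY_ETH1)
        print(f"{name}: NOTIFY from 172.16.10.241 leaves eth1 as {src}")
        for e, by in shadowed_entries(entries, iface_of):
            print(f"  masq line {e.lineno} is shadowed by line {by.lineno}")
```

On the firewall itself the same check is `shorewall show nat` (or `iptables -t nat -L POSTROUTING -nv`) after a restart: the two SNAT rules for 172.16.10.241 must be listed above the MASQUERADE rule, and `tcpdump -ni eth1 port 53` should then show notifies sourced from 12.47.198.108 while other traffic from the LAN still leaves as 12.47.198.100.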