Hello,

I'd like to translate (spoof) source addresses when connecting from LAN to DMZ (so that my LAN IPs won't be seen properly on DMZ servers). I understand that when I need to rewrite a single source address, I can just specify it after a column in the Destination field of a DNAT rule. But how can I change the range of source addresses, say from 10.1.1.* to 10.8.8.*, so that 10.1.1.25 will be seen as 10.8.8.25? Probably I just missed it in the documentation...

Thanks,
Ivan
On Tuesday 03 February 2004 03:13 pm, i g wrote:
> Hello,
>
> I'd like to translate (spoof) source addresses when connecting from LAN to
> DMZ (so that my LAN IPs won't be seen properly on DMZ servers). I
> understand that when I need to rewrite a single source address, I can just
> specify it after a column in the Destination field of a DNAT rule. But how
> can I change the range of source addresses, say from 10.1.1.* to 10.8.8.*,
> so that 10.1.1.25 will be seen as 10.8.8.25?
> Probably I just missed it in the documentation...

Shorewall does not provide such support.

There is an experimental target (named NETMAP if I recall correctly) in netfilter Patch-O-Matic that does what you want, but you would have to configure it yourself using one of the Shorewall extension scripts (probably /etc/shorewall/start).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
> From: Tom Eastep <teastep@shorewall.net>
> To: Mailing List for Experienced Shorewall Users <shorewall-users@lists.shorewall.net>, "i g" <gostev2@hotmail.com>
> Subject: Re: [Shorewall-users] Source Address range translation
> Date: Tue, 3 Feb 2004 15:29:44 -0800
>
> Shorewall does not provide such support.
>
> There is an experimental target (named NETMAP if I recall correctly) in
> netfilter Patch-O-Matic that does what you want but you would have to
> configure it yourself using one of the Shorewall extension scripts
> (probably /etc/shorewall/start).
>
> -Tom

Tom,

Thank you very much. I am not an expert in iptables rules; Shorewall is just an excellent interface for me. This rule was projected just as an extra security measure and is not critical.

Ivan Gostev
Toronto
gostev2.hotmail.com
Tom,

I thought that you could do something like this in your masq file? At least I thought I remember experimenting when I had a DMZ setup, because I needed a host on eth1 to be seen as being within the same DMZ network to have the ability to telnet to it. If this is wrong below then flame on.

I thought for sure I had my setup temporarily similar to:

    eth0 = DSL: Public IP via DHCP (internet)
    eth1 = Loc-LAN: 192.168.100.1/24
    eth2 = DMZ: 10.0.10.1/24

My "/etc/shorewall/masq" file looked like:

    eth0    eth1
    eth2    eth1

All traffic originating from eth1 going to the internet left with eth0's public IP address in the header of the packets (normal). All traffic originating from eth1 going to the DMZ left with eth2's private IP address of 10.0.10.1 in the header of the packets.

If this didn't work then I thought for sure that you could set up some kind of one-to-one NAT scenario from eth1 to the DMZ. But then again there weren't a whole lot of specifics included with this person's scenario.

Joshua Banks
On Tue, 3 Feb 2004, Joshua Banks wrote:
> Tom, I thought that you could do something like this in your masq file?

Of course you can -- if you want 256 entries in your /etc/shorewall/masq file to cover the class C network that the original poster wants to SNAT 1-1 to a different class C network.

-Tom
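As an added illustration of the two routes the thread describes (the NETMAP target from an extension script in Tom's first reply, versus one masq line per host in the reply above), here is a POSIX sh snippet that is not code from the thread or from Shorewall itself: it emulates the 1:1 address rewrite NETMAP performs for the original poster's 10.1.1.0/24 to 10.8.8.0/24 case, prints the iptables line a /etc/shorewall/start script would issue, and expands the equivalent per-host masq entries. The interface roles (eth1 LAN, eth2 DMZ) and the three-column masq layout INTERFACE SUBNET ADDRESS are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: emulate what the
# netfilter NETMAP target does to a source address, print the rule a
# /etc/shorewall/start extension script would issue, and expand the
# per-host masq entries the manual alternative needs.
# Assumptions: LAN 10.1.1.0/24 behind eth1, DMZ on eth2, mapped net 10.8.8.0/24.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap_addr ADDR NEWNET/PREFIX: keep ADDR's host bits, swap in NEWNET's
# network bits. This is the 1:1 mapping NETMAP applies to every packet,
# so 10.1.1.25 becomes 10.8.8.25 for a /24 (works for any prefix length).
netmap_addr() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    plen=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    int2ip $(( (net & mask) | (addr & ~mask & 0xFFFFFFFF) ))
}

# netmap_rule LANNET DMZ_IF NEWNET: one POSTROUTING rule covers the whole
# range (iptables NETMAP syntax), instead of one masq entry per host.
netmap_rule() {
    echo "iptables -t nat -A POSTROUTING -s $1 -o $2 -j NETMAP --to $3"
}

# masq_entries DMZ_IF LANNET NEWNET (both nets written as x.y.z.0): the
# per-host INTERFACE SUBNET ADDRESS lines a /24 needs in /etc/shorewall/masq
# (hosts .1 to .254, so 254 lines).
masq_entries() {
    i=1
    while [ "$i" -le 254 ]; do
        echo "$1 ${2%.*}.$i ${3%.*}.$i"
        i=$((i + 1))
    done
}

netmap_addr 10.1.1.25 10.8.8.0/24           # 10.8.8.25
netmap_rule 10.1.1.0/24 eth2 10.8.8.0/24
masq_entries eth2 10.1.1.0 10.8.8.0 | head -n 3
```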
On Tuesday 03 February 2004 08:29 pm, Tom Eastep wrote:
> Of course you can -- if you want 256 entries on your
> /etc/shorewall/masq file to cover the class C network that the
> original poster wants to SNAT 1-1 to a different class C network.

Thanks. So if the original poster only actually needed to masq local connections to the DMZ, the poster could alternatively just simply use:

    eth2    eth1

....in his masq file, and all connections would appear as if they were originating from eth2's IP address? (Using the setup below as an example.)

    eth0 = DSL: Public IP via DHCP (internet)
    eth1 = Loc-LAN: 192.168.100.1/24
    eth2 = DMZ: 10.0.10.1/24

My "/etc/shorewall/masq" file looked like:

    eth0    eth1
    eth2    eth1