Joshua Banks
2003-Aug-01 00:20 UTC
[Shorewall-users] Differences between SNAT and Dynamic Nat?
Let's say that I have 6 usable static public IP addresses assigned by my ISP off of ETH0 (205.16.202.1/24 through .6). The .1 is assigned to ETH0. And I have 4 RFC1918 subnets in my "Local Zone": A, B, C & D.

SNAT? When applying "SNAT", this will allow me to specify that when connections are initiated from Subnet "A" I want them to be seen as ETH0's .1 public address as they go out to the internet. I want Subnet "B" to be seen as ETH0's .2 public address as they go out to the internet. And my "masq file" would look something like this:

#INTERFACE      SUBNET          ADDRESS
eth0            192.168.1.0/24                  #Subnet A (?is this Dynamic Nat?)
eth0:0          192.168.2.0/24                  #Subnet B (?is this SNAT?)

Is this what SNAT allows me to do, assuming that I have .2 bound to my ETH0 NIC card as well or have set "ADD_SNAT_ALIASES=Yes" in /etc/shorewall/shorewall.conf?

If my description above is correct, what is the limitation on how many subnets I can SNAT?

Sorry for all the questions but I am a little confused on the subtle differences of Dynamic Nat and SNAT.

Thanks,
Joshua Banks
Ed Greshko
2003-Aug-01 01:56 UTC
[Shorewall-users] Differences between SNAT and Dynamic Nat?
On Fri, 2003-08-01 at 15:19, Joshua Banks wrote:
> Sorry for all the questions but I am a little confused
> on the subtle differences
> of Dynamic Nat and SNAT.

Have a read of:

http://shorewall.greshko.com/shorewall_setup_guide.htm#SNAT

and

http://shorewall.greshko.com/shorewall_setup_guide.htm#DNAT

Does this help to clear the confusion?

--
http://www.shorewall.net Shorewall, for all your firewall needs
Joshua Banks
2003-Aug-01 02:35 UTC
[Shorewall-users] Differences between SNAT and Dynamic Nat?
Hi Ed,

Yes I've read this. I understand DNAT for the most part. What I'm getting confused with is Dynamic Nat (not DNAT) and an SNAT setting within the same Shorewall "Masq file".

This is what the top of the "Masq file" says:

"Use this file to define dynamic NAT (Masquerading) and to define Source NAT (SNAT)."

This gives me the impression that the dynamic NAT and SNAT within this same file have some kind of subtle difference.

Thanks Ed,
JBanks

--- Ed Greshko <Ed.Greshko@greshko.com> wrote:
> On Fri, 2003-08-01 at 15:19, Joshua Banks wrote:
>
> > Sorry for all the questions but I am a little confused
> > on the subtle differences
> > of Dynamic Nat and SNAT.
>
> Have a read of:
>
> http://shorewall.greshko.com/shorewall_setup_guide.htm#SNAT
>
> and
>
> http://shorewall.greshko.com/shorewall_setup_guide.htm#DNAT
>
> Does this help to clear the confusion?
>
> --
> http://www.shorewall.net Shorewall, for all
> your firewall needs
Tom Eastep
2003-Aug-01 06:59 UTC
[Shorewall-users] Differences between SNAT and Dynamic Nat?
On Fri, 2003-08-01 at 00:19, Joshua Banks wrote:

This is really complex. For each entry in the /etc/shorewall/masq file:

  Is the third column empty? - Yes -> Dynamic SNAT
              |                        (Masquerading)
              No
              |
              v
         Static SNAT

Dynamic SNAT is for people whose external IP address is dynamic. The source address for outbound packets changes along with the IP address.

Static SNAT allows you to do what you suggested in your post but you had best read

http://shorewall.net/Shorewall_and_Aliased_Interfaces.html

to get the entries right.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Joshua Banks
2003-Aug-01 15:21 UTC
[Shorewall-users] Differences between SNAT and Dynamic Nat?
Thanks for the reply Tom,

My "Masq file" reads,
****************************
#INTERFACE      SUBNET          ADDRESS
ppp0            eth0
****************************

So your explanation helps. And just to clarify.... Depending how my connection is negotiated to the ISP, either Static or Dynamic IPs, shorewall will only do one or the other (dynamic snat)-(static snat) but never both at the same time???

My problem is the fact that I worked for WatchGuard Technologies as 3rd tier Tech Suppt Analyst. I don't know if you're familiar with them, but they make several different firewalls and are based out of Seattle. Anyways, so how I've learned about Dynamic Nat, Static Nat, Proxy Arp and One to One nat is different, to say the least. Concepts are same but different at the same time. Which is why I'm trying to get an understanding of the way Shorewall works. Please bear with me. I'm sure that I will have more peculiar questions to come.

I think the other thing that has happened is I'm running Mandrake 9.0 and implemented the internet connection sharing module which obviously set up the shorewall settings for me.

Thanks for all the time and patience that you put into Shorewall. It's an awesome learning experience and a very fun firewall.

Thanks,
JBanks

--- Tom Eastep <teastep@shorewall.net> wrote:
> On Fri, 2003-08-01 at 00:19, Joshua Banks wrote:
>
> This is really complex. For each entry in the
> /etc/shorewall/masq file:
>
>   Is the third column empty? - Yes -> Dynamic SNAT
>               |                        (Masquerading)
>               No
>               |
>               v
>          Static SNAT
>
> Dynamic SNAT is for people whose external IP address
> is dynamic. The
> source address for outbound packets changes along
> with the IP address.
> Static SNAT allows you to do what you suggested in
> your post but you had
> best read
>
> http://shorewall.net/Shorewall_and_Aliased_Interfaces.html
>
> to get the entries right.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Aug-01 15:35 UTC
[Shorewall-users] Differences between SNAT and Dynamic Nat?
On Fri, 2003-08-01 at 15:21, Joshua Banks wrote:
> Thanks for the reply Tom,
>
> My "Masq file" reads,
> ****************************
> #INTERFACE      SUBNET          ADDRESS
> ppp0            eth0
> ****************************
>
> So your explanation helps. And just to clarify....
> Depending how my connection is negotiated to the ISP,
> either Static or Dynamic IPs, shorewall will only do
> one or the other (dynamic snat)-(static snat) but
> never both at the same time???

The third column (ADDRESS) in your entry is empty; therefore, you are using Masquerading (dynamic SNAT).

Each entry in the file either has an empty third column or it doesn't -- so each entry in the file defines either dynamic or static SNAT. But you can have multiple entries in the file.

Suppose that your ISP has assigned you IP addresses 206.124.146.176 and 206.124.146.177 and that your ppp0 interface always has the first address (but traffic for the second interface is also routed down the PPPoE). If you have two computers behind the firewall (192.168.1.1 and 192.168.1.2), you could:

#INTERFACE      SUBNET          ADDRESS
ppp0            192.168.1.1                     #Dynamic -- this computer will use
                                                # 206.124.146.176
ppp0            192.168.1.2     206.124.146.177

The above example uses individual host addresses in the second column; you can of course use network addresses as well.

> My problem is the fact that I worked for WatchGuard
> Technologies as 3rd tier Tech Suppt Analyst. I don't
> know if you're familiar with them,

I'm familiar with them.

> I think the other thing that has happened is I'm
> running Mandrake 9.0 and implemented the internet
> connection sharing module which obviously set up the
> shorewall settings for me.

It would still be a good idea for you to go through

http://shorewall.net/two-interface.htm

to see how to set up a two-interface environment from the samples (beware the fact that the Mandrake zone naming/usage is a bit brain-damaged).

> Thanks for all the time and patience that you put into
> Shorewall. It's an awesome learning experience and a
> very fun firewall.

You are welcome.

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
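As an added illustration (not from this thread and not Shorewall's own code), here is a small Python parser that applies Tom's rule to a constructed /etc/shorewall/masq file: an entry with an empty ADDRESS column is dynamic SNAT (MASQUERADE) and one with an address is static SNAT. The rendered iptables rules are my own approximation of what each entry means, stripping the alias suffix (eth0:0 to eth0) for the -o match is an assumption, and an interface name in the SUBNET column is rendered as a labelled placeholder rather than resolved against a routing table.

```python
"""Classify /etc/shorewall/masq entries as dynamic or static SNAT (constructed
example, not Shorewall's parser; rendered iptables rules are an approximation)."""
from dataclasses import dataclass

# Constructed sample masq file combining the entries discussed in the thread.
SAMPLE_MASQ = """\
#INTERFACE      SUBNET          ADDRESS
ppp0            eth0                            # masquerade everything behind eth0
ppp0            192.168.1.1                     # dynamic: follows ppp0's address
ppp0            192.168.1.2     206.124.146.177 # static: fixed public address
eth0            192.168.1.0/24                  # Subnet A, dynamic
eth0:0          192.168.2.0/24  205.16.202.2    # Subnet B, static via alias
"""

@dataclass
class MasqEntry:
    interface: str   # outgoing interface, possibly with an alias suffix (eth0:0)
    subnet: str      # source: a host, a network, or an interface name
    address: str     # empty means dynamic SNAT (masquerading)

    @property
    def kind(self) -> str:
        # Tom's rule: empty third column -> dynamic, otherwise static.
        return "dynamic" if not self.address else "static"

    def iptables_rule(self) -> str:
        # Assumption: the alias suffix only matters for ADD_SNAT_ALIASES;
        # netfilter matches on the physical interface.
        physical = self.interface.split(":", 1)[0]
        # An interface name in SUBNET means "networks routed via it"; placeholder here.
        source = f"-s {self.subnet}" if "." in self.subnet else f"-s <networks routed via {self.subnet}>"
        rule = f"iptables -t nat -A POSTROUTING -o {physical} {source}"
        if self.kind == "dynamic":
            return f"{rule} -j MASQUERADE"
        return f"{rule} -j SNAT --to-source {self.address}"

def parse_masq(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"masq entry needs INTERFACE and SUBNET: {raw!r}")
        address = fields[2] if len(fields) > 2 else ""
        entries.append(MasqEntry(fields[0], fields[1], address))
    return entries
```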