I was wondering if there is a way to make exceptions to NAT entries. For
example,

#external       interface  internal   all  local
63.174.xxx.xx   eth1       192.x.x.x  Yes  No

Now I want 63.174.xxx.xx:1645 to forward to 192.x.x.y

But it looks like the NAT is processed before the rules, so it will always be
NATed, and not portforwarded.

Am I looking at this right, or is there a way around this?

--
Regards
Joseph
http://www.datakota.com

On Sat, 17 Aug 2002, Joseph T Watson wrote:

> I was wondering if there is a way to make exceptions to NAT entries. For
> example,
>
> #external       interface  internal   all  local
> 63.174.xxx.xx   eth1       192.x.x.x  Yes  No
>
> Now I want 63.174.xxx.xx:1645 to forward to 192.x.x.y
>
> But it looks like the NAT is processed before the rules, so it will always be
> NATed, and not portforwarded.
>
> Am I looking at this right, or is there a way around this?

You might investigate the NAT_BEFORE_RULES variable in shorewall.conf.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

Thanks Tom,

I must have had some stale code from a Mandrake rpm, but they had a new one
and now the NAT_BEFORE_RULES works like it is supposed to!! :)

The more I use Shorewall the more I like it.

Great product

Thanks

--
Regards
Joseph
http://www.datakota.com

On Saturday 17 August 2002 12:39 pm, Tom Eastep wrote:
> On Sat, 17 Aug 2002, Joseph T Watson wrote:
> > I was wondering if there is a way to make exceptions to NAT entries. For
> > example,
> >
> > #external       interface  internal   all  local
> > 63.174.xxx.xx   eth1       192.x.x.x  Yes  No
> >
> > Now I want 63.174.xxx.xx:1645 to forward to 192.x.x.y
> >
> > But it looks like the NAT is processed before the rules, so it will
> > always be NATed, and not portforwarded.
> >
> > Am I looking at this right, or is there a way around this?
>
> You might investigate the NAT_BEFORE_RULES variable in shorewall.conf.
>
> -Tom

On Sat, 17 Aug 2002, Joseph T Watson wrote:

> Thanks Tom,
>
> I must have had some stale code from a Mandrake rpm, but they had a new one
> and now the NAT_BEFORE_RULES works like it is supposed to!! :)

Yep -- I broke NAT_BEFORE_RULES and re-enabled it in a later release :-(

> The more I use Shorewall the more I like it.
>
> Great product

I'm pleased...

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net