John Laur
2002-Jul-28 23:55 UTC
[Shorewall-users] Interface names support in 'nat' EXTERNAL_INTERFACES?
Greetings. The account I have with my cable provider allows me to have 1 static IP and 5 dynamic IPs. I manage all my traffic via shorewall running on a Soekris Engineering Net4501 - a small router computer with three 10/100 ethernet ports. One port is plugged into the cable modem. Another services the DMZ (where the machine using the static IP resides), and the third interface handles the internal network masqueraded behind a DHCP address that is pulled by the firewall machine. -- A fairly standard setup.

Anyway, the time came when I wanted to do 1:1 NAT for some internal machines using the 4 other DHCP addresses I pay for, so now I have the firewall machine pulling 5 total DHCP IP addresses on eth2 and eth2:0-3. I have set up the proper rules in /etc/shorewall/nat and 1:1 NAT works fine -- until the external IP address changes (which does happen here from time to time even though the firewall is on and renewing IPs all the time).

So, the final question is, is there a way that I can specify the interface alias name (for instance eth2:0) in the EXTERNAL column of /etc/shorewall/nat rather than the IP address of eth2:0 and have shorewall configure an appropriate firewall rule so that my 1:1 NAT does not break when the IP address changes?

BTW I'm running the shorewall package distributed with debian/woody, but would be happy to upgrade if a newer version has a fix for this (the documentation seemed to indicate that it does not). My other approach is to have my dhcp client call a script that updates the shorewall/nat file and reloads the rules every time the address changes. I can set it up to do this, but it seems cleaner if shorewall could handle it...

Thanks,
John
Tom Eastep
2002-Jul-29 00:07 UTC
[Shorewall-users] Interface names support in 'nat' EXTERNAL_INTERFACES?
On 28 Jul 2002, John Laur wrote:

> So, the final question is, is there a way that I can specify the
> interface alias name (for instance eth2:0) in the EXTERNAL column of
> /etc/shorewall/nat rather than the IP address of eth2:0 and have
> shorewall configure an appropriate firewall rule so that my 1:1 nat does
> not break when the ip address changes?

No. The "eth2:0" notation is an artifact of the traditional net tools (ifconfig) and is not supported by iptables. It is only supported by iproute (ip) to the extent that ip can create these "aliases" -- it doesn't need them for anything.

> My other approach is to have my dhcp client call a script that updates
> the shorewall/nat file and reloads the rules every time the address
> changes. I can set it up to do this, but it seems cleaner if shorewall
> could handle it...

I'm afraid you are going to have to take that approach...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
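The hook-script approach John describes and Tom confirms as the only option, written out as an added example that is not part of the thread or of Shorewall itself. It assumes the Shorewall 1.x nat file layout (EXTERNAL, INTERFACE, INTERNAL, ALL INTERFACES, LOCAL), the dhclient-script variables $reason, $interface and $new_ip_address, and a hypothetical mapping from each lease's interface label to the internal host that uses that address.

```shell
#!/bin/sh
# Added example (not from the thread): a dhclient exit hook that rewrites the
# EXTERNAL column of /etc/shorewall/nat when a lease delivers a new address and
# reloads Shorewall only when a row actually changed, so routine renewals that
# keep the same address never restart the firewall.
# Assumed nat file layout (Shorewall 1.x):
#   EXTERNAL        INTERFACE   INTERNAL        ALL_INTERFACES   LOCAL
# Assumed dhclient-script variables: $reason, $interface, $new_ip_address.

NAT_FILE="${NAT_FILE:-/etc/shorewall/nat}"

# Hypothetical mapping from the lease's interface label to the internal host
# whose 1:1 NAT row should follow that lease; adjust to the real rows.
internal_for_lease() {
    case "$1" in
        eth2:0) echo 192.168.1.10 ;;
        eth2:1) echo 192.168.1.11 ;;
        *) return 1 ;;
    esac
}

# update_nat_external FILE INTERNAL_IP NEW_EXTERNAL_IP
# Sets the EXTERNAL column of every row whose INTERNAL column is INTERNAL_IP.
# Prints 1 if the file was modified, 0 if it already carried that address.
update_nat_external() {
    file=$1 internal=$2 newip=$3
    tmp="$file.tmp.$$"
    awk -v internal="$internal" -v newip="$newip" 'BEGIN { OFS = "\t" }
        /^[[:space:]]*#/ || NF < 3 { print; next }   # comments and blank lines
        $3 == internal && $1 != newip { $1 = newip }  # rewrite EXTERNAL only
        { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 2; }
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"; echo 0
    else
        mv "$tmp" "$file"; echo 1
    fi
}

# Entry point when sourced by dhclient-script after a lease event.
case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT)
        if host=$(internal_for_lease "$interface") &&
           [ "$(update_nat_external "$NAT_FILE" "$host" "$new_ip_address")" = 1 ]; then
            /sbin/shorewall restart
        fi
        ;;
esac
```

Install it as a dhclient exit hook (for example /etc/dhclient-exit-hooks on woody) and set NAT_FILE if the nat file lives elsewhere; the mapping function is the only part that must be tailored to the real addresses.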