I have a firewall set up with these (same :-) 3 zones:

"net" - external address 212.1.1.1 (fixed IP), network = 212.1.1.0/24 ... all IPs are usable on the firewall
"loc" zone with address 31.10.5.1, network 31.10.5.0/24
"dsl" zone with address 10.10.10.10, network 10.10.10.0/24

Now, on the zone "loc" I have a host 31.10.5.126 running a webserver on port 80... I wanted to SNAT the (NEW) internet IP address 212.1.1.2 to this host... So I changed the /etc/shorewall/nat file:

    #EXTERNAL   INTERFACE   INTERNAL      ALL INTERFACES   LOCAL
    212.1.1.2   eth0        31.10.5.126   yes              yes

Now it's forwarding 212.1.1.2 to local address 31.10.5.126 (all ports, all protocols). And IT Works!

Now I wanted to REJECT some protocols/ports, so I edited the /etc/shorewall/rules file and tried everything, but I didn't even get to block only one TCP port!

For example, to block TCP I tried several things:

    REJECT   net   net:212.1.1.2   tcp
    REJECT   net   loc:31.10.5.1   tcp

Or to block TCP port 80 I tried:

    REJECT   net   loc:212.1.1.2:80   tcp

Nothing worked.....

Question: What is the correct rule in this config?
Oops... Made a stupid mistake...

The NEW question is now... How do I GRANT access to some ports on an IP address which is SNAT'ted to an internal interface?

Thx.!
Niels

-----Original Message-----
From: niels@wxn.nl [mailto:niels@wxn.nl]
Sent: 29 July 2002 14:20
To: shorewall-users@shorewall.net
Subject: [Shorewall-users] (S)NAT Question
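Added example, not part of the thread and not Shorewall's own code: a small checker for the mistake the two posts above run into. Shorewall's one-to-one NAT entries from /etc/shorewall/nat are applied before the filter rules are evaluated, so the filter only ever sees the internal address (31.10.5.126), never the external one (212.1.1.2). A rule in /etc/shorewall/rules that names the external address therefore matches nothing, and a REJECT written that way gives no protection at all. The script parses constructed copies of both files (mirroring the thread's entries), flags rules whose SOURCE or DEST names a one-to-one NAT external address, and suggests the rewrite using the internal address. File contents, the sample port 25 rule and all function names are this example's own assumptions; the zone in a flagged rule must also be the zone the internal host lives in, which the nat file does not record, so the checker cannot fix that part for you.

```python
"""Check Shorewall rules against one-to-one NAT entries (added example).

Filtering happens after the nat-file translation, so rules must name the
INTERNAL address of a NAT'ed host. This script flags rules that name the
EXTERNAL address instead and proposes the corrected rule. IPv4 only,
matching the 2002-era files in the thread.
"""

# Constructed sample of /etc/shorewall/nat, mirroring the thread's entry.
NAT_FILE = """\
#EXTERNAL   INTERFACE   INTERNAL      ALL INTERFACES   LOCAL
212.1.1.2   eth0        31.10.5.126   yes              yes
"""

# Constructed sample of /etc/shorewall/rules.
# Columns: ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
RULES_FILE = """\
#ACTION   SOURCE   DEST               PROTO   DEST PORT(S)
# Wrong: names the external address, which the filter never sees.
REJECT    net      loc:212.1.1.2      tcp     25
# Right: grants web access to the NAT'ed host by its internal address.
ACCEPT    net      loc:31.10.5.126    tcp     80
"""


def parse_table(text):
    """Yield (line_no, fields) for each non-blank, non-comment line."""
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        yield line_no, stripped.split()


def parse_nat(text):
    """Map EXTERNAL address -> INTERNAL address from the nat file."""
    return {fields[0]: fields[2] for _, fields in parse_table(text)}


def host_address(spec):
    """Return the address part of a zone spec such as 'loc:31.10.5.126',
    or None for a bare zone such as 'net'. A trailing ':80' as in the
    thread's 'loc:212.1.1.2:80' is ignored (ports belong in their own
    column)."""
    parts = spec.split(":")
    if len(parts) < 2:
        return None
    return parts[1]


def check_rules(nat_map, rules_text):
    """Return findings (line_no, fields, external, internal) for each rule
    whose SOURCE or DEST column names a one-to-one NAT external address."""
    findings = []
    for line_no, fields in parse_table(rules_text):
        if len(fields) < 3:
            continue  # not a complete ACTION SOURCE DEST line
        for spec in fields[1:3]:  # SOURCE and DEST columns
            addr = host_address(spec)
            if addr in nat_map:
                findings.append((line_no, fields, addr, nat_map[addr]))
    return findings


def rewrite_rule(fields, nat_map):
    """Rewrite a flagged rule so SOURCE/DEST name the internal address.
    The zone prefix is kept as written; it must be the internal host's
    zone ('loc' in the thread), which the caller has to verify."""
    fixed = []
    for i, spec in enumerate(fields):
        if i in (1, 2):
            addr = host_address(spec)
            if addr in nat_map:
                spec = spec.replace(addr, nat_map[addr], 1)
        fixed.append(spec)
    return " ".join(fixed)


if __name__ == "__main__":
    nat_map = parse_nat(NAT_FILE)
    for line_no, fields, ext, internal in check_rules(nat_map, RULES_FILE):
        print(f"rules line {line_no}: {' '.join(fields)}")
        print(f"  {ext} is a one-to-one NAT external address; the filter sees {internal}")
        print(f"  suggested: {rewrite_rule(fields, nat_map)}")
```

Run against the constructed files, the REJECT on line 3 is reported and rewritten to `REJECT net loc:31.10.5.126 tcp 25`, while the ACCEPT for port 80 passes unchanged. Pointing the checker at real files is a matter of replacing the two constants with the contents of /etc/shorewall/nat and /etc/shorewall/rules.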
On Mon, 29 Jul 2002, niels@wxn.nl wrote:

> Oops... Made a stupid mistake...
>
> The NEW question is now... How do I GRANT access to some ports on an IP
> address which is SNAT'ted to an internal interface?
>
> Thx.! Niels
>

Before you post any more questions, I suggest that you read http://www.shoreall.net/shorewall_setup_guide.htm from front to back -- I think you'll have a lot fewer problems.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
AIM: tmeastep     \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net