Oops.. forgot to post to list.
> -----Original Message-----
> From: Gilson Soares [mailto:g.soares@datacraft.com.br]
> Sent: Friday, November 08, 2002 11:50 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Port forwarding with Nat
>
>
> I have a port forwarding that works fine:
>
> DNAT:info net:$TRUSTED loc:10.0.0.2 tcp 5800,5900
> Log:
> Shorewall:net2loc:DNAT:IN=eth1 OUT=eth0 SRC=200.162.4.16
> DST=10.0.0.2 ...
>
> as long as 10.0.0.2 has the default gateway set to the fw (10.0.0.1).
>
> I need to do the same with another internal host, but it has
> another GW, that I cannot change.
>
> Is there a way to do this, but having the fw to be the SRC
> for that packet; i.e., the reply will go to fw and then to
> destination ?
>
Tom showed me this trick the other day. It might apply to what you're asking.
Given the following:
My Lan = 192.168.9.0/24
Firewall loc IP = 192.168.9.1
Firewall net IP = xx.xx.xx.xx
Remote Lan = 192.168.1.0/24
IP of remote system = 192.168.1.3
LANs are connected by a VPN between shorewall boxes. Remote lan is
referenced as a shorewall zone called 'vpn'
Goal: allow ssh access from internet on port 2200 but redirect the packet
across the vpn tunnel to 192.168.1.3 with a destination port of 22. To do
this, the source address must be changed to appear to come from my
firewall. Shorewall rule:
DNAT net vpn:192.168.1.3:22 tcp 2200 - xx.xx.xx.xx:192.168.9.1
Make the necessary changes to fit your network. If this does not work, then
I'm sure Tom will reply with a solution to your question.
Steve Cowles
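The two rules in this thread differ in one column: the ORIGINAL DEST field, where a second address after the colon makes Shorewall rewrite the source as well as the destination. The script below is an added example (not Shorewall's code and not from anyone on the list) that parses a rules-file DNAT line in the classic column order (ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST) and expands it into the iptables rules it stands for, so the extra SNAT rule that Steve's version produces is visible next to the plain DNAT of Gilson's. The zone-to-interface map and the exact shape of the emitted commands are assumptions; Shorewall's real generated chains are more elaborate.

```python
"""Expand a Shorewall DNAT rule into the iptables rules it implies.

Added example, not Shorewall's own code. It assumes the classic rules-file
column order ACTION SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S) ORIGINAL-DEST
and a constructed zone-to-interface map; the emitted commands are a simplified
approximation of what Shorewall generates.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone -> interface map; in practice this comes from the interfaces file.
ZONE_IFACE = {"net": "eth0", "loc": "eth1", "vpn": "tun0"}


@dataclass
class DnatRule:
    src_zone: str
    src_addr: Optional[str]     # optional source restriction, e.g. $TRUSTED
    dst_zone: str
    dst_addr: str               # internal server the packet is rewritten to
    dst_port: Optional[str]     # port the packet is rewritten to, if any
    proto: str
    dports: List[str]           # port(s) the outside world connects to
    orig_dest: Optional[str]    # firewall address the client actually sent to
    snat_addr: Optional[str]    # if set, source is rewritten to this address


def _opt(value):
    """Map the Shorewall '-' placeholder (or empty) to None."""
    return None if value in ("-", "", None) else value


def parse_dnat_rule(line: str) -> DnatRule:
    cols = line.split()
    # "DNAT:info" carries a log level; the action itself is still DNAT.
    if len(cols) < 5 or cols[0].split(":")[0] != "DNAT":
        raise ValueError(f"not a DNAT rule: {line!r}")
    src = cols[1].split(":", 1)
    dst = cols[2].split(":")
    if len(dst) < 2:
        raise ValueError("DNAT DEST column needs zone:address[:port]")
    orig = _opt(cols[6]) if len(cols) > 6 else None
    # ORIGINAL DEST is "<original dest>[:<snat address>]".
    orig_dest, snat = (orig.split(":", 1) + [None])[:2] if orig else (None, None)
    return DnatRule(
        src_zone=src[0],
        src_addr=_opt(src[1]) if len(src) > 1 else None,
        dst_zone=dst[0],
        dst_addr=dst[1],
        dst_port=dst[2] if len(dst) > 2 else None,
        proto=cols[3],
        dports=cols[4].split(","),
        orig_dest=_opt(orig_dest),
        snat_addr=_opt(snat),
    )


def to_iptables(rule: DnatRule) -> List[str]:
    in_if = ZONE_IFACE[rule.src_zone]
    out_if = ZONE_IFACE[rule.dst_zone]
    # Ports as seen by the outside world; multiport handles a list like 5800,5900.
    dport_match = (f"--dport {rule.dports[0]}" if len(rule.dports) == 1
                   else f"-m multiport --dports {','.join(rule.dports)}")
    target = rule.dst_addr + (f":{rule.dst_port}" if rule.dst_port else "")
    pre = [f"iptables -t nat -A PREROUTING -i {in_if}"]
    if rule.src_addr:
        pre.append(f"-s {rule.src_addr}")
    if rule.orig_dest:
        pre.append(f"-d {rule.orig_dest}")
    pre.append(f"-p {rule.proto} {dport_match} -j DNAT --to-destination {target}")
    rules = [" ".join(pre)]
    # After DNAT the packet carries the internal address/port, so FORWARD and
    # POSTROUTING must match on those rather than on the public ones.
    inner_match = f"--dport {rule.dst_port}" if rule.dst_port else dport_match
    rules.append(f"iptables -A FORWARD -i {in_if} -o {out_if} -d {rule.dst_addr} "
                 f"-p {rule.proto} {inner_match} -j ACCEPT")
    if rule.snat_addr:
        # Rewrite the source too: the server then answers the firewall's own
        # address, so the reply returns through the firewall (and gets un-NATed)
        # even when the firewall is not the server's default gateway.
        rules.append(f"iptables -t nat -A POSTROUTING -o {out_if} -d {rule.dst_addr} "
                     f"-p {rule.proto} {inner_match} -j SNAT --to-source {rule.snat_addr}")
    return rules


def reply_path_is_symmetric(server_gateway: str, firewall_ip: str, snat: bool) -> bool:
    """Plain DNAT only works when the server's replies route back through the
    firewall that holds the conntrack entry; SNAT to a firewall address removes
    that dependency on the server's default gateway."""
    return snat or server_gateway == firewall_ip


if __name__ == "__main__":
    for line in ("DNAT:info net:$TRUSTED loc:10.0.0.2 tcp 5800,5900",
                 "DNAT net vpn:192.168.1.3:22 tcp 2200 - xx.xx.xx.xx:192.168.9.1"):
        print("#", line)
        print("\n".join(to_iptables(parse_dnat_rule(line))), end="\n\n")
```

Run it and the second rule produces three commands where the first produces two; the added POSTROUTING SNAT line is the whole difference, and it is what lets the host behind "another GW" in the original question answer back through the firewall.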