Ok, I am getting myself a little confused with Source NAT and Static NAT. I believe what I want is STATIC NAT, where in my three-interface setup eth0 listens for an additional public IP and forwards those requests to a private IP located either on eth1 or eth2. Ok, so http://www.shorewall.net/NAT.htm says to add that information to the /etc/shorewall/nat file.

I'm not sure if this is my problem or not, but the box that I'm setting up is not connected to any networks. When I entered my information following the format described in the above page, I got an error right after it went to process nat and gave an IPTABLES error... I commented out the three entries I had there and everything started up correctly. Did this happen because I was not plugged into any networks?

Also, what would I have to change to make Shorewall wide open? Basically not being used, other than for its NAT. I have a site that I want to install and test it at, but I want to work the other way around: starting from an open system and then tightening it down. I know this is an odd request and would be defeating the purpose of a firewall, but for my current situation it would be the easiest way to implement it.

Thanks,
Jayson
--On Tuesday, November 19, 2002 11:22:22 PM -0500 Jayson <web@saiforce.com> wrote:

> Ok, I am getting myself a little confused with Source NAT and Static NAT.
> I believe what I want is STATIC NAT, where in my three-interface setup
> eth0 listens for an additional public IP and forwards those requests to a
> private IP located either on eth1 or eth2. Ok, so
> http://www.shorewall.net/NAT.htm says to add that information to the
> /etc/shorewall/nat file.
>
> I'm not sure if this is my problem or not, but the box that I'm setting
> up is not connected to any networks. When I entered my information
> following the format described in the above page, I got an error right
> after it went to process nat and gave an IPTABLES error... I commented
> out the three entries I had there and everything started up correctly.
> Did this happen because I was not plugged into any networks?
>
> Also, what would I have to change to make Shorewall wide open? Basically
> not being used, other than for its NAT. I have a site that I want to
> install and test it at, but I want to work the other way around:
> starting from an open system and then tightening it down. I know this is
> an odd request and would be defeating the purpose of a firewall, but for
> my current situation it would be the easiest way to implement it.

If you don't understand the difference between static NAT and source NAT then you haven't read and understood the basic information in the QuickStart Guides (primarily http://shorewall.sf.net/shorewall_setup_guide.htm). Posting on this list is not a substitute for reading and understanding the basic Shorewall documentation.

If you have specific questions about material covered in those documents, feel free to post them here.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
--On Tuesday, November 19, 2002 08:33:29 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> If you don't understand the difference between static NAT and source NAT
> then you haven't read and understood the basic information in the
> QuickStart Guides (primarily
> http://shorewall.sf.net/shorewall_setup_guide.htm). Posting on this list
> is not a substitute for reading and understanding the basic Shorewall
> documentation.
>
> If you have specific questions about material covered in those documents,
> feel free to post them here.
>

Let me add something here. I'm not trying to give you a hard time. If you have read the Setup Guide (but just didn't mention it) and you find that the Guide doesn't adequately explain the difference between SNAT and static NAT, then the Guide needs fixing.

When you have entries in the NAT table and have set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf, then Shorewall will try to add the external IP address to the external interface named in each entry; if the interface isn't started then you will get an error.

Also, to address your question of how to make Shorewall wide open -- remove the existing policies and add the single policy

all all ACCEPT

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
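The three files Tom's reply touches on, written out as an added illustration rather than anything posted in the thread; the external address 192.0.2.10, the internal host 10.1.1.2 and the interface names are constructed placeholders:

```conf
# /etc/shorewall/nat -- one static (one-to-one) NAT entry in the format
# described at http://www.shorewall.net/NAT.htm.  Columns: EXTERNAL,
# INTERFACE, INTERNAL, ALL INTERFACES, LOCAL.  Addresses are constructed.
#EXTERNAL        INTERFACE   INTERNAL     ALL INTERFACES   LOCAL
192.0.2.10       eth0        10.1.1.2     no               no

# /etc/shorewall/shorewall.conf -- with ADD_IP_ALIASES=Yes, "shorewall start"
# also tries to add 192.0.2.10 to eth0 for the entry above and fails if eth0
# is not up, which matches the symptom on the unplugged box in this thread.
# With No, the nat rules still load; the address then has to be present on
# eth0 by other means before the box will answer for it.
ADD_IP_ALIASES=No

# /etc/shorewall/policy -- the single "wide open" policy Tom describes.
# Every zone, the firewall itself included, may reach every other zone, so
# the filter table passes everything and only the nat entries do any work.
#SOURCE   DEST   POLICY   LOG LEVEL
all       all    ACCEPT
```

Tightening down later means replacing that one policy with per-zone policies (for example net-to-loc DROP) and putting explicit exceptions in /etc/shorewall/rules, as the QuickStart Guides describe.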