I'm normally hiding the internal network behind the external firewall IP address, but I would like NOT to SNAT traffic for a specific TCP port. Is this possible?

riccardo
rv wrote:
> I'm normally hiding the internal network behind the external firewall IP
> address, but I would like NOT to SNAT traffic for a specific TCP port.
> Is this possible?
>

Create /etc/shorewall/start if it doesn't already exist and in it place the following:

    run_iptables -t nat -I <extif>_net -p tcp --dport <port> -j RETURN

Where <extif> is your external interface and <port> is the port number. For example, to not masquerade port 12 through eth0:

    run_iptables -t nat -I eth0_nat -p tcp --dport 12 -j RETURN

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
> rv wrote:
>
>> I'm normally hiding the internal network behind the external firewall
>> IP address, but I would like NOT to SNAT traffic for a specific TCP
>> port. Is this possible?
>>

My previous response assumed that you wanted to allow the connection but didn't want the source IP address modified. If you simply want to reject the request, just add a REJECT rule to /etc/shorewall/rules.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Yes, your assumption was correct; however I'm getting the following:

    Processing /etc/shorewall/start
    iptables: no chain/target/match with that name

after which shorewall terminates. What could I be doing wrong? (I'm running the latest shorewall version)

riccardo

On Thursday, Feb 13, 2003, at 15:35 Europe/London, Tom Eastep wrote:
>
>> rv wrote:
>>> I'm normally hiding the internal network behind the external
>>> firewall IP address, but I would like NOT to SNAT traffic for a
>>> specific TCP port. Is this possible?
>>>
>
> My previous response assumed that you wanted to allow the connection
> but didn't want the source IP address modified. If you simply want to
> reject the request, just add a REJECT rule to /etc/shorewall/rules.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://www.shorewall.net
> Washington USA    \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.shorewall.net
> http://lists.shorewall.net/mailman/listinfo/shorewall-users
rv wrote:
> Yes, your assumption was correct; however I'm getting the following:
>
>     Processing /etc/shorewall/start
>     iptables: no chain/target/match with that name
>
> after which shorewall terminates. What could I be doing wrong? (I'm
> running the latest shorewall version)
>

Oops -- I gave you the wrong chain name. My instructions should have read:

Create /etc/shorewall/start if it doesn't already exist and in it place the following:

    run_iptables -t nat -I <extif>_masq -p tcp --dport <port> -j RETURN

Where <extif> is your external interface and <port> is the port number. For example, to not masquerade port 12 through eth0:

    run_iptables -t nat -I eth0_masq -p tcp --dport 12 -j RETURN

Sorry,
-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
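The fix above relies on rule ordering: `-I` inserts the RETURN rule at the head of the `eth0_masq` chain, so it is evaluated before the MASQUERADE rule Shorewall generates, and matching packets leave the chain un-SNATed. The following script is an added example, not code from the thread or from Shorewall: it checks an `iptables-save -t nat` dump for that ordering, using a constructed dump with the thread's eth0 / port 12 values (the 192.168.1.0/24 LAN prefix is an assumption) and a second constructed dump showing the failure mode where the rule was appended with `-A` and therefore sits after MASQUERADE, never matching.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the RETURN rule placed by
# /etc/shorewall/start precedes the MASQUERADE rule in the <extif>_masq chain.
# With -I the rule is inserted at the head of the chain; with -A it would be
# appended after MASQUERADE, where it is dead code (MASQUERADE is terminating).

# Constructed sample of `iptables-save -t nat` output after the thread's
# run_iptables command (eth0, port 12). The LAN prefix is an assumption.
SAMPLE_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eth0_masq - [0:0]
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -p tcp -m tcp --dport 12 -j RETURN
-A eth0_masq -s 192.168.1.0/24 -j MASQUERADE
COMMIT'

# Constructed sample of the failure mode: the same rule appended with -A, so
# it sits after MASQUERADE and never sees a packet.
SAMPLE_BAD='*nat
:POSTROUTING ACCEPT [0:0]
:eth0_masq - [0:0]
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 192.168.1.0/24 -j MASQUERADE
-A eth0_masq -p tcp -m tcp --dport 12 -j RETURN
COMMIT'

# masq_exempt_ok CHAIN PORT DUMP
# Exit 0 when DUMP contains a "-p tcp ... --dport PORT -j RETURN" rule in
# CHAIN that comes before the first MASQUERADE rule of that chain; else 1.
masq_exempt_ok() {
    _chain=$1; _port=$2; _dump=$3
    printf '%s\n' "$_dump" | awk -v chain="$_chain" -v port="$_port" '
        $1 == "-A" && $2 == chain {
            n++
            if ($0 ~ /-p tcp/ && $0 ~ ("--dport " port " -j RETURN") && !ret) ret = n
            if ($0 ~ /-j MASQUERADE/ && !masq) masq = n
        }
        END { exit (ret && (!masq || ret < masq)) ? 0 : 1 }'
}

# masq_exempt_live CHAIN PORT
# Same check against the running kernel; needs root and iptables-save.
masq_exempt_live() {
    masq_exempt_ok "$1" "$2" "$(iptables-save -t nat)"
}

if masq_exempt_ok eth0_masq 12 "$SAMPLE_OK"; then
    echo "sample OK: port 12 RETURN precedes MASQUERADE in eth0_masq"
fi
if ! masq_exempt_ok eth0_masq 12 "$SAMPLE_BAD"; then
    echo "sample BAD: RETURN sits after MASQUERADE, exemption never matches"
fi
```

On a live firewall, `masq_exempt_live eth0_masq 12` (as root) runs the same check against the current nat table; a non-zero exit means either the chain name is wrong (the "no chain/target/match" error seen earlier in the thread) or the rule ended up below MASQUERADE.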