100 jamz tech support
2003-Jun-19 08:54 UTC
[Shorewall-users] Shorewall behind shorewall question
Well, I thought I knew what I was doing and that I had seen some of this discussed or documented, but I can't seem to find things this morning and my experiments are failing.

I have a shorewall box (box 1) connecting my internal stuff to the internet. Internal address 192.168.aaa.1 - it is masquerading the internal stuff.

Behind this are two other shorewall boxes currently set up like this.

box 2 - external ip 192.168.aaa.2 internal ip 192.168.bbb.1 - it is masquerading
box 3 - external ip 192.168.aaa.4 internal ip 192.168.ccc.1 - it is masquerading

I want to stop the masquerading on box 2 and box 3 and route all of the internal class Cs and just masq everything out of box 1.

Is anyone doing this? Can you point me to some info?

all the best,

drew
On Thu, 2003-06-19 at 08:43, 100 jamz tech support wrote:
> I want to stop the masquerading on box 2 and box 3 and route all of the
> internal class Cs and just masq everything out of box 1.
>

a) Remove the entries in the /etc/shorewall/masq file on boxes 2 and 3.
b) On box 1, add routes to the internal subnets gatewayed through boxes 2 and 3.
c) Restart Shorewall on box 1 (this assumes that the /etc/shorewall/masq entry on box 1 has the name of the internal interface in the second column. In that case, Shorewall looks at the routing table to determine the subnetworks to be masqueraded).

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
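A check for steps (b) and (c) in the reply above, as an added example that is not part of the thread and not Shorewall's own code: it lists the networks box 1's routing table reaches through the internal interface, which is what step (c) relies on, and reports any expected subnet that is missing. The interface name eth1, the function names, and the 192.168.10/20/30 networks (standing in for the aaa/bbb/ccc networks in the thread) are constructed assumptions.

```shell
#!/bin/sh
# Routes of the kind step (b) adds on box 1 (constructed addresses):
#   ip route add 192.168.20.0/24 via 192.168.10.2   # behind box 2
#   ip route add 192.168.30.0/24 via 192.168.10.4   # behind box 3

# Print the destination of every route that leaves through interface $1.
# Input: route table text in the format printed by `ip route show`, on stdin.
routed_subnets() {
    awk -v ifc="$1" '{
        for (i = 2; i < NF; i++)
            if ($i == "dev" && $(i + 1) == ifc) { print $1; break }
    }'
}

# Print each expected network ($2...) that has no route via interface $1.
# Empty output means every internal subnet is visible through that interface.
missing_subnets() {
    ifc=$1; shift
    have=$(routed_subnets "$ifc")
    for net in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$net" || printf '%s\n' "$net"
    done
}

# Constructed sample of box 1's routing table after step (b).
SAMPLE_ROUTES='192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.1
192.168.20.0/24 via 192.168.10.2 dev eth1
192.168.30.0/24 via 192.168.10.4 dev eth1
default via 203.0.113.1 dev eth0'

echo "Networks routed through eth1 in the sample table:"
printf '%s\n' "$SAMPLE_ROUTES" | routed_subnets eth1

echo "Expected networks with no route via eth1:"
printf '%s\n' "$SAMPLE_ROUTES" |
    missing_subnets eth1 192.168.20.0/24 192.168.30.0/24 192.168.40.0/24
```

On the firewall itself, feed the functions the live table instead of the sample: `ip route show | missing_subnets eth1 <subnet> ...`.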
On Thu, 2003-06-19 at 11:31, 100 jamz tech support wrote:
> I tried your suggestion. It did not work.

My suggestion wouldn't work if you are running a Shorewall version older than 1.3.14. But given that you apparently tried explicitly listing the masqueraded networks twice where one time worked and the other didn't, it's hard to draw any conclusions either way.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net