Shorewall users - Jul 2003 - SNAT

I am migrating one of my old fw from ipchains to iptables/shorewall. Now
I wish to configure a SNAT like this:

ipchains -A forward -p tcp -s 172.16.4.2 -d 0/0 53 -j MASQ

I have seen that the masq file enables me to do SNAT, but I wish to
restrict it to the 53 port only.

Can you tell me how to do it?  Thank.


-- 
Rodolfo Pilas <rodolfo@pilas.net>

On Thu, 2003-07-03 at 14:34, Rodolfo Pilas wrote:
> I am migrating one of my old fw from ipchains to iptables/shorewall. Now
> I wish to configure a SNAT like this:
> 
> ipchains -A forward -p tcp -s 172.16.4.2 -d 0/0 53 -j MASQ
> 
> I have seen that the masq file enables me to do SNAT, but I wish to
> restrict it to the 53 port only.
> 
> Can you tell me how to do it?  Thank.
May I ask WHY you want SNAT only on tcp port 53?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

On Thu, 2003-07-03 at 15:16, Rodolfo Pilas wrote:
> El jue, 03 de 07 de 2003 a las 18:36, Tom Eastep escribi?:
> > On Thu, 2003-07-03 at 14:34, Rodolfo Pilas wrote:
> > > I am migrating one of my old fw from ipchains to
iptables/shorewall. Now
> > > I wish to configure a SNAT like this:
> > > 
> > > ipchains -A forward -p tcp -s 172.16.4.2 -d 0/0 53 -j MASQ
> > > 
> > > I have seen that the masq file enables me to do SNAT, but I wish
to
> > > restrict it to the 53 port only.
> > > 
> > > Can you tell me how to do it?  Thank.
> > 
> > May I ask WHY you want SNAT only on tcp port 53?
> 
> Because I do not wish the 172.16.4.2 can access another outside port.
Then use the appropriate Shorewall mechanisms to do that.

e.g. - in /etc/shorewall/rules:

ACCEPT	loc:172.16.4.2	net	tcp	53
REJECT	loc:172.16.4.2	net	all

That way your firewall enforces your policy -- with your scheme, you are making
the internet backbone routers enforce your policy for you.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net