Rodolfo Pilas
2003-Jul-14 15:10 UTC
[Shorewall-users] Masq to def.gw but not to its subnet
HOST A -> SHOREWALL -----------------------> DEFAULT GW -> Internet
                                                |      |
                                             HOST Y  HOST Z

When HOST-A wishes to reach DEFAULT-GW->Internet I masq their address through
SHOREWALL /etc/shorewall/masq file.

But when HOST-A wishes to reach HOST-Y or HOST-Z, on the same subnet as the
DEFAULT-GW, I wish to ACCEPT the connection without masquerading. (I
understand that the masquerade must be on the DEFAULT GW but I can administer
it).

This is very simple to me with my actual ipchains fw:

ipchains -A forward -p tcp -s 0/0 -d DEFAULT-GW 339 -j MASQ

I would like to know the appropriate Shorewall mechanisms to do that.

Thank you.

--
Rodolfo Pilas <rodolfo@pilas.net>
On Mon, 2003-07-14 at 15:17, Rodolfo Pilas wrote:

> ipchains -A forward -p tcp -s 0/0 -d DEFAULT-GW 339 -j MASQ
>
> I would like to know the appropriate Shorewall mechanisms to do that.

There isn't one. You will have to create your own iptables commands in
/etc/shorewall/start. See http://www.shorewall.net/shorewall_extensions_scripts.htm.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Mon, 2003-07-14 at 15:29, Tom Eastep wrote:

> See http://www.shorewall.net/shorewall_extensions_scripts.htm.

Sorry -- make that http://www.shorewall.net/shorewall_extension_scripts.htm

--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Mon, 2003-07-14 at 15:29, Tom Eastep wrote:

> On Mon, 2003-07-14 at 15:17, Rodolfo Pilas wrote:
>
> > ipchains -A forward -p tcp -s 0/0 -d DEFAULT-GW 339 -j MASQ
> >
> > I would like to know the appropriate Shorewall mechanisms to do that.
>
> There isn't one. You will have to create your own iptables commands in
> /etc/shorewall/start.

Some more information that may be helpful.

Where an interface appears in the first column in an entry in
/etc/shorewall/masq, Shorewall will create a chain in the nat table with the
name <interface>_masq. To exclude destination address a.b.c.d from being
masqueraded out of eth0, in /etc/shorewall/start add:

run_iptables -t nat -I eth0_masq -d a.b.c.d -j RETURN

To exclude additional destinations, simply add additional similar commands.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
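A complete /etc/shorewall/start extension script built on the mechanism Tom describes above. This is an added example, not code from the thread or from the Shorewall project: it assumes a masq entry whose interface column is eth0 (so Shorewall has created the nat chain eth0_masq), and the addresses 203.0.113.20 and 203.0.113.21 standing in for HOST Y and HOST Z are constructed placeholders. The rules are inserted with -I so each RETURN sits above the MASQUERADE rule Shorewall generated; a CIDR such as 203.0.113.0/24 works in place of a single address if the whole gateway subnet should be exempt. The run_iptables helper is the one Shorewall supplies to extension scripts; the script only calls it when it is actually defined, so the rule-building functions can be checked outside Shorewall.

```shell
#!/bin/sh
# /etc/shorewall/start (added example, not part of the original thread)
# Exempt specific destinations from masquerading on one interface by
# inserting RETURN rules at the top of Shorewall's <interface>_masq chain.

MASQ_IFACE="eth0"
# Constructed placeholder addresses for HOST Y and HOST Z; a CIDR also works.
NO_MASQ_DESTS="203.0.113.20 203.0.113.21"

# Build the command that exempts one destination from masquerading on an
# interface. -I (insert) puts the RETURN before the MASQUERADE rule that
# Shorewall appended, so matching packets leave the chain unchanged.
masq_exclude_rule() {
    printf 'run_iptables -t nat -I %s_masq -d %s -j RETURN\n' "$1" "$2"
}

# Emit one exemption command per destination (remaining arguments).
masq_exclude_rules() {
    iface="$1"
    shift
    for dest in "$@"; do
        masq_exclude_rule "$iface" "$dest"
    done
}

# Apply the rules only inside Shorewall, where run_iptables is defined.
# $NO_MASQ_DESTS is deliberately unquoted so it splits into one argument
# per destination.
if command -v run_iptables >/dev/null 2>&1; then
    masq_exclude_rules "$MASQ_IFACE" $NO_MASQ_DESTS | while read -r cmd; do
        eval "$cmd"
    done
fi
```

After "shorewall restart", "shorewall show nat" should list the RETURN rules at the head of eth0_masq, ahead of the MASQUERADE rule; traffic from HOST A to the exempted addresses then keeps its original source address, while everything else bound for the gateway is still masqueraded.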