I tried various attempts to have a system behind my firewall that has a nat entry like the following:

#EXTERNAL      INTERFACE    INTERNAL     ALL INTERFACES    LOCAL
123.123.12.3   eth0         10.2.33.1    no                no

This will allow the outside to enter and talk to 10.2.33.1 via an external IP of 123.123.12.3. OK, simple enough, works wonders, I use this all the time.

Now let's say I want this internal box to start talking to the outside world, and any connections outbound from this box I want to originate from a different IP address of my choice, such that anyone looking at this IP from the outside will end up on a different box behind the firewall.

In my masq file I have the following:

#INTERFACE    SUBNET    ADDRESS
eth0          eth1      225.225.22.121

So any systems initiating connections outbound will have an address of 225.225.22.121.

I have attempted to add this to the masq file:

#INTERFACE    SUBNET       ADDRESS
eth0          10.2.33.1    225.225.22.121

but I still end up with the 225.225.22.121 src address when I ping an outside system from 10.2.33.1.

What would be most helpful would be to do this by port. This way, if an outbound connection is done on port 80, its reverse or source IP can be a different box; this would better mask where systems are located and send the curious to look at less interesting systems.

If I messed up on any of the examples here I am sorry; I hope the idea is conveyed and someone has an idea how this can be done. One way would be to bind another internal IP 10.2.33.2 to the internal box and maybe work it that way, but I stopped in my tracks in that attempt because I realize I can not control what src address the system will use to create the outbound connection.

Best Regards
Sean M

-- 
Regards
Sean Mathews
Nu Tech CTO

struct SoftwareProfessional {
    double salary;
    long lunches;
    float jobs;
    char unstable;
    void work;
    short tempers;
};
On Tue, 12 Aug 2003 20:57:25 -0700, Sean <mathewss@nutech.com> wrote:

> In my masq file I have the following:
>
> #INTERFACE    SUBNET    ADDRESS
> eth0          eth1      225.225.22.121
>
> So any systems initiating connections outbound will have an address of
> 225.225.22.121.
>
> I have attempted to add this to the masq file:
>
> #INTERFACE    SUBNET       ADDRESS
> eth0          10.2.33.1    225.225.22.121
>
> but I still end up with the 225.225.22.121 src address
> when I ping an outside system from 10.2.33.1.

Yes -- if you specify static NAT, you can't override it with SNAT.

> What would be most helpful would be to do this by port.
> This way, if an outbound connection is done on port 80,
> its reverse or source IP can be a different box; this would
> better mask where systems are located and send the curious
> to look at less interesting systems.

You can do this with an extension script -- Shorewall is unlikely to ever have this capability.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
No problem. Unfortunately I'm not really sure I would know where to put this script and what commands it would have to do this.

Could you spare a few hints to get me on the correct path please :c)...

Thanks in advance..

ps.. pat on the back for you. I have been using Shorewall for over a year now on my own ever-improving LRP distro and I am very impressed with your work. In a nutshell it just works like a champ; the only thing that has been hard is keeping up with the new revs :c)

---------- Original Message ----------------------------------
From: Tom Eastep <teastep@shorewall.net>
Date: Tue, 12 Aug 2003 21:12:03 -0700

>On Tue, 12 Aug 2003 20:57:25 -0700, Sean <mathewss@nutech.com> wrote:
>
>> In my masq file I have the following:
>>
>> #INTERFACE    SUBNET    ADDRESS
>> eth0          eth1      225.225.22.121
>>
>> So any systems initiating connections outbound will have an address of
>> 225.225.22.121.
>>
>> I have attempted to add this to the masq file:
>>
>> #INTERFACE    SUBNET       ADDRESS
>> eth0          10.2.33.1    225.225.22.121
>>
>> but I still end up with the 225.225.22.121 src address
>> when I ping an outside system from 10.2.33.1.
>
>Yes -- if you specify static NAT, you can't override it with SNAT.
>
>> What would be most helpful would be to do this by port.
>> This way, if an outbound connection is done on port 80,
>> its reverse or source IP can be a different box; this would
>> better mask where systems are located and send the curious
>> to look at less interesting systems.
>
>You can do this with an extension script -- Shorewall is unlikely to ever
>have this capability.
>
>-Tom
>-- 
>Tom Eastep    \ Shorewall - iptables made easy
>Shoreline,     \ http://shorewall.net
>Washington USA  \ teastep@shorewall.net
On Tue, 2003-08-12 at 23:02, Sean wrote:

> No problem. Unfortunately I'm not really sure I would know where
> to put this script and what commands it would have to do this.
>
> Could you spare a few hints to get me on the correct path please :c)...

First hint: Look up "Extension Scripts" in the documentation index.

Second hint: If you are going to modify Shorewall using extension scripts, you have to have some knowledge of iptables because you may have to adjust your commands when new versions of Shorewall are introduced.

> Thanks in advance..
>
> ps.. pat on the back for you. I have been using Shorewall for over a year now
> on my own ever-improving LRP distro and I am very impressed
> with your work. In a nutshell it just works like a champ; the only thing
> that has been hard is keeping up with the new revs :c)

Thanks :-)

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
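As an added illustration of the extension-script approach Tom points to in both of his replies (this is example code, not Shorewall's own or anything from the thread): a shell fragment that emits one per-port SNAT rule for outbound connections from 10.2.33.1 and applies it only when running as root with iptables present. It assumes the fragment is placed in a Shorewall extension script such as /etc/shorewall/start, that eth0 is the external interface as in the poster's nat entry, and that the constructed public addresses 123.123.12.4 and 123.123.12.5 are additional aliases on eth0.

```shell
#!/bin/sh
# Added example, not Shorewall code. Assumed location: a Shorewall extension
# script (e.g. /etc/shorewall/start) that Shorewall sources after building its
# own rules. External interface and internal host are taken from the thread;
# the two public source addresses below are constructed for the example.

INT_HOST=10.2.33.1
EXT_IF=eth0

# destination-port:public-source pairs, one per line (constructed values)
PORT_MAP="80:123.123.12.4
443:123.123.12.5"

# Emit one iptables command per mapping. The rule is INSERTed at position 1
# of nat/POSTROUTING so it is evaluated before the SNAT rule Shorewall
# generates from the nat file entry; appending it would leave the static NAT
# rule matching first, which is why the masq-file attempt in the thread had
# no effect. Only TCP to the listed ports is rewritten; everything else from
# the host keeps the address chosen by Shorewall's nat/masq configuration.
build_rules() {
    printf '%s\n' "$PORT_MAP" | while IFS=: read -r port src; do
        [ -n "$port" ] && [ -n "$src" ] || continue
        printf 'iptables -t nat -I POSTROUTING 1 -o %s -s %s -p tcp --dport %s -j SNAT --to-source %s\n' \
            "$EXT_IF" "$INT_HOST" "$port" "$src"
    done
}

# Number of rules the mapping produces (handy for a sanity check).
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# Run each generated command. Each is built from variables this script owns.
apply_rules() {
    build_rules | while read -r cmd; do
        eval "$cmd"
    done
}

# Inside Shorewall this runs as root and applies the rules; anywhere else it
# just prints the commands so they can be reviewed before use.
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    apply_rules
else
    build_rules
fi
```

After a restart, `iptables -t nat -L POSTROUTING -n -v --line-numbers` should list these rules above Shorewall's own, and the per-rule packet counters show whether port-80 traffic from 10.2.33.1 is actually hitting them.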