Good Afternoon,

In our WAN, some IPs accept connections only from certain IP ranges; for example, 192.168.4.1 accepts only from the 192.168.1.0/24 range.

I have 3 networks:
    192.168.1.0/24
    192.168.2.0/24
    192.168.3.0/24

I have a Shorewall box which has the IP addresses:
    192.168.1.1 eth0
    192.168.2.1 eth1
    192.168.3.1 eth2
and Shorewall does the firewalling and routing between these 3 networks.

In /etc/shorewall/hosts, I specified 192.168.4.1 as a separate host:
    loc eth0:192.168.1.0/24
    net eth0:192.168.4.1

To access the WAN address 192.168.4.1, I have in /etc/shorewall/masq:
    #INTERFACE SUBNET ADDRESS
    eth0       eth1
    eth0       eth2

which makes 192.168.4.1 accept the connection from eth1 and eth2, since the connection was masked as 192.168.1.1.

The problem is that connections from eth1 and eth2 are still masked within our local LAN (eth0, 192.168.1.0/24), i.e. connections from 192.168.2.0/24 and 192.168.3.0/24 are masked as 192.168.1.1 when connecting to the network 192.168.1.0/24.

Is there a way to only mask connections when connecting to the WAN IP 192.168.4.1 and not to 192.168.1.0/24?

Thanks and best regards,
Kenneth Oncinian
On Tue, 2003-09-16 at 02:16, Kenneth Oncinian wrote:
> Good Afternoon,
>
> In our WAN, some ips accept only from certain ip ranges, for example,
> 192.168.4.1 accepts only from 192.168.1.0/24 range.
>
> I have 3 networks:
> 192.168.1.0/24
> 192.168.2.0/24
> 192.168.3.0/24
>
> I have a shorewall box which has IP addresses:
> 192.168.1.1 eth0
> 192.168.2.1 eth1
> 192.168.3.1 eth2
> and shorewall do firewall and routing between this 3 networks.
>
> in /etc/shorewall/hosts, i specified 192.168.4.1 as a seperate host
> loc eth0:192.168.1.0/24
> net eth0:192.168.4.1

Get rid of those entries -- you don't need them to do what you want.

> To access WAN address 192.168.4.1, i have in /etc/shorewall/masq:
> #INTERFACE SUBNET ADDRESS
> eth0 eth1
> eth0 eth2
>
> which makes 192.168.4.1 accept the connection from eth1 and eth2 since the
> connection was masked as 192.168.1.1
>
> Problem is connections from eth1 and eth2 are still masked within our local
> lan (eth0 192.168.1.0/24) or connections from 192.168.2.0/24 and
> 192.168.3.0/24 were masked as 192.168.1.1 when connecting to network
> 192.168.1.0/24.
>
> Is there a way to only mask connections when connecting to WAN ip 192.168.4.1
> and not 192.168.1.0/24?

    eth0:192.168.4.1 eth1
    eth0:192.168.4.1 eth2

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
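The following is an added illustration, not code from the thread or from Shorewall: a small Python model of how the masq file's INTERFACE[:DEST] and SUBNET columns select packets for SNAT, so the difference between the two configurations can be checked on sample packets. The routing table and interface addresses are constructed from the thread, and 192.168.4.1 is assumed to be reached through eth0.

```python
import ipaddress

# Constructed from the thread: the interface each destination is reached through and
# each interface's own address (used as the MASQUERADE source). The WAN host
# 192.168.4.1 is assumed to be reached via eth0, as "net eth0:192.168.4.1" implies.
ROUTES = {"192.168.1.0/24": "eth0", "192.168.2.0/24": "eth1",
          "192.168.3.0/24": "eth2", "0.0.0.0/0": "eth0"}
IFACE_ADDR = {"eth0": "192.168.1.1", "eth1": "192.168.2.1", "eth2": "192.168.3.1"}

ORIGINAL_MASQ = "#INTERFACE SUBNET ADDRESS\neth0 eth1\neth0 eth2\n"
FIXED_MASQ = "eth0:192.168.4.1 eth1\neth0:192.168.4.1 eth2\n"

def out_iface(ip):
    """Longest-prefix route lookup: which interface faces this address."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(n) for n in ROUTES]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[str(best)]

def parse_masq(text):
    """Parse 'INTERFACE[:DEST] SUBNET [ADDRESS]' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if not cols:
            continue
        iface, _, dest = cols[0].partition(":")
        address = cols[2] if len(cols) > 2 else None
        rules.append((iface, dest or "0.0.0.0/0", cols[1], address))
    return rules

def snat_source(rules, src, dst):
    """Source address the packet leaves with, or None if it is not masqueraded."""
    oif = out_iface(dst)
    for iface, dest, subnet, address in rules:
        # INTERFACE column: outgoing interface, optionally limited to DEST.
        if iface != oif or ipaddress.ip_address(dst) not in ipaddress.ip_network(dest):
            continue
        # SUBNET column: an interface name (sources routed via it) or a source CIDR.
        if subnet in IFACE_ADDR:
            if out_iface(src) != subnet:
                continue
        elif ipaddress.ip_address(src) not in ipaddress.ip_network(subnet):
            continue
        # Empty ADDRESS means MASQUERADE to the outgoing interface's address.
        return address or IFACE_ADDR[oif]
    return None

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_MASQ), ("fixed", FIXED_MASQ)):
        rules = parse_masq(text)
        print(name, "LAN ->", snat_source(rules, "192.168.2.5", "192.168.1.20"),
              "| WAN ->", snat_source(rules, "192.168.2.5", "192.168.4.1"))
```

With the original rules a host on eth1 reaching a 192.168.1.0/24 host is rewritten to 192.168.1.1, so the LAN loses the real source address in its logs; with the DEST-qualified rules only traffic to 192.168.4.1 is rewritten.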
Good Afternoon,

Thank you very much, it works =). And thanks for Shorewall, the best firewall program out there!

With kind regards,
Kenneth Oncinian

On Tuesday 16 September 2003 10:51 pm, Tom Eastep wrote:
> On Tue, 2003-09-16 at 02:16, Kenneth Oncinian wrote:
> [...]
> Get rid of those entries -- you don't need them to do what you want.
> [...]
> eth0:192.168.4.1 eth1
> eth0:192.168.4.1 eth2
>
> -Tom