hi Tom & all,

I need to have nat enabled in a special condition: only from a specific IP in my local zone and to a specific Host/net. Every other connection can't be natted. I'm doing this with a couple of iptables commands that need to be issued in the start script:

    run_iptables -t nat -I POSTROUTING -s 10.1.20.1 -d 172.21.4.1 -j SNAT --to-source 172.21.4.51
    run_iptables -t nat -I PREROUTING -s 172.21.4.1 -d 172.21.4.51 -j DNAT --to-destination 10.1.20.1

Is there a way of doing this using the configuration files? For all I read, the answer is no. But why couldn't the nat configuration file be zone enabled? (e.g. if a connection from zoneA goes to zoneB, nat it; in every other case, don't nat it). Something like:

    #EXTERNAL   INTERFACE   INTERNAL   ALL          LOCAL
    #                                  INTERFACES
    zoneB       eth0        ZoneA      -            -

and maybe a new column to indicate the address to be used...

cheers,
Eduardo
On Mon, 2003-12-01 at 07:47, Eduardo Ferreira wrote:

> I'm doing this with a couple of iptables commands that need to
> be issued in the start script:
>
> run_iptables -t nat -I POSTROUTING -s 10.1.20.1 -d 172.21.4.1 -j SNAT
> --to-source 172.21.4.51
> run_iptables -t nat -I PREROUTING -s 172.21.4.1 -d 172.21.4.51 -j DNAT
> --to-destination 10.1.20.1
>
> Is there a way of doing this using the configuration files?

/etc/shorewall/masq:

    <if1>:172.21.4.1    10.1.20.1    172.21.4.51

/etc/shorewall/rules:

    DNAT    <z1>:172.21.4.1    <z2>:10.1.20.1    all    -    -    172.21.4.51

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
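Whichever way the rules are generated (the raw run_iptables commands or the masq/rules entries above), the property Eduardo asked for is that NAT applies to exactly one host pair and nothing else. The following added audit script (not from the thread or from Shorewall) checks that property by parsing an iptables-save dump of the nat table and flagging any SNAT/DNAT/MASQUERADE rule that does not pin both source and destination; the dump it runs on is a constructed sample containing the two rules from the thread plus a broad MASQUERADE rule that such a policy would forbid.

```python
import re

# Constructed sample in iptables-save format (not captured from a real host):
# the two narrowly scoped rules from the thread plus a broad MASQUERADE rule
# of the kind that "every other connection can't be natted" rules out.
SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 172.21.4.1/32 -d 172.21.4.51/32 -j DNAT --to-destination 10.1.20.1
-A POSTROUTING -s 10.1.20.1/32 -d 172.21.4.1/32 -j SNAT --to-source 172.21.4.51
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Targets that rewrite addresses; anything else in the nat table is ignored.
NAT_TARGETS = {"SNAT", "DNAT", "MASQUERADE", "NETMAP"}

# Match an option only when it is a whole token, so "--to-destination" and
# "--to-source" (the translation arguments) are not mistaken for -d / -s.
SRC_RE = re.compile(r"(?:^|\s)(?:-s|--source) (\S+)")
DST_RE = re.compile(r"(?:^|\s)(?:-d|--destination) (\S+)")
TGT_RE = re.compile(r"(?:^|\s)(?:-j|--jump) (\S+)")


def parse_nat_rules(dump):
    """Return (chain, src, dst, target) for every -A rule in the *nat table.
    src/dst are None when the rule does not constrain that address."""
    rules = []
    in_nat = False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_nat = (line.strip() == "*nat")
            continue
        if not in_nat or not line.startswith("-A "):
            continue
        chain = line.split()[1]
        src, dst, tgt = (m.group(1) if m else None
                         for m in (SRC_RE.search(line), DST_RE.search(line),
                                   TGT_RE.search(line)))
        rules.append((chain, src, dst, tgt))
    return rules


def unscoped_nat_rules(dump):
    """NAT rules that translate addresses without pinning both the source and
    the destination, i.e. rules broader than a single host pair."""
    return [r for r in parse_nat_rules(dump)
            if r[3] in NAT_TARGETS and (r[1] is None or r[2] is None)]


if __name__ == "__main__":
    for chain, src, dst, tgt in unscoped_nat_rules(SAMPLE_NAT_TABLE):
        print(f"unscoped NAT rule in {chain}: target={tgt} src={src} dst={dst}")
```

On a live host, feed it `iptables-save -t nat` output instead of the constructed sample.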
oh, my! oh, my!

repeat 100 times: I will read the documentation next time. I will read the documentation next time [... snip ...]

[no joke mode:] What happened was that I was just looking at the nat file, because, with that name, it narrowed my view... I just didn't look around...

thanks a lot!
Eduardo

shorewall-users-bounces+duda=icatu.com.br@lists.shorewall.net wrote on 01/12/2003 14:01:16:

> On Mon, 2003-12-01 at 07:47, Eduardo Ferreira wrote:
> > I'm doing this with a couple of iptables commands that need to
> > be issued in the start script:
> >
> > run_iptables -t nat -I POSTROUTING -s 10.1.20.1 -d 172.21.4.1 -j SNAT
> > --to-source 172.21.4.51
> > run_iptables -t nat -I PREROUTING -s 172.21.4.1 -d 172.21.4.51 -j DNAT
> > --to-destination 10.1.20.1
> >
> > Is there a way of doing this using the configuration files?
>
> /etc/shorewall/masq:
>
> <if1>:172.21.4.1    10.1.20.1    172.21.4.51
>
> /etc/shorewall/rules:
>
> DNAT    <z1>:172.21.4.1    <z2>:10.1.20.1    all    -    -    172.21.4.51
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net