Robin M.
2004-Apr-30 23:54 UTC
masq quest. Coming out as different ip address depending on port
Hi I have tried to figure this out and read the documentation but it does not say anywhere how to do this, or at least I have overlooked it.

I want all traffic except for port 25 to come out as a certain ip address.

I already use /etc/shorewall/masq to achieve all traffic coming out as a certain ip address, but I want traffic coming out on port 25 to appear to come from a different ip address. Can someone explain how to do this, or point to the right document.
Tom Eastep
2004-Apr-30 23:57 UTC
Re: masq quest. Coming out as different ip address depending on port
Robin M. wrote:
> Hi I have tried to figure this out and read the documentation but it does
> not say anywhere how to do this, or at least I have overlooked it.
>
> I want all traffic except for port 25 to come out as a certain ip address.
>
> I already use /etc/shorewall/masq to achieve all traffic coming out as a
> certain ip address, but I want traffic coming out on port 25 to appear to
> come from a different ip address. Can someone explain how to do this, or
> point to the right document.

You will have to insert the appropriate rules using commands in your /etc/shorewall/start script. There is no way to do this using regular Shorewall configuration.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Robin M.
2004-May-01 00:02 UTC
Re: masq quest. Coming out as different ip address depending on port
On Fri, 30 Apr 2004, Tom Eastep wrote:
> Robin M. wrote:
> > Hi I have tried to figure this out and read the documentation but it does
> > not say anywhere how to do this, or at least I have overlooked it.
> >
> > I want all traffic except for port 25 to come out as a certain ip address.
> >
> > I already use /etc/shorewall/masq to achieve all traffic coming out as a
> > certain ip address, but I want traffic coming out on port 25 to appear to
> > come from a different ip address. Can someone explain how to do this, or
> > point to the right document.
>
> You will have to insert the appropriate rules using commands in your
> /etc/shorewall/start script. There is no way to do this using regular
> Shorewall configuration.

Thanks Tom, can this be a feature request?
Tom Eastep
2004-May-01 00:05 UTC
Re: masq quest. Coming out as different ip address depending on port
Robin M. wrote:
>
> Thanks Tom, can this be a feature request?

I'll implement it when I can think of a clean way to do it. I've made a couple of false starts on it but neither was up to my standards.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Robin M.
2004-May-01 00:44 UTC
Re: masq quest. Coming out as different ip address depending on port
On Fri, 30 Apr 2004, Tom Eastep wrote:
> Robin M. wrote:
> > Hi I have tried to figure this out and read the documentation but it does
> > not say anywhere how to do this, or at least I have overlooked it.
> >
> > I want all traffic except for port 25 to come out as a certain ip address.
> >
> > I already use /etc/shorewall/masq to achieve all traffic coming out as a
> > certain ip address, but I want traffic coming out on port 25 to appear to
> > come from a different ip address. Can someone explain how to do this, or
> > point to the right document.
>
> You will have to insert the appropriate rules using commands in your
> /etc/shorewall/start script. There is no way to do this using regular
> Shorewall configuration.

ok I have searched the net for documentation on how to do this using raw iptables commands, and there is tons of info about forwarding ports to different ip addresses on the inside, but not about masquerading outbound traffic on different ports as different ip addresses. If you have an idea about the command I can use I would appreciate it, otherwise I will keep looking and post back my solution.
Tom Eastep
2004-May-01 01:26 UTC
Re: masq quest. Coming out as different ip address depending on port
Robin M. wrote:
>
> ok I have searched the net for documentation on how to do this using raw
> iptables commands, and there is tons of info about forwarding ports to
> different ip addresses on the inside, but not about masquerading outbound
> traffic on different ports as different ip addresses. If you have an idea
> about the command I can use I would appreciate it, otherwise I will keep
> looking and post back my solution.

When future scholars try to understand why our civilization failed, they will mark the invention of the Internet search engine as the crucial turning point.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Robin M.
2004-May-01 02:37 UTC
Re: masq quest. Coming out as different ip address depending on port
On Fri, 30 Apr 2004, Tom Eastep wrote:
>
> When future scholars try to understand why our civilization failed, they
> will mark the invention of the Internet search engine as the crucial
> turning point.

When future scholars try to understand why our civ failed, they will look it up using a search engine, and when they can't find the answer they will try to figure it out for themselves.
Tom Eastep
2004-May-01 02:42 UTC
Re: masq quest. Coming out as different ip address depending on port
Robin M. wrote:
> On Fri, 30 Apr 2004, Tom Eastep wrote:
>
>> When future scholars try to understand why our civilization failed, they
>> will mark the invention of the Internet search engine as the crucial
>> turning point.
>>
>
> When future scholars try to understand why our civ failed, they will look
> it up using a search engine, and when they can't find the answer they
> will try to figure it out for themselves.

I hope so

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Robin M.
2004-May-01 06:35 UTC
Re: masq quest. Coming out as different ip address depending on port
On Fri, 30 Apr 2004, Tom Eastep wrote:
> Robin M. wrote:
> > On Fri, 30 Apr 2004, Tom Eastep wrote:
> >
> >> When future scholars try to understand why our civilization failed, they
> >> will mark the invention of the Internet search engine as the crucial
> >> turning point.
> >
> > When future scholars try to understand why our civ failed, they will look
> > it up using a search engine, and when they can't find the answer they
> > will try to figure it out for themselves.

ok after trying a bunch of things I have made some progress. (banging my head against a wall). I am sure Tom prefers it that way, but now I can't remember my wife's name. :)

Anyways I have come up with the following and emptied out /etc/shorewall/masq

this is my snippet from /etc/shorewall/start. I can now masquerade all outbound smtp traffic as a different ip address.

<snip>
iptables -t nat -N eth0_masq
iptables -t nat -A POSTROUTING -o eth0 -j eth0_masq
iptables -t nat -A eth0_masq -s 192.168.0.0/255.255.255.0 -p tcp --dport \
    25 -j SNAT --to-source xx.x07.210.133
iptables -t nat -A eth0_masq -s 192.168.0.0/255.255.255.0 -j SNAT \
    --to-source xx.x07.210.130
</snip>
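As an added illustration (not from the thread and not Shorewall code), here is a small Python model of the eth0_masq chain above. It resolves which SNAT source an outbound packet gets under netfilter's first-match semantics and flags the reversed ordering, in which the catch-all rule would swallow port-25 traffic before the specific rule is ever reached. The public addresses are RFC 5737 placeholders assumed in place of the masked xx.x07.210.x values.

```python
"""Model of the eth0_masq chain above: netfilter tries rules top to bottom
and the first matching SNAT wins, so the port-25 rule must precede the
catch-all.  Added example, not Shorewall code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class SnatRule:
    src_net: ipaddress.IPv4Network   # -s
    to_source: str                   # --to-source
    proto: Optional[str] = None      # -p      (None = any protocol)
    dport: Optional[int] = None      # --dport (None = any port)

    def matches(self, src_ip: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src_net
                and self.proto in (None, proto)
                and self.dport in (None, dport))

def snat_source(chain: List[SnatRule], src_ip: str, proto: str,
                dport: int) -> Optional[str]:
    """--to-source of the first matching rule; None if the packet falls off
    the end of the chain and leaves with its private source unchanged."""
    for rule in chain:
        if rule.matches(src_ip, proto, dport):
            return rule.to_source
    return None

def shadowed_rules(chain: List[SnatRule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule is at
    least as broad in source net, protocol and port (a lint for ordering)."""
    return [i for i, r in enumerate(chain)
            if any(r.src_net.subnet_of(e.src_net)
                   and e.proto in (None, r.proto)
                   and e.dport in (None, r.dport)
                   for e in chain[:i])]

# Constructed values: RFC 5737 documentation addresses stand in for the
# masked xx.x07.210.133 / xx.x07.210.130 in the post.
LAN = ipaddress.ip_network("192.168.0.0/24")   # == 192.168.0.0/255.255.255.0
SMTP_SOURCE = "203.0.113.133"
DEFAULT_SOURCE = "203.0.113.130"

ETH0_MASQ = [                                   # order as posted: correct
    SnatRule(LAN, SMTP_SOURCE, proto="tcp", dport=25),
    SnatRule(LAN, DEFAULT_SOURCE),
]
ETH0_MASQ_REVERSED = ETH0_MASQ[::-1]            # catch-all first: port-25 rule is dead
```

Running shadowed_rules over a chain before loading it catches the ordering mistake that a quick look at `iptables -t nat -L eth0_masq` can miss; note that only TCP to port 25 gets the second address, so UDP or other ports still exit via the default one.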
Tom Eastep
2004-May-01 14:10 UTC
Re: masq quest. Coming out as different ip address depending on port
Robin M. wrote:
>
> ok after trying a bunch of things I have made some progress.
> (banging my head against a wall). I am sure Tom prefers it that way, but
> now I can't remember my wife's name. :)

:-)

> Anyways I have come up with the following and emptied out
> /etc/shorewall/masq
>
> this is my snippet from /etc/shorewall/start. I can now masquerade all
> outbound smtp traffic as a different ip address.
>
> <snip>
> iptables -t nat -N eth0_masq
> iptables -t nat -A POSTROUTING -o eth0 -j eth0_masq
> iptables -t nat -A eth0_masq -s 192.168.0.0/255.255.255.0 -p tcp --dport \
>     25 -j SNAT --to-source xx.x07.210.133
> iptables -t nat -A eth0_masq -s 192.168.0.0/255.255.255.0 -j SNAT \
>     --to-source xx.x07.210.130

Excellent! I'll make an attempt to get formal support for this case into the upcoming 2.0.2 release.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2004-May-01 16:10 UTC
Re: masq quest. Coming out as different ip address depending on port
Tom Eastep wrote:
>
> Excellent! I'll make an attempt to get formal support for this case into
> the upcoming 2.0.2 release.

The Shorewall2/ CVS code now supports this feature -- release notes are attached.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Rodrigo Cortes Cano
2004-May-01 17:05 UTC
Re: masq quest. Coming out as different ip address depending on port
cool!

hi again tom
you remember this problem?
when in the rules file ...

REDIRECT lan 25 tcp smtp -

and the start file...

run_iptables -t nat -I lan_dnat -s 192.168.207.80 -d xxx.xxx.xxx.xxx -p tcp --dport smtp -j RETURN

this new support work for this case?

On Sat, 01-05-2004 at 10:10, Tom Eastep wrote:
> Robin M. wrote:
> >
> > ok after trying a bunch of things I have made some progress.
> > (banging my head against a wall). I am sure Tom prefers it that way, but
> > now I can't remember my wife's name. :)
>
> :-)
>
> > Anyways I have come up with the following and emptied out
> > /etc/shorewall/masq
> >
> > this is my snippet from /etc/shorewall/start. I can now masquerade all
> > outbound smtp traffic as a different ip address.
> >
> > <snip>
> > iptables -t nat -N eth0_masq
> > iptables -t nat -A POSTROUTING -o eth0 -j eth0_masq
> > iptables -t nat -A eth0_masq -s 192.168.0.0/255.255.255.0 -p tcp --dport \
> >     25 -j SNAT --to-source xx.x07.210.133
> > iptables -t nat -A eth0_masq -s 192.168.0.0/255.255.255.0 -j SNAT \
> >     --to-source xx.x07.210.130
>
> Excellent! I'll make an attempt to get formal support for this case into
> the upcoming 2.0.2 release.
>
> -Tom
Tom Eastep
2004-May-01 17:14 UTC
Re: masq quest. Coming out as different ip address depending on port
Rodrigo Cortes Cano wrote:
> cool!
>
> hi again tom
> you remember this problem?
> when in the rules file ...
>
> REDIRECT lan 25 tcp smtp -
>
> and the start file...
>
> run_iptables -t nat -I lan_dnat -s 192.168.207.80 -d xxx.xxx.xxx.xxx -p
> tcp --dport smtp -j RETURN
>
> this new support work for this case?

The new support has nothing to do with that case.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net