Derek Vincent
2005-Jun-24 18:57 UTC
SNAT multiple IP to single internal IP and limiting access based on external IP
Hello all,

I have shorewall setup with 3 SNAT entries for external IP addresses to a single internal IP address. I am wondering how to limit access based on the source IP address.

ex.
EXT IP 1 access only to port 25
EXT IP 2 access only to port 443
EXT IP 3 access only to port 80

I have the SNAT setup correctly and I have 3 accept lines in the rules file (25,80,443) but I can hit all the services from all 3 external IP addresses (as expected).

I thought about using DNAT instead of ACCEPT but I am not sure if you can or are supposed to mix the DNAT and SNAT.

Cheers,
Derek
Alexander Wilms
2005-Jun-25 10:04 UTC
Re: SNAT multiple IP to single internal IP and limiting access based on external IP
On Friday 24 June 2005 20:57, Derek Vincent wrote:
> Hello all,
>
> I have shorewall setup with 3 SNAT entries for external IP addresses to
> a single internal IP address. I am wondering how to limit access based
> on the source IP address.
> ex.
> EXT IP 1 access only to port 25
> EXT IP 2 access only to port 443
> EXT IP 3 access only to port 80
>
> I have the SNAT setup correctly and I have 3 accept lines in the rules
> file (25,80,443) but I can hit all the services from all 3 external IP
> addresses (as expected).
>
> I thought about using DNAT instead of ACCEPT but I am not sure if you can
> or are supposed to mix the DNAT and SNAT.

Hi Derek,

I can only guess, because I don't really understand the way you implemented the SNAT (MASQ?)/Accept combination. But I think the correct way would be DNAT. Something like this in the rules file:

DNAT net:$EXT_IP1 loc:$INT_IP:PORT PROTO PORTS ORIG_DEST

e.g.:

DNAT net:212.185.120.194 dmz:192.168.40.2 tcp http,https - 194.231.186.177

See the examples on top of the rules file and read FAQ30 http://www.shorewall.net/FAQ.htm#faq30

HTH,
Alex
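As an added illustration (not from either poster, and not a Shorewall project file), the rules-file fragment below puts the three plain ACCEPT lines Derek describes beside the DNAT form Alex suggests, using the ORIGINAL DEST column to tie each port to one public address. It assumes constructed addresses (203.0.113.1-3 for the public side, 192.168.1.10 for the server) and a Shorewall 2.x rules-file layout; the existing SNAT/masq configuration is left unchanged and not shown.

```text
# /etc/shorewall/params  (constructed values for this example)
EXT_IP1=203.0.113.1      # meant to expose only port 25
EXT_IP2=203.0.113.2      # meant to expose only port 443
EXT_IP3=203.0.113.3      # meant to expose only port 80
SERVER=192.168.1.10      # the single internal host

# /etc/shorewall/rules -- WEAK: plain ACCEPT lines never look at which
# public address the client connected to, so all three services are
# reachable through all three addresses (what Derek observes).
#ACTION  SOURCE  DEST         PROTO  DEST PORT(S)
ACCEPT   net     loc:$SERVER  tcp    25
ACCEPT   net     loc:$SERVER  tcp    443
ACCEPT   net     loc:$SERVER  tcp    80

# /etc/shorewall/rules -- CORRECTED: DNAT rules with the ORIGINAL DEST
# column. Each line only matches connections that arrived at that one
# public address, and a DNAT rule already accepts the connection it
# forwards, so the three ACCEPT lines above are removed rather than kept.
# A connection to any other address/port combination is not forwarded
# and falls through to the net->fw policy.
#ACTION  SOURCE  DEST         PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
DNAT     net     loc:$SERVER  tcp    25            -               $EXT_IP1
DNAT     net     loc:$SERVER  tcp    443           -               $EXT_IP2
DNAT     net     loc:$SERVER  tcp    80            -               $EXT_IP3
```

After `shorewall restart`, `shorewall show nat` lists the three DNAT entries and a connection to, say, $EXT_IP1:443 no longer reaches the server.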