Hi!

Is it possible to create SNAT using /etc/shorewall/masq without pointing at any outgoing interface? Please refer to the configuration below.

  eth0 IP: 30.0.0.1/30; default gateway: 30.0.0.2/30 via eth0; my ISP
  eth1 IP: 80.10.20.1/24; "the rest" of my public IP pool
  eth2 IP: 10.0.2.1/24; private net - needs to be entirely SNAT masked
  eth3 IP: 10.0.3.1/24; private net - some hosts NAT 1-to-1 to 80.10.20.x

/etc/shorewall/masq:

  eth1 eth2 80.10.20.2
  eth0 eth2 80.10.20.3

/etc/shorewall/nat:

  80.10.20.4 eth3 10.0.3.4 yes no

iptables-save:

  -A PREROUTING -j nat_in
  -A POSTROUTING -j nat_out
  -A POSTROUTING -o eth0 -j eth0_masq
  -A POSTROUTING -o eth1 -j eth1_masq
  -A eth1_masq -s 10.0.2.0/255.255.255.0 -m policy --dir out --pol none -j SNAT --to-source 80.10.20.2
  -A eth0_masq -s 10.0.2.0/255.255.255.0 -m policy --dir out --pol none -j SNAT --to-source 80.10.20.3
  -A nat_in -d 80.10.20.4 -m policy --dir in --pol none -j DNAT --to-destination 10.0.3.4
  -A nat_out -s 10.0.3.4 -m policy --dir out --pol none -j SNAT --to-source 80.10.20.4

As you can see, nat 1-to-1 creates an SNAT rule which affects packets on any outgoing interface. So, if I have several (physical) interfaces on my router running Shorewall, no matter which outgoing interface is chosen, the source is always replaced. That's what I want. I'd like to have the same behaviour for my masquerade. Unfortunately I can't see an appropriate option to define in /etc/shorewall/masq. Eventually I might define several rules, one for each outgoing interface, but as far as I know it would need to use many different IPs.

I may even explain why I need such a feature.

Normally, I would have one "border" router, without BGP. On this router there would have been two interfaces: one to my ISP with IP 30.0.0.1 and one to a switch connected to the rest of my network with IP 80.10.20.1. The rest of my network would have consisted of independent hosts connected to a no-VLAN switch. Each of them would have had IP address 80.10.20.x/24 and default gw set to 80.10.20.1 - I hope it's clear. Some of these hosts would have been masquerading routers. Such a router would have had two interfaces: one with IP 80.10.20.x/24, the second one with IP 10.0.y.x/24. In this situation any traffic travelling from a 10.x.x.x host would have been masqueraded.

Now I'd like to migrate the above schema to a one-router situation. The main idea is to get rid of the switch (connecting the border router with the rest of my network). So I'd like to set up Shorewall on my new "several-interfaces router" like this:

  a) one interface connects me to my ISP: it's eth0 with IP 30.0.0.1/30;
  b) no additional routing tables - just main, local, default;
  c) default GW on the router is 30.0.0.2/30 via eth0;
  d) network 10.0.2.0/24 connected via eth2, masked as 80.10.20.2;
  e) network 10.0.3.0/24 connected via eth3, masked as 80.10.20.3;
  f) the next 10.0.N.0/24 network connected via the next ethN interface;
  g) "the rest" of the 80.10.20.0/24 network connected to eth1 (via switch).

I'd like to have the same behaviour in both of the above schemas. So, when using one router, hosts connected to eth2, eth3, etc. should appear to anyone outside their own networks as 80.10.20.x - it also means that hosts connected to eth2 shouldn't be able to communicate with hosts on eth3, since eth3 should appear as a masquerading router.

In fact I have several masquerading routers. Now I'd like to migrate them, but I can't migrate everything at the same time. I'm going to do this step by step. So: I replaced my two-interface router with a several-interface router. At first I use only two of the several interfaces. On the first one I have my ISP connected; on the second one I placed my switch (to which the masquerading routers are connected).

Migration step: switch off a masquerading router, unplug its 80.10.20.x interface (connecting to the main switch), unplug its 10.x.x.x interface patch-cord and plug it into one of the several interfaces of the new router, then activate the router's interface. After the above step, the appropriate 80.10.20.x address should be visible on ethN of the new router instead of on some port of the old switch.

Is it possible to configure Shorewall this way?

TIA,
AdamLis
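An added example (not part of the post, and not Shorewall's own code) that walks the nat-table excerpt above from POSTROUTING through the chain jumps and reports, for each SNAT rule, which outgoing interface it is effectively bound to. It confirms the distinction the post makes: the nat_out rule for 10.0.3.4 rewrites the source on any interface, while the masq rules for 10.0.2.0/24 only fire on eth0 or eth1. The rule text is constructed from the post's iptables-save output.

```python
from collections import defaultdict

# nat table rules, constructed from the iptables-save excerpt in the post
RULES = """
-A PREROUTING -j nat_in
-A POSTROUTING -j nat_out
-A POSTROUTING -o eth0 -j eth0_masq
-A POSTROUTING -o eth1 -j eth1_masq
-A eth1_masq -s 10.0.2.0/255.255.255.0 -m policy --dir out --pol none -j SNAT --to-source 80.10.20.2
-A eth0_masq -s 10.0.2.0/255.255.255.0 -m policy --dir out --pol none -j SNAT --to-source 80.10.20.3
-A nat_in -d 80.10.20.4 -m policy --dir in --pol none -j DNAT --to-destination 10.0.3.4
-A nat_out -s 10.0.3.4 -m policy --dir out --pol none -j SNAT --to-source 80.10.20.4
"""

# One-argument options we keep; every other token (e.g. '-m policy --dir out') is skipped.
_KEEP = {"-s": "src", "-d": "dst", "-o": "out", "-j": "target",
         "--to-source": "to", "--to-destination": "to"}

def parse_nat(text):
    """Return {chain: [rule dict, ...]} in rule order for every '-A' line."""
    chains = defaultdict(list)
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 2 or toks[0] != "-A":
            continue
        rule = {"src": None, "dst": None, "out": None, "target": None, "to": None}
        i = 2
        while i < len(toks):
            if toks[i] in _KEEP and i + 1 < len(toks):
                rule[_KEEP[toks[i]]] = toks[i + 1]
                i += 2
            else:
                i += 1
        chains[toks[1]].append(rule)
    return chains

def effective_snat(chains, root="POSTROUTING"):
    """Follow jumps from POSTROUTING; yield (src, to_source, out_iface) per SNAT rule.
    out_iface is None when no '-o' match constrains the rule anywhere on its jump path."""
    found = []
    def walk(chain, out, seen):
        for r in chains.get(chain, []):
            out_here = r["out"] or out        # an outer '-o' still binds the inner rules
            if r["target"] == "SNAT":
                found.append((r["src"], r["to"], out_here))
            elif r["target"] in chains and r["target"] not in seen:
                walk(r["target"], out_here, seen | {r["target"]})
    walk(root, None, {root})
    return found

def snat_interfaces(text, src):
    """Interfaces on which traffic from `src` gets its source rewritten ('any' if unbound)."""
    outs = {o for s, _, o in effective_snat(parse_nat(text)) if s == src}
    return "any" if None in outs else sorted(outs)
```

On a live box the same check can be run over the output of `iptables-save -t nat` instead of the embedded excerpt.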