Hi All,

We currently have two ISPs set up using QoS and other goodies being managed by Shorewall 4.0.4-1 (Perl). Everything is working nicely. However, we would like to port forward (destination NAT) a range of ports for one ISP only. The other ISP should not allow those specific ports to be forwarded.

I've searched the documentation, but can't seem to find the correct syntax to achieve the desired result.

My /etc/shorewall/interfaces file looks like this:

#ZONE   INTERFACE   BROADCAST   OPTIONS
lan     $LAN_IF     detect      routeback
dmz1    $DMZ1_IF    detect      -
dmz2    $DMZ2_IF    detect      -
net     $NET_IF1    detect      $NET1_OPTIONS
net     $NET_IF2    detect      $NET2_OPTIONS

So, any takers? Any further info required?

Cheers,
James
--
It takes all kinds to fill the freeways. -- Crazy Charlie

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/
James Gray wrote:
> Hi All,
>
> We currently have two ISPs set up using QoS and other goodies being managed
> by Shorewall 4.0.4-1 (Perl). Everything is working nicely. However, we
> would like to port forward (destination NAT) a range of ports for one ISP
> only. The other ISP should not allow those specific ports to be forwarded.
>
> I've searched the documentation, but can't seem to find the correct syntax to
> achieve the desired result.
>
> My /etc/shorewall/interfaces file looks like this:
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> lan     $LAN_IF     detect      routeback
> dmz1    $DMZ1_IF    detect      -
> dmz2    $DMZ2_IF    detect      -
> net     $NET_IF1    detect      $NET1_OPTIONS
> net     $NET_IF2    detect      $NET2_OPTIONS
>
> So, any takers? Any further info required?
>
> Cheers,

Use the "ORIGINAL DEST" column with your DNAT rule in the rules file, with the IP from the provider that you wish to use as the "ORIGINAL DEST". See man shorewall-rules for more info.

Jerry
> see man shorewall-rules for more info.

Too fast with the send... example #5.

Jerry
On Thu, 8 Nov 2007 04:51:05 pm Jerry Vonau wrote:
> > see man shorewall-rules for more info.
>
> Too fast with the send...
> example #5
>
> Jerry

Awesome Jerry, thank you. Simple when you actually RTFM! (I'll crawl back under my rock now :P)

James
--
Aim for the moon. If you miss, you may hit a star. -- W. Clement Stone
On Thu, Nov 08, 2007 at 12:47:23AM -0500, Jerry Vonau wrote:
> Use the "ORIGINAL DEST" column with your DNAT rule in the rules file,
> with the IP from the provider that you wish to use as the "ORIGINAL DEST"

I would actually be inclined to put the two ISPs' interfaces into different subzones of 'net'. The rules should be neater.
Andrew Suffield wrote:
> On Thu, Nov 08, 2007 at 12:47:23AM -0500, Jerry Vonau wrote:
>> Use the "ORIGINAL DEST" column with your DNAT rule in the rules file,
>> with the IP from the provider that you wish to use as the "ORIGINAL DEST"
>
> I would actually be inclined to put the two ISPs' interfaces into
> different subzones of 'net'. The rules should be neater.
>

One can also place "net:ethX" in the SOURCE column to limit the rule to connections entering the firewall on interface 'ethX'.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
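Added worked example (not part of the thread, and not Shorewall's own documentation): a /etc/shorewall/rules fragment in the 4.0 column layout showing the rule James wanted to avoid, Jerry's ORIGINAL DEST form, and Tom's net:interface form. Everything concrete here is assumed for illustration: NET1_IP=203.0.113.10 defined in /etc/shorewall/params as ISP 1's public address, a DMZ host 10.10.1.20 behind $DMZ1_IF, and TCP ports 5000-5010 as the range to forward.

```text
# /etc/shorewall/rules  (Shorewall 4.0 column order)
# Assumes /etc/shorewall/params contains: NET1_IP=203.0.113.10  (assumed value)
#
#ACTION  SOURCE        DEST             PROTO  DEST       SOURCE   ORIGINAL
#                                              PORT(S)    PORT(S)  DEST

# WRONG for this setup: zone "net" spans $NET_IF1 and $NET_IF2, so this
# DNATs the port range arriving on EITHER ISP address.
#DNAT    net           dmz1:10.10.1.20  tcp    5000:5010

# Option 1 (Jerry): match only packets whose original destination was
# ISP 1's public address. "-" is the SOURCE PORT(S) placeholder so the
# ORIGINAL DEST column lines up.
DNAT     net           dmz1:10.10.1.20  tcp    5000:5010  -        $NET1_IP

# Option 2 (Tom): match only connections entering via ISP 1's interface.
# Useful when ISP 1's address is dynamic and cannot be put in params.
#DNAT    net:$NET_IF1  dmz1:10.10.1.20  tcp    5000:5010
```

Use one of the two DNAT lines, not both. No rule is needed for ISP 2: with no matching DNAT rule, traffic to those ports on $NET_IF2 simply falls through to the net->dmz1 policy (normally DROP or REJECT), which is what "not forwarded" means here. In a multi-ISP setup, also make sure the entries in /etc/shorewall/providers carry the track option, otherwise replies from 10.10.1.20 may leave via the other provider and the forwarded connections will fail.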