If I have the following SNAT rule in masq:

#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 192.168.122.0/24 1.1.4.5

How can I prevent SNATting for local subnets that are also reachable on eth0? I can manually accomplish the goal with a:

# iptables -t nat -I eth0_masq -s 192.168.122.0/24 -d 192.168.0.0/24 -j RETURN

resulting in:

Chain eth0_masq (1 references)
 pkts bytes target prot opt in  out source           destination
    0     0 RETURN all  --  *   *   192.168.122.0/24 192.168.0.0/24
   28  2176 SNAT   all  --  *   *   192.168.122.0/24 0.0.0.0/0      to:1.1.4.5

IIRC, iptables accepts !192.168.0.0/24 in the destination of the SNAT rule also, but I don't know if/how that maps to shorewall.

Cheers,
b.

------------------------------------------------------------------------------
This SF.net email is sponsored by

Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
On 8/5/10 2:18 PM, Brian J. Murrell wrote:
> If I have the following SNAT rule in masq:
>
> #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
> eth0 192.168.122.0/24 1.1.4.5
>
> How can I prevent SNATting for local subnets that are also reachable on
> eth0? I can manually accomplish the goal with a:
>
> # iptables -t nat -I eth0_masq -s 192.168.122.0/24 -d 192.168.0.0/24 -j RETURN
>
> resulting in:
>
> Chain eth0_masq (1 references)
>  pkts bytes target prot opt in  out source           destination
>     0     0 RETURN all  --  *   *   192.168.122.0/24 192.168.0.0/24
>    28  2176 SNAT   all  --  *   *   192.168.122.0/24 0.0.0.0/0      to:1.1.4.5
>
> IIRC, iptables accepts !192.168.0.0/24 in the destination of the SNAT
> rule also, but I don't know if/how that maps to shorewall.

man shorewall-exclusion

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On Thu, 2010-08-05 at 15:16 -0700, Tom Eastep wrote:
>
> man shorewall-exclusion

Yes, indeed. I think what I am missing however is how to apply that to *destination*s in the masq file. I can see source address matching in there but not destination address matching. Too many trees blocking the view of the forest for me perhaps?

b.
On 8/5/10 3:27 PM, Brian J. Murrell wrote:
> On Thu, 2010-08-05 at 15:16 -0700, Tom Eastep wrote:
>>
>> man shorewall-exclusion
>
> Yes, indeed. I think what I am missing however is how to apply that to
> *destination*s in the masq file. I can see source address matching in
> there but not destination address matching. Too many trees blocking the
> view of the forest for me perhaps?

Did you try searching the manpage for the word 'destination'?

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On Thu, 2010-08-05 at 15:32 -0700, Tom Eastep wrote:
> Did you try searching the manpage for the word 'destination'?

Finally got a chance to try that and that did the trick.

Thanx Tom!

b.
On 8/10/10 7:54 PM, Brian J. Murrell wrote:
> On Thu, 2010-08-05 at 15:32 -0700, Tom Eastep wrote:
>> Did you try searching the manpage for the word 'destination'?
>
> Finally got a chance to try that and that did the trick.
>
> Thanx Tom!

You are welcome, Brian

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
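The thread ends with "the manpage did the trick" but never shows the resulting masq entry or the rules it compiles to. The following is an added example, not code from this thread or from the Shorewall project: it takes a masq line whose INTERFACE column carries a destination exclusion (the `eth0:!192.168.0.0/24` form, which is my reading of shorewall-masq(5)/shorewall-exclusion(5) and is an assumption here) and emits the iptables nat rules that reproduce the chain Brian built by hand: a RETURN for the excluded destination placed ahead of the catch-all SNAT. A small first-match evaluator then shows which flows leave with the 1.1.4.5 source and which are left alone, so the ordering point behind the hand-inserted `-I` rule is visible without touching a live firewall.

```python
# Added example (not from this thread or from Shorewall): translate a masq
# entry with a destination exclusion into iptables nat rules, then walk the
# rules with first-match semantics. The "eth0:!net" INTERFACE syntax is
# assumed from shorewall-masq(5)/shorewall-exclusion(5).
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    chain: str
    source: ipaddress.IPv4Network
    dest: ipaddress.IPv4Network
    target: str                      # "RETURN" or "SNAT"
    to_source: Optional[str] = None  # SNAT address, None for RETURN

    def as_iptables(self) -> str:
        cmd = (f"iptables -t nat -A {self.chain} -s {self.source} "
               f"-d {self.dest} -j {self.target}")
        if self.target == "SNAT":
            cmd += f" --to-source {self.to_source}"
        return cmd


def parse_masq_entry(line: str) -> List[NatRule]:
    """Turn the first three masq columns (INTERFACE SOURCE ADDRESS) into rules.

    INTERFACE may be 'eth0', 'eth0:dest[,dest...]', 'eth0:!excl[,excl...]'
    or 'eth0:dest!excl' (assumed shorewall-exclusion form).
    """
    iface_col, source_col, address = line.split()[:3]
    iface, _, dests = iface_col.partition(":")
    includes_txt, _, excludes_txt = dests.partition("!")
    includes = [ipaddress.ip_network(d) for d in includes_txt.split(",") if d] or [ANY]
    excludes = [ipaddress.ip_network(d) for d in excludes_txt.split(",") if d]
    source = ipaddress.ip_network(source_col)
    chain = f"{iface}_masq"  # chain name as shown in the thread's listing
    # Exclusions must precede the SNAT rule: a RETURN that matches first is
    # what keeps the local subnet un-NATted (same ordering the -I in the
    # thread produced by inserting RETURN at the top of eth0_masq).
    rules = [NatRule(chain, source, ex, "RETURN") for ex in excludes]
    rules += [NatRule(chain, source, inc, "SNAT", address) for inc in includes]
    return rules


def snat_for(rules: List[NatRule], src: str, dst: str) -> Optional[str]:
    """First matching rule wins, as in an iptables chain; RETURN means no SNAT."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.source and d in r.dest:
            return r.to_source if r.target == "SNAT" else None
    return None  # fell off the end of the chain: no SNAT either


if __name__ == "__main__":
    # Constructed entry: the thread's masq line plus the wanted exclusion.
    entry = "eth0:!192.168.0.0/24 192.168.122.0/24 1.1.4.5"
    rules = parse_masq_entry(entry)
    for r in rules:
        print(r.as_iptables())
    print(snat_for(rules, "192.168.122.10", "192.168.0.5"))   # local: untouched
    print(snat_for(rules, "192.168.122.10", "203.0.113.7"))   # remote: 1.1.4.5
```

Running the module prints the two `iptables -t nat -A eth0_masq ...` commands in the order the evaluator depends on; swapping them (or appending the RETURN with `-A` after an existing SNAT) would make the local flow hit SNAT first, which is exactly why the hand fix in the thread used `-I`.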