In the old days, the DNAT rule parameter:

# ORIGINAL DEST (Optional -- only allowed if ACTION is DNAT[-] or
<<<SNIP>>>
# The address (list) may optionally be followed by
# a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall
# documentation for restrictions concerning this feature.
# If no source IP address is given, the original source
# address is not altered.

It was VERY easy to change the source address of that DNAT connection.

DNAT net loc:$PRINTER-INTERNAL:443 tcp https - $PRINTER-EXTERNAL:$FW-ETH1-INTERNAL

In the current version, what is the EASY approach? Thanks.

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors.
See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk
On 10/18/2013 8:20 AM, Guilsson G wrote:
> In the old days, the DNAT rule parameter:
>
> #ORIGINAL DEST (Optional -- only allowed if ACTION is DNAT[-] or
> <<<SNIP>>>
> #The address (list) may optionally be followed by
> #a colon (":") and a second IP address. This causes
> #Shorewall to use the second IP address as the source
> #address in forwarded packets. See the Shorewall
> #documentation for restrictions concerning this feature.
> #If no source IP address is given, the original source
> #address is not altered.
>
> It was VERY easy to change the source address of that DNAT connection.
>
> DNAT net loc:$PRINTER-INTERNAL:443 tcp https - $PRINTER-EXTERNAL:$FW-ETH1-INTERNAL
>
> In the current version, what is the EASY approach?

In the current version, the ONLY way is to add an entry to /etc/shorewall/masq:

eth1:$PRINTER-INTERNAL - tcp https

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
I think it's missing one parameter.

eth1:$PRINTER-INTERNAL eth0 $FW-ETH1-INTERNAL tcp https

Correct?

On Fri, Oct 18, 2013 at 1:37 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 10/18/2013 8:20 AM, Guilsson G wrote:
> > In the old days, the DNAT rule parameter:
> >
> > It was VERY easy to change the source address of that DNAT connection.
> >
> > DNAT net loc:$PRINTER-INTERNAL:443 tcp https - $PRINTER-EXTERNAL:$FW-ETH1-INTERNAL
> >
> > In the current version, what is the EASY approach?
>
> In the current version, the ONLY way is to add an entry to
> /etc/shorewall/masq:
>
> eth1:$PRINTER-INTERNAL - tcp https
>
> -Tom
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
No, it is not.

Tom
teastep@shorewall.net
http://www.shorewall.net

From: Guilsson G [mailto:guilsson@gmail.com]
Sent: Friday, October 18, 2013 4:51 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Specifying DNAT and SNAT in same rule

I think it's missing one parameter.

eth1:$PRINTER-INTERNAL eth0 $FW-ETH1-INTERNAL tcp https

Correct?

On Fri, Oct 18, 2013 at 1:37 PM, Tom Eastep <teastep@shorewall.net> wrote:

On 10/18/2013 8:20 AM, Guilsson G wrote:
> In the old days, the DNAT rule parameter:
>
> It was VERY easy to change the source address of that DNAT connection.
>
> DNAT net loc:$PRINTER-INTERNAL:443 tcp https - $PRINTER-EXTERNAL:$FW-ETH1-INTERNAL
>
> In the current version, what is the EASY approach?

In the current version, the ONLY way is to add an entry to /etc/shorewall/masq:

eth1:$PRINTER-INTERNAL - tcp https

-Tom
On 10/18/2013 5:27 PM, Tom Eastep wrote:
> No, it is not.
>
> From: Guilsson G [mailto:guilsson@gmail.com]
> Sent: Friday, October 18, 2013 4:51 PM
> To: Shorewall Users
> Subject: Re: [Shorewall-users] Specifying DNAT and SNAT in same rule
>
> I think it's missing one parameter.

First, I apologize for top-posting; I responded using Outlook.

SNAT (modification of the source address) is done out of the nat table's POSTROUTING chain, and rules in that chain may not specify a source interface name. If you place 'eth0' in the SOURCE column, then the Shorewall-generated script will examine the main routing table and generate rules for traffic from every host/network routed out of that interface, *except* for those routed using a default route. Both the compiler and the generated script will issue WARNING messages; the compiler will complain that eth0 must be up and functional before the firewall will start, while the script will report that the default route out of eth0 is being ignored.

Devices like printers have a primitive IP stack that does not support the notion of a default route. So *any* traffic sent to the printer from the firewall must have the address of eth1 as its source IP. As a consequence, making the SNAT rule unconditional is the proper and EASIEST thing to do.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
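As an added illustration (not code from the thread or from Shorewall itself), the following Python model expands a masq entry into the nat POSTROUTING rules it implies, following the behaviour Tom describes: an interface name in SOURCE is replaced by the networks routed out of that interface, the default route is dropped with a warning, and the unconditional entry yields a single rule. The interface names, addresses and routing table are constructed sample values, and the rule text is a simplified approximation of what the real compiler emits.

```python
import re
from dataclasses import dataclass
# Constructed `ip route` output (not from the thread): eth0 faces the internet, eth1 the printer LAN.
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.1
"""

@dataclass
class MasqEntry:
    interface: str      # INTERFACE[:DEST] column of /etc/shorewall/masq
    source: str = "-"   # SOURCE column: "-", a network list, or an interface name
    address: str = "-"  # ADDRESS column: "-" means MASQUERADE, else SNAT to it
    proto: str = "-"
    ports: str = "-"

def parse_routes(text):
    # Return (destination, device) pairs from `ip route`-style lines.
    routes = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s.*?\bdev\s+(\S+)", line)
        if m:
            routes.append((m.group(1), m.group(2)))
    return routes

def expand_masq(entry, routes):
    """Model the nat POSTROUTING rules a masq entry becomes; returns (rules, warnings).
    POSTROUTING cannot match the input interface, so an interface name in SOURCE is
    expanded to the networks routed out of it, minus the default route."""
    out_if, _, dest = entry.interface.partition(":")
    match = f"-o {out_if}"
    for flag, val in (("-d", dest), ("-p", entry.proto), ("--dport", entry.ports)):
        if val and val != "-":
            match += f" {flag} {val}"
    target = "MASQUERADE" if entry.address == "-" else f"SNAT --to-source {entry.address}"
    warnings, sources = [], []
    if entry.source == "-":
        sources = [None]                                  # unconditional: one rule
    elif re.fullmatch(r"[A-Za-z][\w.]*", entry.source):   # an interface name
        warnings.append(f"{entry.source} must be up and functional before the firewall starts")
        for net, dev in (r for r in routes if r[1] == entry.source):
            if net == "default":
                warnings.append(f"default route out of {entry.source} is being ignored")
            else:
                sources.append(net)
    else:
        sources = entry.source.split(",")                 # explicit network list
    rules = [f"-A POSTROUTING{' -s ' + s if s else ''} {match} -j {target}" for s in sources]
    return rules, warnings
```

Feeding the thread's two candidate entries through expand_masq shows why Tom prefers the unconditional form: it produces one rule with no warnings, whereas an interface in SOURCE produces a rule only for the non-default networks routed out of eth0 and two warnings.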