Hi folks,
I've been using Shorewall for more than a year, and I am happy with it.
I have a subnet that is routed via the external interface of a Linux router,
running Shorewall.
The internal network is masqed. I want the internal network to be able
to reach the subnet (routed via the external interface) without masq. The rest
must remain masqed.
With iptables, I accomplish that with a one-line rule, placed BEFORE the NAT rule,
excluding destination 10.20.30.0/24:
iptables -A POSTROUTING -s 10.16.0.0/24 -d 10.20.30.0/24 -o bond0.3113 -m comment --comment "exclude destination 10.20.30.0/24 from NAT" -j RETURN
How do I accomplish this with Shorewall? In the masq file, I can exclude
only source addresses; can I not state any destinations?
Some info:
altadmin@vn-frog-01:/share$ /sbin/shorewall version
4.4.26.1
altadmin@vn-frog-01:/share$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP qlen 1000
link/ether 00:1f:29:5e:5c:40 brd ff:ff:ff:ff:ff:ff
inet6 fe80::21f:29ff:fe5e:5c40/64 scope link
valid_lft forever preferred_lft forever
3: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast
state DOWN qlen 1000
link/ether 00:1f:29:5e:5c:41 brd ff:ff:ff:ff:ff:ff
inet 10.16.254.2/24 brd 10.16.254.255 scope global eth2
4: eth0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1546 qdisc mq master
bond0 state UP qlen 1000
link/ether 00:1f:29:e9:e1:5c brd ff:ff:ff:ff:ff:ff
5: eth1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1546 qdisc mq master
bond0 state UP qlen 1000
link/ether 00:1f:29:e9:e1:5c brd ff:ff:ff:ff:ff:ff
6: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1546 qdisc noqueue
state UP
link/ether 00:1f:29:e9:e1:5c brd ff:ff:ff:ff:ff:ff
inet6 fe80::21f:29ff:fee9:e15c/64 scope link
valid_lft forever preferred_lft forever
7: eth3.3214@eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
noqueue state UP
link/ether 00:1f:29:5e:5c:40 brd ff:ff:ff:ff:ff:ff
inet 87.121.90.148/28 brd 87.121.90.159 scope global eth3.3214
inet 87.121.90.150/32 scope global eth3.3214:vrrp
inet6 fe80::21f:29ff:fe5e:5c40/64 scope link
valid_lft forever preferred_lft forever
8: bond0.1@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1546 qdisc noqueue
state UP
link/ether 00:1f:29:e9:e1:5c brd ff:ff:ff:ff:ff:ff
inet 10.16.0.2/24 brd 10.16.0.255 scope global bond0.1
inet 10.16.0.1/32 scope global bond0.1:vrrp
inet6 fe80::21f:29ff:fee9:e15c/64 scope link
valid_lft forever preferred_lft forever
9: bond0.2@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1546 qdisc noqueue
state UP
link/ether 00:1f:29:e9:e1:5c brd ff:ff:ff:ff:ff:ff
inet 10.248.0.2/24 brd 10.248.0.255 scope global bond0.2
inet 10.248.0.1/32 scope global bond0.2:vrrp
inet6 fe80::21f:29ff:fee9:e15c/64 scope link
valid_lft forever preferred_lft forever
10: bond0.3113@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
noqueue state UP
link/ether 00:1f:29:e9:e1:5c brd ff:ff:ff:ff:ff:ff
inet 31.13.248.2/22 brd 31.13.251.255 scope global bond0.3113
inet 31.13.248.1/32 scope global bond0.3113:vrrp
inet6 fe80::21f:29ff:fee9:e15c/64 scope link
valid_lft forever preferred_lft forever
altadmin@vn-frog-01:/share$ ip route show
default via 87.121.90.147 dev eth3.3214 metric 100
10.16.0.0/24 dev bond0.1 proto kernel scope link src 10.16.0.2
10.16.254.0/24 dev eth2 proto kernel scope link src 10.16.254.2
10.20.30.0/24 via 87.121.90.151 dev eth3.3214
10.248.0.0/24 dev bond0.2 proto kernel scope link src 10.248.0.2
31.13.248.0/22 dev bond0.3113 proto kernel scope link src 31.13.248.2
87.121.90.144/28 dev eth3.3214 proto kernel scope link src 87.121.90.148
172.17.17.0/24 via 87.121.90.151 dev eth3.3214
192.168.127.0/24 via 87.121.90.151 dev eth3.3214
--
Thanks.
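An added check, not from the poster or from the Shorewall project: however the nat rules are generated, the exclusion only takes effect if the RETURN rule for the destination sits ahead of the MASQUERADE rule for the same outgoing interface, and this POSIX sh/awk function confirms that ordering in an `iptables -S` style listing. The two rule listings below are constructed samples, not output captured from the poster's router.

```shell
#!/bin/sh
# Constructed sample of an `iptables -t nat -S <chain>` listing in which the
# exclusion RETURN precedes the MASQUERADE rule (the intended order).
GOOD_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.16.0.0/24 -d 10.20.30.0/24 -o bond0.3113 -m comment --comment "exclude destination 10.20.30.0/24 from NAT" -j RETURN
-A POSTROUTING -s 10.16.0.0/24 -o bond0.3113 -j MASQUERADE'

# Same rules with the order reversed: MASQUERADE matches first, so the
# exclusion is dead and traffic to 10.20.30.0/24 is still masqueraded.
BAD_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.16.0.0/24 -o bond0.3113 -j MASQUERADE
-A POSTROUTING -s 10.16.0.0/24 -d 10.20.30.0/24 -o bond0.3113 -m comment --comment "exclude destination 10.20.30.0/24 from NAT" -j RETURN'

# check_exclusion_order RULES IFACE DEST
# Returns 0 when a "-d DEST ... -o IFACE ... -j RETURN" rule appears before
# the first "-o IFACE ... -j MASQUERADE" rule; returns 1 when the RETURN is
# missing, matches a different destination, or comes after the MASQUERADE.
check_exclusion_order() {
    printf '%s\n' "$1" | awk -v iface="$2" -v dest="$3" '
        # has(flag, val): true if the option "flag val" occurs on this rule
        function has(flag, val,   i) {
            for (i = 1; i < NF; i++) if ($i == flag && $(i + 1) == val) return 1
            return 0
        }
        $1 != "-A" { next }   # skip -P (policy) and -N (chain) lines
        has("-o", iface) && has("-j", "RETURN") && has("-d", dest) { seen_return = 1 }
        has("-o", iface) && has("-j", "MASQUERADE") { found = 1; exit (seen_return ? 0 : 1) }
        END { if (!found) exit 1 }   # no MASQUERADE for IFACE at all: nothing to verify
    '
}

# Live usage (hypothetical invocation, not run here):
#   check_exclusion_order "$(iptables -t nat -S POSTROUTING)" bond0.3113 10.20.30.0/24
# Shorewall may place the masq rules in a nat chain of its own; feed the
# listing of whichever chain actually holds the MASQUERADE rule.
```

Running the function against the two samples returns 0 for GOOD_RULES and 1 for BAD_RULES, which is the difference between "exclusion honoured" and "exclusion silently ignored".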