Displaying 20 results from an estimated 5000 matches similar to: "Docs Issue - IP Masq vs. SNAT"
2004 Oct 06
4
SNAT is less expensive than MASQ
hi,
in the masq file's documentation, there is a sentence:
"If you have a static IP on that interface, listing it here makes
processing of output packets a little less expensive for the firewall."
this really means that SNAT to the primary address is less expensive than
a MASQ rule in netfilter? is this documented anywhere in
iptables/netfilter?
thanks.
--
Levente
2005 Jan 07
3
masq or static nat
Hello,
> My server is on Mandrake 10.1 off.
> eth0 is WAN with static IP connected 512 DSL
> eth1 is LAN.
I am a little confused about NAT.
I have a static IP from ISP
I want to do a NAT on eth0.
What should I use in shorewall: masquerading or static nat?
Thanks
Varun
2002 Aug 06
8
converting MASQ from ipchains
Hello,
on my old system I'm using ipchains. Can anyone help me with converting the rule
/sbin/ipchains -A forward -j MASQ -s source_addr -d destination_addr 443 -p tcp
to shorewall. I know that I can write
eth0 source_addr
to /etc/shorewall/masq file
but I can't find where I can specify the destination address.
The reason for this is to allow one user (computer) access only to
2005 May 31
2
DNAT "without" SNAT?
Hi!
First of all, let me say a big "thank you" to Tom for creating
shorewall. I've been using it for a few months now and it's such a
relief to not have to resort to OpenBSD's pf (which is so much more sane
than Linux' iptables madness) for the most basic firewalling tasks.
I have a question that I didn't seem to be able to find in the FAQ.
2002 Sep 29
11
Iptables, SNAT/MASQ, Multiple gateways
I have a dual-homed firewall. It has 2 Internet connections, provided by
different ISPs (each with an associated IP address). The 2 Internet
connections are connected to the same physical interface. The 2 Internet
connections do NOT have equal bandwidth.
How do I configure the SNAT/MASQ and ensure sharing of the gateways with
the correct ratio of usage and with the correct source IP address?
I
2006 Sep 16
1
[Bug 9] locally bound udp port can still be used for MASQ/SNAT
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=9
------- Additional Comments From kaber@trash.net 2006-09-16 14:45 MET -------
I guess this is obsolete now that we don't exclude locally originating packets
from MASQUERADE anymore .. in the end all ports will be unique.
2006 Nov 14
2
NAT/MASQ with multiple external static IPs
Hello everyone,
really not sure if this is a LARTC question or not, but I have several
hundred users all MASQ'd behind a single static IP. Users are reporting
that certain websites are blacklisting that single static external IP
for various reasons.
What I would like to do is use several external IPs and have a MASQ'd
user getting a random one each time.
Here is
2012 Mar 05
0
masq and snat
Hi!
Progress is much better now with my new install with not many problems left!
I just have a simple - I hope - question.
I have a few users that need access to the net via masquerade rules. The rest
have to go via squid on the firewall. That all works well.
I also have two windows servers that also need access to the net but they have
to each use a specific outgoing ip address.
I add two
2005 Jan 23
15
Idea: permit /etc/shorewall/masq to contain zones, as well as interfaces
Dear All,
Firstly, thank you very much - shorewall is great. I'm not a member of
this list, and please forgive me if I am suggesting something stupid, but
the following occurs to me, and I thought it might be useful.
Why not make it possible to specify zones as well as interfaces in the
/etc/shorewall/masq file ?
Eg: instead of:
eth0 eth1
one might write:
net loc (or masq in
2004 Nov 20
5
Differences in masq from 1.4 -> 2.0?
In the panic of replacing our firewall(s) earlier in the week, we ended up
moving our original shorewall 1.4 config onto a machine with 2.0.10
already installed, overwriting all the 2.0.10 config files.
Most things seem to work fine, except for our masq entries. I've examined
the default 2.0.10 files compared with our 1.4 files, and can't spot the
problem. What am I missing?
2009 Aug 12
6
Shorewall (Openswan) IPSEC VPN MASQ Problem
Hi,
I have set up an IPSEC VPN using Openswan to connect a Draytek router to a
CentOS 5.2/Shorewall 4.2.9 firewall. The VPN establishes OK but I'm
getting a problem with packets from the left hand subnet getting
masqueraded rather than routed down the IPSEC VPN as though they were
going out onto the net. I've spent the last day searching Google and so
far I've hit a
2009 Mar 17
1
masqing a zone connected _via_ a tun.
Folk,
My network is described and illustrated here.
http://carnot.yi.org/NetworksPage.html
To allow Cantor and Dalton, in the vpn zone connected to
Joule through tun0, to SMTP to my ISP, I tried this in
/etc/shorewall/masq.
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 tun0
Shorewall complains.
07:21:58 Setting up Masquerading/SNAT...
07:21:58 To 0.0.0.0/0
2003 Feb 04
1
Totally SNAT confused :)
Hi !
I have set up a complete shorewall now with DMZ, and Private zones and
masq, rules, port-forwarding etc. worx like expected.
BUT
I have a wish to use a couple of more public IPs and relate those to
internal servers on the DMZ zone and I am now so confused about it. I have
searched this archive for SNAT port allow
Setup:
3 public addresses on the WAN nic. Let's call them 80.80.80.80 -
2003 Feb 23
1
RTSP problems (and SNAT questions)
I am having problems making RTSP connections to a Windows Streaming Media
Server (ie "connecting to media...." but WMP never connects). There are no
error messages in /var/log/messages. It was suggested to me that SNAT might
perform better than MASQ in this respect.
I edited my shorewall/masq file as such:
eth0 eth1 12.34.56.78
or should it be?
eth0 10.0.0.0/24
2010 May 10
4
Port Masquerading
Hi,
I am wondering if it is possible to do the following with shorewall.
I operate a network with some additional IPs that are SNAT'd to various server machines on my network.
One of my machines is a Terminal server.
I need to be able to RDP to various servers for clients, that are IP locked for RDP on my PtP address, not the SNAT address of my Terminal server.
Can I
2004 Nov 27
3
/etc/shorewall/masq
In /etc/shorewall/masq I have:
eth0 eth1
eth0 vmnet1
eth0 vmnet8
-------------
eth0 is my default route to the Linksys
router connected to the cable modem.
eth1 is my connection to 192.168.1 subnet
and it is the gateway for all other machines
on this subnet.
My routing table is:
# netstat -nr
Kernel IP routing table
Destination
2005 Jan 24
2
Migrate rules from iptables to shorewall - SNAT
Hi all,
I have been using Shorewall for one year (1.4, then 2.0)
I'm trying to migrate a linux firewall from iptables rules to shorewall.
The firewall has three zones
- net internet
- loc1 lan
- loc2 second lan
I have a lot of rules like this, to SNAT the ip addresses of some
computers on loc1 (192.168.16.0/24) when they connect to loc2 (10.0.0.0/8)
iptables -v -t nat -I
2009 Oct 23
9
sip/iax problem - udp conntrack entries not getting destroyed
Hello all,
I have an asterisk sip/iax peer behind a linux gateway doing nat. I'm using
pppoe with a dynamic ip that changes frequently.
The problem is when the line drops the sip/iax registrations drop as well,
and they don't register thereafter. When I check the conntrack entries, I
noticed the entries still have the old wan ip address and because of
keepalive (I'm
2005 Jun 24
1
SNAT multiple IP to single internal IP and limiting access based on external IP
Hello all,
I have shorewall set up with 3 SNAT entries for external IP addresses to
a single IP internal address. I am wondering how to limit access based
on the source IP address.
ex.
EXT IP 1 access only to port 25
EXT IP 2 access only to port 443
EXT IP 3 access only to port 80
I have the SNAT set up correctly and I have 3 accept lines in the rules
file (25,80,443) but I can hit
2005 May 21
10
pb with iptables snat script
hi list,
oh it's not really a problem.
Each time I fire shorewall, I run a custom iptables script:
(for the openvpn machines to have route back from my bridge/fw -
$SOURCEIP is the ip of my OpenVPN/Fw/bridge)
iptables -A POSTROUTING -t nat -s 10.8.0.0/16 -j SNAT --to-source $SOURCEIP
I wish to better integrate it within shorewall, so are there any config
files that could achieve the