[Shorewall-newbies] Dual DNAT and SNAT ?

Niels Kristian Jensen nkj at internetgruppen.dk
Sat Jan 3 18:19:28 PST 2004


Hi all,

I have three servers on my DMZ.

One is called "akela". It has one internal RFC1918 IP 192.168.2.11

It can be contacted from the outside on 194.192.161.164 for most 
services, but it also (for historic reasons) answers DNS queries on 
194.192.161.168

That's taken care of using three DNAT rules:

# *************************************************************************
# BEGIN akela
# *************************************************************************
DNAT	net	dmz:192.168.2.11	tcp	ssh,ftp,ftp-data,pop3,smtp,notes,http	-	194.192.161.164
DNAT	net	dmz:192.168.2.11	tcp	domain	-	194.192.161.168
DNAT	net	dmz:192.168.2.11	udp	domain	-	194.192.161.168




But the server also sometimes needs to contact the outside world. I've 
therefore made a rule:

ACCEPT	dmz:192.168.2.11	net	tcp	smtp,notes

and added this to the "masq" file:

eth0:4		192.168.2.11/32		194.192.161.164


I guess that this setup will make any connection originating on akela to 
the "net" appear to come from 194.192.161.164?


I use the /32 subnet to single out this one server because I also have 
two more servers:

eth0:5		192.168.2.165/32	194.192.161.165
eth0:6		192.168.2.112/32	194.192.161.166



So the questions:

1) Will it work as I describe it?

2) Can I somehow make connections originating on akela for domain ports 
only SNAT to 194.192.161.168 ?

Best regards,
Niels Kristian Jensen
Denmark
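As an added illustration (not part of the post above, and not Shorewall's own compiler output), the script below prints the iptables commands that the post's three DNAT rules and the masq entries reduce to, and adds the port-qualified SNAT that question 2 asks for at the iptables level. Nothing is run against a live firewall; the functions only print rules. It assumes that the "net" zone is eth0 and that the port name "notes" resolves to 1352/tcp (Lotus Notes); both are assumptions, as is the small port table that stands in for /etc/services. The ordering check at the end makes the point a practitioner cares about: the domain-only SNAT must precede the catch-all SNAT for 192.168.2.11, because POSTROUTING takes the first matching rule.

```shell
#!/bin/sh
# Added example: emit the iptables equivalents of Shorewall DNAT and masq
# entries so the NAT behaviour can be read off directly. Nothing here touches
# a live firewall; every function only prints commands.
# Assumptions (not from the post): external interface is eth0; "notes" is
# Lotus Notes, 1352/tcp; the port table below is constructed, not /etc/services.

NET_IF=eth0

# Constructed port-name table standing in for /etc/services.
port_number() {
    case "$1" in
        ftp-data) echo 20 ;;   ftp) echo 21 ;;      ssh) echo 22 ;;
        smtp) echo 25 ;;       domain) echo 53 ;;   http) echo 80 ;;
        pop3) echo 110 ;;      notes) echo 1352 ;;  # assumption: Lotus Notes
        *) echo "$1" ;;        # already numeric
    esac
}

# "ssh,ftp,http" -> "22,21,80" in pure POSIX sh (no IFS juggling).
ports_to_numbers() {
    names=$1; nums=""
    while [ -n "$names" ]; do
        case "$names" in
            *,*) p=${names%%,*}; names=${names#*,} ;;
            *)   p=$names;       names="" ;;
        esac
        nums="${nums:+$nums,}$(port_number "$p")"
    done
    echo "$nums"
}

# A "DNAT net dmz:IP PROTO PORTS - ORIGDEST" line is a PREROUTING rule that
# matches the public address as it arrives on the external interface.
dnat_rule() {  # dnat_rule <internal ip> <proto> <ports> <public ip>
    echo "iptables -t nat -A PREROUTING -i $NET_IF -d $4 -p $2" \
         "-m multiport --dports $(ports_to_numbers "$3") -j DNAT --to-destination $1"
}

# A masq line "eth0:N SOURCE ADDRESS" is a POSTROUTING SNAT rule. It only
# affects connections that originate inside: conntrack reverses the DNAT for
# replies to inbound connections on its own. The optional proto/ports pair is
# the per-service SNAT that question 2 asks about.
snat_rule() {  # snat_rule <source ip/mask> <public ip> [<proto> <ports>]
    match=""
    if [ -n "${3:-}" ]; then
        match=" -p $3 -m multiport --dports $(ports_to_numbers "$4")"
    fi
    echo "iptables -t nat -A POSTROUTING -o $NET_IF -s $1$match -j SNAT --to-source $2"
}

# The full NAT set for akela. Order matters: iptables takes the first
# POSTROUTING rule that matches, so the domain-only SNAT must be listed
# before the catch-all for 192.168.2.11 or it would never be reached.
akela_nat() {
    dnat_rule 192.168.2.11 tcp ssh,ftp,ftp-data,pop3,smtp,notes,http 194.192.161.164
    dnat_rule 192.168.2.11 tcp domain 194.192.161.168
    dnat_rule 192.168.2.11 udp domain 194.192.161.168
    snat_rule 192.168.2.11/32 194.192.161.168 tcp domain   # question 2
    snat_rule 192.168.2.11/32 194.192.161.168 udp domain   # question 2
    snat_rule 192.168.2.11/32 194.192.161.164              # question 1
    snat_rule 192.168.2.165/32 194.192.161.165
    snat_rule 192.168.2.112/32 194.192.161.166
}

# Sanity check on a generated ruleset read from stdin: every port-specific
# SNAT for a source must precede that source's catch-all SNAT. Exit 0 if safe.
snat_order_ok() {
    awk '
        /-A POSTROUTING/ {
            for (i = 1; i <= NF; i++) if ($i == "-s") src = $(i + 1)
            if ($0 ~ /--dports/) { if (seen_all[src]) bad = 1 }
            else seen_all[src] = 1
        }
        END { exit bad ? 1 : 0 }'
}

akela_nat
```

Run it as `sh masq_to_iptables.sh | sh -n` to at least syntax-check the output, or pipe it into `snat_order_ok` after editing to confirm that a new port-specific entry was not appended below the catch-all.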


