[Shorewall-newbies] Dual DNAT and SNAT ?

Niels Kristian Jensen nkj at internetgruppen.dk
Sat Jan 3 18:19:28 PST 2004

Hi all,

I have three servers on my DMZ.

One is called "akela". It has one internal RFC1918 IP

It can be contacted from the outside on for most 
services, but it also (for historic reasons) answers DNS queries on

That's taken care of using three DNAT rules:

# BEGIN akela
# *************************************************************************
DNAT      net	dmz:	tcp     ssh,ftp,ftp-data,pop3,smtp,notes,http -
DNAT      net	dmz:	tcp     domain 	-
DNAT      net	dmz:	udp     domain 	-

But the server also sometimes needs to contact the outside world. I've 
therefore made a rule:

ACCEPT	dmz:	net	tcp	smtp,notes

and added this to the "masq" file:


I guess that the setup will lead to any contact originating on akela to 
the "net" will seem to come from ?

I use the /32 subnet to single out this one server because I also have 
two more servers:


So the questions:

1) Will it work as I describe it?

2) Can I somehow make connections originating on akela for domain ports 
only SNAT to ?

Best regards,
Niels Kristian Jensen
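An added example, not part of the original post and not the Shorewall project's own documentation, showing one way to write the rules and masq entries the post describes so that only akela's DNS traffic is SNATed to the second public address. The addresses are placeholders standing in for the ones the post omits: 10.0.0.2 for akela, 192.0.2.10 for its general public address, 192.0.2.11 for the address it answers DNS on, 192.0.2.1 for the rest of the DMZ, and eth0 as the external interface. It assumes a Shorewall version whose masq file has the PROTO and PORT(S) columns (present in Shorewall 2.0; check the column header in the masq file shipped with your version).

```text
# --- /etc/shorewall/rules (placeholder addresses, see lead-in) -------------
# ORIGINAL DEST pins each DNAT to the public address it is meant for. With
# several public addresses on the firewall, leaving it as "-" would redirect
# port 53 on every address to akela, not just on 192.0.2.11.
#ACTION  SOURCE        DEST          PROTO  DEST PORT(S)                           SOURCE  ORIGINAL DEST
DNAT     net           dmz:10.0.0.2  tcp    ssh,ftp,ftp-data,pop3,smtp,notes,http  -       192.0.2.10
DNAT     net           dmz:10.0.0.2  tcp    domain                                 -       192.0.2.11
DNAT     net           dmz:10.0.0.2  udp    domain                                 -       192.0.2.11
# Outbound from akela. The ACCEPT only opens the firewall; the address it
# appears to come from is decided in the masq file below.
ACCEPT   dmz:10.0.0.2  net           tcp    smtp,notes
ACCEPT   dmz:10.0.0.2  net           tcp    domain
ACCEPT   dmz:10.0.0.2  net           udp    domain

# --- /etc/shorewall/masq ---------------------------------------------------
# Entries are added to POSTROUTING in file order and the first match wins, so
# the port-specific lines for akela must come before its catch-all line, and
# both must come before the entry for the whole DMZ subnet.
#INTERFACE  SUBNET        ADDRESS      PROTO  PORT(S)
eth0        10.0.0.2/32   192.0.2.11   udp    53
eth0        10.0.0.2/32   192.0.2.11   tcp    53
eth0        10.0.0.2/32   192.0.2.10
eth0        10.0.0.0/24   192.0.2.1
```

Two things to check after `shorewall restart`: the public addresses used as SNAT sources (192.0.2.10 and 192.0.2.11 here) must actually be reachable on the firewall's external interface, otherwise replies to akela's outbound DNS queries never come back; and `iptables -t nat -L POSTROUTING -n -v` should show the two port-53 SNAT rules listed above the general one for 10.0.0.2, with their packet counters increasing when akela resolves a name.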
