AW: AW: [Shorewall-users] masquerade INCOMMING ip = :-|

Northe, Juergen jn at northe-online.de
Fri, 11 Oct 2002 03:01:15 +0200


>> 
>> /etc/shorewall/tcrules: (tried also to set mark = 9)
>> 1	ipsec0	172.20.0.0/16	
>> /etc/shorewall/start (also mark 1 -> 9)
>> run_iptables -t nat -A POSTROUTING -o eth0 --match mark --mark 1 -j 
>> SNAT --to-source 172.20.6.1
>> 
>> shorewall stop && shorewall clear &&
>> service ipsec restart && shorewall start
>> 
>> Result:
>> My notebook comes in the local net like before; with its own ip. I set
>> logging for every policy to info. Not a spot of bother.
>> 
>> Oct 11 01:52:18 dkmsrv2 kernel: Shorewall:vpn2loc:ACCEPT:IN=ipsec0
>> OUT=eth0 SRC=139.1.3.1 DST=172.20.5.1 LEN=48 TOS=0x00 PREC=0x00 
>> TTL=127 ID=7262 DF PROTO=TCP SPT=1331 DPT=10000 WINDOW=16384 RES=0x00
>> SYN URGP=0
>> 
>> #shorewall show tc
>> RTNETLINK answers: Invalid argument
>> Dump terminated
>> 
>> #iptables -L | grep "172.20.6.1"
>>  - no output.
>> 
>> hmm..          ?
>
>shorewall show nat | grep '172\.20\.6\.1'

looks good:

0   0 SNAT   all -- * eth0 0.0.0.0/0  0.0.0.0/0 MARK match 0x9
to:172.20.6.1

(also done with ' shorewall show nat | grep "172.20.6.1" ', but the
correct one is yours, with the regexp!)

jn
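The SNAT rule above shows zero packets and matches on mark 0x9 while the quoted tcrules entry writes mark 1. As an added example (not part of this thread or of Shorewall), this POSIX sh snippet takes a tcrules line and a `shorewall show nat` / `iptables -t nat -L -v -n` rule line, both constructed here from the values in the thread, and reports whether the two marks agree and whether the SNAT rule has ever counted a packet; the function names and the exit codes are this example's own.

```sh
#!/bin/sh
# Constructed samples: the tcrules entry and the SNAT rule line shown in the thread.
TCRULES_LINE='1	ipsec0	172.20.0.0/16'
NAT_RULE_LINE='0   0 SNAT   all -- * eth0 0.0.0.0/0  0.0.0.0/0 MARK match 0x9 to:172.20.6.1'

# Mark written by a tcrules entry (first column, optional :P/:F/:T suffix dropped),
# normalised to the 0x.. form that iptables prints.
tcrules_mark() {
    m=$(printf '%s\n' "$1" | awk '{print $1}' | sed 's/:.*//')
    printf '0x%x\n' "$m"
}

# Mark a nat rule matches on ("MARK match 0x9"), lower-cased; fails if absent.
nat_rule_mark() {
    h=$(printf '%s\n' "$1" | sed -n 's/.*MARK match \(0x[0-9a-fA-F]*\).*/\1/p' | tr 'A-F' 'a-f')
    [ -n "$h" ] || return 1
    printf '%s\n' "$h"
}

# Packet counter of a rule line from `iptables -v` / `shorewall show nat` output.
rule_pkts() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# Diagnose why a mark-based SNAT rule never fires: returns 0 when the marks agree
# and the rule has seen traffic, 1 on a mark mismatch, 2 if the rule has no mark
# match at all, 3 if the marks agree but the packet counter is still zero.
check_snat_rule() {
    t=$(tcrules_mark "$1")
    n=$(nat_rule_mark "$2") || { echo "SNAT rule has no MARK match"; return 2; }
    if [ "$t" != "$n" ]; then
        echo "mark mismatch: tcrules sets $t, SNAT rule matches $n"; return 1
    fi
    if [ "$(rule_pkts "$2")" -eq 0 ]; then
        echo "marks agree ($t) but the SNAT rule has 0 packets: nothing reached POSTROUTING on eth0 with that mark"; return 3
    fi
    echo "marks agree ($t) and the SNAT rule is matching"; return 0
}

check_snat_rule "$TCRULES_LINE" "$NAT_RULE_LINE" || :   # a non-zero status here is the diagnosis, not an error
```

A zero counter with agreeing marks points at the mark not surviving to POSTROUTING (or the packet leaving by another interface), which is a different problem from the mismatch the sample lines show.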