[Shorewall-users] SNAT & DNAT

Simon Matter simon.matter at ch.sauter-bc.com
Sun Aug 3 22:40:32 PDT 2003


> Simon,
> Thanks! that looks like that will work fine, I will try it. But what IF
> I get another block of class c addresses, i.e. another network? For
> example:
> class c block number 1: 1.2.3.4/24
> class c block number 2: 1.2.5.6/24
>
> Is Shorewall capable of handling that?

Unfortunately I don't know. Tom should be back tomorrow, he's the one who
knows it for sure.
But then, why would you want to do that? I don't see a real benefit.
Usually when you have a class c net, you only use a few addresses for
client connections and the other ones are dedicated for servers using
static nat, proxy arp or whatever is appropriate.

Simon

>
> Thanks in advance!
>
> Terry
>
> Simon Matter wrote:
>
>> Hi,
>>
>> IIRC what is called PAT on a Cisco PIX is what is called Masquerading in
>> the Linux world.
>> If I understand correctly, you want your 10.0.0.0/8 network to have access
>> to the internet. In the easiest configuration, you'll only need one public
>> IP address for this to work. Connection tracking in the Linux kernel will
>> manage to make things work for almost every protocol. Complicated
>> protocols like FTP will need additional kernel modules for this to work.
>> This is something Shorewall usually cares about.
>> Now, if you have too many open connections because maybe thousands of
>> clients have several connections open at the same time, you may need more
>> public IPs for it to work. Looks like the latest snapshot release of
>> Shorewall has support for this too. You can configure this in the file
>> /etc/shorewall/masq like this:
>>
>> eth0    10.0.0.0/8    206.124.146.177-206.124.146.180
>>
>> or
>>
>> eth0    eth1          206.124.146.177-206.124.146.180
>>
>> HTH
>> Simon
>>
>>
>>>Hello,
>>>
>>>I am looking at/testing Shorewall and have gone through most if not all
>>>of the documentation. I believe I understand most of how to set up
>>>Shorewall with no problem. However, I am unclear if a particular feature
>>>is available.
>>>
>>>I have a block of class C addresses, a full 254. i.e. 1.2.3.4/24.
>>>
>>>I also have non-routable addresses on my private/internal network i.e.
>>>10.0.0.0 , for my local hosts.
>>>
>>>I am unclear in the documentation if I can use Shorewall to use all/most
>>>of the Class C addresses, for outbound requests similar to how a PIX
>>>firewall uses them in a 'Global' pool and PAT.
>>>
>>>For example, is it possible to have my private hosts have their private
>>>IP addresses translated to a public IP address, that is taken from a
>>>range of public IP addresses 'tracked' by Shorewall and then Shorewall
>>>keeps track of the host's internal IP address for the return back. For
>>>example, an internal host makes a web request, 'finds' an available
>>>class C address, uses that and then gets translated back to the internal
>>>host's IP address.
>>>
>>>The problem I have is that if I have more than 254 hosts needing an
>>>Internet/routable address at the same time then is there a feature
>>>similar to Port Address Translation, similar to a PIX firewall?
>>>
>>>Is that part of the DNAT or maybe SNAT feature on Shorewall?
>>>
>>>Or to do this would I need to get another block of Class C addresses
>>>from my ISP and if I need to get another block of class C addresses does
>>>Shorewall support more than one CIDR block on the same firewall?
>>>
>>>Would I need to set up another switch and Shorewall firewall for each
>>>1.2.3.4/24 block?
>>>
>>>If it is in the documentation I have not yet found how to do it. If
>>>someone could point to the area of the documentation where it explains
>>>this it would be great.
>>>
>>>Thanks for your time in advance.
>>>
>>>terry
>>>
>>>_______________________________________________
>>>Shorewall-users mailing list
>>>Post: Shorewall-users at lists.shorewall.net
>>>Subscribe/Unsubscribe:
>>>http://lists.shorewall.net/mailman/listinfo/shorewall-users
>>>Support: http://www.shorewall.net/support.htm
>>>FAQ: http://www.shorewall.net/FAQ.htm
>>>
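As an added illustration of what the two /etc/shorewall/masq entries quoted above express, here is a small parser (written for this page, not Shorewall's own code) that reads masq lines and renders the nat-table rule each one corresponds to. The rendered `iptables` commands use a plain POSTROUTING chain; real Shorewall generates per-interface chains with its own names, so treat the output as the semantic equivalent rather than a literal copy of Shorewall's rules. The interface-to-networks table and the sample lines are constructed for the example.

```python
import ipaddress

# Constructed sample file, modelled on the entries quoted in the thread.
# Columns: INTERFACE (outgoing) SOURCE (network or inside interface) ADDRESS (optional SNAT pool)
SAMPLE_MASQ = """\
#INTERFACE   SOURCE        ADDRESS
eth0         10.0.0.0/8    206.124.146.177-206.124.146.180
eth0         eth1          206.124.146.177-206.124.146.180
eth0         192.168.1.0/24
"""

# Assumption for the example: which networks sit behind each inside interface.
# Shorewall derives this from the routing table; here it is a constructed lookup.
INTERFACE_NETWORKS = {"eth1": ["10.0.0.0/8"]}


def expand_address_range(spec):
    """Expand 'a.b.c.d-a.b.c.e' (or a single address) into the list of IPv4 addresses."""
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        lo, hi = int(ipaddress.IPv4Address(lo_s)), int(ipaddress.IPv4Address(hi_s))
        if hi < lo:
            raise ValueError(f"range end precedes start: {spec}")
        return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
    return [str(ipaddress.IPv4Address(spec))]


def parse_masq(text):
    """Parse masq-style lines into dicts; '#' starts a comment, blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"need at least INTERFACE and SOURCE: {raw!r}")
        iface, source = fields[0], fields[1]
        address = fields[2] if len(fields) > 2 else None
        if source in INTERFACE_NETWORKS:
            # SOURCE given as an inside interface: masquerade everything routed through it.
            networks = list(INTERFACE_NETWORKS[source])
        else:
            # SOURCE given as a network; validate it and normalise to CIDR form.
            networks = [str(ipaddress.IPv4Network(source, strict=False))]
        if address is not None:
            expand_address_range(address)  # validates the pool syntax early
        entries.append({"interface": iface, "networks": networks, "address": address})
    return entries


def to_iptables(entry):
    """Render the equivalent nat rule(s): SNAT to a pool when ADDRESS is given, else MASQUERADE."""
    rules = []
    for net in entry["networks"]:
        base = f"iptables -t nat -A POSTROUTING -o {entry['interface']} -s {net}"
        if entry["address"] is None:
            rules.append(f"{base} -j MASQUERADE")
        else:
            rules.append(f"{base} -j SNAT --to-source {entry['address']}")
    return rules


def pool_size(entry):
    """Number of public addresses the entry can translate to (1 for plain masquerading)."""
    if entry["address"] is None:
        return 1
    return len(expand_address_range(entry["address"]))


if __name__ == "__main__":
    for e in parse_masq(SAMPLE_MASQ):
        print(f"# pool of {pool_size(e)} public address(es)")
        for rule in to_iptables(e):
            print(rule)
```

The point the parser makes concrete is Simon's: the SOURCE column can be either a network or an inside interface, and the optional ADDRESS column turns plain masquerading (one public address, port overloading on the outgoing interface) into SNAT across a pool of addresses, which is the case for a site with far more simultaneous flows than a single address can carry.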