[Shorewall-users] Is this possible with shorewall?

Eduardo Ferreira duda at icatu.com.br
Mon Dec 1 13:47:45 PST 2003


hi Tom & all,

I need to have NAT enabled in a special condition: only from a specific IP 
in my local zone and to a specific host/net.  Every other connection can't 
be NATted.  I'm doing this with a couple of iptables commands that need to 
be issued in the start script:

run_iptables -t nat -I POSTROUTING -s 10.1.20.1 -d 172.21.4.1 -j SNAT --to-source 172.21.4.51
run_iptables -t nat -I PREROUTING -s 172.21.4.1 -d 172.21.4.51 -j DNAT --to-destination 10.1.20.1

Is there a way of doing this using the configuration files?  For all I 
read, the answer is no.  But why couldn't the nat configuration file be 
zone-enabled? (e.g. if a connection from zoneA goes to zoneB, NAT it; in every 
other case, don't NAT it.)  Something like:

#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
#                                               INTERFACES
zoneB           eth0            ZoneA           -               -

and maybe a new column to indicate the address to be used...

cheers,

Eduardo
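The two run_iptables commands in the post encode the same host pair twice (once for SNAT, once for DNAT), so a later edit to one of them can silently leave the other direction pointing at the old address. The script below is an added example, not from the post and not Shorewall's own code: it derives both rules from one definition of the pair, rejects malformed addresses before anything touches the nat table, and has a DRY_RUN mode that only prints the rules. It assumes Shorewall's run_iptables wrapper is available when the script runs from the start extension script; the is_ipv4, nat_pair and apply_nat_pair functions are the example's own names.

```shell
#!/bin/sh
# Added example (not from the original post, not Shorewall code): one
# definition of the host pair drives both the SNAT and the DNAT rule, so the
# two directions cannot drift apart when the mapping changes.
# Assumption: Shorewall's run_iptables wrapper exists when this runs inside
# /etc/shorewall/start; with DRY_RUN=1 the rules are only printed.

# is_ipv4 ADDR -> returns 0 if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# nat_pair LOCAL_IP PUBLIC_IP REMOTE -> prints the two rule argument lists,
# one per line; returns 1 and prints nothing if any address is malformed.
# -I is kept from the post: it puts the rules at the head of each chain,
# ahead of whatever is already there.
nat_pair() {
    for a in "$1" "$2" "$3"; do
        is_ipv4 "$a" || { echo "nat_pair: bad address '$a'" >&2; return 1; }
    done
    # Outbound: only traffic from LOCAL_IP to REMOTE leaves as PUBLIC_IP.
    printf '%s\n' "-t nat -I POSTROUTING -s $1 -d $3 -j SNAT --to-source $2"
    # Inbound: only REMOTE reaching PUBLIC_IP is mapped back to LOCAL_IP.
    printf '%s\n' "-t nat -I PREROUTING -s $3 -d $2 -j DNAT --to-destination $1"
}

# apply_nat_pair LOCAL_IP PUBLIC_IP REMOTE -> runs (or, with DRY_RUN=1,
# prints) both rules; nothing is applied if validation fails.
apply_nat_pair() {
    rules=$(nat_pair "$@") || return 1
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'iptables %s\n' "$rule"
        else
            # word-splitting of $rule is intended: it is an argument list
            run_iptables $rule
        fi
    done
}

# Demo with the addresses from the post (local host, its NAT address, remote
# peer); DRY_RUN=1 prints the rules instead of loading them.
DRY_RUN=1
apply_nat_pair 10.1.20.1 172.21.4.51 172.21.4.1
```

In a real start script, drop the demo lines at the bottom and call apply_nat_pair with DRY_RUN unset; run it with DRY_RUN=1 first to review exactly which two rules will be inserted. Because both rules are restricted to the one local host and the one remote host, any other traffic keeps its real addresses, which is the "every other connection can't be NATted" condition from the post.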
