[Shorewall-users] SNAT

Tom Eastep teastep at shorewall.net
Thu Jul 3 23:20:33 PDT 2003


On Thu, 2003-07-03 at 15:16, Rodolfo Pilas wrote:
> On Thu, 03 Jul 2003 at 18:36, Tom Eastep wrote:
> > On Thu, 2003-07-03 at 14:34, Rodolfo Pilas wrote:
> > > I am migrating one of my old fw from ipchains to iptables/shorewall. Now
> > > I wish to configure a SNAT like this:
> > > 
> > > ipchains -A forward -p tcp -s 172.16.4.2 -d 0/0 53 -j MASQ
> > > 
> > > I have seen that the masq file enables me to do SNAT, but I wish to
> > > restrict it to the 53 port only.
> > > 
> > > Can you tell me how to do it?  Thanks.
> > 
> > May I ask WHY you want SNAT only on tcp port 53?
> 
> Because I do not wish 172.16.4.2 to be able to access any other outside port.

Then use the appropriate Shorewall mechanisms to do that.

e.g. - in /etc/shorewall/rules:

ACCEPT	loc:172.16.4.2	net	tcp	53
REJECT	loc:172.16.4.2	net	all

That way your firewall enforces your policy -- with your scheme, you are making the internet backbone routers enforce your policy for you.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep at shorewall.net
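As an added illustration (not part of the original thread, and not Shorewall's own code), the following is a small first-match evaluator for the rules-file columns used in the reply above (ACTION, SOURCE, DEST, PROTO, DEST PORT), run against constructed packets. It models how Shorewall orders rules: the first matching line decides, and a packet that matches no line falls through to the zone-pair policy, which is assumed here to be ACCEPT for loc to net. Zone names, the net-side address and the probe packets are all constructed sample values. The run shows why the REJECT catch-all is what actually enforces the policy, and that the ACCEPT line as written matches TCP only, so udp/53 from 172.16.4.2 also lands on the REJECT line.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the two lines from the reply, as they would appear in
# /etc/shorewall/rules (assumption: zones "loc" and "net" are defined).
SAMPLE_RULES = """
# ACTION  SOURCE          DEST    PROTO   DEST PORT(S)
ACCEPT    loc:172.16.4.2  net     tcp     53
REJECT    loc:172.16.4.2  net     all
"""


@dataclass
class Rule:
    action: str
    src_zone: str
    src_net: Optional[ipaddress.IPv4Network]   # None = any address in the zone
    dst_zone: str
    dst_net: Optional[ipaddress.IPv4Network]
    proto: str                                 # "tcp", "udp" or "all"
    dports: Optional[Set[int]]                 # None = any destination port


def _parse_zone(field: str):
    """Split 'zone' or 'zone:addr' (host or CIDR); a bare zone matches any address."""
    zone, _, addr = field.partition(":")
    return zone, (ipaddress.ip_network(addr, strict=False) if addr else None)


def _parse_ports(field: str) -> Optional[Set[int]]:
    """Accept '53', '53,443', '1024:65535' or '-' (any port)."""
    if field == "-":
        return None
    ports: Set[int] = set()
    for part in field.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_rules(text: str) -> List[Rule]:
    """Parse whitespace-separated rules lines, ignoring comments and blanks."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        src_zone, src_net = _parse_zone(f[1])
        dst_zone, dst_net = _parse_zone(f[2])
        proto = f[3].lower() if len(f) > 3 else "all"
        dports = _parse_ports(f[4]) if len(f) > 4 else None
        rules.append(Rule(f[0].upper(), src_zone, src_net, dst_zone, dst_net, proto, dports))
    return rules


def decide(rules, src_zone, src_ip, dst_zone, dst_ip, proto, dport, policy="ACCEPT"):
    """Return the verdict for one packet: first matching rule wins, otherwise the
    zone-pair policy applies (assumption: loc->net policy is ACCEPT)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.src_zone != src_zone or r.dst_zone != dst_zone:
            continue
        if r.src_net is not None and s not in r.src_net:
            continue
        if r.dst_net is not None and d not in r.dst_net:
            continue
        if r.proto != "all" and r.proto != proto:
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action
    return policy


RULES = parse_rules(SAMPLE_RULES)


def demo():
    """Evaluate constructed packets from the loc zone toward a constructed net address."""
    probes = [
        ("172.16.4.2", "tcp", 53),  # the intended traffic: matches the ACCEPT line
        ("172.16.4.2", "tcp", 80),  # any other TCP port: falls to the REJECT catch-all
        ("172.16.4.2", "udp", 53),  # UDP is not matched by the tcp rule, so REJECT fires
        ("172.16.4.7", "tcp", 80),  # other hosts are untouched by these two lines
    ]
    return {(ip, proto, port): decide(RULES, "loc", ip, "net", "198.51.100.10", proto, port)
            for ip, proto, port in probes}


if __name__ == "__main__":
    for (ip, proto, port), verdict in demo().items():
        print(f"{ip:>12} {proto}/{port:<5} -> {verdict}")
```

The design point is the one made in the reply: with the NAT-only scheme, the non-port-53 packets would still be forwarded (with a private source address) and it is left to upstream routers to discard them, whereas here the second line makes the firewall itself return the verdict for every packet from that host.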
