teastep at shorewall.net
Thu Jul 3 23:20:33 PDT 2003
On Thu, 2003-07-03 at 15:16, Rodolfo Pilas wrote:
> El jue, 03 de 07 de 2003 a las 18:36, Tom Eastep escribió:
> > On Thu, 2003-07-03 at 14:34, Rodolfo Pilas wrote:
> > > I am migrating one of my old fw from ipchains to iptables/shorewall. Now
> > > I wish to configure a SNAT like this:
> > >
> > > ipchains -A forward -p tcp -s 172.16.4.2 -d 0/0 53 -j MASQ
> > >
> > > I have seen that the masq file enables me to do SNAT, but I wish to
> > > restrict it to the 53 port only.
> > >
> > > Can you tell me how to do it? Thank.
> > May I ask WHY you want SNAT only on tcp port 53?
> Because I do not wish the 172.16.4.2 can access another outside port.
Then use the appropriate Shorewall mechanisms to do that.
e.g. - in /etc/shorewall/rules:
ACCEPT loc:172.16.4.2 net tcp 53
REJECT loc:172.16.4.2 net all
That way your firewall enforces your policy -- with your scheme, you are making the internet backbone routers enforce your policy for you.
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep at shorewall.net
More information about the Shorewall-users