[Shorewall-users] routing thru shorewall
billd at emtex.com
Wed May 28 17:46:08 PDT 2003
Hmmm, the doc you point to below has a DMZ; I don't have a DMZ,
I have two interfaces... it looks like this.
22.214.171.124/26 -- 126.96.36.199[linux box]188.8.131.52
Normally 184.108.40.206 gets nat'd to 220.127.116.11... but
to selected hosts, I'd like to route it rather than nat.
So say there is a host, 18.104.22.168, and I need 22.214.171.124
to talk directly with it as 126.96.36.199... then I want to route
around the nat... Normally, the last script I used had to jump
to accept in the PREROUTING chain, so 188.8.131.52 can see
184.108.40.206 and ping it etc.... Is there a way to do this?
Thanks for your help.
Tom Eastep wrote:
> On Wed, 28 May 2003 13:47:51 +0100, Bill Dossett <billd at emtex.com> wrote:
>> On my network, I use real IP numbers for all of my
>> hosts. They all get nat'd at the gateway. I use
>> real IPs because sometimes someone needs to connect
>> directly to a host behind the firewall. With my old
>> firewall, I had a trusted-hosts file with trusted host
>> IP numbers in it. My hosts talking to external trusted
>> hosts would not have their IPs nat'd instead they were
>> routed and the external host was allowed thru the firewall.
>> How would I do this with shorewall? I've looked at tunnels
>> but I don't know what the tunnel type IP is, and it isn't
>> a real tunnel; I really want to route everything between
>> a host behind the firewall to a host outside the firewall
>> with no security between them... it's not like they are transmitting
>> any info of any use to anyone.
>> Also I am setting up VPNs... using freeswan and plain freeswan
>> does not like nat'd packets, so I also use the same technique
>> of poking a hole in the firewall and then running a vpn thru it.
>> I haven't fully tested the shorewall tunnel set up to do this,
>> but I really need to know how to make a hole in the firewall
>> first as I have to do this to some hosts... certainly at least
>> until they are ready to run ipsec on their endpoint anyway.
> Bill -- from the above description, I couldn't describe what problem you
> are trying to solve if my life depended on it.
> From what I understand though, I think you started with the wrong
> QuickStart Guide -- in your other posts concerning FTP, you mention that
> you used the standard two-interface sample yet you are talking about
> using "real IP numbers". In that case, you should be using the Shorewall
> Setup Guide (http://www.shorewall.net/shorewall_setup_guide.htm). Go
> through that and see if things don't become clearer for you; if they
> don't then give us the details of your network.
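What Bill is asking for (masquerade the internal network behind the gateway, but route rather than NAT traffic between the internal hosts and a few trusted external hosts), written out as an added example in plain iptables. This is not code from the thread or from Shorewall; the interface name, the addresses (documentation ranges) and the suggestion to keep it in /etc/shorewall/start are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall itself.
# Emits the iptables commands that masquerade an internal block of real
# addresses behind the gateway EXCEPT towards a list of trusted external
# hosts, which then see the internal hosts' real addresses. Interface names
# and addresses are hypothetical (documentation ranges), not the poster's.
set -eu

# nat_bypass_rules LAN_NET EXT_IF TRUSTED_HOST...
# ACCEPT in the nat table means "do not rewrite this connection". The nat
# table only sees a connection's first packet, so the decision sticks for
# the connection's lifetime. The exclusions are inserted (-I) at the head of
# POSTROUTING so they are evaluated before the MASQUERADE rule, whether that
# rule is appended here or already lives in a Shorewall-generated chain.
nat_bypass_rules() {
    lan=$1; ext=$2; shift 2
    for host in "$@"; do
        echo "iptables -t nat -I POSTROUTING -o $ext -s $lan -d $host -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $ext -s $lan -j MASQUERADE"
}

# trusted_forward_rules LAN_NET EXT_IF TRUSTED_HOST...
# Skipping NAT is not enough: the trusted host must also be allowed to open
# connections inbound to the real addresses, which a stateful default policy
# would otherwise drop. The rules are deliberately narrow: only the named
# host, only to and from the internal network.
trusted_forward_rules() {
    lan=$1; ext=$2; shift 2
    for host in "$@"; do
        echo "iptables -I FORWARD -i $ext -s $host -d $lan -j ACCEPT"
        echo "iptables -I FORWARD -o $ext -s $lan -d $host -j ACCEPT"
    done
}

# rules_for_host RULES HOST
# Sanity check: how many generated rules mention a host. Every trusted host
# should get one NAT exemption plus two forwarding allowances.
rules_for_host() {
    rules=$1; host=$2
    printf '%s\n' "$rules" | grep -c -- "$host" || true
}

EXT_IF="${EXT_IF:-eth0}"                         # assumed external interface
LAN_NET="${LAN_NET:-192.0.2.64/26}"              # assumed internal real-IP block
TRUSTED="${TRUSTED:-198.51.100.7 203.0.113.22}"  # assumed trusted external hosts

# Print the full set; pipe into sh (as root) to apply, or place it in
# /etc/shorewall/start so it is re-applied on every restart.
# shellcheck disable=SC2086  # word-splitting TRUSTED is intentional
nat_bypass_rules "$LAN_NET" "$EXT_IF" $TRUSTED
trusted_forward_rules "$LAN_NET" "$EXT_IF" $TRUSTED
```

Two caveats a practitioner would want. First, under Shorewall the filter-side allowance belongs in the `rules` file (`ACCEPT net:198.51.100.7 loc` and `ACCEPT loc net:198.51.100.7`) rather than as raw FORWARD inserts; only the nat-table exemption has no clean home there, which is why the script above targets /etc/shorewall/start. Second, anything not in a Shorewall extension script is gone after `shorewall restart`, so applying these by hand from a shell is a test, not a configuration.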