[Shorewall-users] routing thru shorewall

Bill Dossett billd at emtex.com
Wed May 28 17:46:08 PDT 2003


hmmm, the doc you point to below has a dmz, I don't have a dmz,
I have two interfaces... it looks like this.


   my network
193.243.232.0/26 -- 193.243.232.1[linux box]193.243.232.68 
--router--Internet

normally 193.243.232.0 gets nat'd to 193.243.232.68... but
to selected hosts, I'd like to route it rather than nat.

so say there is a host, 213.253.143.253  and I need 193.243.232.5
to talk directly with it as 193.243.232.5... then I want to route
around the nat... normally, the last script I used, had to jump
to acccept in the PREROUTING chain.    So 213.253.143.253 can see
193.243.232.5 and ping it etc.... Is there a way to do this
with shorewall?

Thanks for your help.

Bill


Tom Eastep wrote:
> On Wed, 28 May 2003 13:47:51 +0100, Bill Dossett <billd at emtex.com> wrote:
> 
>> Hi,
>>
>> On my network, I use real IP numbers for all of my
>> hosts.  They all get nat'd at the gateway.  I use
>> real IPs because sometimes someone needs to connect
>> directly to a host behind the firewall.  With my old
>> firewall, I had a trusted-hosts file with trusted host
>> IP numbers in it.  My hosts talking to external trusted
>> hosts would not have their IPs nat'd  instead they were
>> routed and the external host was allowed thru the firewall.
>>
>> How would I do this with shorewall?  I've looked at tunnels
>> but I don't know what the tunnel type IP is?  but it isn't
>> a real tunnel, I really want to route everything between
>> a host behind the firewall to a host outside the firewall
>> with no security between them... it's not like they are transmitting
>> any info of any use to anyone.
>>
>> Also I am setting up VPNs... using freeswan and plain freeswan
>> does not like nat'd packets, so I also use the same technique
>> of poking a whole in the firewall and then running a vpn thru it.
>> I haven't fully tested the shorewall tunnel set up to do this,
>> but I really need to know how to make a hole in the firewall
>> first as I have to do this to some hosts... certainly at least
>> until they are ready to run ipsec on their endpoint anyway.
>>
> 
> Bill -- from the above description, I couldn't describe what problem you 
> are trying to solve if my life depended on it.
> 
>> From what I understand though, I think you started with the wrong 
> 
> QuickStart Guide -- in your other posts concerning FTP, you mention that 
> you used the standard two-interface sample yet you are talking about 
> using "real IP numbers". In that case, you should be using the Shorewall 
> Setup Guide (http://www.shorewall.net/shorewall_setup_guide.htm). Go 
> through that and see if things don't become clearer for you; if they 
> don't then give us the details of your network.
> 
> -Tom




More information about the Shorewall-users mailing list