shorewall-users January 2012 archive

Re: [Shorewall-users] one-to-one nat and internal hosts communicating through external public IP

From: Tom Eastep <teastep_at_nospam>
Date: Fri Jan 13 2012 - 00:11:22 GMT
To: Shorewall Users <>

On Thu, 2012-01-12 at 14:46 -0800, Tom Eastep wrote:

> >
> > According to FAQ 2a, with these settings I should also set a masq (
> > eth1 eth1 ) to allow servers to use the public IP to connect to
> > each other, meaning that all loc->loc traffic appears to originate on
> > the firewall, from the IP, and not from the public IP of the
> > real originating server... it's precisely what I would like to avoid
> > and the reason why I've set two explicit NAT rules...
> >
> > It's also confirmed by the page:
> > Specifying “Yes” in this column will not by itself allow systems on
> > the lower LAN to access each other using their public IP addresses.
> >
> You are correct. I'll add your method to the FAQ; thanks for the tip.
> You are correct. I'll add your method to the FAQ; thanks for the tip.

I've taken another look at this and I was correct and the FAQ is
wrong :-(.

Here is the critical part of the difference between the two methods
(both compiled with OPTIMIZE=31):

--A PREROUTING -d -j DNAT --to-destination
--A PREROUTING -d -j DNAT --to-destination
--A POSTROUTING -s -j SNAT --to-source
--A POSTROUTING -s -j SNAT --to-source
+:~comb0 - [0:0]
+:~comb1 - [0:0]
+-A PREROUTING -i eth0 -j ~comb0
+-A PREROUTING -i eth1 -j ~comb0
+-A POSTROUTING -o eth0 -j ~comb1
+-A POSTROUTING -o eth1 -j ~comb1
+-A ~comb0 -d -j DNAT --to-destination
+-A ~comb0 -d -j DNAT --to-destination
+-A ~comb1 -s -j SNAT --to-source
+-A ~comb1 -s -j SNAT --to-source
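Review bot: the equivalence of the two halves rests on eth0 and eth1 being the firewall's only interfaces: the `-` rules in PREROUTING and POSTROUTING carry no `-i`/`-o` match and so translate on every interface, whereas the `+` rules reach `~comb0`/`~comb1` only through `-i eth0`/`-i eth1` and `-o eth0`/`-o eth1`, so a packet arriving or leaving on any other interface would be DNATed/SNATed by the first ruleset but not by the second. Separately, every `-d`/`-s` match and every `--to-destination`/`--to-source` target in this copy has lost its address operand; as shown, none of these lines would load, so the addresses need restoring before the two rulesets can be compared or re-tested.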

These two rulesets are equivalent, but the optimizer does a slightly
better job with my way than with yours.

I'll correct the FAQ.

