Re: [Shorewall-users] Re: Shorewall-users Digest, Vol 31, Issue 48

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Sunday 26 June 2005 05:02, Derek Vincent wrote:
> On Friday 24 June 2005 20:57, Derek Vincent wrote:
> >>Hello all,
> >>
> >>I have shorewall setup with 3 SNAT entries for external IP address's to
> >>a single IP internal address. I am wondering how to limit access based
> >>on the source IP address.
> >>ex.
> >> EXT IP 1 access only to port 25
> >> EXT IP 2 access only to port 443
> >> EXT IP 3 access only to port 80
> >>
> >>I have the SNAT setup correctly and I have 3 accept line in the rules
> >>file (25,80,443) but I can hit all the services from all 3 external IP
> >>address (as expected).
> >>
> >>I though about using DNAT instead of ACCEPT but I am not sure if you can
> >>or are supposed to mix the DNAT and SNAT.
> >
> >Hi Derek,
> >
> >I can only guess, because I don't really understand the way you
> > implemented the SNAT (MASQ?)/Accept combination.
> >
> >But I think the correct way would be DNAT. Something like this in the
> > rules file:
> >
> >DNAT net:$EXT_IP1 loc:$INT_IP:PORT PROTO PORTS ORIG_DEST
> >
> >e.g.:
> >DNAT net:212.185.120.194 dmz:192.168.40.2 tcp http,https - =20
> > 194.231.186.177
> >
> >See the examples on top of the rules file and read FAQ30
> >http://www.shorewall.net/FAQ.htm#faq30
> >
> >HTH,
> >Alex
>
> Apologies, I am not using SNAT for this.
>
> What I have setup is just entries in the NAT table and the ACCEPTS in
> the rule file.
>
> snipit from NAT file:
> ## .132 =3D=3D webmail.clockwork.ca
> 207.35.34.132   eth0:0          192.168.111.17  no                      no
> ## .134 =3D=3D mail.clockwork.ca
> 207.35.34.134   eth0:2          192.168.111.17  no                      no
> ## .135 =3D=3D exposed.clockwork.ca (www)
> 207.35.34.135   eth0:3          192.168.111.17  no                      no
>
> And the following are the ACCEPT entries from RULES:
> ACCEPT  net             loc:192.168.111.17      tcp     443     -
> ACCEPT  net             loc:192.168.111.17      tcp     25      -
> ACCEPT  net             loc:192.168.111.17      tcp     80      -
>
> So what I am looking for is a way to control access to specific ports
> based on the external nated address.

Then your access rule should be something like this (Orig Destination colum=
n):

ACCEPT =A0net =A0 =A0 =A0 =A0 =A0 =A0 loc:192.168.111.17 =A0 =A0 =A0tcp =A0=
 =A0 80 =A0 =A0 =A0207.35.34.135

I haven't used one-to-one NAT by myself yet, so I'm not 100% sure.=20

Just a hint:
I would have used proxy-arp instead of one-to-one NAT for this kind of setu=
p.

HTH,
Alex