On 07/10/2018 12:32 PM, Naveen Neelakanta wrote:

> Hi All,
>
> How can I achieve the below zone-based connection tracking using
> Shorewall, so that a new connection entry gets created when the traffic
> is routed to another internet interface?
>
> These are the manually added commands:
>
> iptables -A PREROUTING -i eth3 -j CT --zone 1 -t raw
> iptables -A OUTPUT -o eth3 -j CT --zone 1 -t raw
>
> cat /proc/net/nf_conntrack | grep zone= | grep 192.168.103.1 | grep 192.168.55.1
> ipv4 2 icmp 1 29 src=192.168.55.1 dst=192.168.103.1 type=8 code=0 id=4391 src=192.168.103.1 dst=192.168.103.2 type=0 code=0 id=4391 mark=0 zone=1
>
> I have the existing zones configured below.
>
> # cat /etc/shorewall/zones
> #ZONE   TYPE      OPTIONS   IN        OUT
> #                           OPTIONS   OPTIONS
> fw      firewall
> lan     ipv4
> vpn     ipsec
> inet    ipv4
>
> # cat /etc/shorewall/interfaces
> #ZONE   INTERFACE   OPTIONS
> lan     eth4        detect   tcpflags,nosmurfs,logmartians
> inet    eth5        detect   tcpflags,nosmurfs,logmartians
> inet    eth3        detect   tcpflags,nosmurfs,logmartians
> lan     eth0        detect   tcpflags,nosmurfs,logmartians
In /etc/shorewall/conntrack:

IPTABLES(CT --zone 1)      eth3         -
IPTABLES(CT --zone 1):O    0.0.0.0/0    eth3    -

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
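As an added example (not part of the thread, nor Shorewall's own code), the check the original poster ran by hand with grep can be done with a small parser for /proc/net/nf_conntrack: it splits each entry into its original and reply tuples and reports which entries actually carry the zone the CT rules are supposed to assign. The sample lines are constructed, modelled on the ICMP entry quoted above.

```python
"""Parse /proc/net/nf_conntrack output and check which entries carry a conntrack zone."""
from typing import Dict, List

# Constructed sample lines, modelled on the entry quoted in the thread (not live data).
SAMPLE = """\
ipv4 2 icmp 1 29 src=192.168.55.1 dst=192.168.103.1 type=8 code=0 id=4391 src=192.168.103.1 dst=192.168.103.2 type=0 code=0 id=4391 mark=0 zone=1
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.55.20 dst=203.0.113.10 sport=51514 dport=443 src=203.0.113.10 dst=192.168.103.2 sport=443 dport=51514 [ASSURED] mark=0 zone=1
ipv4 2 udp 17 29 src=192.168.55.20 dst=192.168.55.1 sport=40000 dport=53 src=192.168.55.1 dst=192.168.55.20 sport=53 dport=40000 mark=0 use=1
"""

TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}


def parse_entry(line: str) -> Dict:
    """Split one nf_conntrack line into header fields, the two flow tuples and the zone."""
    tokens = line.split()
    entry = {"l3": tokens[0], "l4": tokens[2], "timeout": int(tokens[4]),
             "state": None, "flags": [], "orig": {}, "reply": {}, "zone": 0}
    side = "orig"
    for tok in tokens[5:]:
        if tok.startswith("["):                  # e.g. [ASSURED], [UNREPLIED]
            entry["flags"].append(tok.strip("[]"))
        elif "=" not in tok:                     # protocol state, e.g. ESTABLISHED
            entry["state"] = tok
        else:
            key, val = tok.split("=", 1)
            if key in TUPLE_KEYS:
                if key == "src" and "src" in entry[side]:
                    side = "reply"               # second tuple is the reply direction
                entry[side][key] = val
            elif key == "zone":
                entry["zone"] = int(val)         # entries without zone= are in zone 0
            else:
                entry[key] = val                 # mark, use, secctx, ...
    return entry


def entries_in_zone(text: str, zone: int) -> List[Dict]:
    """Return parsed entries that were tracked in the given conntrack zone."""
    return [e for e in (parse_entry(l) for l in text.splitlines() if l.strip())
            if e["zone"] == zone]


def matching_flows(text: str, zone: int, *addrs: str) -> List[Dict]:
    """Equivalent of the thread's grep pipeline: zone entries mentioning every address given."""
    out = []
    for e in entries_in_zone(text, zone):
        seen = {e[s][k] for s in ("orig", "reply") for k in ("src", "dst") if k in e[s]}
        if set(addrs) <= seen:
            out.append(e)
    return out
```

On a live box, replace SAMPLE with the contents of /proc/net/nf_conntrack after the conntrack rules above are loaded; an entry for eth3 traffic that still shows zone 0 means the CT rule did not match it.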
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users