Thanks Tom, after making the below changes SNAT and DNAT worked for the outgoing traffic.

Because this is done in PREROUTING:
DNAT lan:0.0.0.0/0 inet:2.2.2.2 0 - - 1.1.1.1

Because this is done in POSTROUTING:
SNAT(10.24.19.235) 192.168.7.50/32 eth2:2.2.2.2/32 0

# tcpdump -ni eth2 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
22:34:22.109730 IP 10.24.19.235 > 2.2.2.2: ICMP echo request, id 29783, seq 1, length 64

So, I need to get which direction the rules have to be applied in order to configure the zone; maybe I can't take just the generic IP address rules.

Thanks,
Naveen

On Mon, Jan 14, 2019 at 2:35 PM Tom Eastep <teas...@shorewall.net> wrote:

> On 1/14/19 12:56 PM, Naveen Neelakanta wrote:
> > Hi All,
> >
> > Is it possible to just configure the Source NAT and Destination NAT
> > rules without giving any zone information or interface information and
> > just configure IP addresses?
> >
> > Also see that if DNAT rules are configured, SNAT rules in the snat file are
> > being skipped; however, the masquerade is happening with the interface
> > IP, but I want to change the source IP from a NAT pool that is configured.
> >
>
> When DNAT is applied on an incoming flow, SNAT rules are ignored because
> the response packet's source IP *must be* the destination IP in the
> incoming packet.
>
> > snat file:
> > SNAT(10.24.19.235) 192.168.7.50/32 eth2:1.1.1.1/32
> > rules file:
> > DNAT lan inet:2.2.2.2 0 - - 1.1.1.1
> >
> > When I get the rule, I am not sure which zone it belongs to; I just get
> > the IP address and interface name.
>
> I don't understand why you cannot determine the zone. The zone *must* be
> known for Shorewall to generate the companion ACCEPT rule (remember that
> Shorewall DNAT rules generate two ip[6]tables rules: a DNAT rule in the
> nat table and an ACCEPT rule in the filter table).
>
> -Tom
> --
> Tom Eastep           \   Q: What do you get when you cross a mobster with
> Shoreline,            \     an international standard?
> Washington, USA        \ A: Someone who makes you an offer you can't
> http://shorewall.org    \   understand
>                          \_______________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
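
An added example, not part of the original thread and not Shorewall or kernel code: a toy Python model of connection tracking, using the addresses from this thread, that shows the NAT rules being consulted only for the first packet of a flow while the reply is rewritten from the stored mapping. The `Pkt` and `Conntrack` names are hypothetical, and the model assumes the client 192.168.7.50 pings 1.1.1.1.

```python
# Toy model of connection tracking (illustration only; names are hypothetical).
# NAT rules are evaluated once, for the first packet of a flow. Later packets
# and replies are rewritten from the stored entry, not by re-walking the rules.
from typing import Dict, NamedTuple


class Pkt(NamedTuple):
    src: str
    dst: str


# Addresses taken from the thread (assumed flow: 192.168.7.50 pings 1.1.1.1).
DNAT_RULES = {"1.1.1.1": "2.2.2.2"}            # PREROUTING: original dst -> new dst
SNAT_RULES = {"192.168.7.50": "10.24.19.235"}  # POSTROUTING: original src -> new src


class Conntrack:
    def __init__(self) -> None:
        self.flows: Dict[Pkt, Pkt] = {}  # packet as received -> packet as sent on
        self.rule_lookups = 0            # times the NAT rules were consulted

    def forward(self, pkt: Pkt) -> Pkt:
        """Return the packet as it leaves the firewall."""
        if pkt in self.flows:
            # Known flow (either direction): apply the stored translation.
            return self.flows[pkt]
        # First packet of a new flow: this is the only time rules are matched.
        self.rule_lookups += 1
        out = Pkt(src=SNAT_RULES.get(pkt.src, pkt.src),
                  dst=DNAT_RULES.get(pkt.dst, pkt.dst))
        # Store both directions. The reply to `out` must be mapped back so the
        # client sees an answer from the address it originally contacted.
        self.flows[pkt] = out
        self.flows[Pkt(src=out.dst, dst=out.src)] = Pkt(src=pkt.dst, dst=pkt.src)
        return out


def demo():
    ct = Conntrack()
    request = ct.forward(Pkt("192.168.7.50", "1.1.1.1"))  # matches the tcpdump line
    reply = ct.forward(Pkt("2.2.2.2", "10.24.19.235"))    # reverse-translated
    return request, reply, ct.rule_lookups


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A flow whose first packet arrives from 2.2.2.2 matches neither rule in this model and passes untranslated, which is why the direction of the first packet decides which zone pair a rule belongs to.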