From 2859b1aa6eca5a5b464825ce0ff33a5dbe25d664 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 19 May 2014 14:18:25 -0700 Subject: [PATCH] Add bridge instructions to Shorewall FAQ 2 Signed-off-by: Tom Eastep --- docs/FAQ.xml | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/docs/FAQ.xml b/docs/FAQ.xml index 101d7ac19..4858fb016 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -746,6 +746,12 @@ DNAT loc loc:192.168.1.5 tcp www - + + If your local interface is a bridge, see FAQ 2e for additional configuration + steps. + + For optional interfaces, use the function find_first_interface_address_if_any() @@ -915,6 +921,58 @@ DNAT loc dmz:192.168.2.4 tcp 80 - /etc/shorewall/nat. + +
+ (FAQ 2e) I have the situation in FAQ 2 but my local interface + is a bridge and the solution in FAQ 2 doesn't work + + Answer: Assume that the bridge + is br0 and that eth1 is the bridge port that connects to the LAN + containing 192.168.1.5 + + In addition to the steps in FAQ 2, you also need to: + + + + Set the hairpin option on + eth1. + + brctl hairpin br0 eth1 on + + On Debian and derivitives, you can place that command in + /etc/network/interfaces as a post-up command: + + auto br0 +iface br0 inet static + bridge_ports eth1 + bridge_fd 0 + bridge_maxwait 0 + address 192.168.1.1 + netmask 255.255.255.0 + post-up /sbin/brctl hairpin br0 eth1 on + + + + Install ebtables if it is not already installed. + + + + Be sure that all traffic going out of eth1 has the correct + MAC address. + + ebtables -t nat -A POSTROUTING -o eth1 -j snat --to-source br0-MAC-address + + where br0-MAC-address is the MAC address of br0. + + Here's a working example of /etc/shorewall/start that + executes the above command. + + if [ $(ebtables -t nat -L POSTROUTING | wc -l) -lt 4 ]; then + ebtables -t nat -A POSTROUTING -o eth1 -j snat --to-source 0:19:21:d0:61:65 +fi + + +
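Review bot: in the first hunk (the FAQ 2 answer, around line 746) the new sentence refers to "FAQ 2e" by name only, although the target section is added by this same patch; a link or cross-reference to the new section would let readers navigate to it directly and would not go stale if the FAQ sub-letters are ever renumbered.

Review bot: the `/etc/shorewall/start` example in the second hunk (the new FAQ 2e section) hard-codes a MAC address (`0:19:21:d0:61:65`) that only matches the author's machine, yet the surrounding text calls it a "working example" without saying that the value must be replaced with the reader's own br0 address; either state that explicitly or read the address at run time, e.g. `--to-source $(cat /sys/class/net/br0/address)`, so the snippet works unchanged. The guard `[ $(ebtables -t nat -L POSTROUTING | wc -l) -lt 4 ]` is also fragile: it keys on the line count of the chain listing rather than on the rule itself, so any unrelated POSTROUTING rule suppresses the insert while a stale rule with a different MAC is silently kept; testing for the rule (e.g. `ebtables -t nat -L POSTROUTING | grep -q snat`) is more robust. Two smaller points: the `-o eth1 -j snat` rule rewrites the source MAC of every frame leaving eth1, which is fine for the single-port bridge shown (`bridge_ports eth1`) but should be called out as an assumption for bridges with more than one port; and "derivitives" should read "derivatives", and the "Answer:" sentence ending in "containing 192.168.1.5" is missing its full stop.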