forked from extern/shorewall_code
Add bridge instructions to Shorewall FAQ 2
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
6d3b1d80d4
commit
2859b1aa6e
58
docs/FAQ.xml
58
docs/FAQ.xml
@ -746,6 +746,12 @@ DNAT loc loc:192.168.1.5 tcp www - <emph
|
|||||||
DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each
|
DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each
|
||||||
time that you get a new IP address.</para>
|
time that you get a new IP address.</para>
|
||||||
|
|
||||||
|
<note>
|
||||||
|
<para>If your local interface is a bridge, see <link
|
||||||
|
linkend="faq2e">FAQ 2e</link> for additional configuration
|
||||||
|
steps.</para>
|
||||||
|
</note>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>For optional interfaces, use the function <emphasis
|
<para>For optional interfaces, use the function <emphasis
|
||||||
role="bold">find_first_interface_address_if_any()</emphasis>
|
role="bold">find_first_interface_address_if_any()</emphasis>
|
||||||
@ -915,6 +921,58 @@ DNAT loc dmz:192.168.2.4 tcp 80 - <emph
|
|||||||
INTERFACES column of each entry in <ulink
|
INTERFACES column of each entry in <ulink
|
||||||
url="manpages/shorewall-nat.html">/etc/shorewall/nat</ulink>.</para>
|
url="manpages/shorewall-nat.html">/etc/shorewall/nat</ulink>.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section id="faq2e">
|
||||||
|
<title>(FAQ 2e) I have the situation in FAQ 2 but my local interface
|
||||||
|
is a bridge and the solution in FAQ 2 doesn't work</title>
|
||||||
|
|
||||||
|
<para><emphasis role="bold">Answer</emphasis>: Assume that the bridge
|
||||||
|
is br0 and that eth1 is the bridge port that connects to the LAN
|
||||||
|
containing 192.168.1.5</para>
|
||||||
|
|
||||||
|
<para>In addition to the steps in FAQ 2, you also need to:</para>
|
||||||
|
|
||||||
|
<orderedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>Set the <firstterm>hairpin</firstterm> option on
|
||||||
|
eth1.</para>
|
||||||
|
|
||||||
|
<programlisting>brctl hairpin br0 eth1 on</programlisting>
|
||||||
|
|
||||||
|
<para>On Debian and derivitives, you can place that command in
|
||||||
|
/etc/network/interfaces as a post-up command:</para>
|
||||||
|
|
||||||
|
<programlisting>auto br0
|
||||||
|
iface br0 inet static
|
||||||
|
bridge_ports eth1
|
||||||
|
bridge_fd 0
|
||||||
|
bridge_maxwait 0
|
||||||
|
address 192.168.1.1
|
||||||
|
netmask 255.255.255.0
|
||||||
|
<emphasis role="bold">post-up /sbin/brctl hairpin br0 eth1 on</emphasis></programlisting>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Install ebtables if it is not already installed.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Be sure that all traffic going out of eth1 has the correct
|
||||||
|
MAC address.</para>
|
||||||
|
|
||||||
|
<programlisting>ebtables -t nat -A POSTROUTING -o eth1 -j snat --to-source <emphasis>br0-MAC-address</emphasis> </programlisting>
|
||||||
|
|
||||||
|
<para>where br0-MAC-address is the MAC address of br0.</para>
|
||||||
|
|
||||||
|
<para>Here's a working example of /etc/shorewall/start that
|
||||||
|
executes the above command.</para>
|
||||||
|
|
||||||
|
<programlisting>if [ $(ebtables -t nat -L POSTROUTING | wc -l) -lt 4 ]; then
|
||||||
|
<emphasis role="bold">ebtables -t nat -A POSTROUTING -o eth1 -j snat --to-source 0:19:21:d0:61:65</emphasis>
|
||||||
|
fi</programlisting>
|
||||||
|
</listitem>
|
||||||
|
</orderedlist>
|
||||||
|
</section>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user