I sure hope you can help. Here's the situation: I'm using Debian, and running shorewall, and I need to figure out what is going wrong. I know it has something to do with the routing. I've set up this box as a dhcp server, and that is working great; all the clients on the local interface receive their IP addresses fine. But it's just not being routed past the Debian box. Everything stops dead at the router, including trying to ssh into the router from the local subnet. From the console, I can ping out just fine (well, when I enable both the NICs for the net side, things break, but that's not as important).

I'm sorry if this seems sporadic, but I have a lot of info to explain. I'll start from the beginning. I am trying to set up a Debian machine with 3 Ethernet adapters as a router for two different ISPs and load balance those for a local subnet, which it is also setting up. I don't even know if I have the one-to-one NAT set up correctly, but according to the documentation on shorewall.net, I do, but as I said, that's the step after this one. Currently, dhcp is working (which I know has nothing to do with you guys), but the Debian box isn't routing anything.

My first question is this: do the SNAT and DNAT entries in the shorewall config files do what's necessary elsewhere in the system to make the routing from the local subnet to the Internet work? If it does, then I must have my config files done wrong, but I get no errors on shorewall's startup. If it doesn't, can anyone point me in the right direction?

~Jonathan Gnagy

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
Jonathan Gnagy wrote:
> My first question is this: do the SNAT and DNAT entries in the shorewall
> config files do what's necessary elsewhere in the system to make the
> routing from the local subnet to the Internet work? If it does, then I
> must have my config files done wrong, but I get no errors on shorewall's
> startup. If it doesn't, can anyone point me in the right direction?

Jonathan,

The first thing you need to do is re-read http://www.shorewall.net/support.htm and submit a proper problem report.

And while you are waiting for our response, here are a couple of things you need to look at:

a) The Shorewall .deb does not enable IP forwarding by default. You need to set IP_FORWARDING=Yes in shorewall.conf. This is made clear in the QuickStart Guides but you may have missed it.

b) I recommend that you [re-]read http://www.shorewall.net/Shorewall_and_Routing.html to fully understand the relationship between Shorewall configuration and routing. It will also point the way to getting your multiple ISP connections working.

c) If you "shorewall clear", can you then SSH from the local net to the firewall?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
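The check behind point (a), as an added example that is not code from the thread or from the Shorewall project: a POSIX shell script that reads the IP_FORWARDING setting out of a shorewall.conf and compares it with the kernel's live forwarding state, so "Shorewall was never told to enable forwarding" can be told apart from "the config is right but forwarding is still off". It assumes shorewall.conf uses KEY=VALUE lines, that IP_FORWARDING takes Yes/No/Keep (On/Off as synonyms), and that Linux exposes the live state in /proc/sys/net/ipv4/ip_forward; the sample config files are constructed here for illustration, and the function and file names are mine.

```shell
#!/bin/sh
# Added example, not from the shorewall-users thread or the Shorewall project.
# Assumptions: shorewall.conf is KEY=VALUE, IP_FORWARDING accepts Yes/No/Keep
# (On/Off as synonyms), and the kernel state lives in /proc/sys/net/ipv4/ip_forward.

# Print the effective IP_FORWARDING value from a shorewall.conf file:
# Yes, No, Keep, Unset (no active assignment) or Invalid(<value>).
shorewall_ip_forwarding() {
    conf=$1
    # Last uncommented assignment wins; drop trailing comments, quotes and blanks.
    val=$(sed -n 's/^[[:space:]]*IP_FORWARDING=\([^#]*\).*/\1/p' "$conf" \
          | tail -n 1 | tr -d "'\" " | tr '[:lower:]' '[:upper:]')
    case $val in
        "")      echo Unset ;;
        YES|ON)  echo Yes ;;
        NO|OFF)  echo No ;;
        KEEP)    echo Keep ;;
        *)       echo "Invalid($val)" ;;
    esac
}

# Print the kernel's live forwarding state: 1, 0, or unknown (not Linux / unreadable).
kernel_ip_forward() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo unknown; fi
}

# One-line verdict from config plus kernel state.  $2 overrides the kernel read
# so known states can be fed in (used for the constructed cases below).
forwarding_verdict() {
    setting=$(shorewall_ip_forwarding "$1")
    live=${2:-$(kernel_ip_forward)}
    case "$setting:$live" in
        Yes:1)        echo "ok: IP_FORWARDING=Yes and the kernel is forwarding" ;;
        Yes:unknown)  echo "config ok; kernel state could not be read on this host" ;;
        Yes:*)        echo "config ok, kernel not forwarding: restart shorewall, then re-check /proc/sys/net/ipv4/ip_forward" ;;
        Keep:1)       echo "ok: Shorewall leaves forwarding alone and it is already on" ;;
        Keep:*)       echo "IP_FORWARDING=Keep but the kernel is not forwarding: enable it outside Shorewall (sysctl)" ;;
        No:*|Unset:*) echo "not enabled by Shorewall (IP_FORWARDING is $setting): set IP_FORWARDING=Yes in shorewall.conf and restart" ;;
        *)            echo "check shorewall.conf: IP_FORWARDING is $setting" ;;
    esac
}

# Constructed sample configs covering the situation in the thread.
work=$(mktemp -d)
printf 'LOGFILE=/var/log/messages\nIP_FORWARDING=No\n'                   > "$work/debian-default.conf"
printf 'LOGFILE=/var/log/messages\nIP_FORWARDING=Yes   # fix from thread\n' > "$work/fixed.conf"
printf 'LOGFILE=/var/log/messages\n# IP_FORWARDING=Yes\n'                 > "$work/commented-out.conf"

# Show all three against a kernel that is currently not forwarding (state 0).
for c in debian-default fixed commented-out; do
    printf '%s: %s\n' "$c" "$(forwarding_verdict "$work/$c.conf" 0)"
done
```

On the real box, run it without the second argument so `forwarding_verdict /etc/shorewall/shorewall.conf` reads the live kernel state; the "config ok, kernel not forwarding" branch is the one to expect if the .conf was edited but Shorewall has not been restarted since.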
Tom Eastep wrote:
> Jonathan,
>
> The first thing you need to do is re-read
> http://www.shorewall.net/support.htm and submit a proper problem report.
>
> And while you are waiting for our response, here are a couple of things
> you need to look at:
>
> a) The Shorewall .deb does not enable IP forwarding by default. You need
> to set IP_FORWARDING=Yes in shorewall.conf. This is made clear in the
> QuickStart Guides but you may have missed it.

I apologize for the irregularity of my question. That said, it looked like the simplest fix is the right one here. Your first point about 'IP_FORWARDING=Yes' not being enabled in Debian by default was the right one. Now routing to the Internet FROM the LAN connection is working and is being load-balanced properly.

The only problem I am having now is using One-to-One NAT. I wish there was a more concise guide to setting up One-to-One NAT in shorewall, because the guide in the docs is not very helpful. I know what I want to achieve, but I'm not sure how to do it. That may end up being another email though.

But I just wanted to say thank you for the informative and helpful response to my question. You guys seem to have great support!

~Jonathan Gnagy
> The only problem I am having now is using One-to-One NAT. I wish there
> was a more concise guide to setting up One-to-One NAT in shorewall,
> because the guide in the docs is not very helpful. I know what I want to
> achieve, but I'm not sure how to do it.

Have you looked at the Shorewall Setup Guide (http://www.shorewall.net/shorewall_setup_guide.htm)? It contains a practical example of using one-to-one NAT.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key