Hi

I wonder if you can help... I have set up shorewall (2.2.3) under debian on a machine that has 4 network ports... The idea is that there is 1 WAN port, 1 DMZ port, and 2 LAN ports. 1 LAN port has static NAT set up for selected incoming connections from trusted sources, and the second LAN port I am trying to set up using masq NAT as it only requires outgoing connections, no incoming.

The static NAT stuff I have working fine, but the problem is with the masq stuff... I can see from the logs that from a machine on LAN2, if I try and access say www.cisco.com, then the firewall allows the connection out, but the site is never brought up in the browser and there is no internet connectivity from LAN2.

I have included the status.txt file as requested; anyone with any helpful advice, it would be greatly appreciated.

Thanks
Andrew
On Monday 21 November 2005 00:11, Andrew Roden wrote:

> The static NAT stuff I have working fine, but the problem is with the masq
> stuff... I can see from the logs that from a machine on LAN2, if I try and
> access say www.cisco.com, then the firewall allows the connection out, but
> the site is never brought up in the browser and there is no internet
> connectivity from LAN2.

Your masquerading/snat setup is unfathomable. You appear to have this in /etc/shorewall/masq:

#INTERFACE   SUBNET                ADDRESS            PROTO   PORT(S)   IPSEC
eth1         212.188.139.160/27    192.168.0.1
eth2         192.168.1.0/24        212.188.139.190

The first entry says that traffic from 212.188.139.160/27 being sent out of eth1 should have its source IP rewritten to 192.168.0.1. The second entry indicates that traffic from 192.168.1.0/24 being sent out of eth2 should have its source IP address rewritten to 212.188.139.190.

Given that in both cases the SUBNET is the network associated with the INTERFACE, neither rule makes sense unless you are trying to deal with a 'routeback' situation (Shorewall FAQ 2).

I'm clueless about what you are trying to accomplish with the first entry; it would at least do *something* if it were rewritten as:

eth0         212.188.139.160/27    192.168.0.1

That would cause traffic from 212.188.139.160/27 being sent out of eth0 to have its source IP address rewritten to 192.168.0.1 -- I don't understand why that should be necessary though.
The second entry would correct your lan2 internet access problem if it were changed to:

eth1         192.168.1.0/24        212.188.139.190

----

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
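A small consistency checker for the mistake Tom points out, added here as an example and not part of the thread or of Shorewall itself: it reads the INTERFACE, SUBNET and ADDRESS columns of a masq file and warns when the SUBNET is the outgoing interface's own network (only sensible for routeback) or when the ADDRESS is not on that interface. The interface addressing is an assumption inferred from the thread (eth1 is the WAN with the public /27, eth0 and eth2 the two LANs; the DMZ interface is left out).

```python
import ipaddress

# Interface addressing inferred from the thread; these values are assumptions
# for the example, not the poster's actual configuration.
IFACES = {
    "eth0": ipaddress.ip_interface("192.168.0.1/24"),       # LAN1
    "eth1": ipaddress.ip_interface("212.188.139.161/27"),   # WAN
    "eth2": ipaddress.ip_interface("192.168.1.1/24"),       # LAN2
}

def parse_masq(text):
    """Parse INTERFACE, SUBNET and ADDRESS from a Shorewall masq file.
    Comment and blank lines are skipped; PROTO, PORT(S), IPSEC are ignored."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 3:
            raise ValueError(f"need INTERFACE SUBNET ADDRESS: {body!r}")
        entries.append((fields[0],
                        ipaddress.ip_network(fields[1], strict=False),
                        ipaddress.ip_address(fields[2])))
    return entries

def check_entry(iface, subnet, address, ifaces=IFACES):
    """Return warnings for one masq entry; empty list if it looks consistent."""
    out = ifaces.get(iface)
    if out is None:
        return [f"{iface}: not a known interface"]
    warnings = []
    if subnet == out.network:
        warnings.append(f"{iface}: SUBNET {subnet} is {iface}'s own network; "
                        "only meaningful for routeback (Shorewall FAQ 2)")
    if address not in out.network:
        warnings.append(f"{iface}: ADDRESS {address} is not on {iface} "
                        f"({out.network}); replies to it are routed elsewhere")
    return warnings

def check_masq(text, ifaces=IFACES):
    """Map entry index -> warnings for every entry that has any."""
    result = {}
    for i, entry in enumerate(parse_masq(text)):
        warnings = check_entry(*entry, ifaces=ifaces)
        if warnings:
            result[i] = warnings
    return result

# The two entries quoted in the thread, and Tom's corrected second entry.
ORIGINAL = "#INTERFACE SUBNET ADDRESS\neth1 212.188.139.160/27 192.168.0.1\neth2 192.168.1.0/24 212.188.139.190\n"
CORRECTED = "eth1 192.168.1.0/24 212.188.139.190\n"

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, check_masq(cfg) or "ok")
```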
Tom

Thanks for the response... I finally figured it out after a bit of sleep... 32 hours straight was taking its toll way too much... The problem was indeed that for LAN2 I had applied the entry to interface eth2 instead of eth1, but thanks for the response...

Andrew

On 11/21/05, Tom Eastep <teastep@shorewall.net> wrote:
> The second entry would correct your lan2 internet access problem if it were
> changed to:
>
> eth1         192.168.1.0/24        212.188.139.190