Sorry guys if this has made it before to the list, I just subscribed.

Here is my situation:

ISP Gateway: 111.111.111.253
My gateway : 111.111.111.254

subnets routed from ISP to 111.111.111.254: 222.222.222.144/29, 333.333.333.192/27 and 444.444.444.128/26

I have three internal networks that I don't want to see each other, but I want a way of seeing them all: 192.168.3.0/24, 192.168.4.0/24 and 192.168.253.0/24

All these internal networks are running either web, mail or other kinds of services that need to have one-to-one NAT with a public address.

Now I'm running as follows:

first linux box:
eth0: 111.111.111.254
eth1: 222.222.222.145, 333.333.333.193 and 444.444.444.129
no protection at all, don't know how to do it

second linux box:
eth0: all the above public IP addresses
eth1: 192.168.3.1, 192.168.4.1, 192.168.253.1
shorewall is doing all the natting and dnatting, etc.

This setup is working fine except that I am not able to protect the first box.

The question is: Is there a way in the shorewall setup to do it all with one box, or if not, how do I protect the first box and keep the traffic flowing?

Thanks in advance for any advice.

Ibrahim Hamouda
Ibrahim Hamouda wrote:
> Here is my situation:
>
> ISP Gateway: 111.111.111.253
> My gateway : 111.111.111.254
>
> subnets routed from ISP to 111.111.111.254: 222.222.222.144/29, 333.333.333.192/27 and 444.444.444.128/26
>
> I have three internal networks that I don't want to see each other, but I want a way of seeing them all: 192.168.3.0/24, 192.168.4.0/24 and 192.168.253.0/24
>
> All these internal networks are running either web, mail or other kinds of services that need to have one-to-one NAT with a public address.
>
> Now I'm running as follows:
>
> first linux box:
> eth0: 111.111.111.254
> eth1: 222.222.222.145, 333.333.333.193 and 444.444.444.129
> no protection at all, don't know how to do it
>
> second linux box:
> eth0: all the above public IP addresses
> eth1: 192.168.3.1, 192.168.4.1, 192.168.253.1
> shorewall is doing all the natting and dnatting, etc.
>
> This setup is working fine except that I am not able to protect the first box.
>
> The question is: Is there a way in the shorewall setup to do it all with one box, or if not, how do I protect the first box and keep the traffic flowing?

To do it on one box:

a) On the second box, remove all of the public IP addresses from eth0.
b) On the second box, add 111.111.111.254 to eth0.
c) Remove the first box.
d) On the second box, 'arping -U -I eth0 111.111.111.254' (be sure your 'arping' is the one from the iputils package by Alexey Kuznetsov (Debian package iputils-arping)).

Hint: To use 1:1 NAT, it is only necessary that the external IP address be routed to the gateway by the upstream router. The address does not need to be configured on the gateway itself.

--------------------------------------------------------------------------

To protect the first box:

Follow the two-interface quickstart guide but instead of adapting /etc/shorewall/masq to your configuration, simply remove the entry from that file.
-Tom

--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
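As an added example (not Tom's files, nor anything from the Shorewall project), here is what the one-box layout from steps a) to d) looks like as a set of Shorewall configuration files, including the part of the original question Tom did not spell out: three internal zones on eth1 that cannot see each other, one of which (192.168.253.0/24) can see everything. Zone names, the internal host 192.168.3.10, its public address 222.222.222.146 (taken from the routed 222.222.222.144/29) and the use of ADD_IP_ALIASES=No are assumptions.

```shell
# Added example, not from the thread: Shorewall 4.4-style files for the
# one-box layout (eth0 = 111.111.111.254 toward the ISP, eth1 = 192.168.3.1,
# 192.168.4.1 and 192.168.253.1). Zone names, the host 192.168.3.10 and the
# public address 222.222.222.146 (inside 222.222.222.144/29) are assumptions.
write_shorewall_config() {
    dir="$1"; mkdir -p "$dir"
    cat >"$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc3    ipv4
loc4    ipv4
mgmt    ipv4
EOF
    # eth1 carries three zones, so they are bound in "hosts", not here.
    cat >"$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs
-       eth1        detect
EOF
    cat >"$dir/hosts" <<'EOF'
#ZONE   HOST(S)
loc3    eth1:192.168.3.0/24
loc4    eth1:192.168.4.0/24
mgmt    eth1:192.168.253.0/24
EOF
    # First match wins: mgmt reaches everything, loc3 and loc4 reach only
    # the net, and anything else crossing zones is dropped and logged.
    cat >"$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG
mgmt    all     ACCEPT
fw      all     ACCEPT
loc3    net     ACCEPT
loc4    net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
    # 1:1 NAT: the ISP routes 222.222.222.144/29 to eth0, so the public
    # address need not be configured on eth0 (ADD_IP_ALIASES=No in shorewall.conf).
    cat >"$dir/nat" <<'EOF'
#EXTERNAL        INTERFACE   INTERNAL       ALL INTERFACES  LOCAL
222.222.222.146  eth0        192.168.3.10   no              no
EOF
    # 1:1 NAT opens no ports by itself; inbound services still need rules.
    cat >"$dir/rules" <<'EOF'
#ACTION SOURCE  DEST                PROTO   DEST PORT(S)
ACCEPT  net     loc3:192.168.3.10   tcp     80,443
EOF
}
```

Write the files into a staging directory first (write_shorewall_config /tmp/shorewall-staging), run 'shorewall check' against that directory, and only then copy them over /etc/shorewall.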
Ibrahim Hamouda
2009-Oct-21 18:59 UTC
Re: multi external subnets and multi internal subnets
Thanks Tom. Will test tonight and report back.

On Wed, 2009-10-21 at 11:03 -0700, Tom Eastep wrote:
> To do it on one box:
>
> a) On the second box, remove all of the public IP addresses from eth0.
> b) On the second box, add 111.111.111.254 to eth0.
> c) Remove the first box.
> d) On the second box, 'arping -U -I eth0 111.111.111.254' (be sure your 'arping' is the one from the iputils package by Alexey Kuznetsov (Debian package iputils-arping)).
>
> Hint: To use 1:1 NAT, it is only necessary that the external IP address be routed to the gateway by the upstream router. The address does not need to be configured on the gateway itself.
>
> --------------------------------------------------------------------------
>
> To protect the first box:
>
> Follow the two-interface quickstart guide but instead of adapting /etc/shorewall/masq to your configuration, simply remove the entry from that file.
>
> -Tom
Tom Eastep wrote:
> --------------------------------------------------------------------------
>
> To protect the first box:
>
> Follow the two-interface quickstart guide but instead of adapting /etc/shorewall/masq to your configuration, simply remove the entry from that file.

Actually, you need to do a bit more. You need to add a 'net loc ACCEPT' policy as well so that all traffic routed to the second box is accepted.

-Tom
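As an added example (not Tom's files, nor the Shorewall project's), this is the two-box variant from Tom's two messages: the first box as a two-interface Shorewall firewall with no masq entry and the extra 'net loc ACCEPT' policy, so the public subnets it routes toward the second box pass through while the box itself answers only to the inside. Restricting inside access to the box to ssh is an assumption.

```shell
# Added example, not from the thread: the "first box" as a Shorewall
# two-interface firewall that routes 222.222.222.144/29, 333.333.333.192/27
# and 444.444.444.128/26 onward without NAT. The ssh rule is an assumption.
write_router_firewall() {
    dir="$1"; mkdir -p "$dir"
    cat >"$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF
    cat >"$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs
loc     eth1        detect
EOF
    # No masq entry at all: the public subnets behind eth1 are routed, not NATed.
    : >"$dir/masq"
    # 'net loc ACCEPT' is what Tom's follow-up adds; without it, inbound
    # traffic for the routed subnets hits 'net all DROP' before the second box.
    cat >"$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG
fw      all     ACCEPT
loc     net     ACCEPT
net     loc     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
    # The box itself is reachable only from the inside, and only on ssh.
    cat >"$dir/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  loc     fw      tcp     22
EOF
}
```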