Michael Weickel - iQom Business Services GmbH
2010-Jan-17 02:04 UTC
ppp+ port forward from internal to external (FAQ 2)
Hi all,

I am trying to solve the FAQ 2 scenario with multiple ppp+ interfaces as well as a network which has access through the same gateway as the ppp+ and the regular local zone.

My ppp+ uses the network 10.251.255.0/24 and they come in through WAN interface vlan3005. My regular local zone is 10.10.10.0/24 with local interface vlan200. My second local network is 10.100.100.0/24; it is forwarded through several default gateways until it arrives at the firewall's interface vlan664 with IP 172.31.255.2/30.

All three networks exist in different routing tables, but I have rules and routes which make it possible for them to share one and the same external interface vlan3003 (1.2.3.4), which masquerades them all.

My regular network can access the outside interface exactly as described by FAQ 2. But regarding the ppp+ and the second network I am a bit confused about what to do. I tried the following. The internal www service runs on 10.10.10.79/24; the firewall interface in that zone is 10.10.10.20/24.

In /etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST      OPTIONS
v3003   vlan3003    detect         routeback
v3005   vlan3005    detect
v200    vlan200     10.10.10.255
v664    vlan664     172.31.255.3
-       ppp+        -

In /etc/shorewall/hosts:

#ZONE   HOST(S)
l0001   ppp+:10.251.255.0/24

In /etc/shorewall/masq:

#INTERFACE            SUBNET             ADDRESS       PROTO   PORT(S)
vlan200:10.10.10.79   vlan664            10.10.10.20   tcp     www
vlan200:10.10.10.79   10.251.255.0/24    10.10.10.20   tcp     www

In /etc/shorewall/rules:

#ACTION   SOURCE   DEST               PROTO   DEST     SOURCE   ORIGINAL
#                                             PORT     PORT     DEST.
DNAT      v664     v200:10.10.10.79   tcp     80       -        1.2.3.4
DNAT      l0001    v200:10.10.10.79   tcp     80       -        1.2.3.4

I'm really not sure how I have to set up especially the rules and masq files so that all hosts from l0001 and v664 (this is the zone for 10.100.100.0/24 as well). Is someone out there who can help me with this?

Thanks a lot for comments on this.
Cheers
Mike

------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the world's best and brightest in the field, creating opportunities for Conference attendees to learn about information security's most important issues through interactions with peers, luminaries and emerging and established companies. http://p.sf.net/sfu/rsaconf-dev2dev
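For readers who land on this thread looking for the FAQ 2 pattern itself, the following is an added illustration of that pattern, not a fix from the thread and not something the poster or the Shorewall project confirmed for this setup. It reuses the addresses, zone names and column layout from the post above; placing `routeback` on vlan200 is an assumption, since the post shows it only on vlan3003. The point it demonstrates is that only the hairpin case (client and server both on vlan200) needs the masq entry, because without it the server would answer the client directly and the client would drop a reply that does not come from 1.2.3.4. Clients arriving via ppp+ or vlan664 are ordinary inter-zone DNAT and need only the DNAT rule, provided replies from 10.10.10.79 actually route back through the firewall.

```text
# Added example of the FAQ 2 pattern (not from the post; assumptions noted inline)

/etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST      OPTIONS
# assumption: routeback is required here because hairpinned traffic from
# vlan200 clients re-enters and leaves the firewall on the same interface
v200    vlan200     10.10.10.255   routeback

/etc/shorewall/masq
#INTERFACE            SUBNET          ADDRESS       PROTO   PORT(S)
# hairpin case only: rewrite the source of vlan200 clients to the firewall's
# own address so the server's replies come back through the firewall
vlan200:10.10.10.79   10.10.10.0/24   10.10.10.20   tcp     80

/etc/shorewall/rules
#ACTION   SOURCE   DEST               PROTO   DEST     SOURCE   ORIGINAL
#                                             PORT     PORT     DEST.
# same-segment clients (hairpin, paired with the masq entry above)
DNAT      v200     v200:10.10.10.79   tcp     80       -        1.2.3.4
# clients on other interfaces: plain inter-zone DNAT, no masq entry needed
# as long as the return path from 10.10.10.79 goes through the firewall
DNAT      l0001    v200:10.10.10.79   tcp     80       -        1.2.3.4
DNAT      v664     v200:10.10.10.79   tcp     80       -        1.2.3.4
```

With several routing tables in play, as described in the post, the return path is the thing to verify rather than assume: the `shorewall dump` output Tom asks for below shows the packet and byte counters on the generated DNAT rules (whether the rewrite matched at all) together with the routing rules and tables, which is where an asymmetric reply path from 10.10.10.79 would show up.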
Michael Weickel - iQom Business Services GmbH wrote:

> Is someone out there who can help me with this?

Not me...

We specifically ask that you NOT send us your configuration files (see http://www.shorewall.net/support.htm). The reason that we do that is:

a) Your configuration is wrong -- otherwise, you wouldn't be posting on the list.

b) By sending us your configuration files, you are focusing our attention on a wrong solution to SOME problem; your configuration files don't tell us what that problem is, they only show us your incorrect solution to it.

c) We would rather that you send us the output of 'shorewall dump' and tell us, in detail, what you are trying to accomplish and how it is failing. The 'shorewall dump' output will give us a clear picture of your environment; that together with a precise problem description (see the above URL), will allow us to help you quickly solve your problem.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________