Michael Weickel - iQom Business Services GmbH
2010-Apr-15 17:27 UTC
Reply from nat zone with foreign source ip
Hi list,

one of my clients is part of the same subnet as the local Shorewall interface. If this client wants to go to the internet, it is masqueraded by a masq entry and routed out of the egress interface. Besides the physical IP on the client there is a loopback with a public IP which is not known by Shorewall. Now I want this packet - this time with the source IP of the loopback interface - to go out the same egress interface.

If I tcpdump on the Shorewall local interface I see the packet with correct source and destination. If I tcpdump on the egress interface I see nothing. In addition nothing is dropped or rejected in the log file. This normally happens if someone forgot to add a masq entry.

The client source IP must be the same as the source IP once the packet leaves the firewall on the egress interface.

I tried something like this in masq

egress-if public-ip public-ip

but it looks very confusing and of course it doesn't work.

So my question is: how can I route a packet - originated in a natted zone - with a different source IP than Shorewall expects, without changing its source IP once the packet leaves the firewall on the egress interface?

So if someone asks himself what the hell I am doing here --> it's about load balancing and DIRECT SERVER RETURN.

Any idea? Thanks for listening.

Cheers
Mike

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
On Thu, 2010-04-15 at 19:27 +0200, Michael Weickel - iQom Business Services GmbH wrote:
> Hi list,
>
> one of my clients is part of the same subnet as the local Shorewall
> interface. If this clients wants to got to the internet its masqueraded by
> masq entry and routed out of the egress interface. Beside the physical ip on
> the client there is a loopback with a public ip which is not known by
> shorewall. Now I want this packet - this time with the source ip of loopback
> interface - to go out the same egress interface.
>
> If I tcpdump on Shorewall local interface I see the packet with correct
> source and destination. If I tcpdump on egress interface I see nothing. In
> addition nothing is dropped or rejected by log file. This normally happens
> if someone forgot to add masq entry.
>
> The client source ip must be the same as the source ip once packet leaves
> the firewall on egress interface.
>
> I tried something like this in masq
>
> egress-if public-ip public-ip
>
> but it looks very confusing and of course it doesn't work.
>
> So my question is: how can I route a packet - originated in a natted zone -
> with a different source ip as shorewall expects without changing its source
> ip once packet leaves the firewall on egress interface?
>

proxy-arp, maybe? http://www.shorewall.net/ProxyARP.htm

> So if someone asks himself what the hell I am doing here --> Its about
> loadbalancing and DIRECT SERVER RETURN.
>
> Any idea? Thanks for listening.
>
>
> Cheers
> Mike
>

Jerry
Michael Weickel - iQom Business Services GmbH
2010-Apr-15 21:35 UTC
Re: Reply from nat zone with foreign source ip
Thanks for your idea. I just managed it in the same second as your e-mail arrived. I did it with the masq entry I wrote. The only thing I forgot was to give Shorewall a static route to the loopback, reachable via the physical IP of the client. Now the direct server return works fine.

Anyway, thanks for the support!

-----Original Message-----
From: Jerry Vonau [mailto:jvonau@shaw.ca]
Sent: Thursday, 15 April 2010 23:30
To: Shorewall Users
Subject: Re: [Shorewall-users] Reply from nat zone with foreign source ip
Importance: High

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
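The fix Mike describes, written out as an added example that is not from the thread: the masq file with the no-op SNAT line placed ahead of the ordinary LAN line, plus the companion route. Interface names (eth0 egress, eth1 local), the addresses 203.0.113.10 (VIP on the client's loopback) and 192.168.1.50 (the client's physical address) are assumptions, and that reverse-path filtering is what silently dropped the packets is my reading of the symptoms, not something the thread states.

```conf
# /etc/shorewall/masq  (added example; names and addresses are assumptions)
#INTERFACE   SOURCE              ADDRESS
#
# 1) Direct Server Return: the client answers with the VIP as its source.
#    SNAT VIP -> VIP rewrites nothing, but it matches first, so the LAN
#    line below never touches these packets and the VIP is what leaves eth0.
eth0         203.0.113.10        203.0.113.10
#
# 2) Ordinary LAN traffic is masqueraded to the egress address. With an
#    interface as SOURCE, Shorewall derives the networks from the routing
#    table, so once the /32 route below exists the VIP would match here
#    as well; the order of the two lines therefore matters.
eth0         eth1
#
# Companion route, needed because the kernel otherwise has no idea that
# 203.0.113.10 sits behind eth1 (run once; persist it in the distro's
# network configuration):
#   ip route add 203.0.113.10/32 via 192.168.1.50 dev eth1
#
# Why the packets vanished without a log entry (assumed cause): with
# ROUTE_FILTER=Yes in shorewall.conf the kernel's reverse-path check drops
# a packet whose source address is not routed via the interface it arrived
# on, before it reaches Shorewall's filter rules, so nothing is logged as
# dropped. LOG_MARTIANS=Yes in shorewall.conf makes those drops show up in
# the kernel log; that is the check to run when tcpdump shows the packet on
# the inside interface and nothing on the outside.
```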