Hi All,

I'm using the Mandrake Linux MultiNetwork Firewall, which is a web-based interface to the Shorewall firewall.

I have an internal IP address of 172.25.38.1 which I am trying to NAT to a public address so that the client PC can FTP to the internet.

I have added the following in the nat file:

168.10.10.1 eth3 172.25.38.1 No No

And this to rules:

ACCEPT lan:172.25.38.1 wan tcp 0:65535 - -
ACCEPT wan lan:168.10.10.1 tcp 0:65535 -

I've accepted all ports just to try and get it working and will then narrow it down to FTP. I cannot seem to get the NAT to work; am I missing something?

Any help will be greatly appreciated.

Raymond
If you're talking about allowing a machine behind the firewall to get access to an FTP server on the outside world, you should be using IP Masquerading.

On the other hand, if you're bound and determined to use NAT, you should use DNAT instead of ACCEPT in your rules.

On Fri, 25 Feb 2005 06:27:05 +0200, Raymond Orchison <raymondo@unibase.co.za> wrote:
> I have an internal ip address of 172.25.38.1 which I am try to nat to a
> public address so that the client pc can ftp to the internet
>
> I have add the following in the nat file:
> 168.10.10.1 eth3 172.25.38.1 No No
>
> And this to rules:
> ACCEPT lan:172.25.38.1 wan tcp 0:65535 - -
> ACCEPT wan lan:168.10.10.1 tcp 0:65535 -

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Hi Gary,

Thanks for the response. I have added the following to the masq file:

#interface          subnet        address
eth3:196.41.3.167   172.25.38.1   168.10.10.1

196.41.3.167 is the remote FTP host my internal IP needs to connect to. When I try to connect to the outside I see no packets being matched in iptables -t nat.

Raymond

On Fri, 2005-02-25 at 06:56, Gary Buckmaster wrote:
> If you're talking about allowing a machine behind the firewall to get
> access to an ftp server on the outside world, you should be using IP
> Masquerading.
>
> On the other hand, if you're bound and determined to use NAT, you
> should use DNAT instead of ACCEPT in your rules
Richard,

You're making this WAY too hard on yourself. The format of the masq file is:

<external interface> <internal interface>

OR

<external interface> <internal network/CIDR netmask>

So going with what I suspect is your setup:

eth3 172.25.38.1/24

You do not need any additional entries in your rules file to get this to work.

On Fri, 25 Feb 2005 07:08:00 +0200, Raymond Orchison <raymondo@unibase.co.za> wrote:
> Thanks for the response, I have added the following to masq file:
> #interface subnet address
> eth3:196.41.3.167 172.25.38.1 168.10.10.1
>
> 196.41.3.167 is the remote ftp my internal ip needs to connect to, when
> I try to connect to the outside I see no packets been matched in
> iptables -t nat
> So going with what I suspect is your setup
>
> eth3 172.25.38.1/24

Won't this allow 172.25.38.1 to connect to anything on the internet?
Raymond Orchison wrote:
>> So going with what I suspect is your setup
>>
>> eth3 172.25.38.1/24
>
> Won't this allow 172.25.38.1 to connect to anything on the internet?

SNAT/MASQUERADE is not an access control mechanism!!!!

You define SNAT/MASQUERADE to describe how you wish packet source addresses to be rewritten, and you define policies and rules to describe which traffic you want to allow.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Gary Buckmaster wrote:
> The format of the masq file is:
>
> <external interface> <internal interface>
>
> OR
>
> <external interface> <internal network/CIDR netmask>
>
> So going with what I suspect is your setup
>
> eth3 172.25.38.1/24

For just the single host, that would be:

eth3 172.25.38.1

or

eth3 172.25.38.1/32

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
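The masq format Gary describes, the single-host /32 entry Tom gives, and Tom's point that SNAT/MASQUERADE decides nothing about which traffic is allowed, as an added example that is not part of this thread and is not Shorewall's own code: a small Python script that parses masq entries in the INTERFACE[:DEST] SOURCE [ADDRESS] form used above, renders the nat POSTROUTING rule each one amounts to, and models the forwarding path so that the filter verdict and the source rewrite are visibly two separate decisions. The masq lines and ACCEPT rules are constructed from the addresses in the thread; the eth3 address 203.0.113.1, the rule tuples and every function name are assumptions, and the single flat POSTROUTING rule is a simplification (Shorewall really puts the masq rules in a per-interface chain, but the match and target are the same).

```python
import ipaddress

# Constructed sample /etc/shorewall/masq entries (INTERFACE[:DEST] SOURCE [ADDRESS]).
# First match wins, so the narrower entry goes first.
MASQ_LINES = [
    "eth3:196.41.3.167 172.25.38.1 168.10.10.1",  # SNAT to 168.10.10.1, only toward the FTP host
    "eth3 172.25.38.1/32",                        # everything else from that host: MASQUERADE
]

# Constructed filter policy: (source, dest, proto, dport) tuples that are ACCEPTed;
# anything else is dropped.  This, not the masq file, is what controls access.
ACCEPT_RULES = [
    ("172.25.38.1/32", "196.41.3.167/32", "tcp", 21),
]

# Assumed primary address of eth3, which MASQUERADE uses; not stated in the thread.
IFACE_ADDRS = {"eth3": "203.0.113.1"}


def parse_masq_line(line):
    """Parse one masq entry into interface, optional destination, source net and optional SNAT address."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 2:
        raise ValueError(f"masq entry needs INTERFACE and SOURCE: {line!r}")
    iface, _, dest = fields[0].partition(":")
    return {
        "iface": iface,
        "dest": ipaddress.ip_network(dest, strict=False) if dest else None,
        "source": ipaddress.ip_network(fields[1], strict=False),  # bare host becomes /32
        "address": ipaddress.ip_address(fields[2]) if len(fields) > 2 else None,
    }


def masq_to_iptables(entry):
    """Render the nat POSTROUTING rule the entry amounts to (simplified, see lead-in)."""
    cmd = ["iptables", "-t", "nat", "-A", "POSTROUTING",
           "-o", entry["iface"], "-s", entry["source"].with_prefixlen]
    if entry["dest"] is not None:
        cmd += ["-d", entry["dest"].with_prefixlen]
    if entry["address"] is not None:
        cmd += ["-j", "SNAT", "--to-source", str(entry["address"])]
    else:
        cmd += ["-j", "MASQUERADE"]
    return " ".join(cmd)


def forward(src, dst, proto, dport, out_iface="eth3", rules=ACCEPT_RULES):
    """Model the forwarding path for one packet: the filter table gives the verdict first,
    and only accepted packets reach nat POSTROUTING, where the source may be rewritten.
    Returns (verdict, source address as the packet leaves the box)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    allowed = any(
        s in ipaddress.ip_network(rs) and d in ipaddress.ip_network(rd)
        and proto == rp and dport == rport
        for rs, rd, rp, rport in rules
    )
    if not allowed:
        return "DROP", src  # the masq entries are never consulted for dropped traffic
    for entry in map(parse_masq_line, MASQ_LINES):
        if (entry["iface"] == out_iface and s in entry["source"]
                and (entry["dest"] is None or d in entry["dest"])):
            if entry["address"] is not None:
                return "ACCEPT", str(entry["address"])          # SNAT to the fixed address
            return "ACCEPT", IFACE_ADDRS[out_iface]             # MASQUERADE to the interface address
    return "ACCEPT", src  # accepted but not masqueraded: leaves with its private source


if __name__ == "__main__":
    for line in MASQ_LINES:
        print(masq_to_iptables(parse_masq_line(line)))
    print(forward("172.25.38.1", "196.41.3.167", "tcp", 21))  # ('ACCEPT', '168.10.10.1')
    print(forward("172.25.38.1", "198.51.100.7", "tcp", 21))  # ('DROP', '172.25.38.1')
```

The second call shows Tom's point: a /24 (or /32) masq entry matches that packet, but it is dropped before NAT is ever reached because no rule accepts it; widening the rules, not the masq file, is what opens the path, and the same packet then leaves as 203.0.113.1. On a real box, `iptables -t nat -L POSTROUTING -v -n` (or `shorewall show nat`) is the check; note that nat rules see only the first packet of each connection, so their counters stay small even when NAT is working, and they stay at zero for traffic the filter rejects. For FTP in particular, the kernel's FTP connection-tracking and NAT helper modules (ip_conntrack_ftp/ip_nat_ftp on 2.4 and early 2.6 kernels, nf_conntrack_ftp/nf_nat_ftp later) must be loaded for the data connection to follow the control connection through the rewrite.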