Hi!

I have set one DNAT for FTP: wan ---> fw ---> lan ip

But I need another FTP for another service, then one-to-one NAT for another internal machine, but NAT doesn't work.

When connecting to FTP, the response is always from the same first machine.

Why?

I use Shorewall 2.0.1

and the nat file says: external_ip eth_ext internal_ip no no

and in rules:

DNAT wan lan:first_ftp tcp ftp -
ACCEPT wan lan:ip_second_ftp tcp ftp -
Rodrigo Cortes Cano wrote:
> Hi!
>
> I have set one DNAT for FTP: wan ---> fw ---> lan ip
>
> But I need another FTP for another service, then one-to-one NAT for
> another internal machine, but NAT doesn't work.
>
> When connecting to FTP, the response is always from the same first machine.
>
> Why?
>
> I use Shorewall 2.0.1
>
> and the nat file says: external_ip eth_ext internal_ip no no
>
> and in rules:
>
> DNAT wan lan:first_ftp tcp ftp -
> ACCEPT wan lan:ip_second_ftp tcp ftp -

This report is impossible to answer in its current form. This is a technical help list, not a list for exchanging puzzles.

a) How do 'external_ip' and 'internal_ip' relate to 'first_ftp' and 'ip_second_ftp'?

b) Is 'ip_second_ftp' the IP address of a machine behind your firewall that uses SNAT/Masquerade to access the internet (an RFC1918 address)?

c) What IP address do you try to connect to for the first ftp server?

d) What IP address do you try to connect to for the second ftp server?

e) What is the setting of DETECT_DNAT_ADDRS in shorewall.conf?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Rodrigo Cortes Cano wrote:
> hehehe, sorry
>
> again
>
> On Mon, 26-04-2004 at 15:37, Tom Eastep wrote:
>
>> Rodrigo Cortes Cano wrote:
>>
>>> Hi!
>>>
>>> I have set one DNAT for FTP: wan ---> fw ---> lan ip
>>>
>>> But I need another FTP for another service, then one-to-one NAT for
>>> another internal machine, but NAT doesn't work.
>>>
>>> When connecting to FTP, the response is always from the same first machine.
>>>
>>> Why?
>>>
>>> I use Shorewall 2.0.1
>>>
>>> and the nat file says: external_ip eth_ext internal_ip no no
>>>
>>> and in rules:
>>>
>>> DNAT wan lan:first_ftp tcp ftp -
>>> ACCEPT wan lan:ip_second_ftp tcp ftp -
>>
>> This report is impossible to answer in its current form. This is a
>> technical help list, not a list for exchanging puzzles.
>>
>> a) How do 'external_ip' and 'internal_ip' relate to 'first_ftp' and
>> 'ip_second_ftp'?
>
> My first external IP has one DNAT to the first internal FTP, and the second
> external IP (one-to-one NAT) to the second internal FTP.
>
>> b) Is 'ip_second_ftp' the IP address of a machine behind your firewall
>> that uses SNAT/Masquerade to access the internet (an RFC1918 address)?
>
> Both FTPs are behind the FW.
>
>> c) What IP address do you try to connect to for the first ftp server?
>
> The first IP is the firewall IP.
>
>> d) What IP address do you try to connect to for the second ftp server?
>
> The second IP is the one-to-one NAT.
>
>> e) What is the setting of DETECT_DNAT_ADDRS in shorewall.conf?
>
> This setting is set to NO.
>
> When set to YES, FTP works perfectly!!
>
> But this setting only works fine when all interfaces are up; is this the only way?

As an alternative, you can change your DNAT rule to:

DNAT wan lan:first_ftp tcp ftp - <first fw ip>

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
hehehe, sorry

again

On Mon, 26-04-2004 at 15:37, Tom Eastep wrote:
> Rodrigo Cortes Cano wrote:
>
>> Hi!
>>
>> I have set one DNAT for FTP: wan ---> fw ---> lan ip
>>
>> But I need another FTP for another service, then one-to-one NAT for
>> another internal machine, but NAT doesn't work.
>>
>> When connecting to FTP, the response is always from the same first machine.
>>
>> Why?
>>
>> I use Shorewall 2.0.1
>>
>> and the nat file says: external_ip eth_ext internal_ip no no
>>
>> and in rules:
>>
>> DNAT wan lan:first_ftp tcp ftp -
>> ACCEPT wan lan:ip_second_ftp tcp ftp -
>
> This report is impossible to answer in its current form. This is a
> technical help list, not a list for exchanging puzzles.
>
> a) How do 'external_ip' and 'internal_ip' relate to 'first_ftp' and
> 'ip_second_ftp'?

My first external IP has one DNAT to the first internal FTP, and the second external IP (one-to-one NAT) to the second internal FTP.

> b) Is 'ip_second_ftp' the IP address of a machine behind your firewall
> that uses SNAT/Masquerade to access the internet (an RFC1918 address)?

Both FTPs are behind the FW.

> c) What IP address do you try to connect to for the first ftp server?

The first IP is the firewall IP.

> d) What IP address do you try to connect to for the second ftp server?

The second IP is the one-to-one NAT.

> e) What is the setting of DETECT_DNAT_ADDRS in shorewall.conf?

This setting is set to NO.

When set to YES, FTP works perfectly!!

But this setting only works fine when all interfaces are up; is this the only way?

> -Tom
Rodrigo Cortes Cano wrote:
>>> When set to YES, FTP works perfectly!!
>>>
>>> But this setting only works fine when all interfaces are up; is this the only way?
>>
>> As an alternative, you can change your DNAT rule to:
>>
>> DNAT wan lan:first_ftp tcp ftp - <first fw ip>
>
> Valid only when DETECT_DNAT_ADDR is no?

When you specify a specific ORIGINAL DEST, it always overrides the DETECT_DNAT_ADDR setting. So the setting of DETECT_DNAT_ADDR is irrelevant.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
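The behaviour Tom's answer describes, as an added illustration that is not part of the list thread and not Shorewall's own code: a first-match model of the nat-table entries the two configurations produce. A DNAT rule with an empty ORIGINAL DEST matches FTP to *every* address on the external interface, so it captures the traffic meant for the second (one-to-one NATed) address before that entry is consulted; filling ORIGINAL DEST in, either by hand or via DETECT_DNAT_ADDRS=Yes, narrows the match to the firewall's own address. The addresses are constructed (RFC 5737 documentation ranges), and the ordering of the rules-file entry ahead of the nat-file entry is an assumption consistent with the symptom reported in the thread.

```python
# Added illustration, not code from the Shorewall list thread or from Shorewall
# itself: a first-match model of the nat PREROUTING decisions the thread describes.
# Addresses are constructed (RFC 5737 documentation ranges), not the poster's.
from dataclasses import dataclass
from typing import List, Optional

FW_IP = "203.0.113.1"          # primary address of eth_ext, the "first fw ip"
SECOND_EXT_IP = "203.0.113.2"  # second external address, one-to-one NATed
FIRST_FTP = "192.168.1.10"     # lan:first_ftp
SECOND_FTP = "192.168.1.20"    # lan:ip_second_ftp
FTP = 21


@dataclass
class NatEntry:
    to: str                        # address the destination is rewritten to
    dport: Optional[int]           # destination port match; None = any port
    original_dest: Optional[str]   # destination address match; None = any address


def build_nat_chain(detect_dnat_addrs: bool, original_dest: Optional[str]) -> List[NatEntry]:
    """Model the nat entries Shorewall would generate for the poster's setup.

    Assumption (consistent with the symptom in the thread): the rules-file
    DNAT entry is consulted before the nat-file one-to-one entry.
    """
    # rules file:  DNAT  wan  lan:first_ftp  tcp  ftp  -  <original_dest>
    if original_dest is None and detect_dnat_addrs:
        # With DETECT_DNAT_ADDRS=Yes and an empty ORIGINAL DEST column,
        # Shorewall fills in the interface's primary address at start time,
        # which is why that setting only helps when the interface is up.
        original_dest = FW_IP
    chain = [NatEntry(FIRST_FTP, FTP, original_dest)]
    # nat file:  SECOND_EXT_IP  eth_ext  SECOND_FTP  no  no   (one-to-one)
    chain.append(NatEntry(SECOND_FTP, None, SECOND_EXT_IP))
    return chain


def dnat(chain: List[NatEntry], dst_ip: str, dport: int) -> str:
    """Return the address an inbound packet is delivered to (first match wins)."""
    for entry in chain:
        if entry.dport is not None and entry.dport != dport:
            continue
        if entry.original_dest is not None and entry.original_dest != dst_ip:
            continue
        return entry.to
    return dst_ip  # no DNAT: the packet keeps its original destination


def where_does_ftp_go(detect_dnat_addrs: bool, original_dest: Optional[str]) -> dict:
    """Map each external address to the internal host an FTP connection reaches."""
    chain = build_nat_chain(detect_dnat_addrs, original_dest)
    return {
        FW_IP: dnat(chain, FW_IP, FTP),
        SECOND_EXT_IP: dnat(chain, SECOND_EXT_IP, FTP),
    }


if __name__ == "__main__":
    for label, detect, odest in [
        ("DETECT_DNAT_ADDRS=No, empty ORIGINAL DEST (poster's config)", False, None),
        ("DETECT_DNAT_ADDRS=Yes, empty ORIGINAL DEST", True, None),
        ("DETECT_DNAT_ADDRS=No, ORIGINAL DEST = first fw ip (Tom's fix)", False, FW_IP),
    ]:
        print(label)
        for ext, internal in where_does_ftp_go(detect, odest).items():
            print(f"  ftp to {ext} -> {internal}")
```

The practical check on a real box is the same: inspect the generated nat chain (`shorewall show nat` on Shorewall, or `iptables -t nat -L PREROUTING -n`) and confirm every DNAT entry on a multi-address interface carries an explicit destination match; an entry that matches any destination silently diverts traffic for all other addresses on that interface.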
On Mon, 26-04-2004 at 16:05, Tom Eastep wrote:
> Rodrigo Cortes Cano wrote:
>> hehehe, sorry
>>
>> again
>>
>> On Mon, 26-04-2004 at 15:37, Tom Eastep wrote:
>>
>>> Rodrigo Cortes Cano wrote:
>>>
>>>> Hi!
>>>>
>>>> I have set one DNAT for FTP: wan ---> fw ---> lan ip
>>>>
>>>> But I need another FTP for another service, then one-to-one NAT for
>>>> another internal machine, but NAT doesn't work.
>>>>
>>>> When connecting to FTP, the response is always from the same first machine.
>>>>
>>>> Why?
>>>>
>>>> I use Shorewall 2.0.1
>>>>
>>>> and the nat file says: external_ip eth_ext internal_ip no no
>>>>
>>>> and in rules:
>>>>
>>>> DNAT wan lan:first_ftp tcp ftp -
>>>> ACCEPT wan lan:ip_second_ftp tcp ftp -
>>>
>>> This report is impossible to answer in its current form. This is a
>>> technical help list, not a list for exchanging puzzles.
>>>
>>> a) How do 'external_ip' and 'internal_ip' relate to 'first_ftp' and
>>> 'ip_second_ftp'?
>>
>> My first external IP has one DNAT to the first internal FTP, and the second
>> external IP (one-to-one NAT) to the second internal FTP.
>>
>>> b) Is 'ip_second_ftp' the IP address of a machine behind your firewall
>>> that uses SNAT/Masquerade to access the internet (an RFC1918 address)?
>>
>> Both FTPs are behind the FW.
>>
>>> c) What IP address do you try to connect to for the first ftp server?
>>
>> The first IP is the firewall IP.
>>
>>> d) What IP address do you try to connect to for the second ftp server?
>>
>> The second IP is the one-to-one NAT.
>>
>>> e) What is the setting of DETECT_DNAT_ADDRS in shorewall.conf?
>>
>> This setting is set to NO.
>>
>> When set to YES, FTP works perfectly!!
>>
>> But this setting only works fine when all interfaces are up; is this the only way?
>
> As an alternative, you can change your DNAT rule to:
>
> DNAT wan lan:first_ftp tcp ftp - <first fw ip>
>

Valid only when DETECT_DNAT_ADDR is no?

> -Tom