Hello to all.

I have a problem with a specific configuration of Shorewall. I am the admin of a gamecenter and I am having problems with an ARP proxy configuration.

My server (firewall) has 2 interfaces: eth0 (external) and eth1 (internal). In the internal network I have configured (like in the docs) a real IP and made an ARP proxy configuration of this real IP from outside to the inside network. I am running a game server on that host and clients from outside can connect to this server without any problems. The problem is that the internal network is not able to connect to this server but can ping the IP. I think the problem is that the server is running as an internet server; when an internal IP is trying to connect, it refuses it. So I need to masquerade these IPs so the game server thinks it is an internet client.

Please help, I have been reading the whole documentation more than once and I am not finding any solution.

Thanks in advance.

Jan Meyer
subcha@gmx.net

P.S. I have 12 real IPs in a subnet.
On Thu, 2003-07-03 at 09:46, subcha wrote:
> Hello to all.
> I have a problem with a specific configuration of Shorewall. I am the
> admin of a gamecenter and I am having problems with an ARP proxy
> configuration.
> My server (firewall) has 2 interfaces: eth0 (external) and eth1 (internal).
> In the internal network I have configured (like in the docs) a real IP
> and made an ARP proxy configuration of this real IP from outside to the
> inside network.
> I am running a game server on that host and clients from outside can
> connect to this server without any problems. The problem is that the
> internal network is not able to connect to this server but can ping the
> IP. I think the problem is that the server is running as an internet
> server; when an internal IP is trying to connect, it refuses it. So I need
> to masquerade these IPs so the game server thinks it is an internet
> client. Please help, I have been reading the whole documentation more
> than once and I am not finding any solution.
>

You *really* should have the game server connected to a separate firewall interface; that would solve your problem and be more secure at the same time.

Otherwise, your choices are:

a) Add a second (local) IP address to the game server and arrange for your local hosts to connect to that IP rather than the public one. There are still problems associated with that (as I mentioned in a post just yesterday, it took me quite a while to sort them all out when I tried it -- I found that the complexity wasn't worth the result).

b) Masquerade access to the game server -- in /etc/shorewall/masq:

    eth1:<gameserver ip>    <local network>    <eth1 ip addr>

You will also need to enable traffic to be routed back out the interface that it came in on. If you are running the current version of Shorewall, you do that by setting the "routeback" option on eth1.

You are likely to run into other problems no matter which option you try.

Good luck,
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
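Option (b) spelled out with concrete addresses, as an added example that is not part of Tom's reply or of the Shorewall distribution. Assumed values: the LAN is 192.168.1.0/24, the firewall's eth1 address is 192.168.1.1, and the game server's public address is 203.0.113.10 (a documentation address standing in for one of the poster's 12 real IPs). The columns follow the Shorewall 1.4-era proxyarp, interfaces and masq file layout that the thread is discussing.

```text
# /etc/shorewall/proxyarp   (assumed: the game server 203.0.113.10 sits on
#                             the eth1 segment; the firewall answers ARP for
#                             it on eth0)
#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE
203.0.113.10    eth1        eth0        No

# /etc/shorewall/interfaces  (routeback lets a packet that arrived on eth1 be
#                             forwarded back out eth1, which is exactly the
#                             LAN client -> firewall -> game server path)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect      routeback

# /etc/shorewall/masq  (assumed: LAN 192.168.1.0/24, eth1 address 192.168.1.1)
# The "eth1:203.0.113.10" qualifier restricts the rewrite to traffic leaving
# eth1 *for the game server*, so other eth1 -> eth1 traffic keeps its real
# source address. LAN players then reach the server as 192.168.1.1.
#INTERFACE              SUBNET              ADDRESS
eth1:203.0.113.10       192.168.1.0/24      192.168.1.1
```

Run `shorewall check` before `shorewall restart` to catch column mistakes. The masq entry is roughly the same as a netfilter rule of the form `iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d 203.0.113.10 -j SNAT --to-source 192.168.1.1`. Two caveats a practitioner should weigh before choosing this over Tom's preferred separate-interface layout: every LAN player now appears to the game server as 192.168.1.1, so any per-address ban, rate limit or log entry on the server can no longer tell LAN players apart; and each LAN session crosses eth1 twice (in and back out), which doubles that interface's load for local players. Later Shorewall releases renamed these files (for example masq became snat in Shorewall 5), so check the documentation for the version actually installed.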
On Thu, 2003-07-03 at 10:02, Tom Eastep wrote:
>
> You *really* should have the game server connected to a separate
> firewall interface; that would solve your problem and be more secure at
> the same time.
>
> Otherwise, your choices are:
>
> a) Add a second (local) IP address to the game server and arrange for
> your local hosts to connect to that IP rather than the public one. There
> are still problems associated with that (as I mentioned in a post just
> yesterday, it took me quite a while to sort them all out when I tried it
> -- I found that the complexity wasn't worth the result).
>
> b) Masquerade access to the game server -- in /etc/shorewall/masq:
>
>     eth1:<gameserver ip>    <local network>    <eth1 ip addr>
>
> You will also need to enable traffic to be routed back out the interface
> that it came in on. If you are running the current version of Shorewall,
> you do that by setting the "routeback" option on eth1.
>
> You are likely to run into other problems no matter which option you
> try.
>

As I read my response, I realized that I'm assuming that the 'local' systems use RFC1918 addresses. Is that so?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net