Laszlo G. Szijarto
2003-Mar-26 10:28 UTC
[Shorewall-users] DNAT problem with dual firewalls
Hello, Everyone,

Thank you in advance for your help. I'm rather new to Shorewall. We have a T1 line and a DSL line for backup, since our connection is fairly critical. T1 has a different set of external IPs than the DSL. Internally, one shows up at 192.168.0.1 and the other as 192.168.0.2. Now we need to DNAT our 80 and 443 ports into a couple web servers at 192.168.0.226 and 192.168.0.227.

I cannot get both these DNATs working at the same time. Should I set up multiple default gateways on these internal machines to send traffic back out the way it came? Is that the proper way to do it? So, for example, both the .226 and .227 machine would have default gateways of BOTH 192.168.0.1 and 192.168.0.2 and traffic can go back the way it came. I thought, pardon the newbieness, that the server just responded to a TCP/IP stream set up from the firewall and sent traffic back to whichever firewall it came from.

Thank you so much for the help,

Laszlo Szijarto
On Wed, 26 Mar 2003, Laszlo G. Szijarto wrote:

> Hello, Everyone,
>
> Thank you in advance for your help. I'm rather new to Shorewall. We have a T1 line and a DSL line for backup, since our connection is fairly critical. T1 has a different set of external IPs than the DSL. Internally, one shows up at 192.168.0.1 and the other as 192.168.0.2. Now we need to DNAT our 80 and 443 ports into a couple web servers at 192.168.0.226 and 192.168.0.227.
>
> I cannot get both these DNATs working at the same time. Should I set up
> multiple default gateways on these internal machines to send traffic
> back out the way it came? Is that the proper way to do it? So, for
> example, both the .226 and .227 machine would have default gateways of
> BOTH 192.168.0.1 and 192.168.0.2 and traffic can go back the way it
> came. I thought, pardon the newbieness, that the server just responded
> to a TCP/IP stream set up from the firewall and sent traffic back to
> whichever firewall it came from.

Please see section 4.2.1 of the LARTC (URL available on the Shorewall "Useful Links" page).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
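Section 4.2.1 of the LARTC ("Split access") describes policy routing for a single Linux router that has two uplinks: one routing table per provider, each with its own default gateway, and `ip rule` entries that send traffic out through the link it belongs to. The script below is an added example written for this thread; it is not from the thread, from the LARTC, or from Shorewall. It assumes the T1 and the DSL both terminate on one router (the two separate firewall boxes in the question give each web server only one default route, which is the problem being described), and every interface name and address in it is a constructed placeholder. The second function goes a step beyond the LARTC section: for DNAT'd connections the reply from the web server still carries the internal source address (192.168.0.226) at the moment the router makes its routing decision, so the source-address rules alone do not pick the right uplink; a connection mark set on the inbound side and restored on the LAN side carries that choice back to the routing rules. By default the script only prints the commands; it executes them when run with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not from the thread): LARTC 4.2.1 style split access on one
# router with two uplinks, plus a connection-mark rule so replies from DNAT'd
# web servers leave by the uplink the request arrived on.
# Every interface name and address below is an assumed placeholder.

IF1=eth1; IP1=198.51.100.10; P1=198.51.100.1; P1_NET=198.51.100.0/24   # T1 uplink (assumed)
IF2=eth2; IP2=203.0.113.10;  P2=203.0.113.1;  P2_NET=203.0.113.0/24    # DSL uplink (assumed)
IF0=eth0                                                               # LAN side (assumed)

# Routing table numbers; the LARTC registers names for them in /etc/iproute2/rt_tables.
T1=1; T2=2

# run: print the command, and execute it only when APPLY=1 is set in the environment
run() { echo "$*"; [ "${APPLY:-0}" = 1 ] && "$@"; return 0; }

split_access() {
    # Per-provider tables: each one knows only its own link and its own default gateway.
    run ip route add "$P1_NET" dev "$IF1" src "$IP1" table "$T1"
    run ip route add default via "$P1" table "$T1"
    run ip route add "$P2_NET" dev "$IF2" src "$IP2" table "$T2"
    run ip route add default via "$P2" table "$T2"
    # Main table: both links are reachable, the T1 provider is the normal default.
    run ip route add "$P1_NET" dev "$IF1" src "$IP1"
    run ip route add "$P2_NET" dev "$IF2" src "$IP2"
    run ip route add default via "$P1"
    # Packets sourced from a provider address use that provider's table.
    run ip rule add from "$IP1" table "$T1"
    run ip rule add from "$IP2" table "$T2"
}

dnat_return_path() {
    # Replies from 192.168.0.226/.227 are routed before their source is rewritten
    # back to the external address, so the "from" rules above never match them.
    # Mark each new inbound connection with its uplink's table number, restore
    # the mark on packets arriving from the LAN, and route on the mark.
    for spec in "$IF1 $T1" "$IF2 $T2"; do
        set -- $spec
        run iptables -t mangle -A PREROUTING -i "$1" -m state --state NEW -j CONNMARK --set-mark "$2"
    done
    run iptables -t mangle -A PREROUTING -i "$IF0" -j CONNMARK --restore-mark
    run ip rule add fwmark "$T1" table "$T1"
    run ip rule add fwmark "$T2" table "$T2"
    # The DNAT rules themselves (ports 80/443 to the web servers) are left to
    # Shorewall's rules file and are not repeated here.
}

# Stand-alone usage: prints the commands; "APPLY=1 sh split-access.sh" executes them.
split_access
dnat_return_path
run ip route flush cache
```

The rule entries are checked in priority order, so the `fwmark` rules and the `from` rules can coexist: marked reply packets take the table their connection was tagged with, and the router's own outbound traffic from a provider address still takes that provider's table.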