I have a problem setting up an ALLIP <-> NAT gateway ...
I have already asked a lot of people, but nobody could help me, maybe somebody here can.

Okay, my problem is, I have to set up a router that routes ALL IPs (from 1.0.0.0 - 255.255.255) to a WAN router.
In picture:

                 /^^^^^^^^^^^\
                 |  internet |
                 \           /
                       |<-T1
               +-------|---------------+
               |       Firewall        |
               |      18.1.1.1/24      |
               +-------|---------------+
                       |
                       |
                       |-----------(Intranet Server 18.1.1.10/24)
                       |
               +-------|------------------+
               | eth0:0 (18.1.1.7)        |
               | eth1:1 (192.168.2.1)     |
               | Shorewall Linux Router   |
               +--------------------------+
                       |
                       |
               +-------|----------------+
               |    Ethernet switch     |-----\
               +-------|----------------+      \
                       |   |                    \
                       |   |                     \
                       |   |                      \
                 /^^^^^^^^^^^\   /^^^^^^^^^^^\   /^^^^^^^^^^^\
                 |  My PC 1  |   |  My PC 2  |   |  My PC 3  |
                 | 23.4.5.48 |   | 99.5.5.43 |   |192.168.2.48|
                 \           /   \           /   \           /

So, what I would like is that the Shorewall router NATs any packet that comes from all "my PCs"
to the Internet, independent of what IP address it has ...

Hopefully anybody could help me ...
Sven

Phone (+49)-6131-84-3151
Fax (+49)-6131-84-6708
Mobile (+49)-171-970-6664
E-Mail : oehmes@de.ibm.com
Sven Oehme wrote:
> I have a problem setting up an ALLIP <-> NAT gateway ...
> [...]
> So, what I would like is that the Shorewall router NATs any packet that
> comes from all "my PCs"
> to the Internet, independent of what IP address it has ...
>
> Hopefully anybody could help me ...

I assume that you simply want to SNAT the outgoing traffic, right?

a) Enable traffic control in /etc/shorewall/shorewall.conf (TC_ENABLED=Yes).

b) In /etc/shorewall/tcrules:

   25 eth1 0.0.0.0/0 all

c) In /etc/shorewall/start:

   run_iptables -t nat -A POSTROUTING -m mark --mark 25 -j SNAT 18.1.1.7

Do NOT put any entries in /etc/shorewall/masq

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Tom Eastep wrote:
> Sven Oehme wrote:
>> [...]
>> So, what I would like is that the Shorewall router NATs any packet
>> that comes from all "my PCs"
>> to the Internet, independent of what IP address it has ...
>>
>> Hopefully anybody could help me ...
>
> I assume that you simply want to SNAT the outgoing traffic, right?
>
> a) Enable traffic control in /etc/shorewall/shorewall.conf
> (TC_ENABLED=Yes).
>
> b) In /etc/shorewall/tcrules:
>
>    25 eth1 0.0.0.0/0 all
>
> c) In /etc/shorewall/start:
>
>    run_iptables -t nat -A POSTROUTING -m mark --mark 25 -j SNAT 18.1.1.7

Oops -- typo. The above should be:

   run_iptables -t nat -A POSTROUTING -m mark --mark 25 -j SNAT --to-source \
       18.1.1.7

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Hi,

I think this is not fixing my problem, maybe you misunderstood me ...
You are now "source natting" every PC's IP that is in the range of eth1 (e.g. 192.168.2.0/24),
but I would like to NAT EVERY PC, whether or not it has a valid IP address in this range, and whatever default gateway they have !!

So the router has to NAT the MAC address, not the IP address ...

Sven

Phone (+49)-6131-84-3151
Fax (+49)-6131-84-6708
Mobile (+49)-171-970-6664
E-Mail : oehmes@de.ibm.com


Tom Eastep <teastep@shorewall.net>
16.10.2002 20:14
To: Sven Oehme/Germany/IBM@IBMDE
cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Expert Question about NAT

Tom Eastep wrote:
> Sven Oehme wrote:
>> [...]
>
> I assume that you simply want to SNAT the outgoing traffic, right?
>
> a) Enable traffic control in /etc/shorewall/shorewall.conf
> (TC_ENABLED=Yes).
>
> b) In /etc/shorewall/tcrules:
>
>    25 eth1 0.0.0.0/0 all
>
> c) In /etc/shorewall/start:
>
>    run_iptables -t nat -A POSTROUTING -m mark --mark 25 -j SNAT 18.1.1.7

Oops -- typo. The above should be:

   run_iptables -t nat -A POSTROUTING -m mark --mark 25 -j SNAT --to-source \
       18.1.1.7

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Sven Oehme wrote:
> Hi,
>
> I think this is not fixing my problem, maybe you misunderstood me ...
> You are now "source natting" every PC's IP that is in the range of
> eth1 (e.g. 192.168.2.0/24),

No -- if you put the following entry in /etc/shorewall/masq, you would
have that result:

   eth0    eth1

> but I would like to NAT EVERY PC, whether or not it has a valid IP address
> in this range, and whatever default gateway they have !!
>
> So the router has to NAT the MAC address, not the IP address ...

The solution that I gave you will SNAT all PCs trying to connect to the
internet from eth1 no matter what IP address they have.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Sven Oehme wrote:
> So the router has to NAT the MAC address, not the IP address ...

MAC addresses are only visible on a LAN segment -- it is meaningless to
talk about natting them.

Is Proxy ARP what you really want to do?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Hi

What I mean is NATting and proxy-ARP ....

The client is, for example, coming with settings: fixed IP 10.0.0.8/24, gateway 10.0.0.1
The shorewall server in this local net has settings 172.168.0.1/24 and on the other side a 172.168.200.8 that has a connection to the firewall 172.168.200.1.

So the client has no valid IP for this LAN. Now I want the proxy-ARP to take all requests from the client, NAT them and send them to the next firewall/router (172.168.200.1) ... the firewall sends it to the internet ........

But I don't know how to configure it ..

Sven

Phone (+49)-6131-84-3151
Fax (+49)-6131-84-6708
Mobile (+49)-171-970-6664
E-Mail : oehmes@de.ibm.com


Tom Eastep <teastep@shorewall.net>
16.10.2002 23:21
To: Sven Oehme/Germany/IBM@IBMDE
cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Expert Question about NAT

Sven Oehme wrote:
> So the router has to NAT the MAC address, not the IP address ...

MAC addresses are only visible on a LAN segment -- it is meaningless to
talk about natting them.

Is Proxy ARP what you really want to do?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Sven Oehme wrote:
> Hi
>
> What I mean is NATting and proxy-ARP ....
>
> The client is, for example, coming with settings: fixed IP 10.0.0.8/24,
> gateway 10.0.0.1
> The shorewall server in this local net has settings 172.168.0.1/24 and
> on the other side a 172.168.200.8 that has a connection to the firewall
> 172.168.200.1.
>
> So the client has no valid IP for this LAN. Now I want the
> proxy-ARP to take all requests from the client, NAT them and send them to
> the next firewall/router (172.168.200.1) ... the firewall sends it to
> the internet ........
>
> But I don't know how to configure it ..

Neither do I. Since the client has no valid IP for this LAN, it also
hasn't a clue how to route in this LAN. So what is going to make it talk
to the Shorewall box in the first place?

As I understand it, this is the sort of problem that IPv6 "Mobile IPs" are
intended to solve; I know of no solution using IPv4.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
This is a flat LAN, it is not routed ... like it has a crossover cable between the shorewall box and the client ...

Sven

Phone (+49)-6131-84-3151
Fax (+49)-6131-84-6708
Mobile (+49)-171-970-6664
E-Mail : oehmes@de.ibm.com


Tom Eastep <teastep@shorewall.net>
17.10.2002 15:13
To: Sven Oehme/Germany/IBM@IBMDE
cc: Shorewall Users <shorewall-users@shorewall.net>
Subject: Re: [Shorewall-users] Expert Question about NAT

Sven Oehme wrote:
> [...]
> So the client has no valid IP for this LAN. Now I want the
> proxy-ARP to take all requests from the client, NAT them and send them to
> the next firewall/router (172.168.200.1) ... the firewall sends it to
> the internet ........
>
> But I don't know how to configure it ..

Neither do I. Since the client has no valid IP for this LAN, it also
hasn't a clue how to route in this LAN. So what is going to make it talk
to the Shorewall box in the first place?

As I understand it, this is the sort of problem that IPv6 "Mobile IPs" are
intended to solve; I know of no solution using IPv4.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Sven Oehme wrote:
> This is a flat LAN, it is not routed ... like it has a crossover cable
> between the shorewall box and the client ...

But each system will be configured with a default gateway -- if it is
trying to talk to a system in its configured subnetwork, it will try to
use ARP to learn that system's MAC address. If it is trying to talk to a
system outside of its configured subnetwork, it will try to ROUTE the
request to its default gateway. Which will NOT be the Shorewall box, right?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Hi,

My understanding is that the proxy-ARP server takes ALL requests that come onto its interface, whatever IP address that packet has ..
So the packet comes to the interface, but it is in a different subnet and has an invalid IP, but the proxy-ARP should send it outside on its second interface,
which is connected to its router, but with the source IP of the original sender.

So the packet will go out, but the answer will never come back.

So here is where NAT would help us: we encapsulate the original IP into our IP packet, the packet will be sent to the destination with the shorewall source IP.
The sender makes a reply to the shorewall box and the shorewall proxy-ARP knows the correct source (the client with the wrong IP) and sends it to its MAC.

Maybe we should better chat on ICQ, or I think this will be a never ending mail ... :-)

My ICQ nr. is: 159316964

Sven

Phone (+49)-6131-84-3151
Fax (+49)-6131-84-6708
Mobile (+49)-171-970-6664
E-Mail : oehmes@de.ibm.com


Tom Eastep <teastep@shorewall.net>
17.10.2002 15:48
To: Sven Oehme/Germany/IBM@IBMDE
cc: Shorewall Users <shorewall-users@shorewall.net>
Subject: Re: [Shorewall-users] Expert Question about NAT

Sven Oehme wrote:
> This is a flat LAN, it is not routed ... like it has a crossover cable
> between the shorewall box and the client ...

But each system will be configured with a default gateway -- if it is
trying to talk to a system in its configured subnetwork, it will try to
use ARP to learn that system's MAC address. If it is trying to talk to a
system outside of its configured subnetwork, it will try to ROUTE the
request to its default gateway. Which will NOT be the Shorewall box, right?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
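As an added example (not code from the thread or from Shorewall), a small Python model of the two mechanisms discussed above: the ARP-or-route decision Tom describes, applied to the three PCs in Sven's diagram, and the marked SNAT rule from Tom's fix together with the state that lets a reply find its way back, which is what Sven's last message describes. The PCs' /24 prefixes and default gateways, the 203.0.113.7 destination and the simplified state table (no source-port rewriting) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Values taken from the thread: the Shorewall box's LAN side (eth1:1), the
# address Tom's rule SNATs to (eth0:0) and the fwmark set in tcrules.
SHOREWALL_LAN_IP = "192.168.2.1"
SNAT_SOURCE = "18.1.1.7"
MARK = 25


@dataclass(frozen=True)
class Host:
    name: str
    address: str   # "ip/prefix" as configured on the PC
    gateway: str   # its configured default gateway


def first_hop(host: Host, dst: str) -> str:
    """Address the host will ARP for when sending to dst.

    An on-link destination is ARPed for directly; anything outside the
    configured subnet is handed to the default gateway, which the host
    must ARP for instead.  This is the decision Tom describes.
    """
    iface = ipaddress.ip_interface(host.address)
    if ipaddress.ip_address(dst) in iface.network:
        return dst
    return host.gateway


def reaches_shorewall(host: Host, dst: str, proxy_arp_all: bool = False) -> bool:
    """Does the frame ever arrive at the Shorewall box on this flat LAN?

    Normally the box answers ARP only for its own address.  With
    proxy_arp_all it answers every ARP request it hears, so whatever
    first hop the PC chooses resolves to the box's MAC.
    """
    return proxy_arp_all or first_hop(host, dst) == SHOREWALL_LAN_IP


# Hosts from Sven's diagram.  The /24 prefixes and the default gateways of
# PC 1 and PC 2 are assumptions; the thread only gives their addresses.
PCS = [
    Host("My PC 1", "23.4.5.48/24", "23.4.5.1"),
    Host("My PC 2", "99.5.5.43/24", "99.5.5.1"),
    Host("My PC 3", "192.168.2.48/24", SHOREWALL_LAN_IP),
]
INTERNET_HOST = "203.0.113.7"   # constructed destination on the internet


def lan_report(proxy_arp_all: bool) -> dict:
    """Per PC: does its internet-bound traffic reach the Shorewall box?"""
    return {pc.name: reaches_shorewall(pc, INTERNET_HOST, proxy_arp_all)
            for pc in PCS}


# --- what the marked SNAT rule does once a packet is on the Shorewall box ---
# Packets are plain dicts: src, dst, sport, dport, mark.  The state table is
# a simplified conntrack: it never rewrites the source port, so two clients
# using the same source port to the same server would collide (real NAT
# picks a free port instead).

def snat_outbound(packet: dict, conntrack: dict) -> dict:
    """Apply `-m mark --mark 25 -j SNAT --to-source 18.1.1.7` to one packet."""
    if packet.get("mark") != MARK:
        return dict(packet)                  # unmarked traffic is untouched
    out = dict(packet, src=SNAT_SOURCE)
    # Remember who really sent it, keyed by what the reply will look like.
    conntrack[(out["dst"], out["dport"], out["sport"])] = (packet["src"], packet["sport"])
    return out


def reverse_reply(reply: dict, conntrack: dict):
    """Map a reply addressed to 18.1.1.7 back to the original client.

    Returns None when there is no matching state: that is the case Sven
    describes where the packet goes out but the answer never comes back.
    """
    key = (reply["src"], reply["sport"], reply["dport"])
    if reply["dst"] != SNAT_SOURCE or key not in conntrack:
        return None
    orig_src, orig_sport = conntrack[key]
    return dict(reply, dst=orig_src, dport=orig_sport)


if __name__ == "__main__":
    for mode in (False, True):
        print(f"proxy_arp_all={mode}: {lan_report(mode)}")
    state = {}
    out = snat_outbound({"src": "23.4.5.48", "dst": INTERNET_HOST,
                         "sport": 40000, "dport": 80, "mark": MARK}, state)
    back = reverse_reply({"src": INTERNET_HOST, "dst": out["src"],
                          "sport": 80, "dport": out["sport"]}, state)
    print("translated:", out, "\nreply delivered to:", back["dst"])
```

With proxy_arp_all=False only My PC 3 ever hands its traffic to the Shorewall box, which is Tom's point; with it True all three do, and the marked SNAT rule then supplies the return path.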
Sven Oehme wrote:
> Hi,
>
> My understanding is that the proxy-ARP server takes ALL requests
> that come onto its interface, whatever IP address that packet has ..
> So the packet comes to the interface, but it is in a different subnet
> and has an invalid IP, but the proxy-ARP should send it outside on its
> second interface,
> which is connected to its router, but with the source IP of the original
> sender.
>
> So the packet will go out, but the answer will never come back.
>
> So here is where NAT would help us: we encapsulate the original IP into
> our IP packet, the packet will be sent to the destination with the
> shorewall source IP.
> The sender makes a reply to the shorewall box and the shorewall proxy-ARP
> knows the correct source (the client with the wrong IP) and sends it to
> its MAC.
>
> Maybe we should better chat on ICQ, or I think this will be a never
> ending mail ... :-)

From an ICQ conversation with Sven, he is looking for a solution whereby
people with fixed-IP laptops could walk in and connect to the internet by
simply connecting their laptop's NIC to the local LAN.

This seems like it requires something that behaves like a bridge on one
side but like a Masquerading gateway on the other. I don't know how to do
that - does any one on the list have any ideas?

Thanks,
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> -----Original Message-----
> From: Tom Eastep
> Sent: Thursday, October 17, 2002 10:58 AM
> To: Sven Oehme
> Cc: Shorewall Users
> Subject: Re: [Shorewall-users] Expert Question about NAT
>
> From an ICQ conversation with Sven, he is looking for a
> solution whereby people with fixed-IP laptops could walk
> in and connect to the internet by simply connecting their
> laptop's NIC to the local LAN.
>
> This seems like it requires something that behaves like a
> bridge on one side but like a Masquerading gateway on the
> other. I don't know how to do that - does any one on the
> list have any ideas?

There was a thread on comp.os.linux.networking a few days ago with the
subject of "Hotel Style IP Routing" that discussed what I believe the OP
is asking about. Might be a good starting point.

Steve Cowles