The shorewall script doesn't care about the real interface when the AUTO ADD ALIASES feature is enabled.

I think the problem comes from the script. There isn't any checking in delete_nat(), and not enough in the set_nat() function, when the script does an "ip addr del ..." (the existence of <shorewall home>/nat is checked in the delete_nat() function).

Any idea about a bug fix in a short time?

Alain Degreffe
eczema@ecze.com
Alain,

Please tell me what the problem is that you are seeing -- from your description, it is not at all clear.

-Tom
--
Tom Eastep \ Shorewall -- iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of eczema@ecze.com
> Sent: Monday, February 25, 2002 2:26 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Aliases problem
>
> The shorewall script doesn't care about the real interface when the AUTO ADD ALIASES feature is enabled.
>
> I think the problem comes from the script. There isn't any checking in delete_nat(), and not enough in the set_nat() function, when the script does an "ip addr del ..." (the existence of <shorewall home>/nat is checked in the delete_nat() function).
>
> Any idea about a bug fix in a short time?
>
> Alain Degreffe
> eczema@ecze.com
Well,

A) Sniff why only forwarded traffic....
B) Generated on my firewall of course.
C) I've read a lot about this. No solution because the packet is generated by an application, not the OS itself.

Thx for your very very very quick answer.... (Do you sleep sometimes?)

I continue to have a doubt about your function delete_nat():

    ################################################################################
    # Delete existing Static NAT and Port Forwarding                               #
    ################################################################################
    delete_nat() {
        run_iptables -t nat -F PREROUTING
        run_iptables -t nat -F POSTROUTING
        run_iptables -t nat -F OUTPUT

        [ -f ${STATEDIR}/nat ] && while read external interface; do
            # here shorewall doesn't control the $ADD_IP_ALIASES variable !!!
            qt ip addr del $external dev $interface
        done < ${STATEDIR}/nat
    }

Alain

> Several things:
>
> a) Shorewall NAT is designed to do SNAT and DNAT for forwarded connections. It is not designed to do SNAT only.
> b) When you say "Locally Generated" do you mean generated in your local network or on the firewall itself?
> c) I haven't heard of other people with a setup like yours having problems with packet source addresses -- perhaps there's something else you are overlooking. Unfortunately, I haven't set up a two-ISP system so I can't speak authoritatively.
>
> If you simply want to get the SNAT part of what Shorewall does with entries in the /etc/shorewall/nat file then create /etc/shorewall/start and add the following to it:
>
>     run_iptables -t nat -A POSTROUTING -o <first interface> -j SNAT --to-source <first ip>
>     run_iptables -t nat -A POSTROUTING -o <second interface> -j SNAT --to-source <second ip>
>
> -Tom
> --
> Tom Eastep \ Shorewall -- iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
> -----Original Message-----
> From: Alain Degreffe [mailto:adegreffe@europarl.eu.int]
> Sent: Monday, February 25, 2002 9:24 AM
> To: shorewall-users@shorewall.net; teastep@shorewall.net
> Subject: RE: [Shorewall-users] Aliases problem
>
> Well,
>
> A) Sniff why only forwarded traffic....

Because Netfilter NAT in the OUTPUT chain is currently totally broken so there is nothing that Shorewall can do to make that work right.

> B) Generated on my firewall of course.
>
> C) I've read a lot about this. No solution because the packet is generated by an application, not the OS itself.
>
> Thx for your very very very quick answer.... (Do you sleep sometimes?)
>
> I continue to have a doubt about your function delete_nat():
>
>     ################################################################################
>     # Delete existing Static NAT and Port Forwarding                               #
>     ################################################################################
>     delete_nat() {
>         run_iptables -t nat -F PREROUTING
>         run_iptables -t nat -F POSTROUTING
>         run_iptables -t nat -F OUTPUT
>
>         [ -f ${STATEDIR}/nat ] && while read external interface; do
>             # here shorewall doesn't control the $ADD_IP_ALIASES variable !!!
>             qt ip addr del $external dev $interface
>         done < ${STATEDIR}/nat

Look at the name of the file that's being read!!!! It is only created if ADD_IP_ALIASES=Yes!!!!

The problem is that you put the primary IP address of an interface in the /etc/shorewall/nat file -- the next time that shorewall is stopped or restarted, that address gets deleted. That's the way that it works and that is the way that it is going to continue to work.

-Tom
--
Tom Eastep \ Shorewall -- iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
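As an added example (not Shorewall's code and not written by either poster), here is a defensive variant of the delete_nat() loop discussed in this thread: it only emits "ip addr del" for an address that is actually a secondary (alias) address on the interface, so a primary address that ended up in the state file is skipped instead of removed. It assumes the address listing is handed in as "ip -o -4 addr show" text so it can run offline; the function names and sample data are mine.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: a defensive variant of the
# delete_nat() loop quoted in this thread. Before emitting "ip addr del"
# it checks that the address is a *secondary* address (an alias) on the
# interface, so a primary address listed in ${STATEDIR}/nat is skipped.
# Assumption (mine): the address listing is passed in as text in the
# format of "ip -o -4 addr show", so this runs offline with no root.

# is_secondary_addr IFACE ADDR LISTING -> exit 0 if ADDR is an alias on IFACE
is_secondary_addr() {
    iface=$1; addr=$2
    hit=$(printf '%s\n' "$3" | while read -r _idx dev fam cidr rest; do
        [ "$dev" = "$iface" ] && [ "$fam" = "inet" ] &&
            [ "${cidr%/*}" = "$addr" ] || continue
        case " $rest " in *" secondary "*) echo yes ;; esac
    done)
    [ "$hit" = yes ]
}

# safe_delete_nat NATFILE LISTING: prints the "ip addr del" command for each
# alias and a "skip:" line for anything that is not one. It prints rather
# than executes so the decision can be reviewed (and tested) first.
safe_delete_nat() {
    natfile=$1; listing=$2
    [ -f "$natfile" ] || return 0
    while read -r external interface; do
        [ -n "$external" ] || continue
        if is_secondary_addr "$interface" "$external" "$listing"; then
            printf 'ip addr del %s dev %s\n' "$external" "$interface"
        else
            printf 'skip: %s on %s is not an alias\n' "$external" "$interface"
        fi
    done < "$natfile"
}

# Constructed sample of "ip -o -4 addr show dev eth0" (not from a real
# host): the primary address 192.0.2.10 plus the alias 192.0.2.11.
SAMPLE_ADDRS='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.11/24 scope global secondary eth0\       valid_lft forever preferred_lft forever'

# Demo: a state file that lists both the alias and the primary address.
demo() {
    tmp=$(mktemp)
    printf '192.0.2.11 eth0\n192.0.2.10 eth0\n' > "$tmp"
    safe_delete_nat "$tmp" "$SAMPLE_ADDRS"
    rm -f "$tmp"
}
demo
```

On a real host the listing would come from `ip -o -4 addr show` and the printed command would be executed instead of echoed; the point is that the check happens per address, not just on the existence of the state file.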