Hi,

I've just got Shorewall up on our network, and most of it works just as it was supposed to. Only one problem is left that I can't figure out. I use NAT and port forward rules for several webservers on the inside, which I also made appropriate rules for as described in the Shorewall FAQ (2). The web servers seem to be correctly mapped for external clients AND for clients on the inside using static IP -- but not from clients using DHCP-assigned IP.

Here are what I believe are the relevant configuration settings:

masq:
eth0 192.168.1.0/24

nat:
....
xxx.yyy.zzz.100 eth0 192.168.1.100 yes yes
xxx.yyy.zzz.101 eth0 192.168.1.101 yes yes

rules:
....
ACCEPT net local:192.168.1.100 tcp www - xxx.yyy.zzz.100
ACCEPT local local:192.168.1.100 tcp www - xxx.yyy.zzz.100
ACCEPT net local:192.168.1.101 tcp www - xxx.yyy.zzz.101
ACCEPT local local:192.168.1.101 tcp www - xxx.yyy.zzz.101
...

I can reach the web server with address xxx.yyy.zzz.101 (with proper DNS) from client/host 192.168.1.100, but not from, let's say, client 192.168.1.80 which has a DHCP-configured IP address. I've checked the DHCP configuration, and clients are receiving the correct parameters and can reach any address on the outside.

Anyone who can point me in the right direction here?

Best regards,
Hallvard
Wilhelm,

----- Original Message -----
From: "wilhelm reich" <wr@npk.no>
To: <shorewall-users@shorewall.net>
Sent: Tuesday, March 19, 2002 7:48 AM
Subject: [Shorewall-users] Local to local port forwarding

> I use NAT and port forward rules for several webservers on the
> inside, which I also made appropriate rules for as described in
> the Shorewall FAQ (2).

Groan....

> The web servers seem to be correctly
> mapped for external clients AND for clients on the inside using
> static IP -- but not from clients using DHCP-assigned IP.
>
> Here are what I believe are the relevant configuration settings:
>
> masq:
> eth0 192.168.1.0/24

So I'm guessing that eth0 is your internal interface?

> nat:
> ....
> xxx.yyy.zzz.100 eth0 192.168.1.100 yes yes
> xxx.yyy.zzz.101 eth0 192.168.1.101 yes yes

No -- looks like eth0 is your external interface. So you should also have a
masq entry like:

eth1 192.168.1.0/24

> rules:
> ....
> ACCEPT net local:192.168.1.100 tcp www - xxx.yyy.zzz.100
> ACCEPT local local:192.168.1.100 tcp www - xxx.yyy.zzz.100
> ACCEPT net local:192.168.1.101 tcp www - xxx.yyy.zzz.101
> ACCEPT local local:192.168.1.101 tcp www - xxx.yyy.zzz.101
> ...

Given that you have these rules, you don't need the entries in
/etc/shorewall/nat!!!

> I can reach the web server with address xxx.yyy.zzz.101 (with
> proper DNS) from client/host 192.168.1.100, but not from, let's
> say, client 192.168.1.80 which has a DHCP-configured
> IP address. I've checked the DHCP configuration, and clients
> are receiving the correct parameters and can reach any address
> on the outside.

Well, I'm guessing that something is different about the DHCP-assigned
configuration and the static one.

> Anyone who can point me in the right direction here?

tcpdump is your friend -- "tcpdump -ni eth1 192.168.1.80" then try to
connect. Something obvious should show up.

-Tom
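An added illustration of what Tom's fix does, not part of his reply and not Shorewall's own code: the iptables rules that a Shorewall port forward (the nat/rules entries) plus the missing masq line for the internal interface roughly reduce to, for one forwarded TCP service. The hairpin_rules helper, its argument names, and 203.0.113.101 standing in for xxx.yyy.zzz.101 are assumptions; Shorewall's real generated rule set is larger. The script only prints the commands so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Shorewall's generated rules).
# Prints the iptables equivalent of a Shorewall port forward together with
# the "masq" entry for the internal interface that Tom asked for.
# Nothing is applied; pipe the output to sh only after reading it.

hairpin_rules() {
    int_if=$1   # LAN interface, eth1 in the thread
    lan=$2      # LAN prefix, 192.168.1.0/24
    pub_ip=$3   # public address the clients connect to
    srv_ip=$4   # inside server the public address maps to
    port=$5     # TCP port being forwarded

    # 1. The port forward (the nat/rules entries). No -i restriction, so it
    #    also matches a LAN client that connects to the public address.
    echo "iptables -t nat -A PREROUTING -d $pub_ip -p tcp --dport $port -j DNAT --to-destination $srv_ip"

    # 2. Let the DNATed connection through the forward path.
    echo "iptables -A FORWARD -o $int_if -d $srv_ip -p tcp --dport $port -j ACCEPT"

    # 3. The hairpin (the masq line for the internal interface). When a LAN
    #    client reaches the LAN server through the public address, rewrite
    #    the source to the firewall's address so the server's reply comes
    #    back through the firewall, where the DNAT state lives, instead of
    #    going straight to the client, which would see a SYN-ACK from
    #    $srv_ip rather than from $pub_ip and drop it.
    echo "iptables -t nat -A POSTROUTING -s $lan -d $srv_ip -o $int_if -p tcp --dport $port -j MASQUERADE"
}

# Stand-alone run: 203.0.113.101 (documentation range) stands in for the
# xxx.yyy.zzz.101 server from the post.
hairpin_rules eth1 192.168.1.0/24 203.0.113.101 192.168.1.101 80
```

Without rule 3 the symptom is exactly what Tom's tcpdump suggestion would show on eth1: the client's SYN to the public address arrives and is forwarded to the server, but no SYN-ACK ever comes back through the firewall, because the server answered the client directly on the shared LAN segment. Two caveats: with the hairpin in place the web server logs every internal client as the firewall's LAN address, which matters if those logs feed an audit trail; and the cleaner design is split DNS, so inside clients resolve the server's name to 192.168.1.101 and never hairpin at all.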
wilhelm reich
2002-Mar-19  17:19 UTC
Re(2): [Shorewall-users] Local to local port forwarding
Hi Tom,

I'm sorry I left you with all this guesswork, but it seems you are quite good in that respect anyway ;-)

The missing entry for the internal interface eth1 in masq solved the problem -- quick and easy! I also got rid of those unneeded entries in nat, and I'm quite sure I won't miss them.

Thanks a lot for the help!

Hallvard