Hi,

I was previously using shorewall and doing DNAT. I had 2 ethernet interfaces: eth0 was external /24 and eth1 was 192.168.1.0/24.

I moved the boxes to a different location and I am trying to figure out how to port my config.

The addresses I have been assigned:
I have been assigned an IP *.*.1.13 on a 255.255.255.0 subnet for my eth0 (firewall). I have been assigned *.*.105.192/27 for my servers.

My servers are running on 192.168.1.0/24 right now. I need to know how to set up my zones to route between 3 networks on 2 interfaces.

I currently have my interfaces configured:

#ZONE      INTERFACE   BROADCAST      OPTIONS
net        eth0        *.*.1.255
internal   lo          *.*.105.223
dmz        eth1        *.*.1.255

and have ported my config that did DNAT previously to somehow work, but I had to change the policy file to allow all net2dmz, and I know this is bad and incorrect. Can someone enlighten me on the routing issues that I need to understand to get this working correctly?

Thanks,
-asher
On Saturday 24 August 2002 01:54 pm, Asher Yanich wrote:

> I currently have my interfaces configured:
>
> #ZONE      INTERFACE   BROADCAST      OPTIONS
> net        eth0        *.*.1.255
> internal   lo          *.*.105.223
> dmz        eth1        *.*.1.255

I don't know what you are trying to do there but that won't work.

> and have ported my config that did DNAT previously to somehow work, but
> I had to change the policy file to allow all net2dmz, and I know this is
> bad and incorrect. Can someone enlighten me on the routing issues that I
> need to understand to get this working correctly?

What is the topology of your network?

isp ---> eth0 FW eth1 ----> dmz?

Is your ISP routing the 105.192/27 subnet through the 1.13 address?
Do your servers still have their RFC 1918 addresses?
If so, do you want to continue to use DNAT to redirect requests to them?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
isp --> eth0 FW
eth1 --> 192.168.1.0/24 (was not called dmz in my previous config)

Yes, my ISP routes the 105.192/27 subnet through the .1.13 address, and that is what threw me off. Because now I had 3 networks and only 2 interfaces, and that is why I got the idea that I needed to add IP addresses to the loopback or to a dummy interface.

Yes, my servers still have RFC 1918 addresses. I would like to continue to use DNAT to redirect requests to them. I just need to figure out what my interfaces are so that I can properly port my rules.

-asher
On Saturday 24 August 2002 02:42 pm, Asher Yanich wrote:

> Yes, my servers still have RFC 1918 addresses. I would like to continue to
> use DNAT to redirect requests to them. I just need to figure out what my
> interfaces are so that I can properly port my rules.

Your interfaces should look like:

net   eth0   *.*.1.255,*.*.105.223   <options>
dmz   eth1   192.168.1.255           <options>

and your DNAT rules should look like:

DNAT   net   dmz:192.168.1.x   <proto>   y   -   *.*.105.zzz

-Tom
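As an added illustration (not from the thread and not Shorewall's own generated ruleset), here is what a DNAT rule line of the shape above boils down to in iptables terms: a nat-table rewrite plus a narrow FORWARD accept, which is why the net2dmz policy can stay closed instead of being opened to everything as in the original question. Interface names eth0/eth1 follow the thread; 203.0.113.200 and 192.168.1.10 are constructed stand-ins for *.*.105.zzz and 192.168.1.x.

```shell
#!/bin/sh
# Added example, not Shorewall's generated rules: what a line of the form
#   DNAT  net  dmz:192.168.1.x  <proto>  y  -  *.*.105.zzz
# corresponds to. The ISP routes the /27 to the firewall's .1.13 address, so
# the public addresses need no interface alias: packets for them arrive on
# eth0, are rewritten in nat PREROUTING, and routing then picks eth1.
# Assumed (from the thread): net zone on eth0, dmz zone on eth1.
NET_IF=eth0
DMZ_IF=eth1

# dnat_rules PROTO PORT ORIGINAL_DEST DMZ_HOST
# Prints the nat rewrite plus the matching filter accept. Only this
# proto/port reaches the DMZ host; nothing else from net is let through.
dnat_rules() {
    proto=$1; port=$2; orig=$3; host=$4
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s\n' \
        "$NET_IF" "$orig" "$proto" "$port" "$host"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$NET_IF" "$DMZ_IF" "$host" "$proto" "$port"
}

# net2dmz_policy: the equivalent of a closed net->dmz policy. Replies to
# connections the DMZ initiated are allowed; anything not matched by a
# dnat_rules accept is dropped. Must be emitted after the DNAT accepts.
net2dmz_policy() {
    printf 'iptables -A FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$NET_IF" "$DMZ_IF"
    printf 'iptables -A FORWARD -i %s -o %s -j DROP\n' "$NET_IF" "$DMZ_IF"
}

# ruleset: ordered listing for a constructed mapping. 203.0.113.200
# (documentation range) stands in for *.*.105.zzz, 192.168.1.10 for 192.168.1.x.
ruleset() {
    dnat_rules tcp 80  203.0.113.200 192.168.1.10
    dnat_rules tcp 443 203.0.113.200 192.168.1.10
    net2dmz_policy
}

# Print the rules rather than applying them, so they can be reviewed first.
ruleset
```

The real Shorewall compiler splits these across per-zone-pair chains, but the ordering (specific accepts before the zone policy) is the same.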
On Saturday 24 August 2002 02:57 pm, Tom Eastep wrote:

> Your interfaces should look like:
>
> net   eth0   *.*.1.255,*.*.105.223   <options>

The second broadcast address here is questionable -- it depends on whether your ISP expects to be able to broadcast to your router on that IP. If they don't, then you can remove the .223 address from the broadcast list and use it as a DNAT 'ORIGINAL DEST' address.

-Tom
Ah, I guess I didn't understand that I could add IPs on a different network to my eth0:* aliases. Right?

so eth0 -> *.*.1.13
eth0:0 -> *.*.105.193 ..

In the ifcfg-eth0:* file should I put
GATEWAY=*.*.1.13

This will simplify the mess I have right now.

-asher
On Saturday 24 August 2002 07:34 pm, Asher Yanich wrote:

> Ah, I guess I didn't understand that I could add IPs on a different network
> to my eth0:* aliases. Right?
>
> so eth0 -> *.*.1.13
> eth0:0 -> *.*.105.193 ..

Not if your ISP is routing the *.*.105.193 through your *.*.1.13 address! IN THAT CASE, YOU DON'T HAVE TO DO ANYTHING!!!! You are trying to make this way too hard............

Sorry but it's 7:30 PM here and I don't have the energy to teach IP routing 101 this evening. Try looking at the routing stuff at http://www.shorewall.net/shorewall_setup_guide.htm.

-Tom