Hi, I recently installed shorewall and perused the documentation... I have a situation that is similar to FAQ #14, where I have a "modem" connected to the external interface of my firewall and it has an RFC1918 address. Anyhow, I have only a single external IP as it stands currently, so I specify masquerading for my entire internal net to my static IP. So, when I try to ping my modem from my internal network, the addresses get translated, and then the modem never seems to respond (or the responses go off into the ether, according to tcpdump). My current fix for this is to specify eth0:10.0.0.1 192.168.100.0/24 10.0.0.2 in the shorewall masq file... This is rather unclean, IMO, and I was wondering if there is a more elegant solution, whereby I can just simply request that packets addressed to the 10.0.0.0/8 network do not get translated. I have tried specifying eth0:!10.0.0.0/8 in the masq file, but thus far, no luck. Thanks.
On Sun, 8 Sep 2002, pfnguyen wrote:

> Hi,
>
> I recently installed shorewall and perused the documentation... I have
> a situation that is similar to FAQ #14, where I have a "modem" connected
> to the external interface of my firewall and it has an RFC1918 address.
>
> Anyhow, I have only a single external IP as it stands currently, so I
> specify masquerading for my entire internal net to my static IP. So,
> when I try to ping my modem from my internal network, the addresses get
> translated, and then the modem never seems to respond (or the responses
> go off into the ether, according to tcpdump).
>

Where are you running tcpdump? Firewall?

> My current fix for this is to specify eth0:10.0.0.1 192.168.100.0/24
> 10.0.0.2 in the shorewall masq file... This is rather unclean, IMO,

I can't comment since so far, it is totally unclear what the problem is.

a) Is your external IP reserved by RFC1918?
b) If not, are you specifying 'norfc1918' on your external interface?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Monday, September 09, 2002 8:03 AM
> To: pfnguyen
> Cc: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] Specifying no masq for destinations
>
> On Sun, 8 Sep 2002, pfnguyen wrote:
>
> > Hi,
>
> Where are you running tcpdump? Firewall?

Tcpdump runs on firewall, yes.

> > My current fix for this is to specify eth0:10.0.0.1
> > 192.168.100.0/24
> > 10.0.0.2 in the shorewall masq file... This is rather unclean, IMO,
>
> I can't comment since so far, it is totally unclear what the
> problem is.
>
> a) Is your external IP reserved by RFC1918?
> b) If not, are you specifying 'norfc1918' on your external interface?

A) no, it is not an rfc1918 address
B) yes, I specify norfc1918 on my external interface

My setup is as follows:

Interface eth0 has 2 addresses: a routable, external address, and an rfc1918 address (in 10.0.0.0/8) for my Alcatel DSL "modem". My internal network is within 192.168.0.0/16 as defined by rfc1918. In my Shorewall masq file, I have 192.168.0.0/16 masquerade over eth0 as my external address, and in rfc1918 I have the appropriate return rules for the modem and eth0 addresses.

When I attempt to communicate with my modem from my internal network, the packets reach my modem as my external address. Because the modem does not have a gateway specified, it cannot respond to these translated packets.

I would like to know if there is an option that prevents translation for specified destination addresses, and if there isn't such an option currently, if I could make it a feature request.

My current workaround is to specify masq from 192.168.0.0/16 to show up as 10.0.0.X (my eth0 rfc1918 address). Another option is to specify a gateway on my modem; both are "ugly" solutions, IMO.

Thanks.
On Sunday 08 September 2002 07:28 pm, pfnguyen wrote:

> Hi,
>
> I recently installed shorewall and perused the documentation... I have
> a situation that is similar to FAQ #14, where I have a "modem" connected
> to the external interface of my firewall and it has an RFC1918 address.
>
> Anyhow, I have only a single external IP as it stands currently, so I
> specify masquerading for my entire internal net to my static IP. So,
> when I try to ping my modem from my internal network, the addresses get
> translated, and then the modem never seems to respond (or the responses
> go off into the ether, according to tcpdump).
>
> My current fix for this is to specify eth0:10.0.0.1 192.168.100.0/24
> 10.0.0.2 in the shorewall masq file... This is rather unclean, IMO, and
> I was wondering if there is a more elegant solution, whereby I can just
> simply request that packets addressed to the 10.0.0.0/8 network do not
> get translated. I have tried specifying eth0:!10.0.0.0/8 in the masq
> file, but thus far, no luck.
>

Note: This response takes into consideration additional information supplied by the original poster in subsequent posts.

To not masquerade to 10.0.0.1, simply replace your MASQ/SNAT rule with:

eth0:!10.0.0.1 192.168.100.0/24 [ <external.ip> ]

I don't think that will do you any good though since if your stupid Alcatel can't route to your external IP, it probably can't route to 192.168.100.0/24 either....

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
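The three masq choices in this thread (plain masquerade to the external IP, the `eth0:!10.0.0.1` exclusion Tom suggests, and the poster's workaround of SNATing to the firewall's own 10.0.0.2 address) differ only in what source address the modem sees and whether a gateway-less modem can route a reply to it. The following is an added example, not Shorewall's or Tom's code: it models just that decision in Python, using the 10.0.0.1 / 10.0.0.2 / 192.168.100.0/24 addresses from the thread. The external IP 203.0.113.10 and the LAN host 192.168.100.5 are constructed placeholders.

```python
"""Model of why 'eth0:!10.0.0.1' alone does not make the modem answer.

Added example, not Shorewall code. Two questions decide whether a ping
from the LAN to the modem ever gets a reply:
  1. what source address the modem sees after the firewall's SNAT/MASQ
  2. whether a modem with no default gateway can route a reply to it
"""
import ipaddress

MODEM_IP = ipaddress.ip_address("10.0.0.1")          # from the thread
MODEM_NET = ipaddress.ip_network("10.0.0.0/8")        # modem's only on-link net
FW_RFC1918_IP = ipaddress.ip_address("10.0.0.2")      # eth0's second address
EXTERNAL_IP = ipaddress.ip_address("203.0.113.10")    # constructed placeholder
LAN = ipaddress.ip_network("192.168.100.0/24")        # from the thread
LAN_HOST = ipaddress.ip_address("192.168.100.5")      # constructed placeholder


def masq_rule(exclude_dest=None, snat_to=EXTERNAL_IP):
    """Return a function (src, dst) -> source address after translation.

    exclude_dest models the 'eth0:!<addr>' column (destinations that must
    not be translated); snat_to models the ADDRESS column of the masq line.
    """
    excluded = ipaddress.ip_network(exclude_dest) if exclude_dest else None

    def apply(src, dst):
        if src not in LAN:
            return src                      # rule only covers the LAN subnet
        if excluded is not None and dst in excluded:
            return src                      # excluded destination: untouched
        return snat_to                      # otherwise SNAT to the given address
    return apply


def modem_can_reply(src_seen):
    """A host with no gateway can only answer addresses on its own link."""
    return src_seen in MODEM_NET


def ping_outcome(rule):
    """(source the modem sees, does a reply come back) for a LAN -> modem ping."""
    src_seen = rule(LAN_HOST, MODEM_IP)
    return str(src_seen), modem_can_reply(src_seen)


def compare_options():
    """The three masq lines discussed in the thread, mapped to their outcome."""
    return {
        "eth0 192.168.100.0/24 <external.ip>":
            ping_outcome(masq_rule()),
        "eth0:!10.0.0.1 192.168.100.0/24 <external.ip>":
            ping_outcome(masq_rule(exclude_dest="10.0.0.1")),
        "eth0:10.0.0.1 192.168.100.0/24 10.0.0.2":
            ping_outcome(masq_rule(snat_to=FW_RFC1918_IP)),
    }


if __name__ == "__main__":
    for line, (seen, ok) in compare_options().items():
        print(f"{line:50s} modem sees {seen:15s} reply: {'yes' if ok else 'no'}")
```

Only the last option produces a source the modem can reach without a route, which is the point of Tom's reply: excluding 10.0.0.1 from translation leaves the packet carrying a 192.168.100.x source that the modem cannot route to either, so the "unclean" SNAT to the firewall's 10.0.0.2 address (or a default route on the modem) is what actually closes the loop. The on-link check is a simplification of real routing, but it is exactly the condition that matters for a device with no gateway.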
Perry F. Nguyen
2002-Sep-11 23:21 UTC
[Shorewall-users] Specifying no masq for destinations
> To not masquerade to 10.0.0.1, simply replace your MASQ/SNAT
> rule with:
>
> eth0:!10.0.0.1 192.168.100.0/24 [ <external.ip> ]
>
> I don't think that will do you any good though since if your
> stupid Alcatel
> can't route to your external IP, it probably can't route to
> 192.168.100.0/24
> either....
>
> -Tom

Doh! You bring up a good point, I'd totally forgotten about that *slap self*--I wonder how I had it working in my old setup with ipchains... Oh well, that box is gone now, can't look at it.

I guess I'll just leave the NAT in place for my internal net to the modem, cleaner than defining a default route on it.

Thanks for the answer.