--On Monday, November 18, 2002 10:42:39 AM +0700
"warsono@unitedtractors.com" <warsono@unitedtractors.com> wrote:
>
>
> Dear all,
> I've got a problem with NAT, it doesn't work!
Translation: The way that you are using it doesn't do what you expect it to
do -- trust me, it DOES work!
> My Shorewall files configuration like this:
> /etc/shorewall/interfaces
># ZONE INTERFACE BROADCAST OPTIONS
> loc eth0 detect
> net eth1 detect
> dmz eth2 detect
># LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
># /etc/shorewall/zones
># ZONE DISPLAY COMMENTS
> net Net Internet
> loc Local Local networks
> dmz DMZ Demilitarized Zone
> mta Local Local MTA
> wsftp Local local ftp client
> wsragus local agus
You don't seem to have any definition of the 'mta', 'wsftp' and 'wsragus'
zones.
>
># /etc/shorewall/nat
># EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
># LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
># MTA static NAT
> 203.135.0.226 eth2 10.1.6.220
># WSFTP Client
> 203.135.0.212 eth1 10.1.4.23
> 203.135.0.213 eth1 10.1.4.67
I love how you follow the instructions about putting your entries above the
'#LAST LINE' entry...
>
># /etc/shorewall/masq
> eth0 10.1.44.0/26 203.135.0.197
> eth0 10.1.34.0/20 203.135.0.196
> eth0 10.1.0.0/19 203.135.0.195
>
># /etc/shorewall/policy
># SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
> loc net ACCEPT info
> net all DROP info
> all all REJECT info
>
># /etc/shorewall/rules
># I FOLLOWED THE THREE-INTERFACE SAMPLE but I added some rules.
>
># Email server rules Internet --> DMZ
> ACCEPT net dmz tcp 25
> ACCEPT net dmz udp 25
> ACCEPT dmz net tcp 25
> ACCEPT dmz net udp 25
># Email Server DMZ to MTA
> ACCEPT dmz mta tcp 25
> ACCEPT dmz mta udp 25
> ACCEPT loc dmz tcp 110
> ACCEPT loc dmz udp 110
> ACCEPT loc net tcp www,https
>
> My Problems are:
> 1. Why doesn't NAT for IP 10.1.4.23 & 10.1.4.67 work? It cannot access the
> internet, but NAT for 10.1.6.220 to DMZ works!
It's very hard to understand what you are trying to do since your entry for
10.1.6.220 is adding 203.135.0.226 to your DMZ interface while the other
two NAT entries are being added to your internet interface????
You also haven't told us which IP addresses you have assigned to your local
net and which IP addresses you have assigned to your DMZ so it is difficult
to evaluate the information that you have given us.
> 2. How many static NATs can I configure? Because I have about 14 local
> IPs that have to translate to internet IPs (static NAT)
That will work fine...
You also don't mention whether you are adding the NATed IP addresses
yourself or if you have set ADD_IP_ALIASES=Yes in
/etc/shorewall/shorewall.conf.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
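The three things Tom picks out of the quoted files (zones declared in zones but never given an interface or hosts definition, entries appended below the LAST LINE marker, and one-to-one NAT addresses attached to different interfaces) are all mechanical enough to check before running shorewall start. The script below is an added example written for this thread; it is not code from the thread or from the Shorewall project. It assumes the Shorewall 1.x column layouts shown in the post (zone first in interfaces, zones and hosts; EXTERNAL INTERFACE INTERNAL in nat; ACTION SOURCE DEST in rules), treats "all" and "fw" as the built-in zone names that need no definition, and uses file contents constructed to mirror the quoted files, with header comments added.

```python
"""Lint a Shorewall 1.x config set for the problems raised in the thread."""
import ipaddress

# Constructed to mirror the poster's files; header comments added.
INTERFACES = """\
# ZONE INTERFACE BROADCAST OPTIONS
loc eth0 detect
net eth1 detect
dmz eth2 detect
# LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

ZONES = """\
# ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
dmz DMZ Demilitarized Zone
mta Local Local MTA
wsftp Local local ftp client
wsragus local agus
"""

NAT = """\
# EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
# LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
# MTA static NAT
203.135.0.226 eth2 10.1.6.220
# WSFTP Client
203.135.0.212 eth1 10.1.4.23
203.135.0.213 eth1 10.1.4.67
"""

RULES = """\
# ACTION SOURCE DEST PROTO DEST PORT(S)
# Email server rules Internet --> DMZ
ACCEPT net dmz tcp 25
ACCEPT net dmz udp 25
ACCEPT dmz net tcp 25
ACCEPT dmz net udp 25
# Email Server DMZ to MTA
ACCEPT dmz mta tcp 25
ACCEPT dmz mta udp 25
ACCEPT loc dmz tcp 110
ACCEPT loc dmz udp 110
ACCEPT loc net tcp www,https
"""

MARKER = "LAST LINE"
# Assumption: zone names Shorewall treats specially; "fw" is the default FW name.
BUILTIN_ZONES = {"all", "fw"}


def entries(text):
    """Yield (lineno, fields, below_marker) for each non-blank, non-comment line.

    The LAST LINE marker is only a comment, so Shorewall still reads what
    follows it; below_marker is a hygiene flag, not a sign the entry is ignored."""
    below = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if MARKER in line:
                below = True
            continue
        yield lineno, line.split(), below


def entries_below_marker(text):
    """Line numbers of entries that were appended after the LAST LINE comment."""
    return [lineno for lineno, _, below in entries(text) if below]


def interface_zones(interfaces_text):
    """Map interface name -> zone from the interfaces file (alias suffix stripped)."""
    return {f[1].split(":")[0]: f[0] for _, f, _ in entries(interfaces_text)}


def bound_zones(interfaces_text, hosts_text=""):
    """Zones that have a definition via an interface or a hosts entry."""
    bound = set(interface_zones(interfaces_text).values())
    return bound | {f[0] for _, f, _ in entries(hosts_text)}


def unbound_zones(zones_text, interfaces_text, hosts_text=""):
    """Declared zones with no interface/hosts definition (Tom's first point)."""
    bound = bound_zones(interfaces_text, hosts_text)
    return [f[0] for _, f, _ in entries(zones_text) if f[0] not in bound]


def rules_with_undefined_zones(rules_text, zones_text, interfaces_text, hosts_text=""):
    """(lineno, zone) for each rule whose SOURCE or DEST zone is not fully defined."""
    declared = {f[0] for _, f, _ in entries(zones_text)}
    known = (declared & bound_zones(interfaces_text, hosts_text)) | BUILTIN_ZONES
    hits = []
    for lineno, fields, _ in entries(rules_text):
        for column in fields[1:3]:          # SOURCE and DEST columns
            zone = column.split(":")[0]     # drop any 'zone:host' qualifier
            if zone not in known:
                hits.append((lineno, zone))
    return hits


def nat_summary(nat_text, interfaces_text):
    """(external, interface, zone, internal) per one-to-one NAT entry.

    Addresses are validated, and the zone column makes it visible when external
    addresses are being attached to different interfaces, as in the post."""
    zones = interface_zones(interfaces_text)
    rows = []
    for _, fields, _ in entries(nat_text):
        external, iface, internal = fields[0], fields[1].split(":")[0], fields[2]
        ipaddress.ip_address(external)      # ValueError on a mistyped address
        ipaddress.ip_address(internal)
        rows.append((external, iface, zones.get(iface, "?"), internal))
    return rows


if __name__ == "__main__":
    print("zones without a definition:", unbound_zones(ZONES, INTERFACES))
    print("nat entries below LAST LINE:", entries_below_marker(NAT))
    print("rules using undefined zones:",
          rules_with_undefined_zones(RULES, ZONES, INTERFACES))
    for row in nat_summary(NAT, INTERFACES):
        print("NAT %s on %s (zone %s) -> %s" % row)
```

Run against the quoted files it reports mta, wsftp and wsragus as declared but undefined, all three nat entries as sitting below the marker, the two dmz-to-mta rules as referencing an undefined zone, and 203.135.0.226 as the one external address bound to the dmz interface rather than net. The script cannot answer Tom's last question (whether ADD_IP_ALIASES=Yes is set) because shorewall.conf was not quoted.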