Gilson Soares
2003-Feb-14 09:22 UTC
[Shorewall-users] NATing two subnets with the same numbering
I played with IPIP/GRE support in Linux/Shorewall and it worked VERY fine. I connected my home DSL (10.0.0.0/24) to another two locations (172.16.0.0/24 and 10.0.1.0/24).

But now I need to connect to another site that has the same subnet as mine (10.0.0.0/24).

A guy in my office told me he had the same problem on a Cisco router. It was solved by creating a local 'virtual' numbering (ex: 10.10.10.0/24 for the remote server, and some other remote machines) using the Cisco IOS commands NAT INSIDE/NAT OUTSIDE.

I need, for example, to ping 10.10.10.2 from my PC (10.0.0.2); this ping will go through my firewall (10.0.0.1) and go to 10.0.0.2 in the remote network.

I didn't find hints in the Shorewall documentation on how to accomplish this. Is there a way to do the same in Shorewall?

-Gilson
Tom Eastep
2003-Feb-14 09:32 UTC
[Shorewall-users] NATing two subnets with the same numbering
Gilson Soares wrote:
>
> I didn't find hints in the Shorewall documentation on how to accomplish this.
> Is there a way to do the same in Shorewall?
>

No.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Feb-14 09:41 UTC
[Shorewall-users] NATing two subnets with the same numbering
Tom Eastep wrote:
> Gilson Soares wrote:
>
>> I didn't find hints in the Shorewall documentation on how to accomplish this.
>> Is there a way to do the same in Shorewall?
>
> No.

There is a patch in the Netfilter patch-o-matic collection that does this and if and when that patch is available in standard kernels, I'll add the appropriate Shorewall support. You should be able to apply the patch yourself though and add the appropriate nat table rule(s) in your /etc/shorewall/start file.

-Tom
Gilson Soares
2003-Feb-14 09:44 UTC
[Shorewall-users] NATing two subnets with the same numbering
At 2/14/2003 02:32 PM, Tom Eastep wrote:
>Gilson Soares wrote:
>
>>I didn't find hints in the Shorewall documentation on how to accomplish this.
>>Is there a way to do the same in Shorewall?
>
>No.
>
>-Tom

And what about using IPtables directly?

-Gilson
Tom Eastep
2003-Feb-14 09:54 UTC
[Shorewall-users] NATing two subnets with the same numbering
Gilson Soares wrote:
> At 2/14/2003 02:32 PM, Tom Eastep wrote:
>
> And what about using IPtables directly?

Actually, now that I look at your requirements I'm not sure if the thingy in patch-o-matic will solve it or not. You'll have to look...

-Tom
Eduardo Ferreira
2003-Feb-14 10:15 UTC
[Shorewall-users] NATing two subnets with the same numbering
Seems to me you're using too many addresses. Do you really need a /8 mask network on both sides?

abs,
Eduardo Ferreira

shorewall-users-bounces@lists.shorewall.net wrote on 14/02/2003 15:54:05:

> Gilson Soares wrote:
> > At 2/14/2003 02:32 PM, Tom Eastep wrote:
> >
> > And what about using IPtables directly?
>
> Actually, now that I look at your requirements I'm not sure if the
> thingy in patch-o-matic will solve it or not. You'll have to look...
>
> -Tom
Tom Eastep
2003-Feb-14 10:40 UTC
[Shorewall-users] NATing two subnets with the same numbering
Tom Eastep wrote:
> Actually, now that I look at your requirements I'm not sure if the
> thingy in patch-o-matic will solve it or not. You'll have to look...

It's called NETMAP and it simply provides a shorthand method of statically natting one subnet to another. In other words, it's not directly applicable to what you want to do.

While it _may_ be possible with iptables and 'ip' policy routing (I have a vague idea how to go about it), renumbering one of the networks is going to be faster to get running...

-Tom
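The static subnet-to-subnet mapping mentioned in the message above, traced for the ping from the first post, as an added example that is not part of the original thread and is not Netfilter or Shorewall code. It models only the address arithmetic, not routing or iptables rules; `LOCAL_ALIAS` (10.10.20.0/24) is a hypothetical second range that does not appear in the thread.

```python
import ipaddress


def netmap(addr, from_net, to_net):
    """Rewrite addr from from_net into to_net, keeping the host bits.

    Addresses outside from_net are returned unchanged (the rule does not match).
    """
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.version != dst.version or src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 mapping needs two networks of the same size")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        return str(ip)
    host_bits = int(ip) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


REAL = "10.0.0.0/24"            # numbering used at both sites (from the thread)
REMOTE_ALIAS = "10.10.10.0/24"  # "virtual" numbering for the remote site (from the thread)
LOCAL_ALIAS = "10.10.20.0/24"   # hypothetical alias for the local site (assumption)


def translate(packet, map_source):
    """Return (src, dst) as the remote LAN would see the packet."""
    src, dst = packet
    dst = netmap(dst, REMOTE_ALIAS, REAL)      # destination alias -> real remote address
    if map_source:
        src = netmap(src, REAL, LOCAL_ALIAS)   # hide the overlapping local source
    return src, dst


def ambiguous(packet):
    """True when source and destination both fall inside the shared real subnet."""
    real = ipaddress.ip_network(REAL)
    src, dst = (ipaddress.ip_address(a) for a in packet)
    return src in real and dst in real


if __name__ == "__main__":
    ping = ("10.0.0.2", "10.10.10.2")   # the ping described in the first post
    for both in (False, True):
        seen = translate(ping, map_source=both)
        print(f"map_source={both}: remote sees {seen}, ambiguous={ambiguous(seen)}")
```

With only the destination mapped, the remote host receives a packet whose source is an address on its own subnet, so its reply never leaves that LAN; the source has to be renumbered as well before the two sites can tell each other apart.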
Gilson Soares
2003-Feb-14 10:56 UTC
[Shorewall-users] NATing two subnets with the same numbering
At 2/14/2003 03:15 PM, Eduardo Ferreira wrote:
>Seems to me you're using too many addresses. Do you really need a /8 mask
>network on both sides?
>
>abs,
>
>Eduardo Ferreira

Read my first post. All subnets are /24.

-Gilson

>I connected my home DSL (10.0.0.0/24) to another two locations
>(172.16.0.0/24 and 10.0.1.0/24).
>But now I need to connect to another site that has the same subnet as mine
>(10.0.0.0/24).