hi,

i'm just trying Shorewall for the first time. i've been running gShield, but that doesn't handle the situation i've migrated into. so, in short, please flame lightly for my ignorance and stupidity.

this is an RH7.3 + errata fixes box. it's the current Shorewall-1.4.2. i downloaded and modified the two-interface example from the shorewall web site. i tried to follow the install, setup, and two-interface guides. iptables is version 1.2.5.

the network picture:
  UUnet --(T1)-- Cisco (65.222.81.33) ---> Switch
                                            |  |
                         65.222.81.34 ------+  +---- 65.222.81.35
                        Production FW1                Testing FW2
                          10.100.x.1                  10.100.x.2
                             |                             |
                             +------(switches/VLANs)-------+
                                           |
                                    Many local systems
                                   on separate subnets
                                     10.100.1.0/255
                                     10.100.2.0/255
                                     10.100.3.0/255
                                     10.100.4.0/255
                                     10.100.5.0/255
                                     10.100.6.0/255
                                    10.100.200.0/255
                                    10.100.201.0/255
                                    10.100.202.0/255
                                    10.100.203.0/255
                                    10.100.204.0/255
the reason for all the subnets is the recent explosion of the corporate network. currently, they're sharing the same core switch, but in the next few months, each segment will become fully isolated, and additional firewalls will be installed. that aside, the problem is what to do for now. both FW1 and FW2 are aliased on each subnet. eth0 is the 'public' (net) interface. eth1 and its many aliases are the 'internal' (loc) interface.

the production FW works fine. it's running gShield at the moment. the issue is that due to customer support, we need to have a new block of public IPs map directly into the internal network. this block has been purchased, and it's 65.199.221.97-126 ... the address "97" has already been bound into the Cisco unit, and we can ping that fine from the world at large.

what we want to do is set up Shorewall on FW2 to route the other public IP addrs (65.199.221.x) to specific internal machines. for now, i'm only trying to make this work on the first such pair:

   65.199.221.98 -> 10.100.201.11

once that works, we'll add our normal rules to FW2, test it for a while, and then make it FW1. the usual live-switching: in case something goes wrong, we still have FW1 there.

ok, with all that background, here's what happens. i can see via tcpdump that the FW2 box responds to the ARP query; it then receives the incoming traffic for 65.199.221.98. it receives ping/telnet/ftp/www traffic just fine... but never responds. instead, the log fills with the "all2all:DROP" message. i've checked the FAQs and such, but i don't see how i've set this up wrong. since i'm just starting out, can anyone point me in the right path? (note: i've read the "Shorewall & IP Aliases" FAQ, the install guide, etc -- i'm doing exactly what they say to, afaics.) below are the various bits and pieces requested for getting meaningful help.

thanks,
-josh
Log Message:
------------------
May 13 15:16:17 fw35 root: Shorewall Restarted
May 13 15:18:25 fw35 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:a0:cc:21:e9:ac:00:08:a3:b7:8a:20:08:00 SRC=12.119.32.145 DST=65.199.221.98 LEN=56 TOS=0x00 PREC=0x00 TTL=247 ID=62908 PROTO=ICMP TYPE=3 CODE=13 [SRC=65.199.221.98 DST=207.46.134.94 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=52311 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:18:28 fw35 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:a0:cc:21:e9:ac:00:08:a3:b7:8a:20:08:00 SRC=12.119.32.145 DST=65.199.221.98 LEN=56 TOS=0x00 PREC=0x00 TTL=247 ID=62931 PROTO=ICMP TYPE=3 CODE=13 [SRC=65.199.221.98 DST=207.46.134.94 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=52823 DF PROTO=TCP INCOMPLETE [8 bytes] ]
---------------------
Policy File:
--------------------
loc             net             ACCEPT
fw              net             ACCEPT
net             all             DROP            info
all             all             REJECT          info
---------------------
NAT File
---------------------
65.199.221.98   eth0:0          10.100.201.11   no                      no
---------------------
Rules File
---------------------
ACCEPT          fw              net             tcp     53
ACCEPT          fw              net             udp     53
ACCEPT          loc             fw              tcp     53
ACCEPT          loc             fw              udp     53
#
#       Accept SSH connections from the local network for administration
#
ACCEPT          loc             fw              tcp     22
#
#       Allow Ping To And From Firewall
#
ACCEPT          loc             fw              icmp    8
ACCEPT          net             fw              icmp    8
ACCEPT          fw              loc             icmp    8
ACCEPT          fw              net             icmp    8
#
# For the aliased/extra public IPs... how to handle...
#
DNAT            net             loc:10.100.201.11       all     -       65.199.221.98
ACCEPT          net             loc:10.100.201.11       all
---------------------
Kernel Info
---------------------
[root@fw35 shorewall]# uname -a
Linux fw35.unix.futura 2.4.18-27.7.x #1 Fri Mar 14 06:44:53 EST 2003 i686 unknown
[root@fw35 shorewall]# lsmod
Module                  Size  Used by    Not tainted
ipt_TOS                 1760  12  (autoclean)
ip_nat_irc              3392   0  (unused)
ip_nat_ftp              4064   0  (unused)
ip_conntrack_irc        3552   0  (unused)
ip_conntrack_ftp        4768   0  (unused)
ipt_state               1248  30  (autoclean)
ipt_REJECT              3744   2  (autoclean)
ipt_LOG                 4384   7  (autoclean)
ipt_limit               1696   0  (autoclean)
iptable_nat            19700   3  (autoclean) [ip_nat_irc ip_nat_ftp]
ip_conntrack           20300   4  (autoclean) [ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_state iptable_nat]
iptable_mangle          2944   1  (autoclean)
iptable_filter          2464   1  (autoclean)
ip_tables              13952  10  [ipt_TOS ipt_state ipt_REJECT ipt_LOG ipt_limit iptable_nat iptable_mangle iptable_filter]
autofs                 11172   0  (autoclean) (unused)
3c59x                  28456   1 
tulip                  41344   1 
ide-cd                 30144   0  (autoclean)
cdrom                  31936   0  (autoclean) [ide-cd]
usb-uhci               24324   0  (unused)
usbcore                71072   1  [usb-uhci]
ext3                   64768   2 
jbd                    47892   2  [ext3]
---------------------
"ip" addr + route info
---------------------
[root@fw35 shorewall]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:cc:21:e9:ac brd ff:ff:ff:ff:ff:ff
    inet 65.222.81.35/29 brd 65.222.81.39 scope global eth0
    inet 65.199.221.98/29 brd 65.222.81.39 scope global eth0:0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:ca:38:ce brd ff:ff:ff:ff:ff:ff
    inet 10.100.1.2/24 brd 10.100.1.255 scope global eth1
    inet 10.100.2.2/24 brd 10.100.2.255 scope global eth1:0
    inet 10.100.3.2/24 brd 10.100.3.255 scope global eth1:1
    inet 10.100.4.2/24 brd 10.100.4.255 scope global eth1:2
    inet 10.100.5.2/24 brd 10.100.5.255 scope global eth1:3
    inet 10.100.6.2/24 brd 10.100.6.255 scope global eth1:4
    inet 10.100.200.2/24 brd 10.100.200.255 scope global eth1:5
    inet 10.100.201.2/24 brd 10.100.201.255 scope global eth1:6
    inet 10.100.202.2/24 brd 10.100.202.255 scope global eth1:7
    inet 10.100.203.2/24 brd 10.100.203.255 scope global eth1:8
    inet 10.100.204.2/24 brd 10.100.204.255 scope global eth1:9
[root@fw35 shorewall]# ip route show
65.222.81.32/29 dev eth0  scope link 
65.199.221.96/29 dev eth0  proto kernel  scope link  src 65.199.221.98 
10.100.203.0/24 dev eth1  proto kernel  scope link  src 10.100.203.2 
10.100.202.0/24 dev eth1  proto kernel  scope link  src 10.100.202.2 
10.100.201.0/24 dev eth1  proto kernel  scope link  src 10.100.201.2 
10.100.200.0/24 dev eth1  proto kernel  scope link  src 10.100.200.2 
10.100.204.0/24 dev eth1  proto kernel  scope link  src 10.100.204.2 
10.100.5.0/24 dev eth1  proto kernel  scope link  src 10.100.5.2 
10.100.4.0/24 dev eth1  proto kernel  scope link  src 10.100.4.2 
10.100.6.0/24 dev eth1  proto kernel  scope link  src 10.100.6.2 
10.100.1.0/24 dev eth1  scope link 
10.100.3.0/24 dev eth1  proto kernel  scope link  src 10.100.3.2 
10.100.2.0/24 dev eth1  proto kernel  scope link  src 10.100.2.2 
127.0.0.0/8 dev lo  scope link 
default via 65.222.81.33 dev eth0 
--------------------------
Shorewall STATUS
--------------------------
[root@fw35 shorewall]# shorewall status
Shorewall-1.4.2 Status at fw35.unix.futura - Tue May 13 15:44:32 EDT 2003
Counters reset Tue May 13 15:16:17 EDT 2003
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   50  2860 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  420 24144 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
  172 14510 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    3   228 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  275 49192 fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain all2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
   47  2632 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53 state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0            65.222.81.39
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.100.1.255
Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source               destination
Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
  172 14510 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
  172 14510 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
  172 14510 net2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   50  2860 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
   50  2860 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
  420 24144 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
  420 24144 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
  275 49192 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    3   228 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  420 24144 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain logdrop (30 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x16/0x02
   47  2632 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   47  2632 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
   47  2632 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   228 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
   47  2632 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain net2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x16/0x02
  172 14510 ACCEPT     all  --  *      *       0.0.0.0/0            10.100.201.11        state NEW
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            10.100.201.11        state NEW
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain newnotsyn (8 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain reject (10 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain rfc1918 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       169.254.0.0/16       0.0.0.0/0
    0     0 logdrop    all  --  *      *       172.16.0.0/12        0.0.0.0/0
    0     0 logdrop    all  --  *      *       192.0.2.0/24         0.0.0.0/0
    0     0 logdrop    all  --  *      *       192.168.0.0/16       0.0.0.0/0
    0     0 logdrop    all  --  *      *       0.0.0.0/7            0.0.0.0/0
    0     0 logdrop    all  --  *      *       2.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       5.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       7.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       10.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       23.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       27.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       31.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       36.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       39.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       41.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       42.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       49.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       50.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       58.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       60.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       70.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       72.0.0.0/5           0.0.0.0/0
    0     0 logdrop    all  --  *      *       83.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       84.0.0.0/6           0.0.0.0/0
    0     0 logdrop    all  --  *      *       88.0.0.0/5           0.0.0.0/0
    0     0 logdrop    all  --  *      *       96.0.0.0/3           0.0.0.0/0
    0     0 logdrop    all  --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       197.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       198.18.0.0/15        0.0.0.0/0
    0     0 logdrop    all  --  *      *       201.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       240.0.0.0/4          0.0.0.0/0
Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination
May 13 15:33:46 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.134.30 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=21124 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:34:20 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.134.30 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=21636 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:34:23 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.134.30 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=22148 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:34:29 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.134.30 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=22404 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:34:41 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.134.30 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=22660 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:38:25 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.134.30 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=23684 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:38:28 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.134.30 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=24196 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:38:34 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.134.30 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=24452 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:38:46 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.134.30 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=24708 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:39:20 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.249.61 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=25476 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:39:23 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.249.61 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=25988 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:39:29 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.249.61 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=26244 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:39:41 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.249.61 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=26500 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:43:25 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.249.61 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=27524 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:43:28 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.249.61 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=28036 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:43:34 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.249.61 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=28292 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:43:46 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.249.61 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=28548 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:44:20 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.249.61 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=29060 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:44:23 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.249.61 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=29572 DF PROTO=TCP INCOMPLETE [8 bytes] ]
May 13 15:44:29 net2all:DROP:IN=eth0 OUT= SRC=65.199.221.98 DST=207.46.249.61 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=29828 DF PROTO=TCP INCOMPLETE [8 bytes] ]
NAT Table
Chain PREROUTING (policy ACCEPT 1737 packets, 240K bytes)
 pkts bytes target     prot opt in     out     source               destination
   13  1259 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   11  1127 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 257 packets, 19746 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   228 eth0_out   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    3   228 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 272 packets, 19484 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   132 DNAT       all  --  *      *       0.0.0.0/0            65.199.221.98        to:10.100.201.11
Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       10.100.203.0/24      0.0.0.0/0            to:65.222.81.35
    0     0 SNAT       all  --  *      *       10.100.202.0/24      0.0.0.0/0            to:65.222.81.35
    0     0 SNAT       all  --  *      *       10.100.201.0/24      0.0.0.0/0            to:65.222.81.35
    0     0 SNAT       all  --  *      *       10.100.200.0/24      0.0.0.0/0            to:65.222.81.35
    0     0 SNAT       all  --  *      *       10.100.204.0/24      0.0.0.0/0            to:65.222.81.35
    0     0 SNAT       all  --  *      *       10.100.5.0/24        0.0.0.0/0            to:65.222.81.35
    0     0 SNAT       all  --  *      *       10.100.4.0/24        0.0.0.0/0            to:65.222.81.35
    0     0 SNAT       all  --  *      *       10.100.6.0/24        0.0.0.0/0            to:65.222.81.35
    0     0 SNAT       all  --  *      *       10.100.1.0/24        0.0.0.0/0            to:65.222.81.35
    0     0 SNAT       all  --  *      *       10.100.3.0/24        0.0.0.0/0            to:65.222.81.35
    0     0 SNAT       all  --  *      *       10.100.2.0/24        0.0.0.0/0            to:65.222.81.35
Chain eth0_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       10.100.201.11        0.0.0.0/0            to:65.199.221.98
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
   11  1127 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:10.100.201.11
Mangle Table
Chain PREROUTING (policy ACCEPT 66441 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination
  172 14510 man1918    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW
 1084 80231 pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain INPUT (policy ACCEPT 62814 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 1935 packets, 162K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 57799 packets, 5609K bytes)
 pkts bytes target     prot opt in     out     source               destination
  516 89148 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 59611 packets, 5762K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain logdrop (30 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:man1918:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain man1918 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            169.254.0.0/16
    0     0 logdrop    all  --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 logdrop    all  --  *      *       0.0.0.0/0            192.0.2.0/24
    0     0 logdrop    all  --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            2.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            5.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            7.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            10.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            23.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            27.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            31.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            36.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            39.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            41.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            42.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            49.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            50.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            58.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            60.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            70.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            72.0.0.0/5
    0     0 logdrop    all  --  *      *       0.0.0.0/0            83.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            84.0.0.0/6
    0     0 logdrop    all  --  *      *       0.0.0.0/0            88.0.0.0/5
    0     0 logdrop    all  --  *      *       0.0.0.0/0            96.0.0.0/3
    0     0 logdrop    all  --  *      *       0.0.0.0/0            127.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            197.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            198.18.0.0/15
    0     0 logdrop    all  --  *      *       0.0.0.0/0            201.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            240.0.0.0/4
Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 TOS set 0x10
  513 88920 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
  657 33624 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20 TOS set 0x08
tcp      6 431999 ESTABLISHED src=10.100.1.5 dst=10.100.1.2 sport=39581 dport=22 src=10.100.1.2 dst=10.100.1.5 sport=22 dport=39581 [ASSURED] use=1
[root@fw35 shorewall]#
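The rules file in the post puts 65.199.221.98 in the sixth column; in the Shorewall 1.4 layout the columns are ACTION, SOURCE, DEST, PROTO, DEST PORT, SOURCE PORT, ORIGINAL DEST, so a six-column DNAT line leaves ORIGINAL DEST empty, and the net_dnat chain in the status output above shows the consequence: a DNAT whose destination match is 0.0.0.0/0. The linter below is an added example, not code from the post or from the Shorewall project; it assumes that 1.4 column order and runs over a constructed rules snippet that contains the posted line next to its seven-column form.

```python
"""Lint a Shorewall 1.4 rules file for DNAT rules whose columns are misaligned."""
import re

# Shorewall 1.4 rules-file column order (assumed from the 1.4 layout; later
# versions append further columns, which this linter ignores).
COLUMNS = ["action", "source", "dest", "proto", "dport", "sport", "origdest", "ratelimit"]

# Dotted-quad address, optionally with a /prefix or -range suffix.
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2}|-\d{1,3}(?:\.\d{1,3}){3})?$")
# Port names, numbers, ranges (lo:hi) and comma-separated lists for the port columns.
PORTS_RE = re.compile(r"^[A-Za-z0-9_]+(?::\d+)?(?:,[A-Za-z0-9_]+(?::\d+)?)*$")

# Constructed sample: the six-column DNAT line from the post (the public
# address lands in the SOURCE PORT column) next to the seven-column form.
SAMPLE_RULES = """\
# Accept SSH connections from the local network for administration
ACCEPT          loc             fw              tcp     22
DNAT            net             loc:10.100.201.11       all     -       65.199.221.98
DNAT            net             loc:10.100.201.11       all     -       -       65.199.221.98
ACCEPT          net             loc:10.100.201.11       all
"""


def parse_rules(text):
    """Yield (lineno, rule) for each non-comment line; missing columns become '-'."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        yield lineno, {name: (cols[i] if i < len(cols) else "-")
                       for i, name in enumerate(COLUMNS)}


def lint_rule(rule):
    """Return the findings for one parsed rule (empty list when nothing is wrong)."""
    findings = []
    if rule["action"].upper() != "DNAT":
        return findings
    if ":" not in rule["dest"]:
        findings.append("DNAT DEST should be zone:address, e.g. loc:10.100.201.11")
    sport, origdest = rule["sport"], rule["origdest"]
    if IPV4_RE.match(sport):
        findings.append(
            f"SOURCE PORT column holds an address ({sport}): this looks like a "
            "misplaced ORIGINAL DEST; put '-' in SOURCE PORT and shift the address right")
    elif sport != "-" and not PORTS_RE.match(sport):
        findings.append(f"SOURCE PORT {sport!r} is not a port list")
    if origdest == "-":
        findings.append(
            "ORIGINAL DEST is empty: the generated DNAT carries no destination match "
            "(destination 0.0.0.0/0), so every new connection arriving from the source "
            "zone is rewritten, not only those sent to the public address")
    elif not IPV4_RE.match(origdest):
        findings.append(f"ORIGINAL DEST {origdest!r} is not an IPv4 address or range")
    return findings


def suggested_fix(rule):
    """Rewrite a DNAT rule whose address sits in SOURCE PORT into the seven-column form."""
    if rule["action"].upper() == "DNAT" and IPV4_RE.match(rule["sport"]) and rule["origdest"] == "-":
        fixed = dict(rule, sport="-", origdest=rule["sport"])
        return " ".join(fixed[c] for c in COLUMNS[:7])
    return None


def lint(text):
    """Map line number -> findings for every rule that has at least one."""
    report = {}
    for lineno, rule in parse_rules(text):
        findings = lint_rule(rule)
        if findings:
            report[lineno] = findings
    return report


if __name__ == "__main__":
    for lineno, rule in parse_rules(SAMPLE_RULES):
        for finding in lint_rule(rule):
            print(f"line {lineno}: {finding}")
        fix = suggested_fix(rule)
        if fix:
            print(f"line {lineno}: suggested: {fix}")
```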