My Configuration.....

        ------------
        |ISP Router|
        ------------
             |
        -----------
        |DSL Modem|
        -----------
             |
      ---------------
      |Firewall eth0|
      |             |
      |Firewall eth1|
      ---------------
             |
       --------------
       |   Switch   |
       --------------
          |      |
     +------+  +-------+
     |                 |
------------     ------------
|Computer-1|     |computer-2|   ......more computers....
------------     ------------
   Linux           Windows

I have 13 usable static IPs assigned to me by my ISP and I am trying to map computers inside to the IPs outside.

I have followed the two interface quick setup modified to use static NAT instead of MASQ. The first computer is able to do as I expect it to do, but the second computer I was trying to set up doesn't work as it is supposed to. It can get e-mail, DNS resolution, web pages, ftp connection, ssh connection from eth1. It can also ping any inside computer, eth1, eth0; but if I try to ping any outside address other than eth0 (including the ISP router) or try any other type of outside access (ICQ, Web, FTP, SSH, DNS, IRC, etc) it is unable to make any kind of connection. Ping gets "Request timed out."

Below is the information that the web site says to post, as well as an attachment that has the config files I modified and the status output.

CuZnDragon
Robin Cook

Shorewall version 1.4.4b
Linux phlare.wyrms.net 2.4.20 #1 Wed May 21 13:36:20 CDT 2003 i686 unknown
Linux phlare.wyrms.net 2.4.21-rc7-ac1 #1 Fri Jun 6 18:36:24 CDT 2003 i686 unknown

netfilter modules /lib/modules/2.4.21-rc7-ac1/kernel/net/ip4/netfilter
arptable_filter.o    ip_nat_amanda.o     iptable_mangle.o  ipt_ecn.o     ipt_mac.o         ipt_pkttype.o  ipt_TOS.o
arp_tables.o         ip_nat_ftp.o        iptable_nat.o     ipt_ECN.o     ipt_mark.o        ipt_REDIRECT.o ipt_ttl.o
ip_conntrack_amanda.o ip_nat_irc.o       ip_tables.o       ipt_esp.o     ipt_MARK.o        ipt_REJECT.o   ipt_ULOG.o
ip_conntrack_ftp.o   ip_nat_snmp_basic.o ipt_ah.o          ipt_helper.o  ipt_MASQUERADE.o  ipt_state.o    ipt_unclean.o
ip_conntrack_irc.o   ip_nat_tftp.o       ipt_conntrack.o   ipt_length.o  ipt_MIRROR.o      ipt_tcpmss.o
ip_conntrack.o       ip_queue.o          ipt_dscp.o        ipt_limit.o   ipt_multiport.o   ipt_TCPMSS.o
ip_conntrack_tftp.o  iptable_filter.o    ipt_DSCP.o        ipt_LOG.o     ipt_owner.o       ipt_tos.o

root@phlare:~# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:04:05:85:37 brd ff:ff:ff:ff:ff:ff
    inet 66.140.245.109/28 brd 66.140.245.111 scope global eth0
    inet 66.140.245.97/28 brd 66.140.245.111 scope global secondary eth0
    inet 66.140.245.98/28 brd 66.140.245.111 scope global secondary eth0
    inet 66.140.245.99/28 brd 66.140.245.111 scope global secondary eth0
    inet 66.140.245.100/28 brd 66.140.245.111 scope global secondary eth0
    inet 66.140.245.101/28 brd 66.140.245.111 scope global secondary eth0
    inet 66.140.245.102/28 brd 66.140.245.111 scope global secondary eth0
    inet 66.140.245.103/28 brd 66.140.245.111 scope global secondary eth0
    inet 66.140.245.104/28 brd 66.140.245.111 scope global secondary eth0
    inet 66.140.245.105/28 brd 66.140.245.111 scope global secondary eth0
    inet 66.140.245.106/28 brd 66.140.245.111 scope global secondary eth0
    inet 66.140.245.107/28 brd 66.140.245.111 scope global secondary eth0
    inet 66.140.245.108/28 brd 66.140.245.111 scope global secondary eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:04:04:cf:f5 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.254/24 brd 10.1.1.255 scope global eth1

root@phlare:~# ip route show
66.140.245.96/28 dev eth0  proto kernel  scope link  src 66.140.245.109
10.1.1.0/24 dev eth1  proto kernel  scope link  src 10.1.1.254
default via 66.140.245.110 dev eth0

root@phlare:~# lsmod
Module                  Size  Used by    Not tainted
ipt_TOS                 1080  12 (autoclean)
ipt_LOG                 3416   7 (autoclean)
ipt_REJECT              3256   4 (autoclean)
ipt_state                568  43 (autoclean)
iptable_mangle          2168   1 (autoclean)
ip_nat_irc              2832   0 (unused)
ip_nat_ftp              3824   0 (unused)
iptable_nat            23576   3 [ip_nat_irc ip_nat_ftp]
ip_conntrack_irc        3216   1 [ip_nat_irc]
ip_conntrack_ftp        4400   1 [ip_nat_ftp]
ip_conntrack           29160   4 [ipt_state ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
iptable_filter          1740   1 (autoclean)
ip_tables              14648   9 [ipt_TOS ipt_LOG ipt_REJECT ipt_state iptable_mangle iptable_nat iptable_filter]

-------------- next part --------------
A non-text attachment was scrubbed...
Name: conf-stat.tar.bz2
Type: application/x-bzip
Size: 13451 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030607/04f3d140/conf-stat.tar.bin
On 06 Jun 2003 22:49:06 -0500, Robin Cook <rcook@wyrms.net> wrote:

> I have 13 usable static IPs assigned to me by my ISP and I am trying to
> map computers inside to the IPs outside.
>
> I have followed the two interface quick setup modified to use static NAT
> instead of MASQ.

Please tell me how I can make the documentation clearer. From the QuickStart Guide page (http://www.shorewall.net/shorewall_quickstart_guide.htm):

"The following guides are for users who have a single public IP address:
...
Two-interface Linux System acting as a firewall/router for a small local network (Version Française) [ Linked to the two-interface QuickStart Guide]
...
The Shorewall Setup Guide (See Index Below) outlines the steps necessary to set up a firewall where there are multiple public IP addresses involved or if you want to learn more about Shorewall than is explained in the single-address guides above."

Given the above, why is it that people still continue to read and follow the two-interface guide even when they have more than a dozen public IP addresses?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On 07 Jun 2003 07:45:31 -0500, Robin Cook <rcook@wyrms.net> wrote:

> I think you need to modify that section about arping and place it so it
> does not seem to be a direct reference to proxy arp. Maybe note it as a
> warning for all moving machines from in front of the firewall to behind
> it and using the multiple IPs on the firewall.
>
> ==== From Setup Guide and Proxy ARP Documents ======================
> A word of warning is in order here. ISPs typically configure their
> routers with a long ARP cache timeout. If you move a system from
> parallel to your firewall to behind your firewall with Proxy ARP, it
> will probably be HOURS before that system can communicate with the
> internet. There are a couple of things that you can try:
> ====================================================================

Good idea.

> Once I realized that that section also applied to the static NAT and did
> it I was able to get the other machine out on the net.

Glad to hear that you got it working.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
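The failure mode in this thread is a static NAT mapping that looks right in the nat file but whose EXTERNAL address is either not actually owned by the firewall or is still cached by the ISP router against another MAC. The script below is an added example, not code from the thread, from Robin's attachment or from Shorewall itself. It parses `ip addr show` and `ip route show` output (constructed samples modelled on the output Robin posted, with only a few of the thirteen secondary addresses) together with a constructed Shorewall-style nat file (EXTERNAL, INTERFACE, INTERNAL, ALL_INTERFACES, LOCAL columns), and reports the mistakes a practitioner should rule out before suspecting ARP caching: an EXTERNAL address not added to eth0, an EXTERNAL address that is the subnet's network, broadcast, gateway or the firewall's own primary address, a duplicate mapping, and an INTERNAL address that is not behind any other interface. It also emits the unsolicited-ARP refresh lines for the step the quoted Setup Guide warning refers to; the `arping -U -I <if> -s <ip> <gateway>` form assumes the iputils `arping`, which is an assumption, not something the thread states.

```python
"""Cross-check a Shorewall-style static NAT mapping against the firewall's
address and route state. Added example; all sample data is constructed."""
import ipaddress
import re

# Constructed sample, modelled on the `ip addr show` output in the thread.
IP_ADDR_SHOW = """\
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:04:05:85:37 brd ff:ff:ff:ff:ff:ff
    inet 66.140.245.109/28 brd 66.140.245.111 scope global eth0
    inet 66.140.245.97/28 brd 66.140.245.111 scope global secondary eth0
    inet 66.140.245.98/28 brd 66.140.245.111 scope global secondary eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:04:04:cf:f5 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.254/24 brd 10.1.1.255 scope global eth1
"""

# Constructed sample, modelled on the `ip route show` output in the thread.
IP_ROUTE_SHOW = """\
66.140.245.96/28 dev eth0 proto kernel scope link src 66.140.245.109
10.1.1.0/24 dev eth1 proto kernel scope link src 10.1.1.254
default via 66.140.245.110 dev eth0
"""

# Constructed nat file; the last four lines are deliberate mistakes.
NAT_FILE = """\
#EXTERNAL       INTERFACE  INTERNAL     ALL_INTERFACES  LOCAL
66.140.245.97   eth0       10.1.1.1     No              No
66.140.245.98   eth0       10.1.1.2     No              No
66.140.245.99   eth0       10.1.1.3     No              No   # not added to eth0 yet
66.140.245.109  eth0       10.1.1.4     No              No   # firewall's primary address
66.140.245.110  eth0       10.1.1.5     No              No   # the ISP gateway
66.140.245.97   eth0       192.168.0.5  No              No   # duplicate, host not behind eth1
"""

IFACE_RE = re.compile(r"^\d+: (\S+):")
ADDR_RE = re.compile(r"^\s+inet (\S+) brd \S+ scope global( secondary)? \S+$")


def parse_ip_addr(text):
    """Return {iface: [(IPv4Interface, is_secondary), ...]} from `ip addr show`."""
    addrs, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            addrs.setdefault(iface, [])
            continue
        m = ADDR_RE.match(line)
        if m and iface is not None:
            addrs[iface].append((ipaddress.ip_interface(m.group(1)), m.group(2) is not None))
    return addrs


def parse_default_gateway(text):
    """Return (gateway address, interface) from the default route, or (None, None)."""
    for line in text.splitlines():
        m = re.match(r"^default via (\S+) dev (\S+)", line)
        if m:
            return ipaddress.ip_address(m.group(1)), m.group(2)
    return None, None


def parse_nat(text):
    """Parse nat-file lines into (external, interface, internal); '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed nat line: {line!r}")
        rules.append((ipaddress.ip_address(fields[0]), fields[1], ipaddress.ip_address(fields[2])))
    return rules


def check_nat(addrs, gateway, rules):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings, seen = [], set()
    for ext, iface, internal in rules:
        if ext in seen:
            findings.append(f"{ext}: mapped more than once")
        seen.add(ext)
        if not addrs.get(iface):
            findings.append(f"{ext}: interface {iface} has no address on the firewall")
            continue
        net = addrs[iface][0][0].network
        configured = {a.ip: secondary for a, secondary in addrs[iface]}
        # The kernel only answers ARP for addresses it owns, so every EXTERNAL
        # address must be configured on the interface for static NAT to work.
        if ext not in net:
            findings.append(f"{ext}: outside {iface}'s subnet {net}")
        elif ext in (net.network_address, net.broadcast_address):
            findings.append(f"{ext}: network/broadcast address of {net}, cannot be mapped")
        elif ext == gateway:
            findings.append(f"{ext}: is the default gateway, cannot be mapped")
        elif ext not in configured:
            findings.append(f"{ext}: not configured on {iface} (ip addr add {ext}/{net.prefixlen} dev {iface})")
        elif not configured[ext]:
            findings.append(f"{ext}: is {iface}'s primary address; mapping it breaks the firewall's own traffic")
        if not any(internal in a.network for i, lst in addrs.items() if i != iface for a, _ in lst):
            findings.append(f"{internal}: not reachable via any interface other than {iface}")
    return findings


def arp_refresh_commands(rules, gateway):
    """Unsolicited-ARP lines to refresh the ISP router's cache for each EXTERNAL
    address (assumes iputils arping; its -U/-I/-s flags are an assumption here)."""
    return sorted({f"arping -U -I {iface} -s {ext} {gateway}" for ext, iface, _ in rules})


if __name__ == "__main__":
    addrs = parse_ip_addr(IP_ADDR_SHOW)
    gateway, _ = parse_default_gateway(IP_ROUTE_SHOW)
    rules = parse_nat(NAT_FILE)
    for finding in check_nat(addrs, gateway, rules) or ["nat file is consistent"]:
        print(finding)
    print("\n".join(arp_refresh_commands(rules, gateway)))
```

Run against a real box, the three constants would be replaced by the output of `ip addr show`, `ip route show` and the contents of `/etc/shorewall/nat`; the checks do not need root and change nothing, so they are safe to run before `shorewall restart`.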
> From: Tom Eastep
> Sent: Friday, June 06, 2003 9:03 PM

<snip>

> Please tell me how I can make the documentation clearer. From the
> QuickStart Guide page
> (http://www.shorewall.net/shorewall_quickstart_guide.htm):

<snip>

> Given the above, why is it that people still continue to read
> and follow the two-interface guide even when they have more
> than a dozen public IP addresses?

I can only hazard a guess - in the docs I've written, I've noticed many people only read as far as they think they need to in order to answer their question (i.e. they 'skim').

So people are reading as far as: "Two-interface Linux System acting as a firewall/router for a small local network" ...think 'ok, I have two interfaces, that must be the one I need' and don't read any further.

So I've found it helps to keep that in mind - and break up the information, so it appears there's less that needs to be absorbed.

I would be happy to help with a little restructuring, if you'd like. Who knows if it'd be any clearer, but I'm willing to try. The least I can do to repay you for the time Shorewall has saved me...

Paul
Maybe someone could write up documentation for a two interface system with multiple public IP addresses. I have run into a few people with such a need. It would be great to point them directly to such an example.

Thanks,
--
Steve Herber    herber@thing.com    work: 206-221-7262
Security Engineer, UW Medicine, IT Services    home: 425-454-2399

On Fri, 6 Jun 2003, Tom Eastep wrote:

> On 06 Jun 2003 22:49:06 -0500, Robin Cook <rcook@wyrms.net> wrote:
>
> > I have 13 usable static IPs assigned to me by my ISP and I am trying to
> > map computers inside to the IPs outside.
> >
> > I have followed the two interface quick setup modified to use static NAT
> > instead of MASQ.
>
> Please tell me how I can make the documentation clearer. From the
> QuickStart Guide page
> (http://www.shorewall.net/shorewall_quickstart_guide.htm):
>
> "The following guides are for users who have a single public IP address:
> ...
> Two-interface Linux System acting as a firewall/router for a small local
> network (Version Française) [ Linked to the two-interface QuickStart Guide]
> ...
> The Shorewall Setup Guide (See Index Below) outlines the steps necessary to
> set up a firewall where there are multiple public IP addresses involved or
> if you want to learn more about Shorewall than is explained in the single-
> address guides above."
>
> Given the above, why is it that people still continue to read and follow
> the two-interface guide even when they have more than a dozen public IP
> addresses?
>
> -Tom
On Sat, 7 Jun 2003 11:27:57 -0700 (PDT), Steve Herber <herber@thing.com> wrote:

> Maybe someone could write up documentation for a two interface system
> with multiple public IP addresses. I have run into a few people with
> such a need. It would be great to point them directly to such an example.

I wonder if carpenters have a separate handbook for building two-bedroom versus three-bedroom houses -- somehow I doubt it.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
We are not carpenters, but more like architects, and architects have lots of plans on file for a wide range of structures, some with two rooms, others with three rooms. I think most professions have cookie cutter plans for their most common configurations. After looking at common configurations you can pick the plan that most closely matches your needs. Then you start customizing.

The current examples, which are great, do not cover the multiple IP address case. I would like to see at least two more examples covering the multiple static IP case, one using NAT and the other using Proxy ARP.

I wonder if other Shorewall users have some examples that they could contribute?

--
Steve Herber    herber@thing.com    work: 206-221-7262
Security Engineer, UW Medicine, IT Services    home: 425-454-2399

On Sun, 8 Jun 2003, Tom Eastep wrote:

> On Sat, 7 Jun 2003 11:27:57 -0700 (PDT), Steve Herber <herber@thing.com>
> wrote:
>
> > Maybe someone could write up documentation for a two interface system
> > with multiple public IP addresses. I have run into a few people with
> > such a need. It would be great to point them directly to such an example.
>
> I wonder if carpenters have a separate handbook for building two-bedroom
> versus three-bedroom houses -- somehow I doubt it.
>
> -Tom
On Sun, 8 Jun 2003 22:34:27 -0700 (PDT), Steve Herber <herber@thing.com> wrote:

> We are not carpenters, but more like architects and architects have lots
> of plans on file for a wide range of structures, some with two room
> others with three rooms. I think most professions have cookie cutter
> plans for their most common configurations. After looking at common
> configurations you can pick the plan that most closely matches your
> needs. Then you start customizing.
>
> The current examples, which are great, do not cover the multiple IP
> address case. I would like to see at least two more examples covering
> the multiple static IP case, one using NAT and the other using Proxy ARP.
>
> I wonder if other Shorewall users have some examples that they could
> contribute?

I think we are talking about different things here. I'm talking about the setup guide which I assert contains all of the information needed to set up a two-interface firewall with multiple public IPs. It uses a three-interface setup as an example because I believe that configuration is more common and contains the two-interface case as a proper subset. If someone wants to take that document and hack it to be two-interface specific, that's fine.

You seem to be talking about sample configurations complete with QuickStart Guides to match. Such samples/guides require ongoing maintenance with every Shorewall release so it's not just a case of capturing some user's contribution and publishing it.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Monday 09 June 2003 16:01, Tom Eastep wrote:

> On Sun, 8 Jun 2003 22:34:27 -0700 (PDT), Steve Herber <herber@thing.com>
> wrote:
> > We are not carpenters, but more like architects and architects have lots
> > of plans on file for a wide range of structures, some with two room
> > others with three rooms. I think most professions have cookie cutter
> > plans for their most common configurations. After looking at common
> > configurations you can pick the plan that most closely matches your
> > needs. Then you start customizing.
> >
> > The current examples, which are great, do not cover the multiple IP
> > address case. I would like to see at least two more examples covering
> > the multiple static IP case, one using NAT and the other using Proxy ARP.
> >
> > I wonder if other Shorewall users have some examples that they could
> > contribute?
>
> I think we are talking about different things here. I'm talking about the
> setup guide which I assert contains all of the information needed to set up
> a two-interface firewall with multiple public IPs. It uses a three-
> interface setup as an example because I believe that configuration is more
> common and contains the two-interface case as a proper subset. If someone
> wants to take that document and hack it to be two-interface specific,
> that's fine.
>
> You seem to be talking about sample configurations complete with QuickStart
> Guides to match. Such samples/guides require ongoing maintenance with every
> Shorewall release so it's not just a case of capturing some user's
> contribution and publishing it.

Maybe there is someone willing to take the time and do that, maybe someone who has set this up. :-)

I personally do not have problems with setting a firewall up with the configuration guides and the A&Q. :-) They are quickly adaptive I find to most setups required. :-)

Ian

> -Tom

--
A child of five would understand this.
Send someone to fetch a child of five.
Groucho Marx

PGP ID: 589F8449
Fingerprint: EB1C FACF 6BEB 540E 8AC0 F04E 2A25 A2F1 589F 8449