Tom,

Red Hat 7.2, iptables 1.2.7a, iproute2 2.4.7.

I cannot figure out what I am screwing up, but after upgrading to
1.4.4 {from 1.3x} I cannot get any of my aliases working. I have tried
a variety of rules, and read a lot of the mailing list. I just need
help.

Provider1:
x.x.x.83 = eth1
x.x.x.86 = eth1:0

Provider2:
x.x.x.226 = eth2
x.x.x.227 = eth2:0

I need to redirect port 80, and port 3389 on x.x.x.227, and x.x.x.83 to
10.1.1.252, and 10.1.1.242 respectively.

10.1.1.252 <-> x.x.x.227
10.1.1.242 <-> x.x.x.86

I have tried this w/ and w/o using static NAT. I have the interfaces
defined via the Red Hat network config tool. [So the aliases are managed
by the system.]

I continually see traffic to the aliases dropped by the verizon2all, or
the xocomm2all policy.

Any tips, or need more info?

js

ACCEPT loc fw tcp 80,10000,8081
ACCEPT loc fw udp 69
# Accept DNS connections from the firewall to the network
#
# Verizon Rules
#
ACCEPT fw verizon tcp 53
ACCEPT fw verizon udp 53
ACCEPT verizon fw tcp http
ACCEPT fw verizon tcp http
DNAT verizon loc:10.1.1.242 tcp http - x.x.x.86
DNAT verizon loc:10.1.1.242 tcp 3389 - x.x.x.86
DNAT verizon loc:10.1.1.254 tcp smtp - x.x.x.83
DNAT verizon loc:10.1.1.254 tcp pop3 - x.x.x.83
DNAT verizon loc:10.1.1.254 tcp imap - x.x.x.83
ACCEPT verizon fw:x.x.x.83 tcp https,http,smtp,pop3,imap
ACCEPT verizon fw:x.x.x.83 udp https,http,smtp,pop3,imap
# XO Communications Line Rules
#
ACCEPT fw xocomm tcp 53
ACCEPT fw xocomm udp 53
ACCEPT xocomm fw tcp http
ACCEPT fw xocomm tcp http
ACCEPT xocomm loc tcp http,3389
DNAT xocomm loc:10.1.1.252 tcp http,3389 - 65.104.34.227
DNAT xocomm loc:10.1.1.254 tcp smtp,pop3,imap - 65.104.34.226
ACCEPT xocomm fw:65.104.34.226 tcp https,http,smtp,pop3,imap
ACCEPT xocomm fw:65.104.34.226 udp https,http,smtp,pop3,imap
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT verizon fw icmp 8
ACCEPT xocomm fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw verizon icmp 8
ACCEPT fw xocomm icmp 8
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
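
An added example, not part of the original post and not Shorewall's own code: a small Python parser that lists which external address and port each DNAT rule forwards to which internal host, and flags ACCEPT-to-firewall entries for ports that a DNAT rule on the same address already forwards away. The column order and the sample rules (adapted from the post, using its x.x.x notation) are assumptions.

```python
# Added example; sample is constructed from the post's rules. Assumed columns:
#   ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST
SAMPLE_RULES = """\
DNAT verizon loc:10.1.1.242 tcp http - x.x.x.86
DNAT verizon loc:10.1.1.242 tcp 3389 - x.x.x.86
DNAT verizon loc:10.1.1.254 tcp smtp - x.x.x.83
ACCEPT verizon fw:x.x.x.83 tcp https,http,smtp,pop3,imap
DNAT xocomm loc:10.1.1.252 tcp http,3389 - x.x.x.227
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""
COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")

def parse_rules(text):
    """Return one dict per rule, skipping blank lines and comments."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            # Omitted trailing columns mean "any"; pad them with "-".
            fields += ["-"] * (len(COLUMNS) - len(fields))
            rules.append(dict(zip(COLUMNS, fields)))
    return rules

def dnat_forwards(rules):
    """Return (zone, original_dest, proto, port, internal_host) per forwarded port."""
    out = []
    for r in rules:
        if r["action"] == "DNAT":
            host = r["dest"].split(":", 1)[-1]
            for port in r["dport"].split(","):
                out.append((r["source"], r["origdest"], r["proto"], port, host))
    return out

def shadowed_accepts(rules):
    """ACCEPT zone->fw:addr ports that are also DNATed on that address.
    NAT rewrites the destination before filtering, so these never match."""
    fwd = {f[:4] for f in dnat_forwards(rules)}
    hits = []
    for r in rules:
        if r["action"] == "ACCEPT" and r["dest"].startswith("fw:"):
            addr = r["dest"].split(":", 1)[1]
            for port in r["dport"].split(","):
                if (r["source"], addr, r["proto"], port) in fwd:
                    hits.append((r["source"], addr, r["proto"], port))
    return hits

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print(dnat_forwards(parsed), shadowed_accepts(parsed), sep="\n")
```

The forward list doubles as an exposure inventory: every tuple is a service on an internal host reachable from the named external zone.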