Hi! I've been searching the net for information about this topic, but I can't find anything relevant to my problem or I don't understand the answer completely. Please enlighten me... :-)

I'm trying to replace a Cisco PIX firewall with a Linux Shorewall box. Today the users behind the Cisco FW are on a NAT network, and in the same network there are a couple of servers handling mail, web and ftp. Today the Cisco FW is set up using PAT and SNAT (as far as I'm correctly informed), meaning the servers can be reached from the outside using three different public IPs, although their addresses behind the firewall are private ones in the IP range 192.168.x.x. The servers can be reached from the Internet using the addresses below:

194.b.c.101 --> smtp
194.b.c.102 --> http
194.b.c.103 --> ftp

The firewall itself is located on the address 194.b.c.100. Since the Cisco FW only has one interface connected to the Internet, it can somehow manage to answer on all the above mentioned public IP addresses. This is what I have understood is equal with PAT, correct?

When the servers are communicating with something/someone on the Internet they're using the same public IP address as they can be reached with from the Internet. It appears to the machine on the Internet communicating with the servers that it is communicating with one of the above mentioned public IP addresses. This differs from plain NAT where all the machines behind the firewall communicate using only one public IP address. The ability to communicate (outbound communication) using multiple public IP addresses through one interface is equal with SNAT, correct?

My first questions regarding this set-up are:

Is this set-up at all possible to accomplish in Shorewall?
If so, from what version of Shorewall?
If the set-up is possible, in what Shorewall configuration files do I need to do what?
Do I need to do any further configuration apart from Shorewall in order to accomplish the above?

The Cisco FW appears not to be configured using a DMZ since all the users and the servers co-exist on the same interface and NAT network. I would have separated the servers from the users using two internal interfaces on the Shorewall box, and then the use for a NAT network on the DMZ (where the servers reside) would be obsolete. I could use the same public addresses as the PAT and SNAT have to fix in the Cisco FW setup. I would really, really like to know how to set up the above anyway, for future use, so please enlighten me on this subject.

Thanks for any help...

/Jonas
> My first questions regarding this set-up is:
>
> Is this set-up at all possible to accomplish in Shorewall?

Yes.

> If so, from what version of Shorewall?

All supported versions.

> If the set-up is possible in what Shorewall configuration files do I need to
> do what?
> Do I need to do any further configuration apart from Shorewall in order to
> accomplish the above?

See http://www.shorwall.net/shorewall_setup_guide.htm

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
On Fri, 2003-06-20 at 02:23, Jonas Anderson wrote:
>
> The Cisco FW appears not to be configured using a DMZ since all the users
> and the servers co-exist on the same interface and NAT-network. I would have
> separated the servers from the users using two internal interfaces on the
> Shorewall box and then the use for a NAT-network on the DMZ (where the
> servers reside) would be obsolete. I could use the same public addresses as
> the PAT and SNAT have to fix in the Cisco FW setup. I would really really
> like to know how to setup the above anyway, for future use, so please
> enlighten me on this subject.

You can use both Static NAT and SNAT in the same zone as shown in the setup guide that I referred you to earlier. The 'loc' zone in that guide uses that technique as does my own local zone (http://www.shorewall.net/myfiles.htm).

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
On Fri, 2003-06-20 at 07:38, Tom Eastep wrote:
>
> You can use both Static NAT and SNAT in the same zone as shown in the
> setup guide that I referred you to earlier. The 'loc' zone in that guide
> uses that technique as does my own local zone
> (http://www.shorewall.net/myfiles.htm).

Finally -- the mechanism for doing PAT with Shorewall is undocumented. If you have a set of IP addresses that you want to use for PAT, they must be in a contiguous range and are specified in the ADDRESS column of /etc/shorewall/masq as a.b.c.d-w.x.y.z where a.b.c.d is the first address in the range and w.x.y.z is the last. You must set ADD_SNAT_ALIASES=No in shorewall.conf which means that Shorewall will be unable to configure these addresses for you.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
On Fri, 2003-06-20 at 02:23, Jonas Anderson wrote:
>
> The firewall itself is located on the address 194.b.c.100. Since the Cisco
> FW only have one interface connected to the Internet, it can somehow manage
> to answer on all the above mentioned public IP adresses. This is what I have
> understood is equal with PAT, correct?

From the Cisco docs, I understand PAT to be Pooled Address Translation which works somewhat like Netfilter's SNAT when a set of SNAT addresses are configured. With Netfilter, a simple round-robin approach is used to assign external IP addresses to connections. This is the undocumented Shorewall feature that I mentioned in my previous post.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
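Tom's two posts above describe the pieces involved: static NAT entries in /etc/shorewall/nat for the servers, an address pool written as a.b.c.d-w.x.y.z in the ADDRESS column of /etc/shorewall/masq, and ADD_SNAT_ALIASES=No in shorewall.conf, which leaves the pool addresses for the admin to configure. The following is an added example, not code from this thread or from the Shorewall project. It parses constructed sample nat and masq files, checks that the pool is a well-formed contiguous ascending range, and renders the iptables and ip commands those entries imply. Assumptions: the column order (EXTERNAL INTERFACE INTERNAL ALL-INTERFACES LOCAL for nat, INTERFACE SUBNET ADDRESS for masq) is the 1.4-era layout as I recall it; the 203.0.113.0/24 addresses are documentation-range stand-ins for the thread's 194.b.c.x; and the emitted commands are my rendering of what the configuration means, not Shorewall's own generated output.

```python
"""Parse the two Shorewall files the thread names (/etc/shorewall/nat for
static NAT, /etc/shorewall/masq for SNAT) and render the netfilter rules
they imply. Added example; config samples and column layout are assumptions."""
import ipaddress

# Constructed sample files. 203.0.113.0/24 (a documentation range) stands in
# for the thread's 194.b.c.x addresses. Column order assumed from the
# Shorewall 1.4-era file headers.
SAMPLE_NAT = """\
#EXTERNAL       INTERFACE   INTERNAL        ALL INTERFACES  LOCAL
203.0.113.101   eth0        192.168.1.11    no              no
203.0.113.102   eth0        192.168.1.12    no              no
203.0.113.103   eth0        192.168.1.13    no              no
"""

SAMPLE_MASQ = """\
#INTERFACE  SUBNET           ADDRESS
eth0        192.168.1.0/24   203.0.113.104-203.0.113.105
"""


def parse_range(spec):
    """Expand a masq ADDRESS value. A pool is written a.b.c.d-w.x.y.z and must
    be contiguous and ascending; a bare address is a one-entry pool."""
    first, sep, last = spec.partition("-")
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last) if sep else lo
    if hi < lo:
        raise ValueError(f"pool {spec!r}: last address precedes first")
    return [ipaddress.IPv4Address(int(lo) + i) for i in range(int(hi) - int(lo) + 1)]


def pool_is_valid(spec):
    """True when the ADDRESS value parses as a well-formed pool."""
    try:
        parse_range(spec)
    except ValueError:  # AddressValueError is a ValueError subclass
        return False
    return True


def _rows(text):
    """Yield whitespace-split columns of non-comment, non-blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_masq(text):
    """masq rows: INTERFACE SUBNET [ADDRESS]; no ADDRESS means MASQUERADE."""
    entries = []
    for cols in _rows(text):
        pool = parse_range(cols[2]) if len(cols) > 2 else []
        entries.append({"iface": cols[0],
                        "subnet": ipaddress.IPv4Network(cols[1]),
                        "pool": pool})
    return entries


def parse_nat(text):
    """nat rows: EXTERNAL INTERFACE INTERNAL [ALL INTERFACES] [LOCAL]."""
    return [{"external": ipaddress.IPv4Address(c[0]), "iface": c[1],
             "internal": ipaddress.IPv4Address(c[2])} for c in _rows(text)]


def render_rules(nat_entries, masq_entries, add_snat_aliases=False):
    """Return iptables/ip commands equivalent to the parsed entries.

    Static NAT is a DNAT for inbound traffic to the public address plus an
    SNAT for the host's own outbound traffic; these are appended first so a
    server's dedicated address wins over the pool for its connections. Each
    masq row becomes one SNAT whose --to-source is the whole pool range. With
    ADD_SNAT_ALIASES=No the pool addresses are not configured by Shorewall,
    so the `ip addr add` lines the admin must run are emitted alongside."""
    cmds = []
    for n in nat_entries:
        cmds.append(f"iptables -t nat -A PREROUTING -i {n['iface']} -d {n['external']}"
                    f" -j DNAT --to-destination {n['internal']}")
        cmds.append(f"iptables -t nat -A POSTROUTING -o {n['iface']} -s {n['internal']}"
                    f" -j SNAT --to-source {n['external']}")
    for m in masq_entries:
        if not m["pool"]:
            cmds.append(f"iptables -t nat -A POSTROUTING -o {m['iface']} -s {m['subnet']}"
                        " -j MASQUERADE")
            continue
        pool = m["pool"]
        to = f"{pool[0]}-{pool[-1]}" if len(pool) > 1 else str(pool[0])
        cmds.append(f"iptables -t nat -A POSTROUTING -o {m['iface']} -s {m['subnet']}"
                    f" -j SNAT --to-source {to}")
        if not add_snat_aliases:
            cmds.extend(f"ip addr add {a}/32 dev {m['iface']}" for a in pool)
    return cmds


def build_sample(add_snat_aliases=False):
    """Render the constructed sample; add_snat_aliases mirrors shorewall.conf."""
    return render_rules(parse_nat(SAMPLE_NAT), parse_masq(SAMPLE_MASQ), add_snat_aliases)


if __name__ == "__main__":
    print("\n".join(build_sample()))
```

Running the module prints the rule list for the sample: six static-NAT rules for the three servers, one pooled SNAT rule for the rest of 192.168.1.0/24, and the two alias commands that ADD_SNAT_ALIASES=No leaves to the admin. Feeding your own nat and masq text to parse_nat and parse_masq is a quick pre-flight check that a pool range is written the way Tom describes before it goes live.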
hei, man. I was looking for a way of doing Pool NAT with shorewall for the last year and a half - this surely should be documented...

shorewall-users-bounces@lists.shorewall.net wrote on 20/06/2003 11:54:11:

> On Fri, 2003-06-20 at 07:38, Tom Eastep wrote:
> >
> > You can use both Static NAT and SNAT in the same zone as shown in the
> > setup guide that I referred you to earlier. The 'loc' zone in that guide
> > uses that technique as does my own local zone
> > (http://www.shorewall.net/myfiles.htm).
>
> Finally -- the mechanism for doing PAT with Shorewall is undocumented.
> If you have a set of IP addresses that you want to use for PAT, they
> must be in a contiguous range and are specified in the ADDRESS column of
> /etc/shorewall/masq as a.b.c.d-w.x.y.z where a.b.c.d is the first
> address in the range and w.x.y.z is the last. You must set
> ADD_SNAT_ALIASES=No in shorewall.conf which means that Shorewall will be
> unable to configure these addresses for you.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://www.shorewall.net
> Washington USA    \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Fri, 20 Jun 2003, Eduardo Ferreira wrote:

> hei, man. I was looking for a way of doing Pool Nat with shorewall for
> the last year and half - this surely should be documented...

As I mentioned in a later post, what I describe isn't quite like Cisco's PAT as I understand it -- it is rather a mechanism to round-robin the address used for SNAT among a set of addresses. Once all of the addresses are used it starts over again at the beginning.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
yeah, but it should be enough to simulate an n2n NAT for those protocols (PPTP, for instance) that don't know how to separate one session from another when it comes from the same IP. I'll try it...

shorewall-users-bounces@lists.shorewall.net wrote on 20/06/2003 15:20:29:

> On Fri, 20 Jun 2003, Eduardo Ferreira wrote:
>
> > hei, man. I was looking for a way of doing Pool Nat with shorewall for
> > the last year and half - this surely should be documented...
>
> As I mentioned in a later post, what I describe isn't quite like Cisco's
> PAT as I understand it -- is rather a mechanism to round-robin the address
> used for SNAT among a set of addresses. Once all of the addresses are used
> it starts over again at the beginning.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://www.shorewall.net
> Washington USA    \ teastep@shorewall.net