Remote System == DSL == [NET]FW1[LOC] == [NWL]FW2[JVC] == Local System

[NET]FW1: 213.212.33.18/28
FW1[LOC]: 192.168.221.7/24
[NWL]FW2: 192.168.221.205/24
FW2[JVC]: 10.200.47.0/24

Basically, I want to proxyarp an address from the "net" interface on FW1, and forward TCP traffic on two ports to a system in the JVC zone on FW2.

1. Can I use proxyarp for this (213.212.33.25 seems like a good IP), or do I need to use the IP address of the [NET]FW1 interface?
2. Is it as simple as doing a

[FW1]
DNAT net:1.2.3.4/32 loc:192.168.221.205 tcp 5631
DNAT net:1.2.3.4/32 loc:192.168.221.205 udp 5632

[FW2]
DNAT nwl:192.168.221.7 jvc:10.200.47.253 tcp 5631
DNAT nwl:192.168.221.7 jvc:10.200.47.253 udp 5632

Or can I do it with a single command on FW1? Or must I do it some other way?

Basically, I want to run PC-Anywhere from a remote user, and forward that traffic through our network.
Jan,

On Thu, 2003-07-24 at 06:59, Jan Johansson wrote:
> Remote System == DSL == [NET]FW1[LOC] == [NWL]FW2[JVC] == Local System
>
> [NET]FW1: 213.212.33.18/28
> FW1[LOC]: 192.168.221.7/24
> [NWL]FW2: 192.168.221.205/24
> FW2[JVC]: 10.200.47.0/24

Do you masquerade in FW2 or does it simply route? Because you suggest DNAT rules on FW2 below I'll assume masquerading.

> Basically, I want to proxyarp an address from the "net" interface on
> FW1, and forward TCP traffic on two ports to a system in the JVC zone on
> FW2
>
> 1. Can I use proxyarp for this (213.212.33.25 seems like a good IP), or
> do I need to use the IP address of the [NET]FW1 interface?
> 2. Is it as simple as doing a
>
> [FW1]
> DNAT net:1.2.3.4/32 loc:192.168.221.205 tcp 5631
> DNAT net:1.2.3.4/32 loc:192.168.221.205 udp 5632
>
> [FW2]
> DNAT nwl:192.168.221.7 jvc:10.200.47.253 tcp 5631
> DNAT nwl:192.168.221.7 jvc:10.200.47.253 udp 5632
>
> Or can I do it with a single command on FW1?

You can if FW2 is doing straight routing rather than masquerading. But see above.

> Or must I do it some other way?
>
> Basically, I want to run PC-Anywhere from a remote user, and forward
> that traffic through our network.

I would add the address 213.212.33.25 to the FW1 net interface then:

[FW1]
DNAT net:1.2.3.4/32 loc:192.168.221.205 tcp 5631 - 213.212.33.25
DNAT net:1.2.3.4/32 loc:192.168.221.205 udp 5632 - 213.212.33.25

[FW2]
DNAT nwl:1.2.3.4/32 loc:10.200.47.253 tcp 5631
DNAT nwl:1.2.3.4/32 loc:10.200.47.253 udp 5632

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Quoting Tom Eastep <teastep@shorewall.net>:
> Do you masquerade in FW2 or does it simply route? Because you suggest
> DNAT rules on FW2 below I'll assume masquerading.

Just routing. Crap, DNAT is not the correct thing then, I just realized.

> You can if FW2 is doing straight routing rather than masquerading. But
> see above.

> I would add the address 213.212.33.25 to the FW1 net interface then:
>
> [FW1]
> DNAT net:1.2.3.4/32 loc:192.168.221.205 tcp 5631 - 213.212.33.25
> DNAT net:1.2.3.4/32 loc:192.168.221.205 udp 5632 - 213.212.33.25
>
> [FW2]
> DNAT nwl:1.2.3.4/32 loc:10.200.47.253 tcp 5631
> DNAT nwl:1.2.3.4/32 loc:10.200.47.253 udp 5632

I'll give it a spin tomorrow. Thank you.
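The two rule sets above differ in one place that matters: Jan's first FW2 rule keys on FW1's loc address (192.168.221.7) as the source, while Tom's keys on the remote user (1.2.3.4/32), which is the right choice once Jan confirms that the path only routes and so the source address survives the first hop. The following Python packet walk is an added example written for this thread, not Shorewall code: it models just enough of Shorewall's DNAT rule columns (SOURCE, DEST, PROTO, DEST PORT, SOURCE PORT, ORIGINAL DEST) to push a constructed pcAnywhere packet through both firewalls and show which FW2 rule matches with and without masquerading on FW1's loc side. The addresses are the ones from the thread; the destination zone in the FW2 rules is written as jvc (Jan's zone name) rather than Tom's loc, and the hop descriptions and the masquerade option are my construction.

```python
"""Packet walk through the two-hop DNAT setup discussed in this thread.

Added example, not Shorewall's own code.  It models the DNAT rule columns
(ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST) only as far
as needed to show which FW2 rule matches depending on whether the hop in
front of it preserved or rewrote the source address.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    src_zone: str
    src_net: str              # CIDR or single host address
    dst_zone: str
    new_dst: str              # address the destination is rewritten to
    proto: str
    dport: int
    orig_dst: Optional[str]   # ORIGINAL DEST column, None when omitted


def parse_rule(line: str) -> DnatRule:
    """Parse e.g. 'DNAT net:1.2.3.4/32 loc:192.168.221.205 tcp 5631 - 213.212.33.25'."""
    f = line.split()
    if len(f) < 5 or f[0] != "DNAT":
        raise ValueError(f"not a DNAT rule: {line!r}")
    src_zone, src_net = f[1].split(":", 1)
    dst_zone, new_dst = f[2].split(":", 1)
    orig = f[6] if len(f) >= 7 and f[6] != "-" else None   # f[5] is SOURCE PORT
    return DnatRule(src_zone, src_net, dst_zone, new_dst, f[3].lower(), int(f[4]), orig)


@dataclass(frozen=True)
class Hop:
    name: str
    in_zone: str              # zone the packet arrives from
    own_addrs: frozenset      # the firewall's own addresses facing in_zone
    rules: tuple              # DnatRule objects, first match wins
    masq_as: Optional[str]    # source used if this hop masquerades, else None


def matches(rule: DnatRule, pkt: Packet, hop: Hop) -> bool:
    """Modelled semantics: source zone/address, protocol and port must match;
    without ORIGINAL DEST the packet must be addressed to the firewall itself."""
    return (rule.src_zone == hop.in_zone
            and ip_address(pkt.src) in ip_network(rule.src_net, strict=False)
            and rule.proto == pkt.proto
            and rule.dport == pkt.dport
            and (pkt.dst == rule.orig_dst if rule.orig_dst else pkt.dst in hop.own_addrs))


def walk(pkt: Packet, hops) -> list:
    """Apply each hop's first matching DNAT rule, then its masquerade (if any).
    A packet addressed to the firewall that matches no rule stops at that hop.
    Returns [(hop name, packet after the hop, matched rule or None), ...]."""
    trace = []
    for hop in hops:
        hit = next((r for r in hop.rules if matches(r, pkt, hop)), None)
        if hit is not None:
            pkt = replace(pkt, dst=hit.new_dst)
        elif pkt.dst in hop.own_addrs:
            trace.append((hop.name, pkt, None))   # for the firewall, no rule: ends here
            break
        if hop.masq_as:                           # forwarded traffic gets a new source
            pkt = replace(pkt, src=hop.masq_as)
        trace.append((hop.name, pkt, hit))
    return trace


# Rule sets from the thread (FW2 destination zone written as jvc, Jan's zone name).
FW1_RULES = tuple(parse_rule(l) for l in (
    "DNAT net:1.2.3.4/32 loc:192.168.221.205 tcp 5631 - 213.212.33.25",
    "DNAT net:1.2.3.4/32 loc:192.168.221.205 udp 5632 - 213.212.33.25"))
FW2_RULES_TOM = tuple(parse_rule(l) for l in (
    "DNAT nwl:1.2.3.4/32 jvc:10.200.47.253 tcp 5631",
    "DNAT nwl:1.2.3.4/32 jvc:10.200.47.253 udp 5632"))
FW2_RULES_ORIG = tuple(parse_rule(l) for l in (
    "DNAT nwl:192.168.221.7 jvc:10.200.47.253 tcp 5631",
    "DNAT nwl:192.168.221.7 jvc:10.200.47.253 udp 5632"))


def final_destination(fw1_masq: bool, fw2_rules, proto="tcp", dport=5631) -> tuple:
    """Send a constructed packet from the remote user (1.2.3.4) to the aliased
    address 213.212.33.25 through FW1 then FW2.  Returns
    (reached the JVC host?, final source, final destination)."""
    pkt = Packet(src="1.2.3.4", dst="213.212.33.25", proto=proto, dport=dport)
    hops = [
        Hop("FW1", "net", frozenset({"213.212.33.18", "213.212.33.25"}), FW1_RULES,
            "192.168.221.7" if fw1_masq else None),
        Hop("FW2", "nwl", frozenset({"192.168.221.205"}), fw2_rules, None),
    ]
    name, last, rule = walk(pkt, hops)[-1]
    return (name == "FW2" and rule is not None, last.src, last.dst)


if __name__ == "__main__":
    for masq in (False, True):
        for label, rules in (("Tom's FW2 rules", FW2_RULES_TOM), ("Jan's FW2 rules", FW2_RULES_ORIG)):
            print(f"FW1 masquerades={masq!s:5} {label}: {final_destination(masq, rules)}")
```

With routing only (the situation Jan confirms), Tom's FW2 rule delivers the packet to 10.200.47.253 with the remote user's address intact, while Jan's original FW2 rule never matches because nothing on the path rewrote the source to 192.168.221.7. If FW1 did masquerade toward loc, the outcome flips, and the JVC host would then log every remote session as coming from FW1 rather than from the actual user, which is worth knowing when reviewing access logs on that host.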
> I would add the address 213.212.33.25 to the FW1 net interface then:

Confused over one thing: "Add" as in add an eth0:0 and just use ifconfig, or is there some Shorewall way that I am not aware of here?
> I would add the address 213.212.33.25 to the FW1 net interface then:

All tried and working. But of course now they tell me that they need to be able to reach any host in the FW2[JVC] zone. (Well, any of the five hosts that are there.)

So, now I ask you all wise persons. What's my best bet now? A PPTP server on FW2 and forward the ports from FW1? Or can I solve this some other way? (Yes, all connecting systems will be Win2k.)
> I would add the address 213.212.33.25 to the FW1 net interface then:

Tom and others,

Sorry to bother you. But I am a bit confused at this: should I just add an eth0:1 or can I do this in some "Shorewall specific" way?

I tried just doing ifconfig eth1:1 192.168.1.250 on a test system, but no logical interface was set up. (Debian)

Could I proxy ARP 213.212.33.25 and use that interface?

I'm confused.
On Sun, 2003-07-27 at 10:01, j2 wrote:
> > I would add the address 213.212.33.25 to the FW1 net interface then:
>
> Tom and others,
>
> Sorry to bother you. But I am a bit confused at this: should I just add an
> eth0:1 or can I do this in some "Shorewall specific" way?
>
> I tried just doing ifconfig eth1:1 192.168.1.250 on a test system, but no
> logical interface was set up. (Debian)
>
> Could I proxy ARP 213.212.33.25 and use that interface?

Proxy ARP doesn't create an interface!!!

> I'm confused.

Surely Debian provides a way to add additional addresses to an interface. Whatever mechanism is provided is what you should use.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Sun, 2003-07-27 at 10:01, j2 wrote:
> I tried just doing ifconfig eth1:1 192.168.1.250 on a test system, but no
> logical interface was set up. (Debian)

The correct command is:

ifconfig eth1:1 192.168.1.250 up

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
> > I tried just doing ifconfig eth1:1 192.168.1.250 on a test system, but no
> > logical interface was set up. (Debian)
>
> The correct command is:
>
> ifconfig eth1:1 192.168.1.250 up

Actually no difference, because if you leave out the "up" argument, that is the assumed action. It seems Debian/Testing is missing some kernel feature in its stock distribution? Can any Deb-head out there confirm/deny this, or better yet, tell me what I might be lacking?
> ifconfig eth1:1 192.168.1.250 up

Never mind what I said about the command not working. That wasn't a stock kernel; it was all my mistake.

Now, this seems to work quite nicely, but call me stupid here, isn't this the same as connecting two NICs on the same subnet to the same switch? Need I make any other considerations?
On Sun, 27 Jul 2003 23:06:07 +0200, j2 <spamfilter2@mupp.net> wrote:
>> ifconfig eth1:1 192.168.1.250 up
>
> Never mind what I said about the command not working. That wasn't a stock
> kernel, it was all my mistake.
>
> Now, this seems to work quite nicely, but call me stupid here, isn't this
> the same as connecting two NICs on the same subnet to the same switch?

No -- this is two IP addresses with a since MAC address. Two interfaces would be two IP addresses and two MAC addresses.

> Need I make any other considerations?

No.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Sun, 27 Jul 2003 14:09:18 -0700, Tom Eastep <teastep@shorewall.net> wrote:
>
> No -- this is two IP addresses with a since MAC address.

Make that "single MAC address".

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
> ifconfig eth1:1 192.168.1.250 up

Another thing, now that I have

eth0      Link encap:Ethernet  HWaddr 52:54:05:F4:CD:F9
          inet addr:213.212.33.18  Bcast:213.212.33.31  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44588612 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39245373 errors:0 dropped:0 overruns:0 carrier:0
          collisions:11884 txqueuelen:100
          RX bytes:3469818785 (3.2 GiB)  TX bytes:1189693620 (1.1 GiB)
          Interrupt:10 Base address:0xdc00

eth0:1    Link encap:Ethernet  HWaddr 52:54:05:F4:CD:F9
          inet addr:213.212.33.25  Bcast:213.212.33.31  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:10 Base address:0xdc00

and the following in interfaces

net     eth0    detect

Does that mean that eth0:1 is also part of the "net" zone, or should I use eth0+?
On Sunday 27 July 2003 01:09 pm, Tom Eastep wrote:
> No -- this is two IP addresses with a since MAC address.

What's a "since MAC address"??

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
On Sun, 27 Jul 2003 23:12:23 +0200, j2 <spamfilter2@mupp.net> wrote:
> Does that mean that eth0:1 is also part of the "net" zone, or should I use
> eth0+?

Jan -- please read http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
> Jan -- please read
> http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html

Sorry, I had NO clue as to the fact that there was such a document. Thanks Tom.
On Mon, 28 Jul 2003 00:23:23 +0200, Jan Johansson <j2@mupp.net> wrote:
>> Jan -- please read
>> http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html
>
> Sorry, I had NO clue as to the fact that there was such a document.

No need to be sorry -- I just thought it would be more efficient for you to read the doc than to step through the questions that it answers one at a time :-)

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net