Jason L. Buberel
2003-Oct-17 14:57 UTC
[Shorewall-users] Question on sNAT for multiple external subnets
I'm wondering if the following is possible under recent versions of shorewall:

1. We have several class-C networks from both UUNet and Internap, both of which are actually routed over a single inbound ethernet line from UUNet at our colocation facility: 204.176.148.0/23 and 216.52.83.0/24. This gives us a total of 3 class-C subnets. All packets for these three subnets would land on the 'eth0' interface of our shorewall host.

     -----------------
     | UUNet Switch  |
     -----------------
             | 204.176.76.222/30
             |
             | eth0:204.176.76.221/30
     ------------------
     | shorewall host |
     ------------------
             | eth1:192.168.0.1/16
             |
             | private network
     ------------------------------
         |          |          |
     ---------  ---------  ---------
     | host1 |  | host2 |  | host3 |
     ---------  ---------  ---------

2. What I would like to do, but am not sure if it is possible, is to have shorewall do static NAT (or possibly proxy-ARP) for IPs in all three of our public Class-C networks, mapping them to host addresses in the 192.168.0.0/16 network. I imagine my 'nat' file looking something like this:

     #EXTERNAL        INTERFACE   INTERNAL        ALL INTERFACES   LOCAL
     204.176.148.5    eth0:0      192.168.10.11   no               no
     204.176.149.12   eth0:1      192.168.11.12   no               no
     216.52.83.45     eth0:2      192.168.12.13   no               no

Will this 'just work'? Or are there other settings that I would need to add to my 'interfaces' file to indicate that it will be receiving traffic for all three Class-C networks, in addition to the 204.176.76.222/30 network that is its primary address?

Thanks for any pointers.

-jason
Tom Eastep
2003-Oct-17 15:04 UTC
[Shorewall-users] Question on sNAT for multiple external subnets
On Fri, 2003-10-17 at 14:57, Jason L. Buberel wrote:
> I'm wondering if the following is possible under recent versions of
> shorewall:
>
> 1. We have several class-C networks from both UUNet and Internap, both of
> which are actually routed over a single inbound ethernet line from UUNet
> at our colocation facility: 204.176.148.0/23 and 216.52.83.0/24. This
> gives us a total of 3 class-C subnets. All packets for these three subnets
> would land on the 'eth0' interface of our shorewall host.

Are they all routed through 204.176.76.221?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Jason L. Buberel
2003-Oct-17 15:12 UTC
[Shorewall-users] Question on sNAT for multiple external subnets
Tom-

Yes. UUNet routes all three of those subnets (including the class-C owned by internap) to 204.176.76.221. That's what I meant when I said that all packets for those three subnets will land on 'eth0' of the shorewall host. Sorry if that wasn't the best way to state things.

-jason

On Fri, 17 Oct 2003 15:04:21 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> On Fri, 2003-10-17 at 14:57, Jason L. Buberel wrote:
>> I'm wondering if the following is possible under recent versions of
>> shorewall:
>>
>> 1. We have several class-C networks from both UUNet and Internap, both
>> of which are actually routed over a single inbound ethernet line from
>> UUNet at our colocation facility: 204.176.148.0/23 and 216.52.83.0/24.
>> This gives us a total of 3 class-C subnets. All packets for these three
>> subnets would land on the 'eth0' interface of our shorewall host.
>
> Are they all routed through 204.176.76.221?
>
> -Tom
Tom Eastep
2003-Oct-17 15:22 UTC
[Shorewall-users] Question on sNAT for multiple external subnets
On Fri, 2003-10-17 at 15:12, Jason L. Buberel wrote:
> Tom-
>
> Yes. UUNet routes all three of those subnets (including the class-C
> owned by internap) to 204.176.76.221. That's what I meant when I said that
> all packets for those three subnets will land on 'eth0' of the shorewall
> host. Sorry if that wasn't the best way to state things.

Ok. What you propose then will "just work" but I sure wouldn't do it that way. There is a NETMAP target in Patch-O-Matic that I would use instead. NETMAP allows you to map each class C into a corresponding class C in the RFC1918 range *with a single rule*. That way, you end up with 6 NETMAP rules (three in and three out) rather than 384k rules (3 class C networks).

I understand that NETMAP has been released for inclusion into the standard kernels. When it appears in a 2.4.*-pre version (and when I have the time), I'll add Shorewall support for it.

Until then, it would be easy to add the appropriate iptables commands in /etc/shorewall/start.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
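What the "three in and three out" NETMAP rules in /etc/shorewall/start would look like, as an added example written for this thread (it is not code from the list or from Shorewall itself). The public prefixes are the ones from the thread; the private /24s (192.168.10.0/24 through 192.168.12.0/24), the EXT_IF variable and the dry-run/apply switch are assumptions made for the example:

```shell
#!/bin/sh
# Added example for this thread; not code from the list or from Shorewall.
# Maps each public /24 onto an RFC1918 /24 with the iptables NETMAP target,
# the "three in and three out" rules Tom suggests putting in
# /etc/shorewall/start. The public prefixes are the ones from the thread;
# the private prefixes (192.168.10-12.0/24) and EXT_IF are assumptions.
#
# With no arguments the rules are only printed (dry run). On the firewall:
#   sh netmap-start.sh apply

EXT_IF="${EXT_IF:-eth0}"
IPTABLES="${IPTABLES:-echo iptables}"   # dry run unless "apply" is given

# prefix_len 204.176.148.0/24 -> 24 (empty if there is no "/").
prefix_len() {
  case "$1" in
    */*) printf '%s\n' "${1#*/}" ;;
    *)   printf '\n' ;;
  esac
}

# NETMAP only rewrites the network part and keeps the host bits, so both
# sides of a pair must be CIDR blocks of the same prefix length.
check_pair() {
  pl1="$(prefix_len "$1")"; pl2="$(prefix_len "$2")"
  if [ -z "$pl1" ] || [ -z "$pl2" ]; then
    echo "netmap: both networks must be written as CIDR: $1 $2" >&2
    return 1
  fi
  if [ "$pl1" != "$pl2" ]; then
    echo "netmap: prefix length mismatch: $1 vs $2" >&2
    return 1
  fi
}

# netmap_pair PUBLIC_NET PRIVATE_NET
# Inbound: packets arriving on EXT_IF for the public block get their
# destination rewritten to the private block before routing (PREROUTING).
# Outbound: traffic leaving EXT_IF from the private block gets its source
# rewritten back to the public block (POSTROUTING).
netmap_pair() {
  check_pair "$1" "$2" || return 1
  $IPTABLES -t nat -A PREROUTING  -i "$EXT_IF" -d "$1" -j NETMAP --to "$2"
  $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$2" -j NETMAP --to "$1"
}

if [ "${1:-}" = "apply" ]; then
  IPTABLES="iptables"
fi

# 204.176.148.0/23 is two class Cs; each gets its own pair so the private
# side can stay a /24 (the whole /23 could equally map to 192.168.10.0/23).
netmap_pair 204.176.148.0/24 192.168.10.0/24
netmap_pair 204.176.149.0/24 192.168.11.0/24
netmap_pair 216.52.83.0/24   192.168.12.0/24
```

Two things to keep in mind with this approach. NETMAP keeps the host bits, so 204.176.148.5 becomes 192.168.10.5; the arbitrary per-host pairings in the nat file above (204.176.148.5 to 192.168.10.11, for instance) cannot be expressed with NETMAP, and the internal hosts have to be numbered to match. The NETMAP rules only translate addresses; whether a translated packet is then allowed through is still decided by the Shorewall policy and rules for the net and loc zones, exactly as with entries in the nat file.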
Jason L. Buberel
2003-Oct-17 15:32 UTC
[Shorewall-users] Question on sNAT for multiple external subnets
It is probably worth noting that we are not using all 65,000 host addresses on our 192.168.0.0/16 network, nor are we using all 764 addresses on our 3 Class-C networks. In fact, we plan at some point to give back the Internap Class C.

Thanks for your help. My biggest concern was about having to do special configuration on the 'eth0' entry in the 'interfaces' file to make this work (listing netmasks for the other subnets, for example), and that does not appear to be necessary.

Thanks also for the work you put into Shorewall. I did look for a PayPal donation link on shorewall.net before I sent my initial email :)

-jason

On Fri, 17 Oct 2003 15:22:31 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> On Fri, 2003-10-17 at 15:12, Jason L. Buberel wrote:
>> Tom-
>>
>> Yes. UUNet routes all three of those subnets (including the class-C
>> owned by internap) to 204.176.76.221. That's what I meant when I said
>> that all packets for those three subnets will land on 'eth0' of the
>> shorewall host. Sorry if that wasn't the best way to state things.
>
> Ok. What you propose then will "just work" but I sure wouldn't do it
> that way. There is a NETMAP target in Patch-O-Matic that I would use
> instead. NETMAP allows you to map each class C into a corresponding
> class C in the RFC1918 range *with a single rule*. That way, you end up
> with 6 NETMAP rules (three in and three out) rather than 384k rules (3
> class C networks).
>
> I understand that NETMAP has been released for inclusion into the
> standard kernels. When it appears in a 2.4.*-pre version (and when I
> have the time), I'll add Shorewall support for it.
>
> Until then, it would be easy to add the appropriate iptables commands in
> /etc/shorewall/start.
>
> -Tom
Tom Eastep
2003-Oct-17 15:44 UTC
[Shorewall-users] Question on sNAT for multiple external subnets
On Fri, 2003-10-17 at 15:29, Jason L. Buberel wrote:
>
> Thanks for your help. My biggest concern was about having to do special
> configuration on the 'eth0' entry in the 'interfaces' file to make this
> work (listing netmasks for the other subnets, for example), and that does
> not appear to be necessary.

Just be sure that you have ADD_IP_ALIASES=No in shorewall.conf.

>
> Thanks also for the work you put into Shorewall. I did look for a PayPal
> donation link on shorewall.net before I sent my initial email :)

There's a Donation link on the Shorewall home page if you would like to donate to my charity of choice.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net