Alan D. Snyder
2003-Oct-21 12:33 UTC
[Shorewall-users] Problem with 2 entries in 'nat' table
Hello and thanks in advance for your help ...

Have installed Shorewall and it performs well in all respects but one:

When there are two entries in the 'nat' file, only the entry whose host address part is lowest receives traffic.

It seems all nat, filter and mangle chains are reasonable.

After Shorewall is started, 'ip addr' shows the IP for each entry in 'nat' on the external interface.

Have not issued any commands outside invoking Shorewall. Er, why do the 'ip add' if they are already there?????

Have 'rtfm' but, apparently, to no avail :-(

Alan

uname -a:
    Linux fw 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux

Shorewall version: 1.4.7

ip addr show:
    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:06:29:d3:d1:8f brd ff:ff:ff:ff:ff:ff
        inet 209.92.46.98/28 brd 209.92.46.111 scope global eth0
        inet 209.92.46.99/28 brd 209.92.46.111 scope global secondary eth0
        inet 209.92.46.100/28 brd 209.92.46.111 scope global secondary eth0
    3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:09:5b:1f:36:ed brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
    4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:09:5b:20:56:ec brd ff:ff:ff:ff:ff:ff
        inet 10.0.0.1/24 brd 10.0.0.255 scope global eth2

ip route show:
    209.92.46.96/28 dev eth0 scope link
    10.0.0.0/24 dev eth2 scope link
    192.168.1.0/24 dev eth1 scope link
    127.0.0.0/8 dev lo scope link
    default via 209.92.46.97 dev eth0
Tom Eastep
2003-Oct-21 13:00 UTC
[Shorewall-users] Problem with 2 entries in 'nat' table
On Tue, 2003-10-21 at 12:32, Alan D. Snyder wrote:
> Hello and thanks in advance for your help ...
>
> Have installed Shorewall and it performs well in all respects but one:
>
> When there are two entries in the 'nat' file, only the entry whose host
> address part is lowest receives traffic.
>
> It seems all nat, filter and mangle chains are reasonable.

Have you looked at this problem using ethereal or tcpdump? If the netfilter rules are correct and the external IP addresses have been added to the external interface (as the following paragraphs seem to suggest), then you need to see what is happening on the link to cause these symptoms.

Since there are folks on the list with 100's of entries in their nat file (I personally use 2-4 depending on my mood), it is unlikely that there is anything wrong with how Shorewall is setting up static NAT.

> After Shorewall is started, 'ip addr' shows the IP for each entry in 'nat'
> on the external interface.
>
> Have not issued any commands outside invoking Shorewall. Er, why do the 'ip
> add' if they are already there?????

If I read the first paragraph correctly, it seems that an 'ip addr show' shows that the external IP addresses from your nat file have been added to the external interface. This happens as a result of ADD_IP_ALIASES=Yes in shorewall.conf.

The next paragraph seems to complain about something but I can't understand what it is. If you are complaining about the behavior of ADD_IP_ALIASES=Yes, then by all means turn it off if you are adding the addresses via some other means provided by your distribution.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Alan D. Snyder
2003-Oct-21 13:44 UTC
[Shorewall-users] Problem with 2 entries in 'nat' table
Tom:

Let me try to be clearer. 'shorewall.conf' and 'nat' follow:

nat:
    ##############################################################################
    #
    # Shorewall 1.4 -- Network Address Translation Table
    #
    # /etc/shorewall/nat
    #
    # This file is used to define static Network Address Translation (NAT).
    #
    ###$NET_WWW_IP   $NET_IF   $DMZ_WWW_IP    yes   yes
    $NET_MAIL_IP     $NET_IF   $DMZ_MAIL_IP   yes   yes
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

shorewall.conf:
    ##############################################################################
    LOGFILE=/var/log/messages
    LOGFORMAT=""
    LOGRATE=
    LOGBURST=
    LOGUNCLEAN=
    BLACKLIST_LOGLEVEL=
    LOGNEWNOTSYN=
    MACLIST_LOG_LEVEL=
    TCP_FLAGS_LOG_LEVEL=
    RFC1918_LOG_LEVEL=$LOGLEVEL
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    SHOREWALL_SHELL=/bin/sh
    SUBSYSLOCK=/var/lock/subsys/shorewall
    STATEDIR=/var/lib/shorewall
    MODULESDIR=
    FW=fw
    IP_FORWARDING=On
    ADD_IP_ALIASES=Yes
    ADD_SNAT_ALIASES=No
    TC_ENABLED=No
    CLEAR_TC=Yes
    MARK_IN_FORWARD_CHAIN=No
    CLAMPMSS=No
    ROUTE_FILTER=Yes
    NAT_BEFORE_RULES=Yes
    DETECT_DNAT_IPADDRS=No
    MUTEX_TIMEOUT=60
    NEWNOTSYN=No
    ADMINISABSENTMINDED=Yes
    BLACKLIST_DISPOSITION=DROP
    MACLIST_DISPOSITION=REJECT
    TCP_FLAGS_DISPOSITION=DROP
    #LAST LINE -- DO NOT REMOVE

In shorewall.conf, ADD_IP_ALIASES=Yes

This 'nat' file comments out the first entry, our web server. With 'nat' as above, with WWW commented out when shorewall is started, traffic correctly goes to the mail server. If I remove the comment from the WWW line and restart shorewall (as I did to generate the 'ip addr show' data of the first post), traffic goes only to Apache but not to the mail server.

My problem is how do I get traffic to both mail server and web server?

Where would tcpdump output be most useful from?

Alan

----- Original Message -----
From: Tom Eastep
To: Shorewall Users Mailing List
Sent: Tuesday, October 21, 2003 3:59 PM
Subject: Re: [Shorewall-users] Problem with 2 entries in 'nat' table

> On Tue, 2003-10-21 at 12:32, Alan D. Snyder wrote:
> > Hello and thanks in advance for your help ...
> >
> > Have installed Shorewall and it performs well in all respects but one:
> >
> > When there are two entries in the 'nat' file, only the entry whose host
> > address part is lowest receives traffic.
> >
> > It seems all nat, filter and mangle chains are reasonable.
>
> Have you looked at this problem using ethereal or tcpdump? If the netfilter
> rules are correct and the external IP addresses have been added to the
> external interface (as the following paragraphs seem to suggest), then you
> need to see what is happening on the link to cause these symptoms.
>
> Since there are folks on the list with 100's of entries in their nat file
> (I personally use 2-4 depending on my mood), it is unlikely that there is
> anything wrong with how Shorewall is setting up static NAT.
>
> > After Shorewall is started, 'ip addr' shows the IP for each entry in 'nat'
> > on the external interface.
> >
> > Have not issued any commands outside invoking Shorewall. Er, why do the 'ip
> > add' if they are already there?????
>
> If I read the first paragraph correctly, it seems that an 'ip addr show'
> shows that the external IP addresses from your nat file have been added to
> the external interface. This happens as a result of ADD_IP_ALIASES=Yes in
> shorewall.conf.
>
> The next paragraph seems to complain about something but I can't
> understand what it is. If you are complaining about the behavior of
> ADD_IP_ALIASES=Yes, then by all means turn it off if you are adding the
> addresses via some other means provided by your distribution.
>
> -Tom
> -- 
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Tom Eastep
2003-Oct-21 14:20 UTC
[Shorewall-users] Problem with 2 entries in 'nat' table
On Tue, 2003-10-21 at 13:38, Alan D. Snyder wrote:
>
> My problem is how do I get traffic to both mail server and web server?
>
> Where would tcpdump output be most useful from?
>

Start with a tcpdump on your external interface and use the "-n" and "-e" options.

Trace an attempt to connect to the mail server when both 'nat' table entries are present.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2003-Oct-21 14:23 UTC
[Shorewall-users] Problem with 2 entries in 'nat' table
On Tue, 2003-10-21 at 13:38, Alan D. Snyder wrote:
> Tom:
>
> Let me try to be clearer. 'shorewall.conf' and 'nat' follow:
>
> nat:
> ##############################################################################
> #
> # Shorewall 1.4 -- Network Address Translation Table
> #
> # /etc/shorewall/nat
> #
> # This file is used to define static Network Address Translation (NAT).
> #
> ###$NET_WWW_IP   $NET_IF   $DMZ_WWW_IP    yes   yes
> $NET_MAIL_IP     $NET_IF   $DMZ_MAIL_IP   yes   yes

$DMZ_WWW_IP and $DMZ_MAIL_IP are distinct, right?

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Alan Snyder (home)
2003-Oct-21 16:00 UTC
[Shorewall-users] Problem with 2 entries in 'nat' table
> $DMZ_WWW_IP and $DMZ_MAIL_IP are distinct, right?

yup
Alan D. Snyder
2003-Oct-22 08:54 UTC
[Shorewall-users] Problem with 2 entries in 'nat' table
Tom - as embarrassing as it is to say, when I got in this morning, initiated tcpdump, removed the comment from the WWW line in 'nat', restarted Shorewall, issued my standard telnet www.yardley.com 80 and telnet mailhost.yardley.com 110 from an external dial in, both IPs received traffic.

Before leaving yesterday, I removed some ALLOWS from 'rules' and tightened the policies down, but never thought that filtering had much to do with lost traffic anyway as before reporting the problem did a bunch of tcpdumps and traced chains, etc ....

I just don't get it ...

So, for now all I can do is to apologize for the wasted bandwidth and time and thank you for your prompt attention and not calling me an ...-... in public :-)

Best,

Alan

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, October 21, 2003 5:19 PM
Subject: Re: [Shorewall-users] Problem with 2 entries in 'nat' table

> On Tue, 2003-10-21 at 13:38, Alan D. Snyder wrote:
> >
> > My problem is how do I get traffic to both mail server and web server?
> >
> > Where would tcpdump output be most useful from?
> >
>
> Start with a tcpdump on your external interface and use the "-n" and
> "-e" options.
>
> Trace an attempt to connect to the mail server when both 'nat' table
> entries are present.
>
> -Tom
> -- 
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
Tom Eastep
2003-Oct-22 08:57 UTC
[Shorewall-users] Problem with 2 entries in 'nat' table
On Wed, 2003-10-22 at 08:53, Alan D. Snyder wrote:
>
> I just don't get it ...
>

May have been a stale ARP cache in the upstream router. At any rate, glad to hear that it's working now.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
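An added illustration, not part of the thread and not Shorewall's own code, tying together Tom's two suggestions: the tcpdump trace with "-n" and "-e" on the external interface, and the stale-ARP-cache explanation. The "-e" option is what makes the link-layer addresses visible, so a capture can show whether frames for each static-NAT external address are actually being sent to the firewall's MAC. The POSIX shell function below reads such a capture and reports, per NAT'd address, whether inbound frames arrived and whether they carried the firewall's own destination MAC. The eth0 MAC 00:06:29:d3:d1:8f and the addresses 209.92.46.98/.99/.100 are taken from Alan's 'ip addr show' output; the capture lines themselves are constructed, the upstream router MAC 00:aa:bb:cc:dd:ee and the stale MAC 00:11:22:33:44:55 are made up, and the line layout assumes tcpdump's "src-mac > dst-mac, ethertype IPv4 (0x0800), length N: src.port > dst.port:" form.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): inspect a
# `tcpdump -n -e -i eth0` capture for frames addressed to the static-NAT
# external addresses and check whether each frame's destination MAC is the
# firewall's own. Frames for one of our IPs carrying someone else's MAC,
# or no inbound frames at all on a switched segment, point at a stale ARP
# entry in the upstream router rather than at the netfilter rules.

# eth0's MAC and the NAT'd addresses come from the 'ip addr show' output in
# the thread. The capture is constructed: router MAC 00:aa:bb:cc:dd:ee and
# stale MAC 00:11:22:33:44:55 are made up. Layout assumes tcpdump's
# "src-mac > dst-mac, ethertype IPv4 (0x0800), length N: src.port > dst.port:" form.
FW_MAC=00:06:29:d3:d1:8f
SAMPLE='12:00:01.000001 00:aa:bb:cc:dd:ee > 00:06:29:d3:d1:8f, ethertype IPv4 (0x0800), length 74: 209.92.46.97.40001 > 209.92.46.99.80: Flags [S], seq 1, win 5840, length 0
12:00:01.000500 00:06:29:d3:d1:8f > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 209.92.46.99.80 > 209.92.46.97.40001: Flags [S.], seq 2, ack 2, win 5840, length 0
12:00:02.000001 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 209.92.46.97.40002 > 209.92.46.100.110: Flags [S], seq 3, win 5840, length 0
12:00:05.000001 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 209.92.46.97.40002 > 209.92.46.100.110: Flags [S], seq 3, win 5840, length 0'

# check_nat_frames FW_MAC IP... < capture
# One output line per IP:
#   "<ip> ok <count>"               every inbound frame for <ip> was sent to FW_MAC
#   "<ip> wrong-mac <count> <mac>"  inbound frames for <ip> were sent to <mac> instead
#   "<ip> none"                     no inbound frame for <ip> in the capture
check_nat_frames() {
    fw_mac=$1; shift
    awk -v mac="$fw_mac" -v ips="$*" '
    BEGIN {
        mac = tolower(mac)
        n = split(ips, want, " ")
        for (i = 1; i <= n; i++) seen[want[i]] = 0     # membership table of our NAT IPs
    }
    {
        dmac = tolower($4); sub(/,$/, "", dmac)          # "dst-mac," -> dst-mac
        dst = ""
        for (i = 5; i <= NF; i++) if ($i == ">") { dst = $(i + 1); break }
        sub(/:$/, "", dst); sub(/\.[0-9]+$/, "", dst)    # "a.b.c.d.port:" -> a.b.c.d
        if (!(dst in seen)) next                          # not destined to a NAT address
        if (dmac == mac) ok[dst]++; else { bad[dst]++; badmac[dst] = dmac }
    }
    END {
        for (i = 1; i <= n; i++) {
            ip = want[i]
            if (ip in bad)        print ip, "wrong-mac", bad[ip], badmac[ip]
            else if (ok[ip] > 0)  print ip, "ok", ok[ip]
            else                  print ip, "none"
        }
    }'
}

# Offline run on the constructed capture. On the firewall itself one would
# feed a live trace instead, e.g.:
#   tcpdump -n -e -i eth0 'dst host 209.92.46.99 or dst host 209.92.46.100' \
#       | check_nat_frames "$FW_MAC" 209.92.46.99 209.92.46.100
printf '%s\n' "$SAMPLE" | check_nat_frames "$FW_MAC" 209.92.46.99 209.92.46.100
```

On the constructed capture the web address reports "ok" and the mail address reports "wrong-mac" with the stale MAC, which is the signature of an upstream ARP entry still pointing at whatever previously answered for that IP. On a switched segment the same fault shows up as "none" instead, because the switch delivers those frames to the stale MAC's port and the firewall never sees them even in promiscuous mode. Either way the netfilter chains are not the place to look; the condition clears when the router's ARP entry expires or the firewall re-announces the address with a gratuitous ARP (iputils arping -U, for example).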