Hello,

I want to use shorewall on a 3-hole-firewall.

I defined three nets:

net eth0
dmz eth1
loc eth2

The servers within the DMZ are using different public IPs (x.y.z.192/27).
The local net is using 168.192.0.0/16. This net has to be masqueraded.
The IP of the eth0 is 10.0.0.1. This NIC is directly connected to the
router of our ISP (the router has 10.0.0.2).

The traffic loc<->dmz and dmz<->net are fine, but loc<->net doesn't
work, because of the right NAT-configuration. Which are the correct
configurations of the .../masq and .../nat configfiles?

Greetings,

Jan

--
==================================================
Jan Grothkast
Ritterstrasse 7
70199 Stuttgart
E-Mail: jan@grothkast.de
---------------------------------------------------
2 + 2 = 5 for suitably large values of 2.
===================================================
On Tue, 2003-11-18 at 14:21, Jan Grothkast wrote:
> Hello,
>
> I want to use shorewall on a 3-hole-firewall.
>
> I defined three nets:
>
> net eth0
> dmz eth1
> loc eth2
>
> The servers within the DMZ are using different public IPs (x.y.z.192/27).
> The local net is using 168.192.0.0/16. This net has to be masqueraded.
> The IP of the eth0 is 10.0.0.1. This NIC is directly connected to the
> router of our ISP (the router has 10.0.0.2).
>
> The traffic loc<->dmz and dmz<->net are fine, but loc<->net doesn't
> work, because of the right NAT-configuration. Which are the correct
> configurations of the .../masq and .../nat configfiles?

Neither if your DMZ systems are using public IP addresses. You may need
to use Proxy ARP instead. Start with
http://shorewall.net/shorewall_setup_guide.htm.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Tue, 2003-11-18 at 14:33, Tom Eastep wrote:
> On Tue, 2003-11-18 at 14:21, Jan Grothkast wrote:
> >
> > router of our ISP (the router has 10.0.0.2).
> >
> > The traffic loc<->dmz and dmz<->net are fine, but loc<->net doesn't
> > work, because of the right NAT-configuration. Which are the correct
> > configurations of the .../masq and .../nat configfiles?
>
> Neither if your DMZ systems are using public IP addresses. You may need
> to use Proxy ARP instead. Start with
> http://shorewall.net/shorewall_setup_guide.htm.
>

I read your post again -- Is the router at 10.0.0.2 routing the public
IP addresses via 10.0.0.1? If not, what is it doing with packets
addressed to those destinations?

-Tom
Hello,

On Tue, Nov 18, 2003 at 03:48:01PM -0800, Tom Eastep wrote:
> On Tue, 2003-11-18 at 14:33, Tom Eastep wrote:
> > On Tue, 2003-11-18 at 14:21, Jan Grothkast wrote:
> > >
> > > router of our ISP (the router has 10.0.0.2).
> > >
> > > The traffic loc<->dmz and dmz<->net are fine, but loc<->net doesn't
> > > work, because of the right NAT-configuration. Which are the correct
> > > configurations of the .../masq and .../nat configfiles?
> >
> > Neither if your DMZ systems are using public IP addresses. You may need
> > to use Proxy ARP instead. Start with
> > http://shorewall.net/shorewall_setup_guide.htm.
> >
>
> I read your post again -- Is the router at 10.0.0.2 routing the public
> IP addresses via 10.0.0.1? If not, what is it doing with packets
> addressed to those destinations?

The router (a small cisco) provided by the ISP is placed in our office
and it is directly connected to the eth0 (10.0.0.1) of the shorewall.
All incoming requests to our public IPs are routed correctly via 10.0.0.1.
I don't have problems with the routing DMZ -> net as well.

Jan
On Tue, 2003-11-18 at 17:21, Jan Grothkast wrote:
> Hello,
>
> I want to use shorewall on a 3-hole-firewall.
>
> I defined three nets:
>
> net eth0
> dmz eth1
> loc eth2
>
> The servers within the DMZ are using different public IPs (x.y.z.192/27).
> The local net is using 168.192.0.0/16. This net has to be masqueraded.
> The IP of the eth0 is 10.0.0.1. This NIC is directly connected to the
> router of our ISP (the router has 10.0.0.2).
>
> The traffic loc<->dmz and dmz<->net are fine, but loc<->net doesn't
> work, because of the right NAT-configuration. Which are the correct
> configurations of the .../masq and .../nat configfiles?
>
> Greetings,
>
> Jan
>

From what you are describing, it sounds like you are wanting the 'loc'
zone to be masqueraded out the 'net' zone, a very typical scenario. For
this, add a line to the masq file like so:

eth0 eth2

This will NAT all traffic out from eth2 to the ip of eth0.
Hello,

On Wed, Nov 19, 2003 at 07:16:47AM -0500, David T Hollis wrote:
> On Tue, 2003-11-18 at 17:21, Jan Grothkast wrote:
> > Hello,
> >
> > I want to use shorewall on a 3-hole-firewall.
> >
> > I defined three nets:
> >
> > net eth0
> > dmz eth1
> > loc eth2
> >
> > The servers within the DMZ are using different public IPs (x.y.z.192/27).
> > The local net is using 168.192.0.0/16. This net has to be masqueraded.
> > The IP of the eth0 is 10.0.0.1. This NIC is directly connected to the
> > router of our ISP (the router has 10.0.0.2).
> >
> > The traffic loc<->dmz and dmz<->net are fine, but loc<->net doesn't
> > work, because of the right NAT-configuration. Which are the correct
> > configurations of the .../masq and .../nat configfiles?
> >
> > Greetings,
> >
> > Jan
>
> From what you are describing, it sounds like you are wanting the 'loc'
> zone to be masqueraded out the 'net' zone, a very typical scenario. For
> this, add a line to the masq file like so:
> eth0 eth2
>
> This will NAT all traffic out from eth2 to the ip of eth0.

Yes, but the eth0 is configured with a private IP (10.0.0.1), the
traffic of eth2 has to be NATed with a public IP.

Jan
> > > Hello,
> > >
> > > I want to use shorewall on a 3-hole-firewall.
> > >
> > > I defined three nets:
> > >
> > > net eth0
> > > dmz eth1
> > > loc eth2
> > >
> > > The servers within the DMZ are using different public IPs (x.y.z.192/27).

Just to clarify, you have one subnet from your isp, or more than one?

> > > The local net is using 168.192.0.0/16. This net has to be masqueraded.
> > > The IP of the eth0 is 10.0.0.1. This NIC is directly connected to the
> > > router of our ISP (the router has 10.0.0.2).
> > >
> > > The traffic loc<->dmz and dmz<->net are fine, but loc<->net doesn't
> > > work, because of the right NAT-configuration. Which are the correct
> > > configurations of the .../masq and .../nat configfiles?
> > >
> > > Greetings,
> > >
> > > Jan
> >
> > From what you are describing, it sounds like you are wanting the 'loc'
> > zone to be masqueraded out the 'net' zone, a very typical scenario. For
> > this, add a line to the masq file like so:
> > eth0 eth2
> >
> > This will NAT all traffic out from eth2 to the ip of eth0.
>
> Yes, but the eth0 is configured with a private IP (10.0.0.1), the
> traffic of eth2 has to be NATed with a public IP.
>
> Jan

Your isp is routing the subnet (x.y.z.192/27) through the cisco, the
net <> dmz works fine, correct? You're using proxyarp for the dmz,
correct? If so then it sounds like you just need to use one of your
unused public ip addresses on eth0. You have an unused address?

Jerry Vonau
Hello,

On Wed, Nov 19, 2003 at 08:14:51AM -0600, Jerry Vonau wrote:
> > > > The servers within the DMZ are using different public IPs (x.y.z.192/27).
>
> Just to clarify, you have one subnet from your isp, or more than one?

Yes, we have a /27 subnet (.192 .. .223).

> > Jan
>
> Your isp is routing the subnet (x.y.z.192/27) through the cisco, the
> net <> dmz works fine, correct?

Yes this subnet is routed by the ISP through the cisco.

> You're using proxyarp for the dmz, correct?

I don't need to use proxyarp. I use one of the public IPs on eth1 (DMZ).

> If so then it sounds like you just need to use one of your
> unused public ip addresses on eth0. You have an unused address?

Yes, I have free addresses. But the eth0 is already configured to 10.0.0.1

Jan
On Wed, 2003-11-19 at 06:31, Jan Grothkast wrote:
>
> Yes, I have free addresses. But the eth0 is already configured to 10.0.0.1

That's irrelevant. In /etc/shorewall/masq:

eth0 eth2 <one of your free addresses>

-Tom
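The thread's point is that a masq entry with an empty ADDRESS column masquerades behind whatever address the outgoing interface carries, which here is the private 10.0.0.1, while filling in the ADDRESS column turns the rule into SNAT to a routable public address. The script below is an added example, not Shorewall's own code or anything posted in the thread: it parses the three-column masq layout (INTERFACE SUBNET ADDRESS), renders the iptables POSTROUTING rule each entry stands for, and warns when the resulting source address would fall in RFC 1918 space. The interface map is constructed for the example (Shorewall reads addresses from the kernel instead), 203.0.113.0/24 stands in for the poster's redacted x.y.z public block, and 192.168.0.0/16 is assumed for the local net.

```python
"""Render Shorewall /etc/shorewall/masq entries as the iptables rules they imply
and flag entries that would leave the firewall with an RFC 1918 source address.

Added example, not Shorewall's code.  Assumes the INTERFACE SUBNET [ADDRESS]
column layout of the masq file; the interface map, the 203.0.113.0/24 stand-in
for the poster's x.y.z block and the 192.168.0.0/16 local net are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed interface map for the firewall described in the thread.
INTERFACES = {
    "eth0": "10.0.0.1/24",       # link to the ISP's Cisco (10.0.0.2): private address
    "eth1": "203.0.113.193/27",  # DMZ, the routed public /27 (stand-in for x.y.z.192/27)
    "eth2": "192.168.1.1/16",    # local net (assumed RFC 1918 block)
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class MasqEntry:
    interface: str          # column 1: interface the traffic leaves through
    subnet: str             # column 2: source subnet, or an interface name
    address: Optional[str]  # column 3: SNAT source address, None -> MASQUERADE


def parse_masq(text: str) -> list:
    """Parse masq lines; '#' starts a comment (this also skips the LAST LINE marker)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 2:
            raise ValueError(f"masq line needs INTERFACE and SUBNET: {raw!r}")
        address = cols[2] if len(cols) > 2 and cols[2] != "-" else None
        entries.append(MasqEntry(cols[0], cols[1], address))
    return entries


def source_network(entry: MasqEntry, interfaces: dict) -> str:
    """Column 2 naming an interface means 'the network configured on it'."""
    if entry.subnet in interfaces:
        return str(ipaddress.ip_interface(interfaces[entry.subnet]).network)
    return str(ipaddress.ip_network(entry.subnet, strict=False))


def render_rule(entry: MasqEntry, interfaces: dict) -> str:
    """The POSTROUTING rule the entry amounts to (Shorewall's exact output may differ)."""
    rule = f"iptables -t nat -A POSTROUTING -o {entry.interface} -s {source_network(entry, interfaces)}"
    if entry.address:
        return f"{rule} -j SNAT --to-source {entry.address}"
    return f"{rule} -j MASQUERADE"


def check_entry(entry: MasqEntry, interfaces: dict) -> list:
    """Warnings for the failure mode in the thread: NAT behind a private address."""
    warnings = []
    if entry.interface not in interfaces:
        return [f"unknown interface {entry.interface}"]
    if entry.address is None:
        out_ip = str(ipaddress.ip_interface(interfaces[entry.interface]).ip)
        if is_rfc1918(out_ip):
            warnings.append(
                f"MASQUERADE would use {out_ip} on {entry.interface}, an RFC 1918 address; "
                "Internet replies have no route back. Put a free public address in column 3."
            )
    elif is_rfc1918(entry.address):
        warnings.append(f"SNAT address {entry.address} is RFC 1918 space; choose a public one.")
    return warnings


def review(text: str, interfaces: dict = INTERFACES) -> list:
    """(rule, warnings) for each entry of a masq file."""
    return [(render_rule(e, interfaces), check_entry(e, interfaces)) for e in parse_masq(text)]


# Constructed masq files: the first suggestion from the thread, then the final answer.
MASQ_WITHOUT_ADDRESS = """\
#INTERFACE   SUBNET   ADDRESS
eth0         eth2
"""
MASQ_WITH_ADDRESS = """\
#INTERFACE   SUBNET   ADDRESS
eth0         eth2     203.0.113.200
"""

if __name__ == "__main__":
    for label, text in (("no ADDRESS", MASQ_WITHOUT_ADDRESS), ("with ADDRESS", MASQ_WITH_ADDRESS)):
        for rule, warnings in review(text):
            print(f"[{label}] {rule}")
            for w in warnings:
                print(f"    warning: {w}")
```

The check is deliberately narrow: it only catches the mistake discussed here, NAT behind an interface address the ISP will never route. Whether the chosen public address is actually one of the free ones in the routed /27 still has to be verified against the address plan.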