In sites A and B, I have:
--------------------------
REDIRECT net 161 udp 16100
--------------------------
with net-snmp listening on port 161


In site C (10.10.10.10, shorewall-1.4.10c), I have
-----------------------------------------------------
DNAT loc:10.10.10.1 net:200.232.120.180:16100 udp 161 #site A
DNAT loc:10.10.10.1 net:200.162.212.217:16100 udp 161 #site B
-----------------------------------------------------

On 10.10.10.1, when I try to gather SNMP data from site A, it works like a
charm. I.e.: the request from 10.10.10.1 is translated in 10.10.10.10 to port
16100. Arriving at site A on port 16100, it is then redirected to local port 161.
The answer returns fine.

But when I try to gather data from site B, all requests go directly to site
A. The second rule to site B is "ignored".

Did I miss something?

-Gilson Soares
On Tuesday 02 March 2004 05:47 am, Gilson Soares wrote:
> In sites A and B, I have:
> --------------------------
> REDIRECT net 161 udp 16100
> --------------------------
> with net-snmp listening on port 161
>
>
> In site C (10.10.10.10, shorewall-1.4.10c), I have
> -----------------------------------------------------
> DNAT loc:10.10.10.1 net:200.232.120.180:16100 udp 161 #site A
> DNAT loc:10.10.10.1 net:200.162.212.217:16100 udp 161 #site B
> -----------------------------------------------------
>
> On 10.10.10.1, when I try to gather SNMP data from site A, it works like a
> charm. I.e.: the request from 10.10.10.1 is translated in 10.10.10.10 to port
> 16100. Arriving at site A on port 16100, it is then redirected to local port 161.
> The answer returns fine.
>
> But when I try to gather data from site B, all requests go directly to site
> A. The second rule to site B is "ignored".
>
> Did I miss something?

Well, it is working as designed if that is what you are asking.

Your first rule says that any UDP packet to port 161 to any IP address from
10.10.10.1 is redirected to 200.232.120.180 port 16100. So your first rule
completely masks your second rule which has exactly the same match
conditions.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ shorewall.net
Washington USA  \ teastep@shorewall.net
At 2/3/2004 12:08, you wrote:
>On Tuesday 02 March 2004 05:47 am, Gilson Soares wrote:
> > In sites A and B, I have:
> > --------------------------
> > REDIRECT net 161 udp 16100
> > --------------------------
> > with net-snmp listening on port 161
> >
> >
> > In site C (10.10.10.10, shorewall-1.4.10c), I have
> > -----------------------------------------------------
> > DNAT loc:10.10.10.1 net:200.232.120.180:16100 udp 161 #site A
> > DNAT loc:10.10.10.1 net:200.162.212.217:16100 udp 161 #site B
> > -----------------------------------------------------
> >
> > On 10.10.10.1, when I try to gather SNMP data from site A, it works like a
> > charm. I.e.: the request from 10.10.10.1 is translated in 10.10.10.10 to port
> > 16100. Arriving at site A on port 16100, it is then redirected to local port 161.
> > The answer returns fine.
> >
> > But when I try to gather data from site B, all requests go directly to site
> > A. The second rule to site B is "ignored".
> >
> > Did I miss something?
>
>Well, it is working as designed if that is what you are asking.
>
>Your first rule says that any UDP packet to port 161 to any IP address from
>10.10.10.1 is redirected to 200.232.120.180 port 16100. So your first rule
>completely masks your second rule which has exactly the same match
>conditions.

Well, in fact, I would like:
- If there is a UDP packet to site A, port 161, change the destination port
- If there is a UDP packet to site B, port 161, change the destination port
- If there is a UDP packet to somewhere else, don't change the destination port.

Is it possible?

-Thanks
-Gilson Soares
On Tuesday 02 March 2004 10:44 am, Gilson Soares wrote:
> At 2/3/2004 12:08, you wrote:
> >On Tuesday 02 March 2004 05:47 am, Gilson Soares wrote:
> > > In sites A and B, I have:
> > > --------------------------
> > > REDIRECT net 161 udp 16100
> > > --------------------------
> > > with net-snmp listening on port 161
> > >
> > >
> > > In site C (10.10.10.10, shorewall-1.4.10c), I have
> > > -----------------------------------------------------
> > > DNAT loc:10.10.10.1 net:200.232.120.180:16100 udp 161 #site A
> > > DNAT loc:10.10.10.1 net:200.162.212.217:16100 udp 161 #site B
> > > -----------------------------------------------------
> > >
> > > On 10.10.10.1, when I try to gather SNMP data from site A, it works like a
> > > charm. I.e.: the request from 10.10.10.1 is translated in 10.10.10.10 to
> > > port 16100. Arriving at site A on port 16100, it is then redirected to local
> > > port 161. The answer returns fine.
> > >
> > > But when I try to gather data from site B, all requests go directly to
> > > site A. The second rule to site B is "ignored".
> > >
> > > Did I miss something?
> >
> >Well, it is working as designed if that is what you are asking.
> >
> >Your first rule says that any UDP packet to port 161 to any IP address
> > from 10.10.10.1 is redirected to 200.232.120.180 port 16100. So your
> > first rule completely masks your second rule which has exactly the same
> > match conditions.
>
> Well, in fact, I would like:
> - If there is a UDP packet to site A, port 161, change the destination port
> - If there is a UDP packet to site B, port 161, change the destination port
> - If there is a UDP packet to somewhere else, don't change the destination
> port.
>
> Is it possible?

Yes:

DNAT loc:10.10.10.1 net:200.232.120.180:16100 udp 161 - 200.232.120.180
DNAT loc:10.10.10.1 net:200.162.212.217:16100 udp 161 - 200.162.212.217

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ shorewall.net
Washington USA  \ teastep@shorewall.net
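The behaviour Tom describes (first matching rule wins, and a rule with an empty ORIGINAL DEST column matches any destination) can be checked without a firewall. The following is an added example written for this page; it is not code from the thread or from Shorewall. It models only the part of Shorewall 1.4's DNAT processing that matters here: each rule is compiled into an iptables nat entry matched on source zone/host, protocol, destination port and, when the ORIGINAL DEST column is filled in, the original destination address. It assumes a loc zone of 10.10.10.0/24 for site C (not stated in the thread) and uses 198.51.100.7, a documentation address, as a constructed "somewhere else" destination. The `shadowed()` helper reports rules that can never fire, which is exactly what went wrong with the first rule set.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The two rule sets from the thread (site C, shorewall-1.4.10c).  Columns:
# ACTION SOURCE DEST PROTO DEST-PORT [RATE-LIMIT] [ORIGINAL-DEST]
RULES_MASKED = """
DNAT loc:10.10.10.1 net:200.232.120.180:16100 udp 161 #site A
DNAT loc:10.10.10.1 net:200.162.212.217:16100 udp 161 #site B
"""
RULES_FIXED = """
DNAT loc:10.10.10.1 net:200.232.120.180:16100 udp 161 - 200.232.120.180
DNAT loc:10.10.10.1 net:200.162.212.217:16100 udp 161 - 200.162.212.217
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    src_zone: str
    src_host: Optional[str]    # None: any host in the zone
    to_addr: str
    to_port: int
    proto: str
    dport: int
    orig_dest: Optional[str]   # ORIGINAL DEST column; None: any destination


def parse_rules(text: str) -> List[DnatRule]:
    """Parse DNAT lines; '-' is Shorewall's placeholder for an empty column."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        action, source, dest, proto, dport = fields[:5]
        if action != "DNAT":
            raise ValueError(f"only DNAT rules are modelled: {line!r}")
        src_zone, _, src_host = source.partition(":")
        _zone, to_addr, to_port = dest.split(":")      # DEST is zone:addr:port
        orig_dest = fields[6] if len(fields) > 6 and fields[6] != "-" else None
        rules.append(DnatRule(src_zone, src_host or None, to_addr, int(to_port),
                              proto, int(dport), orig_dest))
    return rules


def zone_of(ip: str) -> str:
    """Assumed zone layout for site C: loc is 10.10.10.0/24, everything else is net."""
    return "loc" if ipaddress.ip_address(ip) in ipaddress.ip_network("10.10.10.0/24") else "net"


def matches(rule: DnatRule, pkt: Packet) -> bool:
    return (zone_of(pkt.src) == rule.src_zone
            and rule.src_host in (None, pkt.src)
            and pkt.proto == rule.proto and pkt.dport == rule.dport
            and rule.orig_dest in (None, pkt.dst))


def apply_dnat(rules: List[DnatRule], pkt: Packet) -> Packet:
    """First matching rule wins, as in a traversal of the iptables nat chain."""
    for rule in rules:
        if matches(rule, pkt):
            return Packet(pkt.src, rule.to_addr, pkt.proto, rule.to_port)
    return pkt   # nothing matched: destination left untouched


def covers(a: DnatRule, b: DnatRule) -> bool:
    """True if every packet b would match is already matched by a."""
    return (a.src_zone == b.src_zone and a.proto == b.proto and a.dport == b.dport
            and a.src_host in (None, b.src_host)
            and a.orig_dest in (None, b.orig_dest))


def shadowed(rules: List[DnatRule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, r in enumerate(rules) if any(covers(rules[i], r) for i in range(j))]


def translate(text: str, dst: str, src: str = "10.10.10.1") -> str:
    """Where does a UDP/161 packet from src to dst end up, as 'addr:port'."""
    out = apply_dnat(parse_rules(text), Packet(src, dst, "udp", 161))
    return f"{out.dst}:{out.dport}"


if __name__ == "__main__":
    for name, text in (("masked", RULES_MASKED), ("fixed", RULES_FIXED)):
        print(name, "shadowed rule indexes:", shadowed(parse_rules(text)))
        for dst in ("200.232.120.180", "200.162.212.217", "198.51.100.7"):
            print(f"  {dst}:161 -> {translate(text, dst)}")
```

With the masked rule set every UDP/161 packet from 10.10.10.1, including one to an address that is neither site, is rewritten to site A; with the ORIGINAL DEST column filled in, only packets to the named site are rewritten and everything else keeps port 161. On the firewall itself the same difference is visible in `iptables -t nat -L -n -v`: the fixed rules carry a specific destination address match, while the masked ones match destination 0.0.0.0/0.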
At 2/3/2004 15:46, you wrote:
>On Tuesday 02 March 2004 10:44 am, Gilson Soares wrote:
> > At 2/3/2004 12:08, you wrote:
> > >On Tuesday 02 March 2004 05:47 am, Gilson Soares wrote:
> > > > In sites A and B, I have:
> > > > --------------------------
> > > > REDIRECT net 161 udp 16100
> > > > --------------------------
> > > > with net-snmp listening on port 161
> > > >
> > > >
> > > > In site C (10.10.10.10, shorewall-1.4.10c), I have
> > > > -----------------------------------------------------
> > > > DNAT loc:10.10.10.1 net:200.232.120.180:16100 udp 161 #site A
> > > > DNAT loc:10.10.10.1 net:200.162.212.217:16100 udp 161 #site B
> > > > -----------------------------------------------------
> > > >
> > > > On 10.10.10.1, when I try to gather SNMP data from site A, it works like a
> > > > charm. I.e.: the request from 10.10.10.1 is translated in 10.10.10.10 to
> > > > port 16100. Arriving at site A on port 16100, it is then redirected to local
> > > > port 161. The answer returns fine.
> > > >
> > > > But when I try to gather data from site B, all requests go directly to
> > > > site A. The second rule to site B is "ignored".
> > > >
> > > > Did I miss something?
> > >
> > >Well, it is working as designed if that is what you are asking.
> > >
> > >Your first rule says that any UDP packet to port 161 to any IP address
> > > from 10.10.10.1 is redirected to 200.232.120.180 port 16100. So your
> > > first rule completely masks your second rule which has exactly the same
> > > match conditions.
> >
> > Well, in fact, I would like:
> > - If there is a UDP packet to site A, port 161, change the destination port
> > - If there is a UDP packet to site B, port 161, change the destination port
> > - If there is a UDP packet to somewhere else, don't change the destination
> > port.
> >
> > Is it possible?
>
>Yes:
>
>DNAT loc:10.10.10.1 net:200.232.120.180:16100 udp 161 - 200.232.120.180
>DNAT loc:10.10.10.1 net:200.162.212.217:16100 udp 161 - 200.162.212.217

Worked.

Thanks
-Gilson Soares