Hi,

first, at http://shorewall.net/1.4/Shorewall_Doesnt.html there is a link about experimental shorewall bridge code that is invalid.

Second, is it possible to MASQ between two aliased interfaces on one physical eth device? So that the computer has one ethernet card with two IP addresses: a public IP/32 and a 172.16.0.1/16? The 172.16.x.y WAP traffic would arrive to the MASQ computer, unmask to the public IP and run out to the public IP gateway? I doubt this would work but a friend of mine asks for it.

                 public IP gateway
   ------------+------------- WAP public IPs & 172.16.x.y
               |
               |  eth0 & eth0:0
   MASQ machine, 172.16.x.y gateway

Thanks.

Petr
On Monday 15 March 2004 05:29 am, Petr Stehlik wrote:
> Hi,
>
> first, at http://shorewall.net/1.4/Shorewall_Doesnt.html there is a link
> about experimental shorewall bridge code that is invalid.
>
> Second, is it possible to MASQ between two aliased interfaces on one
> physical eth device? So that the computer has one ethernet card with two
> IP addresses: a public IP/32 and a 172.16.0.1/16? The 172.16.x.y WAP
> traffic would arrive to the MASQ computer, unmask to the public IP and
> run out to the public IP gateway? I doubt this would work but a friend
> of mine asks for it.
>

The basic setup is described at http://shorewall.net/Multiple_Zones.html#OneArmed. The /etc/shorewall/masq entry would look like:

eth0:!192.168.1.0/24 192.168.1.0/24 [ <external ip> ]

I'll add that to the above document.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Monday 15 March 2004 07:02 am, Tom Eastep wrote:
> On Monday 15 March 2004 05:29 am, Petr Stehlik wrote:
> > Hi,
> >
> > first, at http://shorewall.net/1.4/Shorewall_Doesnt.html there is a link
> > about experimental shorewall bridge code that is invalid.
> >

I've corrected that link - thanks.

> >
> > Second, is it possible to MASQ between two aliased interfaces on one
> > physical eth device? So that the computer has one ethernet card with two
> > IP addresses: a public IP/32 and a 172.16.0.1/16? The 172.16.x.y WAP
> > traffic would arrive to the MASQ computer, unmask to the public IP and
> > run out to the public IP gateway? I doubt this would work but a friend
> > of mine asks for it.
>
> The basic setup described at
> http://shorewall.net/Multiple_Zones.html#OneArmed. The /etc/shorewall/masq
> entry would look like:
>
> eth0:!192.168.1.0/24 192.168.1.0/24 [ <external ip> ]
>
> I'll add that to the above document.
>

The masq entry has been added to the document.

-Tom
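The one-armed masq entry Tom gives above, rendered as the netfilter rule it implies, plus a check that the `!` exclusion really covers the LAN subnet. This is an added illustration, not Shorewall's own code or the chain layout it generates; the address 203.0.113.1 is a constructed stand-in for `<external ip>`, and the `-` placeholder for an empty ADDRESS column is assumed from the masq file conventions.

```python
"""Render a Shorewall 1.4 /etc/shorewall/masq entry (INTERFACE SUBNET [ADDRESS])
as the POSTROUTING rule it implies; my rendering, not Shorewall's generated chains."""
import ipaddress


def parse_masq_entry(line):
    """Return (iface, dest, negated, subnet, address) for one masq line.
    INTERFACE may carry a destination qualifier: 'eth0:192.168.1.0/24' limits
    the rule to that destination, 'eth0:!192.168.1.0/24' excludes it.  The alias
    eth0:0 never appears: netfilter (like tc) only knows the physical eth0."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("masq entry needs at least INTERFACE and SUBNET")
    iface, _, dest = fields[0].partition(":")
    subnet = fields[1]
    address = fields[2] if len(fields) > 2 and fields[2] != "-" else None
    negated = dest.startswith("!")
    dest = dest.lstrip("!") or None
    for cidr in (subnet, dest):
        if cidr:
            ipaddress.ip_network(cidr, strict=False)  # reject typos early
    if address:
        ipaddress.ip_address(address)  # ADDRESS must be a plain SNAT address
    return iface, dest, negated, subnet, address


def masq_to_iptables(line):
    """Equivalent iptables command: SNAT when ADDRESS is given, else MASQUERADE."""
    iface, dest, negated, subnet, address = parse_masq_entry(line)
    rule = ["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", iface, "-s", subnet]
    if dest:
        rule += (["!"] if negated else []) + ["-d", dest]
    rule += ["-j", "SNAT", "--to-source", address] if address else ["-j", "MASQUERADE"]
    return " ".join(rule)


def keeps_lan_traffic_unrewritten(line):
    """One-armed check: LAN and Internet share eth0, so LAN-to-LAN traffic that
    passes through the gateway also leaves via eth0.  True only when the '!'
    exclusion covers the whole SUBNET, so that traffic keeps its real source
    address instead of being rewritten to the external IP."""
    _, dest, negated, subnet, _ = parse_masq_entry(line)
    if not (dest and negated):
        return False
    lan = ipaddress.ip_network(subnet, strict=False)
    return lan.subnet_of(ipaddress.ip_network(dest, strict=False))


# Constructed samples: Tom's entry with 203.0.113.1 standing in for <external ip>,
# beside the naive entry that omits the exclusion.
ONE_ARMED_ENTRY = "eth0:!192.168.1.0/24 192.168.1.0/24 203.0.113.1"
NAIVE_ENTRY = "eth0 192.168.1.0/24 203.0.113.1"
```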
On Mon, 15 Mar 2004 at 16:02, Tom Eastep writes:
> > Second, is it possible to MASQ between two aliased interfaces on one
> > physical eth device?

> The basic setup described at
> http://shorewall.net/Multiple_Zones.html#OneArmed

Ahh, my fault. I spent all my time reading http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html. Maybe adding a small link to OneArmed multiple zones would be helpful there (just like the OneArmed document provides a helpful link to Aliased Interfaces).

> eth0:!192.168.1.0/24 192.168.1.0/24 [ <external ip> ]

Works like a charm, thank you! Originally I thought it would be a task for a bridge setup; I am glad the OneArmed solution works as well.

Though traffic shaping for the 192.168.1.x is probably impossible in this schema, right? The bridge becomes necessary for that. Or is there a trick?

Petr
On Monday 15 March 2004 11:19 am, Petr Stehlik wrote:
>
> Though traffic shaping for the 192.168.1.x is probably impossible in
> this schema, right? The bridge becomes necessary for that. Or is there a
> trick?

Traffic Shaping would be difficult in this environment.

-Tom
On Mon, 15 Mar 2004 at 20:29, Tom Eastep writes:
> > Though traffic shaping for the 192.168.1.x is probably impossible in
> > this schema, right? The bridge becomes necessary for that. Or is there a
> > trick?
>
> Traffic Shaping would be difficult in this environment.

Difficult? I thought it would be simply impossible as tc does not want to work on eth0:0 (there is no such device - you explain it in the Aliased document).

Petr
On Monday 15 March 2004 11:39 am, Petr Stehlik wrote:
> On Mon, 15 Mar 2004 at 20:29, Tom Eastep writes:
> > > Though traffic shaping for the 192.168.1.x is probably impossible in
> > > this schema, right? The bridge becomes necessary for that. Or is there
> > > a trick?
> >
> > Traffic Shaping would be difficult in this environment.
>
> Difficult? I thought it would be simply impossible as tc does not want
> to work on eth0:0 (there is no such device - you explain it in the
> Aliased document).
>

You could still shape traffic on eth0 and use address matching/packet marking to classify the traffic.

-Tom
On Mon, 15 Mar 2004 at 20:41, Tom Eastep writes:
> > Difficult? I thought it would be simply impossible as tc does not want
> > to work on eth0:0 (there is no such device - you explain it in the
> > Aliased document).

> You could still shape traffic on eth0

That would have to be ingress, right? At least for the direction public->private IPs, since real shaping occurs on the outgoing interface, which is not eth0 in this case. Well, hmhmhm, it is actually also outgoing, physically. The eth0 is both incoming and outgoing? That's a mess :) I am wondering whether I can manage to mark the traffic properly (considering the masq NAT).

Petr
On Mon, 15 Mar 2004, Petr Stehlik wrote:
> On Mon, 15 Mar 2004 at 20:41, Tom Eastep writes:
> > > Difficult? I thought it would be simply impossible as tc does not want
> > > to work on eth0:0 (there is no such device - you explain it in the
> > > Aliased document).
>
> > You could still shape traffic on eth0
>
> That would have to be ingress, right? At least for the direction
> public->private IPs, since real shaping occurs on the outgoing interface,
> which is not eth0 in this case. Well, hmhmhm, it is actually also
> outgoing, physically. The eth0 is both incoming and outgoing? That's a
> mess :) I am wondering whether I can manage to mark the traffic properly
> (considering the masq NAT).
>

It would be a challenge.

-Tom