I have two/three PPTP servers on my network, each one of them is on its own subnet, and I want to be able to send traffic to each and every one of them. My rules file entries are as follows:

DNAT net loc:1.1.1.1 tcp 1723
DNAT net loc:1.1.1.1 47

and

DNAT net loc:2.2.2.2 tcp 1723
DNAT net loc:2.2.2.2 47

However, all the traffic only goes to 1.1.1.1 because it's the first DNAT entry. I tried the option DETECT_DNAT_IP=Yes; it did not help either. Any ideas?

Krish
tkrishna@iyka.com wrote:
> I tried the option DETECT_DNAT_IP=Yes did not help either.
>
> Any ideas?

So exactly what criteria is the firewall to apply to decide which server to connect to?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep wrote:
> tkrishna@iyka.com wrote:
>> I tried the option DETECT_DNAT_IP=Yes did not help either.
>>
>> Any ideas?
>
> So exactly what criteria is the firewall to apply to decide which server to connect to?

If my answer sounds flippant, you need to go back and read your post from the point of view of those of us who know nothing about your configuration other than what you have shown us.

a) Your "rules" are using obviously fake IP addresses (WHY??? IP addresses are not state secrets).

b) We therefore don't know if these addresses are RFC 1918 addresses or not.

c) You are showing us DNAT rules which implies rewriting the destination IP address.

d) So if all of the original destination addresses are the same, how can the firewall do anything different than what it is currently doing?????

e) If the original IP addresses are different, and you really want DNAT (as opposed to just ACCEPT -- see FAQ 30), then your rules need to specify the original destination IP address in the appropriate column.

-Tom
> tkrishna@iyka.com wrote:
>> I tried the option DETECT_DNAT_IP=Yes did not help either.
>>
>> Any ideas?
>
> So exactly what criteria is the firewall to apply to decide which server to connect to?

Use the IP address as the criterion. Each server has a different IP address.

Krishnan

> -Tom
> Tom Eastep wrote:
>> tkrishna@iyka.com wrote:
>>> I tried the option DETECT_DNAT_IP=Yes did not help either.
>>>
>>> Any ideas?
>>
>> So exactly what criteria is the firewall to apply to decide which server to connect to?
>
> If my answer sounds flippant, you need to go back and read your post from the point of view of those of us who know nothing about your configuration other than what you have shown us.
>
> a) Your "rules" are using obviously fake IP addresses (WHY??? IP addresses are not state secrets).

IP addresses are not state secrets, but that does mean that I have to disclose IP addresses. Again, I did not put in the actual public IP addresses, but the truth is the IP addresses are real, routable, valid IP addresses.

> b) We therefore don't know if these addresses are RFC 1918 addresses or not.

The IP addresses are valid, so RFC 1918 does not apply here. It's a 207.24.x.x address, so it's an actual address.

> c) You are showing us DNAT rules which implies rewriting the destination IP address.

I need to be able to access two different PPTP servers. That is the only requirement. One of the servers is in the 207.24.x.x network and the other is in the 207.24.y.y network. Other than DNAT I am not sure if there is a way to route the call to the PPTP server. The PPTP server takes two ports, 1723 and 47. Shorewall looks at the rules file and applies the very first entry for all PPTP connections.

What I am saying is that if I have a rule such as

DNAT net loc:207.24.x.1 tcp 1723
DNAT net loc:207.24.x.1 47

and another rule below it stating

DNAT net loc:207.24.y.2 tcp 1723
DNAT net loc:207.24.y.2 47

when a user requests a PPTP connection to 207.24.y.2, the request should be sent to 207.24.y.2, not to 207.24.x.1.

Is that clear? How can I go about doing this? If DNAT is not an option, maybe there is something else. Any ideas?

Krishnan

> d) So if all of the original destination addresses are the same, how can the firewall do anything different than what it is currently doing?????
>
> e) If the original IP addresses are different, and you really want DNAT (as opposed to just ACCEPT -- see FAQ 30), then your rules need to specify the original destination IP address in the appropriate column.
>
> -Tom
tkrishna@iyka.com wrote:
>> Tom Eastep wrote:
>>> tkrishna@iyka.com wrote:
>>>> I tried the option DETECT_DNAT_IP=Yes did not help either.
>>>>
>>>> Any ideas?
>>>
>>> So exactly what criteria is the firewall to apply to decide which server to connect to?
>>
>> If my answer sounds flippant, you need to go back and read your post from the point of view of those of us who know nothing about your configuration other than what you have shown us.
>>
>> a) Your "rules" are using obviously fake IP addresses (WHY??? IP addresses are not state secrets).
>
> IP addresses are not state secrets but that does mean that I have to disclose IP addresses. Again I did not put in the actual public IP addresses but the truth is the IP addresses are real routable valid IP addresses.
>
>> b) We therefore don't know if these addresses are RFC 1918 addresses or not.
>
> The IP addresses are valid so RFC 1918 does not apply for this. It's a 207.24.x.x address so it's an actual address.
>
>> c) You are showing us DNAT rules which implies rewriting the destination IP address.
>
> I need to be able to access two different PPTP servers. That is the only requirement. One of the servers is in the 207.24.x.x network and the other is in the 207.24.y.y network. Other than DNAT I am not sure if there is a way to route the call to the PPTP server. The PPTP server takes two ports, 1723 and 47. Shorewall looks at the rules file and applies the very first entry for all PPTP connections.
>
> What I am saying is that if I have a rule such as
>
> DNAT net loc:207.24.x.1 tcp 1723
> DNAT net loc:207.24.x.1 47
>
> and another rule below it stating
>
> DNAT net loc:207.24.y.2 tcp 1723
> DNAT net loc:207.24.y.2 47
>
> when a user requests a PPTP connection to 207.24.y.2 the request should be sent to 207.24.y.2, not to 207.24.x.1.
>
> Is that clear? How can I go about doing this? If DNAT is not an option, maybe there is something else. Any ideas?

You still haven't read FAQ #30 -- you want ACCEPT rules rather than DNAT rules.

-Tom
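Tom's point (e) and the FAQ 30 answer both come down to how the columns of a rules line are matched. The following toy evaluator is an added illustration, not part of the thread or of Shorewall itself: it mimics netfilter's first-match behaviour on the poster's own rules, and assumes the column layout ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST, a DROP policy when nothing matches, and the thread's 207.24.x.1 / 207.24.y.2 placeholder addresses.

```python
# Added example, not from the thread: a first-match evaluator for Shorewall-style
# rules lines. It shows why two DNAT rules with an empty ORIGINAL DEST column
# both land on the first one, and why ACCEPT rules (FAQ 30) or DNAT rules with
# ORIGINAL DEST filled in behave as the poster wants. Addresses are placeholders.
COLS = ("action", "src", "dest", "proto", "dport", "sport", "odest")

def parse_rules(text):
    """Split rules lines into dicts; missing trailing columns default to '-'."""
    rules = []
    for line in text.splitlines():
        cols = line.split()
        if not cols or cols[0].startswith("#"):
            continue
        rules.append(dict(zip(COLS, cols + ["-"] * (7 - len(cols)))))
    return rules

def evaluate(rules, dst, proto, dport=None):
    """Return (action, final destination) from the first rule a packet matches."""
    for r in rules:
        if r["proto"] != "-" and r["proto"].lower() != proto.lower():
            continue
        if r["dport"] != "-" and int(r["dport"]) != dport:
            continue
        host = r["dest"].split(":", 1)[1] if ":" in r["dest"] else None
        if r["action"] == "DNAT":
            # For DNAT the DEST column is the *new* address; only ORIGINAL DEST
            # restricts which incoming destination address the rule applies to.
            if r["odest"] != "-" and r["odest"] != dst:
                continue
            return ("DNAT", host or dst)
        if host is not None and host != dst:   # ACCEPT: DEST column is a filter
            continue
        return (r["action"], dst)
    return ("DROP", dst)   # assumed net->loc policy when nothing matches

BROKEN = """\
DNAT net loc:207.24.x.1 tcp 1723
DNAT net loc:207.24.x.1 47
DNAT net loc:207.24.y.2 tcp 1723
DNAT net loc:207.24.y.2 47
"""
# FAQ 30 form: the servers already have routable addresses, so just ACCEPT
# (47 is the IP protocol number of GRE, which PPTP uses alongside tcp/1723).
ACCEPTS = BROKEN.replace("DNAT", "ACCEPT")
# If DNAT really is needed, pin each rule to the address the client dialled.
PINNED = """\
DNAT net loc:207.24.x.1 tcp 1723 - 207.24.x.1
DNAT net loc:207.24.x.1 47 - - 207.24.x.1
DNAT net loc:207.24.y.2 tcp 1723 - 207.24.y.2
DNAT net loc:207.24.y.2 47 - - 207.24.y.2
"""
```

With BROKEN, a connection to 207.24.y.2 is rewritten to 207.24.x.1 by the first rule; with ACCEPTS or PINNED it reaches 207.24.y.2.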