thr3ads.net - Shorewall users - Masquerading doesn''t work [Jun 2004]

If this information is useful, please help other people find it:
Share via:

jlonc@gi-bon.sk

2004-Jun-10 12:46 UTC

Masquerading doesn''t work

hi.

I''ve got problem with Shorewall masquerading (SNAT). Packets are
passing
through linux box/router but without source NATing.

My situation:
[local network]<--->[linux box/router]<--->[outer network]

local net: 192.168.2.0
outer net: 195.168.65.0

linux box eth0: 195.168.65.82 (this is gateway device)
linux box eth1 (local): 192.168.2.222

pc (PC-loc) in local net: 192.168.2.3  (gateway is set to 192.168.2.222 - 
eth1 on linux box/router)
pc (PC-net) in outer net: 195.168.65.81

/etc/shorewall/masq:
eth0    192.168.0.0/16

or /etc/shorewall/masq:
eth0    192.168.2.0/24  195.168.65.82

I''m trying to ping from PC-loc to PC-net. I expected PC-net to log 
external ip of linux box/router, but it logs source ip (ip of PC-A) -> so 
it cannot response to ping btw.

linux: Mandrake 10.0
kernel: 2.6.3
iptables: 1.2.9
shorewall: 2.0.2f

ip addr show:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:01:02:94:23:a5 brd ff:ff:ff:ff:ff:ff
    inet 195.168.65.82/31 brd 195.168.65.255 scope global eth0
    inet6 fe80::201:2ff:fe94:23a5/64 scope link tentative 
       valid_lft forever preferred_lft forever
    inet6 ff02::1:ff94:23a5/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:01:02:94:22:0f brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.222/24 brd 192.168.2.255 scope global eth1
    inet6 fe80::201:2ff:fe94:220f/64 scope link 
       valid_lft forever preferred_lft forever
    inet6 ff02::1:ff94:220f/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global 
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop 
    link/sit 0.0.0.0 brd 0.0.0.0


ip route show:
195.168.65.82/31 dev eth0  proto kernel  scope link  src 195.168.65.82 
195.168.65.80/31 dev eth0  scope link 
192.168.2.0/24 dev eth1  scope link 
127.0.0.0/8 dev lo  scope link 
default dev eth0  scope link 


thanks for any advice.

Tom Eastep

2004-Jun-10 13:47 UTC

head link

Re: Masquerading doesn''t work

jlonc@gi-bon.sk wrote:
> thanks for any advice.
Please forward the output of "shorewall status" as an attachment.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

jlonc@gi-bon.sk

2004-Jun-10 14:28 UTC

head link

Re: Masquerading doesn''t work

hi.

thanks for quick reply.

anyway, i''ve made it work (somehow).


all i''ve done is this:
1. in KDE, "System\Configuration\Configure your 
computer\Network&Internet", and there "Internet connection
sharing" ->
installed some 2 packages + all main shorewall configuration files 
(/etc/shorewall) were modified (useless since then)
2. i downloaded and used two-interfaces.tgz from 
http://www1.shorewall.net/pub/shorewall/Samples/samples-2.0.1/ (samples of 
shorewall configuration)
3. everything worked as it should (at least pinging)


then i''ve tried my old config files and it have been working too
so i think, the problem was not in shorewall or configuration itself, but 
somewhere i don''t know where :)


thanks anyway.
Juraj Lonc

Tom Eastep

2004-Jun-10 15:53 UTC

head link

Re: Masquerading doesn''t work

jlonc@gi-bon.sk wrote:
> 
> 
> then i''ve tried my old config files and it have been working too
> so i think, the problem was not in shorewall or configuration itself, but 
> somewhere i don''t know where :)
> 
You don''t have both of your firewall''s NICs connected to the
same
hub/switch do you?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

jlonc@gi-bon.sk

2004-Jun-10 19:07 UTC

head link

Re: Masquerading doesn''t work

nope.
i''ve got 2 hubs, one for local net, and the second for
"outer" net.
one of firewall''s NICs is connected to the first hub and the second NIC
is
connected to the second hub.
it was allways so.


important is, that it works now.



> 
> > 
> > 
> > then i''ve tried my old config files and it have been working
too
> > so i think, the problem was not in shorewall or configuration itself, 
but > > somewhere i don''t know where :)
> > 
> 
> You don''t have both of your firewall''s NICs connected to
the same
> hub/switch do you?
> 
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool

Shorewall users - Jun 2004 - Masquerading doesn''t work

Masquerading doesn''t work

Re: Masquerading doesn''t work

Re: Masquerading doesn''t work

Re: Masquerading doesn''t work

Re: Masquerading doesn''t work