Hi all,
first of all thanks to Tom for the great job he's doing with shorewall.

My problem: I have a Linux 2.4.26 & shorewall 2.0.5 firewall with this configuration:
- eth0 ---> Internet connection, with 12 public ip addresses
- eth1 ---> Lan connection, with ip 192.168.11.1/24
- eth2 ---> Second internet connection, with 1 public ip address

At the moment all the hosts on my internal LAN use the first internet connection to reach the Internet, using obviously 192.168.11.4 as default gw.

My problem is: I have set up a new server, and I want it to use the second Internet connection and to be reached via the second internet connection's public ip address. In fact I believe what I want is one-to-one nat.
I've followed the instructions in the One-to-one NAT howto ( http://www.shorewall.net/NAT.htm ), and I can manage to make the outgoing connections from the server appear as originating from the specific ip address I want, but not to forward all the ports on the eth2 of the firewall to the server. I set up a normal port forwarding, as I usually do for other servers, but with no luck...

Does anybody have any idea?

Thanks a lot! Bye...
Mattia
> My problem is: I have set up a new server, and I want it to use the
> second Internet connection and to be reached via the second internet
> connection's public ip address. In fact I believe what i want is
> one-to-one nat.

Sounds to me like you want Proxy-ARP?
> At the moment all the hosts on my internal LAN use the first internet
> connection to reach the Internet, using obviously 192.168.11.4 as
> default gw.

obviously 192.168.11.1... sorry :)
Mattia wrote:
> Hi all,
> first of all thanks to Tom for the great job he's doing with shorewall.
> My problem: I have a Linux 2.4.26 & shorewall 2.0.5 firewall with this
> configuration:
> - eth0 ---> Internet connection, with 12 public ip addresses
> - eth1 ---> Lan connection, with ip 192.168.11.1/24
> - eth2 ---> Second internet connection, with 1 public ip address
>
> At the moment all the hosts on my internal LAN use the first internet
> connection to reach the Internet, using obviously 192.168.11.4 as
> default gw.
>
> My problem is: I have set up a new server, and I want it to use the
> second Internet connection and to be reached via the second internet
> connection's public ip address. In fact I believe what i want is
> one-to-one nat.
> I've followed the instructions in the One-to-one NAT howto (
> http://www.shorewall.net/NAT.htm ), and I can manage to make the
> outgoing connections from the server to appear as originating from the
> specific ip address I want, but not to forward all the ports on the eth2
> of the firewall to the server. I set up a normal port forwarding, as I
> usually done for other servers, but with no luck...

You don't use port forwarding rules with one-to-one NAT!!!!! You use ACCEPT rules for incoming traffic, not DNAT rules.

Secondly, one-to-one nat does not forward all ports on the external interface!! It allows connections to the external IP address specified in your /etc/shorewall/nat entry to be mapped to the internal IP address in that entry *given the proper ACCEPT rules*. The external IP address MUST NOT BE THE PRIMARY IP ADDRESS OF THE EXTERNAL INTERFACE (eth2 in your case).

If you still think that one-to-one NAT is appropriate and can't get it to work then please give us the details:

a) What is eth2's IP address.
b) What external IP address are you using for the server?
c) What internal IP address are you using for the server?
d) What does your entry in /etc/shorewall/nat look like?
-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
> Mattia wrote:
>
>> Hi all,
>> first of all thanks to Tom for the great job he's doing with shorewall.
>> My problem: I have a Linux 2.4.26 & shorewall 2.0.5 firewall with this
>> configuration:
>> - eth0 ---> Internet connection, with 12 public ip addresses
>> - eth1 ---> Lan connection, with ip 192.168.11.1/24
>> - eth2 ---> Second internet connection, with 1 public ip address
>>
>> At the moment all the hosts on my internal LAN use the first internet
>> connection to reach the Internet, using obviously 192.168.11.4 as
>> default gw.
>>
>> My problem is: I have set up a new server, and I want it to use the
>> second Internet connection and to be reached via the second internet
>> connection's public ip address. In fact I believe what i want is
>> one-to-one nat.
>> I've followed the instructions in the One-to-one NAT howto (
>> http://www.shorewall.net/NAT.htm ), and I can manage to make the
>> outgoing connections from the server to appear as originating from the
>> specific ip address I want, but not to forward all the ports on the
>> eth2 of the firewall to the server. I set up a normal port forwarding,
>> as I usually done for other servers, but with no luck...
>
> You don't use port forwarding rules with one-to-one NAT!!!!! You use
> ACCEPT rules for incoming traffic, not DNAT rules.
>
> Secondly, one-to-one nat does not forward all ports on the external
> interface!! It allows connections to the external IP address specified
> in your /etc/shorewall/nat entry to be mapped to the internal IP address
> in that entry *given the proper ACCEPT rules*. The external IP address
> MUST NOT BE THE PRIMARY IP ADDRESS OF THE EXTERNAL INTERFACE (eth2 in
> your case).
>
> If you still think that one-to-one NAT is appropriate and can't get it
> to work then please give us the details:
>
> a) What is eth2's IP address.
> b) What external IP address are you using for the server?
> c) What internal IP address are you using for the server?
> d) What does your entry in /etc/shorewall/nat look like?

Handling incoming traffic in your environment will also require some policy routing -- see Shorewall FAQ 38 and pay particular attention to the information provided by Martin Brown.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
>
> Handling incoming traffic in your environment will also require some
> policy routing -- see Shorewall FAQ 38 and pay particular attention to
> the information provided by Martin Brown.
>

Sorry -- the FAQ is #32, not #38.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On 13 Jul 2004, at 15:32, Tom Eastep wrote:
> Mattia wrote:
>> Hi all,
>> first of all thanks to Tom for the great job he's doing with
>> shorewall.
>> My problem: I have a Linux 2.4.26 & shorewall 2.0.5 firewall with
>> this configuration:
>> - eth0 ---> Internet connection, with 12 public ip addresses
>> - eth1 ---> Lan connection, with ip 192.168.11.1/24
>> - eth2 ---> Second internet connection, with 1 public ip address
>> At the moment all the hosts on my internal LAN use the first internet
>> connection to reach the Internet, using obviously 192.168.11.4 as
>> default gw.
>> My problem is: I have set up a new server, and I want it to use the
>> second Internet connection and to be reached via the second internet
>> connection's public ip address. In fact I believe what i want is
>> one-to-one nat.
>> I've followed the instructions in the One-to-one NAT howto (
>> http://www.shorewall.net/NAT.htm ), and I can manage to make the
>> outgoing connections from the server to appear as originating from
>> the specific ip address I want, but not to forward all the ports on
>> the eth2 of the firewall to the server. I set up a normal port
>> forwarding, as I usually done for other servers, but with no luck...
>
> You don't use port forwarding rules with one-to-one NAT!!!!! You use
> ACCEPT rules for incoming traffic, not DNAT rules.

oops... big mistake... :-\

> Secondly, one-to-one nat does not forward all ports on the external
> interface!! It allows connections to the external IP address specified
> in your /etc/shorewall/nat entry to be mapped to the internal IP
> address in that entry *given the proper ACCEPT rules*.

I can't get the appropriate rule... it is an ACCEPT rule, but between which zones? net and loc or net and fw? Let's say I want all the ports on the external public ip address to be mapped on the internal private address; would something like this be correct, or am I completely wrong?

ACCEPT net fw tcp 1:65535

> The external IP address MUST NOT BE THE PRIMARY IP ADDRESS OF THE
> EXTERNAL INTERFACE (eth2 in your case).

...and there's no way if I have just 1 public ip address on that interface?

> If you still think that one-to-one NAT is appropriate and can't get it
> to work then please give us the details:
>
> a) What is eth2's IP address.

Here is my ifconfig output

eth0      Link encap:Ethernet  HWaddr 00:04:75:DA:3F:E7
          inet addr:81.x.y.210  Bcast:81.x.y.223  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:242051793 errors:0 dropped:0 overruns:1 frame:0
          TX packets:290521335 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1739390149 (1658.8 Mb)  TX bytes:1069141898 (1019.6 Mb)
          Interrupt:4 Base address:0x9400

eth0:1    Link encap:Ethernet  HWaddr 00:04:75:DA:3F:E7
          inet addr:81.x.y.211  Bcast:81.x.y.223  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:4 Base address:0x9400

eth0:2    Link encap:Ethernet  HWaddr 00:04:75:DA:3F:E7
          inet addr:81.x.y.212  Bcast:81.x.y.223  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:4 Base address:0x9400

eth0:3    Link encap:Ethernet  HWaddr 00:04:75:DA:3F:E7
          inet addr:81.x.y.213  Bcast:81.x.y.223  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:4 Base address:0x9400

eth0:4    Link encap:Ethernet  HWaddr 00:04:75:DA:3F:E7
          inet addr:81.x.y.214  Bcast:81.x.y.223  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:4 Base address:0x9400

eth0:5    Link encap:Ethernet  HWaddr 00:04:75:DA:3F:E7
          inet addr:81.x.y.215  Bcast:81.x.y.223  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:4 Base address:0x9400

eth0:6    Link encap:Ethernet  HWaddr 00:04:75:DA:3F:E7
          inet addr:81.x.y.216  Bcast:81.x.y.223  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:4 Base address:0x9400

eth0:7    Link encap:Ethernet  HWaddr 00:04:75:DA:3F:E7
          inet addr:81.x.y.217  Bcast:81.x.y.223  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:4 Base address:0x9400

eth0:8    Link encap:Ethernet  HWaddr 00:04:75:DA:3F:E7
          inet addr:81.x.y.218  Bcast:81.x.y.223  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:4 Base address:0x9400

eth0:9    Link encap:Ethernet  HWaddr 00:04:75:DA:3F:E7
          inet addr:81.x.y.219  Bcast:81.x.y.223  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:4 Base address:0x9400

eth0:10   Link encap:Ethernet  HWaddr 00:04:75:DA:3F:E7
          inet addr:81.x.y.220  Bcast:81.x.y.223  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:4 Base address:0x9400

eth0:11   Link encap:Ethernet  HWaddr 00:04:75:DA:3F:E7
          inet addr:81.x.y.221  Bcast:81.x.y.223  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:4 Base address:0x9400

eth0:12   Link encap:Ethernet  HWaddr 00:04:75:DA:3F:E7
          inet addr:81.x.y.222  Bcast:81.x.y.223  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:4 Base address:0x9400

eth1      Link encap:Ethernet  HWaddr 00:04:75:E7:F1:7D
          inet addr:192.168.11.4  Bcast:192.168.11.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:298750211 errors:0 dropped:0 overruns:4 frame:0
          TX packets:245012494 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3262670926 (3111.5 Mb)  TX bytes:683393190 (651.7 Mb)
          Interrupt:15 Base address:0x9000

eth1:1    Link encap:Ethernet  HWaddr 00:04:75:E7:F1:7D
          inet addr:192.168.19.4  Bcast:192.168.19.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:15 Base address:0x9000

eth2      Link encap:Ethernet  HWaddr 00:10:4B:46:72:2F
          inet addr:213.x.y.226  Bcast:80.x.y.239  Mask:255.255.255.240
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:4
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:240 (240.0 b)
          Interrupt:4 Base address:0x8400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1481 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1481 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:90896 (88.7 Kb)  TX bytes:90896 (88.7 Kb)

> b) What external IP address are you using for the server?

The primary ip address of eth2

> c) What internal IP address are you using for the server?

192.168.11.127/24

> d) What does your entry in /etc/shorewall/nat look like?

81.x.y.216 eth0 192.168.11.127 no no
Mattia wrote:
>
>> The external IP address MUST NOT BE THE PRIMARY IP ADDRESS OF THE
>> EXTERNAL INTERFACE (eth2 in your case).
>
> ...and there's no way if I have just 1 public ip address on that interface?
>

There is NO WAY to use one-to-one NAT if you only have 1 public IP address. You must use a simple DNAT rule:

DNAT net:eth2 loc:<internal ip> all

and you must use policy routing to ensure that the replies are routed back out eth2 rather than out your other external interface. A rather simple routing policy that sends all traffic from the <internal ip> out through eth2 is all you really need but that isn't a Shorewall configuration issue.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
> Mattia wrote:
>
>>
>>> The external IP address MUST NOT BE THE PRIMARY IP ADDRESS OF THE
>>> EXTERNAL INTERFACE (eth2 in your case).
>>
>> ...and there's no way if I have just 1 public ip address on that
>> interface?
>>
>
> There is NO WAY to use one-to-one NAT if you only have 1 public IP
> address.

Actually, that isn't totally true. If you set ADD_IP_ALIASES=No in shorewall.conf, you can probably get away with one-to-one NAT. Then your ACCEPT rules just look like:

ACCEPT net:eth2 loc:<internal ip> ...

> You must use a simple DNAT rule:
>
> DNAT net:eth2 loc:<internal ip> all

Although I would really recommend individual rules for the things that you want forwarded. Otherwise, it makes it very difficult to diagnose problems on eth2. The same applies if you use one-to-one NAT as described above.

> and you must use policy routing to ensure that the replies are routed
> back out eth2 rather than out your other external interface. A rather
> simple routing policy that sends all traffic from the <internal ip> out
> through eth2 is all you really need but that isn't a Shorewall
> configuration issue.

Sorry: If you use DNAT for input, you also need an SNAT rule in /etc/shorewall/masq if you want outgoing connections to work:

eth2 <internal ip> <ip address of eth2>

and be sure that you don't have ADD_SNAT_ALIASES=Yes in shorewall.conf.

Regardless of which you choose, the key thing that you are probably still missing is the policy routing.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
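Added example, not from the thread or from the Shorewall project: a POSIX sh script that emits the DNAT-based configuration Tom describes in his last two messages (per-service DNAT rules, the masq entry, the ADD_SNAT_ALIASES check) together with the iproute2 policy-routing commands he says are the missing piece. The eth2 address and gateway are placeholders (the thread masks them), routing table 2 and all function names are my assumptions; the server address is the one from the thread.

```shell
#!/bin/sh
# Single-address second uplink: DNAT in, SNAT out, replies forced back via eth2.
SERVER_IP="192.168.11.127"   # internal server (from the thread)
ETH2_IP="203.0.113.226"      # eth2 primary address (placeholder; masked in thread)
ETH2_GW="203.0.113.225"      # upstream gateway on eth2 (assumed, not on the page)
TABLE_ID="2"                 # dedicated routing table for eth2 (assumed)

# /etc/shorewall/rules entries: one DNAT per TCP port given as an argument,
# rather than "all", so traffic on eth2 stays diagnosable.
shorewall_rules() {
    for p in "$@"; do
        printf 'DNAT\tnet:eth2\tloc:%s\ttcp\t%s\n' "$SERVER_IP" "$p"
    done
}

# /etc/shorewall/masq entry: outbound connections from the server leave
# eth2 with eth2's own address as source.
shorewall_masq() {
    printf 'eth2\t%s\t%s\n' "$SERVER_IP" "$ETH2_IP"
}

# The masq entry above uses eth2's primary address, so shorewall.conf must
# not try to add it as an alias. Argument: path to shorewall.conf.
# Returns 0 when the file is safe, 1 when ADD_SNAT_ALIASES=Yes is set.
conf_ok() {
    ! grep -Eq '^[[:space:]]*ADD_SNAT_ALIASES=[Yy]es' "$1"
}

# Policy routing: anything sourced from the server is routed through table
# TABLE_ID, whose only default route points at the eth2 gateway, so replies
# to DNATed connections go back out eth2 instead of the primary uplink.
policy_routing() {
    cat <<EOF
ip route add default via $ETH2_GW dev eth2 table $TABLE_ID
ip rule add from $SERVER_IP table $TABLE_ID priority 1000
ip route flush cache
EOF
}

# Dry run by default; APPLY=1 executes the routing commands (needs root).
if [ "${APPLY:-0}" = "1" ]; then policy_routing | sh -e; fi
```

Run it as-is to review the generated entries; the Shorewall lines go into rules and masq by hand, and the routing commands must be reapplied at boot since they are not part of the Shorewall configuration.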