I have the following

interfaces

loc eth0
net0 eth1
net1 eth2

(net0 and net1 are the two ISP networks)

policy

loc net0 ACCEPT
loc net1 ACCEPT
net0 all DROP info

proxyarp

209.189.103.204 eth0 eth1 no no

params

Pellucidar=192.168.124.232

rules

DNAT net0 loc:$Pellucidar tcp 22,80,1950,50005 - 209.189.103.204
ACCEPT all all icmp

I can see the interface and ports but when I ping from the outside I get:

From 209.189.103.196 icmp_seq=1 Destination Host Unreachable

At least two of our customers do a "pre-ping" before connecting to our services (I guess this is an AS400 thing) so echo-reply is mandatory. What am I overlooking?

-- 
Stephen
On Thursday 02 September 2004 10:45, Stephen Carville wrote:

> I have the following
>
> interfaces
>
> loc eth0
> net0 eth1
> net1 eth2
>
> (net0 and net1 are the two ISP networks)
>
> policy
> loc net0 ACCEPT
> loc net1 ACCEPT
> net0 all DROP info
>
> proxyarp
>
> 209.189.103.204 eth0 eth1 no no
>
> params
>
> Pellucidar=192.168.124.232
>
> rules
>
> DNAT net0 loc:$Pellucidar tcp 22,80,1950,50005 - 209.189.103.204
> ACCEPT all all icmp
>
> I can see the interface and ports but when I ping from the outside I
> get:
>
> From 209.189.103.196 icmp_seq=1 Destination Host Unreachable
>
> At least two of our customers do a "pre-ping" before connecting to our
> services (I guess this is an AS400 thing) so echo-reply is mandatory.
> What am I overlooking?

A better question would be "What are you trying to do???"

1) The entry in /etc/shorewall/proxyarp is causing arp requests for 209.189.103.204 that come from net1 to be responded to. It is also causing a host route to that address to be added to your local interface (eth0).

2) The DNAT rule causes requests from net0 on selected ports and addressed to 209.189.103.204 to be redirected to the 'loc' network host 192.168.124.232.

So is there a system in your local network with IP address 209.189.103.204? If not, then rather than using proxy ARP, what you want to do is configure 209.189.103.204 as a secondary IP address on eth1 -- your distribution's network configuration tool should be able to do that.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Thursday 02 September 2004 11:09, Tom Eastep wrote:

> 1) The entry in /etc/shorewall/proxyarp is causing arp requests for
> 209.189.103.204 that come from net1

That should have been "...from net0..."

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Thu September 2 2004 11:09 am, Tom Eastep wrote:

> On Thursday 02 September 2004 10:45, Stephen Carville wrote:
> > I have the following
> >
> > interfaces
> >
> > loc eth0
> > net0 eth1
> > net1 eth2
> >
> > (net0 and net1 are the two ISP networks)
> >
> > policy
> > loc net0 ACCEPT
> > loc net1 ACCEPT
> > net0 all DROP info
> >
> > proxyarp
> >
> > 209.189.103.204 eth0 eth1 no no
> >
> > params
> >
> > Pellucidar=192.168.124.232
> >
> > rules
> >
> > DNAT net0 loc:$Pellucidar tcp 22,80,1950,50005 - 209.189.103.204
> > ACCEPT all all icmp
> >
> > I can see the interface and ports but when I ping from the outside I
> > get:
> >
> > From 209.189.103.196 icmp_seq=1 Destination Host Unreachable
> >
> > At least two of our customers do a "pre-ping" before connecting to our
> > services (I guess this is an AS400 thing) so echo-reply is mandatory.
> > What am I overlooking?
>
> A better question would be "What are you trying to do???"

Fair enough. I want certain ports sent to 209.189.103.204 to be forwarded to $Pellucidar (192.168.124.232) -- that part works. I also need the 209.189.103.204 address to respond to an echo request. I can do this using static NAT of course but all the literature on Shorewall and iptables seems to favor DNAT so I'm trying to see if it will do the job as well.

My set up is pretty complex -- two ISPs, two DMZs, one VPN to a remote office, and one trusted network -- and I am evaluating Shorewall as a replacement for the horribly complex Checkpoint with Watchguard setup we are using right now.

> 1) The entry in /etc/shorewall/proxyarp is causing arp requests for
> 209.189.103.204 that come from net1 to be responded to. It is also causing
> a host route to that address to be added to your local interface (eth0).
>
> 2) The DNAT rule causes requests from net0 on selected ports and addressed
> to 209.189.103.204 to be redirected to the 'loc' network host
> 192.168.124.232.
>
> So is there a system in your local network with IP address 209.189.103.204?
> If not, then rather than using proxy ARP, what you want to do is configure
> 209.189.103.204 as a secondary IP address on eth1 -- your distribution's
> network configuration tool should be able to do that.

There is no local network address 209.189.103.204

> -Tom

-- 
Stephen Carville
Unix and Network Administrator
DPSI
6033 W. Century Blvd.
Los Angeles, CA 90045
310-342-3602
On Thursday 02 September 2004 12:32, Stephen Carville wrote:

> There is no local network address 209.189.103.204

Then I would ditch the proxyarp entry and simply add 209.189.103.204 as an address. That way, any requests (like pings) that aren't being forwarded will be directed to the firewall itself. If you are otherwise ignoring 'ping', you can add:

ACCEPT net fw:209.189.103.204 icmp 8

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Thu September 2 2004 12:36 pm, Tom Eastep wrote:

> On Thursday 02 September 2004 12:32, Stephen Carville wrote:
> > There is no local network address 209.189.103.204
>
> Then I would ditch the proxyarp entry and simply add 209.189.103.204 as an
> address. That way, any requests (like pings) that aren't being forwarded
> will be directed to the firewall itself.

By golly, that works! Thanks.

> If you are otherwise ignoring 'ping', you can add:
>
> ACCEPT net fw:209.189.103.204 icmp 8
>
> -Tom

-- 
Stephen Carville
Unix and Network Administrator
DPSI
6033 W. Century Blvd.
Los Angeles, CA 90045
310-342-3602
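The following is an added illustration, not part of the thread and not Shorewall's own code: a simplified Python model of the path an inbound packet to 209.189.103.204 takes under the two setups Tom describes. It models only the pieces discussed (the DNAT rule matching tcp on the listed ports, the proxyarp host route pointing at eth0, and the secondary address on eth1 with an ICMP type 8 accept rule to the fw zone). The firewall's own eth1 address being 209.189.103.196 is an assumption taken from the "From" of the unreachable message; the rest of the addresses come from the thread.

```python
# Added illustration (not Shorewall code): why an ICMP echo to the DNAT'ed
# address fails with a proxyarp entry and no local host, and why a secondary
# address on eth1 plus an ICMP accept rule fixes it.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    src_zone: str                    # zone the packet arrives from ("net0")
    proto: str                       # "tcp" or "icmp"
    dst: str                         # destination address as seen on the wire
    dport: Optional[int] = None      # tcp destination port
    icmp_type: Optional[int] = None  # 8 = echo request


@dataclass
class DnatRule:
    """One rules line: DNAT <src_zone> loc:<to_addr> <proto> <ports> - <orig_dest>"""
    src_zone: str
    to_addr: str
    proto: str
    ports: Set[int]
    orig_dest: str


@dataclass
class Firewall:
    local_addrs: Set[str]               # addresses configured on the firewall itself
    proxyarp_routes: Dict[str, str]     # addr -> interface the proxyarp host route points at
    hosts_behind: Dict[str, Set[str]]   # interface -> addresses that really exist there
    dnat: List[DnatRule] = field(default_factory=list)
    echo_to_fw_accepted: bool = False   # an 'ACCEPT net fw:<addr> icmp 8' rule is present

    def handle(self, pkt: Packet) -> str:
        # 1. DNAT runs before routing and matches only the listed protocol and ports,
        #    so an ICMP echo to the same address is never redirected to $Pellucidar.
        for rule in self.dnat:
            if (pkt.src_zone == rule.src_zone and pkt.proto == rule.proto
                    and pkt.dst == rule.orig_dest and pkt.dport in rule.ports):
                return f"forwarded to {rule.to_addr}"
        # 2. Address configured on the firewall: delivered locally, i.e. the fw zone.
        if pkt.dst in self.local_addrs:
            if pkt.proto == "icmp" and pkt.icmp_type == 8 and self.echo_to_fw_accepted:
                return "echo-reply from firewall"
            return "dropped by net0 policy"
        # 3. proxyarp host route: the firewall forwards out that interface and ARPs
        #    for the address there; when no host owns it, nobody answers.
        iface = self.proxyarp_routes.get(pkt.dst)
        if iface is not None:
            if pkt.dst in self.hosts_behind.get(iface, set()):
                return f"forwarded on {iface}"
            return "Destination Host Unreachable"
        return "no route"


DNAT_RULE = DnatRule("net0", "192.168.124.232", "tcp", {22, 80, 1950, 50005}, "209.189.103.204")
LOC_HOSTS = {"eth0": {"192.168.124.232"}}   # constructed: only $Pellucidar lives on loc


def original_setup() -> Firewall:
    """Stephen's first configuration: proxyarp entry, address owned by no local host."""
    return Firewall(local_addrs={"209.189.103.196"},   # assumed: the firewall's eth1 address
                    proxyarp_routes={"209.189.103.204": "eth0"},
                    hosts_behind=LOC_HOSTS, dnat=[DNAT_RULE])


def fixed_setup() -> Firewall:
    """Tom's suggestion: no proxyarp, address added to eth1, echo to fw accepted."""
    return Firewall(local_addrs={"209.189.103.196", "209.189.103.204"},
                    proxyarp_routes={}, hosts_behind=LOC_HOSTS,
                    dnat=[DNAT_RULE], echo_to_fw_accepted=True)


ECHO = Packet("net0", "icmp", "209.189.103.204", icmp_type=8)   # the customers' "pre-ping"
SSH = Packet("net0", "tcp", "209.189.103.204", dport=22)        # one of the DNAT'ed ports

if __name__ == "__main__":
    for name, fw in (("original", original_setup()), ("fixed", fixed_setup())):
        print(f"{name}: ssh -> {fw.handle(SSH)}; ping -> {fw.handle(ECHO)}")
```

The model deliberately leaves out anything the thread does not settle, such as whether the existing `ACCEPT all all icmp` line already covers the fw zone; the `echo_to_fw_accepted` flag stands for the explicit `ACCEPT net fw:209.189.103.204 icmp 8` rule Tom suggested.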