Brian K. Andersen
2004-Sep-10 11:12 UTC
Is ProxyARP or NAT entries really necessary for DNAT to work?
I have been trying to get DNAT to work and I actually have succeeded too, however, not how I thought it would work when reading through the documentation.

1. No matter what I do I cannot get DNAT to work unless I have an entry in either the nat or the proxyarp file. Is that really how it's supposed to be? I can't find anything about it in the documentation.

2. Also, in the documentation it says that the order of the rules is not significant; however, if I DNAT port 80 into dmz before I DNAT port 80 to loc, all requests to port 80 are forwarded to dmz. If the loc entry is before the dmz entry it all works.

Here's my setup:

Linux: Gentoo 2.4.26-r9
Shorewall: 2.0.4

Net:
iface_eth0="192.168.1.254 broadcast 192.168.1.255 netmask 255.255.255.0"
iface_eth1="192.168.201.17 broadcast 192.168.201.255 netmask 255.255.255.0"
iface_eth2="???.??.77.142 broadcast ???.??.77.143 netmask 255.255.255.240"
gateway="eth2/???.??.77.129"

Interfaces:
loc eth0 detect
dmz eth1 detect
net eth2 detect routefilter,norfc1918

Proxyarp:
???.??.77.131 eth1 eth2 No No
???.??.77.132 eth0 eth2 No No
???.??.77.136 eth0 eth2 No No
???.??.77.140 eth1 eth2 No No

Rules that work:
DNAT:info net loc:192.168.1.132 tcp 80 - ???.??.77.132
DNAT:info net loc:192.168.1.101 tcp 80 - ???.??.77.136
DNAT:info net dmz:192.168.201.4 tcp 80 - ???.??.77.131
DNAT:info net dmz:192.168.201.6 tcp 80 - ???.??.77.140

Rules that do not work (all requests to port 80 are forwarded to the dmz):
DNAT:info net dmz:192.168.201.4 tcp 80 - ???.??.77.131
DNAT:info net dmz:192.168.201.6 tcp 80 - ???.??.77.140
DNAT:info net loc:192.168.1.132 tcp 80 - ???.??.77.132
DNAT:info net loc:192.168.1.101 tcp 80 - ???.??.77.136

Policy:
loc net ACCEPT
fw net ACCEPT
dmz net ACCEPT
net all DROP info
all all REJECT info

All in all pretty straightforward, or so I think, although I have a feeling that it is my proxyarp file that is wrong (and I don't think it is needed).

Cheers,
Brian K. Andersen
Guilsson
2004-Sep-10 17:02 UTC
Re: Is ProxyARP or NAT entries really necessary for DNAT to work?
One possible reason is a wrong or missing default gateway in the internal machines. In this scenario, changing:

DNAT net dmz:web.server tcp www

to

DNAT net dmz:web.server tcp www - <ip.of.dmz.iface.of.fw>

causes the packets to appear to come from the FW interface instead of the NET public IP.

-Gilson Soares

On Fri, 10 Sep 2004 13:12:09 +0200, Brian K. Andersen <bka@nonstop.dk> wrote:
> I have been trying to get DNAT to work and I actually have succeeded
> too, however, not how I thought it would work when reading through the
> documentation.
>
> 1. No matter what I do I cannot get DNAT to work unless I have an entry
> in either the nat or the proxyarp file. Is that really how it's supposed
> to be? I can't find anything about it in the documentation.
> 2. Also, in the documentation it says that the order of the rules is not
> significant; however, if I DNAT port 80 into dmz before I DNAT port 80
> to loc, all requests to port 80 are forwarded to dmz. If the loc entry is
> before the dmz entry it all works.
>
> Here's my setup:
> Linux: Gentoo 2.4.26-r9
> Shorewall: 2.0.4
>
> Net:
> iface_eth0="192.168.1.254 broadcast 192.168.1.255 netmask 255.255.255.0"
> iface_eth1="192.168.201.17 broadcast 192.168.201.255 netmask 255.255.255.0"
> iface_eth2="???.??.77.142 broadcast ???.??.77.143 netmask 255.255.255.240"
> gateway="eth2/???.??.77.129"
>
> Interfaces:
> loc eth0 detect
> dmz eth1 detect
> net eth2 detect routefilter,norfc1918
>
> Proxyarp:
> ???.??.77.131 eth1 eth2 No No
> ???.??.77.132 eth0 eth2 No No
> ???.??.77.136 eth0 eth2 No No
> ???.??.77.140 eth1 eth2 No No
>
> Rules that work:
> DNAT:info net loc:192.168.1.132 tcp 80 - ???.??.77.132
> DNAT:info net loc:192.168.1.101 tcp 80 - ???.??.77.136
> DNAT:info net dmz:192.168.201.4 tcp 80 - ???.??.77.131
> DNAT:info net dmz:192.168.201.6 tcp 80 - ???.??.77.140
>
> Rules that do not work (all requests to port 80 are forwarded to the
> dmz):
> DNAT:info net dmz:192.168.201.4 tcp 80 - ???.??.77.131
> DNAT:info net dmz:192.168.201.6 tcp 80 - ???.??.77.140
> DNAT:info net loc:192.168.1.132 tcp 80 - ???.??.77.132
> DNAT:info net loc:192.168.1.101 tcp 80 - ???.??.77.136
>
> Policy:
> loc net ACCEPT
> fw net ACCEPT
> dmz net ACCEPT
> net all DROP info
> all all REJECT info
>
> All in all pretty straightforward, or so I think, although I have a
> feeling that it is my proxyarp file that is wrong (and I don't think it
> is needed).
>
> Cheers,
> Brian K. Andersen
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
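The two questions in the thread (why a proxyarp or nat entry is needed, and when DNAT rule order matters) both come down to checks that can be run against the rules file before loading it. Two facts drive them: the DNAT rules land in the iptables nat PREROUTING chain, which is first-match, so two DNAT rules that match the same incoming packet leave only the first one effective; and a public address that lies inside the firewall's upstream subnet (here the /28 on eth2) only ever reaches the firewall if the firewall answers ARP for it on that segment, which is what the proxyarp entry (or an address added via the nat file) provides. The lint below is an added example written for this thread, not code from Shorewall or from either poster. It assumes the Shorewall 2.x rules column layout ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST, ignores the SOURCE zone when comparing rules (all rules in the thread use net), and substitutes the constructed prefix 203.0.113.128/28 for the masked ???.??.77.x addresses.

```python
"""Lint a Shorewall 2.x-style rules file for two DNAT pitfalls:
   - a rule shadowed by an earlier rule matching the same inbound traffic
     (nat PREROUTING is first-match, so only the first ever fires);
   - an ORIGINAL DEST address the firewall does not claim via proxy ARP.
Added example for the mailing-list thread; not Shorewall's own code."""
from collections import namedtuple

Rule = namedtuple("Rule", "action source dest proto dport sport origdest")

# Constructed sample modelled on the thread. The poster masked his public
# prefix as ???.??.77.x; 203.0.113.128/28 (TEST-NET-3) stands in for it.
PROXYARP = """\
203.0.113.131 eth1 eth2 No No
203.0.113.132 eth0 eth2 No No
203.0.113.136 eth0 eth2 No No
203.0.113.140 eth1 eth2 No No
"""

# The poster's working rule set, with the masked addresses substituted.
RULES_OK = """\
DNAT:info net loc:192.168.1.132 tcp 80 - 203.0.113.132
DNAT:info net loc:192.168.1.101 tcp 80 - 203.0.113.136
DNAT:info net dmz:192.168.201.4 tcp 80 - 203.0.113.131
DNAT:info net dmz:192.168.201.6 tcp 80 - 203.0.113.140
"""

# Constructed bad variant: two rules omit ORIGINAL DEST (so they match any
# public address on tcp/80) and one names an address nobody proxy-ARPs for.
RULES_BAD = """\
DNAT:info net dmz:192.168.201.4 tcp 80 - -
DNAT:info net loc:192.168.1.132 tcp 80 - -
DNAT:info net loc:192.168.1.101 tcp 80 - 203.0.113.137
"""


def _fields(text):
    """Yield whitespace-split columns of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_rules(text):
    """Parse rules-file lines into Rule tuples; missing optional columns become '-'."""
    rules = []
    for cols in _fields(text):
        cols = cols[:7] + ["-"] * (7 - len(cols))
        action = cols[0].split(":", 1)[0]  # drop a ':info' style log level
        rules.append(Rule(action, cols[1], cols[2], cols[3].lower(), *cols[4:7]))
    return rules


def parse_proxyarp(text):
    """Return the set of public addresses the firewall answers ARP for."""
    return {cols[0] for cols in _fields(text)}


def lint_dnat(rules, claimed):
    """Return (kind, rule DEST, detail) findings in rules-file order.

    kind 'shadowed': an earlier DNAT rule already matches this rule's traffic
                     (same proto/port and either the same ORIGINAL DEST or an
                     earlier wildcard '-'), so this rule never fires.
    kind 'unclaimed': ORIGINAL DEST is not in the proxyarp table, so packets
                     for it never arrive at the firewall in the first place.
    """
    findings = []
    first_wildcard = {}  # (proto, dport) -> DEST of first rule with ORIGINAL DEST '-'
    first_specific = {}  # (proto, dport, origdest) -> DEST of first such rule
    for r in rules:
        if r.action != "DNAT":
            continue
        port_key = (r.proto, r.dport)
        full_key = port_key + (r.origdest,)
        if port_key in first_wildcard:
            findings.append(("shadowed", r.dest, first_wildcard[port_key]))
        elif full_key in first_specific:
            findings.append(("shadowed", r.dest, first_specific[full_key]))
        if r.origdest == "-":
            first_wildcard.setdefault(port_key, r.dest)
        else:
            first_specific.setdefault(full_key, r.dest)
            if r.origdest not in claimed:
                findings.append(("unclaimed", r.dest, r.origdest))
    return findings


if __name__ == "__main__":
    claimed = parse_proxyarp(PROXYARP)
    for name, text in (("RULES_OK", RULES_OK), ("RULES_BAD", RULES_BAD)):
        print(f"{name}:")
        for kind, dest, detail in lint_dnat(parse_rules(text), claimed) or [("clean", "-", "-")]:
            print(f"  {kind:9} {dest:22} {detail}")
```

Run against the poster's working set the lint is clean: every rule carries a distinct ORIGINAL DEST that the proxyarp table claims, so first-match ordering cannot explain which rule fires, and a reordering problem would have to be looked for elsewhere (the reply above points at the internal hosts' default gateway). Against the constructed bad set it reports the second and third rules as shadowed by the first wildcard rule and the third rule's 203.0.113.137 as unclaimed.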