Yes, thank you for answering so fast!
I have corrected it; here are the new diagram and the new routing table. But it
still doesn't work. From the router I can access 192.168.11.254.
I have added the rule:
DNAT loc priv:192.168.11.254:22 tcp 22
But I can't connect to 192.168.11.254 from the LAN.
The DNAT function doesn't work, but I can DROP packets arriving on eth0 (loc)
or eth2 (net).
I don't understand where the mistake is.
         Net                              Private network : 192.168.33.0/24
          |                               Gateway : 192.168.33.254
          |                               Private ISP router : 192.168.33.254
   Router ISP : 192.168.1.254             Private ISP router : 192.168.11.254
          |                                               |
   -------------------------------------------------------------
   |  Eth2 : noip                     Eth1 : 192.168.11.253     |
   |                                                           |   Firewall Shorewall 2.0.9
   |                 br0 : 192.168.1.199                       |   Fedora Core 2
   |                                                           |
   |  Eth0 : noip                                              |
   -------------------------------------------------------------
          |
   ------------------------------------------
   LAN 192.168.1.0/24 - Gateway : 192.168.1.254
-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net
[mailto:shorewall-users-bounces@lists.shorewall.net] On behalf of
shorewall-users-request@lists.shorewall.net
Sent: Sunday 3 October 2004 21:00
To: shorewall-users@lists.shorewall.net
Subject: Shorewall-users Digest, Vol 23, Issue 4
Send Shorewall-users mailing list submissions to
shorewall-users@lists.shorewall.net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.shorewall.net/mailman/listinfo/shorewall-users
or, via email, send a message with subject or body 'help' to
shorewall-users-request@lists.shorewall.net
You can reach the person managing the list at
shorewall-users-owner@lists.shorewall.net
When replying, please edit your Subject line so it is more specific than
"Re: Contents of Shorewall-users digest..."
Today's Topics:
1. Bridge and routing question (Frédéric Raynaud)
2. Re: Bridge and routing question (Tom Eastep)
----------------------------------------------------------------------
Message: 1
Date: Sun, 3 Oct 2004 19:14:21 +0200
From: Frédéric Raynaud <raynaud.f@ifrance.com>
Subject: [Shorewall-users] Bridge and routing question
To: <shorewall-users@lists.shorewall.net>
Message-ID: <0410031652.321312@b0504.idoo.com>
Content-Type: text/plain; charset="Windows-1252"
Hi all,
Perhaps I've missed something...
I have read every FAQ and documentation from shorewall.net before asking
the question here; I hope someone can help me!
I have tried many things (DNAT, masquerading, proxy ARP); it doesn't work.
LAN and PRIVATE network can't see each other: I can't ping the PRIVATE LAN
from the LAN and vice versa.
I first thought of a routing error, but I can't see where.
I tried to DNAT port 22 from eth1 to eth0; I still can't ssh to the LAN from
the PRIVATE LAN, and when I use tcpdump the TCP/IP packets are still sent to
the Router ISP.
Perhaps I should try the newer Shorewall beta version?
Many thanks in advance for any help.
Eth0 and eth2 are bridged.
I can ping net from the LAN.
I can ping every firewall interface from the LAN and the PRIVATE LAN. I can
ping everything from the firewall.
Bridging is activated in shorewall.conf.
         Net                              Private network : 192.168.33.0/24
          |                               Gateway : 192.168.33.254
          |                               Private ISP router : 192.168.33.254
   Router ISP : 192.168.1.254             Private ISP router : 192.168.11.254
          |                                               |
   -------------------------------------------------------------
   |  Eth2 : noip                     Eth1 : 192.168.11.253     |
   |                                                           |   Firewall Shorewall 2.0.9
   |                 br0 : 192.168.1.199                       |   Fedora Core 2
   |                                                           |
   |  Eth0 : 192.168.1.250                                     |
   -------------------------------------------------------------
          |
   ------------------------------------------
   LAN 192.168.1.0/24 - Gateway : 192.168.1.254
The Firewall routing table :
Net             Gateway         Genmask         Indic Metric Ref Use Iface
192.168.33.0    192.168.11.253  255.255.255.0   UG    0      0   0   eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   br0
192.168.11.0    192.168.11.253  255.255.255.0   UG    0      0   0   eth1
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0   0   br0
Shorewall zone :
#ZONE   HOST(S)     OPTIONS
net     br0:eth2
loc     br0:eth0    routeback

Shorewall interfaces :
#ZONE   INTERFACE   BROADCAST   OPTIONS
#
-       br0         detect
priv    eth1        detect      routeback

Shorewall policy :
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
loc     net     ACCEPT
net     all     DROP    info
loc     fw      ACCEPT
fw      net     ACCEPT
fw      loc     ACCEPT
priv    loc     ACCEPT
loc     priv    ACCEPT
fw      priv    ACCEPT
priv    fw      ACCEPT
priv    net     ACCEPT

Shorewall zones :
#ZONE   DISPLAY COMMENTS
priv    priv    Global intranet
net     Net     Internet
loc     Local   Local networks
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.767 / Virus Database: 514 - Release Date: 21/09/2004
------------------------------
Message: 2
Date: Sun, 03 Oct 2004 11:09:42 -0700
From: Tom Eastep <teastep@shorewall.net>
Subject: Re: [Shorewall-users] Bridge and routing question
To: Mailing List for Shorewall Users
<shorewall-users@lists.shorewall.net>
Message-ID: <41604066.8030806@shorewall.net>
Content-Type: text/plain; charset=windows-1252
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Frédéric Raynaud wrote:
>
> Eth0 and eth2 are bridged.
>
> The Firewall routing table :
>
> Net             Gateway         Genmask         Indic Metric Ref Use Iface
> 192.168.33.0    192.168.11.253  255.255.255.0   UG    0      0   0   eth1
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth0
If eth0 is bridged then it must not have an IP address and hence will not
appear in the routing table.
- -Tom
- --
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFBYEBmO/MAbZfjDLIRAne8AKCSLvKQqYsYkDttgNkG1PXdUlTouwCgqEvD
YQ+MHZBvEZyMf5+75xdyqmU=Pr/B
-----END PGP SIGNATURE-----
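Tom's point above, that a bridged port must carry no IP address and therefore must not show up in the routing table, is easy to turn into a configuration check. The script below is an added example, not part of this thread and not Shorewall's own code. It feeds constructed text shaped like the output of `ip -o -4 addr show` and `ip -4 route show` (mirroring the routing table posted above, where eth0 is a member of br0 but still owns 192.168.1.250 and a connected route) through a small POSIX sh function that reports every bridge port that still holds an address or a route. On a live host the three inputs would come from `ls /sys/class/net/br0/brif`, `ip -o -4 addr show` and `ip -4 route show`; the interface names and addresses here are taken from the thread and the command output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): verify that
# bridge member ports own no IPv4 address and no route of their own.

# Constructed: bridge ports of br0, one per line (eth0 + eth2 as in the thread).
BRIDGE_PORTS="eth0
eth2"

# Constructed: text shaped like `ip -o -4 addr show` ($2 is the interface name).
ADDRS="1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.250/24 brd 192.168.1.255 scope global eth0
3: eth1    inet 192.168.11.253/24 brd 192.168.11.255 scope global eth1
5: br0    inet 192.168.1.199/24 brd 192.168.1.255 scope global br0"

# Constructed: text shaped like `ip -4 route show`, matching the posted table.
ROUTES="192.168.33.0/24 via 192.168.11.253 dev eth1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.250
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.199
192.168.11.0/24 dev eth1 proto kernel scope link src 192.168.11.253
default via 192.168.1.254 dev br0"

# check_bridge_ports PORTS ADDRS ROUTES
# Prints one finding per bridge port that still owns an address or a route.
# Returns 0 when every port is clean, 1 when at least one finding was printed.
check_bridge_ports() {
    ports="$1"; addrs="$2"; routes="$3"
    rc=0
    for port in $ports; do
        # Address check: any `ip -o addr` line whose interface field is this port.
        if printf '%s\n' "$addrs" |
           awk -v p="$port" '$2 == p { found = 1 } END { exit !found }'; then
            echo "ADDRESS on bridge port $port"
            rc=1
        fi
        # Route check: any route line with "dev <port>" names the port directly.
        if printf '%s\n' "$routes" |
           awk -v p="$port" '{ for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == p) found = 1 }
                             END { exit !found }'; then
            echo "ROUTE via bridge port $port"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: the constructed data reproduces the thread's misconfiguration.
if check_bridge_ports "$BRIDGE_PORTS" "$ADDRS" "$ROUTES"; then
    echo "bridge ports are clean"
else
    echo "bridge ports still carry addresses/routes; only br0 should hold them"
fi
```

Run against the constructed data the function reports eth0 twice (an address and a connected route) and says nothing about eth2, which is the state the original routing table showed; once the address is moved to br0 both findings disappear.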
------------------------------
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
End of Shorewall-users Digest, Vol 23, Issue 4
**********************************************