Hi,

I'm trying to use shorewall for a RAS dialup solution. We have networks we need to connect to with the same ranges internally (i.e. 2 separate users with a 192.168.0.0/24 range). We connect to these via a pptp tunnel (or isdn).

The problem we have is that we need to access these networks all the time, so allocate them a range from our internal range. This will then be NATed to the address on the client side. For this to work the solution we put in needs to route before it NATs - so all traffic for network 1 is first routed to the ppp0 interface and then NATed to the customer's internal address, whereas traffic for network 2 is routed to ppp1 even though it has the same address after the NAT has taken place.

This is what I need to happen (I hope it turns out ok):

Client(172.16.0.1) -> ServerA-CustA (172.20.0.1) -> {[shorewall eth0] -> ROUTED -> [shorewall ppp0] -> NAT 172.20.0.1 to 192.168.0.1 -> customer
Client(172.16.0.1) -> ServerA-CustB (172.20.1.1) -> {[shorewall eth0] -> ROUTED -> [shorewall ppp1] -> NAT 172.20.1.1 to 192.168.0.1 -> customer

Obviously if it NATs before it ROUTES both the addresses will be to 192.168.0.1, and so will not go down the right interface, so basically I need to know whether Shorewall NATs before it routes, or the other way round?

Any input into this problem would be much appreciated.

Thanks in advance,
Rob

Lynx Technology Ltd is a Cisco Systems Gold Certified Partner, Microsoft Gold Certified Partner and HP Business Partner Select / Authorised Warranty Delivery Partner. Sales Offices: Sheffield, London City, High Wycombe

DISCLAIMER: This message is intended only for the use of the person(s) ('Intended Recipient') to whom it is addressed. It may contain information, which is privileged and confidential. Accordingly any dissemination, distribution, copying or other use of this message or any of its content by any person other than the Intended Recipient may constitute a breach of civil or criminal law and is strictly prohibited. If you are not the Intended Recipient, please contact the sender as soon as possible. Neither Lynx Technology Ltd or the sender accept any responsibility for viruses and it is your responsibility to scan the email and attachments. Any liability arising from any third party acting on any information contained in this email is hereby excluded. Lynx Technology Ltd will hold data provided by you for marketing and promotional purposes unless otherwise advised. Please see our Statement of Privacy at www.lynxtec.com.
On Wed, 2004-11-24 at 17:29 +0000, Ellison, Robert wrote:

> so basically I need to know whether Shorewall NATs before it routes, or
> the other way round?
>
> Any input into this problem would be much appreciated.

See:

http://shorewall.net/NetfilterOverview.html
http://shorewall.net/PacketHandling.html

Linux/Netfilter cannot alter the destination IP address after routing.

You might investigate this approach: http://shorewall.net/netmap.html

It can be used with NAT as well as NETMAP but it requires packet rewriting in the routers at both ends of the tunnel.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
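As an added illustration (not code from this thread or from Shorewall), the small model below walks a packet through the Netfilter order Tom refers to, with nat PREROUTING (DNAT/NETMAP) running before the routing decision. It uses Rob's addresses: his design collapses both customers onto ppp0, while Tom's suggestion, with the central box routing on the untouched 172.20.x alias and an assumed router at each customer end doing the NETMAP back to 192.168.0.0/24, keeps the tunnels apart.

```python
import ipaddress

def netmap(dst, old_net, new_net):
    """NETMAP-style 1:1 rewrite: keep the host part, replace the network part."""
    old, new = ipaddress.ip_network(old_net), ipaddress.ip_network(new_net)
    return new.network_address + (int(dst) - int(old.network_address))

def traverse(dst, dnat_rules, routes):
    """Forward one packet and return (exit interface, destination after NAT).

    Order follows the Netfilter overview Tom links: nat PREROUTING (DNAT)
    runs before the routing decision, so routing only sees the rewritten address.
    """
    dst = ipaddress.ip_address(dst)
    for old_net, new_net in dnat_rules:          # 1. nat PREROUTING
        if dst in ipaddress.ip_network(old_net):
            dst = netmap(dst, old_net, new_net)
            break
    best = None                                  # 2. routing, longest prefix wins
    for net, iface in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (best[1] if best else None, str(dst))

# Rob's central box: per-customer aliases 172.20.0.0/24 and 172.20.1.0/24, both
# meant to become the customer's 192.168.0.0/24 (addresses from the thread).
ROB_DNAT = [("172.20.0.0/24", "192.168.0.0/24"), ("172.20.1.0/24", "192.168.0.0/24")]
ROB_ROUTES = [("172.20.0.0/24", "ppp0"), ("172.20.1.0/24", "ppp1"),
              ("192.168.0.0/24", "ppp0")]  # one route can only name one tunnel

def rob_design():
    """Both customers exit ppp0: DNAT has already collapsed them to 192.168.0.1."""
    return tuple(traverse(d, ROB_DNAT, ROB_ROUTES) for d in ("172.20.0.1", "172.20.1.1"))

# Tom's NETMAP suggestion: the central box leaves the destination alone and
# routes on the 172.20.x alias; a router at each customer end (assumed here;
# the thread says both ends must rewrite) maps its alias back to 192.168.0.0/24.
CUSTOMER_ROUTERS = {"ppp0": ("172.20.0.0/24", "lan"), "ppp1": ("172.20.1.0/24", "lan")}

def tom_design():
    """Return (tunnel chosen centrally, address delivered on the customer LAN)."""
    out = []
    for d in ("172.20.0.1", "172.20.1.1"):
        tunnel, unchanged = traverse(d, [], ROB_ROUTES)
        alias, lan = CUSTOMER_ROUTERS[tunnel]
        _, delivered = traverse(unchanged, [(alias, "192.168.0.0/24")], [("192.168.0.0/24", lan)])
        out.append((tunnel, delivered))
    return tuple(out)
```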
Hi,

I am a subscriber, but under the address rob@lynxtec.org. Any help here would be appreciated...

I'm trying to use shorewall for a RAS dialup solution. We have networks we need to connect to with the same ranges internally (i.e. 2 separate users with a 192.168.0.0/24 range). We connect to these via a pptp tunnel (or isdn).

The problem we have is that we need to access these networks all the time, so allocate them a range from our internal range. This will then be NATed to the address on the client side. For this to work the solution we put in needs to route before it NATs - so all traffic for network 1 is first routed to the ppp0 interface and then NATed to the customer's internal address, whereas traffic for network 2 is routed to ppp1 even though it has the same address after the NAT has taken place.

This is what I need to happen (I hope it turns out ok):

Client(172.16.0.1) -> ServerA-CustA (172.20.0.1) -> {[shorewall eth0] -> ROUTED -> [shorewall ppp0] -> NAT 172.20.0.1 to 192.168.0.1 -> customer
Client(172.16.0.1) -> ServerA-CustB (172.20.1.1) -> {[shorewall eth0] -> ROUTED -> [shorewall ppp1] -> NAT 172.20.1.1 to 192.168.0.1 -> customer

Obviously if it NATs before it ROUTES both the addresses will be to 192.168.0.1, and so will not go down the right interface, so basically I need to know whether Shorewall NATs before it routes, or the other way round?

Any input into this problem would be much appreciated.

Thanks in advance,
Rob
On Mon, 2004-11-29 at 11:28 +0000, Ellison, Robert wrote:

> Any input into this problem would be much appreciated.

I answered this question last week! Here's the reply again:

See:

http://shorewall.net/NetfilterOverview.html
http://shorewall.net/PacketHandling.html

Linux/Netfilter cannot alter the destination IP address after routing.

You might investigate this approach: http://shorewall.net/netmap.html

It can be used with NAT as well as NETMAP but it requires packet rewriting in the routers at both ends of the tunnel.

-Tom
Hi,

I need to be able to do this on one end of the links only. The idea is that we control this one box to connect to customers' sites (which run win2000 RAS boxes).

Is there no way in linux to NAT after the routing? If not in linux, do you know of anything else that may support this with pptp and ppp interfaces?

Thanks for your help,
Rob

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: 29 November 2004 15:02
To: Shorewall Users
Cc: Ellison, Robert
Subject: Re: [Shorewall-users] Route first or NAT?
On Mon, 2004-11-29 at 15:09 +0000, Ellison, Robert wrote:

> Hi,
> I need to be able to do this on one end of the links only.
> The idea is that we control this one box to connect to customers' sites
> (which run win2000 RAS boxes).
> Is there no way in linux to NAT after the routing?

There is no way to do it with Netfilter. There is a way to do NAT with the iproute package but:

a) I haven't tried it in years and don't remember how it works.
b) You can read the documentation about it and experiment with it as well as I can.
c) It is off-topic for this list.

-Tom
On Mon, 2004-11-29 at 16:09 +0000, Ellison, Robert wrote:

> Ok, thanks for your help anyway.
> I'll give iproute a try.
> Do you have any idea if it will work in conjunction with Shorewall?

No, I don't.

-Tom