What is my source?

tail /var/log/messages
Dec 14 14:53:14 rama-kandra kernel: Shorewall:all2all:REJECT:IN= OUT=eth3 SRC=203.96.213.73 DST=203.152.118.23 LEN=288 TOS=0x00 PREC=0x00 TTL=64 ID=73 DF PROTO=UDP SPT=500 DPT=500 LEN=268

doesn't match tcrules
4 202.37.230.93 0.0.0.0/0 udp 500

how does the kernel decide which src to use?

Ultimately I want all UDP 500 to use src 202.37.230.93

P.
On Tue, 2004-12-14 at 14:56 +1300, Paul wrote:
> What is my source?
> tail /var/log/messages
> Dec 14 14:53:14 rama-kandra kernel: Shorewall:all2all:REJECT:IN= OUT=eth3 SRC=203.96.213.73 DST=203.152.118.23 LEN=288 TOS=0x00 PREC=0x00
> TTL=64 ID=73 DF PROTO=UDP SPT=500 DPT=500 LEN=268
>
> doesn't match tcrules
> 4 202.37.230.93 0.0.0.0/0 udp 500
>
> how does the kernel decide which src to use?
>
> Ultimately I want all UDP 500 to use src 202.37.230.93

Paul -- this whole thread is wildly off-topic for this list!

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Mon, 2004-12-13 at 17:58 -0800, Tom Eastep wrote:
> On Tue, 2004-12-14 at 14:56 +1300, Paul wrote:
> > What is my source?
> > tail /var/log/messages
> > Dec 14 14:53:14 rama-kandra kernel: Shorewall:all2all:REJECT:IN= OUT=eth3 SRC=203.96.213.73 DST=203.152.118.23 LEN=288 TOS=0x00 PREC=0x00
> > TTL=64 ID=73 DF PROTO=UDP SPT=500 DPT=500 LEN=268
> >
> > doesn't match tcrules
> > 4 202.37.230.93 0.0.0.0/0 udp 500
> >
> > how does the kernel decide which src to use?
> >
> > Ultimately I want all UDP 500 to use src 202.37.230.93
>
> Paul -- this whole thread is wildly off-topic for this list!

The Shorewall list that is -- I see you also committed the cross-post sin...

-Tom
On Mon, 2004-12-13 at 18:01 -0800, Tom Eastep wrote:
> On Mon, 2004-12-13 at 17:58 -0800, Tom Eastep wrote:
> > On Tue, 2004-12-14 at 14:56 +1300, Paul wrote:
> > > What is my source?
> > > tail /var/log/messages
> > > Dec 14 14:53:14 rama-kandra kernel: Shorewall:all2all:REJECT:IN= OUT=eth3 SRC=203.96.213.73 DST=203.152.118.23 LEN=288 TOS=0x00 PREC=0x00
> > > TTL=64 ID=73 DF PROTO=UDP SPT=500 DPT=500 LEN=268
> > >
> > > doesn't match tcrules
> > > 4 202.37.230.93 0.0.0.0/0 udp 500
> > >
> > > how does the kernel decide which src to use?
> > >
> > > Ultimately I want all UDP 500 to use src 202.37.230.93
> >
> > Paul -- this whole thread is wildly off-topic for this list!
>
> The Shorewall list that is -- I see you also committed the cross-post
> sin...

and 99% of the people on the Netfilter list won't know what you mean by 'tcrules'...

-Tom
Hi all-

I've got a couple of LANs that are on different subnets and I was wondering if it's possible to do some special natting so I can firewall their connections.

Basically I have one network that is on a 199.168.157 subnet and another on a 192.168.1 subnet. Basically what I was hoping to be able to do is NAT 199.168.157.101-104 so that they translated to 192.168.1.1-4 and also work the NAT back the other way.

In other words, I was hoping to make it so that if a computer on the 199.168.157 subnet sent a packet to 199.168.157.101 it would be taken by the firewall (probably with proxy arp) then translated to be 192.168.1.1. The source address would have to be mangled as well so that it thinks it's responding to a local IP, say 192.168.1.5 which would NAT to 199.168.157.15.

All the IPs are static. Is this possible?

Thanks,
Dave King
I think what you're wanting to do is use SNAT. Although some of the brighter minds on here may disagree.

On Tue, 14 Dec 2004 00:39:31 -0700, daveshore@davewking.com <daveshore@davewking.com> wrote:
> Hi all-
> I've got a couple of LANs that are on different subnets and I was
> wondering if it's possible to do some special natting so I can firewall
> their connections.
>
> Basically I have one network that is on a 199.168.157 subnet and another
> on a 192.168.1 subnet. Basically what I was hoping to be able to do is
> NAT 199.168.157.101-104 so that they translated to 192.168.1.1-4 and
> also work the NAT back the other way.
>
> In other words, I was hoping to make it so that if a computer on the
> 199.168.157 subnet sent a packet to 199.168.157.101 it would be taken by
> the firewall (probably with proxy arp) then translated to be
> 192.168.1.1. The source address would have to be mangled as well so
> that it thinks it's responding to a local IP, say 192.168.1.5 which
> would NAT to 199.168.157.15.
>
> All the IPs are static. Is this possible?
>
> Thanks,
> Dave King
On Tue, 2004-12-14 at 00:39 -0700, daveshore@davewking.com wrote:
>
> All the IPs are static. Is this possible?
>

I don't have a clear picture of what you are trying to do but it sounds like you could use a combination of DNAT rules (proto = all) and SNAT entries in /etc/shorewall/masq.

-Tom
Thanks for the replies, I'll try and be a little more clear in my description.

So basically I have the two distinct LAN subnets and I want to have a firewalled connection between them that makes them think some of the computers are on both subnets using NAT (so they won't use a gateway to communicate). Basically I'm hoping to be able to send a packet to an address on one LAN which will be received by the firewall, filtered, have its address changed to one on the other LAN and sent on its way.

For example

LAN 1 (199.168.157.*)                                 LAN 2 (192.168.1.*)

199.168.157.10  ------------------->  NAT by Firewall  192.168.1.10
199.168.157.24  ------------------->  NAT by Firewall  192.168.1.11
199.168.157.36  ------------------->  NAT by Firewall  192.168.1.12

NAT by Firewall  199.168.157.101  <----------------  192.168.157.1
NAT by Firewall  199.168.157.102  <----------------  192.168.157.2
NAT by Firewall  199.168.157.103  <----------------  192.168.157.3

So, for example, a computer on LAN 2 (say 192.168.1.1) could communicate with 199.168.157.10 by sending a packet to 192.168.1.10. The firewall would use proxy arp to make it think that it was the computer that should get the packet, then probably SNAT and DNAT to fix it so it went to the right computer, and so that the stuff could get back to the original computer. So in this case it would change the source address of the packet from 192.168.1.1 to 199.168.157.101 and the destination from 192.168.1.10 to 199.168.157.10. Then when a reply was sent it would have to do all the same translations backwards.

So basically I believe this can be done, as you said, with a combination of DNAT rules, SNAT rules and some proxy arp magic. If this is wrong let me know. I've built a proxy arp firewall before using shorewall and it works quite well. One question I have is what IP address should I put on the firewall LAN cards (it will have 2, one connected to each LAN). In my other proxy arp firewall, on the side where the packets came in from the internet I used a public IP, and on the side of the computers I used a non-routable IP that wasn't on the same subnet of the computers behind the firewall. What would the correct settings be here since I'm using proxy arp both ways.

Thanks,
Dave King

Tom Eastep wrote:
> On Tue, 2004-12-14 at 00:39 -0700, daveshore@davewking.com wrote:
> >
> > All the IPs are static. Is this possible?
> >
>
> I don't have a clear picture of what you are trying to do but it sounds
> like you could use a combination of DNAT rules (proto = all) and SNAT
> entries in /etc/shorewall/masq.
>
> -Tom
On Tue, 2004-12-14 at 09:22 -0700, daveshore@davewking.com wrote:
>
> So basically I believe this can be done, as you said, with a
> combination of DNAT rules, SNAT rules and some proxy arp magic.

No -- Proxy ARP has absolutely no applicability here.

-Tom
On Tue, 2004-12-14 at 08:27 -0800, Tom Eastep wrote:
> On Tue, 2004-12-14 at 09:22 -0700, daveshore@davewking.com wrote:
> >
> > So basically I believe this can be done, as you said, with a
> > combination of DNAT rules, SNAT rules and some proxy arp magic.
>
> No -- Proxy ARP has absolutely no applicability here.
>

But you might take a look at http://shorewall.net/netmap.html.

-Tom
On Tue, 2004-12-14 at 09:22 -0700, daveshore@davewking.com wrote:
> One question I have is what IP
> address should I put on the firewall LAN cards (it will have 2, one
> connected to each LAN). In my other proxy arp firewall, on the side where
> the packets came in from the internet I used a public IP, and on the
> side of the computers I used a non-routable IP that wasn't on the same
> subnet of the computers behind the firewall.

You need to configure the IP addresses used as destinations for the other network (such as 192.168.1.10) _on the firewall_. Similarly, you need to configure the dummy source IP addresses (such as 199.168.157.101) _on the firewall_. The rest is just DNAT rules and SNAT entries as I said before.

-Tom
On Tue, 2004-12-14 at 08:38 -0800, Tom Eastep wrote:
> The rest is just DNAT rules and SNAT
> entries as I said before.

Or entries in /etc/shorewall/netmap if you choose to go that route.

-Tom
If I don't use proxy arp how will the network know that a packet sent to 192.168.1.10 needs to be sent to the firewall which will then translate it to 199.168.157.10 and send it out on the other card? Like I said I'd like to do this without making any routing gateway changes on the LAN computers themselves. My situation is similar to the link you sent, but it seems to me (I may be very wrong here) that I should be able to do it with only one firewall since it's on two different subnets. I guess I can also do it by messing with the routing tables on each of the computers on the LANs and set the gateway for the IPs I need to the IP of the firewall. I was hoping to be able to avoid this and be able to drop the firewall in and it would all work, maybe that's not possible though . . .

Thanks again for the reply,
Dave King

Tom Eastep wrote:
> On Tue, 2004-12-14 at 09:22 -0700, daveshore@davewking.com wrote:
> >
> > So basically I believe this can be done, as you said, with a
> > combination of DNAT rules, SNAT rules and some proxy arp magic.
>
> No -- Proxy ARP has absolutely no applicability here.
>
> -Tom
On Tue, 2004-12-14 at 09:42 -0700, daveshore@davewking.com wrote:
> If I don't use proxy arp how will the network know that a packet sent to
> 192.168.1.10 needs to be sent to the firewall which will then translate
> it to 199.168.157.10 and send it out on the other card? Like I said I'd
> like to do this without making any routing gateway changes on the LAN
> computers themselves. My situation is similar to the link you sent, but
> it seems to me (I may be very wrong here) that I should be able to do it
> with only one firewall since it's on two different subnets. I guess I
> can also do it by messing with the routing tables on each of the
> computers on the LANs and set the gateway for the IPs I need to the IP
> of the firewall. I was hoping to be able to avoid this and be able to
> drop the firewall in and it would all work, maybe that's not possible
> though . . .

Again -- you have to configure the IP addresses ON THE FIREWALL (see http://shorewall.net/Shorewall_and_Aliased_Interfaces.html).

-Tom
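Added example (not from the thread and not Shorewall's own code): a Python script that turns the per-host mapping table from the thread into the three things Tom's answer calls for on the firewall itself, namely the alias address (so the firewall answers ARP for it, no proxy ARP needed), a DNAT rule and a matching SNAT rule, after checking that the table is actually one-to-one. Interface names are assumptions (eth0 facing LAN 2, eth1 facing LAN 1); the 192.168.1.1-3 side of the table follows the prose of Dave's message.

```python
"""Per-host 1:1 NAT between two LANs without proxy ARP (added example)."""
import ipaddress

# Assumption: eth0 faces LAN 2 (192.168.1.0/24), eth1 faces LAN 1 (199.168.157.0/24).
LAN = {"eth0": ipaddress.ip_network("192.168.1.0/24"),
       "eth1": ipaddress.ip_network("199.168.157.0/24")}

# (real address, alias it is reachable as on the other LAN, interface holding the alias).
# Addresses are the ones used in the thread's example table.
MAPPINGS = [
    ("199.168.157.10", "192.168.1.10", "eth0"),
    ("199.168.157.24", "192.168.1.11", "eth0"),
    ("199.168.157.36", "192.168.1.12", "eth0"),
    ("192.168.1.1", "199.168.157.101", "eth1"),
    ("192.168.1.2", "199.168.157.102", "eth1"),
    ("192.168.1.3", "199.168.157.103", "eth1"),
]

def validate(mappings):
    """Reject tables that are not one-to-one or whose alias would clash on its LAN."""
    reals = [ipaddress.ip_address(r) for r, _, _ in mappings]
    aliases = [ipaddress.ip_address(a) for _, a, _ in mappings]
    if len(set(reals)) != len(reals) or len(set(aliases)) != len(aliases):
        raise ValueError("mapping is not one-to-one")
    if set(reals) & set(aliases):
        raise ValueError("an alias address collides with a real host")
    for _, alias, ifname in mappings:
        if ipaddress.ip_address(alias) not in LAN[ifname]:
            raise ValueError(f"{alias} is not inside the subnet on {ifname}")

def build_commands(mappings):
    """Return the ip/iptables commands for the table.

    For each host the firewall: owns the alias so it answers ARP for it (the point
    Tom makes), DNATs packets sent to the alias to the real host, and SNATs the
    real host's packets leaving towards the other LAN back to the alias. conntrack
    reverses both translations on the replies."""
    validate(mappings)
    cmds = []
    for real, alias, ifname in mappings:
        cmds.append(f"ip addr add {alias}/32 dev {ifname}")
        cmds.append(f"iptables -t nat -A PREROUTING -i {ifname} -d {alias} "
                    f"-j DNAT --to-destination {real}")
        cmds.append(f"iptables -t nat -A POSTROUTING -o {ifname} -s {real} "
                    f"-j SNAT --to-source {alias}")
    return cmds

if __name__ == "__main__":
    print("\n".join(build_commands(MAPPINGS)))
```

The script only prints the commands; filter rules for the FORWARD chain (the "firewalled" part) are left to the usual Shorewall rules file.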
Ok, I get it now, I'll give it a try and if I have any more questions I'll let you know.

Thanks for all your help,
Dave King

Tom Eastep wrote:
> On Tue, 2004-12-14 at 09:22 -0700, daveshore@davewking.com wrote:
> > One question I have is what IP
> > address should I put on the firewall LAN cards (it will have 2, one
> > connected to each LAN). In my other proxy arp firewall, on the side where
> > the packets came in from the internet I used a public IP, and on the
> > side of the computers I used a non-routable IP that wasn't on the same
> > subnet of the computers behind the firewall.
>
> You need to configure the IP addresses used as destinations for the
> other network (such as 192.168.1.10) _on the firewall_. Similarly, you
> need to configure the dummy source IP addresses (such as
> 199.168.157.101) _on the firewall_. The rest is just DNAT rules and SNAT
> entries as I said before.
>
> -Tom