Shorewall users - Feb 2005 - Problems With NAT/Multi IPs Settings... Shorewall 2.2

So I am trying to get a firewall up at work using Shorewall 2.2 / Mandrake
RC 1, where we have multi-ips assigned to a single machine....

Now at one point I had Shorewall and Mandrake configured and it was
working... this was our setup essentially (I''ll use 192.0.0.x as out
external IP addresses) 

In ifconfig:

eth0 192.0.0.202 nmask 255.255.255.248
eth0:1 192.0.0.203 nmask 255.255.255.248
eth1 10.10.10.10 nmask 255.255.255.0


So when I have the network up like this, I can ping both .202 and .203 from
the outside.

Now I got shorewall working so that any web requests from .203 were going to
this machine: 10.10.10.13 . Here''s a rough outline of the shorewall
config I
had

Policy: Block everything from everywhere
Rules: allow ICMP/HTTP from inside and out.... 
Nat: anything from .203 goes to 10.10.10.13

Everything was beautiful and on the way to success... Web requests were
making their way to the .13 machine.

Now everytime I rebooted Mandrake, the DNS entries would disapear... So
since my co-worker is familiar with Fedora, I got convinced to replace the
distro the very next day....

So I was a good planner and copied all the Shorewall configs onto a
floppy...

After Fedora was installed, I recreated the configurations for the
NIC''s,
installed Shorewall, and copied my config files to the dir, and started
shorewall

What ended up happening is not being able to reach/ping .203 from
outside.... What''s more, is that each time I start shorewall, the
eth0:1
config gets erased. And I can''t re-enter it with ifconfig until
shorewall is
stopped (ifconfig gives me an error about not being able to assign the
address to the interface or something).....

So after fooling around, I figured out that if I took out the NAT entry in
shorewall (.203 -> 10.10.10.13) and restarted, everything worked....
Unfortunately that meant the .203 pings were ending up at the firewall box
and not the .13 box. 

So then I decided to reinstall Mandrake and to get it back to its old
working status.

Well, with the same exact Mandrake install as before, the same shorewall
rpm, and the same config files from the floppy, Mandrake does the same thing
as Fedora did, so I can''t even replicate what I had working initially.

So now, I''m quite frustrated, and have no clue what to try or do? Any
help
would be greatly appreciated

Dan Mayer wrote:
> 
> Everything was beautiful and on the way to success... Web requests were
> making their way to the .13 machine.
> 
> Now everytime I rebooted Mandrake, the DNS entries would disapear...
What does that mean?
> So
> since my co-worker is familiar with Fedora, I got convinced to replace the
> distro the very next day....
Groan
> 
> So I was a good planner and copied all the Shorewall configs onto a
> floppy...
> 
> After Fedora was installed, I recreated the configurations for the
NIC''s,
> installed Shorewall, and copied my config files to the dir, and started
> shorewall
> 
> What ended up happening is not being able to reach/ping .203 from
> outside.... What''s more, is that each time I start shorewall, the
eth0:1
> config gets erased. And I can''t re-enter it with ifconfig until
shorewall is
> stopped (ifconfig gives me an error about not being able to assign the
> address to the interface or something).....
Exact error messages are helpful -- vague references to "...or
something..." are not helpful.
> 
> So after fooling around, I figured out that if I took out the NAT entry in
> shorewall (.203 -> 10.10.10.13) and restarted, everything worked....
> Unfortunately that meant the .203 pings were ending up at the firewall box
> and not the .13 box. 
This sounds like you have ADD_IP_ALIASES=Yes in shorewall.conf.
> 
> So then I decided to reinstall Mandrake and to get it back to its old
> working status.
> 
> Well, with the same exact Mandrake install as before, the same shorewall
> rpm, and the same config files from the floppy, Mandrake does the same
thing
> as Fedora did, so I can''t even replicate what I had working
initially.
> 
> So now, I''m quite frustrated, and have no clue what to try or do?
Any help
> would be greatly appreciated
> 
If you are configuring eth0:1 using a tool included with
Mandrake/Fedora/Debian/Slackware/Gentoo/<whatever distribution you have
installed today> then you do not want ADD_IP_ALIASES=Yes in shorewall.conf.

See http://shorewall.net/Shorewall_and_Aliased_Interfaces.html for
additional information about configuring multiple addresses on an interface.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
>>
> 
> 
> If you are configuring eth0:1 using a tool included with
> Mandrake/Fedora/Debian/Slackware/Gentoo/<whatever distribution you have
> installed today> then you do not want ADD_IP_ALIASES=Yes in
shorewall.conf.
> 
> See http://shorewall.net/Shorewall_and_Aliased_Interfaces.html for
> additional information about configuring multiple addresses on an
interface.
> 
As a final note, Shorewall 2.2 has a RETAIN_ALIASES option in
shorewall.conf -- if you set ADD_IP_ALIASES=Yes and RETAIN_ALIASES=Yes
then Shorewall will not delete existing addresses.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key