So I am trying to get a firewall up at work using Shorewall 2.2 / Mandrake RC 1, where we have multi-ips assigned to a single machine.... Now at one point I had Shorewall and Mandrake configured and it was working... this was our setup essentially (I'll use 192.0.0.x as our external IP addresses)

In ifconfig:

  eth0    192.0.0.202   nmask 255.255.255.248
  eth0:1  192.0.0.203   nmask 255.255.255.248
  eth1    10.10.10.10   nmask 255.255.255.0

So when I have the network up like this, I can ping both .202 and .203 from the outside. Now I got shorewall working so that any web requests from .203 were going to this machine: 10.10.10.13. Here's a rough outline of the shorewall config I had:

  Policy: Block everything from everywhere
  Rules:  allow ICMP/HTTP from inside and out....
  Nat:    anything from .203 goes to 10.10.10.13

Everything was beautiful and on the way to success... Web requests were making their way to the .13 machine.

Now every time I rebooted Mandrake, the DNS entries would disappear... So since my co-worker is familiar with Fedora, I got convinced to replace the distro the very next day....

So I was a good planner and copied all the Shorewall configs onto a floppy...

After Fedora was installed, I recreated the configurations for the NICs, installed Shorewall, and copied my config files to the dir, and started shorewall.

What ended up happening is not being able to reach/ping .203 from outside.... What's more, is that each time I start shorewall, the eth0:1 config gets erased. And I can't re-enter it with ifconfig until shorewall is stopped (ifconfig gives me an error about not being able to assign the address to the interface or something).....

So after fooling around, I figured out that if I took out the NAT entry in shorewall (.203 -> 10.10.10.13) and restarted, everything worked.... Unfortunately that meant the .203 pings were ending up at the firewall box and not the .13 box.

So then I decided to reinstall Mandrake and to get it back to its old working status.

Well, with the same exact Mandrake install as before, the same shorewall rpm, and the same config files from the floppy, Mandrake does the same thing as Fedora did, so I can't even replicate what I had working initially.

So now, I'm quite frustrated, and have no clue what to try or do? Any help would be greatly appreciated.
Tom Eastep
2005-Feb-07 20:44 UTC
Re: Problems With NAT/Multi IPs Settings... Shorewall 2.2
Dan Mayer wrote:

> Everything was beautiful and on the way to success... Web requests were
> making their way to the .13 machine.
>
> Now every time I rebooted Mandrake, the DNS entries would disappear...

What does that mean?

> So since my co-worker is familiar with Fedora, I got convinced to replace the
> distro the very next day....

Groan

> So I was a good planner and copied all the Shorewall configs onto a
> floppy...
>
> After Fedora was installed, I recreated the configurations for the NICs,
> installed Shorewall, and copied my config files to the dir, and started
> shorewall
>
> What ended up happening is not being able to reach/ping .203 from
> outside.... What's more, is that each time I start shorewall, the eth0:1
> config gets erased. And I can't re-enter it with ifconfig until shorewall is
> stopped (ifconfig gives me an error about not being able to assign the
> address to the interface or something).....

Exact error messages are helpful -- vague references to "...or something..." are not helpful.

> So after fooling around, I figured out that if I took out the NAT entry in
> shorewall (.203 -> 10.10.10.13) and restarted, everything worked....
> Unfortunately that meant the .203 pings were ending up at the firewall box
> and not the .13 box.

This sounds like you have ADD_IP_ALIASES=Yes in shorewall.conf.

> So then I decided to reinstall Mandrake and to get it back to its old
> working status.
>
> Well, with the same exact Mandrake install as before, the same shorewall
> rpm, and the same config files from the floppy, Mandrake does the same thing
> as Fedora did, so I can't even replicate what I had working initially.
>
> So now, I'm quite frustrated, and have no clue what to try or do? Any help
> would be greatly appreciated

If you are configuring eth0:1 using a tool included with Mandrake/Fedora/Debian/Slackware/Gentoo/<whatever distribution you have installed today> then you do not want ADD_IP_ALIASES=Yes in shorewall.conf.

See http://shorewall.net/Shorewall_and_Aliased_Interfaces.html for additional information about configuring multiple addresses on an interface.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Feb-07 20:56 UTC
Re: Problems With NAT/Multi IPs Settings... Shorewall 2.2
Tom Eastep wrote:

> If you are configuring eth0:1 using a tool included with
> Mandrake/Fedora/Debian/Slackware/Gentoo/<whatever distribution you have
> installed today> then you do not want ADD_IP_ALIASES=Yes in shorewall.conf.
>
> See http://shorewall.net/Shorewall_and_Aliased_Interfaces.html for
> additional information about configuring multiple addresses on an interface.

As a final note, Shorewall 2.2 has a RETAIN_ALIASES option in shorewall.conf -- if you set ADD_IP_ALIASES=Yes and RETAIN_ALIASES=Yes then Shorewall will not delete existing addresses.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
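The two replies above describe one interaction: with ADD_IP_ALIASES=Yes, Shorewall takes ownership of the EXTERNAL address of every nat entry and removes a distro-configured alias such as eth0:1 when it starts, while ADD_IP_ALIASES=No (the distro owns the alias) or, in Shorewall 2.2, RETAIN_ALIASES=Yes leaves existing addresses in place. The POSIX shell check below is an added example, not code from this thread or from the Shorewall project. It reads a shorewall.conf-style KEY=VALUE file and a nat file whose first column is the EXTERNAL address (the column layout and the constructed sample files are assumptions), and reports, for one distro-managed alias address, whether the combination will have Shorewall delete it. The verdict names (no-overlap, ok-distro-owns-alias, ok-retained, conflict) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): decide whether a
# shorewall.conf / nat pair will make Shorewall remove a distro-managed alias.
# Assumptions: shorewall.conf uses KEY=VALUE lines; the nat file's first column
# is the EXTERNAL address; the sample files below are constructed for the demo.

# conf_value FILE KEY -> value of KEY (uppercased, quotes stripped), empty if unset.
# Commented-out lines such as "#ADD_IP_ALIASES=No" are ignored.
conf_value() {
    sed -n "/^[[:space:]]*$2=/{s/#.*//;s/^[^=]*=//;s/[[:space:]\"]//g;p;q;}" "$1" \
        | tr '[:lower:]' '[:upper:]'
}

# nat_has_external NATFILE ADDR -> success if ADDR appears in the EXTERNAL column
# (blank lines and comment lines are skipped).
nat_has_external() {
    awk -v want="$2" '!/^[ \t]*(#|$)/ && $1 == want { found = 1 } END { exit !found }' "$1"
}

# alias_verdict CONF NATFILE ADDR -> one-word verdict for a distro-managed alias ADDR.
# Returns 1 only for the conflicting combination, so it can be used in a pre-start check.
alias_verdict() {
    if ! nat_has_external "$2" "$3"; then
        echo "no-overlap"                      # Shorewall never touches this address
        return 0
    fi
    case "$(conf_value "$1" ADD_IP_ALIASES)" in
        YES) ;;
        *)   echo "ok-distro-owns-alias"; return 0 ;;   # Shorewall leaves eth0:1 alone
    esac
    if [ "$(conf_value "$1" RETAIN_ALIASES)" = "YES" ]; then
        echo "ok-retained"                     # existing addresses are kept (Shorewall 2.2)
    else
        echo "conflict"                        # the alias is deleted when Shorewall starts
        return 1
    fi
}

# --- constructed demo files mirroring the thread: nat maps .203 -> 10.10.10.13 ---
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/nat" <<'EOF'
#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES  LOCAL
192.0.0.203     eth0            10.10.10.13     no              no
EOF
printf 'ADD_IP_ALIASES=Yes\nRETAIN_ALIASES=No\n'  > "$DEMO_DIR/conf-conflict"
printf 'ADD_IP_ALIASES=No\n'                      > "$DEMO_DIR/conf-distro"
printf 'ADD_IP_ALIASES=Yes\nRETAIN_ALIASES=Yes\n' > "$DEMO_DIR/conf-retain"

# Print one verdict per configuration for the distro-managed alias 192.0.0.203.
for c in conflict distro retain; do
    printf '%-9s %s\n' "$c:" "$(alias_verdict "$DEMO_DIR/conf-$c" "$DEMO_DIR/nat" 192.0.0.203)"
done
```

Point it at /etc/shorewall/shorewall.conf and /etc/shorewall/nat with the address of the alias your distro's network scripts create, and a non-zero exit from alias_verdict tells you before restarting Shorewall that the eth0:1 address will be removed, which is the symptom the original post describes.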