I'm having another little problem with my new firewall. I want outgoing port 25 from my mail server to appear on the address 65.223.121.227 so I created the file masq:

    eth2    192.168.124.18    65.223.121.227    tcp    25
    eth1    eth5
    eth1    eth3
    eth1    eth4

    eth1 == net0 == 209.189.103.196/27
    eth2 == net1 == 65.223.121.237/28
    eth3 == dmz0
    eth4 == dmz1
    eth5 == loc  == 192.168.124.249/24

(Yes I know the danger of having a production server in the local network. I inherited this setup and I am trying to fix it)

65.223.121.227 is on eth2:1

Shorewall restarts cleanly and I see in the status:

    0    0 SNAT    tcp  --  *    *    192.168.124.18    0.0.0.0/0    tcp dpt:25 to:65.223.121.227

Next I log onto 192.168.124.18 and initiate an outbound connection to port 25 on a machine in another Autonomous System.

    $ telnet 216.117.196.95 25
    Trying 216.117.196.95...
    Connected to 216.117.196.95.
    Escape character is '^]'.
    220 mail.heronforge.net ESMTP Postfix
    quit
    221 Bye
    Connection closed by foreign host.

On eth5 on the firewall I see:

    15:25:15.473608 192.168.124.18.36587 > 216.117.196.95.smtp: S 772082250:772082250(0) win 5840 <mss 1460,sackOK,timestamp 645676248 0,nop,wscale 0> (DF) [tos 0x10]
    15:25:15.503249 216.117.196.95.smtp > 192.168.124.18.36587: S 1219378846:1219378846(0) ack 772082251 win 5792 <mss 1460,sackOK,timestamp 427958860 645676248,nop,wscale 2> (DF)
    15:25:15.503403 192.168.124.18.36587 > 216.117.196.95.smtp: . ack 1 win 5840 <nop,nop,timestamp 645676251 427958860> (DF) [tos 0x10]
    15:25:15.866525 216.117.196.95.smtp > 192.168.124.18.36587: P 1:40(39) ack 1 win 1448 <nop,nop,timestamp 427959228 645676251> (DF)
    15:25:15.866743 192.168.124.18.36587 > 216.117.196.95.smtp: . ack 40 win 5840 <nop,nop,timestamp 645676287 427959228> (DF) [tos 0x10]
    15:25:17.865766 192.168.124.18.36587 > 216.117.196.95.smtp: P 1:7(6) ack 40 win 5840 <nop,nop,timestamp 645676487 427959228> (DF) [tos 0x10]
    15:25:17.889344 216.117.196.95.smtp > 192.168.124.18.36587: . ack 7 win 1448 <nop,nop,timestamp 427961252 645676487> (DF)
    15:25:17.901743 216.117.196.95.smtp > 192.168.124.18.36587: P 40:49(9) ack 7 win 1448 <nop,nop,timestamp 427961253 645676487> (DF)
    15:25:17.902264 192.168.124.18.36587 > 216.117.196.95.smtp: . ack 49 win 5840 <nop,nop,timestamp 645676491 427961253> (DF) [tos 0x10]
    15:25:17.908362 216.117.196.95.smtp > 192.168.124.18.36587: F 49:49(0) ack 7 win 1448 <nop,nop,timestamp 427961253 645676487> (DF)
    15:25:17.908763 192.168.124.18.36587 > 216.117.196.95.smtp: F 7:7(0) ack 50 win 5840 <nop,nop,timestamp 645676491 427961253> (DF) [tos 0x10]
    15:25:17.932752 216.117.196.95.smtp > 192.168.124.18.36587: . ack 8 win 1448 <nop,nop,timestamp 427961295 645676491> (DF)

This is what I expect. However on the target machine:

    15:25:15.477122 IP 209.189.103.196.36587 > 216.117.196.95.smtp: S 772082250:772082250(0) win 5840 <mss 1460,sackOK,timestamp 645676248 0,nop,wscale 0>
    15:25:15.477160 IP 216.117.196.95.smtp > 209.189.103.196.36587: S 1219378846:1219378846(0) ack 772082251 win 5792 <mss 1460,sackOK,timestamp 427958860 645676248,nop,wscale 2>
    15:25:15.506939 IP 209.189.103.196.36587 > 216.117.196.95.smtp: . ack 1 win 5840 <nop,nop,timestamp 645676251 427958860>
    15:25:15.844588 IP 216.117.196.95.smtp > 209.189.103.196.36587: P 1:40(39) ack 1 win 1448 <nop,nop,timestamp 427959228 645676251>
    15:25:15.869751 IP 209.189.103.196.36587 > 216.117.196.95.smtp: . ack 40 win 5840 <nop,nop,timestamp 645676287 427959228>
    15:25:17.869000 IP 209.189.103.196.36587 > 216.117.196.95.smtp: P 1:7(6) ack 40 win 5840 <nop,nop,timestamp 645676487 427959228>
    15:25:17.869021 IP 216.117.196.95.smtp > 209.189.103.196.36587: . ack 7 win 1448 <nop,nop,timestamp 427961252 645676487>
    15:25:17.869266 IP 216.117.196.95.smtp > 209.189.103.196.36587: P 40:49(9) ack 7 win 1448 <nop,nop,timestamp 427961253 645676487>
    15:25:17.869532 IP 216.117.196.95.smtp > 209.189.103.196.36587: F 49:49(0) ack 7 win 1448 <nop,nop,timestamp 427961253 645676487>
    15:25:17.906320 IP 209.189.103.196.36587 > 216.117.196.95.smtp: . ack 49 win 5840 <nop,nop,timestamp 645676491 427961253>
    15:25:17.911918 IP 209.189.103.196.36587 > 216.117.196.95.smtp: F 7:7(0) ack 50 win 5840 <nop,nop,timestamp 645676491 427961253>
    15:25:17.911935 IP 216.117.196.95.smtp > 209.189.103.196.36587: . ack 8 win 1448 <nop,nop,timestamp 427961295 645676491>

Instead of replacing the 192.168.124.18 with 65.223.121.227, I get a source address of 209.189.103.196. Is this the correct behavior? If so how do I get the source address on outgoing packets NAT'ed to 65.223.121.227?

--
Stephen Carville
Unix and Network Administrator
Nationwide-Totalflood
6033 W. Century Blvd.
Los Angeles, CA 90045
310-342-3602
> I'm having another little problem with my new firewall. I want outgoing port
> 25 from my mail server to appear on the address 65.223.121.227 so I created
> the file masq:
>
> eth2 192.168.124.18 65.223.121.227 tcp 25
> eth1 eth5
> eth1 eth3
> eth1 eth4
>
> eth1 == net0 == 209.189.103.196/27
> eth2 == net1 == 65.223.121.237/28
> eth3 == dmz0
> eth4 == dmz1
> eth5 == loc == 192.168.124.249/24
>
> [...]
>
> Instead of replacing the 192.168.124.18 with 65.223.121.227, I get a source
> address of 209.189.103.196. Is this the correct behavior? If so how do I
> get the source address on outgoing packets NAT'ed to 65.223.121.227?

What script/howto are you using to setup the routing for your 2 ISPs?

Jerry Vonau
Stephen Carville wrote:
>
> Instead of replacing the 192.168.124.18 with 65.223.121.227, I get a source
> address of 209.189.103.196. Is this the correct behavior? If so how do I
> get the source address on outgoing packets NAT'ed to 65.223.121.227?
>

Please read *and understand* http://shorewall.net/Shorewall_and_Routing.html.

WHAT YOU ARE SEEING CANNOT BE CHANGED BY ANY SHOREWALL SETTING!

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
On Tue March 1 2005 4:43 pm, Jerry Vonau wrote:
> > I'm having another little problem with my new firewall. I want outgoing
> > port 25 from my mail server to appear on the address 65.223.121.227 so I
> > created the file masq:
> >
> > eth2 192.168.124.18 65.223.121.227 tcp 25
> > eth1 eth5
> > eth1 eth3
> > eth1 eth4
> >
> > eth1 == net0 == 209.189.103.196/27
> > eth2 == net1 == 65.223.121.237/28
> > eth3 == dmz0
> > eth4 == dmz1
> > eth5 == loc == 192.168.124.249/24
> >
> > [...]
> >
> > Instead of replacing the 192.168.124.18 with 65.223.121.227, I get a
> > source address of 209.189.103.196. Is this the correct behavior? If so
> > how do I get the source address on outgoing packets NAT'ed to
> > 65.223.121.227?
>
> What script/howto are you using to setup the routing for your 2 ISPs?

I followed the instructions at http://www.shorewall.net/FAQ.htm#faq32

The commands I used are:

    # flush tables
    ip route flush table T1
    ip route flush table T2

    ### define the routing tables
    # eth1 (verio)
    ip route add 127.0.0.0/8 dev lo table T1
    ip route add 192.168.124.0/24 dev eth5 table T1
    ip route add 209.189.103.192/27 dev eth1 src 209.189.103.196 table T1
    ip route add default via 209.189.103.222 table T1

    # eth2 (worldcom)
    ip route add 127.0.0.0/8 dev lo table T2
    ip route add 192.168.124.0/24 dev eth5 table T2
    ip route add 65.223.121.224/28 dev eth2 src 65.223.121.237 table T2
    ip route add default via 65.223.121.225 table T2

    # add routes
    ip route add 209.189.103.192/27 dev eth1 src 209.189.103.196
    ip route add 65.223.121.224/28 dev eth2 src 65.223.121.237
    ip route add default via 209.189.103.222

    # delete interfaces rules JIC
    ip rule delete from 209.189.103.196
    ip rule delete from 65.223.121.237

    # external interface rules
    ip rule add from 209.189.103.196 table T1
    ip rule add from 65.223.121.237 table T2

--
Stephen Carville
On Tue March 1 2005 5:32 pm, Tom Eastep wrote:
> Stephen Carville wrote:
> > Instead of replacing the 192.168.124.18 with 65.223.121.227, I get a
> > source address of 209.189.103.196. Is this the correct behavior? If so
> > how do I get the source address on outgoing packets NAT'ed to
> > 65.223.121.227?
>
> Please read *and understand*
> http://shorewall.net/Shorewall_and_Routing.html.

I did read it but my understanding was that the entry in /etc/shorewall/masq would act as an SNAT command and change the source address. I guess this must be incorrect.

I'm trying to subscribe to the lartc list but have not, so far, received a confirmation. I'll go back to lurking here...

--
Stephen Carville
Stephen Carville wrote:
> On Tue March 1 2005 5:32 pm, Tom Eastep wrote:
>> Stephen Carville wrote:
>>> Instead of replacing the 192.168.124.18 with 65.223.121.227, I get a
>>> source address of 209.189.103.196. Is this the correct behavior? If so
>>> how do I get the source address on outgoing packets NAT'ed to
>>> 65.223.121.227?
>>
>> Please read *and understand*
>> http://shorewall.net/Shorewall_and_Routing.html.
>
> I did read it but my understanding was that the entry in /etc/shorewall/masq
> would act as an SNAT command and change the source address. I guess this
> must be incorrect.

No, it is not incorrect. BUT IT OCCURS WELL AFTER ROUTING (study the diagram in that article). You have to arrange for packets from your mail server to be routed through the correct routing table to send them out of the interface you want -- THEN THE MASQ RULES FOR THAT INTERFACE WILL WORK. That involves marking the packets in the PREROUTING CHAIN and 'ip' rules to send the marked packets through the desired routing table.

-Tom
Tom Eastep wrote:
>> I did read it but my understanding was that the entry in /etc/shorewall/masq
>> would act as an SNAT command and change the source address. I guess this
>> must be incorrect.
>
> No, it is not incorrect. BUT IT OCCURS WELL AFTER ROUTING (study the
> diagram in that article).

Or put another way, do you see ONE single mention of /etc/shorewall/masq in the article about Shorewall and Routing?

-Tom
On Tue March 1 2005 8:22 pm, Tom Eastep wrote:
> Tom Eastep wrote:
> >> I did read it but my understanding was that the entry in
> >> /etc/shorewall/masq would act as an SNAT command and change the source
> >> address. I guess this must be incorrect.
> >
> > No, it is not incorrect. BUT IT OCCURS WELL AFTER ROUTING (study the
> > diagram in that article).
>
> Or put another way, do you see ONE single mention of /etc/shorewall/masq
> in the article about Shorewall and Routing?

No. I was relying on the comments in the masq file. (and the fact it works when there is only one outgoing interface.)

--
Stephen Carville
> On Tue March 1 2005 5:32 pm, Tom Eastep wrote:
> > Stephen Carville wrote:
> > > Instead of replacing the 192.168.124.18 with 65.223.121.227, I get a
> > > source address of 209.189.103.196. Is this the correct behavior? If so
> > > how do I get the source address on outgoing packets NAT'ed to
> > > 65.223.121.227?
> >
> > Please read *and understand*
> > http://shorewall.net/Shorewall_and_Routing.html.
>
> I did read it but my understanding was that the entry in /etc/shorewall/masq
> would act as an SNAT command and change the source address. I guess this
> must be incorrect.
>
> I'm trying to subscribe to the lartc list but have not, so far, received a
> confirmation. I'll go back to lurking here...

Does the machine that should respond to 65.223.121.227 have to respond to another ip on the other provider? Or to put it another way are you dnat'ing one ip on each isp to the same machine on the local lan? If it's just the one ip you could just use an 'ip rule' to state the source address of the mail server into the isp's table ie:

    /sbin/ip rule add from $MAIL table T1

If you have it replying to 2 public ip's, I'd use 2 private lan addresses and dnat each provider one of them, then setup rules like above for each ip/provider. This should work, providing the mail server uses the correct source ip for the reply.

Jerry Vonau
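To make the ordering Tom describes concrete (mark in PREROUTING, then the routing decision, then masq/SNAT in POSTROUTING) and to set it beside Jerry's source-address rule, here is an added Python model of that packet path; it is not Shorewall code and not from anyone in the thread. It assumes Stephen's 'eth1 eth5' masq line covers the 192.168.124.0/24 subnet, and it uses table T2 for the source rule because 65.223.121.227 sits on eth2 in his numbering.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Route = namedtuple("Route", "prefix dev")                        # "<prefix> dev <iface>"
Rule = namedtuple("Rule", "table src fwmark", defaults=(None, None))   # one "ip rule"
Masq = namedtuple("Masq", "out_iface source address proto port",       # one masq line
                  defaults=(None, None, None))

def in_net(addr, prefix):
    return ip_address(addr) in ip_network(prefix)

def prerouting(pkt, mangle):
    """mangle PREROUTING: the fwmark is set BEFORE the routing decision."""
    for src, proto, dport, mark in mangle:
        if (pkt["src"], pkt["proto"], pkt["dport"]) == (src, proto, dport):
            pkt["mark"] = mark
    return pkt

def route(pkt, rules, tables):
    """Policy routing: first matching ip rule picks the table, longest prefix wins."""
    for r in rules:
        if r.src and not in_net(pkt["src"], r.src):
            continue
        if r.fwmark is not None and pkt["mark"] != r.fwmark:
            continue
        hits = [t for t in tables[r.table] if in_net(pkt["dst"], t.prefix)]
        if hits:
            return max(hits, key=lambda t: ip_network(t.prefix).prefixlen).dev
    raise LookupError("no route to " + pkt["dst"])

def postrouting(pkt, dev, masq, iface_addr):
    """nat POSTROUTING (Shorewall masq/SNAT) runs AFTER routing, so a masq
    line only ever sees packets already bound for its own interface."""
    for m in masq:
        if m.out_iface != dev or not in_net(pkt["src"], m.source):
            continue
        if (m.proto and m.proto != pkt["proto"]) or (m.port and m.port != pkt["dport"]):
            continue
        return m.address or iface_addr[dev]
    return pkt["src"]        # no masq line matched: the private address leaks out

def send(fw, pkt):
    dev = route(prerouting(pkt, fw["mangle"]), fw["rules"], fw["tables"])
    return dev, postrouting(pkt, dev, fw["masq"], fw["iface_addr"])

def firewall(extra_rules=(), mangle=()):
    # Stephen's tables (from his ip route commands) and masq file. Treating the
    # 'eth1 eth5' masq line as the loc subnet is this example's assumption.
    loc, net0, net1 = (Route("192.168.124.0/24", "eth5"),
                       Route("209.189.103.192/27", "eth1"),
                       Route("65.223.121.224/28", "eth2"))
    return {
        "iface_addr": {"eth1": "209.189.103.196", "eth2": "65.223.121.237"},
        "tables": {"T1": [loc, net0, Route("0.0.0.0/0", "eth1")],
                   "T2": [loc, net1, Route("0.0.0.0/0", "eth2")],
                   "main": [loc, net0, net1, Route("0.0.0.0/0", "eth1")]},
        "rules": list(extra_rules) + [Rule("T1", src="209.189.103.196"),
                                      Rule("T2", src="65.223.121.237"), Rule("main")],
        "masq": [Masq("eth2", "192.168.124.18", "65.223.121.227", "tcp", 25),
                 Masq("eth1", "192.168.124.0/24")],
        "mangle": list(mangle),
    }

MAIL, TARGET = "192.168.124.18", "216.117.196.95"

def packet(dport):
    return {"src": MAIL, "dst": TARGET, "proto": "tcp", "dport": dport, "mark": 0}

def as_posted(dport=25):
    """Stephen's setup: main table sends it out eth1, so the eth1 masq line wins."""
    return send(firewall(), packet(dport))

def with_source_rule(dport=25):
    """Jerry's fix, 'ip rule add from $MAIL table T2': everything from the server."""
    return send(firewall([Rule("T2", src=MAIL)]), packet(dport))

def with_fwmark(dport=25):
    """Tom's approach: mark SMTP in PREROUTING plus 'ip rule add fwmark 2 table T2'."""
    return send(firewall([Rule("T2", fwmark=2)], [(MAIL, "tcp", 25, 2)]), packet(dport))

if __name__ == "__main__":
    for name, fn in (("as posted", as_posted), ("source rule", with_source_rule),
                     ("fwmark", with_fwmark)):
        print(f"{name:12} smtp -> {fn(25)}   http -> {fn(80)}")
```

Run stand-alone it prints each scenario for an SMTP and an HTTP packet from the mail server. Note that with the source rule alone a non-SMTP packet leaves eth2 still carrying 192.168.124.18, because the posted masq file has no 'eth2 eth5' line; Tom's per-port mark avoids that by sending only SMTP through T2.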
On Tuesday 01 March 2005 9:28 pm, Jerry Vonau wrote:
> > On Tue March 1 2005 5:32 pm, Tom Eastep wrote:
> > > Stephen Carville wrote:
> > > > Instead of replacing the 192.168.124.18 with 65.223.121.227, I get a
> > > > source address of 209.189.103.196. Is this the correct behavior? If
> > > > so how do I get the source address on outgoing packets NAT'ed to
> > > > 65.223.121.227?
> > >
> > > Please read *and understand*
> > > http://shorewall.net/Shorewall_and_Routing.html.
> >
> > I did read it but my understanding was that the entry in
> > /etc/shorewall/masq would act as an SNAT command and change the source
> > address. I guess this must be incorrect.
> >
> > I'm trying to subscribe to the lartc list but have not, so far, received
> > a confirmation. I'll go back to lurking here...
>
> Does the machine that should respond to 65.223.121.227 have to respond to
> another ip on the other provider?

Right now, yes but I hope to change that

> Or to put it another way are you dnat'ing one ip on each isp to the same
> machine on the local lan?

Up until recently all the machines used a static(?) NAT where each external address corresponded to exactly one internal address. The particular machine in question has four addresses split two and two between the providers. Partly this is because we have customers who have hard coded the IP they connect to and will not or cannot change it. So I have to maintain a few addresses even tho only one customer uses it on only one port. I was hoping that, among other things, DNAT would let me use those addresses for some other services instead of allocating another external address.

> If it's just the one ip you could just use an 'ip rule' to state the source
> address of the mail server into the isp's table
> ie: /sbin/ip rule add from $MAIL table T1
> If you have it replying to 2 public ip's, I'd use 2 private lan addresses
> and dnat each provider one of them, then setup rules like above for each
> ip/provider. This should work, providing the mail server uses the correct
> source ip for the reply.

Now that (I think) I understand the relation between NAT and routing a little better, I've set up a test machine where I can, hopefully, work out the routing issues independent of the firewalling issues.

--
Stephen Carville
Systems and Network Administrator
310-342-3602
stephen@totalflood.com
Stephen Carville wrote:
>
> Now that (I think) I understand the relation between NAT and routing a little
> better, I've set up a test machine where I can, hopefully, work out the
> routing issues independent of the firewalling issues.
>

Very wise -- the routing issues involved are much more daunting than are the firewalling issues.

-Tom
Tom Eastep wrote on 02/03/2005 12:31:59:
> Stephen Carville wrote:
> >
> > Now that (I think) I understand the relation between NAT and routing a little
> > better, I've set up a test machine where I can, hopefully, work out the
> > routing issues independent of the firewalling issues.
> >
>
> Very wise -- the routing issues involved are much more daunting than are
> the firewalling issues.
>
> -Tom

And let's hope he shares with us...
Stephen:

I have something similar here... and it is working... but I've included one lookup rule for table T1 for IPs on my DMZ. That way anything that comes from my DMZ uses table T1, going out with the correct gateway... Below you can see my configuration files. Sorry for my English.... I hope this helps you.

    rucucu:/home/diego# ip rule show
    0:      from all lookup local
    32761:  from 192.168.146.0/24 lookup T1
    32762:  from 192.168.5.0/24 lookup T2
    32763:  from 192.168.1.93 lookup T2
    32765:  from 200.69.146.93 lookup T1
    32766:  from all lookup main
    32767:  from all lookup default

    rucucu:/etc/shorewall# ip route list table T1
    200.69.146.80/28 dev eth1  scope link  src 200.69.146.93
    192.168.146.0/24 dev eth3  scope link
    192.168.5.0/24 dev eth0  scope link
    192.168.1.0/24 dev eth2  scope link
    default via 200.69.146.81 dev eth1

    rucucu:/etc/shorewall# ip route list table T2
    200.69.146.80/28 dev eth1  scope link
    192.168.146.0/24 dev eth3  scope link
    192.168.5.0/24 dev eth0  scope link
    192.168.1.0/24 dev eth2  scope link  src 192.168.1.93
    default via 192.168.1.1 dev eth2

<<interfaces file>>

    loc     eth0    192.168.5.255
    net2    eth1    200.69.146.95
    net     eth2    192.168.1.255      #routed adsl
    dmz     eth3    192.168.146.255

<<zones file>>

    net     Net       Internet
    net2    Techtel   Internet by Techtel
    loc     Local     Local networks
    dmz     DMZ       Demilitarized zone

<<masq file>>

    eth2    eth0
    #DMZ goes out via net2
    eth1:0  192.168.146.202  200.69.146.82  tcp  http,domain
    eth1:0  192.168.146.202  200.69.146.82  udp  domain
    eth1:2  192.168.146.204  200.69.146.84  tcp  http
    eth1:3  192.168.146.205  200.69.146.85  tcp  http
    eth1:4  192.168.146.206  200.69.146.86  tcp  http
    eth1:5  192.168.146.207  200.69.146.87  tcp  http
    eth1:1  192.168.146.233  200.69.146.83  tcp  http,pop3,smtp,domain,8383
    eth1:1  192.168.146.233  200.69.146.83  udp  domain
    eth1:3  192.168.146.235  200.69.146.85  tcp  pop3,smtp,8383
    eth1:5  192.168.146.237  200.69.146.87  tcp  pop3,smtp,8383
    #eth1:6 192.168.146.50   200.69.146.91  tcp  47,1723

----- Original Message -----
From: "Stephen Carville" <stephen@totalflood.com>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, March 02, 2005 1:02 AM
Subject: Re: [Shorewall-users] Problem with outgoing Masquerade

> On Tue March 1 2005 5:32 pm, Tom Eastep wrote:
> > Please read *and understand*
> > http://shorewall.net/Shorewall_and_Routing.html.
>
> I did read it but my understanding was that the entry in /etc/shorewall/masq
> would act as an SNAT command and change the source address. I guess this
> must be incorrect.
>
> [...]