Hi folks,
I have been trying really hard to get shorewall running with one-to-one nat on my system for days now, and I really need some help now.

I need to set up one-to-one NAT for 203.117.137.32/28. These will be the machines 192.168.21.0/24. Specifically, I want 203.117.137.35 to be going to 192.168.21.3, and 203.117.137.34 to be going to 192.168.21.1.

I've got 203.117.137.34 running, but I simply cannot ping 203.117.137.35. Why is this happening? I don't even know where to start tracing.

Cheers
Lim Swee Tat

> Hi folks,
> I have been trying really hard to get shorewall running with
> one-to-one nat on my system for days now, and I really need some help now.
>
> I need to set up one-to-one NAT for 203.117.137.32/28. These will be
> the machines 192.168.21.0/24. Specifically, I want 203.117.137.35 to be
> going to 192.168.21.3, and 203.117.137.34 to be going to 192.168.21.1.
>
> I've got 203.117.137.34 running, but I simply cannot ping
> 203.117.137.35. Why is this happening? I don't even know where to
> start tracing.

Just some ideas:
- When you try to ping 203.117.137.35 from external address, what do your logs show (or dmesg)?
- Are you sure your masq entry is correct? Maybe you want to test without it?
- Can you ping to the internet from 192.168.21.3?

Simon

Hi Simon,
My replies below:

Simon Matter said the following on Thursday 09,March,2006 03:08 PM:
> Just some ideas:
> - When you try to ping 203.117.137.35 from external address, what do your
> logs show (or dmesg)?

I've been running the ping for the past hour or so, and there is nothing in dmesg.

> - Are you sure your masq entry is correct? Maybe you want to test without
> it ?

the masq entry was originally:

    hdlc0 eth0

Then I tried:

    hdlc0 eth0 203.117.137.33

Then I tried:

    hdlc0:0 eth0 203.117.137.33

None of the above works.

> - Can you ping to the internet from 192.168.21.3?

Yes, but the host 192.168.21.3 has 2 interfaces. 1 facing the internet, another with the ip address 192.168.21.3. The system also runs shorewall. From the shorewall host (192.168.21.1), I am able to ping 192.168.21.3.

Cheers
Lim Swee Tat

On Wednesday 08 March 2006 22:28, Lim Swee Tat wrote:
> Hi folks,
> I have been trying really hard to get shorewall running with
> one-to-one nat on my system for days now, and I really need some help now.
>
> I need to set up one-to-one NAT for 203.117.137.32/28. These will be
> the machines 192.168.21.0/24. Specifically, I want 203.117.137.35 to be
> going to 192.168.21.3, and 203.117.137.34 to be going to 192.168.21.1.
>
> I've got 203.117.137.34 running, but I simply cannot ping
> 203.117.137.35. Why is this happening? I don't even know where to
> start tracing.

Is the default gateway on 192.168.21.3 set correctly (192.168.21.1)?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Hi,
It is currently not configured to 192.168.21.1. Instead, because I have that other machine facing the internet, its default gateway is on the other interface.

If I do want my shorewall firewall machine "bacchus" to nat traffic under this situation for migration, how should I go about doing it?

Appreciate your prompt reply.

Cheers
Lim Swee Tat

Tom Eastep said the following on Thursday 09,March,2006 11:44 PM:
> On Wednesday 08 March 2006 22:28, Lim Swee Tat wrote:
>> Hi folks,
>> I have been trying really hard to get shorewall running with
>> one-to-one nat on my system for days now, and I really need some help now.
>>
>> I need to set up one-to-one NAT for 203.117.137.32/28. These will be
>> the machines 192.168.21.0/24. Specifically, I want 203.117.137.35 to be
>> going to 192.168.21.3, and 203.117.137.34 to be going to 192.168.21.1.
>>
>> I've got 203.117.137.34 running, but I simply cannot ping
>> 203.117.137.35. Why is this happening? I don't even know where to
>> start tracing.
>
> Is the default gateway on 192.168.21.3 set correctly (192.168.21.1)?
>
> -Tom

On Thursday 09 March 2006 07:50, Lim Swee Tat wrote:
> Hi,
> It is currently not configured to 192.168.21.1. Instead, because I
> have that other machine facing the internet, its default gateway is on
> the other interface.
>
> If I do want my shorewall firewall machine "bacchus" to nat traffic
> under this situation for migration, how should I go about doing it?
>
> Appreciate your prompt reply.

You will have to SNAT all traffic going out of your firewall's local interface to 192.168.21.3 to have source IP 192.168.21.1.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Hi,
How do I go about doing that?

I did try the entry

    eth0:192.168.21.3 eth0 192.168.21.1

But that did not seem to solve the issue.

Cheers
Lim Swee Tat

Tom Eastep said the following on 03/09/2006 11:53 PM:
> On Thursday 09 March 2006 07:50, Lim Swee Tat wrote:
>> Hi,
>> It is currently not configured to 192.168.21.1. Instead, because I
>> have that other machine facing the internet, its default gateway is on
>> the other interface.
>>
>> If I do want my shorewall firewall machine "bacchus" to nat traffic
>> under this situation for migration, how should I go about doing it?
>>
>> Appreciate your prompt reply.
>
> You will have to SNAT all traffic going out of your firewall's local interface
> to 192.168.21.3 to have source IP 192.168.21.1.
>
> -Tom

On Thursday 09 March 2006 07:54, Lim Swee Tat wrote:
> Hi,
> How do I go about doing that?
>
> I did try the entry
>
> eth0:192.168.21.3 eth0 192.168.21.1
>
> But that did not seem to solve the issue.

Look at the SUBNET column -- how could that *possibly* work.

Use

    eth0:192.168.21.3 0.0.0.0/0 192.168.21.1

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

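The following is an added illustration, not part of any message in this thread and not Shorewall's own code: a small Python model of how a masq entry's three columns (INTERFACE with an optional `:destination`, SUBNET, ADDRESS) select packets, showing why the entry with `eth0` in the SUBNET column never matches the forwarded ping while `0.0.0.0/0` does. The routed network for eth0 and the Internet client address 198.51.100.7 are assumptions constructed for the example.

```python
import ipaddress

# Assumption: networks routed out of each firewall interface, which is what
# an interface name in the SUBNET column stands for.
ROUTED = {"eth0": ["192.168.21.0/24"]}

def parse_masq(line):
    """Split a masq line into (out_iface, dest_net, source_nets, snat_addr)."""
    iface_col, subnet_col, address = line.split()[:3]
    out_iface, _, dest = iface_col.partition(":")
    dest_net = ipaddress.ip_network(dest or "0.0.0.0/0")
    try:
        sources = [ipaddress.ip_network(subnet_col)]
    except ValueError:
        # Not a network, so treat it as an interface name.
        sources = [ipaddress.ip_network(n) for n in ROUTED[subnet_col]]
    return out_iface, dest_net, sources, address

def snat_source(line, pkt_src, pkt_dst, pkt_out):
    """Return the source address the packet leaves with under this entry."""
    out_iface, dest_net, sources, address = parse_masq(line)
    src = ipaddress.ip_address(pkt_src)
    dst = ipaddress.ip_address(pkt_dst)
    if pkt_out == out_iface and dst in dest_net and any(src in n for n in sources):
        return address
    return pkt_src  # entry does not match, source is left alone

# Constructed packet: an Internet client pinging 203.117.137.35, after the
# one-to-one NAT has rewritten the destination to 192.168.21.3.
CLIENT = "198.51.100.7"
TRIED = "eth0:192.168.21.3 eth0 192.168.21.1"
FIXED = "eth0:192.168.21.3 0.0.0.0/0 192.168.21.1"

if __name__ == "__main__":
    for entry in (TRIED, FIXED):
        print(entry, "->", snat_source(entry, CLIENT, "192.168.21.3", "eth0"))
```

With the first entry the packet reaches 192.168.21.3 still carrying the Internet source address, so the reply follows that host's default gateway on its other interface; with the second it arrives from 192.168.21.1 and the reply returns through the firewall.
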
Cool. This is working at last!!! And I spent days trying to figure things out. *sigh*. :)

Cheers
Lim Swee Tat

Tom Eastep said the following on Friday 10,March,2006 12:01 AM:
> On Thursday 09 March 2006 07:54, Lim Swee Tat wrote:
>> Hi,
>> How do I go about doing that?
>>
>> I did try the entry
>>
>> eth0:192.168.21.3 eth0 192.168.21.1
>>
>> But that did not seem to solve the issue.
>
> Look at the SUBNET column -- how could that *possibly* work.
>
> Use eth0:192.168.21.3 0.0.0.0/0 192.168.21.1
>
> -Tom