On Thursday 09 March 2006 12:00, Charrua wrote:
> Hi,
>
> I use Shorewall 2.4.7 with Leaf Bering Uclibc 2.4B1
>
> My ISP has assigned me the subnet 200.58.129.0/27 (255.255.255.224).
> A few users have assigned public IPs, the rest of the users have assigned
> private IPs (SNAT).
> I use DNAT for SMTP access from the Internet to the server configured with an
> RFC1918 IP (192.168.115.2); the public IP is 200.58.129.15.
>
> If I connect from the Internet to 200.58.129.15 smtp port, I don't have a
> problem. If I connect from loc zone RFC1918 IPs, I don't have a problem.
> But if I connect from some of the public IPs assigned to me (for example
> 200.58.129.2) I can't get access to 200.58.129.15 smtp port.
>
> I read in the FAQ that the recommendation is to use an internal DNS server to
> resolve this problem, but at this moment I can't implement this solution.
>
> What can I do?

You can use the other hacks suggested in the FAQ:

a) set routeback on the local interface.
b) Add loc->loc DNAT rules as needed.
c) SNAT loc->loc traffic.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Hi,

I use Shorewall 2.4.7 with Leaf Bering Uclibc 2.4B1

My ISP has assigned me the subnet 200.58.129.0/27 (255.255.255.224).
A few users have assigned public IPs, the rest of the users have assigned private IPs (SNAT).
I use DNAT for SMTP access from the Internet to the server configured with an RFC1918 IP (192.168.115.2); the public IP is 200.58.129.15.

If I connect from the Internet to 200.58.129.15 smtp port, I don't have a problem. If I connect from loc zone RFC1918 IPs, I don't have a problem. But if I connect from some of the public IPs assigned to me (for example 200.58.129.2) I can't get access to 200.58.129.15 smtp port.

I read in the FAQ that the recommendation is to use an internal DNS server to resolve this problem, but at this moment I can't implement this solution.

What can I do?

Thanks
Andrés
> You can use the other hacks suggested in the FAQ:
> a) set routeback on the local interface.
> b) Add loc->loc DNAT rules as needed.
> c) SNAT loc->loc traffic.

Thanks Tom,

a) routeback was already set on eth2

I read the FAQ again and then I made these changes:

b) Added in the RULES file:
   DNAT loc loc:192.168.115.2 tcp smtp - 200.58.129.15

c) Added in the MASQ file:
   eth2:192.168.115.2 eth2 192.168.115.1 tcp smtp

After making these changes, it didn't work anyway.
We still can not connect from 200.58.129.2 to 200.58.129.15 port 25.

In the FAQ, the example is with a private IP, but this is a public IP.

I truly don't understand what is wrong. What can I do?

Thanks,
Andrés

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Cc: "Charrua" <charrua@kernel.net.uy>
Sent: Thursday, March 09, 2006 4:35 PM
Subject: Re: [Shorewall-users] DNAT and public ip problem
On Friday 10 March 2006 06:14, Charrua wrote:
> > You can use the other hacks suggested in the FAQ:
> > a) set routeback on the local interface.
> > b) Add loc->loc DNAT rules as needed.
> > c) SNAT loc->loc traffic.
>
> Thanks Tom,
>
> a) routeback was already set on eth2
>
> I read the FAQ again and then I made these changes:
>
> b) Added in the RULES file:
>    DNAT loc loc:192.168.115.2 tcp smtp - 200.58.129.15
>
> c) Added in the MASQ file:
>    eth2:192.168.115.2 eth2 192.168.115.1 tcp smtp
>
> After making these changes, it didn't work anyway.
> We still can not connect from 200.58.129.2 to 200.58.129.15 port 25.
>
> In the FAQ, the example is with a private IP, but this is a public IP.

None of the code involved should know the difference.

> I truly don't understand what is wrong. What can I do?

Looks like you are going to have to debug the problem using tcpdump and/or ethereal. You may have to use those tools on all three computers to understand what is happening.

-Tom
Thanks Tom,

I used Ethereal, and I solved the problem.

Using Ethereal I see that I don't get an ARP response from 200.58.129.15 (if I try to connect from 200.58.129.2).

The solution was to assign 200.58.129.15 to eth2 in the Shorewall router.

Thanks a lot.
Andrés

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Sent: Friday, March 10, 2006 1:37 PM
Subject: Re: [Shorewall-users] DNAT and public ip problem
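The check Tom suggested and Andrés carried out by hand (watch ARP on the local segment and see whether anyone answers for the DNAT'd public address) can be scripted over a tcpdump capture. The following is an added example, not code from the thread or from Shorewall; the tcpdump-style ARP lines are constructed here, and the DNAT address list is assumed to be supplied by the operator.

```python
import re
from collections import Counter

# Constructed tcpdump -n style ARP lines (not a capture from the thread's network).
# 200.58.129.15 is asked for repeatedly and never answered; the others are answered.
SAMPLE_CAPTURE = """\
12:00:01.000000 ARP, Request who-has 200.58.129.15 tell 200.58.129.2, length 28
12:00:02.000000 ARP, Request who-has 200.58.129.15 tell 200.58.129.2, length 28
12:00:03.000000 ARP, Request who-has 200.58.129.15 tell 200.58.129.2, length 28
12:00:03.500000 ARP, Request who-has 200.58.129.1 tell 200.58.129.2, length 28
12:00:03.500100 ARP, Reply 200.58.129.1 is-at 00:11:22:33:44:55, length 28
12:00:04.000000 ARP, Request who-has 192.168.115.2 tell 192.168.115.1, length 28
12:00:04.000100 ARP, Reply 192.168.115.2 is-at 00:aa:bb:cc:dd:ee, length 28
"""

REQUEST_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
# Some tcpdump builds print "(oui ...)" after the MAC, so match only the address itself.
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9A-Fa-f:]+)")

def arp_summary(lines):
    """Return (requests, replies): requests[ip] = who-has count, replies[ip] = MACs that answered."""
    requests = Counter()
    replies = {}
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            replies.setdefault(m.group(1), set()).add(m.group(2))
    return requests, replies

def unanswered_targets(lines, min_requests=2):
    """IPs asked for at least min_requests times on the segment that nobody answered."""
    requests, replies = arp_summary(lines)
    return sorted(ip for ip, n in requests.items() if n >= min_requests and ip not in replies)

def missing_dnat_addresses(lines, dnat_public_ips):
    """DNAT public addresses that no host on the local segment claims via ARP.
    A loc->loc client ARPs for such an address directly; if the firewall does not hold it
    on the local interface, the SYN never reaches the DNAT rule (Andrés's symptom)."""
    unanswered = set(unanswered_targets(lines))
    return [ip for ip in dnat_public_ips if ip in unanswered]

if __name__ == "__main__":
    for ip in missing_dnat_addresses(SAMPLE_CAPTURE.splitlines(), ["200.58.129.15"]):
        print(f"no ARP reply for DNAT address {ip}: add it to the firewall's local interface")
```

Run it against `tcpdump -n -i eth2 arp` output from the firewall's local interface; an address it reports is one the firewall must own (or proxy-ARP) before loc->loc DNAT can work.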