Hi, I hope you can help. I am trying to masquerade an already masqueraded network. I have a small network:

BOX A is a Xen linux 2.6.12.6 BUT not running Xen networking, only the host domain running (domain 0) (it's a Xen-enabled kernel with the Xen hypervisor), effectively just a normal linux. This is masquerading eth0 (local network 172.16.1.0/24) out to eth1 (cable modem). It is also running as a local fileserver, dns and dhcp server for eth0, running shorewall for firewalling.

Box B is a Xen linux 2.6.12.6 running the host server and several domains in Bridge mode. Box B is a clone of an internet server, used for testing, so it has the true box's live ips (not private). Box B, in addition to the clone, has an extra domain that is the gateway for the 'live ip' and masquerades it out to its private ip of 172.16.1.45 (using shorewall & have tried just an iptables masquerade rule).

                       Internet
                          |
                        (eth1)
              BOX A (172.16.1.1) Shorewall
      (no specific routing for Box B non private ip)
                        (eth0)
                          |
                          |
                       POINT X
                          |
               ---------------------
               |                   |
      other machines     Box B (containing domain 172.16.1.45)

The other machines can access the internet fine. 172.16.1.45 can access the internet fine. Box B non private ip domains can access the 172.16.1.0/24 network fine but cannot access the internet.

tcpdump at point X shows that Box B non private IP domains' traffic has been masqueraded to 172.16.1.45. If you tcpdump on the eth1 of Box A then it shows that the Box B non private IP domains' traffic is coming through as 172.16.1.45 onto the internet (it is not masquerading it again), but all other traffic, including traffic originating from the 172.16.1.45 domain (i.e. not masqueraded by 172.16.1.45), gets masqueraded by Box A fine.

I can send any appropriate config files, but haven't included any since I'm not sure what is needed.

In summary, Shorewall is not masquerading traffic that has already been masqueraded (either by shorewall or just a single iptables line).

Is there any easy solution/switch, something obvious that I have missed, or is it more complicated? This used to work but I have since upgraded Box A to xen (but not running xen bridges etc as it only has the host domain), and box b has been rebuilt with xen 3 and updated versions of everything.

Any help would be much appreciated.

Thanks
Simon
Tom Eastep
2006-Mar-15 22:49 UTC
Re: Masquerading an already Masqueraded network (FAILING)
On Wednesday 15 March 2006 14:41, Simon Atack wrote:

> I can send any appropriate config files, but haven't included any since
> I'm not sure what is needed.

We need the information requested at http://www.shorewall.net/support.htm. I suspect that it is the way that you have coded your /etc/shorewall/masq file on box A but I need to see the details to be sure.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
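Tom's suspicion is that Box A's masq rule does not cover the packets as they arrive at Box A. Double NAT itself is fine in netfilter: the second hop only ever sees the source address the first hop substituted (172.16.1.45 here), so that is the address Box A's nat POSTROUTING rule has to match. The following is an added example, not code from the thread or from Shorewall, that parses a small subset of `iptables-save` syntax (`-s`/`-d` with optional `!`, `-o`, `-j`) and walks the POSTROUTING rules in order, the way netfilter does for the first packet of a connection, to show which target a packet would hit at each hop. The three rule sets are constructed samples; the "good" one is what Shorewall generates for a masq line of the form `eth1  172.16.1.0/24`, the "bad" one is a made-up mis-scoped masq listing only two hosts.

```python
"""Trace a packet through two NAT hops using iptables-save style rules.

Added illustration for the Shorewall thread; not Shorewall's own code.
Only the -s / -d (optionally negated with '!'), -o and -j options are
understood, which is enough for plain MASQUERADE/SNAT rules.
"""
import ipaddress
import shlex
from typing import Optional, Tuple

# Constructed sample: Box A nat table for a masq line "eth1  172.16.1.0/24".
BOX_A_GOOD = """
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.1.0/24 -o eth1 -j MASQUERADE
COMMIT
"""

# Constructed sample of a mis-scoped masq: only two named hosts are
# translated, so traffic arriving from 172.16.1.45 leaves eth1 untouched.
BOX_A_BAD = """
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.1.10/32 -o eth1 -j MASQUERADE
-A POSTROUTING -s 172.16.1.20/32 -o eth1 -j MASQUERADE
COMMIT
"""

# Constructed sample for the gateway domain on Box B (first NAT hop),
# masquerading the public /28 out of its private-side interface.
BOX_B = """
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 212.13.203.176/28 -o eth0 -j MASQUERADE
COMMIT
"""


def parse_postrouting(dump: str) -> list:
    """Return POSTROUTING rules as dicts with src, dst, out and target keys."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A POSTROUTING"):
            continue
        toks = shlex.split(line)[2:]          # drop "-A POSTROUTING"
        rule = {"src": None, "dst": None, "out": None, "target": None}
        i = 0
        while i < len(toks):
            negated = toks[i] == "!"          # iptables-save writes "! -s net"
            if negated:
                i += 1
            opt, val = toks[i], toks[i + 1]   # every supported option takes a value
            if opt == "-s":
                rule["src"] = (ipaddress.ip_network(val, strict=False), negated)
            elif opt == "-d":
                rule["dst"] = (ipaddress.ip_network(val, strict=False), negated)
            elif opt == "-o":
                rule["out"] = val
            elif opt == "-j":
                rule["target"] = val
            i += 2
        rules.append(rule)
    return rules


def _addr_match(cond, addr: str) -> bool:
    """True when the address satisfies an (network, negated) condition (or no condition)."""
    if cond is None:
        return True
    net, negated = cond
    return (ipaddress.ip_address(addr) in net) != negated


def nat_target(dump: str, src: str, dst: str, out_iface: str) -> Optional[str]:
    """First POSTROUTING target the packet would hit, or None if no rule matches."""
    for rule in parse_postrouting(dump):
        if rule["out"] not in (None, out_iface):
            continue
        if _addr_match(rule["src"], src) and _addr_match(rule["dst"], dst):
            return rule["target"]
    return None


def trace_double_nat(box_b_dump: str, box_a_dump: str, src: str, dst: str,
                     gateway_addr: str) -> Tuple[Optional[str], Optional[str]]:
    """Targets hit at hop 1 (Box B gateway, out eth0) and hop 2 (Box A, out eth1).

    If hop 1 masquerades, the source Box A sees is the gateway's own
    address, so that is what its rule is tested against.
    """
    hop1 = nat_target(box_b_dump, src, dst, "eth0")
    src_seen_by_a = gateway_addr if hop1 == "MASQUERADE" else src
    hop2 = nat_target(box_a_dump, src_seen_by_a, dst, "eth1")
    return hop1, hop2


if __name__ == "__main__":
    # The ssh from the thread: 212.13.203.190 -> 128.243.105.3 via 172.16.1.45.
    for name, dump in (("good", BOX_A_GOOD), ("bad", BOX_A_BAD)):
        print(name, trace_double_nat(BOX_B, dump, "212.13.203.190",
                                     "128.243.105.3", "172.16.1.45"))
```

Run it against the real `iptables-save -t nat` output of each box to see whether the second hop's rule covers the translated source. If the rule does match but tcpdump on eth1 still shows 172.16.1.45 as the source, the rule set is not the problem: netfilter only translates packets that belong to a connection it is tracking, so anything conntrack classifies as INVALID (for example a packet whose TCP/UDP checksum does not verify) passes through the nat table untouched, which is why Tom asks about checksums later in the thread.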
Simon Atack
2006-Mar-16 00:26 UTC
Re: Masquerading an already Masqueraded network (FAILING) attached shorewall dump
I have included the requested shorewall dump as status-BoxA.txt.bz2; this is from BoxA shorewall. The BoxB router/masquerade domain (172.16.1.45) has the iptables command to masquerade 212.13.203.176/28. I used this capture command when doing a ssh 128.243.105.3 from 212.13.203.190 (that got masqueraded by 172.16.1.45).

I would appreciate any help that can be given.

Thanks
Simon

Tom Eastep wrote:
> On Wednesday 15 March 2006 14:41, Simon Atack wrote:
>
>> I can send any appropriate config files, but haven't included any since
>> I'm not sure what is needed.
>
> We need the information requested at http://www.shorewall.net/support.htm. I
> suspect that it is the way that you have coded your /etc/shorewall/masq file
> on box A but I need to see the details to be sure.
>
> -Tom

Previous message attached.
Tom Eastep
2006-Mar-16 01:13 UTC
Re: Masquerading an already Masqueraded network (FAILING) attached shorewall dump
On Wednesday 15 March 2006 16:26, Simon Atack wrote:

> I have included the requested shorewall dump as status-BoxA.txt.bz2; this
> is from BoxA shorewall. The BoxB router/masquerade domain (172.16.1.45) has
> the iptables command to masquerade 212.13.203.176/28. I used this
> capture command when doing a ssh 128.243.105.3 from 212.13.203.190 (that
> got masqueraded by 172.16.1.45)
>
> I would appreciate any help that can be given.

I don't see anything wrong here, assuming that the packets in question have source IP 176.16.1.45 and have correct TCP/UDP checksums; I do note though that there were packets leaving eth1 during the period covered by the dump that did not have source IP addresses in 176.16.1.0/24. Any idea what that traffic is?

Other people have reported unexplained weirdness with MASQ/SNAT in Xen Dom0 as well. I'll try to reproduce these problems this weekend; I avoid serious firewalling in Dom0 like the plague in my own network so I will have to reconfigure to do the tests.

I wrote http://www.shorewall.net/Xen.html before I was converted to the "other" way of using Xen hosts for firewalls which I have described in http://www.shorewall.net/XenMyWay.html. As I say in http://www.shorewall.net/Xen.html:

  I find Xen Domain 0 to be an arcane environment in which to try to use Netfilter (and hence Shorewall). As the number of interfaces and bridges increase, complexity increases geometrically. I recommend following this guide only if you really need to place a public server in your local network. Otherwise, the way that I use Xen is much more straight-forward.

-Tom