I just upgraded to 3.x. I'm trying to masquerade 2 networks with a pool of IP addresses like this:

eth0 net
eth1 loc1
eth2 loc2

masq---

eth0 eth1 ipaddr1-ipaddr2
eth0 eth2 ipaddr3-ipaddr4

which yields a lot of timeouts on my applications and also on HTTP requests (using a transparent squid proxy with shorewall).

I tried to use

SAME:ipaddr1-ipaddr2

in the address field, and when I restart I get:

iptables: No chain/target/match by that name
ERROR: Command "/usr/sbin/iptables -t nat -A eth0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j SAME --to ipaddr1-ipaddr2" Failed

Note that when I leave the address field empty (using the interface IP address) it works like a charm, and yes, I have "ADD_SNAT_ALIASES=Yes" in my shorewall.conf.

Any ideas?
On Friday 24 March 2006 11:56, Alberto Sierra wrote:
> I just upgraded to 3.x. I'm trying to masquerade 2 networks with a pool of IP addresses like this:
>
> eth0 net
> eth1 loc1
> eth2 loc2
>
> masq---
>
> eth0 eth1 ipaddr1-ipaddr2
> eth0 eth2 ipaddr3-ipaddr4
>
> which yields a lot of timeouts on my applications and also on HTTP requests (using a transparent squid proxy with shorewall).

Was this working under 2.x or are you trying it for the first time?

> I tried to use
>
> SAME:ipaddr1-ipaddr2
>
> in the address field, and when I restart I get:
>
> iptables: No chain/target/match by that name
> ERROR: Command "/usr/sbin/iptables -t nat -A eth0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j SAME --to ipaddr1-ipaddr2" Failed

That means that you don't have SAME target support in your kernel.

> Note that when I leave the address field empty (using the interface IP address) it works like a charm, and yes, I have "ADD_SNAT_ALIASES=Yes" in my shorewall.conf.
>
> Any ideas?

No -- not with the skimpy information you've provided us.

See http://www.shorewall.net/support.htm

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Thanks for the skimpy help.

> From: Tom Eastep <teastep@shorewall.net>
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] masquerading
> Date: Fri, 24 Mar 2006 12:12:45 -0800
> CC: Alberto Sierra <albertuxco@yahoo.com>
>
> On Friday 24 March 2006 11:56, Alberto Sierra wrote:
> > I just upgraded to 3.x. I'm trying to masquerade 2 networks with a pool of IP addresses like this:
> >
> > eth0 net
> > eth1 loc1
> > eth2 loc2
> >
> > masq---
> >
> > eth0 eth1 ipaddr1-ipaddr2
> > eth0 eth2 ipaddr3-ipaddr4
> >
> > which yields a lot of timeouts on my applications and also on HTTP requests (using a transparent squid proxy with shorewall).
>
> Was this working under 2.x or are you trying it for the first time?
>
> > I tried to use
> >
> > SAME:ipaddr1-ipaddr2
> >
> > in the address field, and when I restart I get:
> >
> > iptables: No chain/target/match by that name
> > ERROR: Command "/usr/sbin/iptables -t nat -A eth0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j SAME --to ipaddr1-ipaddr2" Failed
>
> That means that you don't have SAME target support in your kernel.
>
> > Note that when I leave the address field empty (using the interface IP address) it works like a charm, and yes, I have "ADD_SNAT_ALIASES=Yes" in my shorewall.conf.
> >
> > Any ideas?
>
> No -- not with the skimpy information you've provided us.
>
> See http://www.shorewall.net/support.htm
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Ok, I patched my kernel with SAME target support, and when I add:

eth0 eth1 SAME:ipaddr1-ipaddr2

to the masq file and restart, it shows:

Adding IP Addresses...
Error: an inet prefix is expected rather than "SAME".

But when I then try to load the iptables rule from the previous error (this was the error I got when I had no SAME support):

/usr/sbin/iptables -t nat -A eth0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j SAME --to ipaddr1-ipaddr2

it runs without errors.

Can anybody help me out here? (If you need any other details, please ask.)

> > From: Tom Eastep <teastep@shorewall.net>
> > To: shorewall-users@lists.sourceforge.net
> > Subject: Re: [Shorewall-users] masquerading
> > Date: Fri, 24 Mar 2006 12:12:45 -0800
> > CC: Alberto Sierra <albertuxco@yahoo.com>
> >
> > On Friday 24 March 2006 11:56, Alberto Sierra wrote:
> > > I just upgraded to 3.x. I'm trying to masquerade 2 networks with a pool of IP addresses like this:
> > >
> > > eth0 net
> > > eth1 loc1
> > > eth2 loc2
> > >
> > > masq---
> > >
> > > eth0 eth1 ipaddr1-ipaddr2
> > > eth0 eth2 ipaddr3-ipaddr4
> > >
> > > which yields a lot of timeouts on my applications and also on HTTP requests (using a transparent squid proxy with shorewall).
> >
> > Was this working under 2.x or are you trying it for the first time?
> >
> > > I tried to use
> > >
> > > SAME:ipaddr1-ipaddr2
> > >
> > > in the address field, and when I restart I get:
> > >
> > > iptables: No chain/target/match by that name
> > > ERROR: Command "/usr/sbin/iptables -t nat -A eth0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j SAME --to ipaddr1-ipaddr2" Failed
> >
> > That means that you don't have SAME target support in your kernel.
> >
> > > Note that when I leave the address field empty (using the interface IP address) it works like a charm, and yes, I have "ADD_SNAT_ALIASES=Yes" in my shorewall.conf.
> > >
> > > Any ideas?
> >
> > No -- not with the skimpy information you've provided us.
> >
> > See http://www.shorewall.net/support.htm
> >
> > -Tom
> > --
> > Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline, \ http://shorewall.net
> > Washington USA \ teastep@shorewall.net
> > PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Saturday 25 March 2006 08:12, Alberto Sierra wrote:
> Ok, I patched my kernel with SAME target support, and when I add:
>
> eth0 eth1 SAME:ipaddr1-ipaddr2
>
> to the masq file and restart, it shows:
>
> Adding IP Addresses...
> Error: an inet prefix is expected rather than "SAME".
>
> But when I then try to load the iptables rule from the previous error (this was the error I got when I had no SAME support):
>
> /usr/sbin/iptables -t nat -A eth0_masq -s 192.168.0.0/24 -d 0.0.0.0/0 -j SAME --to ipaddr1-ipaddr2
>
> it runs without errors.
>
> Can anybody help me out here? (If you need any other details, please ask.)

Please forward a trace as described at http://www.shorewall.net/support.htm.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Saturday 25 March 2006 08:17, Tom Eastep wrote:
>
> Please forward a trace as described at http://www.shorewall.net/support.htm.

If you compress the trace and the mailing-list handler still holds it for approval because it is too large, then please just send me a copy personally and I will take a look at it.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Sat, March 25, 2006 08:19, Tom Eastep wrote:
> On Saturday 25 March 2006 08:17, Tom Eastep wrote:
> >
> > Please forward a trace as described at http://www.shorewall.net/support.htm.
>
> If you compress the trace and the mailing-list handler still holds it for approval because it is too large, then please just send me a copy personally and I will take a look at it.

Or you can post it on the web somewhere if you prefer.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Saturday 25 March 2006 08:17, Tom Eastep wrote:
>
> Please forward a trace as described at http://www.shorewall.net/support.htm.
>

Never mind -- I see the problem. It is an interaction between SAME and ADD_SNAT_ALIASES. You can either add the IP addresses manually using your distribution's network configurator or wait until I've coded and tested a fix (should be later today).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Saturday 25 March 2006 08:39, Tom Eastep wrote:
> On Saturday 25 March 2006 08:17, Tom Eastep wrote:
> > Please forward a trace as described at http://www.shorewall.net/support.htm.
>
> Never mind -- I see the problem. It is an interaction between SAME and ADD_SNAT_ALIASES. You can either add the IP addresses manually using your distribution's network configurator or wait until I've coded and tested a fix (should be later today).

Turned out to be easy to fix -- please try the firewall script found at:

http://www1.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/errata/firewall

(move it to /usr/share/shorewall/firewall as described in www1.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/known_problems.txt).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
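The interaction described above (ADD_SNAT_ALIASES handing the masq ADDRESS column, SAME: prefix and all, to "ip addr add", which then complains that "SAME" is not an inet prefix) is illustrated by the added example below. It is not Shorewall's own firewall script; the function names and the RFC 5737 addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Shorewall's firewall script: normalise a masq ADDRESS
# entry before the alias code passes it to "ip addr add". Handing "SAME:a-b"
# through unchanged is what produced
#   Error: an inet prefix is expected rather than "SAME".
# Only the iptables target needs the SAME: prefix; the alias code needs the
# bare addresses. Sample addresses are constructed (RFC 5737 range).

# Dotted quad -> integer, using only POSIX sh arithmetic.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Integer -> dotted quad.
int2ip() {
    echo "$(( $1 / 16777216 % 256 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}

# Print every address to alias for one ADDRESS entry: strip an optional
# SAME: prefix and expand a "first-last" range; reject an inverted range.
snat_alias_addrs() {
    spec=${1#SAME:}
    case $spec in
        *-*) first=${spec%-*}; last=${spec#*-} ;;
        *)   first=$spec; last=$spec ;;
    esac
    lo=$(ip2int "$first"); hi=$(ip2int "$last")
    if [ "$lo" -gt "$hi" ]; then
        echo "snat_alias_addrs: bad range '$1'" >&2
        return 1
    fi
    i=$lo
    while [ "$i" -le "$hi" ]; do
        int2ip "$i"
        i=$((i + 1))
    done
}

# Show (do not run) the ip commands the alias code would need for an entry.
show_alias_cmds() {
    for addr in $(snat_alias_addrs "$2"); do
        echo "ip addr add $addr/32 dev $1"
    done
}

show_alias_cmds eth0 "SAME:192.0.2.10-192.0.2.12"
```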
Thanks

--- Tom Eastep <teastep@shorewall.net> wrote:
> On Saturday 25 March 2006 08:39, Tom Eastep wrote:
> > On Saturday 25 March 2006 08:17, Tom Eastep wrote:
> > > Please forward a trace as described at http://www.shorewall.net/support.htm.
> >
> > Never mind -- I see the problem. It is an interaction between SAME and ADD_SNAT_ALIASES. You can either add the IP addresses manually using your distribution's network configurator or wait until I've coded and tested a fix (should be later today).
>
> Turned out to be easy to fix -- please try the firewall script found at:
>
> http://www1.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/errata/firewall
>
> (move it to /usr/share/shorewall/firewall as described in www1.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/known_problems.txt).
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key