Fathi Boudra
2006-Apr-26 12:16 UTC
access to a box that doesn't have a gateway using shorewall ?
hi,

I would like to access a box that doesn't have a gateway.
My topology:

* box
  eth0 192.168.0.67
* router (sarge+shorewall 3.0.5)
  eth0 192.168.0.68 gw 192.168.0.94
* my_remote_ip (assigned to me by cisco vpn client)
  eth0 192.169.1.5 gw 192.169.1.5

A practical view is: I connect using http to the router, which redirects the traffic to the box. So the idea is to use the router (which is accessible) to access the box (which I can't access because of the missing gateway). I tried masquerading, dnat and redirect but not successfully. I probably missed something...

Any ideas how to resolve my problem?

cheers,
Fathi
Tom Eastep
2006-Apr-26 13:47 UTC
Re: access to a box that doesn't have a gateway using shorewall ?
Fathi Boudra wrote:
> hi,
>
> I would like to access a box that doesn't have a gateway.
> My topology:
> * box
>   eth0 192.168.0.67
> * router (sarge+shorewall 3.0.5)
>   eth0 192.168.0.68 gw 192.168.0.94
> * my_remote_ip (assigned to me by cisco vpn client)
>   eth0 192.169.1.5 gw 192.169.1.5
>
> A practical view is: I connect using http to the router, which redirects the traffic
> to the box. So the idea is to use the router (which is accessible) to access the box
> (which I can't access because of the missing gateway). I tried masquerading,
> dnat and redirect but not successfully. I probably missed something...
>
> Any ideas how to resolve my problem?

Yes -- define the Shorewall box (192.168.0.68) as the default gateway on 192.168.0.67. That is the only correct solution.

If 192.168.0.67 uses the Shorewall box (or some local system) as its DNS server then you can make this "sort of" work by adding this to /etc/shorewall/masq (in addition to port forwarding of course):

    <local interface>:192.168.0.67 0.0.0.0/0 192.168.0.68

That hack will make all traffic from outside look to 192.168.0.67 as if it originated on the Shorewall system. So the web server logs on 192.168.0.67 will be useless for determining who is accessing the site.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Fathi Boudra
2006-Apr-26 14:35 UTC
Re: access to a box that doesn't have a gateway using shorewall ?
> Yes -- define the Shorewall box (192.168.0.68) as the default gateway on
> 192.168.0.67. That is the only correct solution.

This box lacks gateway parameters; it's in fact a PLC (programmable logic controller), not a real machine.

> If 192.168.0.67 uses the Shorewall box (or some local system) as its DNS
> server then you can make this "sort of" work by adding this to
> /etc/shorewall/masq (in addition to port forwarding of course):
>
>     <local interface>:192.168.0.67 0.0.0.0/0 192.168.0.68
>
> That hack will make all traffic from outside look to 192.168.0.67 as if
> it originated on the Shorewall system. So the web server logs on
> 192.168.0.67 will be useless for determining who is accessing the site.

I found a way to access the box using the redir program:

    redir --lport=80 --cport=80 --caddr=192.168.0.67

I try to mimic this behavior using shorewall, avoiding the redir program, but no success ATM (masq? dnat? masq+dnat? not really sure).

cheers,
Fathi
Tom Eastep
2006-Apr-26 16:51 UTC
Re: access to a box that doesn't have a gateway using shorewall ?
Fathi Boudra wrote:
>
> I try to mimic this behavior using shorewall, avoiding the redir program, but no
> success ATM (masq? dnat? masq+dnat? not really sure).

I just told you -- you have to use DNAT and MASQ. I don't have enough information about your configuration to write your rules for you (even if I wanted to).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
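Added example, not part of the thread and not Shorewall project documentation: the two Shorewall 3.0 fragments that Tom's replies describe (port forwarding in /etc/shorewall/rules plus the masq entry from his first reply), with the checks a practitioner would run afterwards. Assumptions, none of which the thread states: the interface through which 192.168.0.67 is reached is eth0 (the only interface the original post lists for the router), the zones are named net and loc (with only one interface on the router, loc has to be defined in /etc/shorewall/hosts), and forwarding is restricted to the poster's VPN address 192.169.1.5 so that the PLC's web interface is not reachable from anywhere else. The iptables lines in the comments are the equivalent nat-table entries, written out to show why the PLC can answer without a default gateway.

```text
# /etc/shorewall/rules  (Shorewall 3.0.x)
# Forward HTTP from the VPN client to the PLC. The ":info" log level records
# the real client address in the router's kernel log, since the PLC itself
# will only ever see 192.168.0.68 as the source (Tom's caveat).
#ACTION      SOURCE             DEST                PROTO   DEST PORT(S)
DNAT:info    net:192.169.1.5    loc:192.168.0.67    tcp     80

# /etc/shorewall/masq
# The hack from Tom's first reply: rewrite the source of everything sent to
# 192.168.0.67 to the router's own on-link address, so the PLC's replies go
# to a host on its subnet and no route (gateway) is needed.
#INTERFACE            SUBNET        ADDRESS
eth0:192.168.0.67     0.0.0.0/0     192.168.0.68

# Roughly equivalent nat table entries (what the two lines above amount to):
#   iptables -t nat -A PREROUTING  -s 192.169.1.5 -p tcp --dport 80 \
#            -j DNAT --to-destination 192.168.0.67
#   iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.67 \
#            -j SNAT --to-source 192.168.0.68
#
# Packet path:
#   192.169.1.5 -> 192.168.0.68:80   DNAT   -> 192.168.0.67:80, src 192.168.0.68
#   192.168.0.67 -> 192.168.0.68     on-link, no gateway needed
#   conntrack reverses both translations, reply reaches 192.169.1.5

# Checks after "shorewall restart":
#   shorewall check                 # parses rules/masq before touching iptables
#   shorewall show nat              # the DNAT and SNAT entries should be listed
#   tcpdump -ni eth0 host 192.168.0.67 and tcp port 80
#                                   # the SYN toward the PLC must carry src 192.168.0.68
```

If the tcpdump shows the SYN arriving at 192.168.0.67 with the VPN client's address as source, the masq entry is not matching (wrong interface name, or the destination qualifier on the INTERFACE column was dropped), and the PLC is silently discarding the packet because it has no route back; that is exactly the symptom the original post describes. Note that the restriction to 192.169.1.5 is a deliberate choice here: the rule exposes a PLC's management interface, and without a SOURCE qualifier it would be reachable from the whole net zone.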