Hi!

It's more a "how iptables works" question than a pure Shorewall one. In fact I will describe two variants.

***

Let's assume:

1) network for interchange traffic with my ISP: 80.10.10.0/30; 80.10.10.1: my gateway on his network; 80.10.10.2: my router's interface;
2) address class assigned to me: 80.10.50.0/28 - which means I have 6 usable IP addresses: 80.10.50.1 - 80.10.50.6;
3) my router running Linux with Shorewall installed; it has four networking interfaces: eth0 connected to the ISP; eth1, eth2, eth3 are internal.

I'd like to achieve something like this:

1) on eth1 I have my private network connected, address space is 192.168.1.0/24; it should run SNAT via one of the above public addresses - I have elected: 80.10.50.1;
2) on eth2 I have my private network connected, address space is 192.168.2.0/24; I'd like to have some of these hosts be visible as NAT 1-to-1; it also applies to $FW and other local interfaces! So I have made NAT 1-to-1 entries:
   192.168.2.101 is visible as 80.10.50.2
   192.168.2.102 is visible as 80.10.50.3
3) on eth3 I have servers with pure public addresses, hosts: 80.10.50.4, 80.10.50.5; and the router's address on interface eth3 is: 80.10.50.6 - so .4 and .5 have their default gateway set to .6.

Each interface creates a separate zone using the interface name.

In the above situation:

1) hosts from eth1 accessing hosts on eth3 get there with 80.10.50.1 as source address, which is the SNAT address - correct;
2) hosts from eth2 which are 1-to-1 NATranslated accessing hosts on eth3 get there with the appropriate public (translated) addresses: 80.10.50.2 or 80.10.50.3;
3) hosts from eth2 which are not translated accessing hosts on eth3 get there with their private 192.168.2.x addresses.

As far as I know traffic for situations 2) and 3) is routed due to POLICY: eth2 to eth3 - so when I set it to ACCEPT both 2) and 3) pass; when I set it to DROP or REJECT neither passes. Of course the policy may be eth2 to any set of zones containing eth3.
Of course it is not a very good situation since I see RFC1918 packets arriving on this interface. So - in my situation would it be correct to pass the 'norfc1918' option to interface eth3? I suppose yes. Maybe it is the best solution?

***

Let's also assume that my situation is "slightly" different. Now on both eth2 and eth3 there is private address space set, and NAT 1-to-1 is made. Network space for eth3 is 192.168.3.x. The remaining public addresses: 80.10.50.4, .5 and .6 are NAT 1-to-1 translated to some hosts on this network. Traffic originating on an eth2 host that is NOT NATranslated which goes to a NATranslated host on eth3 will arrive with a source address belonging to the RFC1918 classes. Now I cannot use the norfc1918 option since on both interfaces there are 192.168.x.x hosts. Can I solve this situation without creating special subzones or rules selecting hosts?

What is also important to me - where should I bind all the 80.10.50.x addresses (it's my address space)? In fact my 6 public addresses are all used: the first one is used for SNAT and all the others are used for 1-to-1 NAT - so in fact I do not need any of these addresses bound on a physical interface. On the other hand SNAT must have some "external interface". Which one should I use? Maybe create a dummy or another loopback?

Thanks in advance.
AdamLis

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
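The first variant of the setup above, written out as Shorewall configuration tables. This is an added illustration for readers of the thread, not configuration posted by Adam or shipped by the Shorewall project; it assumes the Shorewall 3.x-era file layout current in 2007, takes the zone names from the interface names as the post describes, and uses only addresses the post gives. Interface addresses themselves (80.10.10.2 on eth0, 80.10.50.6/28 on eth3, the 192.168.x.1 gateways on eth1/eth2) are configured outside Shorewall.

```text
# Added example, not from the thread: Shorewall 3.x-style tables for
# variant 1 of the post. Zone names equal interface names; addresses are
# the post's; interface IP addresses are set outside Shorewall.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
eth0    ipv4
eth1    ipv4
eth2    ipv4
eth3    ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
eth0    eth0        detect      norfc1918
eth1    eth1        detect
eth2    eth2        detect
eth3    eth3        detect      norfc1918
# norfc1918 drops packets *received* on that interface whose source is an
# RFC 1918 address. On eth3 it therefore guards against 192.168.x.x sources
# sent by the eth3 servers; what reaches those servers from eth2 is decided
# by the eth2->eth3 policy and rules below, not by this option.

# /etc/shorewall/masq  -- SNAT for the eth1 LAN. The eth0 line covers the
# Internet; the eth3 line is what makes eth1 hosts show up on the eth3
# servers as 80.10.50.1 (situation 1 in the post).
#INTERFACE   SOURCE            ADDRESS
eth0         192.168.1.0/24    80.10.50.1
eth3         192.168.1.0/24    80.10.50.1

# /etc/shorewall/nat  -- 1-to-1 NAT. ALL INTERFACES=Yes applies the mapping
# on $FW and every other local interface too, which is why translated eth2
# hosts reach eth3 as .2/.3 (situation 2) while untranslated eth2 hosts keep
# their 192.168.2.x source (situation 3).
#EXTERNAL     INTERFACE   INTERNAL         ALL INTERFACES   LOCAL
80.10.50.2    eth0        192.168.2.101    Yes              No
80.10.50.3    eth0        192.168.2.102    Yes              No

# /etc/shorewall/policy  -- one line decides eth2->eth3 for translated and
# untranslated hosts alike. REJECT here plus the per-host rules below is the
# host-selecting alternative the post would rather avoid, shown for contrast.
#SOURCE   DEST    POLICY    LOG LEVEL
fw        all     ACCEPT
eth1      eth3    ACCEPT
eth2      eth3    REJECT    info
eth1      eth0    ACCEPT
eth2      eth0    ACCEPT
eth3      eth0    ACCEPT
eth0      all     DROP      info
all       all     REJECT    info

# /etc/shorewall/rules  -- only the two translated hosts may cross into eth3.
# FORWARD filtering runs before the POSTROUTING SNAT of 1-to-1 NAT, so the
# rules must match the private (pre-NAT) address, not 80.10.50.2/.3.
#ACTION   SOURCE                DEST
ACCEPT    eth2:192.168.2.101    eth3
ACCEPT    eth2:192.168.2.102    eth3
```

On the question of where to bind the public addresses: because the ISP routes 80.10.50.0/28 toward 80.10.10.2, return traffic for 80.10.50.1 reaches the router whichever interface (if any) carries that address. Whether Shorewall adds the masq ADDRESS and the nat EXTERNAL addresses to the named interface is controlled by the ADD_SNAT_ALIASES and ADD_IP_ALIASES settings in shorewall.conf.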
Adam Lis wrote:
> Hi!
>
> It's more a "how iptables works" question than a pure Shorewall one.
> In fact I will describe two variants.

You seem to be worried about packets with source addresses in RFC 1918 ranges. Why??? If they are your own internal systems, why do you care?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Alex Martin
2007-Jan-26 04:35 UTC
Re: NAT 1-to-1 and routing to interface on same machine;
cut
> I'd like to achieve something like this:
> 1) on eth1 I have my private network connected, address space
> is 192.168.1.0/24; it should run SNAT via one of above public
> addresses - I have elected: 80.10.50.1;
> 2) on eth2 I have my private network connected, address space
> is 192.168.2.0/24; I'd like to have some of this hosts to be
> visible as NAT 1-to-1; it also applies to $FW and other local
> interfaces! so I have made NAT 1-to-1 entries:
> 192.168.2.101 is visible as 80.10.50.2
> 192.168.2.102 is visible as 80.10.50.3
> 3) on eth3 I have servers with pure public addresses, hosts:
> 80.10.50.4, 80.10.50.5; and router's address on interface
> eth3 is: 80.10.50.6 - so .4 and .5 have default gateway set
> to .6;
>
snip

Do you understand proxy arp?

http://www.shorewall.net/ProxyARP.htm

-Alex