Hi. I have a Debian Etch (4.0) server with Shorewall 3.2.6 / iptables 1.3.6.

/etc/network/interfaces:

iface eth0 inet static
    address 10.0.100.5
    netmask 255.255.255.0
    gateway 10.0.100.1
    dns-nameservers 151.99.125.2
auto eth0

iface eth0:1 inet static
    address 13.0.0.2
    netmask 255.255.255.0
auto eth0:1

As you can see I have a single network card with one main IP (10.0.100.5) and an alias (13.0.0.2). This was done because I had to set up racoon / ipsec-tools for an IPSEC VPN tunnel and the 13.0.0.x/24 class was forced by the other side's sysadmin. Still, the tunnel works fine (I can ping a remote host 10.11.100.24 successfully). I manually had to set up a route to route all packets to the 10.100.11.24 through the 13.0.0.2 interface (alias). I read that (eventually) I should put some entry in the /etc/shorewall/masq file. Still, I have not grasped what I should really enter in that conf file. Any hint (if positive)?

Now, this is my problem: I would like to FORWARD all incoming conns to TCP 3030 to the remote 10.100.11.24, hence, through the IPSEC tunnel. I have read the whole Shorewall FAQ and MASQ, but no luck.
Follows my routing table and shorewall confs (IP_FORWARDING is enabled in shorewall.conf):

sys05:/etc/shorewall# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.100.11.24    13.0.0.2        255.255.255.255 UGH   0      0        0 eth0
10.0.100.0      *               255.255.255.0   U     0      0        0 eth0
13.0.0.0        *               255.255.255.0   U     0      0        0 eth0
default         10.0.100.1      0.0.0.0         UG    0      0        0 eth0

/etc/shorewall/interfaces

#ZONE   INTERFACE   BROADCAST   OPTIONS
fw      firewall
net     eth0        detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/zones

#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4

/etc/shorewall/policy

#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
fw      net     ACCEPT
net     fw      DROP    info
all     all     REJECT  info

/etc/shorewall/rules

#ACTION SOURCE              DEST            PROTO   DEST    SOURCE  ORIGINAL    RATE    USER/
#                                                   PORT(S) PORT(S) DEST        LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#DNAT   net                 net:13.0.0.2    tcp     3030
ACCEPT  net:10.0.100.0/24   fw              icmp
ACCEPT  net                 fw              tcp     http
ACCEPT  net                 fw              tcp     1723
ACCEPT  net                 fw              tcp     isakmp
ACCEPT  net                 fw              udp     500
ACCEPT  net:10.0.100.3      fw              tcp     ssh
DNAT    net                 net:13.0.0.2    tcp     3030

Thank you
Andrea Fastame
DAXO - Italy

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Hi Andrea,
not totally sure on this, but it should work:

On 5/23/07, Andrea Fastame <a.fastame@daxo.it> wrote:
<...cut...>
> Now, this is my problem: I would like to FORWARD all incoming conns to
> TCP 3030 to the remote 10.100.11.24, hence, through the IPSEC tunnel.
> I have read the whole Shorewall FAQ and MASQ, but no luck.
<...cut...>
> /etc/shorewall/interfaces
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> fw      firewall
> net     eth0        detect
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I think you might want to specify the 'routeback' option here, because the traffic is leaving the same interface that it arrived on.

~David
That could do. I hope. Could you be a little more specific, though?

In my "interfaces":

#ZONE   INTERFACE   BROADCAST   OPTIONS
fw      firewall
net     eth0        detect      routeback

and "rules":

#ACTION SOURCE              DEST            PROTO   DEST    SOURCE  ORIGINAL    RATE    USER/
#                                                   PORT(S) PORT(S) DEST        LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
DNAT    net:10.0.100.5      net:13.0.0.2    tcp     3030
ACCEPT  net:10.0.100.0/24   fw              icmp
ACCEPT  net                 fw              tcp     http
ACCEPT  net                 fw              tcp     1723
ACCEPT  net                 fw              tcp     isakmp
ACCEPT  net                 fw              udp     500
ACCEPT  net:10.0.100.3      fw              tcp     ssh

I tried as said above (adding routeback to my eth0 and modifying the DNAT rule as above) but still no go... Any hint?

_________________________________________________
Andrea Fastame
Technical Manager
email: a.fastame@daxo.it
Via dei Ramai, 1/11 - 57121 Livorno, Italy
Office: +39 0586 427010  fax +39 0586 443245
web site: www.daxo.it
_________________________________________________

David Mohr wrote:
> Hi Andrea,
> not totally sure on this, but it should work:
<...cut...>
> I think you might want to specify the 'routeback' option here, because
> the traffic is leaving the same interface that it arrived on.
>
> ~David
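A small lint for the rules files posted in this thread, added here as an example (it is not code from the thread or from the Shorewall project). It assumes the Shorewall 3.x column layout shown above (ACTION SOURCE DEST PROTO DEST-PORT), takes the firewall's own addresses from the posted interfaces file, and embeds the revised rules and interfaces files as a constructed sample; it reports a DNAT whose target is one of the firewall's own addresses and a same-zone DNAT on an interface without 'routeback'.

```python
# Added example, not from the thread or from Shorewall: lint DNAT rules in
# the Shorewall 3.x column layout shown above.  Flags (1) a DNAT target that
# is one of the firewall's own addresses (the packet is rewritten to the
# firewall and never forwarded) and (2) a same-zone DNAT whose interface
# lacks the 'routeback' option (David's point).
LOCAL_ADDRS = {"10.0.100.5", "13.0.0.2"}   # from the thread's interfaces file

# Constructed sample: the revised rules and interfaces files from the thread.
RULES = """\
#ACTION SOURCE          DEST          PROTO DEST
SECTION NEW
DNAT    net:10.0.100.5  net:13.0.0.2  tcp   3030
ACCEPT  net             fw            tcp   http
"""
INTERFACES = """\
#ZONE INTERFACE BROADCAST OPTIONS
fw    firewall
net   eth0      detect    routeback
"""

def parse_columns(text):
    # Whitespace-separated columns of each non-comment, non-empty line.
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()

def routeback_zones(interfaces_text):
    # Zones whose interface line carries 'routeback' in its OPTIONS column.
    return {c[0] for c in parse_columns(interfaces_text)
            if len(c) >= 4 and "routeback" in c[3].split(",")}

def split_zone(spec):
    # 'net:13.0.0.2:3030' -> ('net', '13.0.0.2'); plain 'net' -> ('net', None)
    zone, _, rest = spec.partition(":")
    return zone, (rest.split(":")[0] or None)

def check_dnat(rules_text, interfaces_text, local_addrs=LOCAL_ADDRS):
    # Return human-readable findings for every DNAT rule in rules_text.
    findings, rb = [], routeback_zones(interfaces_text)
    for c in parse_columns(rules_text):
        if c[0] != "DNAT" or len(c) < 5:
            continue
        _, src, dst, proto, port = c[:5]
        szone, _ = split_zone(src)
        dzone, daddr = split_zone(dst)
        if daddr in local_addrs:
            findings.append(f"{proto}/{port}: DNAT target {daddr} is a "
                            "firewall address, so nothing is forwarded")
        if szone == dzone and szone not in rb:
            findings.append(f"{proto}/{port}: DNAT {szone}->{dzone} needs "
                            f"'routeback' on the {szone} interface")
    return findings
```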