Hello,

We are using several DNAT rules for incoming traffic to our network, and several more MASQ rules for outgoing traffic. Now, I have a request for a mechanical controls system which needs a DNAT for a single UDP port, but also needs a MASQ rule for accessing web traffic. The machine will be a private IP inside our LAN, routed by our Cisco router to the firewall running shorewall.

ie:

I have this in rules:

DNAT net sls:10.2.251.10:21068 udp 21068 - x.x.x.x
(x.x.x.x = firewall eth1 address)

and this in masq:
eth1 $VLAN251 64.251.72.14

I'm guessing this won't work. Is there another way to achieve this without adding another external IP to the firewall?

shorewall version 2.2.0 (I know, it's old)

two nics as follows:

eth1 (net) <-> [fw] <-> eth0 (int) <-> [Cisco] <-> local 10.x.x.x subnets

both eth1 and eth0 are on public routable networks, everything behind the Cisco is private.

Thanks.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Shawn Wright wrote:
> Hello,

Hello Shawn. Haven't heard from you in quite a while.

> We are using several DNAT rules for incoming traffic to our network, and several
> more MASQ rules for outgoing traffic. Now, I have a request for a mechanical
> controls system which needs a DNAT for a single UDP port, but also needs a
> MASQ rule for accessing web traffic. The machine will be a private IP inside our
> LAN, routed by our Cisco router to the firewall running shorewall.
>
> ie:
>
> I have this in rules:
>
> DNAT net sls:10.2.251.10:21068 udp 21068 - x.x.x.x
> (x.x.x.x = firewall eth1 address)

So let's see if I understand the problem. You want to:

a) Forward UDP port 21068 to 10.2.251.10; and
b) You want to masquerade 10.2.241.10 to the internet.

If that's correct, then we need to know:

a) Does the Shorewall box have a route to 10.2.243.10 via the Cisco?
b) Is the Cisco doing any form of NAT on behalf of 10.2.251.10?

I assume that the firewall has a route via the Cisco for the 10.2.254.10/xx network?

> and this in masq:
> eth1 $VLAN251 64.251.72.14
>
> I'm guessing this won't work.

Without knowing what the contents of $VLAN251 are, we have no way of telling.

> Is there another way to achieve this without adding
> another external IP to the firewall?

If the Shorewall box has a route to 10.2.254.10 via the cisco and $VLAN251 includes 10.2.254.10, and if 10.2.254.10 has a default route through the cisco and if the cisco has a default route through the Shorewall box then it should work with the rules that you have.

I suggest that you read http://www.shorewall.net/Multiple_Zones.html since it covers your network topology.

> shorewall version 2.2.0 (I know, it's old)

Old! That ancient thing went out of support between Thanksgiving day and Christmas in 2005! Given that is the case, I don't know how much help we (or the current Shorewall documents) will be.

> two nics as follows:
>
> eth1 (net) <-> [fw] <-> eth0 (int) <-> [Cisco] <-> local 10.x.x.x subnets
>
> both eth1 and eth0 are on public routable networks, everything behind the Cisco
> is private.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
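One of the conditions Tom lists is purely a configuration question: the host named in the DNAT rule has to fall inside the SOURCE network of a masq entry on the external interface, otherwise its inbound UDP port is forwarded but its outbound web traffic leaves unmasqueraded. The following is an added example, not code from the thread or from the Shorewall project, that parses the three files involved and reports, per DNAT target, which masq address covers it. It assumes the column layouts shown in the thread (rules: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST; masq: INTERFACE SOURCE ADDRESS) and the value of $VLAN251 that Shawn gives later in the thread; the firewall address 203.0.113.1, the second masq line and the second DNAT line are constructed sample input, and the function names are hypothetical.

```python
"""Check that every DNAT target is covered by a masq entry on the external interface.

Added example (not from the thread or the Shorewall project). The file
contents below are constructed sample input modelled on the thread.
"""
import ipaddress
import re

# Constructed sample of the params file; $VLAN251's value is the one given in the thread.
PARAMS = """
VLAN251=10.2.251.0/24
"""

# Constructed sample masq file: INTERFACE SOURCE ADDRESS
MASQ = """
#INTERFACE  SOURCE         ADDRESS
eth1        $VLAN251       64.251.72.14
eth1        10.2.250.0/24  64.251.72.15
"""

# Constructed sample rules file; 203.0.113.1 stands in for the firewall's eth1 address (x.x.x.x).
RULES = """
#ACTION  SOURCE  DEST                    PROTO  DPORT  SPORT  ORIGDEST
DNAT     net     sls:10.2.251.10:21068   udp    21068  -      203.0.113.1
DNAT     net     sls:10.2.252.5          tcp    22     -      203.0.113.1
"""


def _content_lines(text):
    """Yield non-empty lines with comments stripped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_params(text):
    """Parse NAME=value lines into a dict (shell-style params file)."""
    params = {}
    for line in _content_lines(text):
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def expand(token, params):
    """Expand $NAME / ${NAME} references using the params dict."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), token)


def parse_masq(text, params):
    """Parse masq entries into (interface, [networks], address) records."""
    entries = []
    for line in _content_lines(text):
        fields = line.split()
        source = expand(fields[1], params)
        nets = [ipaddress.ip_network(s, strict=False) for s in source.split(",")]
        address = fields[2] if len(fields) > 2 else None
        entries.append({"iface": fields[0], "nets": nets, "address": address})
    return entries


def parse_dnat_targets(text):
    """Return the internal IP address of every DNAT rule (DEST is zone:addr[:port])."""
    targets = []
    for line in _content_lines(text):
        fields = line.split()
        if fields[0] != "DNAT":
            continue
        zone_addr = fields[2].split(":")
        targets.append(ipaddress.ip_address(zone_addr[1]))
    return targets


def masq_address_for(target, masq_entries, ext_iface):
    """Masq ADDRESS that will be applied to traffic from target, or None if uncovered."""
    for entry in masq_entries:
        if entry["iface"] == ext_iface and any(target in net for net in entry["nets"]):
            return entry["address"]
    return None


def check(rules_text, masq_text, params_text, ext_iface="eth1"):
    """Map each DNAT target to the masq address covering it (None = not masqueraded)."""
    masq = parse_masq(masq_text, parse_params(params_text))
    return {str(t): masq_address_for(t, masq, ext_iface)
            for t in parse_dnat_targets(rules_text)}


if __name__ == "__main__":
    for host, addr in check(RULES, MASQ, PARAMS).items():
        print(f"{host}: {'masqueraded as ' + addr if addr else 'NOT covered by any masq entry'}")
```

The check reports 10.2.251.10 as covered by the 64.251.72.14 entry and flags 10.2.252.5 as uncovered. It only verifies the file-level condition; the other conditions in Tom's reply (the firewall's route to the host via the Cisco, the host's and the Cisco's default routes, and the Cisco not doing NAT) are routing-state questions that have to be confirmed on the boxes themselves.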
On 13 Feb 2008 at 15:52, Tom Eastep wrote:
> Shawn Wright wrote:
> > Hello,
>
> Hello Shawn.
>
> Haven't heard from you in quite a while.

Hi Tom, yes, it's been a while. Shorewall works so well I haven't needed to check in much. :-)

> So let's see if I understand the problem.
>
> You want to:
>
> a) Forward UDP port 21068 to 10.2.251.10; and
> b) You want to masquerade 10.2.241.10 to the internet.

Yes.

> If that's correct, then we need to know:
>
> a) Does the Shorewall box have a route to 10.2.243.10 via the Cisco?

Yes.

> b) Is the Cisco doing any form of NAT on behalf of 10.2.251.10?

No.

> I assume that the firewall has a route via the Cisco for the 10.2.254.10/xx
> network?
>
> > and this in masq:
> > eth1 $VLAN251 64.251.72.14
> >
> > I'm guessing this won't work.
>
> Without knowing what the contents of $VLAN251 are, we have no way of telling.

Sorry, $VLAN251 contains 10.2.251.0/24

> > Is there another way to achieve this without adding
> > another external IP to the firewall?
>
> If the Shorewall box has a route to 10.2.254.10 via the cisco and $VLAN251
> includes 10.2.254.10, and if 10.2.254.10 has a default route through the
> cisco and if the cisco has a default route through the Shorewall box then
> it should work with the rules that you have.

Great! I have since discovered something else is not working as it should, as I've duplicated a similar VLAN config, and am getting different results. I will sort that out before attempting to fix the shorewall issue, since it sounds like it should work as I need it to.

> I suggest that you read http://www.shorewall.net/Multiple_Zones.html since
> it covers your network topology.
>
> > shorewall version 2.2.0 (I know, it's old)
>
> Old! That ancient thing went out of support between Thanksgiving day and
> Christmas in 2005! Given that is the case, I don't know how much help we (or
> the current Shorewall documents) will be.

I was reading the 2.x docs, and they are still pretty good, but I hadn't seen the other one on multiple zones. I am planning to upgrade soon, I swear. I just have about 6 other servers that need to be done first...

Thanks for the help!

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca