Hi,

can anybody help me translate this iptables rule to a shorewall rule :

iptables -t nat -A POSTROUTING -s GUEST_IP -j SNAT --to-source HOST_IP

Host ip = xx.xx.xx.xx, guest ip subnet is yy.yy.yy.yy/255.255.255.0

Thanks in advance.

--
mess-mate

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
mess-mate wrote:
> Hi,
>
> can anybody help me translate this iptables rule to a shorewall rule :
>
> iptables -t nat -A POSTROUTING -s GUEST_IP -j SNAT --to-source HOST_IP
>
> Host ip = xx.xx.xx.xx, guest ip subnet is yy.yy.yy.yy/255.255.255.0

What problem are you trying to solve? I would be surprised if you don't already have an entry in /etc/shorewall/masq that does what you want.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> mess-mate wrote:
>> Hi,
>>
>> can anybody help me translate this iptables rule to a shorewall rule :
>>
>> iptables -t nat -A POSTROUTING -s GUEST_IP -j SNAT --to-source HOST_IP
>>
>> Host ip = xx.xx.xx.xx, guest ip subnet is yy.yy.yy.yy/255.255.255.0
>
> What problem are you trying to solve? I would be surprised if you
> don't already have an entry in /etc/shorewall/masq that does what you
> want.
>
> -Tom

Thanks for the reply. I'm very new to shorewall, and the same goes for iptables :(

What I try to solve is this: I've a server to act as a webserver, and for security I want to isolate the webserver part from the rest of the machine. So I installed in the DMZ machine (as host) a linux-vserver, the guest, but you already know that. So the guest and the host have to use the same interface: eth1.

I solved the routing problem on the router (which is also a firewall (shorewall) and proxy (squid); maybe you remember my previous posts about that :) Now it works great.)

The host also has a shorewall firewall, and when I ping from the router to the guest, shorewall (on the host) rejects it and of course does not route it to the guest, and I can't find why and what to do to resolve it. The "SRC=192.168.20.254" part is from the host (ip 192.168.20.1) and the "DST=192.168.30.1" part is the ip of the guest.

I can ping from the host and the guest to the router, but I can not reach the net from the guest.
Here is the 'ip route ls' from the host:

192.168.20.0/24 dev eth1 proto kernel scope link src 192.168.20.1
192.168.30.0/24 dev eth1 proto kernel scope link src 192.168.30.1
default via 192.168.20.254 dev eth1

and from the guest:

192.168.20.0/24 dev eth1 proto kernel scope link src 192.168.20.1
192.168.30.0/24 dev eth1 proto kernel scope link src 192.168.30.1
default via 192.168.20.254 dev eth1

Best regards
mess-mate
mess-mate wrote:
> Tom Eastep wrote:
>
>> mess-mate wrote:
>>> Hi,
>>>
>>> can anybody help me translate this iptables rule to a shorewall rule :
>>>
>>> iptables -t nat -A POSTROUTING -s GUEST_IP -j SNAT --to-source HOST_IP
>>>
>>> Host ip = xx.xx.xx.xx, guest ip subnet is yy.yy.yy.yy/255.255.255.0
>>
>> What problem are you trying to solve? I would be surprised if you
>> don't already have an entry in /etc/shorewall/masq that does what you
>> want.
>>
>> -Tom
>>
> Thanks for the reply. I'm very new to shorewall, and the same goes for iptables :(
> What I try to solve is this:

<Mostly useless information deleted>

Mess-mate,

Please follow the advice that Martin Leben has already given you and go to http://www.shorewall.net/support.htm#Guidelines and follow the instructions for submitting a useful problem report.

Without knowing what your configuration really looks like, we would just be guessing about what is wrong and how to correct it.

But here are a couple of tips:

a) Be sure that IP_FORWARDING=Yes in shorewall.conf
b) Be sure that there is an entry for your DMZ in /etc/shorewall/masq.
c) Be sure that you have the required DNAT rule(s) in place to allow your webserver to be accessed from the net (note: you will _not_ be able to ping your webserver from the net).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
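The three tips above, together with a /etc/shorewall/masq translation of the SNAT command from the original question, written out as Shorewall file fragments. This is an added example, not configuration from the thread or from the Shorewall project: the addresses are the ones given in the thread, the router's Internet-facing interface name (ppp0) is an assumption, and the host section accepts pings from the router in the same way as the Ping/ACCEPT rule that appears later in this thread.

```conf
# Added example, not from the thread or the Shorewall project. Shorewall file
# fragments for the two-firewall layout discussed here. Addresses come from
# the thread; the router interface name ppp0 is an assumption.

############################################################################
# Router (machine 1): /etc/shorewall/shorewall.conf
############################################################################
IP_FORWARDING=Yes          # tip (a): packets must be forwarded between zones

############################################################################
# Router: /etc/shorewall/masq  (tip b)
# INTERFACE   SOURCE              ADDRESS
ppp0          192.168.20.0/24     # DMZ network -> Internet, NAT to ppp0's address
ppp0          192.168.30.0/24     # guest network, while it keeps its own subnet

############################################################################
# Router: /etc/shorewall/rules  (tip c)
# ACTION  SOURCE  DEST                  PROTO  DEST PORT(S)
DNAT      net     dmz:192.168.20.1      tcp    80
# When the web server moves into the guest, change the DEST to
# dmz:192.168.30.1. Pings from the net are not forwarded by this rule.

############################################################################
# Vserver host (machine 2)
############################################################################
# /etc/shorewall/zones
# ZONE   TYPE
fw       firewall
dmz      ipv4

# /etc/shorewall/interfaces: one interface carrying both 192.168.20.1 and
# 192.168.30.1. Netfilter treats both as local addresses of this one system,
# so traffic to the guest address is INPUT traffic here, not FORWARD traffic.
# ZONE   INTERFACE   BROADCAST
dmz      eth1        detect

# /etc/shorewall/policy
# SOURCE  DEST  POLICY  LOG LEVEL
$FW       dmz   ACCEPT
dmz       $FW   DROP    info
all       all   REJECT  info

# /etc/shorewall/rules
# ACTION        SOURCE                DEST   PROTO  DEST PORT(S)
ACCEPT          dmz                   $FW    tcp    80       # web server (host now, guest later)
Ping/ACCEPT     dmz:192.168.20.254    $FW                    # let the router ping host and guest

# /etc/shorewall/masq: direct translation of the original question's
#   iptables -t nat -A POSTROUTING -s GUEST_IP -j SNAT --to-source HOST_IP
# Only needed if the guest must appear with the host's address; with the
# router entries above it is not required.
# INTERFACE   SOURCE              ADDRESS
eth1          192.168.30.0/24     192.168.20.1
```

After editing the files, `shorewall check` reports syntax problems without touching the running rule set, and `shorewall restart` loads them; `shorewall dump` then gives the problem-report output that Tom asks for above. Logging the dmz→fw DROP policy at level info is what makes a rejected ping from the router show up in the host's log with its SRC and DST, as happened in this thread.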
Tom Eastep wrote:
> mess-mate wrote:
>> Tom Eastep wrote:
>>
>>> mess-mate wrote:
>>>> Hi,
>>>>
>>>> can anybody help me translate this iptables rule to a shorewall rule :
>>>>
>>>> iptables -t nat -A POSTROUTING -s GUEST_IP -j SNAT --to-source HOST_IP
>>>>
>>>> Host ip = xx.xx.xx.xx, guest ip subnet is yy.yy.yy.yy/255.255.255.0
>>>
>>> What problem are you trying to solve? I would be surprised if you
>>> don't already have an entry in /etc/shorewall/masq that does what you
>>> want.
>>>
>>> -Tom
>>>
>> Thanks for the reply. I'm very new to shorewall, and the same goes for
>> iptables :(
>> What I try to solve is this:
>
> <Mostly useless information deleted>
>
> Mess-mate,
>
> Please follow the advice that Martin Leben has already given you and
> go to http://www.shorewall.net/support.htm#Guidelines and follow the
> instructions for submitting a useful problem report.
>
> Without knowing what your configuration really looks like, we would
> just be guessing about what is wrong and how to correct it.
>
> But here are a couple of tips:
>
> a) Be sure that IP_FORWARDING=Yes in shorewall.conf
> b) Be sure that there is an entry for your DMZ in /etc/shorewall/masq.
> c) Be sure that you have the required DNAT rule(s) in place to allow
> your webserver to be accessed from the net (note: you will _not_ be
> able to ping your webserver from the net).
>
> -Tom

Hi,

attached the status.txt.

a) it is
b) the machine is located in the dmz zone and is running very well without any entry in /etc/shorewall/masq, for now
c) no nat rules. The DNAT rule is given in the router machine and redirects to my website, actually on the host:

DNAT $FW dmz:192.168.20.1 tcp 80 - $ETH0_IP

And I want my website in the vserver's guest, so dmz:192.168.20.1 shall become dmz:192.168.30.1 in the future when my problem is solved.

I consulted the guidelines, support and many others before asking for help, but nothing about this situation.
There is no firewall on the guest.

Hope I clarify a little bit more :(

internet | modem | ppp0 | machine 2 (dmz zone) machine 1 --------------------------------------------------------------| ------------- | eth2 -----------------------------| | |router | -------------> | server (host) --> | vserver (guest) | | | eth0 | | 192.168.20.1 | 192.168.30.1 | | ------------- | firewall | no firewall | | | | -----------------------------| | | ---------------------------------------------------------------| | loc (eth1) lan machines

best regards
Please post your diagram again -- this time, use a text editor to draw it and attach it as a text attachment. We couldn't make any sense out of your last diagram because it was turned into nonsense by your mailer.

mess-mate wrote:
> Hi,
> attached the status.txt.
> a) it is
> b) the machine is located in the dmz zone and is running very well
> without any entry in /etc/shorewall/masq, for now

You have chosen the name 'dmz' for the _only_ zone that this system interfaces to. But from the point of view of Netfilter (and Shorewall), this is just a standalone system with two IP addresses on its network interface. The fact that one of those addresses belongs to a Vserver guest is immaterial in so far as Shorewall is concerned.

> c) no nat rules. The DNAT rule is given in the router machine and
> redirects to my website, actually on the host.

So in other words, you have TWO systems running Shorewall?

> DNAT $FW dmz:192.168.20.1 tcp 80 - $ETH0_IP
> And I want my website in the vserver's guest, so dmz:192.168.20.1 shall
> become dmz:192.168.30.1 in the future when my problem is solved.

So, if you "shorewall clear" on the Vserver host, does everything start working perfectly?

> Hope I clarify a little bit more :(

Not really.

If you have two Shorewall configurations, please collect a dump from both and describe exactly what doesn't work.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>
> If you have two Shorewall configurations, please collect a dump from
> both and describe exactly what doesn't work.

I can see from the dump that ping from 192.168.20.254 is being rejected. That is because you are not accepting ping from that IP address; for some reason, you are allowing ping requests only from 192.168.10.2, .4 or .6.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Please post your diagram again -- this time, use a text editor to draw
> it and attach it as a text attachment. We couldn't make any sense out
> of your last diagram because it was turned into nonsense by your mailer.
>
> mess-mate wrote:
>> Hi,
>> attached the status.txt.
>> a) it is
>> b) the machine is located in the dmz zone and is running very well
>> without any entry in /etc/shorewall/masq, for now
>
> You have chosen the name 'dmz' for the _only_ zone that this system
> interfaces to. But from the point of view of Netfilter (and
> Shorewall), this is just a standalone system with two IP addresses on
> its network interface. The fact that one of those addresses belongs to
> a Vserver guest is immaterial in so far as Shorewall is concerned.
>
>> c) no nat rules. The DNAT rule is given in the router machine and
>> redirects to my website, actually on the host.
>
> So in other words, you have TWO systems running Shorewall?
>
>> DNAT $FW dmz:192.168.20.1 tcp 80 - $ETH0_IP
>> And I want my website in the vserver's guest, so dmz:192.168.20.1 shall
>> become dmz:192.168.30.1 in the future when my problem is solved.
>
> So, if you "shorewall clear" on the Vserver host, does everything
> start working perfectly?
>
>> Hope I clarify a little bit more :(
>
> Not really.
>
> If you have two Shorewall configurations, please collect a dump from
> both and describe exactly what doesn't work.
>
> -Tom

Here is:
- a shorewall dump from the router: status-router.txt
- a diagram : diagram-lan.txt

The answer for your last question (So, if you "shorewall clear" on the Vserver host, does everything start working perfectly?) is no. This is why I add a shorewall dump of the router machine.

I can't access the internet from my vserver-guest.
I can ping from the router to the vserver-guest and vice-versa.

mess-mate
snip..

I've found this about vserver host/guest iptables.
http://www.unixshell.com/wiki/index.php/Creating_and_using_vserver_virtual_servers

mess-mate
mess-mate wrote:
> Here is:
> - a shorewall dump from the router: status-router.txt
> - a diagram : diagram-lan.txt
> The answer for your last question (So, if you "shorewall clear" on the
> Vserver host, does everything start working perfectly?) is no. This is
> why I add a shorewall dump of the router machine.
> I can't access the internet from my vserver-guest
> I can ping from the router to the vserver-guest and vice-versa.

Two questions:

a) What possible reason would you have for placing the vserver guest in an IP network different from the host? That seems like a strategy designed to confuse you and keep things from working.

b) What default gateway have you defined for the vserver guest? Better yet, what is the output of "ip route ls" on that "system".

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
mess-mate wrote:
> snip..
>
> I've found this about vserver host/guest iptables.
> http://www.unixshell.com/wiki/index.php/Creating_and_using_vserver_virtual_servers
>
> mess-mate

Hi,

You seem to have chosen "Networking Option B" (DNAT) in the guide you mention above. My guess is that you made that choice because in "Networking Option A" it says:

    The first option for networking is for those who want their guests to have external IP addresses. This is ideal for resellers, and is actually the simpler setup. If you decide to use Networking Option A, you must have additional external IP addresses.

... which might have scared you off. But please note that when the guide talks about "external IP addresses" above, they really mean IP addresses that are usable on the physical network of the vserver host. In YOUR case that is NOT "external IP addresses", but rather addresses in the network 192.168.20.0/24.

So, to make a long story short: Choose "Networking Option A" instead. That is MUCH easier to understand, configure and maintain. And I would like to go as far as to say that you shouldn't even try to fix your current setup, unless you do it purely for educational purposes.

Good luck!
/Martin Leben
Tom Eastep wrote:
> mess-mate wrote:
>
>> Here is:
>> - a shorewall dump from the router: status-router.txt
>> - a diagram : diagram-lan.txt
>> The answer for your last question (So, if you "shorewall clear" on the
>> Vserver host, does everything start working perfectly?) is no. This is
>> why I add a shorewall dump of the router machine.
>> I can't access the internet from my vserver-guest
>> I can ping from the router to the vserver-guest and vice-versa.
>
> Two questions:
>
> a) What possible reason would you have for placing the vserver guest
> in an IP network different from the host? That seems like a strategy
> designed to confuse you and keep things from working.
>
> b) What default gateway have you defined for the vserver guest? Better
> yet, what is the output of "ip route ls" on that "system".
>
> -Tom

Attached the ip route ls from the guest.

The reason for a different ip on the guest is to have a better form of isolation than that of chrooting the webserver. The vserver people recommend it and said it works without any problem.

I can now ping from the router when I added this rule to the host:

Ping/ACCEPT dmz:192.168.20.254 $FW

(as you can see in the earlier sent status.txt of the host) and this for ping 192.168.30.1.

mess-mate
mess-mate wrote:
> Tom Eastep wrote:
>
>> mess-mate wrote:
>>
>>> Here is:
>>> - a shorewall dump from the router: status-router.txt
>>> - a diagram : diagram-lan.txt
>>> The answer for your last question (So, if you "shorewall clear" on the
>>> Vserver host, does everything start working perfectly?) is no. This is
>>> why I add a shorewall dump of the router machine.
>>> I can't access the internet from my vserver-guest
>>> I can ping from the router to the vserver-guest and vice-versa.
>>
>> Two questions:
>>
>> a) What possible reason would you have for placing the vserver guest
>> in an IP network different from the host? That seems like a strategy
>> designed to confuse you and keep things from working.
>>
>> b) What default gateway have you defined for the vserver guest? Better
>> yet, what is the output of "ip route ls" on that "system".
>>
>> -Tom
>
> Attached the ip route ls from the guest.
>
> The reason for a different ip on the guest is to have a better form of
> isolation than that of chrooting the webserver.
> The vserver people recommend it and said it works without any problem.
> I can now ping from the router when I added this rule to the host:
> Ping/ACCEPT dmz:192.168.20.254 $FW (as you can see in the
> earlier sent status.txt of the host)
> and this for ping 192.168.30.1.
>
> mess-mate
>
> 192.168.20.0/24 dev eth1 proto kernel scope link src 192.168.20.1
> 192.168.30.0/24 dev eth1 proto kernel scope link src 192.168.30.1
> default via 192.168.20.254 dev eth1

Hi folks,

I can access the internet now since I changed (hard configured) /etc/resolv.conf. Normally in debian /etc/resolv.conf is not to be edited directly because there is a /etc/resolvconf directory which does the job.

But it takes a few seconds to get access, it is not instantaneous as usual, and I don't know what this warning on the router does here:

Apr 17 13:49:45 router kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=86.122.119.233 DST=86.192.36.220 LEN=48 TOS=0x0
Apr 17 13:49:48 router kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=86.122.119.233 DST=86.192.36.220 LEN=48 TOS=0x0

IP 86.192.36.220 is the dynamically allowed ip from my ISP.

mess-mate
mess-mate wrote:
>
> But it takes a few seconds to get access, it is not instantaneous as usual

Sounds like you may still have a DNS problem.

> and I don't know what this warning on the router does here:
>
> Apr 17 13:49:45 router kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC=
> SRC=86.122.119.233 DST=86.192.36.220 LEN=48 TOS=0x0
> Apr 17 13:49:48 router kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC=
> SRC=86.122.119.233 DST=86.192.36.220 LEN=48 TOS=0x0

You have truncated the messages to omit the protocol (and port). Without that information, we can't help you.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key