Hi there.

I've been reading the docs over and over and the understanding of proxyarp escapes me.

I've set up a firewall. I've got 10 external IP addresses and I want for a start to set up the first public IP address to access a server on the inside private network. It's that darn proxyarp that is giving me problems. All else is working.

I fail to understand how a public IP like 93.167.197.51 is associated with my 10.10.10.5 in any way because there's no clear understanding from the config files.

My firewall:
eth0: 93.167.197.50 (net)
eth1: 10.10.10.200 (loc)

Public IP:
93.167.197.51 port 22

Server to connect to:
10.10.10.5 port 22

If someone could provide me with clues or a simple, working example of proxyarp in function, I would be very grateful. :-)

--
Med venlig hilsen/Kind regards

Michael B. Arp Sørensen
Programmer / BOFH

Dansk Minkpapir A/S
Research and Development Lab
Bautavej 1A, indgang C - D
8210 Aarhus V
Denmark

I am /root and if you see me laughing you better have a backup.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
On Tuesday 18 November 2008 08:05, Michael Bernhard Arp Sørensen wrote:
> Hi there.
>
> I've been reading the docs over and over and the understanding of proxyarp
> escapes me.
>
> I've set up a firewall. I've got 10 external IP addresses and I want for a
> start to set up the first public IP address to access a server on the
> inside private network. It's that darn proxyarp that is giving me problems.
> All else is working.
>
> I fail to understand how a public IP like 93.167.197.51 is associated with
> my 10.10.10.5 in any way because there's no clear understanding from the
> config files.
>
> My firewall:
> eth0: 93.167.197.50 (net)
> eth1: 10.10.10.200 (loc)
>
> Public IP:
> 93.167.197.51 port 22
>
> Server to connect to:
> 10.10.10.5 port 22
>
> If someone could provide me with clues or a simple, working example of
> proxyarp in function, I would be very grateful. :-)

Michael

If you use proxy ARP then your server must have the external IP address.

If you wish to leave your server with IP address 10.10.10.5 then use one-to-one NAT instead of proxy ARP.

Steven.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
I am not sure why you want to use proxyarp. Can you explain it to me?

On Tue, Nov 18, 2008 at 11:01 AM, Steven Jan Springl <steven@springl.ukfsn.org> wrote:
> On Tuesday 18 November 2008 08:05, Michael Bernhard Arp Sørensen wrote:
> [quoted message trimmed]
>
> Michael
>
> If you use proxy ARP then your server must have the external IP address.
>
> If you wish to leave your server with IP address 10.10.10.5 then use
> one-to-one NAT instead of proxy ARP.
>
> Steven.
Proxyarp (simplifying) is a way for your firewall to respond on behalf of your public IP addresses (other than the IP on eth0 itself). I.e.: if someone pings 93.167.197.50, your firewall responds. But if someone pings 93.167.197.51, nothing happens.

So, putting 93.167.197.51 in /etc/shorewall/proxyarp will enable your firewall to receive all packets for this IP.

### /etc/shorewall/proxyarp
93.167.197.51 eth1 eth0 no
###

Doing so, you can finally redirect any access to your internal host:

### /etc/shorewall/rules
DNAT net loc:10.10.10.5 tcp ssh - 93.167.197.51
###

SSH to 93.167.197.50 goes to your firewall
SSH to 93.167.197.51 goes to your 10.10.10.5 box

-Gilson Soares

On Tue, Nov 18, 2008 at 06:05, Michael Bernhard Arp Sørensen <mbs@dmplabs.dk> wrote:
> Hi there.
>
> I've been reading the docs over and over and the understanding of proxyarp
> escapes me.
>
> I've set up a firewall. I've got 10 external IP addresses and I want for a
> start to set up the first public IP address to access a server on the inside
> private network. It's that darn proxyarp that is giving me problems. All
> else is working.
>
> I fail to understand how a public IP like 93.167.197.51 is associated with
> my 10.10.10.5 in any way because there's no clear understanding from the
> config files.
>
> My firewall:
> eth0: 93.167.197.50 (net)
> eth1: 10.10.10.200 (loc)
>
> Public IP:
> 93.167.197.51 port 22
>
> Server to connect to:
> 10.10.10.5 port 22
>
> If someone could provide me with clues or a simple, working example of
> proxyarp in function, I would be very grateful. :-)
Gilson, what is the difference when using DNAT instead?

On Wed, Nov 19, 2008 at 10:40 AM, Gilson Soares <gilson.soares@kobold.com.br> wrote:
> Proxyarp (simplifying) is a way for your firewall to respond on behalf of your
> public IP addresses (other than the IP on eth0 itself). I.e.: if someone
> pings 93.167.197.50, your firewall responds. But if someone pings
> 93.167.197.51, nothing happens.
>
> So, putting 93.167.197.51 in /etc/shorewall/proxyarp will enable your
> firewall to receive all packets for this IP.
>
> ### /etc/shorewall/proxyarp
> 93.167.197.51 eth1 eth0 no
> ###
>
> Doing so, you can finally redirect any access to your internal host:
>
> ### /etc/shorewall/rules
> DNAT net loc:10.10.10.5 tcp ssh - 93.167.197.51
> ###
>
> SSH to 93.167.197.50 goes to your firewall
> SSH to 93.167.197.51 goes to your 10.10.10.5 box
>
> -Gilson Soares
>
> On Tue, Nov 18, 2008 at 06:05, Michael Bernhard Arp Sørensen <mbs@dmplabs.dk> wrote:
> [quoted message trimmed]
"Instead" of what? DNAT forwards PORTS (not an entire host) to an internal host. As the Shorewall site states, 99% need just port forwarding; one-to-one NAT is just for special cases (see http://www.shorewall.net/NAT.htm).

Using DNAT with the last two parameters ( - 93.167.197.51 ) only works using that IP in /etc/shorewall/proxyarp.

Gilson Soares

On Wed, Nov 19, 2008 at 11:11, Nico Pagliaro <nicopag@gmail.com> wrote:
> Gilson, what is the difference when using DNAT instead?
>
> On Wed, Nov 19, 2008 at 10:40 AM, Gilson Soares <gilson.soares@kobold.com.br> wrote:
> [quoted message trimmed]
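The thread's answer has three parts: Steven's point that with proxy ARP alone the inside host must itself carry the public address, Gilson's proxyarp entry plus DNAT rule that makes 93.167.197.51 land on 10.10.10.5, and his follow-up that a DNAT rule whose ORIGINAL DEST is not an address the firewall answers ARP for can never match. The script below is an added example (not Shorewall's code and not from any of the posters): it parses the two file fragments Gilson posted, embedded here as constructed strings, prints the iproute2 commands a proxyarp entry amounts to (an assumption about what the kernel needs, not a claim about Shorewall's internals), flags a DNAT rule with an unreachable ORIGINAL DEST, and answers "who handles a packet to this public IP and port?" for the addresses in the thread. The firewall address, the SERVICE_PORTS table and the function names are the example's own.

```python
"""Model and sanity-check the proxyarp + DNAT setup discussed in the thread.

Added example, not Shorewall code. Simplification: a one-to-one NAT entry in
/etc/shorewall/nat would also make an address reachable; that file is not read.
"""
import ipaddress

FIREWALL_EXTERNAL_IP = "93.167.197.50"   # eth0 address from the original post

# Constructed copies of the two fragments Gilson posted.
PROXYARP_FILE = """\
#ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE
93.167.197.51   eth1       eth0      no
"""

RULES_FILE = """\
#ACTION  SOURCE  DEST            PROTO  DPORT  SPORT  ORIGDEST
DNAT     net     loc:10.10.10.5  tcp    ssh    -      93.167.197.51
"""

SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}  # tiny /etc/services stand-in


def _fields(text):
    """Yield the whitespace-split fields of each non-comment, non-empty line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_proxyarp(text):
    """Return {address: {"interface", "external", "haveroute"}}."""
    entries = {}
    for addr, iface, ext, haveroute, *_ in _fields(text):
        ipaddress.ip_address(addr)          # reject malformed addresses early
        entries[addr] = {"interface": iface, "external": ext,
                         "haveroute": haveroute.lower() == "yes"}
    return entries


def parse_dnat_rules(text):
    """Return the DNAT rules as dicts; other actions are skipped."""
    rules = []
    for f in _fields(text):
        if f[0].upper() != "DNAT" or len(f) < 7:
            continue
        _, source, dest, proto, dport, _sport, origdest = f[:7]
        zone, _, target = dest.partition(":")
        port = None if dport == "-" else int(SERVICE_PORTS.get(dport.lower(), dport))
        rules.append({"source": source, "zone": zone, "target": target,
                      "proto": proto.lower(), "dport": port, "origdest": origdest})
    return rules


def kernel_commands(entries):
    """iproute2 equivalent of each entry (assumption: route the address out the
    inside interface, and publish a proxy ARP entry on the external one)."""
    cmds = []
    for addr, e in entries.items():
        if not e["haveroute"]:
            cmds.append(f"ip route replace {addr} dev {e['interface']}")
        cmds.append(f"ip neigh replace proxy {addr} dev {e['external']}")
    return cmds


def check_rules(rules, entries, firewall_ip=FIREWALL_EXTERNAL_IP):
    """Flag DNAT rules whose ORIGINAL DEST the firewall never answers ARP for."""
    problems = []
    for r in rules:
        od = r["origdest"]
        if od not in ("-", firewall_ip) and od not in entries:
            problems.append(f"DNAT to {r['target']}: ORIGINAL DEST {od} is neither the "
                            f"firewall's address nor listed in /etc/shorewall/proxyarp")
    return problems


def who_answers(dst_ip, proto, port, entries, rules, firewall_ip=FIREWALL_EXTERNAL_IP):
    """Where does a packet from the net to dst_ip:port end up?"""
    if dst_ip != firewall_ip and dst_ip not in entries:
        return ("unreachable", "nobody on the segment answers ARP for this address")
    for r in rules:
        if (r["origdest"] == dst_ip and r["proto"] == proto.lower()
                and r["dport"] in (None, int(port))):
            return ("dnat", f"{r['target']}:{port}")
    if dst_ip == firewall_ip:
        return ("firewall", "handled locally, subject to the net->fw policy")
    # Proxy ARP without DNAT: the packet is routed onward, so a host on the
    # inside interface must itself hold the public address (Steven's point).
    return ("forwarded", f"out {entries[dst_ip]['interface']} to whichever host holds {dst_ip}")


if __name__ == "__main__":
    entries = parse_proxyarp(PROXYARP_FILE)
    rules = parse_dnat_rules(RULES_FILE)
    print("\n".join(kernel_commands(entries)))
    for p in check_rules(rules, entries):
        print("WARNING:", p)
    for ip in ("93.167.197.50", "93.167.197.51", "93.167.197.52"):
        print(ip, "tcp/22 ->", who_answers(ip, "tcp", 22, entries, rules))
```

Run as-is it reproduces Gilson's summary: tcp/22 to .50 stays on the firewall, to .51 is DNATed to 10.10.10.5:22, and to .52 (not in proxyarp) gets no ARP reply at all. Delete the proxyarp line and `check_rules` reports the DNAT rule as unreachable, which is the failure his second message describes.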