Subject: [Shorewall-users] DNAT / Live IP Translation
From: Marcus Limosani
Sent: 30 July 2009 12:20

Hi,

I am wondering if I can accomplish the following configuration behind my Shorewall system.

I have a subnet of 8 IPs which I have translated through Shorewall to local IP addresses in my network fine.

I now have the issue where I MUST run a live IP on a virtual box I am configuring.

Can I set up a Shorewall policy or rules to allow this to happen in my present configuration?

My Shorewall box has 2 LAN cards, 1 local and 1 for DSL.

In a pinch, I could put another NIC in and use VLAN connectivity perhaps?

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
From: Laurent CARON
Sent: Thursday, 30 July 2009 9:42 PM

On 30/07/2009 12:20, Marcus Limosani wrote:
> I now have the issue where I MUST run a live IP on a virtual box I am
> configuring.
>
> Can I set up a Shorewall policy or rules to allow this to happen in my
> present configuration?

Hi,

Would 1:1 NAT be an option?

Laurent
From: Marcus Limosani

I don't think so.

The requirement for the software I want to utilise dictates that the IP address of the system be the real world address.

I have to be able to configure the virtual machine's eth0 as 203.xxx.xxx.xxx and not any of the IPs from a private subnet.

-----Original Message-----
From: Laurent CARON [mailto:lcaron@lncsa.com]
Sent: Thursday, 30 July 2009 9:42 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] DNAT / Live IP Translation

> Would 1:1 NAT be an option?

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
From: Simon Matter

Marcus Limosani wrote:
> I don't think so.
>
> The requirement for the software I want to utilise dictates that the IP
> address of the system be the real world address.
>
> I have to be able to configure the virtual machine's eth0 as
> 203.xxx.xxx.xxx and not any of the IPs from a private subnet.

You may want to use proxyarp then. I think Tom has even made some nice docs about it and it's really the cleanest way to do such things.

Regards,
Simon
From: Simon Hobson
Sent: Thursday, 30 July 2009 11:19 PM

Marcus Limosani wrote:
> The requirement for the software I want to utilise dictates that the
> IP address of the system be the real world address.
>
> I have to be able to configure the virtual machine's eth0 as
> 203.xxx.xxx.xxx and not any of the IPs from a private subnet.

Proxy ARP?

It's how Tom runs his servers, and there's a page about it on the Shorewall site.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
From: Marcus Limosani

Thanks Simon and Simon :)

Many thanks for this, I was able to muddle my way through it and get it operating as I require. I have access to the IP externally, just one more hurdle.

I cannot get to this IP from within my own network, and am not sure where in Shorewall I need to configure a rule that will route traffic from my internal network of 192.168.0.x to this external IP.

Simon Hobson wrote:
> Proxy ARP?
>
> It's how Tom runs his servers, and there's a page about it on the
> Shorewall site.
From: Tom Eastep

Simon Matter wrote:
>> I have to be able to configure the virtual machine's eth0 as
>> 203.xxx.xxx.xxx and not any of the IPs from a private subnet.
>
> You may want to use proxyarp then. I think Tom has even made some nice
> docs about it and it's really the cleanest way to do such things.

I agree that proxy arp is the way to go. The question of whether another firewall interface is needed depends on whether the local hosts need access to the virtual machine. If so, it will work best if the virtual machine's network interface is connected to a separate firewall interface. If Marcus has a VLAN-capable switch though, there is no need to add another NIC to the firewall; simply use Linux VLAN support on the current local interface. If the local interface is eth1, VLAN support will create eth1.0 and eth1.1 which are separate interfaces as far as Shorewall is concerned.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
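The separate-interface layout Tom describes, written out as an added example. This is not code from the thread or from the Shorewall project; it renders the Shorewall 4.x-era files for a three-zone firewall (net on eth0, loc and dmz on two VLAN sub-interfaces of eth1) and prints the iproute2 commands that create the sub-interfaces. Everything not stated in the thread is an assumption: 203.0.113.10 is a documentation-range placeholder for the elided 203.35.xxx.xxx, VLAN ids 10 and 20 and the zone names are mine, and the files are written under CONFIG_ROOT (default ./shorewall-staging) so they can be reviewed before anything is copied to /etc/shorewall.

```shell
#!/bin/sh
# Added example, not from the Shorewall-users thread or the Shorewall project.
# Builds Tom's "VM on its own firewall interface" layout: a VLAN sub-interface
# per zone on the existing local NIC, and the VM's public address published
# through Shorewall's proxyarp file.
#
# Assumptions (placeholders, not values taken from the thread):
#   PUBLIC_IP   203.0.113.10 stands in for the elided 203.35.xxx.xxx
#   LOC_NET     192.168.0.0/24, firewall at 192.168.0.254 (as in the thread)
#   VLAN id 10 carries loc, VLAN id 20 carries dmz; eth0 faces the DSL link
#   CONFIG_ROOT staging directory so nothing is written to /etc by accident
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
LOC_NET="${LOC_NET:-192.168.0.0/24}"
FW_LOC_IP="${FW_LOC_IP:-192.168.0.254/24}"
EXT_IF="${EXT_IF:-eth0}"
LOC_IF="${LOC_IF:-eth1.10}"
DMZ_IF="${DMZ_IF:-eth1.20}"
CONFIG_ROOT="${CONFIG_ROOT:-./shorewall-staging}"

# Print (do not run) the commands that create the two VLAN sub-interfaces.
# The switch port towards the firewall must carry both VLANs tagged.
vlan_commands() {
    parent="${LOC_IF%.*}"
    cat <<EOF
ip link add link ${parent} name ${LOC_IF} type vlan id ${LOC_IF##*.}
ip link add link ${parent} name ${DMZ_IF} type vlan id ${DMZ_IF##*.}
ip addr add ${FW_LOC_IP} dev ${LOC_IF}
ip link set ${LOC_IF} up
ip link set ${DMZ_IF} up
EOF
}

# Render the Shorewall files under CONFIG_ROOT and print the directory.
render_config() {
    dir="${CONFIG_ROOT}/etc/shorewall"
    mkdir -p "$dir"
    cat >"$dir/zones" <<EOF
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
EOF
    cat >"$dir/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ${EXT_IF}   detect      tcpflags,nosmurfs
loc     ${LOC_IF}   detect      tcpflags,nosmurfs
dmz     ${DMZ_IF}   detect      tcpflags,nosmurfs
EOF
    # HAVEROUTE=No: Shorewall itself adds the host route to the VM via DMZ_IF
    # and enables proxy ARP on EXT_IF, so the DSL router resolves the VM's
    # address to the firewall's MAC. The VM keeps PUBLIC_IP, the external
    # segment's netmask and the ISP router as its default gateway.
    cat >"$dir/proxyarp" <<EOF
#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE
${PUBLIC_IP}    ${DMZ_IF}   ${EXT_IF}   No
EOF
    # Masquerade only the private LAN. A wider SOURCE would also rewrite the
    # VM's public source address on its way out and break the proxy ARP setup.
    cat >"$dir/masq" <<EOF
#INTERFACE  SOURCE
${EXT_IF}   ${LOC_NET}
EOF
    # loc->dmz enters on LOC_IF and leaves on DMZ_IF, a normal forward: no
    # routeback and no hairpin masquerading are needed for the LAN to reach
    # the VM. Traffic from net falls through to DROP unless a rule allows it.
    cat >"$dir/policy" <<EOF
#SOURCE DEST    POLICY  LOG_LEVEL
\$FW     all     ACCEPT
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
    # Only the services the thread lists as exposed (web, mail, FTP control;
    # FTP data needs the ftp conntrack helper loaded on the firewall).
    cat >"$dir/rules" <<EOF
#ACTION SOURCE  DEST    PROTO   DEST_PORT
ACCEPT  net     dmz     tcp     80,443
ACCEPT  net     dmz     tcp     25
ACCEPT  net     dmz     tcp     21
ACCEPT  loc     dmz     icmp    8
EOF
    echo "$dir"
}

# Sanity check before copying to /etc: proxy ARP only makes sense for a
# public address, and the dmz interface must actually be declared.
check_config() {
    dir="$1"
    addr=$(awk '!/^#/ && NF { print $1; exit }' "$dir/proxyarp")
    case "$addr" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo "proxyarp address $addr is private; expected a public address" >&2
            return 1 ;;
    esac
    grep -q '^dmz' "$dir/interfaces" || { echo "dmz interface missing" >&2; return 1; }
    return 0
}

if [ "${1:-}" = "render" ]; then
    dir=$(render_config) && check_config "$dir" && vlan_commands
fi
```

Invoked with the argument render, the script stages the files and prints the VLAN commands; compare the staged files against the live /etc/shorewall before copying them in, and bring the VLAN sub-interfaces up before restarting Shorewall so that "detect" has an interface to look at. With this layout the LAN reaches the VM as an ordinary loc-to-dmz forward, which is why Tom says the routeback workaround is not needed when the VM has its own interface.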
From: Simon Matter
Sent: Saturday, 1 August 2009 12:01 AM

Marcus Limosani wrote:
> I cannot get to this IP from within my own network, and am not sure where
> in Shorewall I need to configure a rule that will route traffic from my
> internal network of 192.168.0.x to this external IP.

You should tell us exactly what you did and what didn't work for you. At least to me that's not clear enough to say anything.

Simon
From: Tom Eastep

Marcus Limosani wrote:
> I cannot get to this IP from within my own network, and am not sure
> where in Shorewall I need to configure a rule that will route traffic
> from my internal network of 192.168.0.x to this external IP.

That's why I recommended that you put the virtual machine on another firewall interface. What you have now, with both public and private addresses on your internal LAN, is a hack. You can make it work, somewhat, by adding the 'routeback' option to your firewall's internal interface in /etc/shorewall/interfaces. But that isn't a very good solution...

-Tom
From: Marcus Limosani

Well, I have been able to set up a virtual hosting box on 203.35.xxx.xxx.

It is visible from the outside world no problem. Web, email, FTP etc. all respond as expected, and other ports are blocked, as expected.

I run my network internally as 192.168.0.x; my firewall box is running as 192.168.0.254.

If I try to connect to the 203.35.xxx.xxx system, I have no route to host from the internal network. The firewall PC does however see those resources.

A tracert from a PC on the internal network reports 'Destination protocol unreachable'.

I can't ping it, telnet to it on running services etc. :(

Simon Matter wrote:
> You should tell us exactly what you did and what didn't work for you. At
> least to me that's not clear enough to say anything.
From: Marcus Limosani

While watching dmesg connections, I see the following REJECT message:

Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.0.x DST=203.xx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=19417 DF PROTO=TCP SPT=63918 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

As I put Google to work, I see this commonly referred to as Shorewall FAQ #2a.

Following the guidelines here, I have been able to implement a rule via masquerading the internal network.

Thanks for the support and responses.
From: Simon Matter
Sent: Saturday, 1 August 2009 7:52 PM

Marcus Limosani wrote:
> Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.0.x DST=203.xx.xx.xx
> LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=19417 DF PROTO=TCP SPT=63918 DPT=80
> WINDOW=8192 RES=0x00 SYN URGP=0
>
> Following the guidelines here, I have been able to implement a rule via
> masquerading the internal network.

To me it looks like a hack. I think what Tom told you, using the 'routeback' interface option, was a better solution if you have both the 192.168.0.x and the proxyarped address on the same interface. However, a much cleaner way would be to add another interface to the box and put the proxyarped host there.

Simon
From: Marcus Limosani

It was actually the enabling of the routeback option on eth1 that fixed it. The rule didn't do anything :)

Simon Matter wrote:
> To me it looks like a hack. I think what Tom told you, using the
> 'routeback' interface option, was a better solution if you have both the
> 192.168.0.x and the proxyarped address on the same interface. However, a
> much cleaner way would be to add another interface to the box and put the
> proxyarped host there.