Simple Network

eth0: NET (12.12.13.1/27)
eth1: LOC (192.168.1.1/24)

The Net has 4 PCs and 1 Asterisk box. Asterisk is on 192.168.1.2. I have configured it for 1:1 NAT to the outside. This appears to work, but I have trouble if the firewall reboots: I *MUST* reboot the Asterisk box in order for it to re-establish connections. If I do not do the reboot, then inbound traffic never makes it past the NAT, and neither does outbound.

According to the docs, I may need to exclude 192.168.1.2 from the masq, but when I modified it to exclude that one IP, things seemed worse.

Any help would be appreciated.

I am using Shorewall 4.2.10 on CentOS 5.3.
Kernel 2.6.18-128.2.1.el5
iptables v1.3.5

#/etc/shorewall/nat
#EXTERNAL     INTERFACE   INTERNAL      ALL INTERFACES   LOCAL
12.12.13.2    eth0        192.168.1.2   no               no
#LAST LINE /etc/shorewall/nat

#/etc/shorewall/masq
#INTERFACE    SOURCE      ADDRESS
eth0          eth1
#LAST LINE /etc/shorewall/masq

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Extended Connection Tracking Match Support: Not available
   Old Connection Tracking Match Syntax: Not available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   Physdev-is-bridged Support: Available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Not available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Not available
   MARK Target: Available
   Extended MARK Target: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available
   NFQUEUE Target: Available
   Realm Match: Available
   Helper Match: Available
   Connlimit Match: Not available
   Time Match: Not available
   Goto Support: Available

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
Red Baron wrote:
> Simple Network
>
> eth0: NET (12.12.13.1/27)
> eth1: LOC (192.168.1.1/24)
>
> The Net has 4 PCs and 1 Asterisk box. Asterisk is on 192.168.1.2. I
> have configured it for 1:1 NAT to the outside. This appears to work, but
> I have trouble if the firewall reboots: I *MUST* reboot the Asterisk
> box in order for it to re-establish connections. If I do not do the
> reboot, then inbound traffic never makes it past the NAT, and neither
> does outbound.
>
> According to the docs, I may need to exclude 192.168.1.2 from the masq,
> but when I modified it to exclude that one IP, things seemed worse.

One-to-one NAT takes precedence over masq; there is no need to omit the address from masq.

> Any help would be appreciated.

You don't say which distribution you are using so I can't give you specifics, but you might try the following:

a) Install the conntrack package (on Debian, it provides /usr/sbin/conntrack); and

b) Use the "-p" option when starting Shorewall at boot. You will need to modify /etc/init.d/shorewall to do that (the "-p" should appear after "start").

HTH,
-Tom
-- 
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
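The reason the "-p" (purge conntrack) suggestion above matters is that netfilter decides a flow's NAT mapping on its first packet and keeps it for the life of the conntrack entry. Flows that the Asterisk box keeps alive while the firewall is coming back up get entries without the 1:1 translation, and those entries then survive the Shorewall start. The following script is an added example, not from the thread or from Shorewall: it parses constructed "conntrack -L" style lines, picks out the flows for the internal host whose reply tuple still points at the private address (no SNAT applied), and prints the "conntrack -D" commands that would remove only those entries. The addresses are the ones from the thread; the sample entries are made up.

```shell
#!/bin/sh
# Added example (not part of the Shorewall thread): find conntrack entries for
# a 1:1 NATed host that were created without the translation, and build the
# per-flow purge commands. Nothing is executed against the kernel here.

# Internal host that should be 1:1 NATed to 12.12.13.2 (addresses from the thread).
INTERNAL=192.168.1.2

# Constructed sample of "conntrack -L" output (not captured from a real box):
#  line 1: correctly translated TCP flow (reply tuple targets the public address)
#  line 2: untranslated UDP SIP flow (reply tuple targets the private address)
#  line 3: a different host, must be ignored
#  line 4: untranslated TCP flow
SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=198.51.100.10 sport=5060 dport=5060 src=198.51.100.10 dst=12.12.13.2 sport=5060 dport=5060 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.2 dst=198.51.100.10 sport=5060 dport=5060 src=198.51.100.10 dst=192.168.1.2 sport=5060 dport=5060 mark=0 use=1
tcp      6 100 ESTABLISHED src=192.168.1.3 dst=198.51.100.20 sport=40000 dport=80 src=198.51.100.20 dst=12.12.13.1 sport=80 dport=40000 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=192.168.1.2 dst=198.51.100.30 sport=44000 dport=443 src=198.51.100.30 dst=192.168.1.2 sport=443 dport=44000 [ASSURED] mark=0 use=1'

# untranslated_flows HOST  (conntrack listing on stdin)
# Prints every entry whose original source is HOST and whose reply destination
# is still HOST: the first "src=" is the original tuple, the second "dst=" is
# the reply tuple, and with SNAT in place the reply dst would be the public IP.
untranslated_flows() {
    awk -v host="$1" '
    {
        nsrc = 0; ndst = 0; osrc = ""; rdst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { nsrc++; if (nsrc == 1) osrc = substr($i, 5) }
            if ($i ~ /^dst=/) { ndst++; if (ndst == 2) rdst = substr($i, 5) }
        }
        if (osrc == host && rdst == host) print
    }'
}

# purge_commands HOST  (conntrack listing on stdin)
# Emits one "conntrack -D" per untranslated flow, keyed on protocol and the
# original tuple, so only the broken entries would be removed rather than the
# whole table (which is what "shorewall start -p" does).
purge_commands() {
    untranslated_flows "$1" | awk '
    {
        ns = 0; nd = 0; nsp = 0; ndp = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)   { ns++;  if (ns == 1)  src = substr($i, 5) }
            if ($i ~ /^dst=/)   { nd++;  if (nd == 1)  dst = substr($i, 5) }
            if ($i ~ /^sport=/) { nsp++; if (nsp == 1) sp  = substr($i, 7) }
            if ($i ~ /^dport=/) { ndp++; if (ndp == 1) dp  = substr($i, 7) }
        }
        printf "conntrack -D -p %s -s %s -d %s --sport %s --dport %s\n", $1, src, dst, sp, dp
    }'
}

# Stand-alone run over the constructed sample. On a live firewall, replace
# the printf with: conntrack -L 2>/dev/null
printf '%s\n' "$SAMPLE" | untranslated_flows "$INTERNAL"
printf '%s\n' "$SAMPLE" | purge_commands "$INTERNAL"
```

Running it lists the two untranslated entries and prints the matching delete commands; a flow whose reply tuple already carries 12.12.13.2 is left alone. The point the thread makes stands either way: as long as stale entries exist, neither direction of the Asterisk traffic is translated, and purging the table at Shorewall start (or, more narrowly, the affected flows) is what lets the box re-establish without a reboot.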
CentOS 5.3. Got lost in my ramblings, I guess. I believe it uses conntrack.

On 10/1/09, Tom Eastep <teastep@shorewall.net> wrote:
> Red Baron wrote:
>> Simple Network
>>
>> eth0: NET (12.12.13.1/27)
>> eth1: LOC (192.168.1.1/24)
>>
>> The Net has 4 PCs and 1 Asterisk box. Asterisk is on 192.168.1.2. I
>> have configured it for 1:1 NAT to the outside. This appears to work, but
>> I have trouble if the firewall reboots: I *MUST* reboot the Asterisk
>> box in order for it to re-establish connections. If I do not do the
>> reboot, then inbound traffic never makes it past the NAT, and neither
>> does outbound.
>>
>> According to the docs, I may need to exclude 192.168.1.2 from the masq,
>> but when I modified it to exclude that one IP, things seemed worse.
>
> One-to-one NAT takes precedence over masq; there is no need to omit the
> address from masq.
>
>> Any help would be appreciated.
>
> You don't say which distribution you are using so I can't give you
> specifics, but you might try the following:
>
> a) Install the conntrack package (on Debian, it provides
> /usr/sbin/conntrack); and
>
> b) Use the "-p" option when starting Shorewall at boot. You will need to
> modify /etc/init.d/shorewall to do that (the "-p" should appear after
> "start").
>
> HTH,
> -Tom
> -- 
> Tom Eastep          \ When I die, I want to go like my Grandfather who
> Shoreline,           \ died peacefully in his sleep. Not screaming like
> Washington, USA       \ all of the passengers in his car
> http://shorewall.net   \________________________________________________
>

-- 
Sent from my mobile device