jamesp@vicidial.com
2010-Feb-19 18:54 UTC
Problem with internal forwards from masqueraded network
Hello. I have some port forwards that work well externally. Since I wanted to be able to use the same domain-name and port combination internally as well as externally I read through and followed the instructions at http://shorewall.net/FAQ.htm#faq2. The problem I am having is some of the forwards work, some don't. They all work externally. Where would I go from here?

My config is as follows:

providers:

knology      1  0x100  main  eth1  111.222.333.9    track,balance=1  vlan1,vlan2,vlan3
brighthouse  2  0x200  main  eth2  111.222.333.145  track,balance=2  vlan1,vlan3

rules:

# External Forwards for the matt-matt dev servers
DNAT  net  vlan1:192.168.198.2:22    tcp  40002
DNAT  net  vlan1:192.168.198.2:3690  tcp  3690
DNAT  net  vlan1:192.168.198.2:3690  tcp  43690
DNAT  net  vlan1:192.168.198.3:80    tcp  40080
DNAT  net  vlan1:192.168.198.3:22    tcp  40003
DNAT  net  vlan1:192.168.198.4:22    tcp  40004
DNAT  net  vlan1:192.168.198.5:22    tcp  40005
DNAT  net  vlan1:192.168.198.5:4569  udp  40569

# Internal forwards for Matt Matt craziness
DNAT  vlan1  vlan1:192.168.198.2:3690  tcp  43690  -  111.222.333.146
DNAT  vlan1  vlan1:192.168.198.2       tcp  3690   -  111.222.333.146
DNAT  vlan1  vlan1:192.168.198.2:22    tcp  40002  -  111.222.333.146
DNAT  vlan1  vlan1:192.168.198.3:22    tcp  40003  -  111.222.333.146
DNAT  vlan1  vlan1:192.168.198.3:80    tcp  40080  -  111.222.333.146
DNAT  vlan1  vlan1:192.168.198.4:22    tcp  40004  -  111.222.333.146
DNAT  vlan1  vlan1:192.168.198.5:22    tcp  40005  -  111.222.333.146
DNAT  vlan1  vlan1:192.168.198.5:4569  udp  40569  -  111.222.333.146

masq:

eth1  10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16  111.222.333.9
eth2  10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16  111.222.333.146
eth1  111.222.333.146  111.222.333.9
eth2  111.222.333.9    111.222.333.146

# oddball from internal to external to internal masquerade crap
vlan1:192.168.198.2  vlan1  192.168.198.1  tcp  43690
vlan1:192.168.198.2  vlan1  192.168.198.1  tcp  3690
vlan1:192.168.198.2  vlan1  192.168.198.1  tcp  40002
vlan1:192.168.198.3  vlan1  192.168.198.1  tcp  40003
vlan1:192.168.198.3  vlan1  192.168.198.1  tcp  40080
vlan1:192.168.198.4  vlan1  192.168.198.1  tcp  40004
vlan1:192.168.198.5  vlan1  192.168.198.1  tcp  40005
vlan1:192.168.198.5  vlan1  192.168.198.1  udp  40569
Tom Eastep
2010-Feb-19 20:54 UTC
Re: Problem with internal forwards from masqueraded network
jamesp@vicidial.com wrote:
> The problem I am having is some of the forwards work, some don't.
> Where would I go from here?
>
> My config is as follows:

From http://www.shorewall.net/support.htm:

Please do not include Shorewall configuration files unless you have been specifically asked to do so. The output of shorewall dump collected as described above is much more useful.

Only thing I can think of is that you are trying to forward ports that are normally in the local range (cat /proc/sys/net/ipv4/ip_local_port_range) which might cause intermittent failure if the port was already in use.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
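A quick way to test the cause Tom points at: list every DNAT rule whose external port falls inside the kernel's ephemeral port range, since the firewall itself may pick such a port for an outbound connection and the forward then fails intermittently. This is an added example, not code from the thread or from Shorewall; it assumes the rules file layout used above (ACTION SOURCE DEST PROTO DPORT) and uses a constructed subset of the poster's rules as sample input.

```shell
#!/bin/sh
# Added example: flag DNAT rules whose DPORT lies inside the local
# (ephemeral) port range. Not part of the thread or of Shorewall.

# Constructed sample: a subset of the rules file posted in the thread.
RULES='DNAT net vlan1:192.168.198.2:22 tcp 40002
DNAT net vlan1:192.168.198.2:3690 tcp 3690
DNAT net vlan1:192.168.198.5:4569 udp 40569
DNAT vlan1 vlan1:192.168.198.3:80 tcp 40080 - 111.222.333.146'

# Print the live range ("low high") when /proc is readable; otherwise
# fall back to the usual Linux default so the script still runs offline.
local_port_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        cat /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "32768 60999"
    fi
}

# Print one line per DNAT rule whose DPORT (field 5) is within [low, high].
# $1 = rules text, $2 = low, $3 = high.
check_dnat_ports() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
        $1 == "DNAT" && $5+0 >= lo+0 && $5+0 <= hi+0 {
            print "port " $5 "/" $4 " -> " $3 " is inside local range " lo "-" hi
        }'
}

# Number of overlapping rules, for use in scripts and tests.
count_overlaps() {
    check_dnat_ports "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Stand-alone run against the live (or default) range.
set -- $(local_port_range)
check_dnat_ports "$RULES" "$1" "$2" || :
```

Any port it reports should be moved outside the printed range, or the range narrowed via the sysctl net.ipv4.ip_local_port_range, before assuming the Shorewall rules themselves are at fault.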