shorewall-lite version 4.4.6
Debian Lenny - 2.6.26-2-686

I have a large network of public IPs ( 1.1.1.128/25 )

I have broken this up into several smaller subnets. I have a few servers that I want to NAT translate from my gateway server to a public IP on VLAN350, which is subnet 1.1.1.192 / 27.

My gateway server has the following interfaces

eth0 - 1.1.1.149 /28
eth1 - 172.16.1.0 /24
vlan350 - 1.1.1.193 /27

I have this entry in the nat configuration file:
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
1.1.1.198 vlan350 172.16.1.23 no no
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

but when the host 172.16.1.23 pings the internet, the IP is masqueraded as 1.1.1.149, not 1.1.1.198

From the gateway, I can do the following

ping www.google.com -I 1.1.1.198

and I do get replies, and tcpdump on the gateway verifies that the IP being used is correct, so I know the routes are in place.

Any suggestions as to what I might be doing wrong?

The dump file is over 50k even after sending.

On Mon, Mar 1, 2010 at 4:54 PM, Red Baron <redbaron73@gmail.com> wrote:
> shorewall-lite version 4.4.6
> Debian Lenny - 2.6.26-2-686
>
> I have a large network of public IPs ( 1.1.1.128/25 )
>
> I have broken this up into several smaller subnets. I have a few servers
> that I want to NAT translate from my gateway server to a public IP on
> VLAN350, which is subnet 1.1.1.192 / 27.
>
> My gateway server has the following interfaces
>
> eth0 - 1.1.1.149 /28
> eth1 - 172.16.1.0 /24
> vlan350 - 1.1.1.193 /27
>
> I have this entry in the nat configuration file:
> #EXTERNAL INTERFACE INTERNAL ALL LOCAL
> 1.1.1.198 vlan350 172.16.1.23 no no
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> but when the host 172.16.1.23 pings the internet, the IP is masqueraded as
> 1.1.1.149, not 1.1.1.198
>
> From the gateway, I can do the following
>
> ping www.google.com -I 1.1.1.198
>
> and I do get replies, and tcpdump on the gateway verifies that the IP being
> used is correct, so I know the routes are in place.
>
> Any suggestions as to what I might be doing wrong?
>
> The dump file is over 50k even after sending.

Try

1.1.1.198 eth0 172.16.1.23 no no

INTERFACE - interfacelist[:[digit]]
Interfaces that have the EXTERNAL address

But it's more often done by usage of masq instead of nat

put to your masq file

vlan350 eth1:172.16.1.23 1.1.1.198

The benefit of masq is to have control about proto and port as well.
If you use masq you can delete your nat file entry.

If you tar.bz2 your dump it should become smaller.
Try ''tar -cjf status.txt.tar.bz2 {your dump file}''

Cheers
Michael

_____

From: Red Baron [mailto:redbaron73@gmail.com]
Sent: Monday, March 1, 2010 23:54
To: Shorewall Users
Subject: [Shorewall-users] NAT Issue

shorewall-lite version 4.4.6
Debian Lenny - 2.6.26-2-686

I have a large network of public IPs ( 1.1.1.128/25 )

I have broken this up into several smaller subnets. I have a few servers that I want to NAT translate from my gateway server to a public IP on VLAN350, which is subnet 1.1.1.192 / 27.

My gateway server has the following interfaces

eth0 - 1.1.1.149 /28
eth1 - 172.16.1.0 /24
vlan350 - 1.1.1.193 /27

I have this entry in the nat configuration file:
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
1.1.1.198 vlan350 172.16.1.23 no no
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

but when the host 172.16.1.23 pings the internet, the IP is masqueraded as 1.1.1.149, not 1.1.1.198

From the gateway, I can do the following

ping www.google.com -I 1.1.1.198

and I do get replies, and tcpdump on the gateway verifies that the IP being used is correct, so I know the routes are in place.

Any suggestions as to what I might be doing wrong?

The dump file is over 50k even after sending.

Red Baron wrote:
> shorewall-lite version 4.4.6
> Debian Lenny - 2.6.26-2-686
>
> I have a large network of public IPs ( 1.1.1.128/25 )
>
> I have broken this up into several smaller subnets. I have a few servers
> that I want to NAT translate from my gateway server to a public IP on
> VLAN350, which is subnet 1.1.1.192 / 27.
>
> My gateway server has the following interfaces
>
> eth0 - 1.1.1.149 /28
> eth1 - 172.16.1.0 /24
> vlan350 - 1.1.1.193 /27
>
> I have this entry in the nat configuration file:
> #EXTERNAL INTERFACE INTERNAL ALL LOCAL
> 1.1.1.198 vlan350 172.16.1.23 no no
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> but when the host 172.16.1.23 pings the internet, the IP is masqueraded
> as 1.1.1.149, not 1.1.1.198
>
> From the gateway, I can do the following
>
> ping www.google.com -I 1.1.1.198
>
> and I do get replies, and tcpdump on the gateway verifies that the IP
> being used is correct, so I know the routes are in place.
>
> Any suggestions as to what I might be doing wrong?

I assume that eth0 is your external interface with the default route? If
so you want to specify that interface in the nat file, not vlan350.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Thanks..that did the job.

On Mon, Mar 1, 2010 at 5:26 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Red Baron wrote:
> > shorewall-lite version 4.4.6
> > Debian Lenny - 2.6.26-2-686
> >
> > I have a large network of public IPs ( 1.1.1.128/25 )
> >
> > I have broken this up into several smaller subnets. I have a few servers
> > that I want to NAT translate from my gateway server to a public IP on
> > VLAN350, which is subnet 1.1.1.192 / 27.
> >
> > My gateway server has the following interfaces
> >
> > eth0 - 1.1.1.149 /28
> > eth1 - 172.16.1.0 /24
> > vlan350 - 1.1.1.193 /27
> >
> > I have this entry in the nat configuration file:
> > #EXTERNAL INTERFACE INTERNAL ALL LOCAL
> > 1.1.1.198 vlan350 172.16.1.23 no no
> > #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> >
> > but when the host 172.16.1.23 pings the internet, the IP is masqueraded
> > as 1.1.1.149, not 1.1.1.198
> >
> > From the gateway, I can do the following
> >
> > ping www.google.com -I 1.1.1.198
> >
> > and I do get replies, and tcpdump on the gateway verifies that the IP
> > being used is correct, so I know the routes are in place.
> >
> > Any suggestions as to what I might be doing wrong?
>
> I assume that eth0 is your external interface with the default route? If
> so you want to specify that interface in the nat file, not vlan350.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
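
Added example (not part of the thread, and not Shorewall's own code): a small Python model of why the nat entry bound to vlan350 never applied to internet-bound traffic from 172.16.1.23, while the same entry bound to eth0 does. The default route via eth0, the masquerade of eth0 traffic to 1.1.1.149, the destinations 203.0.113.10 and 1.1.1.200, and all function names are assumptions made for illustration.

```python
import ipaddress

# Routing table reconstructed from the interfaces in the thread.
# The default route via eth0 is an assumption (Tom's reply assumes it too).
ROUTES = [("1.1.1.144/28", "eth0"), ("172.16.1.0/24", "eth1"),
          ("1.1.1.192/27", "vlan350"), ("0.0.0.0/0", "eth0")]
# Assumed masq rule, inferred from the symptom: traffic leaving eth0 gets 1.1.1.149.
MASQ = {"eth0": "1.1.1.149"}

ORIGINAL = """#EXTERNAL INTERFACE INTERNAL ALL LOCAL
1.1.1.198 vlan350 172.16.1.23 no no
"""
FIXED = ORIGINAL.replace("vlan350", "eth0")

def egress_interface(dst):
    """Longest-prefix match over ROUTES, like the kernel's route lookup."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), dev) for n, dev in ROUTES]
    hits = [h for h in hits if addr in h[0]]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def parse_nat(text):
    """Parse nat-file rows: EXTERNAL INTERFACE INTERNAL [ALL [LOCAL]]."""
    rows = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if len(cols) >= 3:
            rows.append({"external": cols[0],
                         "iface": cols[1].split(":")[0],  # drop alias digit
                         "internal": cols[2]})
    return rows

def source_seen_outside(src, dst, nat_rows, masq=MASQ):
    """Source address of a forwarded packet after the gateway's SNAT rules.

    Simplified model: a 1:1 nat row rewrites the source only when the packet
    leaves through that row's INTERFACE; otherwise masquerading applies.
    """
    out = egress_interface(dst)
    for row in nat_rows:
        if row["internal"] == src and row["iface"] == out:
            return row["external"]
    return masq.get(out, src)

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("fixed", FIXED)):
        for dst in ("203.0.113.10", "1.1.1.200"):  # constructed destinations
            print(name, dst, source_seen_outside("172.16.1.23", dst, parse_nat(conf)))
```

In this model the original entry only takes effect for destinations inside 1.1.1.192/27, because those are the only packets that leave through vlan350.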