In addition, I suppose that you are multihomed by two internet connections.
If this is true, it seems that your default route points to the next hop of
eth0 instead of vlan350.
If you need both ways, you could solve your problems by setting up two tables
and policy routing.
Shorewall providers report would help you.
Cheers
Michael
_____
From: Michael Weickel - iQom Business Services GmbH [mailto:mw@iqom.de]
Sent: Tuesday, 2 March 2010 00:20
To: 'Shorewall Users'
Subject: [Shorewall-users] FW: NAT Issue
Forget about my part to nat file. I was wrong. Try my masq configuration.
_____
From: Michael Weickel - iQom Business Services GmbH [mailto:mw@iqom.de]
Sent: Tuesday, 2 March 2010 00:17
To: 'Shorewall Users'
Subject: RE: [Shorewall-users] NAT Issue
Try
1.1.1.198 eth0 172.16.1.23 no no
INTERFACE - interfacelist[:[digit]]
Interfaces that have the EXTERNAL address
But it's more often done by using masq instead of nat.
Put this in your masq file:
vlan350 eth1:172.16.1.23 1.1.1.198
The benefit of masq is that you have control over proto and port as well.
If you use masq you can delete your nat file entry.
If you tar.bz2 your dump it should become smaller. Try
'tar -cjf status.txt.tar.bz2 {your dump file}'
Cheers
Michael
_____
From: Red Baron [mailto:redbaron73@gmail.com]
Sent: Monday, 1 March 2010 23:54
To: Shorewall Users
Subject: [Shorewall-users] NAT Issue
shorewall-lite version 4.4.6
Debian Lenny - 2.6.26-2-686
I have a large network of public IPs ( 1.1.1.128/25 )
I have broken this up into several smaller subnets. I have a few servers
that I want to NAT translate from my gateway server to a public IP on
VLAN350, which is subnet 1.1.1.192 / 27.
My gateway server has the following interfaces
eth0 - 1.1.1.149 /28
eth1 - 172.16.1.0 /24
vlan350 - 1.1.1.193 /27
I have this entry in the nat configuration file:
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
1.1.1.198 vlan350 172.16.1.23 no no
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
but when the host 172.16.1.23 pings the internet, the IP is masqueraded as
1.1.1.149, not 1.1.1.198
From the gateway, I can do the following
ping www.google.com -I 1.1.1.198
and I do get replies, and tcpdump on the gateway verifies that the IP being
used is correct, so I know the routes are in place.
Any suggestions as to what I might be doing wrong?
The dump file is over 50k even after sending.
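
[Added example, not part of the original thread and not Shorewall code.] This is a small model of the point raised in the replies: source NAT is applied after the routing decision, so a rule bound to vlan350 only fires when the packet actually leaves on vlan350. The default route via eth0, the eth0 masquerade rule, the second routing table and the destination 203.0.113.10 are assumptions constructed for illustration.

```python
import ipaddress as ip

# Constructed model of the gateway in the original post. The default route via
# eth0 and the eth0 masquerade rule are assumptions inferred from the replies
# and from the observed 1.1.1.149 source; neither is shown in the post.
MAIN = [("1.1.1.144/28", "eth0"), ("172.16.1.0/24", "eth1"),
        ("1.1.1.192/27", "vlan350"), ("0.0.0.0/0", "eth0")]
# Hypothetical second table: same connected routes, default via vlan350.
VIA_VLAN350 = MAIN[:3] + [("0.0.0.0/0", "vlan350")]

# Source NAT rules as (out interface, source match, new source); first match wins.
SNAT = [("vlan350", "172.16.1.23/32", "1.1.1.198"),  # the nat file entry
        ("eth0", "172.16.1.0/24", "1.1.1.149")]      # assumed masq on eth0


def egress(table, dst):
    """Longest-prefix match: return the interface the packet leaves on."""
    dst = ip.ip_address(dst)
    matches = [(ip.ip_network(net), dev) for net, dev in table
               if dst in ip.ip_network(net)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def pick_table(src, rules):
    """Policy routing: the first rule whose source prefix matches picks the table."""
    for prefix, table in rules:
        if ip.ip_address(src) in ip.ip_network(prefix):
            return table
    return MAIN


def source_on_wire(src, dst, rules=()):
    """Route first, then apply the SNAT rule bound to the egress interface."""
    dev = egress(pick_table(src, rules), dst)
    for out_dev, match, new_src in SNAT:
        if out_dev == dev and ip.ip_address(src) in ip.ip_network(match):
            return dev, new_src
    return dev, src


if __name__ == "__main__":
    dst = "203.0.113.10"  # constructed internet destination (TEST-NET-3)
    print(source_on_wire("172.16.1.23", dst))
    print(source_on_wire("172.16.1.23", dst, [("172.16.1.23/32", VIA_VLAN350)]))
```

On a real gateway, `ip route get <destination> from 172.16.1.23 iif eth1` shows which interface the kernel picks for that host's traffic.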