Hi Shorewall,

I have a server running a private virtual machine dmz on br0 which has address 192.168.123.1 and usually VIP (I'm using VRRP) 192.168.123.253. The public if (NET_IF) is 203.0.113.1 with VIP: 203.0.113.253. My /etc/shorewall/masq currently has:

    NET_IF:1 192.168.123.0/24 203.0.113.253

which works perfectly, and assures that in conjunction with a DNAT rule in /etc/shorewall/rules like:

    DNAT net dmz:192.168.123.22 tcp ssh - 203.0.113.253

that packets on port 22 to the public VIP get directed to a machine like 192.168.123.22, and that machine's outbound connections appear to come from that VIP too. Note: that virtual machine uses 192.168.123.253 as its gateway.

The problem: I'd like to add two more VIPs, namely a public one, 203.0.113.254, and 192.168.123.254 (a private one on br0), and if the gateway in the virtual machine is set to .253 use the first VIP for SNAT, and if it's .254 use the second VIP. The following rules didn't work; how do I get this to work please? I was unable to ping 8.8.8.8 from inside my VM, but I was able to ping the gateway (192.168.123.253) (of course).

    NET_IF:1 192.168.123.253 203.0.113.253
    NET_IF:2 192.168.123.254 203.0.113.254

Note the :1 and :2 correspond to the legacy labels that VRRP sets.

Thank you in advance, sorry for the long read,

James
Hey there... Attached is a shorewall dump, removed a few useless things. If there is too much going on, let me know and I can add more details.

Hope this is okay,

Thanks again,
James

On Wed, 2011-04-20 at 14:04 -0400, James wrote:
> Hi Shorewall,
>
> I have a server running a private virtual machine dmz on br0 which has
> address 192.168.123.1 and usually VIP (I'm using VRRP) 192.168.123.253.
> The public if (NET_IF) is 203.0.113.1 with VIP: 203.0.113.253
> My /etc/shorewall/masq currently has:
>
> NET_IF:1 192.168.123.0/24 203.0.113.253
>
> which works perfectly, and assures that in conjunction with a DNAT rule
> in /etc/shorewall/rules like:
>
> DNAT net dmz:192.168.123.22 tcp ssh - 203.0.113.253
>
> that packets on port 22 to the public VIP get directed to a machine
> like: 192.168.123.22 and that machine's connections outbound appear to
> come from that VIP too. Note: that virtual machine uses 192.168.123.253
> as its gateway.
>
> The problem: I'd like to add two more VIPs, namely a public one:
> 203.0.113.254 and 192.168.123.254 (a private one on br0), and if the
> gateway in the virtual machine is set to .253 use the first VIP for SNAT
> and if it's .254 use the second VIP. The following rules didn't work, how
> do I get this to work please? I was unable to ping 8.8.8.8 from inside
> my VM but I was able to ping the gateway (192.168.123.253) (of course).
>
> NET_IF:1 192.168.123.253 203.0.113.253
> NET_IF:2 192.168.123.254 203.0.113.254
>
> Note the :1 and :2 correspond to the legacy labels that VRRP sets.
>
> Thank you in advance, sorry for the long read,
>
> James
On Apr 23, 2011, at 2:36 PM, James wrote:
> Hey there... Attached is a shorewall dump, removed a few useless things.
> If there is too much going on, let me know and I can add more details.
> Hope this is okay,
>>
>> NET_IF:1 192.168.123.253 203.0.113.253
>> NET_IF:2 192.168.123.254 203.0.113.254
>>
>> Note the :1 and :2 correspond to the legacy labels that VRRP sets.

I don't see anything in the dump that looks like those rules. But when you add them, I hope you put them *before* the second rule below.

    Chain NET_IF_masq (1 references)
     pkts bytes target  prot opt in  out  source            destination
        0     0 SNAT    all  --  *   *    172.16.1.0/24     0.0.0.0/0    to:203.0.113.253
       10   620 SNAT    all  --  *   *    192.168.123.0/24  0.0.0.0/0    to:203.0.113.253

Please configure the rules that you are trying to make work, try the ping that fails, *then* take the dump (assuming that the ping still fails).

Thanks,
-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
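As an added illustration of the first-match ordering Tom raises (this is not code from the thread or from Shorewall itself): a small Python walk over constructed masq lines in the thread's INTERFACE[:label] SOURCE ADDRESS layout, assuming, as Shorewall does, that the SOURCE column is matched against the packet's source address and that the generated NET_IF_masq chain stops at the first matching rule.

```python
import ipaddress

# Constructed sample /etc/shorewall/masq contents, mirroring the entries quoted
# in the thread.  Order within a string is the order in the file.
EXISTING = """
NET_IF:1   192.168.123.0/24   203.0.113.253
"""
ADDED = """
NET_IF:1   192.168.123.253    203.0.113.253
NET_IF:2   192.168.123.254    203.0.113.254
"""


def parse_masq(text):
    """Parse masq lines into (interface, source network, SNAT address) tuples.

    Assumed semantic: SOURCE selects packets by their source address; a bare
    host address is a /32.  Comments and blank lines are skipped; the VRRP
    label after ':' does not affect matching here.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        iface, source, address = line.split()[:3]
        rules.append((iface.split(":")[0],
                      ipaddress.ip_network(source, strict=False),
                      ipaddress.ip_address(address)))
    return rules


def snat_for(rules, src):
    """Walk the rules first-match, as the NET_IF_masq chain does; None if no rule matches."""
    src = ipaddress.ip_address(src)
    for _iface, net, addr in rules:
        if src in net:
            return str(addr)
    return None


def snat_with_order(first, second, src):
    """SNAT chosen for a packet from src when `first` is listed before `second`."""
    return snat_for(parse_masq(first) + parse_masq(second), src)


if __name__ == "__main__":
    # The VM sends from 192.168.123.22, so the /32 rules alone never match it.
    print(snat_for(parse_masq(ADDED), "192.168.123.22"))
    # With the /24 rule first, the .254 rule is shadowed; listed first, it wins.
    print(snat_with_order(EXISTING, ADDED, "192.168.123.254"))
    print(snat_with_order(ADDED, EXISTING, "192.168.123.254"))
```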