hi to all,

I am having problems forwarding from public vip to private vip and back

*configuration files*

interfaces
[CODE]
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth5        detect
loc     bond0       detect
[/CODE]

policy
[CODE]
#SOURCE   DEST   POLICY   LOG     LIMIT:   CONNLIMIT:
#                         LEVEL   BURST    MASK
loc       all    ACCEPT
net       all    ACCEPT
fw        all    ACCEPT
#fw       net    ACCEPT
#all      fw     ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all       all    DROP     info
#$FW      net    ACCEPT
[/CODE]

rules
[CODE]
#ACTION   SOURCE   DEST   PROTO   DEST   SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME
#                                 PORT   PORT(S)   DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION NEW
#ACCEPT loc all tcp 80 #not needed
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT)    $FW   net
#
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT)    loc   all
SSH(ACCEPT)    net   all
SSH(ACCEPT)    $FW   all
#
# Allow Ping from the local network
#
Ping(ACCEPT)   $FW   all
Ping(ACCEPT)   $FW   all
Ping(ACCEPT)   net   all
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
#Ping(DROP)    net   $FW
ACCEPT         $FW   all   icmp
ACCEPT         loc   all   icmp
ACCEPT         net   all   icmp
DNAT           net   loc:192.168.0.237   tcp   ssh,80,443   #works
[/CODE]

zones
[CODE]
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
loc     ipv4
[/CODE]

masq
[CODE]
eth5    bond0
[/CODE]

In the above my public vip is 195.x.x.21, but I am using a real server ip (192.168.0.237) and it works. BUT if I use 192.168.0.199 which is the private vip on the same box it does not work.

Any help???

On 6/8/11 6:30 AM, Sharif Uddin wrote:

> I am having problems forwarding from public vip to private vip and back
>
> *configuration files*

Note that http://www.shorewall.net/support.htm#Guidelines specifically asks that you not send configuration files.

> DNAT net loc:192.168.0.237 tcp ssh,80,443 #works
> [/CODE]
>
> In the above my public vip is 195.x.x.21, but I am using a real server
> ip (192.168.0.237) and it works. BUT if I use 192.168.0.199 which is the
> private vip on the same box it does not work.

If it is on the same box, your DNAT rule needs to be:

    DNAT net $FW:192.168.0.199
             ---

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net \________________________________________________

> On 6/8/11 6:30 AM, Sharif Uddin wrote:
>
>> I am having problems forwarding from public vip to private vip and back
>>
>> *configuration files*
> Note that http://www.shorewall.net/support.htm#Guidelines specifically
> asks that you not send configuration files.
>

Sorry, I didn't realise.

>> DNAT net loc:192.168.0.237 tcp ssh,80,443 #works
>> [/CODE]
>>
>> In the above my public vip is 195.x.x.21, but I am using a real server
>> ip (192.168.0.237) and it works. BUT if I use 192.168.0.199 which is the
>> private vip on the same box it does not work.
> If it is on the same box, your DNAT rule needs to be:
>
>     DNAT net $FW:192.168.0.199
>              ---
>
> -Tom

Thanks, I will give it a try

> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
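
The zone mismatch discussed in this thread (a DNAT target address that lives on the firewall itself but is written under a non-firewall zone) can be checked mechanically. The following is an added example, not part of the original messages and not Shorewall's own code; the function names, the sample rules (constructed from the rule lines quoted above, with the ports carried over) and the caller-supplied list of firewall-owned addresses are assumptions.

```python
import ipaddress

# Zone names that mean "the firewall itself": $FW, plus "fw" as declared
# in the zones file posted in this thread.
FW_ZONES = {"$FW", "fw"}

# Constructed sample: the working rule, the failing variant, and the fix.
SAMPLE_RULES = """\
#ACTION SOURCE DEST PROTO DEST PORT
DNAT net loc:192.168.0.237 tcp ssh,80,443 #works
DNAT net loc:192.168.0.199 tcp ssh,80,443
DNAT net $FW:192.168.0.199 tcp ssh,80,443
"""


def parse_dnat(line):
    """Return (source_zone, dest_zone, dest_ip) for a DNAT rule, else None."""
    cols = line.split("#", 1)[0].split()        # drop comment, split columns
    if len(cols) < 3 or not cols[0].startswith("DNAT"):
        return None
    zone, _, target = cols[2].partition(":")    # DEST column is zone:address[:port]
    if not target:
        return None
    try:
        ip = ipaddress.ip_address(target.split(":", 1)[0])
    except ValueError:
        return None                             # ranges/lists are out of scope here
    return cols[1], zone, ip


def lint_dnat(rules_text, firewall_addresses):
    """List (line_number, message) for DNAT rules that point at one of the
    firewall's own addresses without using the firewall zone."""
    own = {ipaddress.ip_address(a) for a in firewall_addresses}
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        parsed = parse_dnat(line)
        if parsed is None:
            continue
        _source, zone, ip = parsed
        if ip in own and zone not in FW_ZONES:
            findings.append(
                (lineno, f"{ip} is on the firewall; use $FW:{ip}, not {zone}:{ip}")
            )
    return findings


if __name__ == "__main__":
    # 192.168.0.199 is the private VIP held by the firewall box in the thread.
    for lineno, message in lint_dnat(SAMPLE_RULES, ["192.168.0.199"]):
        print(f"rules:{lineno}: {message}")
```
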