On Thu, 2011-09-08 at 17:48 +0100, Dan Tomlinson wrote:
> Hi all,
>
> I was wondering if anyone could help me with a bit of tricky shorewall
> config.
>
> We have a slightly strange setup with the following characteristics:
>
> A debian squeeze gateway / firewall machine with shorewall version
> 4.4.11.6-3. This machine sits between our internal LAN (network
> 192.168.80.0/24 on interface br0 192.168.80.254 due to the machine
> running an openvpn bridged setup) and the outside world (interface
> eth0, let's say with IP address a.b.c.d).
>
> This firewall is providing DNAT for the hosts on the internal LAN and
> the setup works fine for this purpose.
>
> The problem is that we also have a few hosts that need *real* external
> IP addresses, which we are hoping to provide using proxyarp. We have
> another IP range external to the firewall presented to the interface
> eth0 (172.24.252.192/26). These machines sit behind the firewall but
> must be directly accessible from outside.
>
> Our setup was working for both DNAT and proxyarp with the old version
> of shorewall in lenny, but after a dist-upgrade, it no-longer liked
> the following line in my /etc/shorewall/masq file:
>
> #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
> eth0 br0:!172.24.252.192/26
>
> So I changed it to:
>
> eth0 br0
>
> ... which worked for DNAT but the proxyarp stopped working.
Entries in /etc/shorewall/masq will not have any effect on proxy arp. It
will only determine the SOURCE IP address of *outgoing* connections from
hosts behind the firewall.
>
> Having read all the shorewall config guides I could get my hands on, I
> tried various of the following:
>
> eth0 br0:!172.24.252.192/26 (shorewall complains this is not valid syntax)
> eth0 192.168.80.254 (works for DNAT but not proxyarp)
> eth0 192.168.80.0/24 a.b.c.d (works for DNAT but not proxyarp)
You want the last one.
>
> I'm at a bit of a loss as to how to get DNAT and proxyarp working
> together again!
I think you need to determine *why* proxy arp isn't working. Have you
sniffed traffic on eth0 to see what is happening when an external host
pings 172.24.252.193? That should be your first step.
>
> My /etc/shorewall/proxyarp file has lines like this in it for the
> hosts needing proxyarp:
>
> #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
>
> 172.24.252.193 eth0 br0 No Yes
>
> Any advice would be greatly appreciated! I've been pulling my hair
> out about this all morning and fiddling with a live firewall with
> people working behind it is stressful enough!
>
See above. And, if you can't determine what the problem is, then please
send me the output of 'shorewall dump' and I'll take a look.
Thanks,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
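The point made above, that a masq entry only decides which source address outgoing connections leave with, can be checked against the three candidate lines from the thread with a small model of the masq SOURCE/ADDRESS matching. This is an added example written for this page, not Shorewall's own code: the interface-to-network table and the address 203.0.113.5 (standing in for a.b.c.d) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed assumption: networks Shorewall would detect on each interface.
IFACE_NETS = {"br0": [ipaddress.ip_network("192.168.80.0/24")]}


@dataclass
class MasqEntry:
    out_iface: str
    include: List[ipaddress.IPv4Network]
    exclude: List[ipaddress.IPv4Network]
    address: Optional[str]  # None: plain MASQUERADE with the outgoing interface address


def parse_masq_line(line: str) -> Optional[MasqEntry]:
    """Parse one /etc/shorewall/masq line: INTERFACE SOURCE [ADDRESS]."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    out_iface, source = fields[0], fields[1]
    address = fields[2] if len(fields) > 2 and fields[2] != "-" else None
    include, exclude = [], []
    # SOURCE is an interface, an interface qualified as iface:net,!net, or bare networks.
    if ":" in source:
        iface, spec = source.split(":", 1)
    elif source[0].isalpha():
        iface, spec = source, ""
    else:
        iface, spec = None, source
    if iface is not None:
        include.extend(IFACE_NETS[iface])
    for item in filter(None, spec.split(",")):
        if item.startswith("!"):
            exclude.append(ipaddress.ip_network(item[1:], strict=False))
        else:
            include.append(ipaddress.ip_network(item, strict=False))
    return MasqEntry(out_iface, include, exclude, address)


def snat_source(entries, out_iface: str, src_ip: str, iface_addr: str) -> str:
    """Source address a packet leaves with; first matching entry wins, else unchanged."""
    ip = ipaddress.ip_address(src_ip)
    for e in entries:
        if e.out_iface != out_iface or any(ip in n for n in e.exclude):
            continue
        if any(ip in n for n in e.include):
            return e.address or iface_addr
    return src_ip  # proxy ARP hosts outside every SOURCE leave untouched
```

Whether the proxy ARP host answers at all is a separate question, which is why the reply asks for a packet capture on eth0 rather than another masq variant.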