Shorewall 4.4.11 on Debian Squeeze

Is there a quick way to set up many-to-many NAT?

I.e., I want to have clients in one zone (192.168.1.x) NAT'd to unique addresses in a different zone (10.0.0.x).

Otherwise, as I read the man pages, I'd need to put this in the masq file:

  eth1 eth2:192.168.1.2 10.0.0.2
  eth1 eth2:192.168.1.3 10.0.0.3

and so on. Is that correct?

Or I could put

  eth1 eth2 10.0.0.2-10.0.0.254::persistent

to get a random but persistent mapping?

I'd prefer not to be using NAT at all here, but I reckon the chances of getting all the back end servers (which I don't manage) set up with correct routing is on the low side of nil.

--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson.
Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
On Wed, 2011-11-09 at 13:27 +0100, Simon Hobson wrote:

> Shorewall 4.4.11 on Debian Squeeze
>
> Is there a quick way to set up many-to-many NAT?
>
> I.e., I want to have clients in one zone (192.168.1.x) NAT'd to
> unique addresses in a different zone (10.0.0.x).
>
> Otherwise, as I read the man pages, I'd need to put this in the masq file:
>   eth1 eth2:192.168.1.2 10.0.0.2
>   eth1 eth2:192.168.1.3 10.0.0.3
> and so on
> Is that correct?
>
> Or I could put
>   eth1 eth2 10.0.0.2-10.0.0.254::persistent
> to get a random but persistent mapping?

Will netmap (http://www.shorewall.net/netmap.html) serve your need?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep wrote:

> Will netmap (http://www.shorewall.net/netmap.html) serve your need?

Yes, I think it would be just the ticket. Should NETMAP show up when I do "shorewall show capabilities"?

But then since the problem* came to light that's triggered this, management have finally suggested we review our network setup. So it's just possible I might be able to move to a routed setup internally :-)

* It turns out that if two people attempt to access an SMB share via many-to-one NAT, each connection attempt results in all other users sharing the same IPv4 address having their sessions terminated. It only happens with Windows servers and clients which have enhanced security turned on. It's been driving the web developers in the other office nuts :D
http://www.nynaeve.net/?p=93
Brilliant protocol design, and something else that NAT breaks :-/

--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson.
Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
On Wed, 2011-11-09 at 16:03 +0100, Simon Hobson wrote:

> Tom Eastep wrote:
>
> > Will netmap (http://www.shorewall.net/netmap.html) serve your need?
>
> Yes, I think it would be just the ticket. Should NETMAP show up when
> I do "shorewall show capabilities"?

No. There's no specific test for NETMAP but Squeeze supports it.

> But then since the problem* came to light that's triggered this,
> management have finally suggested we review our network setup. So
> it's just possible I might be able to move to a routed setup
> internally :-)
>
> * It turns out that if two people attempt to access an SMB share via
> many-to-one NAT, each connection attempt results in all other users
> sharing the same IPv4 address having their sessions terminated. It
> only happens with Windows servers and clients which have enhanced
> security turned on. It's been driving the web developers in the other
> office nuts :D
> http://www.nynaeve.net/?p=93
> Brilliant protocol design, and something else that NAT breaks :-/

I feel your pain.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
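Tom's netmap suggestion gives a deterministic 1:1 rewrite of the network part of each address, which is what Simon's per-host masq lines were spelling out by hand. As an added illustration (not code from the thread or from Shorewall itself), this Python models that translation, rejects the cases NETMAP cannot express (unequal network sizes, an address outside the source net), and generates the equivalent explicit masq entries for comparison; eth1/eth2 and the two /24s are the values from Simon's message.

```python
"""Added example: model NETMAP-style 1:1 address translation and generate
the per-host masq entries from the thread for comparison.  Not Shorewall code."""
import ipaddress
from typing import List


def netmap_translate(addr: str, net1: str, net2: str) -> str:
    """Rewrite the network part of addr from net1 to net2, keeping the host
    bits untouched.  This is the deterministic 1:1 mapping NETMAP provides,
    unlike the random-but-persistent choice from an address range in masq."""
    ip = ipaddress.IPv4Address(addr)
    src = ipaddress.IPv4Network(net1, strict=False)
    dst = ipaddress.IPv4Network(net2, strict=False)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs source and destination nets of equal size")
    if ip not in src:
        raise ValueError(f"{addr} is not inside {net1}")
    host_bits = int(ip) & int(src.hostmask)
    return str(ipaddress.IPv4Address(int(dst.network_address) | host_bits))


def masq_lines(out_if: str, in_if: str, net1: str, net2: str) -> List[str]:
    """Spell out what Simon sketched: one 'INTERFACE SOURCE ADDRESS' masq
    line per usable host, e.g. 'eth1 eth2:192.168.1.2 10.0.0.2'."""
    src = ipaddress.IPv4Network(net1, strict=False)
    return [
        f"{out_if} {in_if}:{host} {netmap_translate(str(host), net1, net2)}"
        for host in src.hosts()
    ]


if __name__ == "__main__":
    # Constructed sample using the interfaces and subnets from the thread.
    for line in masq_lines("eth1", "eth2", "192.168.1.0/24", "10.0.0.0/24")[:3]:
        print(line)
```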
>> But then since the problem* came to light that's triggered this,
>> management have finally suggested we review our network setup. So
>> it's just possible I might be able to move to a routed setup
>> internally :-)
>>
>> * It turns out that if two people attempt to access an SMB share via
>> many-to-one NAT, each connection attempt results in all other users
>> sharing the same IPv4 address having their sessions terminated. It
>> only happens with Windows servers and clients which have enhanced
>> security turned on. It's been driving the web developers in the other
>> office nuts :D
>> http://www.nynaeve.net/?p=93
>> Brilliant protocol design, and something else that NAT breaks :-/
>
> I feel your pain.

OK, they've now asked me to do this.

3 networks: Int, Ext, Back
Border router R
Gateway G

R connects Ext (public class C, Pub) to the internet
G connects all 3 networks

Routing on G is fairly simple - R is the default gateway, the 3 networks are locally connected.

I believe I need to change masq from:

  Ext  Int
  Back Int

to just:

  Ext:!Pub/24 Int

As I read the man page, this means NAT will be applied to connections outside of our public subnet, but not to connections to our own hosts.

plus turn off routefilter on Ext.

And on R, add a static route to Int via G plus turn on routeback on its interface in Ext.

Obviously I'll also need to set the policies and rules to suit.

If I have that right, connections between the office network and hosts single homed on the back end network "just work" - they'll have their default gateway pointed to G. For hosts on the public network, return packets will go via R first which will redirect them via G. For hosts that are dual homed on the Ext and Back networks, connections to their backend addresses will go out direct but the return packets will go via R as the default router for those hosts. Thus needing routefilter turned off on G.

Most hosts won't have a static route added to the internal network - hence the routing via R.

Does that look about right? I've done most of this before, but not with Shorewall or Linux boxes.

--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson.
Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
While I realise it's off-topic here, does anyone know if multihomed (multi NIC) Windows servers do route filtering by default? And of course, how to turn it off?

--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson.
Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.