Stephane Bouvard
2012-Jan-12 15:36 UTC
one-to-one nat and internal hosts communicating through external public IP
Hi,

Yes, I've read the different FAQs, and I fully understand them...

But I cannot use proxy ARP: my hosts are dedicated servers hosted on the cloud with only one VLAN available (my hoster refuses to give more than 1 VLAN), and thus my two zones net & loc are connected to the same VLAN, and proxy ARP needs two separate layer 2 networks. Split DNS is not a solution either, because I do not have control over the DNS (I host customers' VPS on my servers, my customers use their own DNS on their VPS, and I cannot give one customer the list of domains used by the other customers).

As I do not want loc->loc traffic to appear to originate on the firewall, I'm testing another solution that I would like to explain here, to see if you think there could be some problems I've not yet detected...

Thus, to sum up:

# net (eth0) : 1.1.1.0/24 - gateway (router of my hoster) 1.1.1.254
# loc (eth1) : 10.1.1.0/24

# interfaces
net   eth0   detect   blacklist
loc   eth1   detect   routeback

# nat
1.1.1.2   eth0   10.1.1.2   no   no
1.1.1.2   eth1   10.1.1.2   no   no
1.1.1.3   eth0   10.1.1.3   no   no
1.1.1.3   eth1   10.1.1.3   no   no

To explain: I declare the one-to-one rules twice, once on the net interface, as documented, but also once on the loc interface... I do *not* declare any masq rule.

It seems to work: when 10.1.1.2 tries to reach 1.1.1.3, 10.1.1.3 receives the connection originating from 1.1.1.2, which is what I want...

But is there any reason I should not use this method? I've not found this solution documented in the Shorewall FAQ, and thus I ask myself if I'm missing something...

Thanks for any tips on this subject :)

-- 
Best regards...
 _
(_'  A server problem? Fast, professional diagnosis for 25 euros!
,_)téphane Bouvard   http://www.infogerance-serveurs.com

------------------------------------------------------------------------------
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2
Tom Eastep
2012-Jan-12 18:05 UTC
Re: one-to-one nat and internal hosts communicating through external public IP
On 01/12/2012 07:36 AM, Stephane Bouvard wrote:
> Hi,
>
> Yes, I've read the different FAQs, and I fully understand them...
>
> But I cannot use proxy ARP: my hosts are dedicated servers hosted on the cloud with only one VLAN available (my hoster refuses to give more than 1 VLAN), and thus my two zones net & loc are connected to the same VLAN, and proxy ARP needs two separate layer 2 networks. Split DNS is not a solution either, because I do not have control over the DNS (I host customers' VPS on my servers, my customers use their own DNS on their VPS, and I cannot give one customer the list of domains used by the other customers).
>
> As I do not want loc->loc traffic to appear to originate on the firewall, I'm testing another solution that I would like to explain here, to see if you think there could be some problems I've not yet detected...
>
> Thus, to sum up:
>
> # net (eth0) : 1.1.1.0/24 - gateway (router of my hoster) 1.1.1.254
> # loc (eth1) : 10.1.1.0/24
>
> # interfaces
> net   eth0   detect   blacklist
> loc   eth1   detect   routeback
>
> # nat
> 1.1.1.2   eth0   10.1.1.2   no   no
> 1.1.1.2   eth1   10.1.1.2   no   no
> 1.1.1.3   eth0   10.1.1.3   no   no
> 1.1.1.3   eth1   10.1.1.3   no   no
>
> To explain: I declare the one-to-one rules twice, once on the net interface, as documented, but also once on the loc interface... I do *not* declare any masq rule.
>
> It seems to work: when 10.1.1.2 tries to reach 1.1.1.3, 10.1.1.3 receives the connection originating from 1.1.1.2, which is what I want...
>
> But is there any reason I should not use this method? I've not found this solution documented in the Shorewall FAQ, and thus I ask myself if I'm missing something...

There is no reason not to use your rules. But these rules do the same thing:

1.1.1.2   eth0   10.1.1.2   yes   -
1.1.1.2   eth1   10.1.1.2   yes   -

and are documented in FAQ 2a.

-Tom
-- 
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
Stephane Bouvard
2012-Jan-12 22:07 UTC
Re: one-to-one nat and internal hosts communicating through external public IP
Hello,

,- - [ On Thursday 12 January 2012 at 19:05, Tom Eastep wrote: ] - -
|
| >> # nat
| >> 1.1.1.2   eth0   10.1.1.2   no   no
| >> 1.1.1.2   eth1   10.1.1.2   no   no
| >> 1.1.1.3   eth0   10.1.1.3   no   no
| >> 1.1.1.3   eth1   10.1.1.3   no   no
|
| > There is no reason not to use your rules. But these rules do the same thing:
|
| > 1.1.1.2   eth0   10.1.1.2   yes   -
| > 1.1.1.2   eth1   10.1.1.2   yes   -
|
| > and are documented in FAQ 2a.
|
`- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I suppose that you mean

1.1.1.2   eth0   10.1.1.2   yes   -
1.1.1.3   eth0   10.1.1.3   yes   -

?

According to FAQ 2a, with these settings I should also set a masq entry ( eth1 eth1 1.1.1.1 ) to allow the servers to use the public IP to connect to each other, meaning that all loc->loc traffic appears to originate on the firewall, from the 1.1.1.1 IP, and not from the public IP of the real originating server... It's precisely what I would like to avoid and the reason why I've set two explicit NAT rules...

It's also confirmed by the http://www.shorewall.net/NAT.htm page: "Specifying “Yes” in this column will not by itself allow systems on the lower LAN to access each other using their public IP addresses."

-- 
Best regards...
Stéphane Bouvard   http://www.infogerance-serveurs.com
Tom Eastep
2012-Jan-12 22:46 UTC
Re: one-to-one nat and internal hosts communicating through external public IP
On 01/12/2012 02:07 PM, Stephane Bouvard wrote:
> Hello,
>
> I suppose that you mean
>
> 1.1.1.2   eth0   10.1.1.2   yes   -
> 1.1.1.3   eth0   10.1.1.3   yes   -
>
> ?

Yes.

> According to FAQ 2a, with these settings I should also set a masq entry ( eth1 eth1 1.1.1.1 ) to allow the servers to use the public IP to connect to each other, meaning that all loc->loc traffic appears to originate on the firewall, from the 1.1.1.1 IP, and not from the public IP of the real originating server... It's precisely what I would like to avoid and the reason why I've set two explicit NAT rules...
>
> It's also confirmed by the http://www.shorewall.net/NAT.htm page: "Specifying “Yes” in this column will not by itself allow systems on the lower LAN to access each other using their public IP addresses."

You are correct. I'll add your method to the FAQ; thanks for the tip.

-Tom
Tom Eastep
2012-Jan-13 00:11 UTC
Re: one-to-one nat and internal hosts communicating through external public IP
On Thu, 2012-01-12 at 14:46 -0800, Tom Eastep wrote:
> > According to FAQ 2a, with these settings I should also set a masq entry ( eth1 eth1 1.1.1.1 ) to allow the servers to use the public IP to connect to each other, meaning that all loc->loc traffic appears to originate on the firewall, from the 1.1.1.1 IP, and not from the public IP of the real originating server... It's precisely what I would like to avoid and the reason why I've set two explicit NAT rules...
> >
> > It's also confirmed by the http://www.shorewall.net/NAT.htm page: "Specifying “Yes” in this column will not by itself allow systems on the lower LAN to access each other using their public IP addresses."
>
> You are correct. I'll add your method to the FAQ; thanks for the tip.

I've taken another look at this and I was correct and the FAQ is wrong :-(. Here is the critical part of the difference between the two methods (both compiled with OPTIMIZE=31):

--A PREROUTING -d 1.1.1.2 -j DNAT --to-destination 10.1.1.2
--A PREROUTING -d 1.1.1.3 -j DNAT --to-destination 10.1.1.3
--A POSTROUTING -s 10.1.1.2 -j SNAT --to-source 1.1.1.2
--A POSTROUTING -s 10.1.1.3 -j SNAT --to-source 1.1.1.3
+:~comb0 - [0:0]
+:~comb1 - [0:0]
+-A PREROUTING -i eth0 -j ~comb0
+-A PREROUTING -i eth1 -j ~comb0
+-A POSTROUTING -o eth0 -j ~comb1
+-A POSTROUTING -o eth1 -j ~comb1
+-A ~comb0 -d 1.1.1.2 -j DNAT --to-destination 10.1.1.2
+-A ~comb0 -d 1.1.1.3 -j DNAT --to-destination 10.1.1.3
+-A ~comb1 -s 10.1.1.2 -j SNAT --to-source 1.1.1.2
+-A ~comb1 -s 10.1.1.3 -j SNAT --to-source 1.1.1.3

These two rulesets are equivalent, but the optimizer does a slightly better job with my way than with yours. I'll correct the FAQ.

-Tom
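To make the packet walk behind Tom's comparison concrete, here is an added Python model written for this thread (not Shorewall's code): it runs a packet through PREROUTING, routing and POSTROUTING for the two rulesets above, plus a constructed eth0-only variant to show why FAQ 2a originally called for a masq entry. The routing rule, the interface sets and the sample remote address 198.51.100.7 are assumptions.

```python
import ipaddress

# Constructed model of the NAT rulesets quoted in the thread (not Shorewall's code).
# A rule is (chain, interfaces, field, match, target, rewrite): interfaces is the set of
# interfaces the rule applies to (None = any interface, i.e. no -i/-o match), field is
# "src" or "dst", DNAT rewrites dst and SNAT rewrites src. First match in a chain wins.
LOC_NET = ipaddress.ip_network("10.1.1.0/24")
PUBLIC = {"1.1.1.2": "10.1.1.2", "1.1.1.3": "10.1.1.3"}  # public -> internal, from the nat file

def nat_rules(interfaces):
    """Build the PREROUTING/POSTROUTING rules for both hosts, restricted to `interfaces`."""
    rules = [("PREROUTING", interfaces, "dst", pub, "DNAT", priv) for pub, priv in PUBLIC.items()]
    rules += [("POSTROUTING", interfaces, "src", priv, "SNAT", pub) for pub, priv in PUBLIC.items()]
    return rules

# Tom's "yes" entries compile to DNAT/SNAT rules with no interface match at all.
TOM_YES = nat_rules(None)
# Stephane's eth0 + eth1 entries compile to ~comb0/~comb1 chains reached from both interfaces.
STEPHANE_BOTH = nat_rules({"eth0", "eth1"})
# Constructed contrast case (assumption): a plain eth0-only entry with no masq rule.
ETH0_ONLY = nat_rules({"eth0"})

def route(dst):
    """Routing decision of the firewall: the loc subnet via eth1, everything else via eth0."""
    return "eth1" if ipaddress.ip_address(dst) in LOC_NET else "eth0"

def run_chain(rules, chain, iface, src, dst):
    """Apply the first matching rule of `chain` for a packet seen on `iface`."""
    for r_chain, ifaces, field, match, target, rewrite in rules:
        if r_chain != chain or (ifaces is not None and iface not in ifaces):
            continue
        if (src if field == "src" else dst) == match:
            return (src, rewrite) if target == "DNAT" else (rewrite, dst)
    return src, dst

def nat_walk(rules, src, dst, in_iface):
    """PREROUTING on the ingress interface, route, then POSTROUTING on the egress interface."""
    src, dst = run_chain(rules, "PREROUTING", in_iface, src, dst)
    out_iface = route(dst)
    src, dst = run_chain(rules, "POSTROUTING", out_iface, src, dst)
    return src, dst, out_iface

if __name__ == "__main__":
    # The case from the thread: 10.1.1.2 connects to 10.1.1.3 through its public address.
    for name, rules in (("Tom", TOM_YES), ("Stephane", STEPHANE_BOTH), ("eth0-only", ETH0_ONLY)):
        print(name, nat_walk(rules, "10.1.1.2", "1.1.1.3", "eth1"))
```

With either of the two rulesets from the thread the hairpin connection reaches 10.1.1.3 with source 1.1.1.2; with the eth0-only variant the DNAT never fires on eth1, so the packet is routed out eth0 toward the hoster's router instead.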
Tom Eastep
2012-Jan-13 14:37 UTC
Re: one-to-one nat and internal hosts communicating through external public IP
On 01/12/2012 04:11 PM, Tom Eastep wrote:
>
> I'll correct the FAQ.

FAQ corrected.

-Tom
Stephane Bouvard
2012-Jan-14 09:42 UTC
Re: one-to-one nat and internal hosts communicating through external public IP
Hi,

,- - [ On Friday 13 January 2012 at 01:11, Tom Eastep wrote: ] - -
|
| > I've taken another look at this and I was correct and the FAQ is
| > wrong :-(.
|
`- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Good news, thanks, the setup will be easier :)

-- 
Best regards...
Stéphane Bouvard   http://www.infogerance-serveurs.com

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users