OS=Centos 6.2

My problem is I have two terminal servers located in LAN that have been natted and when I open a browser on either of those servers and go to whatsmyip.com it reports the firewall's ip address instead of the ip address assigned in the nat configuration.

These servers respond to the outside world fine with their assigned address and they have functioned for over a year without issue, but we are now trying to use software supplied by one of our clients to access their site and their server won't respond to our client side app. After a long search for problems it was determined that the software would connect after removing the nat entry for one of the servers and then connecting from that server, so I'm guessing that they must be doing some sort of spoof check and refusing to allow connection to them since the server is identified as one ip to the world but is talking from another ip.

I have tried a couple of different modifications to the masq file but nothing changes the outcome. I read that it was not necessary to modify the masq because the one-to-one nat would use the assigned ip, but that's not happening for sure on either server. When I go to whatsmyip from the DMZ the ip is reported correctly from a different server that has its own one-to-one nat, but there is no masquerading done for DMZ like there is for LAN.

Please advise.

--
This message was scanned by ESVA and is believed to be clean.

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second. Boundary is the first to Know...and Tell You. Monitor Your Applications in Ultra-Fine Resolution. Try it FREE! http://p.sf.net/sfu/Boundary-d2dvs2
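One way to check on the firewall itself whether a one-to-one NAT host leaves through its SNAT address or falls through to the LAN MASQUERADE rule, without relying on a whatsmyip-style test, is to walk the POSTROUTING chain the way netfilter does. This is an added example, not code from the thread or from the Shorewall project; the rule lines and addresses are constructed placeholders, and it assumes the `iptables -t nat -S POSTROUTING` output format and that Shorewall orders one-to-one NAT ahead of masq as the poster read.

```shell
# Constructed sample of `iptables -t nat -S POSTROUTING` output on a box
# where one-to-one NAT (SNAT) rules precede the LAN masq rule (assumed
# Shorewall ordering). All addresses are placeholders, not from the thread.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.0.2.10/32 -o eth0 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 192.0.2.11/32 -o eth0 -j SNAT --to-source 203.0.113.11
-A POSTROUTING -s 192.0.2.0/24 -o eth0 -j MASQUERADE'

# The misordering the poster suspected: MASQUERADE first, so the one-to-one
# host is masqueraded and its SNAT rule is never reached.
MISORDERED_RULES='-A POSTROUTING -s 192.0.2.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.0.2.10/32 -o eth0 -j SNAT --to-source 203.0.113.10'

# effective_source RULES HOST_IP OUT_IFACE
# Prints the address the host is seen as on OUT_IFACE: the SNAT --to-source
# address, "MASQUERADE" (the interface address) or "NONE" (no rule matched).
# The first matching rule wins, as in netfilter chain traversal.
effective_source() {
    printf '%s\n' "$1" | awk -v host="$2" -v iface="$3" '
    function ip2n(ip,  o) { split(ip, o, "."); return o[1]*16777216 + o[2]*65536 + o[3]*256 + o[4] }
    # True when ip lies inside the CIDR block (a bare address means /32)
    function in_net(ip, cidr,  p, bits, div) {
        split(cidr, p, "/"); bits = (p[2] == "") ? 32 : p[2] + 0
        if (bits == 0) return 1
        div = 2 ^ (32 - bits)
        return int(ip2n(ip) / div) == int(ip2n(p[1]) / div)
    }
    $1 == "-A" && $2 == "POSTROUTING" {
        src = "0.0.0.0/0"; out = ""; target = ""; to = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            else if ($i == "-o") out = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "--to-source") to = $(i + 1)
        }
        if ((out == "" || out == iface) && in_net(host, src)) {
            found = 1
            res = (target == "SNAT") ? to : target
            print res
            exit
        }
    }
    END { if (!found) print "NONE" }'
}

# Stand-alone demo: the first call reports the SNAT address, the second
# shows the failure mode the poster feared (one-to-one host masqueraded).
effective_source "$SAMPLE_RULES" 192.0.2.10 eth0
effective_source "$MISORDERED_RULES" 192.0.2.10 eth0
```

On a live box, feed it `"$(iptables -t nat -S POSTROUTING)"` in place of the sample, with the terminal server's LAN address and the external interface.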
On 4/21/12 7:36 AM, Bert wrote:
> OS=Centos 6.2
>
> My problem is I have two terminal servers located in LAN that have
> been natted and when I open a browser on either of those servers and
> go to whatsmyip.com it reports the firewalls ip address instead of
> the ip address assigned in the nat configuration.

Are you running a transparent proxy on the firewall? If not, then we will need to see the output of 'shorewall dump' collected as described at http://www.shorewall.net/support.htm#Guidelines

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Agh! I didn't think of that. So that skewed my test through whatsmyip but the issue is still the same. Also I tested another machine in the LAN with the software and it works fine as it is not natted, but it is masqueraded through a dansguardian/squid transparent proxy as the two servers are. Oh, the software in question uses https so it bypasses the DG/squid, but to be sure I removed them out of the rules and I get the same result. Shorewall dump was included in original but I attached to this one as well.

One other thing while I got your attention Tom, I'm a big fan of Shorewall and have been using it for almost 10 years and I don't think I have ever had an issue with it. Great piece of work.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Saturday, April 21, 2012 10:47 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] masqueraded ono-to-one nat???
On 4/21/12 8:03 PM, Bert wrote:
> Agh! I didn't think of that. So that skewed my test through whatsmyip
> but the issue is still the same. Also I tested another machine in the
> LAN with the software and it works fine as it is not natted but it is
> masqueraded through a dansguardian/squid transparent proxy as the two
> servers are. Oh, the software in question uses https so it bypasses
> the DG/squid but to be sure I removed them out of the rules and I get
> same result. Shorewall dump was included in original but I attached
> to this one as well.
>
> One other thing while I got your attention Tom, I'm a big fan of
> Shorewall and have been using it for almost 10 years and I don't
> think I have ever had an issue with it. Great piece of work.

Thanks. One question - what are the IP addresses of the terminal servers?

-Tom
"In 10 years I have never had a problem". That kept echoing in my head so I went back through policies, rules, interfaces etc knowing that there is nothing wrong with the software but yet there's nothing wrong with my setup either, and the light went on. The customer never changed their rules to allow the trmsrv ip's through their firewall. Duh! Seems obvious and the first thing to check, but the duh moment is explainable but I won't bore you with the details. Thanks Tom and I'm so sorry to trash your inbox with this.
On 4/22/12 8:58 AM, Bert wrote:
> "In 10 years I have never had a problem". That kept echoing in my
> head so I went back through policies, rules, interfaces etc knowing
> that there is nothing wrong with the software but yet there's nothing
> wrong with my setup either and the light went on. The customer never
> changed their rules to allow the trmsrv ip's through their firewall.
> Duh! Seems obvious and the first thing to check but the duh moment is
> explainable but I won't bore you with the details. Thanks Tom and I'm
> so sorry to trash your inbox with this.

No problem, Bert; glad to hear that you got it sorted out.

-Tom