On Fri, 26 Jul 2002, Webmaster - Mars Society wrote:

> Status - Cable company only routes IP to MACs. I want 5 IPs, I need 5 MACs
> on the LAN segment.
> OK, so I got 3 there now, plus 2 pointed back (loc and dmz)

So you have 3 NICs outbound I take it?
 
> There seems to be 3 ways to do anything in Shorewall. What's the best way to
> do the following:
> 
> On the INTERNET side, I have 3 static IPs (1.1.1.1, 1.1.1.2, and 1.1.1.3)
> One (1.1.1.1) will also be the default gateway for the MASQ'd net.
> 
> These will be the IPs used to access 3 servers inside the dmz (now at
> 192.168.10.243, 192.168.10.244 and 192.168.10.245)
>

That leaves no IP address for the firewall itself so your firewall won't 
be able to accept inbound connections if you use static NAT (unless you 
set NAT_BEFORE_RULES=No and use REDIRECT rules to redirect connections to 
your firewall).
 
> To start with, lets put all ports out there, and we'll tighten it up later..
>

That's never a good strategy -- better to start with it too tight and 
loosen it up. That way, you get messages like you see below to tell you 
when you need another rule. With everything open to start with, you never 
get any messages telling you that your firewall is too loose.
 
> Proxy Arp doesn't seem to like the fact that the server IP and interface IP
> are the same.

Proxy ARP only works when the systems behind the firewall have the public 
IPs. That's not the way that you've set it up.

> 
> With the rules file containing this on the last line:
> DNAT net:1.1.1.1 dmz:192.168.1.243 all -
> 

Where did you get the idea that this was a correct rule? I ask that 
seriously because someone else came up with that same kind of rule the 
other day and I want to fix the documentation to make this clearer. If you 
wanted to DNAT from 1.1.1.1 -> 192.168.1.243, the proper rule 
is:

DNAT net        dmz:192.168.1.243   <proto> <port> - 1.1.1.1

> Looks like all packets are being dropped. Log entry looks like:
> 
> Jul 26 10:30:56 firewall kernel: Shorewall:net2all:DROP:IN=eth1 OUT=
> MAC=00:40:f4:58:03:f3:00:07:0d:ae:68:70:08:00 SRC=208.8.184.240 DST=1.1.1.1
> LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=471 DF PROTO=TCP SPT=1029 DPT=25
> WINDOW=32120 RES=0x00 SYN URGP=0

That's because your rule above only applied to requests whose SOURCE 
ADDRESS was 1.1.1.1.
> 
> I'd like to keep this as simple as possible to start with.
> 
> Clues, please? NAT? SNAT? DNAT? (READ CHAPTER XX DUMMY, answers are
> acceptable)
>

I'm afraid there's no chapter anywhere that will cover the setup you 
have. Most multi-IP setups only require one network interface.

Given that you only have 3 IP addresses and you have 3 servers, I would 
use DNAT. You of course must SNAT the dmz to the internet with an 
entry in the /etc/shorewall/masq file. You'll have to just pick one of 
your external IP addresses to use as a source for outgoing connection 
requests. 

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
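The rules and masq entries Tom describes, written out as an added example (this is not code from the thread or from the Shorewall project). The script emits the Shorewall 1.3-era file lines and the iptables nat commands they correspond to as text, so it runs without root or a Shorewall install. It assumes, beyond what the thread states, that eth1 is the internet-facing interface, that the dmz is 192.168.10.0/24 (the thread mixes 192.168.10.x and 192.168.1.x), that only tcp/25 (the port in the logged drop) is opened per server to begin with, and that 1.1.1.1 is the address chosen for outbound dmz traffic. The mapping table and the log line checked at the end are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: the Shorewall rules and masq entries
# Tom describes, plus the iptables nat commands they boil down to.
# Everything is emitted as text, so it runs without root or Shorewall.
# Assumptions (not stated in the thread): eth1 is the internet-facing
# interface, the dmz is 192.168.10.0/24, and only tcp/25 (the port in the
# logged drop) is opened per server to start with.

EXT_IF=eth1
DMZ_NET=192.168.10.0/24
SNAT_ADDR=1.1.1.1   # the one public address used as source for outbound dmz traffic

# Constructed mapping table: "public-ip internal-ip proto port", one per line.
MAP='1.1.1.1 192.168.10.243 tcp 25
1.1.1.2 192.168.10.244 tcp 25
1.1.1.3 192.168.10.245 tcp 25'

# One /etc/shorewall/rules line.  Column order in this release is
#   ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST
# The public address belongs in ORIGINAL DEST.  Writing net:1.1.1.1 in the
# SOURCE column (the rule in the thread) only matches packets *sent by*
# 1.1.1.1, so the SMTP connection in the log fell through to net2all:DROP.
shorewall_dnat_line() {  # $1 public  $2 internal  $3 proto  $4 port
    printf 'DNAT\tnet\tdmz:%s\t%s\t%s\t-\t%s\n' "$2" "$3" "$4" "$1"
}

# The nat-table half of what that line turns into (Shorewall also adds the
# matching filter-table ACCEPT from net to dmz, omitted here).
iptables_dnat() {  # same arguments
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s\n' \
        "$EXT_IF" "$1" "$3" "$4" "$2"
}

# /etc/shorewall/masq entry: INTERFACE SUBNET ADDRESS.  Supplying ADDRESS
# makes Shorewall SNAT to that fixed public IP instead of MASQUERADE.
shorewall_masq_line() {  # $1 public source address
    printf '%s\t%s\t%s\n' "$EXT_IF" "$DMZ_NET" "$1"
}

iptables_masq() {  # $1 public source address
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$EXT_IF" "$DMZ_NET" "$1"
}

# Check a Shorewall kernel-log line of the kind in the thread against MAP:
# succeeds if some mapping covers the dropped packet's DST and DPT, i.e. the
# drop is a missing or wrong DNAT rule rather than traffic you meant to block.
log_covered() {  # $1 log line
    dst=$(printf '%s\n' "$1" | sed -n 's/.*DST=\([0-9.]*\).*/\1/p')
    dpt=$(printf '%s\n' "$1" | sed -n 's/.*DPT=\([0-9]*\).*/\1/p')
    printf '%s\n' "$MAP" | while read -r pub int proto port; do
        [ "$pub" = "$dst" ] && [ "$port" = "$dpt" ] && echo covered
    done | grep -q covered
}

show_config() {
    echo '# /etc/shorewall/rules'
    printf '%s\n' "$MAP" | while read -r pub int proto port; do
        shorewall_dnat_line "$pub" "$int" "$proto" "$port"
    done
    echo '# /etc/shorewall/masq'
    shorewall_masq_line "$SNAT_ADDR"
    echo '# equivalent iptables nat commands'
    printf '%s\n' "$MAP" | while read -r pub int proto port; do
        iptables_dnat "$pub" "$int" "$proto" "$port"
    done
    iptables_masq "$SNAT_ADDR"
}

show_config
```

Two caveats from Tom's reply carry over unchanged: with all three public addresses DNATed to dmz hosts, nothing is left for the firewall itself to accept inbound connections on unless NAT_BEFORE_RULES=No and REDIRECT rules are used, and starting with a narrow port list is what makes net2all:DROP log lines useful, since each one points at exactly the rule that is still missing.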



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html