Dear Tom,
ifconfig:
eth0 Link encap:Ethernet HWaddr 00:E0:7D:A7:0B:BF
inet addr:172.17.180.67 Bcast:172.17.180.127
Mask:255.255.255.192
/etc/shorewall/rules:
DNAT:info loc loc:10.100.100.11 udp 53 - 10.10.10.11
DNAT:info loc loc:10.100.100.11 tcp 53 - 10.10.10.11
/etc/shorewall/interfaces
loc eth0 detect dhcp,routeback
/etc/shorewall/masq
eth0:10.100.100.11 172.17.180.0/26 172.17.180.67
Now an nslookup from 172.17.180.71 to 10.10.10.11 does the following:
> server 10.10.10.11
DNS request timed out.
timeout was 2 seconds.
Standardserver: [10.10.10.11]
Address: 10.10.10.11
>
Logfile on Gateway:
Dec 14 10:53:47 gw-lauf1 kernel: Shorewall:loc_dnat:DNAT:IN=eth0 OUT=
MAC=00:e0:7d:a7:0c:bf:09:a0:f8:03:d4:c0:08:00 SRC=172.17.180.71
DST=10.10.10.11 LEN=63 TOS=0x00 PREC=0x00 TTL=127 ID=50778 PROTO=UDP
SPT=56997 DPT=53 LEN=43
I think that the gateway doesn't rewrite the destination IP from
10.10.10.11 to 10.100.100.11.
And then the Cisco doesn't accept these packets.
Log from tcpdump:
12:36:40.098449 172.17.180.71.17322 > 10.10.10.11.53: 10+ A?
ica.company. (28)
12:36:40.098561 172.17.180.71.17322 > 10.10.10.11.53: 10+ A?
ica.company. (28)
12:36:40.098817 172.17.180.71.17322 > 10.100.100.11.53: 10+ A?
ica.company. (28)
12:36:40.109417 10.100.100.11.53 > 172.17.180.71.17322: 10* 3/1/3 A
10.100.100.24,[|domain] (DF)
Any answers??
Christian
Tom Eastep schrieb:
> Christian Bayer wrote:
>
>> Hello,
>>
>> following problem:
>>
>> I have a network 172.17.180.64/255.255.255.192 (LOC). Default gateway:
>> 172.17.180.67
>> The Shorewall firewall is the default gateway and has IP 172.17.180.67.
>>
>> Behind ANOTHER CISCO gateway 172.17.180.68 is a DMZ which uses the
>> subnet 10.100.100.0/255.255.255.0.
>> In this DMZ is a DNS server with IP 10.100.100.11.
>>
>> The problem:
>> On all clients in the 172.17.180.64/255.255.255.192 net the OLD DNS
>> server (10.10.10.11 !!!) is written in the network settings,
>> and the CISCO accepts only packets to the 10.100.100.x subnet.
>>
>> The only thing I want is to FORWARD all UDP/TCP 53 connects to
>> 10.10.10.11 to the new DNS 10.100.100.11 !!!
>>
>> I already used the following RULE on 172.17.180.67:
>> DNAT loc loc:10.100.100.11 udp 53 - 10.10.10.11
>> DNAT loc loc:10.100.100.11 tcp 53 - 10.10.10.11
>>
>> but this doesn't work.
>>
>> Please Help !!
>>
>>
>
> A configuration such as yours is covered in the Shorewall documentation in the
> article at http://www.shorewall.net/Multiple_Zones.html (from the
> documentation index, follow the link labeled "Routing on One Interface").
>
> As described there, you need to set the 'routeback' option on your local
> interface in /etc/shorewall/interfaces.
>
> You *may* also need to add this entry to your /etc/shorewall/masq file.
>
> <local_if>:10.100.100.11 172.17.180.0/26 172.17.180.67
>
> but simply adding 'routeback' (along with your DNAT rules) should be enough.
>
> -Tom
>
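A small check for the kind of question raised in the message above: does the DNAT rule actually fire, and does the capture on the gateway show the rewritten query and its answer? This is an added example, not code from the post or from the Shorewall project. It parses the Shorewall kernel log format ("Shorewall:<chain>:<target>:KEY=VALUE ...") and tcpdump's DNS summary lines, then correlates them. The sample lines are constructed copies of the log and tcpdump output quoted in the message; the names (`check_dns_redirect`, `LOG_RE`, `TCPDUMP_RE`, `OLD_DNS`, `NEW_DNS`) are this example's own. One fact the check relies on: tcpdump on a Linux gateway sees an inbound packet before netfilter rewrites it (original destination) and the outbound copy after NAT (rewritten destination), so a DNATed query shows up twice with different destinations.

```python
import re

# Constructed copies of the gateway log line and tcpdump lines from the message above.
SHOREWALL_LOG = (
    "Dec 14 10:53:47 gw-lauf1 kernel: Shorewall:loc_dnat:DNAT:IN=eth0 OUT= "
    "MAC=00:e0:7d:a7:0c:bf:09:a0:f8:03:d4:c0:08:00 SRC=172.17.180.71 "
    "DST=10.10.10.11 LEN=63 TOS=0x00 PREC=0x00 TTL=127 ID=50778 PROTO=UDP "
    "SPT=56997 DPT=53 LEN=43"
)
TCPDUMP_LINES = [
    "12:36:40.098449 172.17.180.71.17322 > 10.10.10.11.53: 10+ A? ica.company. (28)",
    "12:36:40.098561 172.17.180.71.17322 > 10.10.10.11.53: 10+ A? ica.company. (28)",
    "12:36:40.098817 172.17.180.71.17322 > 10.100.100.11.53: 10+ A? ica.company. (28)",
    "12:36:40.109417 10.100.100.11.53 > 172.17.180.71.17322: 10* 3/1/3 A 10.100.100.24,[|domain] (DF)",
]
OLD_DNS = "10.10.10.11"     # address still configured on the clients
NEW_DNS = "10.100.100.11"   # DNS server in the DMZ that the DNAT rule targets

# 'Shorewall:<chain>:<target>:' prefix, then KEY=VALUE fields (hypothetical names for this example)
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<target>[^:]+):(?P<fields>.*)$")
# tcpdump DNS summary: 'ts src.port > dst.port: txid flags rest'
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<txid>\d+)(?P<flags>[+*]*)\s+(?P<rest>.*)$"
)


def parse_shorewall_log(line):
    """Parse one Shorewall/netfilter kernel log line into a dict.

    The prefix names the chain and the rule target that logged the packet;
    the rest is KEY=VALUE pairs, some of them empty (OUT=). LEN= appears
    twice (IP length, then UDP length); the first occurrence is kept."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "target": m.group("target")}
    for key, value in re.findall(r"(\w+)=(\S*)", m.group("fields")):
        rec.setdefault(key, value)
    return rec


def parse_tcpdump_line(line):
    """Parse one IPv4 tcpdump DNS summary line; returns None for anything else."""
    m = TCPDUMP_RE.match(line)
    return m.groupdict() if m else None


def check_dns_redirect(shorewall_line, tcpdump_lines, old_dns, new_dns):
    """Correlate the DNAT log entry with the packet capture.

    Returns whether the DNAT rule logged a port-53 packet for old_dns, how many
    queries the capture shows to old_dns (pre-NAT copies) and to new_dns
    (post-NAT copies), and how many answers from new_dns match a rewritten
    query by client address, client port and DNS transaction id."""
    log = parse_shorewall_log(shorewall_line)
    rule_fired = bool(log and log["target"] == "DNAT"
                      and log.get("DST") == old_dns and log.get("DPT") == "53")
    pkts = [p for p in map(parse_tcpdump_line, tcpdump_lines) if p]
    to_old = [p for p in pkts if p["dst"] == old_dns and p["dport"] == "53"]
    to_new = [p for p in pkts if p["dst"] == new_dns and p["dport"] == "53"]
    answers = [
        a for a in pkts
        if a["src"] == new_dns and a["sport"] == "53"
        and any(q["src"] == a["dst"] and q["sport"] == a["dport"] and q["txid"] == a["txid"]
                for q in to_new)
    ]
    return {
        "dnat_rule_fired": rule_fired,
        "queries_to_old_dns": len(to_old),
        "queries_rewritten_to_new_dns": len(to_new),
        "answers_from_new_dns": len(answers),
        "redirect_working": rule_fired and bool(to_new) and bool(answers),
    }


if __name__ == "__main__":
    for key, value in check_dns_redirect(SHOREWALL_LOG, TCPDUMP_LINES, OLD_DNS, NEW_DNS).items():
        print(f"{key}: {value}")
```

Run it against a log line and tcpdump lines collected on the gateway itself (`tcpdump -n -i eth0 port 53`). If `queries_rewritten_to_new_dns` is zero, the DNAT rule is not being applied to that traffic (check the rule's source zone and the 'routeback' option); if the rewritten query is there but `answers_from_new_dns` stays zero, the problem is on the far side of the Cisco or in the return path, which is where the masq entry comes in.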
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users