Bob Proulx wrote:

>   15.6.88.87 host initiating the telnet connect
>       |
>   eth0   15.6.94.236
>   eth0:0 15.6.88.149
>   +-----+
>   |linux|
>   +-----+
>   eth1   10.1.0.1
>       |
>   10.1.0.2 host accepting the telnet
>
> Following http://www.shorewall.net/NAT.htm I created the following:
>
> /etc/shorewall/nat
> #EXTERNAL     INTERFACE   INTERNAL    ALL INTERFACES   LOCAL
> 15.6.88.149   eth0        10.1.0.2    no               yes
>
> However the result of that configuration was unsuccessful. Regardless
> of the setting of ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf
> this never seemed to create an interface for 15.6.88.149. No ping.
Shorewall will never create an interface.

> Shouldn't an IP alias have been created in the above configuration?

No. But address 15.6.88.149 should have been added to the IPv4 configuration for eth0.

> Eventually I created 15.6.88.149 manually labeled eth0:0 using Debian's
> /etc/network/interfaces and ifup. With a manually created interface
> and the above configuration packets routed out eth1 but failed to have
> their source addresses translated. Running tcpdump I found that the
> packets leaving eth1 retained their original 15.6.88.87 source
> address. When this showed up to the 10.1.0.2 host it discarded them
> as an invalid packet for that network.

Why?

>   15.6.88.87 -> 15.6.88.149:23 into eth0
>   Became:
>   15.6.88.87 -> 10.1.0.2:23 out of eth1
>
> Shouldn't the source address have been translated to be from 10.1.0.1?

No.

> As per http://www.shorewall.net/Documentation.htm#Masq I added an SNAT
> entry and this coupled with the nat rule above did route and translate
> the source address.
>
> /etc/shorewall/masq
> #INTERFACE   SUBNET   ADDRESS    PROTO   PORT(S)   IPSEC
> eth1         eth0     10.1.0.1
>
>   15.6.88.87 -> 15.6.88.149:23 into eth0
>   Became:
>   10.1.0.1 -> 10.1.0.2:23 out of eth1
>
> Success! This configuration appears to work perfectly for me. I can
> telnet to the 15.6.88.149 address and it routes and translates and a
> connection is enabled. I can connect to the device on the private
> address.
> But I will have another
> box to try this on soon and can collect information from it then.
> Until then I have a configuration that is working. I am only hoping
> to improve the documentation such that this would be easier for
> someone else trying to do something similar.

Ok. I would like to understand why the address apparently didn't get added.

> Any ideas on what I was doing wrong? Or should the documentation for
> one-to-one nat include creating the IP alias manually and adding a
> masq entry too?
Again, I don't understand why the masq entry is necessary unless 10.1.0.2 doesn't have a default gateway defined.

As to creating the alias, the NAT documentation already includes this:

    Note: Shorewall will automatically add the external address to the specified interface unless you specify ADD_IP_ALIASES=“no” (or “No”) in /etc/shorewall/shorewall.conf; if you do not set ADD_IP_ALIASES or if you set it to “Yes” or “yes” then you must NOT configure your own alias(es).

I have no idea why an address was not created for you with ADD_IP_ALIASES=Yes -- I would have to see a trace of "shorewall start" in order to understand what went wrong.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
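Added illustration of the packet path discussed in this thread (not Shorewall code and not part of either message): the one-to-one nat entry is modelled as a destination rewrite at ingress, the masq entry as a source rewrite at egress, and a final check asks whether 10.1.0.2 can route its reply, which is exactly what decides whether the masq entry is needed. The /24 masks, the routing helper and the default-gateway flag are assumptions; the addresses and port are the thread's.

```python
from dataclasses import dataclass, replace
from typing import Tuple
import ipaddress

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# /etc/shorewall/nat from the thread: EXTERNAL 15.6.88.149 <-> INTERNAL 10.1.0.2
ONE_TO_ONE = {"15.6.88.149": "10.1.0.2"}
# /etc/shorewall/masq from the thread: traffic leaving eth1 gets source 10.1.0.1
MASQ_SOURCE = {"eth1": "10.1.0.1"}
# Assumed firewall route: the /24 mask is a guess; the addresses are the thread's.
ROUTES = {"eth1": ipaddress.ip_network("10.1.0.0/24")}

def egress_interface(dst: str) -> str:
    """Pick the outgoing interface; anything not on eth1's subnet goes back out eth0."""
    addr = ipaddress.ip_address(dst)
    return next((ifc for ifc, net in ROUTES.items() if addr in net), "eth0")

def forward(pkt: Packet, masq: bool) -> Tuple[Packet, str]:
    """Rewrite the destination (one-to-one nat) and, only if masq is set, the source."""
    pkt = replace(pkt, dst=ONE_TO_ONE.get(pkt.dst, pkt.dst))
    ifc = egress_interface(pkt.dst)
    if masq and ifc in MASQ_SOURCE:
        pkt = replace(pkt, src=MASQ_SOURCE[ifc])
    return pkt, ifc

def internal_host_can_reply(pkt: Packet, has_default_gateway: bool) -> bool:
    """Can 10.1.0.2 route a reply to pkt.src? On-link always; off-link only via a default gateway."""
    if ipaddress.ip_address(pkt.src) in ROUTES["eth1"]:
        return True
    return has_default_gateway

if __name__ == "__main__":
    telnet = Packet("15.6.88.87", "15.6.88.149", 23)
    for masq in (False, True):
        out, ifc = forward(telnet, masq)
        for gw in (False, True):
            print(f"masq={masq} default_gw={gw}: {out.src} -> {out.dst}:{out.dport} out of {ifc},"
                  f" reply routable={internal_host_can_reply(out, gw)}")
```

Without the masq entry the reply is only routable when 10.1.0.2 has a default gateway pointing at 10.1.0.1; with it, the source is on-link and the gateway no longer matters.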
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
