My problem is one of virtual interfaces. First, I understand the ramifications
of pass-through.
Here is what I'm trying to do.
Another (trusted) entity in our building has a router connected to our private
network to utilize our Internet connection.
It is at address 192.168.1.3. They recently requested an external static
Internet address. I acquired one and added a rule
(see the bottom of this). Even though I placed it at the end of the rules file,
it preempts access to my webserver running
on the firewall and using the primary address on the same interface. I've
studied your page on virtual interfaces, but I
must be missing something. What happens is everything coming in on the
xxx.xxx.xxx.141 address goes to loc:192.168.1.3.
What I want is to allow traffic to xxx.xxx.xxx.141 to go to the firewall
server and traffic to xxx.xxx.xxx.184 to go to 192.168.1.3.
Working on the assumption that even (possibly) dumb questions need answering,
why is this happening?
Also, the basis of my configuration is the two-interface sample.
[EMAIL PROTECTED] ~]# ip addr show
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:12:3f:73:de:72 brd ff:ff:ff:ff:ff:ff
inet xxx.xxx.xxx.141/25 brd xxx.xxx.xxx.255 scope global eth0
inet xxx.xxx.xxx.160/25 brd xxx.xxx.xxx.255 scope global secondary eth0:1
inet xxx.xxx.xxx.184/25 brd xxx.xxx.xxx.255 scope global secondary eth0:2
inet6 fe80::212:3fff:fe73:de72/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:fc:27:38:46 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
inet6 fe80::250:fcff:fe27:3846/64 scope link
valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
link/[65534]
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
[EMAIL PROTECTED] ~]# ip route show
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
xxx.xxx.xxx.128/25 dev eth0 proto kernel scope link src xxx.xxx.xxx.141
192.168.4.0/24 via 10.8.0.1 dev tun0 scope link
192.168.3.0/24 via 192.168.1.252 dev eth1
192.168.2.0/24 via 192.168.1.252 dev eth1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
192.168.123.0/24 via 192.168.1.3 dev eth1
169.254.0.0/16 dev eth1 scope link
default via xxx.xxx.xxx.129 dev eth0
The rule in question:
DNAT net loc:192.168.1.3 all - xxx.xxx.xxx.184
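The symptom in the post (every address on eth0 being forwarded to 192.168.1.3) is what a DNAT rule does when its ORIGINAL DEST column is empty, so a first diagnostic is to see which column each field of the posted rule actually lands in. The following is an added example, not code from the post or from Shorewall; it assumes the classic rules-file column order ACTION SOURCE DEST PROTO DEST PORT SOURCE PORT ORIGINAL DEST, and uses the constructed placeholder 203.0.113.184 in place of xxx.xxx.xxx.184.

```python
import re

# Assumed classic Shorewall rules-file column order (whitespace separated).
COLUMNS = ["ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "ORIGINAL_DEST"]
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_rule(line):
    """Split one rules-file line into named columns; '-' and missing columns become None."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    rule = {}
    for i, col in enumerate(COLUMNS):
        value = fields[i] if i < len(fields) else "-"
        rule[col] = None if value == "-" else value
    return rule


def check_dnat(line):
    """Return (original_dest, problems) for a DNAT rule.

    original_dest is None when the rule is not restricted to one external
    address, i.e. it would catch traffic arriving on every address of the
    SOURCE zone's interface (the primary address of the firewall included).
    """
    rule = parse_rule(line)
    if rule is None or rule["ACTION"].upper() != "DNAT":
        return None, []
    problems = []
    if rule["ORIGINAL_DEST"] is None:
        problems.append("ORIGINAL DEST empty: DNAT applies to all destination addresses")
    if rule["SPORT"] and IPV4.match(rule["SPORT"]):
        problems.append("an IP address sits in the SOURCE PORT column (missing '-'?)")
    return rule["ORIGINAL_DEST"], problems


# Constructed inputs: the rule as it appears in the post, and a fully
# columned form that names the external address in ORIGINAL DEST.
AS_POSTED = "DNAT net loc:192.168.1.3 all - 203.0.113.184"
FULLY_COLUMNED = "DNAT net loc:192.168.1.3 all - - 203.0.113.184"

if __name__ == "__main__":
    for rule_line in (AS_POSTED, FULLY_COLUMNED):
        print(rule_line, "->", check_dnat(rule_line))
```

With the rule as posted, the address is read as SOURCE PORT and ORIGINAL DEST is empty; with a second `-` the DNAT is limited to traffic addressed to 203.0.113.184 and leaves the firewall's primary address alone.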
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users