Christian Vieser wrote:
> Hi all,
>
> after a half day searching for an error, sniffing and upgrading to the
> newest shorewall version I give up and give the problem to you. I have
> the following configuration in my /etc/shorewall/masq:
>
> #INTERFACE              SOURCE              ADDRESS
> vlan7::10.231.0.0/16    192.168.222.0/24    10.231.113.30
> vlan7                   192.168.222.0/24    10.1.0.38
>
> Towards a special network I need a masking of all outgoing traffic to
> 10.231.113.30, in all other cases I use the basic address of the
> interface for masking. What happens? Nothing - no packet towards an
> address in 10.231.0.0 leaves the interface. If I swap the entries in the
> config file, the packets go through the interface, but are masked with
> the wrong IP (which would be the expected behavior). So I'm sure that
> there is no fault in the other config files.
>
> Netfilter also seems to have the correct rules (whole dump enclosed):
>
> Chain vlan7_masq (1 references)
>  pkts bytes target  prot opt in  out  source            destination
>    10   600 SNAT    0    --  *   *    192.168.222.0/24  10.231.0.0/16  to:10.231.113.30
>     2    96 SNAT    0    --  *   *    192.168.222.0/24  0.0.0.0/0      to:10.1.0.38
>
> I know that I had the same construction working some months ago. Only
> difference is, that there it was a "real" eth interface and now it's a
> vlan.
>
> Any idea?

I suspect that with the destination IP address rewritten to 10.231.113.30, the traffic then matches one of your SPD entries so the kernel is trying to send it down an IPSEC tunnel.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
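
The hypothesis in the reply above can be checked mechanically. The following is an added example, not part of the original thread or of Shorewall: it applies the two SNAT rules quoted in the question to a flow and tests whether the translated packet falls inside an outbound IPsec policy selector. The SPD text is a constructed sample in the layout printed by `ip xfrm policy`, with hypothetical selectors and tunnel endpoints, and the function names are illustrative.

```python
from ipaddress import ip_address, ip_network
import re

# SNAT rules from the vlan7_masq chain quoted above: (source, destination, to-address)
SNAT_RULES = [("192.168.222.0/24", "10.231.0.0/16", "10.231.113.30"),
              ("192.168.222.0/24", "0.0.0.0/0", "10.1.0.38")]

# Constructed sample in `ip xfrm policy` layout; selectors and tunnel endpoints
# are hypothetical, the thread does not show the real SPD.
SAMPLE_SPD = """\
src 10.231.113.0/24 dst 10.231.0.0/16
\tdir out priority 2344
\ttmpl src 192.0.2.1 dst 192.0.2.2
\t\tproto esp reqid 1 mode tunnel
src 10.231.0.0/16 dst 10.231.113.0/24
\tdir in priority 2344
\ttmpl src 192.0.2.2 dst 192.0.2.1
\t\tproto esp reqid 1 mode tunnel
"""

def parse_out_policies(text):
    """Return the (src_net, dst_net) selector of every 'dir out' policy."""
    policies, selector = [], None
    for line in text.splitlines():
        # An unindented 'src ... dst ...' line starts a new policy; tmpl lines are indented.
        if m := re.match(r"src (\S+) dst (\S+)", line):
            selector = tuple(ip_network(g) for g in m.groups())
        elif selector and re.match(r"\s+dir out\b", line):
            policies.append(selector)
    return policies

def snat(src, dst, rules=SNAT_RULES):
    """Source address after the first matching SNAT rule (the chain is first-match)."""
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, to_addr in rules:
        if s in ip_network(rule_src) and d in ip_network(rule_dst):
            return to_addr
    return src

def spd_match(src, dst, policies, rules=SNAT_RULES):
    """Selector of the outbound policy the post-SNAT packet falls into, or None."""
    new_src, d = ip_address(snat(src, dst, rules)), ip_address(dst)
    for p_src, p_dst in policies:
        if new_src in p_src and d in p_dst:
            return f"{p_src} -> {p_dst}"
    return None

if __name__ == "__main__":
    for flow in [("192.168.222.5", "10.231.4.1"), ("192.168.222.5", "10.50.0.9")]:
        print(flow, snat(*flow), spd_match(*flow, parse_out_policies(SAMPLE_SPD)))
```

With the rule order swapped, as the poster tried, the same flow is translated to 10.1.0.38 and misses the sample policy, which is consistent with the packets then leaving the interface.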
