I'm still trying to get Shorewall working properly on a new Xen system. My current problem is that SNAT doesn't seem to work. When I connect out from behind my new firewall to another host, the source IP address is supposed to be SNAT'ed to the address of my firewall, but this isn't happening. The outbound connection =does= succeed -- just not with the desired masquerading of the source IP address.

I went back to Shorewall 3.4.4, in case there might be some bug in the 4.0.6 code I had been using, but the problem is unchanged in 3.4.4. The attached diagnostic output is from 3.4.4.

I'm attaching the output of "shorewall dump". I'm also attaching a TAR file with my configuration (based on the "two-interfaces" example) -- I tried to make this example as small as possible while still illustrating the problem.

The network "behind" my new firewall is 172.31.53.0/24. The exterior network is 172.29.0.0/24 (which is also my home LAN's network -- again, this system is still in development, so I'm working entirely within my home LAN for now).

The experiment I did just before doing "shorewall dump" was to SSH from a host behind my firewall (172.31.53.5) to a host on my LAN (172.29.0.29). The SSH succeeded, but the source IP address was unchanged. I had hoped/expected the connection to appear to have originated from my firewall's exterior address (172.29.0.53) -- but the target host saw the source's real address (172.31.53.5) instead.

In the "NAT Table" portion of the "shorewall dump" output, you'll see a chain called "lan0_masq", which I assume is supposed to change a source address in the 172.31.53.0/24 range to 172.29.0.53. Note that lan0_masq is invoked once in the POSTROUTING chain, but the lan0_masq chain doesn't appear to be processing any packets.

In case it may be helpful, here is a line from my syslog file (I added logging for SSH through the firewall). Note that the connection appears to have gone from 172.31.53.5 (my "dmz" network) to 172.29.0.29 (my "lan" network), as expected:

Dec 26 20:07:23 whodunit kernel: [72660.851790] Shorewall:dmz2lan:ACCEPT:ssh IN=dmz0 OUT=lan0 SRC=172.31.53.5 DST=172.29.0.29 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4635 DF PROTO=TCP SPT=57013 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

My firewall is the dom0 of a routed Xen 3.1 / Ubuntu 7.10 system (kernel 2.6.22-14-xen). The network behind the firewall (172.31.53.0/24) holds my domU's, though it also has a physical interface card (which currently doesn't have anything plugged into it). The external network interface (171.66.155.243) is currently unconnected while I develop/test.

Any suggestions as to how I can get SNAT working would be gratefully appreciated. Thanks.

-- 
Rich Wales === Palo Alto, CA, USA === [EMAIL PROTECTED]
http://www.richw.org === http://en.wikipedia.org/wiki/User:Richwales
Attachments: status.txt.gz (GNU Zip compressed data); shorewallcfg.tgz (application/compressed-tar)
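An added example, not from the original post or from Shorewall itself, that checks the quoted log line against a masq entry and a NAT-chain counter listing, to flag the situation described above where a masq rule matches on paper but the chain shows no packets. The MASQ_RULES entry is an assumption about the poster's masq file, and NAT_DUMP is a constructed stand-in for the "shorewall dump" NAT table rather than the attached output.

```python
import ipaddress
import re

# Constructed inputs. The masq entry (INTERFACE, SOURCE, ADDRESS) is an assumption about
# the poster's config; the log line is the one quoted in the post; the chain counters
# mimic the "shorewall dump" NAT table and are constructed, not copied from the attachment.
MASQ_RULES = [("lan0", "172.31.53.0/24", "172.29.0.53")]
LOG_LINE = ("Dec 26 20:07:23 whodunit kernel: [72660.851790] Shorewall:dmz2lan:ACCEPT:ssh "
            "IN=dmz0 OUT=lan0 SRC=172.31.53.5 DST=172.29.0.29 LEN=60 TOS=0x00 PREC=0x00 "
            "TTL=63 ID=4635 DF PROTO=TCP SPT=57013 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0")
NAT_DUMP = """Chain lan0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      *       172.31.53.0/24       0.0.0.0/0
"""

def parse_log(line):
    """Pull the KEY=value pairs (IN, OUT, SRC, DST, ...) out of a Shorewall log line."""
    return dict(re.findall(r"\b([A-Z]+)=(\S+)", line))

def expected_snat(fields, rules):
    """Address a masq rule should rewrite SRC to, or None if no rule applies."""
    src = ipaddress.ip_address(fields["SRC"])
    for iface, source_net, address in rules:
        if fields.get("OUT") == iface and src in ipaddress.ip_network(source_net):
            return address
    return None

def chain_packets(dump, chain):
    """Sum the pkts column of one chain in an iptables -v style dump."""
    total, in_chain = 0, False
    for line in dump.splitlines():
        cols = line.split()
        if cols[:1] == ["Chain"]:
            in_chain = cols[1] == chain
        elif in_chain and cols and cols[0].isdigit():
            total += int(cols[0])
    return total

def diagnose(fields, rules, dump, chain, observed_src):
    """Explain whether the peer should have seen a translated source address."""
    expected = expected_snat(fields, rules)
    if expected is None:
        return "no masq rule matches OUT=%s SRC=%s" % (fields.get("OUT"), fields["SRC"])
    if observed_src == expected:
        return "ok: source translated to %s" % expected
    if chain_packets(dump, chain) == 0:
        return "MISMATCH: %s should apply but chain %s saw 0 packets" % (expected, chain)
    return "MISMATCH: %s expected, peer saw %s" % (expected, observed_src)

if __name__ == "__main__":
    print(diagnose(parse_log(LOG_LINE), MASQ_RULES, NAT_DUMP, "lan0_masq", "172.31.53.5"))
```

Feed it a real `iptables -t nat -L lan0_masq -v -n` listing and the address the peer actually observed to separate "rule never written" from "rule written but no packets reach the chain".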
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
