Thank you Tom. That has cleared everything up for me.

I was "tying" the IPs to their specific interfaces, and getting bogged down in details..... or as the classic phrase goes "Step back and look at the bigger picture", which you clearly illustrated for me.

Thank you again Tom

Cheers
Adam

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Eastep
Sent: Wednesday, 9 January 2008 2:25 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Shorewall and LVS-NAT (via fwmark) nat'd machines can't access the outside world directly

Tom Eastep wrote:
> Adam Niedzwiedzki wrote:
>> Ahh ok,
>> I'm confusing myself :(
>> If I put an entry in the /etc/shorewall/nat do I have to setup
>> /etc/shorewall/masq? The machine/s behind LVS will need to connect via
>> an External IP other than the router/firewall one...
>>
>> Hence why I masq behind eth1
>>
>> Remember this machine is my router as well (eth0 has a /30 with my
>> upstream)
>> eth1 is my /25
>>
>
> If you want the hosts on eth2 to use a different external IP address,
> you put that address in the ADDRESS column of the masq file entry.
>

Your statement 'Hence why I masq behind eth1' indicates that you may not be viewing the relationship between the host, the interfaces and the addresses properly. Let's say that a Linux system has IP addresses IP1, IP2, IP3 and IP4 and that it has interfaces IF1, IF2, and IF3. The way that I mentally picture this system is like this:

                   __________
                  |   IF1    |
   _______________|__________|______________
  |                                         |
  |                                         |
  |___                                      |
  |   |   IP1                               |
  |   |   IP2                               |
  |   |   IP3                               |
  |IF2|   IP4                               |
  |   |                                     |
  |___|                                     |
  |                                         |
  |                                         |
  |_________________________________________|
                  |          |
                  |   IF3    |
                   ----------

This view emphasizes the fact that the IP addresses belong to the *host* and not to the interfaces. In the Linux default mode of operation, an ARP 'who-has' request for any of the addresses, received on any of the (ethernet) interfaces, will be responded to with the MAC address of that interface.

Each IP address is configured on an interface, but the address<->interface relationship is only really important in two cases:

a) when the system is sending a packet that doesn't have an address (the local client has bound its sending socket to the 0 address)

b) in MASQUERADE, when you are letting the system pick the source address to use for some outgoing packets.

So for traffic leaving the system on IF1, you can pick any of the IP addresses (IP1-4) as the SNAT source address, provided that responses from the target host with that destination IP address will be routed back to this system. In fact, you can use the IP address of any host accessed via IF2 or IF3 if that address meets the criteria that traffic sent to that address from the recipient will be routed back to this system.

HTH
-Tom
--
Tom Eastep                \ Nothing is foolproof to a sufficiently talented fool
Shoreline,                 \ http://shorewall.net
Washington USA             \ [EMAIL PROTECTED]
PGP Public Key             \ https://lists.shorewall.net/teastep.pgp.key
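As an added illustration of Tom's "replies must route back here" rule (example code, not from the thread or from Shorewall itself), the following models a router like Adam's: a /30 transit link on eth0, a public /25 on eth1 and RFC1918 LVS real servers on eth2. All addresses and interface names are constructed assumptions; the only page-derived detail is the Shorewall masq column layout INTERFACE / SOURCE / ADDRESS.

```python
"""Choose a valid SNAT source address for traffic leaving the upstream link.

Constructed model of the setup in the thread (addresses are assumptions):
  eth0  /30 transit link to the upstream provider
  eth1  the public /25 the provider routes to this router
  eth2  LVS real servers on private space
"""
import ipaddress

# Prefixes the upstream provider routes back to this host (constructed).
ROUTED_BACK_TO_HOST = [
    ipaddress.ip_network("198.51.100.0/30"),   # transit /30 on eth0
    ipaddress.ip_network("203.0.113.0/25"),    # public /25 behind eth1
]

# Addresses configured on this host, grouped by interface (constructed).
HOST_ADDRESSES = {
    "eth0": ["198.51.100.2"],
    "eth1": ["203.0.113.1", "203.0.113.10"],
    "eth2": ["192.168.10.1"],
}


def routed_back(addr: str) -> bool:
    """True if a reply addressed to addr by an external host reaches this router."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ROUTED_BACK_TO_HOST)


def snat_sources() -> list:
    """All host addresses usable as the SNAT source on the upstream interface.

    The interface an address is configured on is deliberately ignored: the
    address belongs to the host, and the only test is whether replies to it
    are routed back here.
    """
    candidates = [a for addrs in HOST_ADDRESSES.values() for a in addrs]
    return sorted((a for a in candidates if routed_back(a)),
                  key=ipaddress.ip_address)


def masq_entry(egress_if: str, source_net: str, snat_addr: str) -> str:
    """Build one /etc/shorewall/masq line: INTERFACE SOURCE ADDRESS."""
    if snat_addr not in snat_sources():
        raise ValueError(f"{snat_addr}: replies would not route back to this host")
    ipaddress.ip_network(source_net)  # reject a malformed SOURCE column
    return f"{egress_if}\t{source_net}\t{snat_addr}"


if __name__ == "__main__":
    # Real servers on eth2 leave via eth0 using an eth1 address as source.
    print(masq_entry("eth0", "192.168.10.0/24", "203.0.113.10"))
```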
