Ricardo Kleemann wrote:
Hi,

I'm setting up shorewall (v. 3.4.8) and have established some IPs in the
nat file.

For testing purposes only, I have my main eth0 interface for shorewall
(the "net" interface) in network 192.168.0. The dmz interface is eth2 in
network 192.168.1.

Here's a snippet of ip addr output:

3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:24:c0:02:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.200/24 brd 192.168.0.255 scope global eth0
    inet 192.168.0.199/24 brd 192.168.0.255 scope global secondary eth0:1

5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:24:c0:02:de brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth2


And I have in the nat file:
192.168.0.199        eth0:1                192.168.1.200


in the rules file I opened it up for testing:
Ping/ACCEPT    net    fw
Ping/ACCEPT    net    dmz
Ping/ACCEPT    loc    fw
Ping/ACCEPT    dmz    fw
Ping/ACCEPT    fw     dmz


And I have a test PC connected to the net interface, IP 192.168.0.104.


The routing from the fw looks correct:
# ip route
192.168.1.0/24 dev eth2  proto kernel  scope link  src 192.168.1.1
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.200
default via 192.168.0.1 dev eth0

Here's what I see:

ping fw -> dmz is ok (192.168.1.1 -> 192.168.1.200)
ping net -> fw main address is ok (192.168.0.104 -> 192.168.0.200)
ping net -> dmz FAILS (192.168.0.104 -> 192.168.0.199)

I know packets are not being dropped so it's not shorewall that's
blocking. I guess something's just not getting routed properly? If I can
go net -> fw and fw -> dmz, why is the net -> dmz failing?

What is the output of "shorewall show zones"?

-Tom
--
Tom Eastep \ The ultimate result of shielding men from the effects of folly
               \ is to fill the world with fools -- Herbert Spencer
Shoreline,      \ http://shorewall.net
Washington USA   \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
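An added example, not code from this thread or from Shorewall itself: it renders the one-to-one NAT that the nat file entry above implies as plain iptables commands (a DNAT in PREROUTING and the matching SNAT in POSTROUTING, which is the assumed equivalent of what Shorewall loads into its own chains) and checks the precondition that most often breaks a setup like this, namely that the external address is actually configured on the base device named in the entry. The nat file content and the ip addr output are constructed from the post; nothing is applied to the running system, the commands are only printed so they can be compared with iptables -t nat -L -n -v.

```shell
#!/bin/sh
# Added example (not Shorewall's code): show the iptables rules a Shorewall
# "nat" file entry implies and check that the external address is present on
# the interface it names. Assumption: Shorewall's one-to-one NAT behaves like
# a DNAT in PREROUTING plus an SNAT in POSTROUTING on the base device; the
# real ruleset lives in Shorewall-generated chains, so compare by effect.

# Constructed nat file: the entry from the post.
NAT_FILE='#EXTERNAL      INTERFACE   INTERNAL        ALL INTERFACES  LOCAL
192.168.0.199   eth0:1      192.168.1.200
'

# Constructed "ip addr" output, as in the post (eth0 carries the alias).
IP_ADDR='3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.0.200/24 brd 192.168.0.255 scope global eth0
    inet 192.168.0.199/24 brd 192.168.0.255 scope global secondary eth0:1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth2
'

# nat_rules EXTERNAL INTERFACE INTERNAL [ALL_INTERFACES]
# Prints the DNAT/SNAT pair for one nat-file line. "eth0:1" is only an
# alias label; packets are matched on the underlying device "eth0".
nat_rules() {
    ext=$1 iface=$2 int=$3 all=${4:-No}
    dev=${iface%%:*}
    in_if="-i $dev" out_if="-o $dev"
    case $all in
        [Yy]*) in_if= out_if= ;;   # ALL INTERFACES=Yes: no interface match
    esac
    echo "iptables -t nat -A PREROUTING $in_if -d $ext -j DNAT --to-destination $int" | tr -s ' '
    echo "iptables -t nat -A POSTROUTING $out_if -s $int -j SNAT --to-source $ext" | tr -s ' '
}

# render_nat_file CONTENT
# Skips comment and blank lines, emits the rule pair for every entry.
render_nat_file() {
    printf '%s\n' "$1" | while read -r ext iface int all _rest; do
        case $ext in ''|\#*) continue ;; esac
        nat_rules "$ext" "$iface" "$int" "$all"
    done
}

# addr_on_dev IP_ADDR_OUTPUT ADDRESS DEVICE
# Succeeds if ADDRESS is configured on DEVICE. Alias labels (eth0:1) count,
# because the kernel answers ARP for them on the base device.
addr_on_dev() {
    printf '%s\n' "$1" | awk -v a="$2" -v d="$3" '
        /^[0-9]+: / { dev = $2; sub(/:$/, "", dev) }
        $1 == "inet" && dev == d { split($2, p, "/"); if (p[1] == a) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_entry IP_ADDR_OUTPUT EXTERNAL INTERFACE
# If the external address is not on the base device, nothing on that segment
# answers ARP for it and the packets never reach the firewall at all.
check_entry() {
    dev=${3%%:*}
    if addr_on_dev "$1" "$2" "$dev"; then
        echo "ok: $2 is configured on $dev"
    else
        echo "MISSING: $2 is not configured on $dev (ip addr add it, or let Shorewall add the alias)"
        return 1
    fi
}

render_nat_file "$NAT_FILE"
check_entry "$IP_ADDR" 192.168.0.199 eth0:1
echo "also confirm forwarding is enabled: sysctl net.ipv4.ip_forward (expect 1)"
```

The forwarding check is left as a printed reminder because it only makes sense on the firewall itself; the two functions that take their input as arguments can be run anywhere, including against ip addr output pasted from a mail like this one.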

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users