Michael Weickel - iQom Business Services GmbH wrote:

> I will make an example for DNS. It runs public on 81.209.168.100 and RFC1918
> on 10.10.10.85. I try to access 81.209.168.100 on port 53 from v516 machine
> 10.100.198.1 and the only result I see is this
> 
> ping www.google.de source fastethernet 0 (where fe0 is 10.100.198.1)
> 
> tcpdump -i vlan516 host 10.100.198.1
> 00:06:03.180204 IP 10.100.198.1.52928 > 81.209.168.100.domain: 17+ A? www.google.de. (31)
> 

Okay -- I'm assuming that this is an incoming DNS packet on vlan516
addressed to 81.209.168.100? Because if it were an outgoing packet, it
would have been SNATed to 172.20.20.5.

Chain vlan516_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       172.20.20.0/24       0.0.0.0/0           policy match dir out pol none to:172.20.20.5
    0     0 SNAT       all  --  *      *       10.100.198.0/24      0.0.0.0/0           policy match dir out pol none to:172.20.20.5

So I'm already lost as to why you would see this packet on this interface.

There don't seem to be any DNAT rules for traffic arriving on vlan516 so
the packet remains unmodified. It hits this routing rule:

32722:  from all iif vlan516 lookup iqom_test_dns

That routing table contains:

10.100.198.0/24 via 172.20.20.2 dev vlan516
default via 217.199.198.153 dev vlan3006

So it is shipped off to 217.199.198.153 through vlan3006 where it is
masqueraded.

> First of all I tried without using Shorewall FAQ 2b and the result is
> exactly as tcpdumped above.

I saw no sign of FAQ 2b's solution in that example. I must be missing
something, but then your routing configuration is so complex that it
would take a week to understand fully (and I'm not going to spend a week
on this...).

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


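The lookup Tom walks through above (rule 32722 selects table iqom_test_dns by incoming interface, the table is searched by longest prefix, and the vlan516_masq chain only rewrites packets that actually leave through vlan516) can be replayed offline. The script below is an added example, not Shorewall code and not anything from the thread; it constructs the rule, the iqom_test_dns table and the vlan516_masq chain from the values quoted in the mail. The contents of the main table and the fact that only the iif selector is modelled are assumptions; the masquerading on vlan3006 that Tom mentions is not on the page and is deliberately left out, which is why the DNS query exits with its original source here.

```python
"""Offline replay of the policy-routing decision discussed in the thread.

Added example: rule list, table and SNAT chain are constructed from the
values quoted in the mail; nothing here is Shorewall's own code.
"""
import ipaddress

# Constructed from the mail: the quoted `ip rule` entry plus the implicit
# main-table fallback at priority 32766.  Only the iif selector is modelled
# because that is the only selector in the quoted rule (assumption).
RULES = [
    {"prio": 32722, "iif": "vlan516", "table": "iqom_test_dns"},
    {"prio": 32766, "iif": None, "table": "main"},
]

# Routing tables as (prefix, gateway, device).  iqom_test_dns is copied from
# the mail; the main table is an assumption (connected routes only).
TABLES = {
    "iqom_test_dns": [
        ("10.100.198.0/24", "172.20.20.2", "vlan516"),
        ("0.0.0.0/0", "217.199.198.153", "vlan3006"),
    ],
    "main": [
        ("172.20.20.0/24", None, "vlan516"),       # assumed connected route
        ("217.199.198.152/29", None, "vlan3006"),  # assumed connected route
    ],
}

# POSTROUTING SNAT from the quoted vlan516_masq chain, keyed by the interface
# the packet leaves through.  Whatever masquerades vlan3006 is not on the page.
MASQ = {
    "vlan516": [
        ("172.20.20.0/24", "172.20.20.5"),
        ("10.100.198.0/24", "172.20.20.5"),
    ],
}


def select_table(iif):
    """Rules are tried in priority order; the first matching selector wins."""
    for rule in sorted(RULES, key=lambda r: r["prio"]):
        if rule["iif"] is None or rule["iif"] == iif:
            return rule["table"]
    raise LookupError("no rule matched")


def lookup(table, dst):
    """Longest-prefix match inside one table, the way the kernel FIB does it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        raise LookupError(f"{dst} is unreachable in table {table}")
    return str(best[0]), best[1], best[2]


def route(dst, iif):
    """Forwarding decision for a packet arriving on iif: rule -> table -> route."""
    table = select_table(iif)
    prefix, gw, dev = lookup(table, dst)
    return {"table": table, "prefix": prefix, "gateway": gw, "dev": dev}


def snat_source(src, out_dev):
    """Source address after POSTROUTING, unchanged when no SNAT rule matches."""
    addr = ipaddress.ip_address(src)
    for net, to in MASQ.get(out_dev, []):
        if addr in ipaddress.ip_network(net):
            return to
    return src


def trace(src, dst, iif):
    """Where one forwarded packet exits and with which source address."""
    r = route(dst, iif)
    return {**r, "src_after_snat": snat_source(src, r["dev"])}


if __name__ == "__main__":
    # The DNS query from the tcpdump: longest match is the default route,
    # so it leaves via vlan3006 and vlan516_masq never sees it.
    print(trace("10.100.198.1", "81.209.168.100", "vlan516"))
    # A packet for 10.100.198.0/24 arriving on vlan516 takes the /24 instead
    # and, leaving through vlan516, is SNATed to 172.20.20.5 as Tom says.
    print(trace("172.20.20.9", "10.100.198.50", "vlan516"))
```

On the live box the same question goes straight to the kernel with `ip route get 81.209.168.100 from 10.100.198.1 iif vlan516`, and `iptables -t nat -L vlan516_masq -v -n` shows whether the SNAT counters moved; the simulation is only useful for reasoning about why the two answers disagree.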
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
