On Fri, 25 Feb 2011, Tom Eastep wrote:
>>> Apparently you have since it doesn't work. But until you show us what
>>> you have done, we can't tell you what you are missing.
>>>
>>> Things to check:
>>>
>>> a) That you have set 'routeback' on the internal firewall interface.
>>> b) That you have added a hairpin DNAT rule.
>>> c) That you have added a hairpin SNAT entry in /etc/shorewall/masq
>>> d) That all of the addresses in the entries are correct.
>>
>> I think address are correct because it is all working fine a part the
>> "routeback".
>>
>> I have (actually, done some tests ...):
>>
>> #/etc/shorewall/interfaces
>> net vmbr0 detect dhcp,tcpflags,logmartians,nosmurfs
>> dmz vmbr8 detect tcpflags,nosmurfs,routefilter,routeback
>> dmz vmbr9 detect tcpflags,nosmurfs,routefilter,routeback
>> dmz vmbr10 detect tcpflags,nosmurfs,routefilter,routeback
>> loc vmtab+ detect tcpflags,nosmurfs,routefilter
>> loc vmbr2 detect tcpflags,nosmurfs,routefilter
>> dmz tap+ detect tcpflags,nosmurfs,routefilter
>>
>> #/etc/shorewall/masq
>>
>> vmbr0 vmbr9 1.2.3.109
>> vmbr0 vmbr10 1.2.3.110
>> vmbr0 vmbr8 1.2.3.108
>
> Please get rid of the interface names in the SOURCE column. You must be
> running some ancient version of Shorewall that doesn't issue a warning
> for that archaic usage.
I simply ignore the warning ... :-)
Ok, Changed in:
vmbr0 192.168.109.0/24 1.2.3.109
vmbr0 192.168.110.0/24 1.2.3.110
vmbr0 192.168.108.0/24 1.2.3.108
vmbr9 192.168.109.0/24 1.2.3.109 <<< NEW Attempt
> And I don't see any SNAT rule for dmz->dmz traffic.
I don't understand a logic for a correct syntax
Can please, give an example?
>> #/etc/shorewall/policy
>> $FW net ACCEPT
>> loc net ACCEPT
>> loc $FW ACCEPT
>> dmz net ACCEPT
>> ###dmz $FW ACCEPT
>> ###dmz dmz ACCEPT
>> net all DROP info
>> # The FOLLOWING POLICY MUST BE LAST
>> all all REJECT info
>>
>> #/etc/shorewall/rules
>> DNAT net dmz:192.168.109.9 tcp 20,21,80,443 - 1.2.3.109
>> DNAT net dmz:192.168.110.10 tcp 20,21,80,443 - 1.2.3.110
>> DNAT net dmz:192.168.108.8 tcp 20,21,80,443 - 1.2.3.108
>
> I see no dmz->dmz DNAT rules there.
Added:
DNAT dmz dmz:192.168.109.9 tcp 20,21,80,443 - 1.2.3.109
>>
>>
>>
>
> That is because you only have 1 out of the three things needed for
> hairpinning from dmz->dmz. You have 'routeback' but no applicable SNAT
> or DNAT rules.
Adding:
vmbr9 192.168.109.0/24 1.2.3.109
to /masq and:
DNAT dmz dmz:192.168.109.9 tcp 20,21,80,443 - 1.2.3.109
to /rules seems solve the problem.
But I reach this result by attpmts, not following a logical path (in my
mind that have limited understanding of [SD]NAT & c.
Is this conf correct?
Can I extend to the other servers or am I solving a problem and generating
many others?
Thank,
Paolo
------------------------------------------------------------------------------
Free Software Download: Index, Search & Analyze Logs and other IT data in
Real-Time with Splunk. Collect, index and harness all the fast moving IT data
generated by your applications, servers and devices whether physical, virtual
or in the cloud. Deliver compliance at lower cost and gain new business
insights. http://p.sf.net/sfu/splunk-dev2dev
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
