On Tue, Mar 8, 2011 at 3:49 PM, Tom Eastep <[email protected]> wrote:
> On 3/8/11 3:24 PM, Gianluca Varenni wrote:
> >
> > On Tue, Mar 8, 2011 at 3:12 PM, Tom Eastep <[email protected]> wrote:
> >
> >     PLEASE STOP TOP-POSTING!
> >
> >     On 3/8/11 2:03 PM, Gianluca Varenni wrote:
> >     > I tried adding eth0 to the local zone and the following masq file:
> >     >
> >     > #INTERFACE          SUBNET            ADDRESS            PROTO   PORT(S)   IPSEC
> >     > eth0:10.0.0.0/8     192.168.77.0/24   10.17.48.2
> >     > eth2                192.168.77.0/24   173.166.226.234
> >     >
> >     > but it didn't work. I was trying to ping from 192.168.77.110 to 10.17.48.1,
> >     > and what I was seeing on eth0 was non-masqueraded packets.
> >     >
> >
> >     Then there is something in your configuration that you are not telling us.
> >
> >     > Could it be because I'm trying to SNAT between two RFC1918 networks?
> >
> >     No. Please include the output of 'shorewall dump' collected as described
> >     at http://www.shorewall.net/support.htm#Guidelines.
> >
> > Attached.
>
> Here is a connection that is properly natted:
>
> tcp      6 190420 ESTABLISHED src=192.168.77.150 dst=10.38.10.1 sport=52923 dport=22 packets=20 bytes=2646 src=10.38.10.1 dst=10.17.48.2 sport=22 dport=52923 packets=28 bytes=4324 [ASSURED] mark=2 use=1
>
> So the rule *is* working.
>
> Here is a conntrack entry for an un-replied ping:
>
> icmp     1 26 src=192.168.77.150 dst=10.17.48.1 type=8 code=0 id=1 packets=613 bytes=36780 [UNREPLIED] src=10.17.48.1 dst=192.168.77.150 type=0 code=0 id=1 packets=0 bytes=0 mark=0 use=1
>
> But note this:
>
> Chain POSTROUTING (policy ACCEPT 340 packets, 22236 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   632 47883 eth2_masq  0    --  *      eth2    0.0.0.0/0            0.0.0.0/0
>     0     0 eth0_masq  0    --  *      eth0    0.0.0.0/0            0.0.0.0/0
>
> So no new NAT requests were processed after you restarted/reset Shorewall. So that entry is left over from before.
> Please wait until 'shorewall show connections | grep ^icmp' returns nothing and then try to ping again; does it work then?

It works only partially. I can now ping 10.17.48.1 (or any host on the 10.17.48.0/23 LAN), but I cannot ping any other host in 10.0.0.0/8. If the IP destination is not in 10.17.48.0/23, it gets sent out masqueraded on eth2 (i.e. the WAN interface).

shorewall dump attached.

Thanks
GV

> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
dump_20110308_1823.gz
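The diagnosis in the quoted reply rests on reading two things out of 'shorewall dump': whether a conntrack entry's reply tuple points at the SNAT address (10.17.48.2) or at the client's real address (192.168.77.150), and whether the per-interface masq chain in POSTROUTING has any packet hits at all. The following is an added example, not code from the thread or from Shorewall, that automates that reading. The two conntrack lines and the POSTROUTING listing are the ones quoted above, embedded as sample input; the function and variable names are mine, and the parser assumes the iptables-style chain listing format (pkts, bytes, target, ...) that the dump shows.

```python
"""Pick apart conntrack entries and POSTROUTING counters the way the
reply above does.  Added example; names below are not Shorewall's."""
import re

# Sample input: the two conntrack entries quoted in the thread.
CONNTRACK_SAMPLE = """\
tcp      6 190420 ESTABLISHED src=192.168.77.150 dst=10.38.10.1 sport=52923 dport=22 packets=20 bytes=2646 src=10.38.10.1 dst=10.17.48.2 sport=22 dport=52923 packets=28 bytes=4324 [ASSURED] mark=2 use=1
icmp     1 26 src=192.168.77.150 dst=10.17.48.1 type=8 code=0 id=1 packets=613 bytes=36780 [UNREPLIED] src=10.17.48.1 dst=192.168.77.150 type=0 code=0 id=1 packets=0 bytes=0 mark=0 use=1
"""

# Sample input: the POSTROUTING chain listing quoted in the thread.
POSTROUTING_SAMPLE = """\
Chain POSTROUTING (policy ACCEPT 340 packets, 22236 bytes)
 pkts bytes target     prot opt in     out     source               destination
  632 47883 eth2_masq  0    --  *      eth2    0.0.0.0/0            0.0.0.0/0
    0     0 eth0_masq  0    --  *      eth0    0.0.0.0/0            0.0.0.0/0
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_conntrack_line(line):
    """Split one conntrack entry into its original and reply tuples.

    The original tuple is what the client sent.  The reply tuple is the
    direction the kernel expects answers from: after SNAT its dst is the
    NAT address, otherwise it is the client's own address.  Comparing the
    two is how the reply above tells a "properly natted" entry from one
    that was never translated.
    """
    fields = line.split()
    proto = fields[0]
    # The second 'src=' field starts the reply tuple.
    starts = [i for i, f in enumerate(fields) if f.startswith("src=")]
    orig = dict(KV.findall(" ".join(fields[starts[0]:starts[1]])))
    reply = dict(KV.findall(" ".join(fields[starts[1]:])))
    flags = [f for f in fields if f.startswith("[") and f.endswith("]")]
    return {
        "proto": proto,
        "orig": orig,
        "reply": reply,
        "flags": flags,
        "snat": orig["src"] != reply["dst"],
        "unreplied": "[UNREPLIED]" in flags,
    }


def parse_postrouting(text):
    """Return {target: (pkts, bytes)} for every rule line of a chain listing."""
    hits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            hits[parts[2]] = (int(parts[0]), int(parts[1]))
    return hits


def diagnose(conntrack_text, postrouting_text):
    """Combine both views into the checks made in the thread:
    which entries were SNATed, which stale un-replied entries were not,
    and which *_masq chains have seen no packets at all."""
    entries = [parse_conntrack_line(l) for l in conntrack_text.splitlines() if l.strip()]
    hits = parse_postrouting(postrouting_text)
    return {
        "natted": [e for e in entries if e["snat"]],
        "not_natted": [e for e in entries if not e["snat"]],
        "stale_unreplied": [e for e in entries if e["unreplied"] and not e["snat"]],
        "idle_masq_chains": sorted(
            t for t, (pkts, _) in hits.items() if t.endswith("_masq") and pkts == 0
        ),
    }


if __name__ == "__main__":
    report = diagnose(CONNTRACK_SAMPLE, POSTROUTING_SAMPLE)
    for e in report["natted"]:
        print("SNATed:   ", e["proto"], e["orig"]["src"], "->", e["orig"]["dst"],
              "appears as", e["reply"]["dst"])
    for e in report["stale_unreplied"]:
        print("stale, not SNATed:", e["proto"], e["orig"]["src"], "->", e["orig"]["dst"])
    print("masq chains with zero hits:", report["idle_masq_chains"])
```

On the sample data this reports the tcp entry as SNATed to 10.17.48.2, the icmp entry as a stale un-translated [UNREPLIED] entry, and eth0_masq as the chain with zero hits. One general netfilter point worth keeping in mind when reading the idle-chain result: the routing decision happens before POSTROUTING, so a masq rule scoped to eth0 can only ever match packets that the routing table already sends out eth0; a zero counter on eth0_masq does not by itself say whether the rule or the route is at fault.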
------------------------------------------------------------------------------ Colocation vs. Managed Hosting A question and answer guide to determining the best fit for your organization - today and in the future. http://p.sf.net/sfu/internap-sfd2d
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
