On Tue, Mar 8, 2011 at 6:24 PM, Gianluca Varenni <[email protected]> wrote:
>
>
> On Tue, Mar 8, 2011 at 3:49 PM, Tom Eastep <[email protected]> wrote:
>
>> On 3/8/11 3:24 PM, Gianluca Varenni wrote:
>> >
>> >
>> > On Tue, Mar 8, 2011 at 3:12 PM, Tom Eastep <[email protected]> wrote:
>> >
>> >
>> > PLEASE STOP TOP-POSTING!
>> >
>> >
>> > On 3/8/11 2:03 PM, Gianluca Varenni wrote:
>> > > I tried adding eth0 to the local zone and the following masq file:
>> > >
>> > > #INTERFACE        SUBNET           ADDRESS          PROTO  PORT(S)  IPSEC
>> > > eth0:10.0.0.0/8   192.168.77.0/24  10.17.48.2
>> > > eth2              192.168.77.0/24  173.166.226.234
>> > >
>> > > but it didn't work. I was trying to ping from 192.168.77.110 to 10.17.48.1,
>> > > and what I was seeing on eth0 was non-masqueraded packets.
>> > >
>> >
>> > Then there is something in your configuration that you are not
>> > telling us.
>> >
>> > > Could it be because I'm trying to SNAT between two RFC1918
>> networks?
>> >
>> > No. Please include the output of 'shorewall dump' collected as
>> described
>> > at http://www.shorewall.net/support.htm#Guidelines.
>> >
>> >
>> > Attached.
>> >
>>
>> Here is a connection that is properly natted:
>>
>> tcp 6 190420 ESTABLISHED src=192.168.77.150 dst=10.38.10.1
>> sport=52923 dport=22 packets=20 bytes=2646 src=10.38.10.1 dst=10.17.48.2
>> sport=22 dport=52923 packets=28 bytes=4324 [ASSURED] mark=2 use=1
>>
>> So the rule *is* working.
>>
>> Here is a conntrack entry for an un-replied ping:
>>
>>
>> icmp 1 26 src=192.168.77.150 dst=10.17.48.1 type=8 code=0 id=1
>> packets=613 bytes=36780 [UNREPLIED] src=10.17.48.1 dst=192.168.77.150
>> type=0 code=0 id=1 packets=0 bytes=0 mark=0 use=1
>>
>> But note this:
>>
>> Chain POSTROUTING (policy ACCEPT 340 packets, 22236 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>   632 47883 eth2_masq  0    --  *      eth2    0.0.0.0/0            0.0.0.0/0
>>     0     0 eth0_masq  0    --  *      eth0    0.0.0.0/0            0.0.0.0/0
>>
>> So no new NAT requests were processed after you restarted/reset
>> Shorewall. So that entry is left over from before.
>>
>> Please wait until 'shorewall show connections | grep ^icmp' returns
>> nothing and then try to ping again; does it work then?
>>
>
> It works only partially. I can now ping 10.17.48.1 (or any host on the
> 10.17.48.0/23 LAN), but I cannot ping any other host in 10.0.0.0/8. If the IP
> destination is not in 10.17.48.0/23, it gets sent out masqueraded on eth2
> (i.e. the WAN interface). shorewall dump attached.
>
>
An update to this. Everything works if I add a static route with
route add -net 10.0.0.0/8 gw 10.17.48.1 dev eth0
Is it normal that I need to add a static route outside of the shorewall
configuration files?
Thanks
GV
> Thanks
> GV
>
>
>> -Tom
>> --
>> Tom Eastep \ When I die, I want to go like my Grandfather who
>> Shoreline, \ died peacefully in his sleep. Not screaming like
>> Washington, USA \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Colocation vs. Managed Hosting
>> A question and answer guide to determining the best fit
>> for your organization - today and in the future.
>> http://p.sf.net/sfu/internap-sfd2d
>>
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>
>>
>
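The routing behaviour behind Tom's zero counter on eth0_masq and Gianluca's static-route fix, as an added Python example (not code from the thread or from Shorewall): POSTROUTING runs after the routing decision, so the eth0 masq entry can only match traffic the kernel already sends out eth0. The masq entries and the eth0/eth2 addresses are from the thread; the LAN interface name eth1, the default route via eth2 and the 192.168.77.150 source host are assumptions.

```python
"""Longest-prefix-match routing walk showing why 10.0.0.0/8 traffic was
masqueraded on eth2 until a 10.0.0.0/8 route via eth0 existed.
Added example; addresses taken from the thread, interface eth1 assumed."""
import ipaddress

# Shorewall masq entries from the thread:
# (out interface, destination restriction, source subnet, SNAT address)
MASQ = [
    ("eth0", ipaddress.ip_network("10.0.0.0/8"),
     ipaddress.ip_network("192.168.77.0/24"), "10.17.48.2"),
    ("eth2", ipaddress.ip_network("0.0.0.0/0"),
     ipaddress.ip_network("192.168.77.0/24"), "173.166.226.234"),
]

# Kernel routing table as (prefix, out interface). Connected routes plus an
# assumed default via the WAN interface eth2; eth1 as LAN name is assumed.
ROUTES_BEFORE = [
    (ipaddress.ip_network("10.17.48.0/23"), "eth0"),
    (ipaddress.ip_network("192.168.77.0/24"), "eth1"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth2"),
]
# The route added with: route add -net 10.0.0.0/8 gw 10.17.48.1 dev eth0
ROUTES_AFTER = ROUTES_BEFORE + [(ipaddress.ip_network("10.0.0.0/8"), "eth0")]


def egress_interface(dst, routes):
    """Longest-prefix match: the most specific route containing dst wins."""
    d = ipaddress.ip_address(dst)
    best = max((r for r in routes if d in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def snat_for(src, dst, routes):
    """Return (egress interface, SNAT address or None). Only the masq entry
    bound to the egress interface is consulted, mirroring POSTROUTING."""
    out = egress_interface(dst, routes)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for iface, dst_net, src_net, addr in MASQ:
        if iface == out and d in dst_net and s in src_net:
            return out, addr
    return out, None


if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        for dst in ("10.17.48.1", "10.38.10.1"):
            print(label, dst, snat_for("192.168.77.150", dst, routes))
```

Running it prints the eth2 WAN address for 10.38.10.1 before the route exists and 10.17.48.2 afterwards, which is exactly the counter pattern in the dump.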