On 9/13/2014 5:20 AM, Paolo Nesti Poggi wrote:
> On 08-09-2014 10:33, Paolo Nesti Poggi wrote:
>> On 08-09-2014 01:24, Tom Eastep wrote:
>>> On 9/5/2014 3:29 AM, Paolo Nesti Poggi wrote:
>>>> Hi
>>>> We use a shorewall 4.4.11.6, with a 3 NIC setup (net - dmz - localnet) that has been working flawlessly for years.
>>>> Now we have changed broadband provider and with it we've got new IP addresses.
>>>> I've reconfigured shorewall with the new addresses and since then we no longer have functioning DNAT for boxes that are forwarded from IP different from the main IP address.
>>>>
>>>> As far as I could see, for doing the provider change we only needed to edit the params (params for main IP and extra IPs) and masq file (main IP), apart from of course /etc/network/interfaces and /etc/dhcp/dhcpd.conf
>>>>
>>>> Having done those changes everything works OK, even DNAT from the main IP to boxes on DMZ or localnet, whilst the DNAT rules for boxes forwarded to from other IPs in the address range are not working at all (ssh: connect to host 89.233.14.37 port 22: Connection timed out)
>>>>
>>>> I hope you can help me find a way to further troubleshoot this.
>>>>
>>>> I've re-read the section regarding the 3-interface setup:
>>>> http://shorewall.net/three-interface.htm
>>>> and the DNAT troubleshooting http://shorewall.net/FAQ.htm#faq1a and #faq1b
>>>>
>>>> The routes I'm troubleshooting all show 0 packets in the output of 'shorewall show nat', however the ISP ensures me that they are not dropping anything (this is a 200Mb/sec symmetric connection).
>>>>
>>>> The output of 'shorewall show nat' for one of the hosts in question is:
>>>> 0 0 DNAT tcp -- * * 0.0.0.0/0 89.233.14.37 multiport dports 22,80,443,3690,8000,5001,3306 to:192.168.37.37
>>>> 0 0 DNAT udp -- * * 0.0.0.0/0 89.233.14.37 multiport dports 5001,22,3306 to:192.168.37.37
>>>>
>>>> where doing 'ssh 89.233.14.37' from a host outside of this network should connect me to my box on 192.168.37.37 in the local network.
>>>> If I set up a Windows PC with static address 89.233.14.37 and connect it to the switch of my provider I can ping it from outside, but if I try and connect to my box on 192.168.37.37 I only get "Connection timed out"
>>>>
>>>> Do you have any idea of what might be going wrong and/or how I can move forward in troubleshooting this issue?
>>>>
>>> Have you confirmed with tcpdump that the tcp port 22 are even reaching the firewall and that they have the correct L2 destination address?
>>>
>>>
>> The only thing I have from tcpdump reg. these addresses when I try and ssh to them are ARP messages like this:
>>
>> 14:29:55.386918 ARP, Request who-has 89.233.14.37 tell 89.233.14.33, length 46
>>
>> About the gateway (89.233.14.33), I was reading about http://shorewall.net/shorewall_setup_guide.htm#Options and I get now that probably the decisive difference between the old set up and the new one (apart from the single addresses) is that previously we had a non-routed setup, because the addresses were in two different segments, while we now have a whole subnet (89.233.14.32/28), therefore we need to change /etc/network/interfaces accordingly.
>>
>> If this is correct am I right in understanding that the section:
>> "*Routed* - Traffic to any of your addresses will be routed through a single gateway address. This will generally only be done if your ISP has assigned you a complete subnet (/29 or larger). In this case, you will assign the gateway address as the IP address of your firewall/router's external interface."
>>
>> Means that '/etc/network/interfaces' should be:
>>
>> address 89.233.14.33
>> network 89.233.14.32/28
>> broadcast 89.233.14.47
>> netmask 255.255.255.240
>> gateway 89.233.14.33
>>
>> and not
>>
>> address 89.233.14.34
>> network 89.233.14.32/28
>> broadcast 89.233.14.47
>> netmask 255.255.255.240
>> gateway 89.233.14.33
>>
>> as we have now?
>
> Hi again,
> Hope to get some feedback about some more findings. I also hope not to offend anybody reporting about some obviously wrong trials.
> I'm trying at least to rule out options.
>
> 1. I have tried out configuring the IP address as I had understood the section mentioned above ("routed" setup), hence with /etc/network/interfaces like:
>
> iface eth0 inet static
> address 89.233.14.33
> network 89.233.14.32/28
> netmask 255.255.255.240
> broadcast 89.233.14.47
> gateway 89.233.14.33
>
> Accordingly I also changed the masq file to have 89.233.14.33 as external address.
>
> This did not work at all. No connection from local to internet not to mention the other way around.
> A tcpdump shows Wireshark complaining about:
> "Expert Info (Warn/Sequence): Duplicate IP address configured (89.233.14.33)"
>
> Which of course is exactly what I did, I gave our NIC an IP address that our provider has already given to their device (the gateway).
>
> It could be interesting to know what/how I did misunderstand the text "*Routed* - Traffic to any of your addresses will be routed ..." cited above from the documentation.
>
> 2. Tcpdumps of what exactly happens with the current (kind of) working configuration.
>
> This has /etc/network/interfaces like:
> iface eth0 inet static
> address 89.233.14.34
> network 89.233.14.32/28
> broadcast 89.233.14.47
> netmask 255.255.255.240
> gateway 89.233.14.33
>
> In this case everything works as it used to regarding forwarding of IP 89.233.14.34 to addresses on the DMZ (e.g. 89.233.14.34 to 192.168.201.12), but when I try and connect from outside to other IPs that should be forwarded to hosts on the local net, as 89.233.14.37 to 192.168.37.37 or even port 22 for 89.233.14.40 to the same DMZ host 192.168.201.12, what happens is that no ARP answer is sent back from eth0 to the gateway to begin with, hence no packets ever arrive to eth0.
>
> An image of wireshark with arp filter on a tcpdump file is attached, showing a series of ARP requests from the gateway and no answer, apart from when the request is about the 89.233.14.34 address.
>
You need to configure 'virtual' interfaces. Here's a snippet from my
/etc/network/interfaces file:
#
# Comcast Business Class
#
auto eth1 eth1:1 eth1:2
iface eth1 inet static
address 70.90.191.121
netmask 255.255.255.248
network 70.90.191.120
broadcast 70.90.191.127
iface eth1:1 inet static
address 70.90.191.122
netmask 255.255.255.248
network 70.90.191.120
broadcast 70.90.191.127
iface eth1:2 inet static
address 70.90.191.123
netmask 255.255.255.248
network 70.90.191.120
broadcast 70.90.191.127
The primary IP address is 70.90.191.121 and I've configured two more
addresses from my 70.90.191.120/29 assigned subnet (the other two are
assigned to servers in my DMZ).
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
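Tom's point is that the firewall only answers the gateway's ARP requests for addresses it actually owns, so every public address that a DNAT rule forwards from has to be configured on the external interface (as an alias in the style of his snippet), while the ISP's gateway address itself must never be assigned to the firewall. The script below is an added example written for this thread, not code from the thread or from the Shorewall project. It generates ifupdown alias stanzas for a list of extra addresses in an assigned subnet, rejects the gateway, network and broadcast addresses, and cross-checks a Shorewall rules file so that every ORIGDEST address used by a DNAT rule is one the firewall has configured. The subnet, gateway and host addresses follow the thread; the rules lines are constructed samples in the Shorewall rules-file column layout (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST).

```python
"""Generate ifupdown alias stanzas for extra public addresses and verify that
every DNAT ORIGDEST address is actually configured on the firewall."""
import ipaddress
import re

# Constructed sample values, following the addresses discussed in the thread.
ISP_SUBNET = "89.233.14.32/28"
GATEWAY = "89.233.14.33"      # the ISP's router: must NOT be assigned to eth0
PRIMARY = "89.233.14.34"      # the firewall's main external address
EXTRA = ["89.233.14.37", "89.233.14.40"]

# Constructed Shorewall rules lines (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST).
SAMPLE_RULES = """\
#ACTION SOURCE DEST               PROTO DPORT                           SPORT ORIGDEST
DNAT    net    dmz:192.168.201.12 tcp   80,443                          -     89.233.14.34
DNAT    net    loc:192.168.37.37  tcp   22,80,443,3690,8000,5001,3306   -     89.233.14.37
DNAT    net    loc:192.168.37.37  udp   5001,22,3306                    -     89.233.14.37
DNAT    net    dmz:192.168.201.12 tcp   22                              -     89.233.14.40
"""


def alias_stanzas(iface, primary, extras, subnet, gateway):
    """Return /etc/network/interfaces text: one stanza for the primary address
    and one iface:N alias stanza per extra address, all in the ISP subnet."""
    net = ipaddress.ip_network(subnet, strict=True)
    gw = ipaddress.ip_address(gateway)
    addrs = [ipaddress.ip_address(a) for a in [primary] + list(extras)]
    for a in addrs:
        if a not in net:
            raise ValueError(f"{a} is outside {net}")
        if a == gw:
            # Assigning the ISP gateway to the NIC produces the 'Duplicate IP
            # address configured' condition seen in the thread.
            raise ValueError(f"{a} is the ISP gateway and cannot be assigned here")
        if a in (net.network_address, net.broadcast_address):
            raise ValueError(f"{a} is the network or broadcast address")
    names = [iface] + [f"{iface}:{i}" for i in range(1, len(extras) + 1)]
    out = ["auto " + " ".join(names)]
    for i, (name, addr) in enumerate(zip(names, addrs)):
        out.append(f"iface {name} inet static")
        out.append(f"    address {addr}")
        out.append(f"    netmask {net.netmask}")
        out.append(f"    network {net.network_address}")
        out.append(f"    broadcast {net.broadcast_address}")
        if i == 0:
            # The default route belongs on the primary stanza only.
            out.append(f"    gateway {gw}")
    return "\n".join(out) + "\n"


def configured_addresses(interfaces_text):
    """Set of addresses assigned by 'address' lines in an interfaces file."""
    return {m.group(1) for m in re.finditer(r"^\s*address\s+(\S+)", interfaces_text, re.M)}


def unconfigured_dnat_targets(rules_text, configured):
    """ORIGDEST addresses used by DNAT rules that the firewall has no address for.
    Each such address will never get an ARP reply from the firewall."""
    missing = []
    for line in rules_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or not fields[0].startswith("DNAT"):
            continue
        if len(fields) < 7 or fields[6] == "-":
            continue
        for dest in fields[6].split(","):
            if dest not in configured and dest not in missing:
                missing.append(dest)
    return missing


if __name__ == "__main__":
    stanzas = alias_stanzas("eth0", PRIMARY, EXTRA, ISP_SUBNET, GATEWAY)
    print(stanzas)
    print("DNAT addresses not configured:",
          unconfigured_dnat_targets(SAMPLE_RULES, configured_addresses(stanzas)))
```

Run against a configuration with only the primary address, the check reports 89.233.14.37 and 89.233.14.40 as unconfigured, which matches the capture in the thread: ARP requests for those two addresses go unanswered. On a live box the same comparison is `ip addr show eth0` against the ORIGDEST column of /etc/shorewall/rules.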
