Hi there, I'm having a configuration issue when trying to DNAT over a multi-NIC setup:

I'm using debian8/jessie with shorewall 4.6.4.3 from packages. The shorewall instance is connected to 4 interfaces with 3 zones:

- eth0: net
- eth1: net
- eth2: hard
- eth3: prod

Yes, the first two interfaces are on the same network with different IPs (eth0: 10.31.0.101/24, eth1: 10.31.0.102/24, gateway: 10.31.0.254). For testing purposes these IP addresses are static, but in the real world they will be DHCP-assigned.

Goal is to DNAT incoming requests (and filter/drop others):

- from net to ip101:443 to prod:172.31.1.31
- from net to ip101:22 to prod:172.31.1.230
- from net to ip102:443 to prod:172.31.1.61
- from net to ip102:2222 to prod:172.31.1.61

All traffic from prod zone must go from eth0 to net zone.

I've set up some rt_tables and ip rules, and ping is working fine (with or without shorewall):

- from net to ip101: icmp traffic seen on eth0
- from net to ip102: icmp traffic seen on eth1
- from ip101 (ping -I eth0 or ping without -I switch): icmp traffic seen on eth0
- from ip102 (ping -I eth1): icmp traffic seen on eth1

I can have DNAT working for ip101 OR ip102 but not for both. I see martian source kernel errors for the non-working DNAT rule:

    IPv4: martian source 172.31.1.31 from 10.31.0.254, on dev eth0

I've attached a dump of my current setup, one working for ip102 but throwing martian source for requests on ip101.

I've been struggling with this setup and cannot achieve what I want; can someone point me to the mistake I've made?

Regards,
Vincent
Attachment: shorewall_ok_ip102.dump (binary data)
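As an added diagnostic example (not from the post or from Shorewall), the script below parses kernel "martian source" messages like the one quoted above and labels each one. Note that the kernel prints the destination address first and the failing source address second ("martian source <dst> from <src>, on dev <if>"), so the quoted line is a packet from the gateway 10.31.0.254 to the DNAT target 172.31.1.31 that failed the reverse-path check on eth0. The interface-to-zone mapping and the zone prefixes are assumed from the post; the sample log lines are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Kernel format (net/ipv4/route.c): the first address is the DESTINATION,
# the second is the SOURCE that failed the reverse-path (rp_filter) check.
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\d+(?:\.\d+){3}) from (?P<src>\d+(?:\.\d+){3}), on dev (?P<dev>\S+)"
)

# Layout as described in the post; zone prefixes are an assumption.
IFACE_ZONE = {"eth0": "net", "eth1": "net", "eth2": "hard", "eth3": "prod"}
ZONE_NETS = {"net": ip_network("10.31.0.0/24"), "prod": ip_network("172.31.1.0/24")}


def zone_of(addr):
    a = ip_address(addr)
    return next((z for z, n in ZONE_NETS.items() if a in n), None)


def parse_martians(lines):
    """Count martian messages keyed by (dst, src, dev); other lines are ignored."""
    hits = Counter()
    for line in lines:
        m = MARTIAN_RE.search(line)
        if m:
            hits[(m["dst"], m["src"], m["dev"])] += 1
    return hits


def classify(hits):
    """A source from a foreign zone is a spoof candidate; a source from the receiving
    interface's own zone on a multi-homed subnet points at a reverse-path mismatch
    (the route lookup for that source prefers a sibling interface)."""
    out = []
    for (dst, src, dev), n in sorted(hits.items()):
        src_zone, dev_zone = zone_of(src), IFACE_ZONE.get(dev)
        if src_zone is None or dev_zone is None:
            kind = "unknown-zone"
        elif src_zone != dev_zone:
            kind = "cross-zone-source"
        else:
            siblings = [i for i, z in IFACE_ZONE.items() if z == dev_zone and i != dev]
            kind = "reverse-path-mismatch" if siblings else "same-zone-unexpected"
        out.append({"dst": dst, "src": src, "dev": dev, "count": n, "kind": kind})
    return out


# Constructed sample: the line from the post (twice) plus a made-up contrasting line.
SAMPLE_LOG = """\
kernel: IPv4: martian source 172.31.1.31 from 10.31.0.254, on dev eth0
kernel: ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00
kernel: IPv4: martian source 172.31.1.31 from 10.31.0.254, on dev eth0
kernel: IPv4: martian source 10.31.0.102 from 172.31.1.61, on dev eth1
""".splitlines()

if __name__ == "__main__":
    for finding in classify(parse_martians(SAMPLE_LOG)):
        print(finding)
```

Run it against `journalctl -k` or `dmesg` output to see which interface each DNAT'd flow is landing on and whether the failing source is the gateway (routing asymmetry between eth0/eth1) or a foreign-zone address.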
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users