On 12/18/18 6:43 AM, Vincent G wrote:
> Hi there,
> 
> I'm having a configuration issue when trying to DNAT over a multi-NIC
> setup:
> 
> I'm using debian8/jessie with shorewall 4.6.4.3 from packages
> 
> The shorewall instance is connected to 4 interfaces with 3 zones :
> - eth0: net
> - eth1: net
> - eth2: hard
> - eth3: prod
> 
> Yes, the first two interfaces are on the same network with different IPs
> (eth0 : 10.31.0.101/24 / eth1: 10.31.0.102/24 / gateway : 10.31.0.254)
> For testing purposes these IP addresses are static, but in the real world
> they will be DHCP-assigned ones.
> 
> Goal is to DNAT incoming requests (and filter/drop others):
> - from net to ip101:443 to prod:172.31.1.31
> - from net to ip101:22 to prod:172.31.1.230
> - from net to ip102:443 to prod:172.31.1.61
> - from net to ip102:2222 to prod:172.31.1.61
> 
> All traffic from prod zone must go from eth0 to net zone.
> 
> I've set up some rt_tables and ip rules and ping is working fine (with or
> without shorewall):
> from net to ip101 : icmp traffic seen on eth0
> from net to ip102 : icmp traffic seen on eth1
> from ip101 (ping -I eth0 or ping without -I switch) : icmp traffic seen
> on eth0
> from ip102 (ping -I eth1) : icmp traffic seen on eth1
> 
> I can have dnat working for ip101 OR ip102 but not for both.
> I see martian source kernel errors for the non-working DNAT rule. (IPv4:
> martian source 172.31.1.31 from 10.31.0.254, on dev eth0)
> 
> I've attached a dump of my current setup, one working for ip102 but
> throwing martian source for requests on ip101.
> 
> I've been struggling with this setup and cannot achieve what I want; can
> someone point me to the mistake I've made?
> 

Are you following the configuration guidance in
http://www.shorewall.org/MultiISP.html? You can accomplish what you want
fairly easily if you do.

If you follow that guide and still have issues, please submit the output
of 'shorewall dump' collected as described at
http://www.shorewall.org/support.htm#Guidelines

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
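The kernel "martian source" line quoted in the question is the only diagnostic the thread gives, so here is a small added triage script (not part of the thread, and not Shorewall's code) that reads such lines and relates each one to the local interface layout. It uses the kernel's line format, where the first address is the packet's destination and the second its source, and eth0/eth1 addressing from the post; the eth2 and eth3 subnets, the log timestamps and all but the first log line are constructed for the example.

```python
import ipaddress
import re

# Kernel reverse-path log format (net/ipv4/route.c):
# "martian source <dst> from <src>, on dev <if>"; first address is the packet's
# destination, the second its source.
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)"
)

# eth0/eth1 addressing is from the post; the hard and prod subnets are assumptions
# (the post only shows prod hosts in 172.31.1.0/24 and says nothing about eth2).
INTERFACES = {
    "eth0": ipaddress.ip_interface("10.31.0.101/24"),  # net, from the post
    "eth1": ipaddress.ip_interface("10.31.0.102/24"),  # net, from the post
    "eth2": ipaddress.ip_interface("172.31.2.1/24"),   # hard, constructed
    "eth3": ipaddress.ip_interface("172.31.1.1/24"),   # prod, constructed
}

# Constructed sample log: the first martian line is the one quoted in the post,
# the timestamps and the remaining lines are made up for the example.
SAMPLE_LOG = """\
[ 4211.102] IPv4: martian source 172.31.1.31 from 10.31.0.254, on dev eth0
[ 4211.102] ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00
[ 4230.771] IPv4: martian source 10.31.0.101 from 172.31.1.31, on dev eth1
[ 4301.009] IPv4: martian source 10.31.0.102 from 192.0.2.9, on dev eth1
"""


def parse_martian(line):
    """Return {'dst', 'src', 'dev'} for a martian-source line, None for anything else."""
    m = MARTIAN_RE.search(line)
    if m is None:
        return None
    return {
        "dst": ipaddress.ip_address(m["dst"]),
        "src": ipaddress.ip_address(m["src"]),
        "dev": m["dev"],
    }


def interfaces_reaching(addr, interfaces=INTERFACES):
    """Interfaces whose connected subnet contains addr, i.e. the interfaces on which
    a reverse-path check could accept a packet carrying that source address."""
    addr = ipaddress.ip_address(addr)
    return sorted(name for name, iface in interfaces.items() if addr in iface.network)


def classify(line, interfaces=INTERFACES):
    """Explain one martian-source line in terms of the local interface layout."""
    rec = parse_martian(line)
    if rec is None:
        return None
    cands = interfaces_reaching(rec["src"], interfaces)
    if not cands:
        # Source is on no connected subnet: a missing route, or a spoofed/bogon source.
        verdict = "no-connected-route"
    elif rec["dev"] not in cands:
        # Source is reachable, but not via the interface it arrived on: asymmetric path.
        verdict = "wrong-interface"
    elif len(cands) > 1:
        # Several interfaces share the source's subnet (eth0/eth1 in the post). A strict
        # reverse-path lookup in the main table can only name one of them, so packets on
        # the other are martians unless policy routing ties each interface to its own
        # table, which is what the multi-ISP setup does.
        verdict = "shared-subnet"
    else:
        # Only the arriving interface matches, yet the kernel still rejected the packet:
        # an ip rule is steering the reverse lookup elsewhere; inspect the rules/tables.
        verdict = "single-interface-match"
    return {**rec, "candidates": cands, "verdict": verdict}


def summarize(log_text, interfaces=INTERFACES):
    """Count verdicts over a whole log; non-martian lines (ll header etc.) are skipped."""
    counts = {}
    for line in log_text.splitlines():
        res = classify(line, interfaces)
        if res is not None:
            counts[res["verdict"]] = counts.get(res["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        res = classify(line)
        if res:
            print(f"{res['dev']}: {res['src']} -> {res['dst']} "
                  f"candidates={res['candidates']} {res['verdict']}")
    print(summarize(SAMPLE_LOG))
```

Run it against `dmesg` output instead of `SAMPLE_LOG` after editing `INTERFACES` to match the box; a "shared-subnet" verdict is the signature of two NICs on one subnet without per-interface routing tables, while "wrong-interface" and "no-connected-route" point at asymmetric routing or spoofed sources rather than the reverse-path filter itself.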


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
