Tom Eastep wrote (on Wed, Jun 19, 2002 at 05:55:04AM -0700):
| On Wed, 19 Jun 2002, Nachman Yaakov Ziskind wrote:
| 
| > Tom Eastep wrote (on Tue, Jun 18, 2002 at 07:53:08PM -0700):
| > | On Tue, 18 Jun 2002, Nachman Yaakov Ziskind wrote:
| > | 
| > | > Using Bering:
| > | > Linux yoreach 2.4.18 #1 Sun Apr 21 12:50:34 CEST 2002 i686 unknown
| > | >
| > | > with Shorewall 1.2.12. I'm MASQ'ing the local net to the outside,
| > | > except for a few servers which are using Static NAT.
| > | > 
| > | > Zones:
| > | > 
| > | > net     Net             Internet
| > | > loc     Local           Local networks
| > | > 
| > | > Ifaces:
| > | > 
| > | > net     eth0            detect          routefilter
| > | > loc     eth1            detect          routestopped
| > | >
| > | 
| > | Given that you are having a problem involving NAT and MASQ, it would be 
| > | helpful if you posted the contents of those files.
| > 
| > Okay:
| > 
| > MASQ:
| > 
| > eth0            10.1.1.0/24!10.1.1.252,10.1.1.253,10.1.1.254,10.1.1.63
| >
| 
| While it's ok to exclude the static NAT addresses, it is not necessary. 
| The static NAT rules get applied before the MASQ rule. Also, since you 
| have static external IPs, you should probably use SNAT (i.e., list the 
| external IP address that you want to SNAT through).
|  
| > NAT:
| > 216.236.142.81  eth0            10.1.1.1
| > 216.236.142.82  eth0            10.1.1.252
| > 216.236.142.83  eth0            10.1.1.253
| > 216.236.142.84  eth0            10.1.1.254
| > 216.236.142.85  eth0            10.1.1.63
| 
| Ok.
| 
| > 
| > | > All my policies are set to ACCEPT, for testing purposes. My RULES file 
| > | > is unmodified. So the firewall is wide open, right?
| > | 
| > | Yes, plus you don't have to look at any helpful diagnostic messages that 
| > | way.
| > 
| > I'm ignorant enough not to know if this is sarcasm. Seriously, shouldn't I
| > start with the firewall in a minimalist configuration - to make sure
| > everything else works - and then build from there? Isn't it better to 
| > troubleshoot one piece at a time, rather than try to debug everything at 
| > once and just get frustrated?
| 
| With only static NAT and MASQ, opening up the firewall as you have done is 
| fine. In general, I prefer to start with the firewall closed so that I 
| open only as much as is necessary and no more.
| 
| > | > Problem: from my MASQ'ed boxes, I can see the whole 'NET - except for 
| > | > the Static NAT boxes. But I can see the Static NAT boxes from the 
| > | > outside. Also, the Static NAT boxes can see each other (even using the
| > | > public IP addresses).
| > | >
| > 
| > | Without knowing what your configuration looks like (including IP 
| > | addresses, subnetting and routing), it's hard to know what's wrong.
| > 
| > Inside: 10.1.1.0/24, of which the above named hosts are assigned public IP
| > addresses, the rest use PAT. Outside: 216.236.142.80/240 are the public 
| > IP's the router is assigned a public IP on another subnet 
| > (64.49.72.186/30), and the default gateway is .185 on the same subnet.
| > 
| > | > It is not a DNS problem, as using the public IP addresses is no better
| > | > (the private IP addresses work fine). 
| > | > I'm stumped. How do I troubleshoot this?
| > | 
| > | First please tell us what your configuration really looks like then tell
| > | us which computers can communicate with which other computers and which
| > | can't using which addresses (remember, computers can't SEE each other --
| > | they can only communicate with one another).
| > 
| > Okay, the outside can communicate (i.e., pull up web pages) on the Static 
| > NAT addresses above. The Static NAT machines themselves can communicate 
| > with each other and the outside world.
| 
| Are you sure that they can communicate with each other? Are you just using 
| 'ping'? If you are just using 'ping', it is the firewall that is 
| responding to ping, not the NAT machine. There is nothing in your 
| configuration that would let these systems communicate using their 
| > external IP addresses. 
| 
Really?? The firewall does not pass along the ICMP packets to the destination
host? I'm wondering why this would be. It certainly lessens the value of the
ping utility ("Ok, host x is up. Unless it's not.")


| > But the MASQ'ed machines cannot use the public IP
| > addresses (they *can* address the Static NAT machines by their RFC 1918
| > addresses), although they can access other parts of the Internet. I *think*
| > they can ping the public IP's, although I didn't have enough time to make
| > sure.
| 
| Ok -- please read FAQ #2 and 2b (http://www.shorewall.net/FAQ.htm#faq2)  
| then get back to me. I think that what you want to do is MUCH better done
| using Bind 9 views than with IP kludges. I have a configuration very
| similar to yours (see http://www.shorewall.net/myfiles.htm) and that is
| what I do.  The FAQ gives my reasons.

[I have no clue what Bind 9 views is, or how to set it up. But I suspect it
involves doing things through DNS. I further suspect it will be like pulling
teeth with every w/s pointing to my ISP's DNS servers. I suppose I *could* just
load a hosts file on every workstation. Ouch.]

I read the FAQ and decided that #2 is like my situation. So, I put "multi" in
/etc/shorewall/interfaces:

loc     eth1            detect          routestopped,multi

and this in /etc/shorewall/rules:

DNAT   loc  loc:10.1.1.254  tcp  www  -   216.236.142.84:10.1.1.200

which ought to match the NAT entry:

216.236.142.84  eth0            10.1.1.254

and got for my trouble:

# shorewall restart

[snip]
Error: Invalid Target in rule "DNAT loc loc:10.1.1.254 tcp www -
216.236.142.84:10.1.1.200"
Processing /etc/shorewall/stop ...
Terminated

:-(

Thanks again for your help.

-- 
_________________________________________
Nachman Yaakov Ziskind, EA, LLM         [EMAIL PROTECTED]
Attorney and Counselor-at-Law           http://yankel.com
Economic Group Pension Services         http://egps.com
Actuaries and Employee Benefit Consultants
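The FAQ #2 situation the thread refers to (a LAN client reaching a statically NATed server through its public address, and why the DNAT rule carries a second address for SNAT), as an added example that is not part of this thread, of the Shorewall FAQ, or of Shorewall itself: a small Python model of the packet path through the firewall. It uses the addresses quoted in the thread; the client address 10.1.1.10 and the assumption that 10.1.1.200 is the firewall's eth1 address (the SNAT source) are constructed for the example.

```python
"""Model of hairpin NAT on a Shorewall-style firewall (added example).

A LAN client opens a TCP connection to the public address of a server that
is statically NATed to a private address on the same LAN. With DNAT alone
the server answers the client directly (same subnet, no need for a gateway),
so the client receives a reply from an address it never connected to and
the connection fails. Adding SNAT forces the reply back through the
firewall, which reverses both translations.
"""
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("10.1.1.0/24")
# Static NAT entry quoted in the thread: public -> private.
NAT = {"216.236.142.84": "10.1.1.254"}
# Assumed: the firewall's own address on eth1, used as the SNAT source.
FW_LAN_ADDR = "10.1.1.200"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def route_next_hop(pkt: Packet, gateway: str) -> str:
    """LAN hosts deliver directly to anything inside 10.1.1.0/24 and send
    everything else to the default gateway (the firewall)."""
    return pkt.dst if ipaddress.ip_address(pkt.dst) in LAN else gateway


def hairpin_connection(client: str, public: str, snat: bool):
    """Simulate one request/reply pair. Returns (reply source as seen by
    the client, success); success means the reply comes from the public
    address the client actually connected to."""
    conntrack = {}
    request = Packet(client, public)

    # Client side: the public address is not on the LAN, so the request
    # is handed to the firewall.
    assert route_next_hop(request, FW_LAN_ADDR) == FW_LAN_ADDR

    # Firewall PREROUTING: the static NAT entry rewrites the destination.
    translated = Packet(client, NAT[public])
    # Firewall POSTROUTING: optional SNAT so the server sees the firewall,
    # not the client, as the source of the connection.
    if snat:
        translated = replace(translated, src=FW_LAN_ADDR)
    # Record the expected reply tuple so it can be reverse-translated.
    conntrack[(translated.dst, translated.src)] = request

    # Server side: reply to whatever source address it saw.
    reply = Packet(src=translated.dst, dst=translated.src)
    if route_next_hop(reply, FW_LAN_ADDR) == FW_LAN_ADDR:
        # Reply passed through the firewall: undo DNAT and SNAT.
        original = conntrack[(reply.src, reply.dst)]
        reply = Packet(src=original.dst, dst=original.src)
    # Otherwise the server delivered the reply straight to the client on
    # the LAN, and the firewall never saw it.

    return reply.src, reply.src == public and reply.dst == client


if __name__ == "__main__":
    for flag in (False, True):
        seen, ok = hairpin_connection("10.1.1.10", "216.236.142.84", snat=flag)
        print(f"snat={flag}: client sees reply from {seen}, works={ok}")
```

Without SNAT the client sees a reply from 10.1.1.254 for a connection it made to 216.236.142.84 and discards it; with SNAT the reply is forced back through the firewall and arrives from the public address. That is the reason the DNAT rule in the thread names a second, internal address after the colon: it is the source to SNAT the hairpinned connection through.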


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html