On Sun, 23 Jun 2002, Nachman Yaakov Ziskind wrote:

> Tom Eastep wrote (on Wed, Jun 19, 2002 at 05:55:04AM -0700):
> | On Wed, 19 Jun 2002, Nachman Yaakov Ziskind wrote:
> |
> | > NAT:
> | > 216.236.142.81 eth0 10.1.1.1
> | > 216.236.142.82 eth0 10.1.1.252
> | > 216.236.142.83 eth0 10.1.1.253
> | > 216.236.142.84 eth0 10.1.1.254
> | > 216.236.142.85 eth0 10.1.1.63
> |
> | Are you sure that they can communicate with each other? Are you just using
> | 'ping'? If you are just using 'ping', it is the firewall that is
> | responding to ping, not the NAT machine. There is nothing in your
> | configuration that would let these systems communicate using their
> | external IP addresses.
>
> Really?? The firewall does not pass along the ICMP packets to the destination
> host? I'm wondering why this would be. It certainly lessens the value of the
> ping utility ("Ok, host x is up. Unless it's not.")
>
Sigh -- two things. The NAT rules that you post above don't include the
fourth column. That column determines if NAT occurs only from the interface
specified in column 2 or if it applies to connections from all interfaces. If
you leave it out, then NAT only applies to packets arriving through the
interface in column 2. Since you were pinging from another interface, NAT
didn't apply and the ICMP echo requests were directed to the firewall itself.

As for Shorewall's passing or not passing ICMP packets, that is well
documented in both the Troubleshooting section
(http://www.shorewall.net/troubleshoot.htm) and in the FAQ
(http://www.shorewall.net/FAQ.htm#faq5).

> > | > But the MASQ'ed machines cannot use the public IP
> | > addresses (they *can* address the Static NAT machines by their RFC 1918
> | > addresses), although they can access other parts of the Internet. I *think*
> | > they can ping the public IP's, although I didn't have enough time to make
> | > sure.
> |
> | Ok -- please read FAQ #2 and 2b (http://www.shorewall.net/FAQ.htm#faq2)
> | then get back to me. I think that what you want to do is MUCH better done
> | using Bind 9 views than with IP kludges. I have a configuration very
> | similar to yours (see http://www.shorewall.net/myfiles.htm) and that is
> | what I do. The FAQ gives my reasons.
>
> [I have no clue what Bind 9 views is, or how to set it up. But I suspect it
> involves doing things through DNS. I further suspect it will be like pulling
> teeth with every w/s pointing to my ISP's DNS servers.
> I suppose I *could* just load a hosts file on every workstation. Ouch.]
>

Well, there are other solutions. These other solutions route packets back out
the same interface that they came in on, which always strikes me as a stupid
way to do things.

> I read the FAQ and decided that #2 is like my situation.
> So, I put "multi" in
> /etc/shorewall/interfaces:
>
> loc eth1 detect routestopped,multi
>
> and this in /etc/shorewall/rules:
>
> DNAT loc loc:10.1.1.254 tcp www - 216.236.142.84:10.1.1.200
>
> which ought to match the NAT entry:
>
> 216.236.142.84 eth0 10.1.1.254
>
> and got for my trouble:
>
> # shorewall restart
>
> [snip]
> Error: Invalid Target in rule "DNAT loc loc:10.1.1.254 tcp www -
> 216.236.142.84:10.1.1.200"
> Processing /etc/shorewall/stop ...
> Terminated
>

Groan -- you mentioned at the outset that you are running Shorewall 1.2.12 yet
I referred you to the 1.3.x FAQ. My bad... The syntax for 1.2.x is different.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ [EMAIL PROTECTED]
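An added illustration of the missing fourth column Tom points out, not part of the thread and not taken from the Shorewall documentation. It reuses one entry from the quoted nat file; the column name (Shorewall's ALL INTERFACES column) and the value "yes" are assumptions made here for the illustration, and the 1.2.x DNAT rule syntax Tom says differs is not shown.

```text
# /etc/shorewall/nat -- as posted, with the fourth column absent. NAT is then
# applied only to packets arriving on eth0, so a ping sent from the loc side
# to 216.236.142.84 is answered by the firewall itself, not by 10.1.1.254.
#EXTERNAL        INTERFACE   INTERNAL     ALL INTERFACES
216.236.142.84   eth0        10.1.1.254

# Same entry with the fourth column set (assumed value "yes"). The translation
# is now applied to connections arriving through the other interfaces as well,
# including the masqueraded loc workstations.
#EXTERNAL        INTERFACE   INTERNAL     ALL INTERFACES
216.236.142.84   eth0        10.1.1.254   yes

# After "shorewall restart", whether a ping from a loc host actually gets an
# echo reply from 10.1.1.254 still depends on the ICMP handling described in
# the Troubleshooting section and FAQ #5 referenced above.
```

A quick way to tell which host answered a ping is to compare the reply against a connection that only the NAT'ed machine could serve (for example the web server on 10.1.1.254): if 216.236.142.84 answers ping but refuses that connection, the echo reply came from the firewall, which is the symptom Tom describes.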