Brian

Bryan D. Payne wrote the following at 19:12 20.01.2003:


   (DSL Connection)
         |
         |
|--------------------|
|  PPPoE interface   |
|                    |
|      **fw**        |
|                    |
|   192.168.0.1/24   |
|--------------------|
         |
OK, your external interface has an RFC1918 address;
you have to take care of that in your Shorewall setup.

         |
|--------------------|
|   192.168.0.4/24   |
|                    |
|    **beringfw**    |
|                    |
|  192.168.1.254/24  |
|--------------------|
         |
.....

* This packet travels through fw, and I assume that is working properly
for the purposes of this discussion.  This is a valid assumption because
the next thing that I see is a reply from 128.8.129.2 after it goes
through fw.  This reply is now destined for 192.168.0.4 (aka beringfw).
When beringfw receives the packet, it drops it, and logs it with the
following message in /var/log/messages:

Jan 20 11:40:49 firewall kernel: Shorewall:man1918:DROP:IN=eth0 OUT=
MAC=00:a0:24:e4:66:ea:00:30:ab:06:6c:9c:08:00 SRC=128.8.129.2
DST=192.168.0.4 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=17230 DF PROTO=TCP
SPT=22 DPT=39534 WINDOW=25920 RES=0x00 ACK SYN URGP=0

And here you see the dropped packet in chain man1918; this must be address mangling and norfc1918. You can try to see this chain with iptables -L man1918, but be aware that Shorewall is a system, not just a collection of iptables rules. I believe you have to adapt the interfaces file to accept incoming RFC1918 addresses. See the Shorewall docs.

HTH

Erich


THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
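
To triage entries like the one quoted in the message above, this added example (not part of the original e-mail and not Shorewall code) parses the log line and reports which of SRC and DST fall in the RFC 1918 ranges. The function names are hypothetical, and the sample is the entry from the message joined onto one line.

```python
import ipaddress
import re

# The log entry quoted in the message above, joined onto one line.
SAMPLE = (
    "Jan 20 11:40:49 firewall kernel: Shorewall:man1918:DROP:IN=eth0 OUT= "
    "MAC=00:a0:24:e4:66:ea:00:30:ab:06:6c:9c:08:00 SRC=128.8.129.2 "
    "DST=192.168.0.4 LEN=64 TOS=0x00 PREC=0x00 TTL=56 ID=17230 DF PROTO=TCP "
    "SPT=22 DPT=39534 WINDOW=25920 RES=0x00 ACK SYN URGP=0"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Log prefix as it appears in the entry: Shorewall:<chain>:<disposition>:
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):")


def is_rfc1918(addr):
    """True if addr parses as an IP address inside an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def parse_shorewall_line(line):
    """Return chain, disposition, fields and flags; None if no Shorewall prefix."""
    m = PREFIX.search(line)
    if m is None:
        return None
    tokens = line[m.end():].split()
    # KEY=value tokens (OUT= is empty for packets addressed to the firewall)
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    # Bare tokens are IP/TCP flags such as DF, ACK, SYN
    flags = [t for t in tokens if "=" not in t]
    return {
        "chain": m.group("chain"),
        "action": m.group("action"),
        "fields": fields,
        "flags": flags,
        # Which ends of the packet carry a private address
        "rfc1918": [k for k in ("SRC", "DST") if is_rfc1918(fields.get(k, ""))],
    }


if __name__ == "__main__":
    entry = parse_shorewall_line(SAMPLE)
    print(entry["chain"], entry["action"], entry["rfc1918"], entry["flags"])
```

For the quoted entry it reports chain man1918, disposition DROP, and DST as the only RFC 1918 address.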
