Felix Erkinger wrote:
> Hi,
> 
> I have a setup with a xen server and two interfaces, one to the public
> net, and one a direct link to another xen server used for intra domain
> communication.
> 
> dom0 is set up with two bridges, netbr and clubr (cluster bridge), where
> the dom0 only has an IP address on eth1 on the clubr bridge.
> 
> There is a domu with two virtual interfaces bound to both clubr and
> netbr, which makes the firewalling, routing and natting.
> 
> Every domu has an interface connected to the clubr, so intra cluster
> communication works, and outside access goes via the gateway domu.
> 
> There is a mailserver which gets the smtp/ssmtp ports from the public
> interfaces natted to his internal address.
> I'm using Shorewall 3.0.5.
> Although a fancy setup, it works.
> 
> The problem with that is, if an internal domu (except the firewall domu
> where it is working) wants to access the public mailserver via his
> official address it doesn't get routed back to the internal address.
> 
> "picture":
>   web domu (1.2.3.3) -> smtp mail.mysetup.org (external)
>   ->via-> gateway domu (1.2.3.1) ->via-> mail domu (1.2.3.2)
> (doesn't work)
> 
> gateway domu rules:
> # Route external firewall address:25 to internal mailserver
> DNAT  net     clu:1.2.3.2:25  tcp     25
> # experimental rule (doesn't work, currently disabled and makes strange things)
> DNAT  clu     clu:1.2.3.2:25  tcp     25
> 
> gateway domu interfaces:
> net   eth0    detect  tcpflags,norfc1918
> clu   eth1    detect  routeback

This sounds like Shorewall FAQ #2.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
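
Added example, not part of the thread and not Shorewall code: a small Python model of the packet path described in the question, showing why a clu-to-clu DNAT on its own fails and what changes when the gateway also source-NATs the connection. Assumptions: the public address 203.0.113.10 is a placeholder (the post does not give it), and the source-NAT step is the usual remedy for this symptom, not text quoted from the FAQ.

```python
# Model of the hairpin path from the question; addresses 1.2.3.x are from the post.
from dataclasses import dataclass, replace

PUBLIC = "203.0.113.10"   # placeholder: the post does not give the public address
GATEWAY, MAIL, WEB = "1.2.3.1", "1.2.3.2", "1.2.3.3"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int = 0
    sport: int = 0

class Gateway:
    """DNAT to the mail domU, with optional SNAT to the gateway's clu address."""
    def __init__(self, snat):
        self.snat = snat
        self.conntrack = {}   # translated (src, dst) -> original (src, dst)

    def forward(self, pkt):
        out = replace(pkt, dst=MAIL)              # DNAT clu -> clu:1.2.3.2:25
        if self.snat:
            out = replace(out, src=GATEWAY)       # masquerade back onto clu
        self.conntrack[(out.src, out.dst)] = (pkt.src, pkt.dst)
        return out

    def reverse(self, reply):
        # Undo both translations for a reply that passes through the gateway.
        orig_src, orig_dst = self.conntrack[(reply.dst, reply.src)]
        return replace(reply, src=orig_dst, dst=orig_src)

def smtp_roundtrip(snat):
    """Return (accepted, reply source as seen by the web domU)."""
    gw = Gateway(snat)
    syn = Packet(src=WEB, dst=PUBLIC, dport=25, sport=40000)
    at_mail = gw.forward(syn)
    reply = Packet(src=MAIL, dst=at_mail.src, sport=25, dport=syn.sport)
    # Everything sits on the clubr bridge, so a reply addressed to the web domU
    # is delivered directly and never crosses the gateway's conntrack again.
    if reply.dst == GATEWAY:
        reply = gw.reverse(reply)
    # The client only accepts a reply from the address it connected to.
    return reply.src == PUBLIC and reply.dst == WEB, reply.src

if __name__ == "__main__":
    print("DNAT only:  ", smtp_roundtrip(snat=False))
    print("DNAT + SNAT:", smtp_roundtrip(snat=True))
```
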
