> What does that mean? Does it mean that you assigned an RFC 1918 address
> to the WAN port and set the router's default gateway to the IP address
> of the internal interface on your linux box?

Yes, that is correct.

> Hopefully the router's VPN supports NAT-T (NAT traversal) and you have
> configured the VPN to use it; otherwise, this probably won't work at all.

Hmm, I don't know yet. I can see that the packets which I send get to the other side. The problem is that the packets I receive don't reach the HW router on this side. I keep getting reject logs on the internal interface of the Linux box, for UDP packets. The internet is working fine from this router.

> Did you add an SNAT rule (/etc/shorewall/masq) so that traffic from this
> router appears to come from that external IP address?

Hmm. No, I didn't. I just set a DNAT rule in "rules" like this:

DNAT net:$other_hw_router loc:local_ip_of_my_hw_router udp 500

Can you write me the code for "masq"? I don't get it, which external IP must appear. My HW router has an internet address like "192.168.x.x", and when it sends a packet it uses the Linux box and its IP "193.x.x.x". That IP is also visible on the other side of the internet, on the other HW router. At least it should be, because the other HW router is set to allow only that IP (193.x.x.x).

> The traffic that is being logged is coming INTO your firewall on eth0 --
> it isn't a response from '...the other side'.

But why do I get a reject error then? (85.x.x.x is the HW router on the other side; 193.x.x.x is the Linux box.)

Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:40:f4:b2:94:96:00:19:cb:2c:df:87:08:00 SRC=85.x.x.x DST=193.x.x.x LEN=104 TOS=0x00 PREC=0x00 TTL=245 ID=36536 PROTO=UDP SPT=500 DPT=500 LEN=84

> I don't either -- but then you really haven't given us anything to go on
> (no Shorewall configuration or dump -- oh, Shorewall 2.2 didn't even
> have a 'dump' command. You really should upgrade....).
>
> > I have accept rules for all ports and tcp, udp, ah and esp for NET:IP to
> > FW and NET:IP to LOC.
> >
> > DNAT is created for NET:IP to LOC:IP for all ports and all protocols.
>
> Again, what about SNAT?

Hmmm. Not sure what you are trying to say. Do you mean what you mentioned above about "masq"?
I know these kinds of questions are stupid, but please give me more hints.

Thanks!
Scorpy

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
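The following is an added illustration of the masq (SNAT) entry and the DNAT rules the thread is talking about; it is not part of the original exchange and not taken from the Shorewall documentation. It assumes eth0 is the external interface of the Linux box (it is the IN= interface in the logged REJECT) and that 193.x.x.x is eth0's primary address, and it reuses the poster's own placeholders ($other_hw_router, local_ip_of_my_hw_router) rather than real addresses. Two things the logged line already tells you: OUT= is empty and the packet landed in the all2all policy chain, so it was being handled as traffic addressed to the firewall itself, not as a forwarded packet. Had the DNAT rule matched, the packet would have been rewritten in PREROUTING and would show up, if at all, in a FORWARD-side chain with OUT= set to the internal interface. So before adding anything, confirm that $other_hw_router is actually defined in /etc/shorewall/params and expands to 85.x.x.x, and that the DNAT line really is in /etc/shorewall/rules of the running configuration.

```text
# /etc/shorewall/masq  (Shorewall 2.2 column layout: INTERFACE  SUBNET  ADDRESS)
# This is the SNAT side: packets the HW router sends out through eth0 get their
# private source address rewritten to eth0's own address (193.x.x.x).  With the
# ADDRESS column left as "-", Shorewall uses the interface's primary address,
# which is the one the remote router has been told to accept.
#INTERFACE  SUBNET                     ADDRESS
eth0        local_ip_of_my_hw_router   -

# /etc/shorewall/rules  (ACTION  SOURCE  DEST  PROTO  DEST PORT(S))
# IKE negotiation arrives from the remote router on udp/500.  When both peers
# support NAT-T they detect the address rewrite and switch to udp/4500, where
# ESP is carried inside UDP; that UDP encapsulation is what lets the tunnel
# traffic survive the NAT, so udp/4500 has to be forwarded as well.
DNAT   net:$other_hw_router   loc:local_ip_of_my_hw_router   udp   500
DNAT   net:$other_hw_router   loc:local_ip_of_my_hw_router   udp   4500
```

Caveat for the no-NAT-T case: bare ESP (and AH) carry no port numbers, so there is nothing for the SNAT/DNAT pair above to track and map back to the HW router. That is what "this probably won't work at all" in the quoted reply refers to; if the HW router cannot be configured for NAT-T, the fix is on the router, not in masq or rules.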
