Hi,
I'm setting up shorewall (v. 3.4.8) and have established some IPs in the
nat file.
For testing purposes only, I have my main eth0 interface for shorewall
(the "net" interface) in network 192.168.0. The dmz interface is eth2 in
network 192.168.1.
Here's a snippet of ip addr output:

    3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:00:24:c0:02:dc brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.200/24 brd 192.168.0.255 scope global eth0
        inet 192.168.0.199/24 brd 192.168.0.255 scope global secondary eth0:1
    5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:00:24:c0:02:de brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.1/24 brd 192.168.1.255 scope global eth2

And I have in the nat file:

    192.168.0.199 eth0:1 192.168.1.200

In the rules file I opened it up for testing:

    Ping/ACCEPT net fw
    Ping/ACCEPT net dmz
    Ping/ACCEPT loc fw
    Ping/ACCEPT dmz fw
    Ping/ACCEPT fw dmz

And I have a test PC connected to the net interface, IP 192.168.0.104.
The routing from the fw looks correct:

    # ip route
    192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
    192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.200
    default via 192.168.0.1 dev eth0

Here's what I see:
ping fw -> dmz is ok (192.168.1.1 -> 192.168.1.200)
ping net -> fw main address is ok (192.168.0.104 -> 192.168.0.200)
ping net -> dmz FAILS (192.168.0.104 -> 192.168.0.199)
I know packets are not being dropped so it's not shorewall that's
blocking. I guess something's just not getting routed properly? If I can
go net -> fw and fw -> dmz, why is the net -> dmz failing?
Thanks
Ricardo