Simple Network
eth0: NET (12.12.13.1/27)
eth1: LOC (192.168.1.1/24)
The Net has 4 PCs and 1 Asterisk box. Asterisk is on 192.168.1.2. I have
configured it for 1:1 NAT to the outside. This appears to work, but I have
trouble if the firewall reboots: I **MUST** reboot the Asterisk box in
order for it to re-establish connections. If I do not do the reboot, then
inbound traffic never makes it past the NAT, and neither does outbound.
According to the docs, I may need to exclude 192.168.1.2 from the masq, but
when I modified it to exclude that one IP, things seemed worse.
Any help would be appreciated.
I am using Shorewall 4.2.10 on CentOS 5.3, kernel 2.6.18-128.2.1.el5,
iptables v1.3.5.
#/etc/shorewall/nat
#
12.12.13.2 eth0 192.168.1.2 no no
#LAST LINE /etc/shorewall/nat
# /etc/shorewall/masq
#
eth0 eth1
#LAST LINE /etc/shorewall/masq
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Extended Connection Tracking Match Support: Not available
Old Connection Tracking Match Syntax: Not available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
Physdev-is-bridged Support: Available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Not available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Not available
MARK Target: Available
Extended MARK Target: Available
Mangle FORWARD Chain: Available
Comments: Available
Address Type Match: Available
TCPMSS Match: Available
Hashlimit Match: Available
NFQUEUE Target: Available
Realm Match: Available
Helper Match: Available
Connlimit Match: Not available
Time Match: Not available
Goto Support: Available
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users