Ibrahim Hamouda wrote:
> Sorry guys if this has made it before to the list, I just subscribed.
> 
> Here is my situation:
> 
> ISP Gateway: 111.111.111.253
> My gateway : 111.111.111.254
> 
> subnets routed from ISP to 111.111.111.254 : 222.222.222.144/29,
> 333.333.333.192/27 and 444.444.444.128/26
> 
> I have three internal networks that I don't want them to see each other
> but I want a way of seeing them all: 192.168.3.0/24, 192.168.4.0/24 and
> 192.168.253.0/24
> 
> all these internal networks are running either web, mail or other kind
> of services that need to have one to one nat with a public address.
> 
> now I'm running as follows:
> 
> first linux box:
> 
>       eth0: 111.111.111.254
>       eth1: 222.222.222.145, 333.333.333.193 and 444.444.444.129
>       
>       no protection at all, don't know how to do it
> 
> second linux box:
>       eth0: all the above public IP addresses
>       eth1: 192.168.3.1, 192.168.4.1, 192.168.253.1
>       
>       shorewall is doing all the natting and dnatting ..etc.
> 
> this setup is working fine except not able to protect the first box.
> 
> The question is: Is there a way in shorewall setup to do all with one
> box, or if not, how to protect the first box and keep the traffic
> flowing?

To do it on one box:

a) On the second box, remove all of the public IP addresses from eth0.
b) On the second box, add 111.111.111.254 to eth0.
c) Remove the first box
d) On the second box, 'arping -U -I eth0 111.111.111.254' (be sure your
   'arping' is the one from the iputils package by Alexey Kuznetsov
   (Debian package iputils-arping)).

Hint: To use 1:1 NAT, it is only necessary that the external IP address
be routed to the gateway by the upstream router. The address does not
need to be configured on the gateway itself.

--------------------------------------------------------------------------

To protect the first box.

Follow the two-interface quickstart guide but instead of adapting
/etc/shorewall/masq to your configuration, simply remove the entry from
that file.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
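
The 1:1 NAT hint in the reply above, written out as Shorewall configuration for the single-box layout. This is an added example, not part of the original message: the public addresses are picked from the poster's placeholder subnets, and the internal host addresses, the zone names `net` and `loc`, and the web service are assumptions.

```conf
# /etc/shorewall/shorewall.conf (excerpt)
# The ISP routes the public subnets to 111.111.111.254, so the external
# addresses do not have to be added to eth0 as aliases.
ADD_IP_ALIASES=No

# /etc/shorewall/nat
# One entry per published host. Internal host addresses are assumed.
#EXTERNAL          INTERFACE   INTERNAL          ALL INTERFACES   LOCAL
222.222.222.146    eth0        192.168.3.10      No               No
333.333.333.194    eth0        192.168.4.10      No               No
444.444.444.130    eth0        192.168.253.10    No               No

# /etc/shorewall/rules
# A nat entry only translates addresses; it does not open the firewall.
# Each published service still needs its own rule. Zone names 'net' and
# 'loc' and the web service are assumed here.
#ACTION   SOURCE   DEST               PROTO   DEST PORT(S)
ACCEPT    net      loc:192.168.3.10   tcp     80
```

Rules are written against the internal address because the destination has already been translated by the time the rule is evaluated.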
