Thanks Tom

Will test tonight and report back

On Wed, 2009-10-21 at 11:03 -0700, Tom Eastep wrote:
> Ibrahim Hamouda wrote:
> > Sorry guys if this has made it before to the list, I just subscribed.
> >
> > Here is my situation:
> >
> > ISP Gateway: 111.111.111.253
> > My gateway : 111.111.111.254
> >
> > subnets routed from ISP to 111.111.111.254 : 222.222.222.144/29,
> > 333.333.333.192/27 and 444.444.444.128/26
> >
> > I have three internal networks that I don't want them to see each other
> > but I want a way of seeing them all: 192.168.3.0/24, 192.168.4.0/24 and
> > 192.168.253.0/24
> >
> > all these internal networks are running either web, mail or other kind
> > of services that needs to have one to one nat with a public address.
> >
> > now I'm running as follows:
> >
> > first linux box:
> >
> > eth0: 111.111.111.254
> > eth1: 222.222.222.145, 333.333.333.193 and 444.444.444.129
> >
> > no protection at all, don't know how to do it
> >
> > second linux box:
> > eth0: all the above public IP addresses
> > eth1: 192.168.3.1, 192.168.4.1, 192.168.253.1
> >
> > shorewall is doing all the natting and dnatting ..etc.
> >
> > this setup is working fine except not able to protect the first box.
> >
> > The question is: Is there a way in shorewall setup to do all with one
> > box, or if not, how to protect the first box and keep the traffic
> > flowing?
>
> To do it on one box:
>
> a) On the second box, remove all of the public IP addresses from eth0.
> b) On the second box, add 111.111.111.254 to eth0.
> c) Remove the first box
> d) On the second box, 'arping -U -I eth0 111.111.111.254' (be sure your
> 'arping' is the one from the iputils package by Alexey Kuznetsov
> (Debian package iputils-arping))
>
> Hint: To use 1:1 NAT, it is only necessary that the external IP address
> be routed to the gateway by the upstream router. The address does not
> need to be configured on the gateway itself.
>
> --------------------------------------------------------------------------
>
> To protect the first box.
>
> Follow the two-interface quickstart guide but instead of adapting
> /etc/shorewall/masq to your configuration, simply remove the entry from
> that file.
>
> -Tom
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
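
The hint in the reply above (a 1:1 NAT address only has to be routed to the gateway, not configured on it) can be checked before any entry goes into /etc/shorewall/nat. The following is an added example, not part of the original thread or of Shorewall: the function name plan_nat, the host pairs and the public subnets (RFC 5737 documentation ranges standing in for the thread's placeholder subnets) are all assumptions made for illustration.

```python
import ipaddress

# Constructed stand-ins (RFC 5737 documentation ranges) for the thread's
# placeholder public subnets, which are not valid IPv4 addresses.
ROUTED = ["198.51.100.144/29", "203.0.113.192/27", "192.0.2.128/26"]
# Internal networks as given in the thread.
INTERNAL = ["192.168.3.0/24", "192.168.4.0/24", "192.168.253.0/24"]
# Constructed external -> internal host pairs; the last three are bad on purpose.
MAPPINGS = [
    ("198.51.100.146", "192.168.3.10"),
    ("203.0.113.200", "192.168.4.25"),
    ("192.0.2.130", "192.168.253.5"),
    ("192.0.2.10", "192.168.4.30"),      # not in any routed subnet
    ("203.0.113.201", "10.0.0.5"),       # not on an internal network
    ("198.51.100.146", "192.168.3.11"),  # external address reused
]


def plan_nat(routed, internal, mappings, iface="eth0"):
    """Hypothetical helper: return (nat_lines, errors) for 1:1 NAT pairs."""
    routed_nets = [ipaddress.ip_network(n) for n in routed]
    internal_nets = [ipaddress.ip_network(n) for n in internal]
    lines, errors, seen = [], [], set()
    for ext, inside in mappings:
        e, i = ipaddress.ip_address(ext), ipaddress.ip_address(inside)
        if not any(e in n for n in routed_nets):
            # The upstream router would never deliver this address to us.
            errors.append(f"{ext}: not in a subnet the ISP routes to the gateway")
        elif not any(i in n for n in internal_nets):
            errors.append(f"{inside}: not on a known internal network")
        elif e in seen or i in seen:
            errors.append(f"{ext} <-> {inside}: address already used in another pair")
        else:
            seen.update((e, i))
            # EXTERNAL, INTERFACE, INTERNAL columns of /etc/shorewall/nat
            lines.append(f"{ext}\t{iface}\t{inside}")
    return lines, errors


if __name__ == "__main__":
    nat_lines, problems = plan_nat(ROUTED, INTERNAL, MAPPINGS)
    print("\n".join(nat_lines))
    for p in problems:
        print("REJECTED", p)
```

Only the accepted pairs become nat entries; none of the external addresses needs to be added to eth0 for them to work, as long as the ISP routes the subnet to the gateway address.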