Hi all,
I was wondering if anyone could help me with a bit of tricky shorewall
config.
We have a slightly strange setup with the following characteristics:
A debian squeeze gateway / firewall machine with shorewall version
4.4.11.6-3. This machine sits between our internal LAN (network
192.168.80.0/24 on interface br0 192.168.80.254 due to the machine
running an openvpn bridged setup) and the outside world (interface eth0,
let's say with IP address a.b.c.d).
This firewall is providing DNAT for the hosts on the internal LAN and
the setup works fine for this purpose.
The problem is that we also have a few hosts that need *real* external
IP addresses, which we are hoping to provide using proxyarp. We have
another IP range external to the firewall presented to the interface
eth0 (172.24.252.192/26). These machines sit behind the firewall but
must be directly accessible from outside.
Our setup was working for both DNAT and proxyarp with the old version of
shorewall in lenny, but after a dist-upgrade, it no longer liked the
following line in my /etc/shorewall/masq file:
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 br0:!172.24.252.192/26
So I changed it to:
eth0 br0
... which worked for DNAT but the proxyarp stopped working.
Having read all the shorewall config guides I could get my hands on, I
tried various of the following:
eth0 br0:!172.24.252.192/26 (shorewall complains this is not valid syntax)
eth0 192.168.80.254 (works for DNAT but not proxyarp)
eth0 192.168.80.0/24 a.b.c.d (works for DNAT but not proxyarp)
I'm at a bit of a loss as to how to get DNAT and proxyarp working
together again!
My /etc/shorewall/proxyarp file has lines like this in it for the hosts
needing proxyarp:
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
172.24.252.193 eth0 br0 No Yes
Any advice would be greatly appreciated! I've been pulling my hair out
about this all morning and fiddling with a live firewall with people
working behind it is stressful enough!
Many thanks,
Dan Tomlinson
--
Systems Administrator
Cambridge Systems Biology Centre (CSBC)
Tennis Court Road
Cambridge
CB2 1QR
01223 760252
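Added illustration (not part of Dan's post and not Shorewall's own code): a small Python model of the masq SOURCE syntax used above, showing which outbound packets each of the variants tried would NAT. It is a simplified reading of that syntax (interface, network, or interface:!excluded-network, plus an optional ADDRESS column), not Shorewall's parser, and 203.0.113.1 is a stand-in for the placeholder a.b.c.d. The sample packets are constructed: one ordinary LAN host and one proxy ARP host, both arriving on br0.

```python
"""Toy model of Shorewall's /etc/shorewall/masq SOURCE column (added
example, not Shorewall's own parser). It handles only the forms used in
the post: an interface name, a network, or interface:!excluded-network,
plus an optional ADDRESS column for SNAT."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MasqRule:
    out_iface: str                  # INTERFACE column: NAT applies to packets leaving here
    src_iface: Optional[str]        # interface part of SOURCE (e.g. br0), or None
    src_nets: List[ipaddress.IPv4Network]   # networks SOURCE matches (empty = any)
    excluded: List[ipaddress.IPv4Network]   # networks after '!' that are exempted
    snat_to: Optional[str]          # ADDRESS column; None means MASQUERADE


def _nets(text: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(n, strict=False) for n in text.split(",") if n]


def parse_masq_line(line: str) -> Optional[MasqRule]:
    """Parse one masq line; comment, blank and incomplete lines give None."""
    parts = line.split()
    if len(parts) < 2 or parts[0].startswith("#"):
        return None
    out_iface, source = parts[0], parts[1]
    snat_to = parts[2] if len(parts) > 2 and parts[2] != "-" else None

    head, _, rest = source.partition(":")
    src_iface, src_nets, excluded = None, [], []
    try:
        src_nets = _nets(head)    # a bare address or network in SOURCE
    except ValueError:
        src_iface = head          # otherwise it is an interface name
    if rest.startswith("!"):
        excluded = _nets(rest[1:])
    elif rest:
        src_nets = _nets(rest)
    return MasqRule(out_iface, src_iface, src_nets, excluded, snat_to)


def nat_action(rule: MasqRule, in_iface: str, src_ip: str, out_iface: str) -> Optional[str]:
    """Return 'MASQUERADE', 'SNAT <addr>' or None for a packet that arrived
    on in_iface from src_ip and is leaving via out_iface."""
    ip = ipaddress.ip_address(src_ip)
    if out_iface != rule.out_iface:
        return None
    if rule.src_iface is not None and in_iface != rule.src_iface:
        return None
    if rule.src_nets and not any(ip in n for n in rule.src_nets):
        return None
    if any(ip in n for n in rule.excluded):
        return None               # exempted: proxy ARP hosts keep their own address
    return f"SNAT {rule.snat_to}" if rule.snat_to else "MASQUERADE"


if __name__ == "__main__":
    variants = [
        "eth0 br0:!172.24.252.192/26",        # the lenny-era line
        "eth0 br0",
        "eth0 192.168.80.0/24 203.0.113.1",   # 203.0.113.1 stands in for a.b.c.d
    ]
    # Constructed sample packets: a LAN host and a proxy ARP host, both on br0.
    packets = [("br0", "192.168.80.10", "eth0"), ("br0", "172.24.252.193", "eth0")]
    for line in variants:
        rule = parse_masq_line(line)
        for pkt in packets:
            print(f"{line:36s} {pkt[1]:16s} -> {nat_action(rule, *pkt)}")
```

Running it shows the difference between the variants: only the line with the `!172.24.252.192/26` exclusion leaves traffic from the proxy ARP host un-NATed, while `eth0 br0` masquerades it along with the LAN, and the network form matches only 192.168.80.0/24 sources regardless of interface.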
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users