Hello,

I have to connect two networks that both use private IP addresses, so I must NAT 
between the networks.
There are only a few machines from one network which must access the other 
side.
So it is easy to edit one file with NAT rules based on dedicated IPs.

My Shorewall installation does everything right (routing, traffic forwarding, 
filtering), but not NAT.

There is something in the one-to-one NAT guide that I did not understand correctly.
The iptables entries for NAT are there, but are not used.

The IP 10.20.75.81 on eth1 should be translated to IP 192.168.201.199 on eth0, 
but instead the packet goes through the firewall without NAT.


-------------------------------------------------
#shorewall show nat
Shorewall 4.5.5.3 NAT Table at auewriwanat1 - Mon Jan 13 11:56:50 CET 2014

Counters reset Thu Jan  9 20:03:39 CET 2014

Chain PREROUTING (policy ACCEPT 356 packets, 32458 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 350 packets, 31990 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 72 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 72 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth1_out   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            10.20.75.81          to:192.168.201.199

Chain eth1_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.201.199      0.0.0.0/0            to:10.20.75.81
----------------------------------------------------

----------------------------------------------------
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 68:05:ca:0c:a5:be brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.244/24 brd 192.168.20.255 scope global eth0
    inet6 fe80::6a05:caff:fe0c:a5be/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 68:05:ca:0c:b8:08 brd ff:ff:ff:ff:ff:ff
    inet 10.20.75.244/24 brd 10.20.75.255 scope global eth1
    inet6 fe80::6a05:caff:fe0c:b808/64 scope link
       valid_lft forever preferred_lft forever
----------------------------------------------------

----------------------------------------------------
# ip route show
default via 192.168.20.244 dev eth0
10.20.75.0/24 dev eth1  proto kernel  scope link  src 10.20.75.244
192.168.20.0/24 dev eth0  proto kernel  scope link  src 192.168.20.244
----------------------------------------------------

----------------------------------------------------
/etc/shorewall# cat nat
#########################################################################
# IP net                        IP loc
#EXTERNAL       INTERFACE       INTERNAL         ALL INTERFACES     LOCAL
10.20.75.81     eth1            192.168.201.199  no                 no
----------------------------------------------------






Kind regards

Wolfgang Wagner
System administration

RIWA GmbH 
Gesellschaft fuer Geoinformationen
Zwingerstr. 2, 87435 Kempten
Tel: +49 (0) 831 / 522963-537
Fax: +49 (0) 831 / 522963-546
E-Mail: [email protected]
http://www.riwa-gis.de 

RIWA GmbH, Zwingerstrasse 2, 87435 Kempten 
Registered office: Kempten (Allgaeu) 
Court of registration: Amtsgericht Kempten, HRB 6480
Managing director: Dipl.-Ing. Guenter Kraus


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
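
One way to cross-check a one-to-one NAT entry against the link state, the connected subnets and the rule counters shown in the post. This is an added example, not part of the original message or of Shorewall; the function names are illustrative and the sample inputs are excerpts constructed from the output quoted above.

```python
import ipaddress
import re

# Constructed sample input: excerpts of the command output quoted in the post.
IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.168.20.244/24 brd 192.168.20.255 scope global eth0
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    inet 10.20.75.244/24 brd 10.20.75.255 scope global eth1
"""
NAT_FILE = "10.20.75.81     eth1            192.168.201.199  no                 no\n"
NAT_TABLE = """\
    0     0 DNAT       all  --  *      *       0.0.0.0/0            10.20.75.81          to:192.168.201.199
    0     0 SNAT       all  --  *      *       192.168.201.199      0.0.0.0/0            to:10.20.75.81
"""

def parse_interfaces(text):
    """Map interface name -> carrier flag and IPv4 networks, from `ip addr show`."""
    ifaces, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\d+: (\S+): <([^>]*)>", line)
        addr = re.match(r"\s+inet (\S+)", line)  # "inet " only, so inet6 is skipped
        if head:
            current = ifaces[head.group(1)] = {
                "carrier": "NO-CARRIER" not in head.group(2), "nets": []}
        elif addr and current is not None:
            current["nets"].append(ipaddress.ip_interface(addr.group(1)).network)
    return ifaces

def unused_rules(table):
    """Targets of DNAT/SNAT rules whose packet counter (first column) is still 0."""
    rows = [line.split() for line in table.splitlines()]
    return [c[2] for c in rows if len(c) > 2 and c[0] == "0" and c[2] in ("DNAT", "SNAT")]

def check_nat(nat_file, ip_addr, nat_table):
    """Cross-check each nat-file entry against link state, subnets and counters."""
    ifaces, findings = parse_interfaces(ip_addr), []
    nets = [n for i in ifaces.values() for n in i["nets"]]
    for line in nat_file.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        external, iface, internal = line.split()[:3]
        if not ifaces.get(iface, {}).get("carrier", False):
            findings.append(f"{iface}: no carrier, nothing can arrive for {external}")
        if not any(ipaddress.ip_address(internal) in n for n in nets):
            findings.append(f"{internal}: not in a directly connected network")
    return findings + [f"{t}: rule has matched 0 packets" for t in unused_rules(nat_table)]

if __name__ == "__main__":
    print("\n".join(check_nat(NAT_FILE, IP_ADDR, NAT_TABLE)))
```

An INTERNAL address outside the connected networks is only a finding to review, since such a host may legitimately be reached through a router.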
