On 1/13/2014 3:08 AM, [email protected] wrote:
> Hello,
>
> I have to connect two networks that both use private IP addresses, so I must NAT
> between the networks.
> There are only a few machines from one network which must access the other
> side.
> So it is easy to edit one file with NAT rules based on dedicated IPs.

Looking at the IP configuration below, I don't understand why you think you
must use NAT. I assume that it is because the default gateway on 10.20.75.81
is not the Shorewall box?

> My shorewall installation does everything right (routing, traffic forwarding,
> filtering), but not NAT.
>
> Something in the one-to-one NAT guide I did not understand correctly.
> The iptables entries for NAT are there, but are not used.
>
> The IP 10.20.75.81 on eth1 should be translated to IP 192.168.201.199 on
> eth0, but instead the packet goes through the firewall without NAT.
>
>
> -------------------------------------------------
> #shorewall show nat
> Shorewall 4.5.5.3 NAT Table at auewriwanat1 - Mon Jan 13 11:56:50 CET 2014
>
> Counters reset Thu Jan  9 20:03:39 CET 2014
>
> Chain PREROUTING (policy ACCEPT 356 packets, 32458 bytes)
>  pkts bytes target    prot opt in    out   source           destination
>     0     0 eth1_in   all  --  eth1  *     0.0.0.0/0        0.0.0.0/0
>
> Chain INPUT (policy ACCEPT 350 packets, 31990 bytes)
>  pkts bytes target    prot opt in    out   source           destination
>
> Chain OUTPUT (policy ACCEPT 1 packets, 72 bytes)
>  pkts bytes target    prot opt in    out   source           destination
>
> Chain POSTROUTING (policy ACCEPT 1 packets, 72 bytes)
>  pkts bytes target    prot opt in    out   source           destination
>     0     0 eth1_out  all  --  *     eth1  0.0.0.0/0        0.0.0.0/0
>
> Chain eth1_in (1 references)
>  pkts bytes target    prot opt in    out   source           destination
>     0     0 DNAT      all  --  *     *     0.0.0.0/0        10.20.75.81      to:192.168.201.199
>
> Chain eth1_out (1 references)
>  pkts bytes target    prot opt in    out   source           destination
>     0     0 SNAT      all  --  *     *     192.168.201.199  0.0.0.0/0        to:10.20.75.81

Those rules say:

a) Packets arriving on eth1 that are addressed to 10.20.75.81 are forwarded
   to 192.168.201.199. But I don't see how that will ever happen, since
   10.20.75.81 is not a configured IP address on eth1 (you need to add it if
   you want that rule to work).

b) Packets leaving on eth1 with source IP 192.168.201.199 should have the
   source IP changed to 10.20.75.81.

> # ip addr show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 68:05:ca:0c:a5:be brd ff:ff:ff:ff:ff:ff
>     inet 192.168.20.244/24 brd 192.168.20.255 scope global eth0
>     inet6 fe80::6a05:caff:fe0c:a5be/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
>     link/ether 68:05:ca:0c:b8:08 brd ff:ff:ff:ff:ff:ff
>     inet 10.20.75.244/24 brd 10.20.75.255 scope global eth1
>     inet6 fe80::6a05:caff:fe0c:b808/64 scope link
>        valid_lft forever preferred_lft forever
> ----------------------------------------------------

I see that eth1 was down when that output was produced.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
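The two checks Tom makes by eye above (is the DNAT destination actually an address of the inbound interface, and is that interface up) can be scripted. The following is an added example, not code from the thread or from Shorewall; the sample output is constructed from the listings quoted above, and it assumes Shorewall's per-interface chain naming (`eth1_in` for rules reached from `eth1`) seen in the listing.

```python
import re
# Constructed samples, trimmed from the two listings quoted in the mail above.
IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.168.20.244/24 brd 192.168.20.255 scope global eth0
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    inet 10.20.75.244/24 brd 10.20.75.255 scope global eth1
"""
NAT_TABLE = """\
Chain eth1_in (1 references)
 pkts bytes target prot opt in out source destination
    0     0 DNAT all -- * * 0.0.0.0/0 10.20.75.81 to:192.168.201.199
"""

def parse_ip_addr(text):
    """Map interface -> (link state, set of configured IPv4 addresses)."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"\d+: (\S+): <.*> .*state (\S+)", line)
        if head:
            cur = head.group(1)
            ifaces[cur] = (head.group(2), set())
        addr = re.match(r"\s+inet (\d+\.\d+\.\d+\.\d+)/\d+", line)
        if addr and cur:
            ifaces[cur][1].add(addr.group(1))
    return ifaces

def parse_dnat_rules(text):
    """List (inbound iface, matched dst, DNAT target); in='*' inside <iface>_in means that iface (assumed)."""
    chain, rules = None, []
    for line in text.splitlines():
        fields = line.split()
        if fields[:1] == ["Chain"]:
            chain = fields[1]
        elif len(fields) >= 9 and fields[0].isdigit() and fields[2] == "DNAT":
            in_if, dst = fields[5], fields[8]
            if in_if == "*" and chain and chain.endswith("_in"):
                in_if = chain[:-3]
            rules.append((in_if, dst, next((x[3:] for x in fields if x.startswith("to:")), None)))
    return rules

def check_dnat(ip_addr_text, nat_text):
    """Report DNAT rules that cannot be hit: dst not an address of the inbound iface, or iface not UP."""
    ifaces, findings = parse_ip_addr(ip_addr_text), []
    for iface, dst, to in parse_dnat_rules(nat_text):
        state, addrs = ifaces.get(iface, ("MISSING", set()))
        if dst not in addrs:
            findings.append(f"DNAT {dst}->{to}: {dst} is not configured on {iface}")
        if state != "UP":
            findings.append(f"{iface}: link state is {state}, rule cannot match")
    return findings
```

On the listing from the thread it reports both problems Tom points out; once 10.20.75.81 is added to eth1 and the link is up, it reports nothing.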
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
