[Shorewall-devel] Problem with DNAT 3 IP's two NIC

Johny Hazin jhazin at sistelhn.com
Tue Sep 7 17:53:35 PDT 2004


Thanks Tom

Sorry, I was wrong, this is the correct question...

I have this configuration:

Email Server 192.168.0.253
Port 25 SMTP
 _______                        __________                               _____
| LAN   |---- Eth1 ------------| Firewall |---- Eth0    10.10.10.166 ---| NET |
| Local |     192.168.0.1      |__________|     Eth0:0  10.10.10.163    |_____|
|_______|

eth0      Link encap:Ethernet  HWaddr 00:C0:F0:54:DC:1E  
          inet addr:10.10.10.166  Bcast:10.10.10.167  Mask:255.255.255.248
          inet6 addr: fe80::2c0:f0ff:fe54:dc1e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1738708 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1538724 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1130239548 (1077.8 Mb)  TX bytes:248692331 (237.1 Mb)
          Interrupt:15 Base address:0xb000 

eth0:0    Link encap:Ethernet  HWaddr 00:C0:F0:54:DC:1E  
          inet addr:10.10.10.163  Bcast:10.10.10.167  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:15 Base address:0xb000 

eth1      Link encap:Ethernet  HWaddr 00:50:8B:E9:D3:7C  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::250:8bff:fee9:d37c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1803457 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1783929 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:261270108 (249.1 Mb)  TX bytes:1149310777 (1096.0 Mb)

Eth0  Net Zone (two IP addresses)
Eth1  Local Zone

OS Fedora 2
Shorewall Version 2.0.7

On Eth1 I have my email server with the private IP 192.168.0.253 and the public IP is 10.10.10.163. When I do the DNAT I have this:

Sep  5 11:13:55 ns kernel: Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=00:c0:f0:54:dc:1e:00:04:27:fd:6c:cb:08:00 SRC=205.240.205.176 DST=10.10.10.163 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=50942 DF PROTO=TCP SPT=62382 DPT=25 WINDOW=65148 RES=0x00 SYN URGP=0 

IN=eth0=OUT, this is my problem: in and out are the same interface. DNAT doesn't work. I followed these instructions: http://shorewall.net/Shorewall_and_Aliased_Interfaces.html

My /etc/shorewall/rules is:

################################################################################################################
#ACTION     SOURCE  DEST                   PROTO  DEST                   SOURCE   ORIGINAL      RATE   USER/
#                                                 PORT                   PORT(S)  DEST          LIMIT  GROUP
REDIRECT    loc     8080                   tcp    80                     -        -             -      -
ACCEPT      all     all                    tcp    21,22,23,25,53,80,110  -        -             -      -
DNAT:info   net     loc:192.168.0.253:25   tcp    25                     -        10.10.10.163  -      -

I fixed the column; I copied it wrong.


/etc/shorewall/masq

###############################################################################
#INTERFACE              SUBNET                          ADDRESS                 PROTO   PORT(S)
eth0                    192.168.0.0/255.255.255.0


Thanks

Johny


