shorewall-users April 2012 archive

Re: [Shorewall-users] Problem with nat on a multiple isp configuration

From: Alessandro Faglia <alessandro.faglia_at_nospam>
Date: Wed Apr 11 2012 - 15:17:08 GMT
To: Shorewall Users <shorewall-users@lists.sourceforge.net>

On Wed, Apr 11, 2012 at 4:38 PM, Tom Eastep <teastep@shorewall.net> wrote:

> On 04/11/2012 12:57 AM, Alessandro Faglia wrote:
>
> > My two internet uplinks (eth4 and ppp0) belong to the same "net" zone.
> > Everything is working fine but I have a problem with natting.
> >
> > The problematic rule is this:
> > DNAT net lan1:<internal IP of my mail server> tcp 25
> >
>
> Have you followed the DNAT troubleshooting procedure described in
> Shorewall FAQs 1a and 1b?
>

I did :-(

I created a LOG rule to track 25/tcp packets and in the syslog I see
Apr 11 17:06:56 <sw-box> kernel: Shorewall:net2lan1:LOG:IN=ppp0 OUT=eth1 SRC=<src-ip> DST=192.168.1.9 LEN=44 TOS=0x00 PREC=0x00 TTL=42 ID=36272 PROTO=TCP SPT=47814 DPT=25 WINDOW=2048 RES=0x00 SYN URGP=0
Apr 11 17:06:56 <sw-box> kernel: Shorewall:net2lan1:LOG:IN=ppp0 OUT=eth1 SRC=<src-ip> DST=192.168.1.9 LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=51095 PROTO=TCP SPT=47815 DPT=25 WINDOW=3072 RES=0x00 SYN URGP=0

Here <sw-box> is the hostname of the box where shorewall is running (local
IP is 192.168.1.1) and <src-ip> is the public IP of the other box I'm
running nmap to test.

In the target box the gateway is pointing to the shorewall box:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 bond0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 bond0

Maybe the bond interface on the target server is involved in the issue? but
in this case it won't work even when scanning the other IP, at least I
think so...

I don't have a clue...
Alessandro
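The two LOG lines quoted above are what the FAQ 1a/1b check looks for: by the time the packet reaches the net2lan1 chain, DST already carries the internal server address and OUT is the LAN interface, so DNAT has fired. The parser below is an added example, not part of the original thread or of Shorewall itself; it extracts the netfilter fields from Shorewall LOG lines and counts how many port-25 SYNs were translated and forwarded versus left untranslated. The log lines are constructed from the message (placeholder hostname and addresses made up; the third line is an invented untranslated packet on eth4 to show the failing case).

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the lines quoted in the message.
# <sw-box> and <src-ip> replaced with made-up values; third line invented.
SAMPLE_LOG = """\
Apr 11 17:06:56 fw kernel: Shorewall:net2lan1:LOG:IN=ppp0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.9 LEN=44 TOS=0x00 PREC=0x00 TTL=42 ID=36272 PROTO=TCP SPT=47814 DPT=25 WINDOW=2048 RES=0x00 SYN URGP=0
Apr 11 17:06:56 fw kernel: Shorewall:net2lan1:LOG:IN=ppp0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.9 LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=51095 PROTO=TCP SPT=47815 DPT=25 WINDOW=3072 RES=0x00 SYN URGP=0
Apr 11 17:07:01 fw kernel: Shorewall:net2fw:DROP:IN=eth4 OUT= MAC=... SRC=203.0.113.7 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=42 ID=100 PROTO=TCP SPT=47816 DPT=25 WINDOW=2048 RES=0x00 SYN URGP=0
"""

# Shorewall log prefix is "Shorewall:<chain>:<disposition>:" followed by
# the netfilter KEY=VALUE fields (OUT= may be empty for locally delivered packets).
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class Entry:
    chain: str
    disposition: str
    fields: dict


def parse_shorewall_log(text):
    """Parse every Shorewall LOG/DROP/REJECT line into an Entry."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("fields")))
        entries.append(Entry(m.group("chain"), m.group("disp"), fields))
    return entries


def dnat_applied(entry, internal_ip, lan_iface, dport):
    """True when the logged packet already carries the rewritten destination."""
    f = entry.fields
    return (f.get("PROTO") == "TCP" and f.get("DPT") == dport
            and f.get("DST") == internal_ip and f.get("OUT") == lan_iface)


def check_dnat(text, internal_ip="192.168.1.9", lan_iface="eth1", dport="25"):
    """Summarise how port-`dport` packets fared: translated+forwarded or not."""
    entries = parse_shorewall_log(text)
    translated = [e for e in entries if dnat_applied(e, internal_ip, lan_iface, dport)]
    untranslated = [e for e in entries
                    if e.fields.get("DPT") == dport and e not in translated]
    return {"forwarded_after_dnat": len(translated),
            "not_translated": len(untranslated),
            "wan_ifaces": sorted({e.fields["IN"] for e in translated})}
```

A non-zero `not_translated` count alongside zero `forwarded_after_dnat` means the DNAT rule never matched; in the quoted case both SYNs arriving on ppp0 were translated and forwarded to eth1.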


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users