shorewall-users January 2012 archive

[Shorewall-users] one-to-one nat and internal hosts communicating through external public IP

From: Stephane Bouvard <ml_at_nospam>
Date: Thu Jan 12 2012 - 15:36:07 GMT
To: shorewall-users@lists.sourceforge.net

Hi,

Yes, I've read the different FAQs, and I fully understand them...

But I cannot use proxy ARP: my hosts are dedicated servers hosted in the cloud with only one VLAN available (my hoster refuses to give more than 1 VLAN), and thus my two zones net & loc are connected to the same VLAN, and proxy ARP needs two separate layer 2 networks. Split DNS is not a solution either, because I do not have control over the DNS (I host customers' VPS on my servers, my customers use their own DNS on their VPS, and I cannot give one customer the list of domains used by the other customers).

As I do not want loc->loc traffic to appear to originate on the firewall, I'm testing another solution that I would like to explain here, to see if you think there could be some problems I've not yet detected...

Thus, to summarize:

# net (eth0) : 1.1.1.0/24 - gateway (router of my hoster) 1.1.1.254
# loc (eth1) : 10.1.1.0/24

# interfaces
net eth0 detect blacklist
loc eth1 detect routeback

# nat
1.1.1.2 eth0 10.1.1.2 no no
1.1.1.2 eth1 10.1.1.2 no no
1.1.1.3 eth0 10.1.1.3 no no
1.1.1.3 eth1 10.1.1.3 no no

To explain: I declare the one-to-one rules twice, once on the net interface, as documented, but also once on the loc interface... I do *not* declare any masq rule.

It seems to work: when 10.1.1.2 tries to reach 1.1.1.3, 10.1.1.3 receives the connection originating from 1.1.1.2, which is what I want...

But is there any reason I should not use this method? I've not found this solution documented in the Shorewall FAQ, and thus I ask myself if I'm missing something...

Thanks for any tips on this subject :)

-- Kind regards, Stéphane Bouvard http://www.infogerance-serveurs.com
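As an added check that is not part of the original post: a small parser for `conntrack -L` output that verifies the translation the post describes (the internal server must see the client's own external IP, not a firewall address). The conntrack lines are constructed, and the firewall's loc address 10.1.1.1 is an assumption.

```python
import re

# One-to-one NAT entries from the post, external -> internal.
ONE_TO_ONE = {"1.1.1.2": "10.1.1.2", "1.1.1.3": "10.1.1.3"}

# Constructed `conntrack -L` lines (not captured from a real host).
# First: a loc->loc flow translated as the post describes.
# Second: the symptom the post wants to avoid, the server seeing a
# firewall address (10.1.1.1, assumed here) as the source.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.1.1.2 dst=1.1.1.3 sport=45000 dport=22 src=10.1.1.3 dst=1.1.1.2 sport=22 dport=45000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.1.1.2 dst=1.1.1.3 sport=45001 dport=80 src=10.1.1.3 dst=10.1.1.1 sport=80 dport=45001 [ASSURED] mark=0 use=1
"""

# Each conntrack entry carries two tuples: the original direction as
# sent by the client, then the reply direction after NAT.
_TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=\d+ dport=\d+")

def parse_conntrack(text):
    """Yield (orig_src, orig_dst, reply_src, reply_dst) per entry."""
    for line in text.splitlines():
        tuples = _TUPLE.findall(line)
        if len(tuples) == 2:  # skip entries without both tuples
            yield tuples[0] + tuples[1]

def check_hairpin(orig_src, orig_dst, reply_src, reply_dst, one_to_one):
    """Problems with a loc->loc flow that targets an external IP.

    Expected: DNAT maps the external destination to the internal host
    (reply comes from it), and the internal host sees the client's own
    external IP as source, never a firewall address.
    """
    if orig_dst not in one_to_one:
        return ["destination is not a one-to-one NAT address"]
    problems = []
    if reply_src != one_to_one[orig_dst]:
        problems.append("DNAT missing: reply comes from %s" % reply_src)
    expected = next((ext for ext, internal in one_to_one.items()
                     if internal == orig_src), None)
    if reply_dst != expected:
        problems.append("source not mapped: server sees %s instead of %s"
                        % (reply_dst, expected))
    return problems

def audit(text, one_to_one=ONE_TO_ONE):
    """Return [(orig_src, orig_dst, problems)] for every parsed entry."""
    return [(osrc, odst, check_hairpin(osrc, odst, rsrc, rdst, one_to_one))
            for osrc, odst, rsrc, rdst in parse_conntrack(text)]
```

On the firewall, feed it the real table with `audit(open("/proc/net/nf_conntrack").read())`; any non-empty problem list marks a flow that did not get both translations.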