[Shorewall-newbies] NAT issue
sakthi at altair.com
Fri Jan 23 17:24:38 PST 2004
I added a rule to allow LDAP from loc->fw and routeback to loc interface
that took care of my issue.
In FAQ 2A, you are suggesting
"Another good way to approach this problem is to switch from one-to-one NAT
to Proxy ARP."
If I switch to proxy ARP instead of one-to-one NAT, will I still be able to
control traffic to the server by adding specific rules in the
From: Tom Eastep [mailto:teastep at shorewall.net]
Sent: Friday, January 23, 2004 3:39 PM
To: sakthi at altair.com; shorewall-newbies at lists.shorewall.net
Subject: Re: [Shorewall-newbies] NAT issue
On Friday 23 January 2004 12:13 pm, Sakthivel Subramanian wrote:
> First of all I would like to thank Tom Eastep for this excellent
> I am using Shorewall 1.4.8 on a 2.4.20-8 linux kernel with the basic 2
> interface setup eth0 - Connected to a router which provides
> internet/VPN access eth1 - Connected to the LAN
> net eth0 192.168.1.255 blacklist,dropunclean,routefilter
> loc eth1 10.10.1.255 routefilter
> In the current firewall setup, I have a Windows server inside the
> firewall with an IP (10.10.1.10). I have a one-to-one NAT using the
> Shorewall/nat file
> 192.168.1.10 eth0:10 10.10.1.10 No No
> Machines from our corporate network access the server using the
> 192.168.1.10 IP via the router VPN tunnels and the traffic is
> controlled by shorewall/rules without any problem.
> The problem I am facing is locally when my machine (10.10.1.4) tries
> to access the server using the server's external IP (192.168.1.10). I
> keep getting the following message from Shorewall.
> Jan 23 14:11:41 10.10.1.1 kernel: Shorewall:all2all:REJECT:IN=eth1
> OUT= MAC=00:a0:cc:3f:68:f6:00:0b:db:ca:78:17:08:00 SRC=10.10.1.4
> DST=192.168.1.10 LEN=245 TOS=0x00 PREC=0x00 TTL=128 ID=6734 PROTO=UDP
> SPT=4502 DPT=389 LEN=225
> Shorewall is rejecting port 389 (LDAP) access to 192.168.1.10 from my
> machine 10.10.1.4 based on all2all policy. Notice the empty output
> interface. (OUT= ) If I try pinging 192.168.1.10 from my machine, I
> get a response back.
> My default policy is
> loc net ACCEPT
> I explicitly added the following rule but it didn't help.
> ACCEPT:info loc net:192.168.1.10 tcp 389
> ACCEPT:info loc net:192.168.1.10 udp 389
> I tried creating a new zone with 192.168.1.0/24 as host list and added
> policy to allow all traffic to that zone and it didn't help either.
This is a variation on FAQ 2.
Your entry in /etc/shorewall/nat has "No" in the "ALL INTERFACES" column so
requests to 192.168.1.10 coming in on eth1 do not get natted. Since you are
accepting ping loc->fw but you aren't accepting LDAP loc->fw, the ping
appears to work but LDAP fails.
Unfortunately it is not sufficient to just put "Yes" in the ALL INTERFACES
column. That would cause LDAP requests from 10.10.1.x to 192.168.1.10 to be
rerouted to 10.10.1.4 but that system's replies will go straight back to the
10.10.1.x client who would discard them (because they would have the wrong
The solution is therefore the same as in FAQ 2.
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
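As an added illustration (my own code, not part of the thread and not Shorewall's), the script below parses the Shorewall REJECT line Sakthivel posted and applies Tom's explanation of the nat file's ALL INTERFACES column: a one-to-one NAT entry only rewrites packets that arrive on its INTERFACE unless that column is Yes, so a request coming in on eth1 for 192.168.1.10 is never DNATed and is handled by the firewall itself (hence the empty OUT= and the loc->fw all2all policy). The log line and the nat entry are copied from the thread and re-joined onto single lines; the NatEntry layout, the field names and the classification labels are my assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the REJECT line from the thread, re-joined onto one line.
SAMPLE_LOG = (
    "Jan 23 14:11:41 10.10.1.1 kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= "
    "MAC=00:a0:cc:3f:68:f6:00:0b:db:ca:78:17:08:00 SRC=10.10.1.4 DST=192.168.1.10 "
    "LEN=245 TOS=0x00 PREC=0x00 TTL=128 ID=6734 PROTO=UDP SPT=4502 DPT=389 LEN=225"
)

# Constructed counterpart: the same LDAP request arriving from the VPN side on
# eth0, which the nat entry does rewrite, so the kernel forwards it out eth1.
FORWARDED_LOG = (
    "Jan 23 14:12:02 10.10.1.1 kernel: Shorewall:net2loc:ACCEPT:IN=eth0 OUT=eth1 "
    "SRC=192.168.5.7 DST=192.168.1.10 LEN=245 TOS=0x00 PREC=0x00 TTL=127 ID=6801 "
    "PROTO=UDP SPT=4502 DPT=389 LEN=225"
)


@dataclass
class NatEntry:
    """One /etc/shorewall/nat line (assumed layout for this example):
    EXTERNAL, INTERFACE (without the :label alias suffix), INTERNAL, ALL INTERFACES."""
    external: str
    interface: str
    internal: str
    all_interfaces: bool


# From the thread's nat line "192.168.1.10 eth0:10 10.10.1.10 No No".
NAT_TABLE = [NatEntry("192.168.1.10", "eth0", "10.10.1.10", False)]

_LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)")


def parse_shorewall_log(line):
    """Split a Shorewall 1.4-style kernel log line into its KEY=VALUE fields.
    Returns None for lines that are not Shorewall log entries."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for token in m.group("rest").split():
        key, _, value = token.partition("=")
        # LEN= appears twice (IP total length, then UDP length); keep the first.
        fields.setdefault(key, value)
    return fields


def would_be_natted(fields, nat_table):
    """Return the INTERNAL address the packet would be rewritten to, or None.
    Mirrors Tom's point: the entry applies only to packets arriving on its
    INTERFACE unless ALL INTERFACES is Yes."""
    for entry in nat_table:
        if fields.get("DST") != entry.external:
            continue
        if entry.all_interfaces or fields.get("IN") == entry.interface:
            return entry.internal
    return None


def diagnose(line, nat_table):
    """Classify a log line against the nat table.
    'hairpin_nat_not_applied': destined for a NATed external address, arrived on
    an interface the entry does not cover, and handled by the firewall itself
    (OUT= empty), i.e. the FAQ 2 situation from the thread.
    'to_firewall': any other packet the firewall consumed locally.
    'forwarded': the packet was routed through (OUT= set)."""
    fields = parse_shorewall_log(line)
    if fields is None:
        return "not_shorewall"
    externals = {entry.external for entry in nat_table}
    if fields.get("OUT", "") == "":
        if fields.get("DST") in externals and would_be_natted(fields, nat_table) is None:
            return "hairpin_nat_not_applied"
        return "to_firewall"
    return "forwarded"


if __name__ == "__main__":
    for sample in (SAMPLE_LOG, FORWARDED_LOG):
        f = parse_shorewall_log(sample)
        print(f"{f['chain']}:{f['disposition']} IN={f['IN']} OUT={f['OUT']!r} "
              f"DST={f['DST']} DPT={f['DPT']} -> {diagnose(sample, nat_table=NAT_TABLE)}")
```

Running it prints the loc-side request as hairpin_nat_not_applied and the VPN-side request as forwarded. Flipping the entry's ALL INTERFACES to True makes would_be_natted return 10.10.1.10 for the eth1 packet, which is exactly the half-fix Tom warns about: the request would be rewritten, but the server's reply would go straight back to the 10.10.1.x client without the reverse translation.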