[Shorewall-users] eth1 to eth1

Tom Eastep teastep@shorewall.net
Thu, 4 Apr 2002 05:59:33 -0800 (PST)


Ian,

On Wed, 3 Apr 2002, ian wrote:

> I've run into a problem with 1.2.10 and would like to request a more
> experienced person's advice.  
> 
> My setup.. 
> 
> I'm static NATing my boxes behind the firewall.  
> 
> 12.98.39.218 -> 10.10.10.10
> 12.98.39.219 -> 10.10.10.20
> 
> I've got two domain names that are set up here.  
> Domain1.com - ip 218
> Domain2.com - ip 219
> 
> When I try to send mail from Domain1.com to Domain2.com the firewall
> stops me with a loc2loc:REJECT log message.
>

So you've specified 'Yes' in the "ALL" column in /etc/shorewall/nat -- 
good.
 
> So I go into the policy file and set loc loc ACCEPT
> 
> That doesn't work so I try making a rule
> 
> ACCEPT loc loc tcp smtp
> 
> That doesn't work either..

It is a cardinal rule in Shorewall (and stated in the documentation) that 
if you have an ACCEPT policy and something doesn't work then adding more 
ACCEPT rules will NEVER make it work.

 
> 
> I find a work around by making a common entry like so:
> run_iptables -A FORWARD -i eth1 -o eth1 -p tcp --dport 25 -j ACCEPT
> 
> Now for obvious reasons this isn't ideal.  I'd like to work with the
> Shorewall system for easier usage and maintenance, as I like the setup
> and how it's done right now.
> 
> What I see is the problem/bug/feature is that loc2loc is not used 
> in either the INPUT, OUTPUT or FORWARD chains.  It should be in 
> the FORWARD chain though.  Am I correct or did I miss some configuration
> somewhere?
>

It will be if you specify the 'multi' option for eth1 in 
/etc/shorewall/interfaces.
 
And now an editorial note:

Your setup hints strongly of the problems discussed in FAQs 2 and 2a and
would be MUCH cleaner if you would use Proxy ARP rather than static NAT.
In my view, any setup that requires a router to route packets out to the
same interface that they came in on is just plain broken.  I use static 
NAT in my own network but I have also implemented views in my DNS 
configuration so that my domain names resolve to local addresses for local 
clients and network addresses for network clients. If you would do that 
then your two local systems could communicate directly without having to 
involve your firewall. Alternatively, given that there are only two 
systems to deal with, entries in /etc/hosts would also be a fine solution.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
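As an added example (not code from the post or from the Shorewall project), a small shell lint for the misconfiguration discussed in this thread: static NAT with 'Yes' in the ALL column while the local interface lacks the 'multi' option. The column layouts of /etc/shorewall/nat and /etc/shorewall/interfaces are assumed from Shorewall 1.2 conventions, and the sample files are constructed to mirror Ian's setup.

```shell
# Added example, not from the post or from Shorewall: with static NAT and
# 'Yes' in the ALL column of /etc/shorewall/nat, loc-to-loc traffic sent to
# the public addresses is forwarded eth1 -> eth1, which Shorewall 1.2 only
# handles when eth1 has the 'multi' option in /etc/shorewall/interfaces.
# Assumed column layouts: nat = EXTERNAL INTERFACE INTERNAL ALL LOCAL,
# interfaces = ZONE INTERFACE BROADCAST OPTIONS (whitespace separated).

# Succeeds when any nat entry has the ALL column set to Yes.
nat_uses_all() {
    awk '$1 !~ /^#/ && NF >= 4 && tolower($4) == "yes" { found = 1 }
         END { exit !found }' "$1"
}

# Succeeds when interface $2 appears in $1 with 'multi' among its options.
iface_has_multi() {
    awk -v iface="$2" '$1 !~ /^#/ && $2 == iface {
             n = split($4, opts, ",")
             for (i = 1; i <= n; i++) if (opts[i] == "multi") found = 1
         }
         END { exit !found }' "$1"
}

# $1 nat file, $2 interfaces file, $3 local interface; returns 1 when nat
# needs hairpin forwarding on $3 but that interface lacks 'multi'.
check_hairpin() {
    if nat_uses_all "$1" && ! iface_has_multi "$2" "$3"; then
        echo "$3: ALL=Yes in nat but no 'multi' option; loc2loc never reaches FORWARD" >&2
        return 1
    fi
    return 0
}

# Constructed sample files reproducing the setup from the post.
WORK=$(mktemp -d)
cat > "$WORK/nat" <<'EOF'
#EXTERNAL      INTERFACE  INTERNAL     ALL  LOCAL
12.98.39.218   eth0       10.10.10.10  Yes  No
12.98.39.219   eth0       10.10.10.20  Yes  No
EOF
cat > "$WORK/interfaces.bad" <<'EOF'
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect
loc    eth1       detect
EOF
cat > "$WORK/interfaces.good" <<'EOF'
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect
loc    eth1       detect     multi
EOF
check_hairpin "$WORK/nat" "$WORK/interfaces.bad" eth1 || echo "fix: add 'multi' to eth1"
check_hairpin "$WORK/nat" "$WORK/interfaces.good" eth1 && echo "eth1 OK"
```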