[Shorewall-users] Problem with 2 entries in 'nat' table

Tom Eastep teastep at shorewall.net
Tue Oct 21 13:59:56 PDT 2003

On Tue, 2003-10-21 at 12:32, Alan D. Snyder wrote:
> Hello and thanks in advance for your help ...
> Have installed Shorewall and it performs well in all respects but one:
> When there are two entries in the 'nat' file, only the entry whose host
> address part is lowest receives traffic.
> It seems all nat, filter and mangle chains are reasonable.

Have you looked at this problem using ethereal or tcpdump? If the
netfilter rules are correct and the external IP addresses have been
added to the external interface (as the following paragraphs seem to
suggest), then you need to see what is happening on the link to cause
these symptoms.

Since there are folks on the list with 100's of entries in their nat
file (I personally use 2-4 depending on my mood), it is unlikely that
there is anything wrong with how Shorewall is setting up static NAT.

> After Shorewall is started, 'ip addr' shows the IP for each entry in 'nat'
> on the external interface.
> Have not issued any commands outside invoking Shorewall.  Er, why do the 'ip
> add' if they are already there?????

If I read the first paragraph correctly, it seems that 'ip addr show'
shows that the external IP addresses from your nat file have been added
to the external interface. This happens as a result of
ADD_IP_ALIASES=Yes in shorewall.conf.

The next paragraph seems to complain about something but I can't
understand what it is. If you are complaining about the behavior of
ADD_IP_ALIASES=Yes, then by all means turn it off if you are adding the
addresses via some other means provided by your distribution.

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
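An added diagnostic check for the situation discussed above (example code written for this page, not part of the thread or of Shorewall itself). It parses a nat file, confirms each EXTERNAL address is actually configured on its INTERFACE in captured `ip -o addr show` output (what ADD_IP_ALIASES=Yes is supposed to produce), and confirms a matching DNAT rule in captured `iptables -t nat -S` output; for any address missing from the interface it prints the tcpdump filter to run on the link. It assumes the classic nat file column layout (EXTERNAL INTERFACE INTERNAL ...) and a plain `-A PREROUTING ... -j DNAT` rule form; all three inputs below are constructed samples, and the real Shorewall chain names differ.

```shell
#!/bin/sh
# nat_check NATFILE ADDRS RULES
#   NATFILE: contents of /etc/shorewall/nat (EXTERNAL INTERFACE INTERNAL ...)
#   ADDRS:   output of `ip -o addr show`
#   RULES:   output of `iptables -t nat -S`
# Prints one MISSING_* line per problem; prints nothing when all is well.
# The rule form matched here is an assumption, not Shorewall's own chains.
nat_check() {
    printf '%s\n' "$1" | grep -v '^#' | while read -r ext iface int rest; do
        [ -n "$ext" ] || continue
        # Was the external address added to the interface (ADD_IP_ALIASES=Yes)?
        if ! printf '%s\n' "$2" | grep -q "^[0-9]*: $iface .*inet $ext/"; then
            echo "MISSING_ADDR $ext $iface: not on interface, so the box never answers ARP for it"
            echo "  check the link with: tcpdump -ni $iface host $ext"
        fi
        # Is there a DNAT rule steering that address to the internal host?
        if ! printf '%s\n' "$3" | grep -q -- "-d $ext/32 .*-j DNAT --to-destination $int"; then
            echo "MISSING_DNAT $ext -> $int"
        fi
    done
}

# Constructed sample nat file with two static NAT entries
SAMPLE_NAT='#EXTERNAL   INTERFACE   INTERNAL
192.0.2.10  eth0  10.0.0.10
192.0.2.11  eth0  10.0.0.11'

# Constructed `ip -o addr show` output: only the lower address made it onto eth0
SAMPLE_ADDR='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0'

# Constructed `iptables -t nat -S` output: DNAT rules are present for both
SAMPLE_RULES='-A PREROUTING -d 192.0.2.10/32 -i eth0 -j DNAT --to-destination 10.0.0.10
-A PREROUTING -d 192.0.2.11/32 -i eth0 -j DNAT --to-destination 10.0.0.11'

# Run the check against the samples (replace with real command output on a live box)
nat_check "$SAMPLE_NAT" "$SAMPLE_ADDR" "$SAMPLE_RULES"
```

With the samples above, the rules look fine but the second address is missing from eth0, which matches the "only the lowest address receives traffic" symptom: the kernel never claims that address on the wire, so no packets for it reach the nat table at all.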
