[Shorewall-users] Fowarding through networks

Marshal McInnis Marshal at tgpc.us
Mon Mar 21 09:51:55 PST 2005


Yes, the router is on 10.10.0.1 and 10.11.0.1; it's also on 10.12.0.1, and
it all routes OK. I just want it to transfer traffic from the 10.10.0.1
FTP server to the 10.11.0.1 network.

-----Original Message-----
From: shorewall-users-bounces at lists.shorewall.net
[mailto:shorewall-users-bounces at lists.shorewall.net] On Behalf Of Tom
Eastep
Sent: Friday, March 18, 2005 5:18 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Fowarding through networks

Marshal McInnis wrote:
> ACCEPT          fw              inet             tcp     53
> ACCEPT          fw              inet             udp     53
> ACCEPT          loc             inet             tcp     53
> ACCEPT          loc             inet             udp     53
> ACCEPT          loc             inet             all
> ACCEPT          inet            loc              all
> DNAT            inet            loc:10.10.0.4    tcp     443
> DNAT            inet            loc:10.10.0.4    tcp     80
> DNAT            inet            loc:10.10.0.4    tcp     21
> DNAT            inet            loc:10.10.0.4    tcp     25,110
> DNAT            inet            loc:10.10.0.4    tcp     123
> DNAT            inet            loc:10.10.0.4    tcp     1723
> DNAT            inet            loc:10.10.0.4    tcp     3389
> DNAT            inet            loc:10.10.0.4    tcp     4125
> DNAT            inet            loc:10.10.0.4    tcp     1723
> DNAT            inet            loc:10.10.0.4    47      -
> 

Shorewall has 29 configuration files. Typical users modify at least 4 of
them. YOU HAVE SHOWN US ONE!

> eth0                inet addr:209.159.32.162  Bcast:209.159.32.175
> Mask:255.255.255.240
> eth1                inet addr:10.10.0.1  Bcast:10.10.0.255
> Mask:255.255.255.0
> eth2                inet addr:10.11.0.1  Bcast:10.11.0.255
> Mask:255.255.255.0
> 

The above is interesting but incomplete.

Is your firewall the default gateway for both the 10.10.0.0/24 and
10.11.0.0/24 networks? If not, then this goes back to the same question
that I asked you to start with: *What do the routing tables look like on
the hosts in the two networks? In other words, do these hosts know how
to route traffic to the other network?*

Marshal, a router cannot route packets that are never sent to it. And a
firewall can never allow connections that it is never asked to rule on.
So things must be configured so that traffic between the two networks
goes through your Shorewall router/firewall -- *it doesn't happen by
magic*.

Masquerade/SNAT and DNAT rules can make up for lack of proper routing
but WE NEED TO KNOW if your routing is adequate before we can advise
you.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users at lists.shorewall.net
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
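Tom's point that "a router cannot route packets that are never sent to it" comes down to the routing decision each host makes before the Shorewall box ever sees a packet. The script below is an added illustration of that decision and is not code from the thread or from the Shorewall project: it does a longest-prefix-match lookup over a host's routing table (in `ip route` style) and reports whether the next hop is one of the firewall's addresses (10.10.0.1, 10.11.0.1, 10.12.0.1 from the thread). The sample host routing tables are constructed for the example.

```python
"""Host-side routing-decision check (added example, not from the thread).

Shows why traffic between 10.10.0.0/24 and 10.11.0.0/24 only reaches the
Shorewall box when the hosts' own routing tables hand it to the firewall.
Routing tables below are constructed; the firewall addresses are the ones
given in the thread.
"""
import ipaddress
from typing import List, Optional, Tuple

# A route is (destination network, next hop); next hop None = directly connected.
Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address]]

# Interfaces of the Shorewall router/firewall, as stated in the thread.
FIREWALL = {"10.10.0.1", "10.11.0.1", "10.12.0.1"}


def parse_routes(lines: List[str]) -> List[Route]:
    """Parse lines in the shape `ip route` prints: 'dest [via gw] [dev ifname]'."""
    routes: List[Route] = []
    for line in lines:
        parts = line.split()
        dest = ipaddress.ip_network("0.0.0.0/0" if parts[0] == "default" else parts[0])
        gw = None
        if "via" in parts:
            gw = ipaddress.ip_address(parts[parts.index("via") + 1])
        routes.append((dest, gw))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the same rule the kernel applies."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def next_hop(routes: List[Route], dst: str) -> Optional[ipaddress.IPv4Address]:
    """Address the packet is actually handed to, or None if the host has no route."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return r[1] if r[1] is not None else ipaddress.ip_address(dst)


def reaches_firewall(routes: List[Route], dst: str, firewall=FIREWALL) -> bool:
    """True only if the host forwards the packet to one of the firewall's interfaces."""
    hop = next_hop(routes, dst)
    return hop is not None and str(hop) in firewall


# Constructed host routing tables (what `ip route` might show on each host).
FTP_SERVER = parse_routes([          # 10.10.0.4, firewall is its default gateway
    "10.10.0.0/24 dev eth0",
    "default via 10.10.0.1 dev eth0",
])
OTHER_GATEWAY_HOST = parse_routes([  # default gateway is some other router
    "10.10.0.0/24 dev eth0",
    "default via 10.10.0.254 dev eth0",
])
STATIC_ROUTE_HOST = parse_routes([   # other default gateway, but a specific route
    "10.10.0.0/24 dev eth0",
    "10.11.0.0/24 via 10.10.0.1 dev eth0",
    "default via 10.10.0.254 dev eth0",
])
NO_DEFAULT_HOST = parse_routes([     # no default route at all
    "10.10.0.0/24 dev eth0",
])


if __name__ == "__main__":
    for name, table in [("ftp server", FTP_SERVER),
                        ("other-gateway host", OTHER_GATEWAY_HOST),
                        ("static-route host", STATIC_ROUTE_HOST),
                        ("no-default host", NO_DEFAULT_HOST)]:
        hop = next_hop(table, "10.11.0.50")
        print(f"{name:20} -> next hop {hop}, "
              f"firewall sees it: {reaches_firewall(table, '10.11.0.50')}")
```

Only the hosts whose lookup resolves to a firewall interface ever present the packet to Shorewall; for the others no rules or policy entry can help, which is exactly why the routing tables have to be checked before the rules file is touched.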