[Shorewall-users] Masquerading issue

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

Shorewall-3.0.3
RH9 (+legacy updates)
eth0: loc: 192.168.1.0/24
eth0:0: loc: 192.168.20.0/24
eth1:: 69.70.32.8/29

I'm worked all day on an issue I found today and I just can't find a way
to fix my problem.
So, basically, for now, my network looks like this:

  Internet
    ^
    |
 (69.70.32.8/29)
   Firewall
  192.168.1.1
     ^
     |
 LAN/Servers
(192.168.1.0/24)

So, servers are nated (DNAT) from my external static ips to my LAN, this
works fine.
I use a SNAT for my outgoing traffic to go out on the internet using
69.70.32.10. This works fine.
I need to masq my own LAN to my firewall to be able to use the DNAT of
my external IPs inside my LAN, this works fine for now, but this is my
problem.

I want to add a new subnet (in a virtual interface of my LAN on the
firewall), 192.168.20.0/24. Everything's setup, I get a problem, when I
am connecting from 192.168.1.0/24 to 192.168.20.0/24 (of vice-versa), I
am masqueraded as the interface of this network of the firewall.
(ssh 192.168.20.3 from 192.168.1.109 is saw as coming from 192.168.20.1).
This causes problems and I just want this subnet to be routed internally
with nothing more.

I included my config files and my status (status.txt) in the mail, but
my masq contains this:
#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S)
IPSEC
eth1                    eth0            69.70.32.10
eth0                    eth0

(eth0   eth0) looks weird, but it's the only way I found to be able to
talk to my nat from the eth1 network from the LAN.
If I remove this line, I get what I want, being routed normaly inside,
but I can't talk to my dnat from my /29 on the internet.

I tried to put thing in and out from the hosts file, but it doesn't
change anything.

SO now I am asking for your help! ;)

Thanks a lot!

- --
C=E9dric Charest
Administrateur de Syst=E8mes / System Administrator
Terrascale Technologies Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD6R/MudvjQGGRi3oRAvPvAKCzAAoMx3bLaXgihx7t9qAsJ3nhMQCgth/o
Coem5MDS5sDq8y2JAPhWRaM=3D
=3DXF3O
-----END PGP SIGNATURE-----