Re: [Shorewall-users] SNAT/ARP issue - shorewall-shell_4.0.15-1_all.deb

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Tom Eastep wrote:
> Tom Eastep wrote:
>> Trent O'Callaghan wrote:
>>> MASQ/SNAT and ARP are interacting in a way that is causing outbound
>>> connectivity issues in periods of low traffic (when ARP entries timeout). 
>>> Tcpdump of ARP packets shows who-has packets with the SNAT IP address when I
>>> need them to have the Firewall's Interface IP address as their source.
>>>
>>> I have modified MASQ to SNAT to the Firewall's Interface IP address for the
>>> Peering network (via 198.32.212.73), but outbound traffic is normally to
>>> more distant networks and my default route is to the Paid Internet (via
>>> 121.200.226.210).
>>>
>>> I have seen some have scripted ARP watchers that could assist but I believe
>>> this is something Shorewall can cope with, but I am lacking in the
>>> knowledge.
>>>
>>> root@per-r1:/etc/shorewall# ifconfig -a
>>> eth0      Link encap:Ethernet  HWaddr 00:15:17:cc:dd:90
>>>           inet addr:121.200.226.210  Bcast:121.200.226.211
>>> Mask:255.255.255.252
>>> eth0:1    Link encap:Ethernet  HWaddr 00:15:17:cc:dd:90
>>>           inet addr:198.32.212.73  Bcast:198.32.212.255  Mask:255.255.255.0
>>> eth0:2    Link encap:Ethernet  HWaddr 00:15:17:cc:dd:90
>>>           inet addr:180.233.131.7  Bcast:180.233.131.255  Mask:255.255.255.0
>>> eth1      Link encap:Ethernet  HWaddr 00:15:17:cc:dd:91
>>>           inet addr:10.240.0.1  Bcast:10.240.0.255  Mask:255.255.255.0
>>>
>>> root@per-r1:/etc/shorewall# ip route show table main | grep -v zebra
>>> 121.200.226.208/30 dev eth0  proto kernel  scope link  src 121.200.226.210
>>> 198.32.212.0/24 dev eth0  proto kernel  scope link  src 198.32.212.73
>>> 180.233.131.0/24 dev eth0  proto kernel  scope link  src 180.233.131.7
>>> 10.240.1.0/24 dev eth1  proto kernel  scope link  src 10.240.1.1
>>> default via 121.200.226.209 dev eth0  metric 100
>>>
>>> #
>>> # Shorewall version 4 - Masq file
>>> #
>>> eth0:!198.32.212.0/24   eth1:!10.240.1.7        180.233.131.7
>> Ah! I took one more look at your report and I seriously doubt that the
>> above rule does what you expect. Rewrite it as:
>>
>> eth0:!198.32.212.0/24    10.240.0.0/24!10.240.1.7
> 
> In fact, the current version of Shorewall (4.4.6) rejects that type of rule:
> 
> gateway:/etc/shorewall# shorewall check
> Compiling...
>    WARNING: Using an interface as the masq SOURCE requires the interface
> to be up and configured when Shorewall starts/restarts :
> /etc/shorewall/masq (line 7)
>    ERROR: SOURCE interface may not be specified with a source IP address
> in the POSTROUTING chain : /etc/shorewall/masq (line 7)
> gateway:/etc/shorewall#
> 
> Are you still using Shorewall-shell? 

Duh -- just looked at the Subject again. I suggest that you look at
http://www.shorewall.net/LennyToSqueeze.html. Also, note that the Debian
Shorewall maintainer has Shorewall 4.4 packages available for Lenny; a
link to his site can be found on the Shorewall download page.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________