Hey All,
I am currently running Astaro 2.0, although this works for any version of Astaro that uses the DHCP client hack for cable modem users and other custom DHCP hacks.
PROBLEM: I had installed the script and it ran perfectly. I then added several DNAT and SNAT rules and allowances for game hosting and FTP/Napster servers. Well, AT&T (my cable modem provider) switched the IP and my DNAT/SNAT was not working any longer.
I then looked in the "packet filter->live log" section of the GUI and saw that under SNAT and DNAT, my old IP was being used. Strange, I thought, because the masquerading was working correctly.
Then, upon further inspection, I noticed that the reason was that the masquerading rule looked like this:
MASQUERADE all -- * eth1 192.168.0.0/24 0.0.0.0/0
Meaning that all my traffic on the internal zone was going anywhere and WAS NOT dependent on the external IP (as the script was determining that based upon $IP in the script).
For DNAT and SNAT however, the situation was different. It was like for example:
DNAT udp -- * * 0.0.0.0/0 123.123.123.123
This meant that it was using the IP that was hard-coded by the $ip variable in the script.
I rebooted and got the same thing, even after I completely deleted the DNAT/SNAT information in the GUI.
SOLUTION:
Log in as loginuser and su to root. Then, change to the /etc/wfe/conf directory.
In there, you should find the netdata file. There lies the problem. I noticed that before I modified it, there were entries like:
X#My-Zone#192.168.0.0#255.255.255.0#V
X#My-Zone-2#192.168.0.43#255.255.255.255#V
X#External#my.old.external.ip#255.255.255.255#V
X#External#my.old.external.ip#255.255.255.255#V
X#External#my.new.external.ip#255.255.255.255#V
X#External#my.new.external.ip#255.255.255.255#V
Notice that the new IP is under the old. Every time the box is restarted, the external IP number is appended to this file, which is why it was not seeing my new IP for the DNAT/SNAT.
What you will need to do, for example using vi, is to delete the lines that have the external information, leaving perhaps just the last one written. Then, restart the box and the DNAT/SNAT will operate correctly.
My thought is perhaps the dhcp script could be modified to do a grep or some other search inside the netdata file for this line (the external one) and delete it, and THEN append the new data. Doing this would allow for a new IP upon reboot (as this is when for me AT&T's updated IP kicks in).
Hope this works and helps out those who may have hit this problem and wondered why. It would seem a fairly easy hack to implement this, either in the current hack or in the upcoming "official" Astaro DHCP client support. I also have another article about another hack for the "dhcp hack" that was required before I could even get SNAT/DNAT going.
Thanks again to Astaro for a great program and firewall, and all the hackers that continue to extend the usefulness of this product.
Matthew
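The change Matthew proposes for the dhcp script, as an added shell example that is not part of the original post or of Astaro's own script: it strips every External entry from netdata and appends exactly one line for the new address (the $IP the dhcp script already determines), so repeated reboots cannot pile up stale entries. The netdata path and the X#zone#ip#mask#V field layout come from the post; the sample file and the 203.0.113.x addresses are constructed.

```shell
#!/bin/sh
# Hypothetical helper for the DHCP client hack: keep the netdata file's
# External zone in sync with the address the lease just handed out.
# Intended call from the dhcp script: update_external_entry /etc/wfe/conf/netdata "$IP"

update_external_entry() {
    file=$1
    newip=$2
    tmp="$file.tmp.$$"
    # Keep every line that is not an External zone entry
    # (grep exits 1 when nothing matches, which is fine here).
    grep -v '^X#External#' "$file" > "$tmp" || true
    # Append a single entry for the new address, same layout as the post.
    printf 'X#External#%s#255.255.255.255#V\n' "$newip" >> "$tmp"
    mv "$tmp" "$file"
}

# Number of External entries currently in the file (should be 1 after the fix).
count_external_entries() {
    grep -c '^X#External#' "$1"
}

# The address the External zone currently points at.
external_ip_in_netdata() {
    sed -n 's/^X#External#\([^#]*\)#.*/\1/p' "$1"
}

# Constructed sample reproducing the duplicate entries from the post (not a real netdata file).
make_sample_netdata() {
    cat > "$1" <<'EOF'
X#My-Zone#192.168.0.0#255.255.255.0#V
X#My-Zone-2#192.168.0.43#255.255.255.255#V
X#External#203.0.113.10#255.255.255.255#V
X#External#203.0.113.10#255.255.255.255#V
X#External#203.0.113.20#255.255.255.255#V
X#External#203.0.113.20#255.255.255.255#V
EOF
}

demo() {
    f=$(mktemp)
    make_sample_netdata "$f"
    update_external_entry "$f" 203.0.113.30
    cat "$f"
    rm -f "$f"
}
```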