Dom Liang
2005-Aug-30 03:57 UTC
Shorewall with 1to1 NAT, loc cannot reach from net/fw after system reboot, net2fw & fw2net work fine
Dear all,

I am running shorewall 2.2.3 on debian sarge. I built a one-to-one NAT mapping 192.168.1.* to real IPs.

dom@vod:~$ ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0f:1f:6c:18:2a brd ff:ff:ff:ff:ff:ff
    inet 210.0.235.237/28 brd 210.0.235.239 scope global eth0
    inet 210.0.235.229/28 brd 210.0.235.239 scope global secondary eth0:0
    inet6 fe80::20f:1fff:fe6c:182a/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0f:1f:6c:18:2b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.237/24 brd 192.168.1.255 scope global eth1
    inet6 fe80::20f:1fff:fe6c:182b/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:04:23:a8:85:94 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:04:23:a8:85:95 brd ff:ff:ff:ff:ff:ff
6: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

The machine has 4 ethernet ports but I use only 2.

ip route show
210.0.235.224/28 dev eth0  proto kernel  scope link  src 210.0.235.237
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.237
default via 210.0.235.225 dev eth0

dom@vod:/etc/network$ cat interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 210.0.235.237
        netmask 255.255.255.240
        network 210.0.235.224
        broadcast 210.0.235.239
        gateway 210.0.235.225
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 202.82.1.2
        dns-search pbe.com.hk

auto eth0:0
iface eth0:0 inet static
        address 210.0.235.229
        netmask 255.255.255.240

auto eth1
iface eth1 inet static
        address 192.168.1.237
        netmask 255.255.255.0

PROBLEM is: I can reach the 192.168.1.* machines from net if I start shorewall manually after boot up, but not after a normal boot up. The shorewall init script shows everything normal after boot up.

Is there something wrong in the start-up stage? Is it because Shorewall started too early? What should I do?

Thanks in advance. I am almost getting cold in the datacenter now; I will be very happy if I can get any kind of help ASAP.

Dom.
Tom Eastep
2005-Aug-30 04:01 UTC
Re: Shorewall with 1to1 NAT, loc cannot reach from net/fw after system reboot, net2fw & fw2net work fine
Dom Liang wrote:
>
> PROBLEM is : I can reach the 192.168.1.* machines from net if I start
> shorewall manually after boot up, but not normal boot up. The shorewall
> init script is showing everything normal after boot up.
>
> Is there something wrong in the start-up stage? is it because Shorewall
> started too early? What should I do?
>

Dom -- I told you on IRC. You need to give us the output of "shorewall status" after you have booted and when you can't connect.

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
Dom Liang
2005-Aug-30 04:06 UTC
Re: Shorewall with 1to1 NAT, loc cannot reach from net/fw after system reboot, net2fw & fw2net work fine
Sorry I forgot. Please see attached for the file.

On 8/30/05, Tom Eastep <teastep@shorewall.net> wrote:
>
> Dom Liang wrote:
> >
> > PROBLEM is : I can reach the 192.168.1.* machines from net if I start
> > shorewall manually after boot up, but not normal boot up. The shorewall
> > init script is showing everything normal after boot up.
> >
> > Is there something wrong in the start-up stage? is it because Shorewall
> > started too early? What should I do?
> >
>
> Dom -- I told you on IRC. You need to give us the output of "shorewall
> status" after you have booted and when you can't connect.
>
> -Tom
> --
> Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,              \ http://shorewall.net
> Washington USA          \ teastep@shorewall.net
> PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
>

--
Dominie Liang 梁文堅
http://www.hkdom.com
dominie@gmail.com
Tom Eastep
2005-Aug-30 13:58 UTC
Re: Shorewall with 1to1 NAT, loc cannot reach from net/fw after system reboot, net2fw & fw2net work fine
Dom Liang wrote:
> Sorry I forgot. Please see attached for the file.
>
> On 8/30/05, *Tom Eastep* <teastep@shorewall.net
> <mailto:teastep@shorewall.net>> wrote:
>
>     Dom Liang wrote:
>     >
>     > PROBLEM is : I can reach the 192.168.1.* machines from net if I start
>     > shorewall manually after boot up, but not normal boot up. The
>     shorewall
>     > init script is showing everything normal after boot up.
>     >
>     > Is there something wrong in the start-up stage? is it because
>     Shorewall
>     > started too early? What should I do?
>     >

From the "shorewall status" output:

/proc
/proc/sys/net/ipv4/ip_forward = 0

If you don't have IP_FORWARDING=Yes in shorewall.conf, then you should set it that way. If you do have that setting then something is resetting /proc/sys/net/ipv4/ip_forward after Shorewall starts and you will have to determine what that is.

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
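The two cases Tom distinguishes above (setting missing versus setting present but the kernel flag cleared afterwards) as an added POSIX shell example; this is not code from the thread or from Shorewall itself. It reads the IP_FORWARDING value from a shorewall.conf-style file, compares it with the kernel's ip_forward flag (passed in, or read live from /proc/sys/net/ipv4/ip_forward), and names the situation. The function names and the conf fragment written by the demo are constructed for the example; it treats "On" as the enabling value, which is what Dom's later reply says the file actually expects.

```shell
#!/bin/sh
# Added example, not from the thread: turn Tom's diagnosis into a check.
# Inputs: a shorewall.conf-style file and the kernel's ip_forward flag.

# Print the last uncommented IP_FORWARDING= value in $1 (quotes stripped),
# or "unset" when the key is absent or present only in a comment.
ip_forwarding_setting() {
    val=$(grep -E '^[[:space:]]*IP_FORWARDING=' "$1" | tail -n 1 \
          | cut -d= -f2- | tr -d "\"' \t")
    [ -n "$val" ] && echo "$val" || echo unset
}

# Classify config setting ($1 = conf path) against kernel flag ($2 = 0 or 1;
# defaults to the live /proc value). Prints one of:
#   ok                 setting is On and the kernel forwards
#   not_configured     kernel does not forward and the setting is not On
#   reset_after_start  setting is On but the flag is 0: something cleared
#                      it after Shorewall started (Tom's second case)
#   enabled_elsewhere  kernel forwards although the setting is not On
forwarding_diagnosis() {
    setting=$(ip_forwarding_setting "$1")
    flag=${2:-$(cat /proc/sys/net/ipv4/ip_forward)}
    case "$setting" in
        [Oo][Nn]) configured=1 ;;
        *)        configured=0 ;;
    esac
    if [ "$flag" = 1 ] && [ "$configured" = 1 ]; then echo ok
    elif [ "$flag" = 0 ] && [ "$configured" = 1 ]; then echo reset_after_start
    elif [ "$flag" = 1 ]; then echo enabled_elsewhere
    else echo not_configured
    fi
}

# Write a constructed shorewall.conf fragment to $1 with IP_FORWARDING=$2
# (sample content for the example, not a real configuration).
write_sample_conf() {
    cat > "$1" <<EOF
# constructed sample shorewall.conf fragment
STARTUP_ENABLED=Yes
#IP_FORWARDING=Off
IP_FORWARDING=$2
EOF
}

# Walk through the thread's situation: flag 0 with "Yes" and then with "On".
demo() {
    tmp=$(mktemp)
    write_sample_conf "$tmp" Yes
    echo "Yes / 0 -> $(forwarding_diagnosis "$tmp" 0)"   # not_configured
    write_sample_conf "$tmp" On
    echo "On  / 0 -> $(forwarding_diagnosis "$tmp" 0)"   # reset_after_start
    echo "On  / 1 -> $(forwarding_diagnosis "$tmp" 1)"   # ok
    rm -f "$tmp"
}
demo
```

Run it on a real box as `forwarding_diagnosis /etc/shorewall/shorewall.conf` with no second argument to compare the file against the live flag; a `reset_after_start` result is the cue to look for whatever else touches ip_forward during boot, as Tom suggests.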
Dom Liang
2005-Aug-30 20:27 UTC
Re: Shorewall with 1to1 NAT, loc cannot reach from net/fw after system reboot, net2fw & fw2net work fine
Thanks Tom, it works well now, but it should be "On" and not "Yes" in shorewall.conf.

Anyway, many thanks. I don't have to go to the datacenter again today ^^;

Dom.

On 8/30/05, Tom Eastep <teastep@shorewall.net> wrote:
>
> Dom Liang wrote:
> > Sorry I forgot. Please see attached for the file.
> >
> > On 8/30/05, *Tom Eastep* <teastep@shorewall.net
> > <mailto:teastep@shorewall.net>> wrote:
> >
> >     Dom Liang wrote:
> >     >
> >     > PROBLEM is : I can reach the 192.168.1.* machines from net if I start
> >     > shorewall manually after boot up, but not normal boot up. The
> >     shorewall
> >     > init script is showing everything normal after boot up.
> >     >
> >     > Is there something wrong in the start-up stage? is it because
> >     Shorewall
> >     > started too early? What should I do?
> >     >
>
> From the "shorewall status" output:
>
> /proc
> /proc/sys/net/ipv4/ip_forward = 0
>
> If you don't have IP_FORWARDING=Yes in shorewall.conf, then you should
> set it that way. If you do have that setting then something is resetting
> /proc/sys/net/ipv4/ip_forward after Shorewall starts and you will have
> to determine what that is.
>
> -Tom
> --
> Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,              \ http://shorewall.net
> Washington USA          \ teastep@shorewall.net
> PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
>

--
Dominie Liang 梁文堅
http://www.hkdom.com
dominie@gmail.com
Tom Eastep
2005-Aug-30 20:30 UTC
Re: Shorewall with 1to1 NAT, loc cannot reach from net/fw after system reboot, net2fw & fw2net work fine
Dom Liang wrote:
> Thanks Tom, it works well now, but it should be "On" but not "Yes" in
> shorewall.conf.

Oops -- sorry.

> Anyway, greatly thanks. I don't have to goto datacenter again today ^^;
>

Hopefully you can warm up from yesterday ;-)

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key