Winston Nolan
2005-Sep-19 12:55 UTC
3 interface gateway newbie question (2) with more/proper info
good day to you,
In my previous post I omitted these results. I apologise; here is my question again.
-the exact version of Shorewall you are running.
intranet shorewall # shorewall version
2.4.2
-the complete, exact output of ip addr show
intranet shorewall # ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:3c:7c:47 brd ff:ff:ff:ff:ff:ff
    inet 10.1.30.252/24 brd 10.1.30.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:3c:7c:55 brd ff:ff:ff:ff:ff:ff
    inet 10.1.30.1/24 brd 10.1.30.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:b3:28:67:87 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.22/24 brd 192.168.1.255 scope global eth2
-the complete, exact output of ip route show
intranet shorewall # ip route show
10.1.30.0/24 dev eth0 proto kernel scope link src 10.1.30.252
10.1.30.0/24 dev eth1 proto kernel scope link src 10.1.30.1
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.22
127.0.0.0/8 dev lo scope link
default via 10.1.30.254 dev eth1 metric 1
I have a 3 interface gateway:
eth0 (internal interface) 10.1.30.252 (this is connected to my LAN, 10.1.30.0/24)
eth1 (external interface) 10.1.30.1 (this is connected to my ISP router)
eth2 (wireless interface) 192.168.1.22 (this is connected to my wireless link to another ISP)
My client workstations are all set on DHCP and their gateway is set to 10.1.30.252.
For now all I want is for my internal workstations to be able to reach anything on the internet (allow all),
and from the internet I want to allow certain services like ssh, http, https and ftp, with the option of allowing more services later.
I have set up Shorewall using both webmin and mc inside the shell.
When using webmin and the check status command I see the following:
ARP
I am such a newbie to this and could only assume that it's because of the following:
/proc
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/default/log_martians = 0
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 1
/proc/sys/net/ipv4/conf/eth0/log_martians = 0
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
/proc/sys/net/ipv4/conf/eth1/log_martians = 0
/proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth2/arp_filter = 0
/proc/sys/net/ipv4/conf/eth2/rp_filter = 0
/proc/sys/net/ipv4/conf/eth2/log_martians = 0
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 0
Note /proc/sys/net/ipv4/conf/all/proxy_arp = 0
Could this be my problem?
I also see a lot of this:
tcp 6 431994 ESTABLISHED src=10.1.30.63 dst=10.1.30.252 sport=1373 dport=5222 packets=4750 bytes=199620 src=10.1.30.252 dst=10.1.30.63 sport=5222 dport=1373 packets=4751 bytes=201340 [ASSURED] mark=0 use=1
tcp 6 61456 ESTABLISHED src=207.103.58.50 dst=10.1.30.1 sport=9662 dport=46634 packets=1 bytes=52 [UNREPLIED] src=10.1.30.1 dst=207.103.58.50 sport=46634 dport=9662 packets=0 bytes=0 mark=0 use=1
Could that [UNREPLIED] also have something to do with this?
When my Shorewall is started I see this when I type route:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.30.0       *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth2
loopback        *               255.0.0.0       U     0      0        0 lo
I cannot see eth1 anywhere, and this is my external interface connected to my gateway.
When I restart my network and have stopped the firewall I see this when typing route:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.30.0       *               255.255.255.0   U     0      0        0 eth0
10.1.30.0       *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth2
loopback        *               255.0.0.0       U     0      0        0 lo
default         10.1.30.254     0.0.0.0         UG    1      0        0 eth1
I am planning to do away with my ISP line and only go via the wireless interface; this wireless connection is still under testing though.
Guys, I apologise for posting this twice. Once again, thank you so much for the brilliant program! You have really covered all ends.
Thank you guys and have a nice day!
Winston
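An added check, not part of Winston's post or of Shorewall, that parses the ip addr show listing quoted above and reports interfaces whose IPv4 subnets overlap; in that listing eth0 and eth1 are both in 10.1.30.0/24, which is why the route table shows two connected routes for one prefix. The sample input is the post's own output with the mail link artifacts removed; the function names are my own.

```python
import ipaddress
from itertools import combinations

# Constructed sample: the interface listing from the post above, with the
# "<http://...>" mail artifacts removed so it parses like real ip output.
IP_ADDR_SHOW = """\
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:3c:7c:47 brd ff:ff:ff:ff:ff:ff
    inet 10.1.30.252/24 brd 10.1.30.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:3c:7c:55 brd ff:ff:ff:ff:ff:ff
    inet 10.1.30.1/24 brd 10.1.30.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:b3:28:67:87 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.22/24 brd 192.168.1.255 scope global eth2
"""


def parse_inet(text):
    """Return [(ifname, ip_interface)] for every IPv4 'inet' line.

    The interface label is the last token of an inet line; the address
    with its prefix length is the second token.
    """
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "inet":
            found.append((parts[-1], ipaddress.ip_interface(parts[1])))
    return found


def overlapping_interfaces(text):
    """Return (ifA, netA, ifB, netB) for each pair of distinct interfaces
    whose subnets overlap (identical, or one contained in the other)."""
    hits = []
    for (name_a, a), (name_b, b) in combinations(parse_inet(text), 2):
        if name_a != name_b and a.network.overlaps(b.network):
            hits.append((name_a, str(a.network), name_b, str(b.network)))
    return hits


if __name__ == "__main__":
    for name_a, net_a, name_b, net_b in overlapping_interfaces(IP_ADDR_SHOW):
        print(f"{name_a} ({net_a}) and {name_b} ({net_b}) share a subnet")
```

Two interfaces in one subnet give the kernel two connected routes for the same prefix, and a firewall that assigns zones by interface cannot tell the two apart, so the check is worth running before writing zone rules.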