Hi all,

I just started having a strange problem with my network connections recently, and hope someone here could give me an idea what is happening. I've been using shorewall for a while now on this one machine, but suddenly, I cannot browse the internet from the loc zone. I haven't changed anything and I can still ping the internet, use ssh, voip, and other services from this zone without issues. I can also access internet web pages from the dmz without issues. I've attached a shorewall status; if you need any further info, please let me know.

Thanks in advance,
Daniel
On Friday 09 December 2005 10:58, Shorewall List wrote:
> Hi all,
>
> I just started having a strange problem with my network connections
> recently, and hope someone here could give me an idea what is happening.
> I've been using shorewall for a while now on this one machine, but
> suddenly, I cannot browse the internet from the loc zone. I haven't
> changed anything and I can still ping the internet, use ssh, voip, and
> other services from this zone without issues. I can also access internet
> web pages from the dmz without issues. I've attached a shorewall status;
> if you need any further info, please let me know.

Looks like something must be wrong with your Web Proxy running on
192.168.2.250. HTTP connection requests are being forwarded to that system
per your DNAT rule:

Chain loc2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
 ...
    6   360 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.250       tcp dpt:80

But no new connections (in fact no traffic at all) from the dmz to the
internet:

Chain dmz2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

BTW: It is silly to have dmz->net ACCEPT rules when your dmz->net policy is
ACCEPT.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Friday 09 December 2005 11:05, Tom Eastep wrote:
> On Friday 09 December 2005 10:58, Shorewall List wrote:
> > Hi all,
> >
> > I just started having a strange problem with my network connections
> > recently, and hope someone here could give me an idea what is happening.
> > I've been using shorewall for a while now on this one machine, but
> > suddenly, I cannot browse the internet from the loc zone. I haven't
> > changed anything and I can still ping the internet, use ssh, voip, and
> > other services from this zone without issues. I can also access internet
> > web pages from the dmz without issues. I've attached a shorewall status;
> > if you need any further info, please let me know.
>
> Looks like something must be wrong with your Web Proxy running on
> 192.168.2.250. HTTP connection requests are being forwarded to that system
> per your DNAT rule:
>
> Chain loc2dmz (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>  ...
>     6   360 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.250       tcp dpt:80
>
> But no new connections (in fact no traffic at all) from the dmz to the
> internet:

Here's more evidence:

tcp      6 8 SYN_SENT src=192.168.1.98 dst=66.102.7.147 sport=34806 dport=80 [UNREPLIED] src=192.168.2.250 dst=192.168.1.98 sport=80 dport=34806 use=1

This indicates that the SYN (connection request) was forwarded to
192.168.2.250 but that no reply has been returned. Is 192.168.2.250 running
a firewall that is dropping connection requests on port 80? Or is
192.168.2.250 dual-homed with an interface on the 192.168.1.0/24 network?

-Tom
Tom,

192.168.2.250 actually runs an apache server that I've set to be accessible from the internet and loc zone, using rules:

DNAT net dmz:192.168.2.250:80 tcp 80
DNAT loc dmz:192.168.2.250:80 tcp 80 - $ETH0_IP

192.168.2.250 is running shorewall 2.4.2, with one zone, net, which has the rule:

ACCEPT net fw tcp 80

FYI, this server is not online at the moment, and it wasn't when I created the shorewall dump. Strangely, web traffic was working fine last night, and this morning it wasn't. I've disabled all DNAT rules to the dmz at the moment, but maybe you could give me an idea of exactly which rule was redirecting the http traffic.

Thanks for your help,
Daniel

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Friday, December 09, 2005 11:40 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Connection problems from loc zone
Hi,

Forgot to mention that disabling all the DNAT -> dmz rules has corrected the issue, but I'm not sure as to which rule was the real culprit...

Thank you,
Daniel
On Friday 09 December 2005 12:02, Shorewall List wrote:
> Hi,
>
> Forgot to mention that disabling all the DNAT -> dmz rules has corrected
> the issue, but I'm not sure as to which rule was the real culprit...

NONE of your DNAT rules with 'loc' in the SOURCE zone specified an ORIGINAL
DEST. So it looks like the ETH0_IP shell variable was empty in this rule:

> DNAT loc dmz:192.168.2.250:80 tcp 80 - $ETH0_IP

-Tom
On Friday 09 December 2005 12:10, Tom Eastep wrote:
> On Friday 09 December 2005 12:02, Shorewall List wrote:
> > Hi,
> >
> > Forgot to mention that disabling all the DNAT -> dmz rules has corrected
> > the issue, but I'm not sure as to which rule was the real culprit...
>
> NONE of your DNAT rules with 'loc' in the SOURCE zone specified an ORIGINAL
> DEST. So it looks like the ETH0_IP shell variable was empty in this rule:
>
> > DNAT loc dmz:192.168.2.250:80 tcp 80 - $ETH0_IP
>

I notice that you are running Shorewall 3.0.2 -- If you recently upgraded
from a version of Shorewall earlier than 2.2.0. If this is the case then
you may be setting ETH0_IP like this:

ETH0_IP=`find_interface_address eth0`

when you now need to set it using this statement:

ETH0_IP=`find_first_interface_address eth0`

That change is described in the 2.2.0 release notes but not in the 2.4.0 or
3.0.0 notes.

-Tom
On Friday 09 December 2005 14:37, Tom Eastep wrote:
> On Friday 09 December 2005 12:10, Tom Eastep wrote:
> > On Friday 09 December 2005 12:02, Shorewall List wrote:
> > > Hi,
> > >
> > > Forgot to mention that disabling all the DNAT -> dmz rules has
> > > corrected the issue, but I'm not sure as to which rule was the real
> > > culprit...
> >
> > NONE of your DNAT rules with 'loc' in the SOURCE zone specified an
> > ORIGINAL DEST. So it looks like the ETH0_IP shell variable was empty in
> > this rule:
> >
> > > DNAT loc dmz:192.168.2.250:80 tcp 80 - $ETH0_IP
>
> I notice that you are running Shorewall 3.0.2 -- If you recently upgraded
> from a version of Shorewall earlier than 2.2.0. If this is the case then
> you may be setting ETH0_IP like this:

The above is worthy of an award for fractured syntax but hopefully you
understood what I meant:

"I notice that you are running Shorewall 3.0.2 -- If you recently upgraded
from a version of Shorewall earlier than 2.2.0 then you may be setting
ETH0_IP like this:"

-Tom
Tom,

As always, your wisdom is greatly appreciated!

Thank you,
Daniel