I struggled mightily to get the kernel on our CentOS 4.3 box to the 2.6 tree and gave up and formatted the drive and installed FC 5 and updated its kernel, so we now have Policy Match functionality.

Our setup: we have 2 ISPs (3 NICs, 1 for each ISP and the third as DMZ). We have multiple public IPs for both ISPs and each IP we have bound to the relevant NIC. Each IP is then DNAT'd to the relevant server in the DMZ, which has a private IP.

Our goal: to enable a server to be accessible via a specific public IP from either ISP.

We have all firewall rules set up and the Providers and Masquerade files set up, and it works beautifully for a single public IP on each ISP. My question is how do I add the other public IPs in the Masquerade file. I followed the example in adding the primary IP of each only, and these are the only IPs that are then accessible/respond. The others are no longer accessible?

I have basically straight out of the docs each interface masq to each other (obviously using the relevant public IPs from each ISP on our network rather than those in the docs as below):

    eth0 130.252.99.27 206.124.146.176
    eth1 206.124.146.176 130.252.99.27

I even tried simply

    eth0 eth1
    eth1 eth0

with the same results as above.

Any guidance on this would be appreciated as we are so close on this right now; it is truly amazing the power of Shorewall with such little configuration!
Admin Pro Tools wrote:
> I struggled mightily to get the kernel on our CentOS 4.3 box to the 2.6 tree and
> gave up and formatted the drive and installed FC 5 and updated its kernel so
> we now have Policy Match functionality.
>
> Our setup, we have 2 ISPs (3 NICs, 1 for each ISP and third as DMZ)
> We have multiple public IP's for both ISPs and each IP we have bound to the
> relevant NIC
> Each IP is then DNAT'd to the relevant server in the DMZ which has a private
> IP.

That is a single dmz? or one for each isp?

> Our goal
> To enable a server to be accessible via a specific public IP from either
> ISP.
>
> We have all firewall rules setup and the Providers and Masquerade file setup
> and it works beautifully for a single public IP on each ISP.
> My question is how do I add the other public IPs in the Masquerade file. I
> followed the example in adding the primary IP of each only and these are the
> only IP's that are then accessible/respond. The others are no longer
> accessible?
>
> I have basically straight out of the docs each interface masq to each other
> (obviously using the relevant public IP's from each ISP on our network
> rather than those in the docs as below)
>
> eth0 130.252.99.27 206.124.146.176
> eth1 206.124.146.176 130.252.99.27
>
> I even tried simply
> eth0 eth1
> eth1 eth0
>
> with same results as above
>
> Any guidance on this would be appreciated as we are so close on this right
> now, it is truly amazing the power of Shorewall with such little
> configuration!

Best is if you tar up your config and a "shorewall dump" then post it. This can get a bit involved, and what you posted is not enough information.

Jerry
I tried attaching my config tar'd but it got rejected. I will list here in text the main files I have changed.

I appreciate very much your willingness to help with this; I have attached the entire etc/shorewall directory. I have explained my scenario below: eth0 and eth1 both have multiple IPs assigned to them. I have removed almost all my firewall rules, as when I was having an issue I thought I'd go back to basics to help troubleshoot; however, there is simply a bunch of other DNAT rules for each server and service located in the DMZ.

My shorewall dump is below (using fc5 and shorewall 3.0.6-1).

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Connmark Match: Available
   Raw Table: Available
   CLASSIFY Target: Available

## ZONES
fw      firewall
net     ipv4
dmz     ipv4

## INTERFACES
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter,tcpflags,logmartians,nosmurfs
net     eth1        detect      norfc1918,routefilter,tcpflags,logmartians,nosmurfs
dmz     eth3        detect      tcpflags,nosmurfs

## POLICY
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
dmz     net     ACCEPT
dmz     $FW     REJECT  info
dmz     all     REJECT  info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW     net     REJECT  info
$FW     loc     REJECT  info
$FW     all     REJECT  info
#
# Policies for traffic originating from the Internet zone (net)
#
net     $FW     DROP    info
net     loc     DROP    info
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

### MASQ
#INTERFACE   SUBNET           ADDRESS          PROTO   PORT(S)   IPSEC
eth0         216.215.XXX.XX   69.15.XXX.XX
eth1         69.15.XXX.XX     216.215.XXX.XX
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

## RULES
#All DMZ connections to net are allowed
ACCEPT        dmz   net
#
###### DNS Requests allowed ######
#
DNS/ACCEPT    $FW   net
DNS/ACCEPT    dmz   net
DNS/ACCEPT    dmz   $FW
#
##### PING OK ######
#
Ping/ACCEPT   dmz   net
Ping/ACCEPT   dmz   $FW
Ping/ACCEPT   net   $FW
Ping/ACCEPT   $FW   net
#
##### Web browsing allowed from FW/loc #####
#
Web/ACCEPT    $FW   net
Web/ACCEPT    dmz   net
#
#
#### Webmin #####
#
ACCEPT        net   $FW   tcp   10000
ACCEPT        loc   $FW   tcp   10000
#
# DMZ Servers Config
ACCEPT        net   dmz                tcp   80
DNAT          net   dmz:192.168.2.45   tcp   80   -   69.15.XXX.XX
DNAT          net   dmz:192.168.2.45   tcp   80   -   216.215.XXX.XX
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

On 4/14/06, Jerry Vonau <jvonau@shaw.ca> wrote:
> That is a single dmz? or one for each isp?
>
> Best is if you tar up your config and a "shorewall dump" then post it..
> This can get a bit involved, and what you posted is not enough
> information.
>
> Jerry
Admin Pro Tools wrote:
> I tried attaching my config tar'd but it got rejected. I will list here in
> text the main files I have changed
>
> I appreciate very much your willingness to help with this, I have
> attached the entire etc/shorewall directory. I have explained my
> scenario below, eth0 and eth1 both have multiple IP's assigned to
> them. I have removed almost all my firewall rules as when I was having
> an issue I thought I'd go back to basics to help troubleshoot, however
> there is simply a bunch of other DNAT rules for each server and
> service located in the DMZ.
>
> My shorewall dump is below (using fc5 and shorewall 3.0.6-1)

<snip>

> ###MASQ
> #INTERFACE   SUBNET           ADDRESS          PROTO   PORT(S)   IPSEC
> eth0         216.215.XXX.XX   69.15.XXX.XX
> eth1         69.15.XXX.XX     216.215.XXX.XX
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Off the top of my head, if you're using DNAT, as below, you have not MASQ'd the return traffic; you're missing something like:

eth0 192.168.2.0/24 69.15.XXX.XX
eth1 192.168.2.0/24 216.215.XXX.XX

> ##RULES
> #All DMZ connections to net are allowed
> ACCEPT        dmz   net
> #
> ###### DNS Requests allowed ######
> #
> DNS/ACCEPT    $FW   net
> DNS/ACCEPT    dmz   net
> DNS/ACCEPT    dmz   $FW
> #
> ##### PING OK ######
> #
> Ping/ACCEPT   dmz   net
> Ping/ACCEPT   dmz   $FW
> Ping/ACCEPT   net   $FW
> Ping/ACCEPT   $FW   net
> #
> ##### Web browsing allowed from FW/loc #####
> #
> Web/ACCEPT    $FW   net
> Web/ACCEPT    dmz   net
> #
> #
> #### Webmin #####
> #
> ACCEPT        net   $FW   tcp   10000
> ACCEPT        loc   $FW   tcp   10000
> #
> # DMZ Servers Config
> ACCEPT        net   dmz                tcp   80
> DNAT          net   dmz:192.168.2.45   tcp   80   -   69.15.XXX.XX
> DNAT          net   dmz:192.168.2.45   tcp   80   -   216.215.XXX.XX
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

You're not using the NAT file, are you? How did you set up the providers file?

The whole "shorewall dump" provides much more detail of how you have configured shorewall and the network interfaces on your system.

Jerry
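A configuration cross-check for the point Jerry raises above, written as an added example (it is not Shorewall's code and was not posted in the thread): it parses a masq file and a rules file in the Shorewall 3.x column layout and reports which masq lines the DNAT rules require but the masq file lacks. The interface networks are taken from the "IP Configuration" section of the dump posted later in the thread; the file contents and the extra .37/.99 alias addresses are constructed stand-ins for the poster's masked XXX values. The interface is derived from which public network contains the address rather than from how the lines were hand-paired, so an entry that pairs an address with the wrong ISP interface is flagged as well.

```python
"""Cross-check /etc/shorewall/masq against the DNAT rules in /etc/shorewall/rules
(Shorewall 3.x column layout). Added example, not Shorewall's own code. The
interface networks come from the dump's "IP Configuration"; the file contents
below and the .37/.99 alias addresses are constructed stand-ins."""
import ipaddress

# Which ISP interface owns which public network (taken from the dump).
PUBLIC_NETS = {
    "eth0": ipaddress.ip_network("216.215.164.32/28"),
    "eth1": ipaddress.ip_network("69.15.105.96/27"),
}
DMZ_SUBNET = ipaddress.ip_network("192.168.2.0/24")

# Constructed masq file in the poster's shape: INTERFACE SUBNET ADDRESS.
MASQ_TEXT = """\
#INTERFACE  SUBNET          ADDRESS         PROTO   PORT(S)   IPSEC
eth0        69.15.105.98    216.215.164.36
eth1        216.215.164.36  69.15.105.98
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

# Constructed rules file; ORIGINAL DEST is the seventh column.
RULES_TEXT = """\
#ACTION  SOURCE  DEST              PROTO  DPORT  SPORT  ORIGINAL_DEST
ACCEPT   net     dmz               tcp    80
DNAT     net     dmz:192.168.2.45  tcp    80     -      69.15.105.98
DNAT     net     dmz:192.168.2.45  tcp    80     -      216.215.164.36
DNAT     net     dmz:192.168.2.46  tcp    25     -      69.15.105.99
DNAT     net     dmz:192.168.2.46  tcp    25     -      216.215.164.37
"""


def _columns(text):
    """Yield the whitespace-split columns of every non-comment, non-empty line."""
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if body:
            yield body.split()


def parse_masq(text):
    """Return (interface, subnet, address) per masq entry; '-' where a column is absent."""
    entries = []
    for cols in _columns(text):
        cols += ["-"] * (3 - len(cols))
        entries.append((cols[0], cols[1], cols[2]))
    return entries


def dnat_original_dests(text):
    """Return the ORIGINAL DEST address of every DNAT rule, in file order."""
    return [cols[6] for cols in _columns(text)
            if cols[0].startswith("DNAT") and len(cols) >= 7 and cols[6] != "-"]


def iface_for(address):
    """Pick the ISP interface whose public network contains the address."""
    ip = ipaddress.ip_address(address)
    for iface, net in PUBLIC_NETS.items():
        if ip in net:
            return iface
    raise ValueError(f"{address} is in no configured ISP network")


def covers_dmz(subnet):
    """True when a masq SUBNET column covers the whole DMZ network."""
    try:
        return DMZ_SUBNET.subnet_of(ipaddress.ip_network(subnet, strict=False))
    except (ValueError, TypeError):
        return False  # '-', an interface name, or a masked XXX value


def missing_masq_entries(masq_text, rules_text):
    """Masq lines the DNAT rules need but the masq file does not provide.

    For each ORIGINAL DEST address, the DMZ subnet must be SNAT'd to that
    address on the interface that owns it; otherwise the DMZ host's own
    outbound traffic via that ISP leaves with its private source address."""
    have = parse_masq(masq_text)
    missing = []
    for address in dnat_original_dests(rules_text):
        iface = iface_for(address)
        if not any(i == iface and a == address and covers_dmz(s)
                   for i, s, a in have):
            line = f"{iface} {DMZ_SUBNET} {address}"
            if line not in missing:
                missing.append(line)
    return missing


def fixed_masq(masq_text, rules_text):
    """Return the masq text with the missing lines appended."""
    extra = missing_masq_entries(masq_text, rules_text)
    return masq_text + "".join(line + "\n" for line in extra)


if __name__ == "__main__":
    for line in missing_masq_entries(MASQ_TEXT, RULES_TEXT):
        print("missing:", line)
```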
On Thursday 20 April 2006 05:40, Admin Pro Tools wrote:
> My shorewall dump is below (using fc5 and shorewall 3.0.6-1)

Where?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Excellent. I do not have those masq entries; however, this was working without them. My issue was that I have multiple (external) IPs on eth0 & eth1 and the only traffic being accepted was from the 2 public IPs I had listed in the masq file. I was unsure how to list the others (if necessary). I have removed all these extra IPs for now while I start from scratch, but I have them normally added as eth0:1, eth0:2, etc. and eth1:1, eth1:2, etc.

I apologize for the long post; here is my entire dump below.

Counters reset Mon Apr 3 18:06:33 EDT 2006

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
23454   16M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 18541 packets, 9136K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 2086 2979K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
  100 12979 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
18263   13M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
 1683 80784 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10000
 1322  163K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

NAT Table

Chain PREROUTING (policy ACCEPT 3006 packets, 244K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 78 packets, 5099 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 78 packets, 5099 bytes)
 pkts bytes target     prot opt in     out     source               destination

Mangle Table

Chain PREROUTING (policy ACCEPT 23450 packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 23450 packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 18537 packets, 9130K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 18613 packets, 9140K bytes)
 pkts bytes target     prot opt in     out     source               destination
IP Configuration

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:13:46:8e:56:d1 brd ff:ff:ff:ff:ff:ff
    inet 216.215.164.36/28 brd 216.215.164.47 scope global eth0
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:13:46:8e:56:02 brd ff:ff:ff:ff:ff:ff
    inet 69.15.105.98/27 brd 69.15.105.127 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:8d:71:cd:ad brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth2
    inet 192.168.3.10/24 brd 192.168.3.255 scope global eth2
    inet6 fe80::250:8dff:fe71:cdad/64 scope link
       valid_lft forever preferred_lft forever
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0d:88:2d:54:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth3
6: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

/proc

/proc/version = Linux version 2.6.16-1.2080_FC5 (bhcompile@hs20-bc1-5.build.redhat.com) (gcc version 4.1.0 20060304 (Red Hat 4.1.0-3)) #1 Tue Mar 28 03:38:34 EST 2006
/proc/sys/net/ipv4/ip_forward = 0
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 1
/proc/sys/net/ipv4/conf/default/log_martians = 0
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 1
/proc/sys/net/ipv4/conf/eth0/log_martians = 0
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 1
/proc/sys/net/ipv4/conf/eth1/log_martians = 0
/proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth2/arp_filter = 0
/proc/sys/net/ipv4/conf/eth2/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth2/rp_filter = 1
/proc/sys/net/ipv4/conf/eth2/log_martians = 0
/proc/sys/net/ipv4/conf/eth3/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth3/arp_filter = 0
/proc/sys/net/ipv4/conf/eth3/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth3/rp_filter = 1
/proc/sys/net/ipv4/conf/eth3/log_martians = 0
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 0

Routing Rules

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Table default:

Table local:

broadcast 192.168.3.0 dev eth2 proto kernel scope link src 192.168.3.10
broadcast 192.168.2.255 dev eth3 proto kernel scope link src 192.168.2.1
broadcast 192.168.1.0 dev eth2 proto kernel scope link src 192.168.1.10
local 216.215.164.36 dev eth0 proto kernel scope host src 216.215.164.36
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 69.15.105.127 dev eth1 proto kernel scope link src 69.15.105.98
broadcast 216.215.164.32 dev eth0 proto kernel scope link src 216.215.164.36
local 192.168.2.1 dev eth3 proto kernel scope host src 192.168.2.1
broadcast 192.168.3.255 dev eth2 proto kernel scope link src 192.168.3.10
broadcast 192.168.2.0 dev eth3 proto kernel scope link src 192.168.2.1
broadcast 192.168.1.255 dev eth2 proto kernel scope link src 192.168.1.10
broadcast 216.215.164.47 dev eth0 proto kernel scope link src 216.215.164.36
local 192.168.3.10 dev eth2 proto kernel scope host src 192.168.3.10
local 192.168.1.10 dev eth2 proto kernel scope host src 192.168.1.10
broadcast 69.15.105.96 dev eth1 proto kernel scope link src 69.15.105.98
local 69.15.105.98 dev eth1 proto kernel scope host src 69.15.105.98
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

Table main:

216.215.164.32/28 dev eth0 proto kernel scope link src 216.215.164.36
69.15.105.96/27 dev eth1 proto kernel scope link src 69.15.105.98
192.168.3.0/24 dev eth2 proto kernel scope link src 192.168.3.10
192.168.2.0/24 dev eth3 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.10
169.254.0.0/16 dev eth2 scope link
default via 192.168.3.1 dev eth2

ARP

? (192.168.3.1) at 00:09:5B:1F:8E:ED [ether] on eth2
? (192.168.3.17) at 00:0F:B0:6B:DE:FB [ether] on eth2

Modules

ip_conntrack_ftp 7601 0
ip_conntrack_netbios_ns 3009 0
iptable_nat 8133 0
ip_nat 16621 1 iptable_nat
iptable_mangle 2881 0
ipt_REJECT 5441 1
ip_conntrack 49261 5 ip_conntrack_ftp,ip_conntrack_netbios_ns,iptable_nat,ip_nat,xt_state
iptable_filter 3137 1
ip_tables 11657 3 iptable_nat,iptable_mangle,iptable_filter

On 4/20/06, Jerry Vonau <jvonau@shaw.ca> wrote:
> Off the top of my head, if you're using DNAT, as below, you have not
> MASQ'd the return traffic, you're missing something like:
>
> eth0 192.168.2.0/24 69.15.XXX.XX
> eth1 192.168.2.0/24 216.215.XXX.XX
>
> You're not using the NAT file are you?
> How did you setup the providers file?
>
> The whole "shorewall dump" provides much more detail of how you have
> configured shorewall and the network interfaces on your system.
>
> Jerry
Admin Pro Tools wrote:
> Excellent, I do not have those masq entries however this was working without them, my issue was that I have multiple IP's (external) on eth0 & eth1 and the only traffic being accepted was from the 2 public IP's I had listed in the masq file. I was unsure how to list the others (if necessary). I have removed all these extra IP's for now while I start from scratch but I have them normally added as eth0:1, eth0:2, etc and eth1:1, eth1:2 etc
> I apologize for the long post - here is my entire dump below

please review:

http://www.shorewall.net/shorewall_setup_guide.htm
http://www.shorewall.net/three-interface.htm
http://www.shorewall.net/MultiISP.html

> Counters reset Mon Apr 3 18:06:33 EDT 2006
>
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 23454   16M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

You have fedora's firewall configured (at least started). You need to stop the iptables "service" and then use chkconfig to disable its startup. Then start shorewall: "/sbin/shorewall start". Perhaps you might want to post what you think should be in your config files, and we can try to spot any potential problems or omissions.

> Chain OUTPUT (policy ACCEPT 18541 packets, 9136K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>  2086 2979K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
>     0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
>   100 12979 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
> 18263   13M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
>  1683 80784 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10000
>  1322  163K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
>
> <snip>
>
> Routing Rules
>
> 0:      from all lookup local
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> Table default:
>
>
> Table local:
>
> broadcast 192.168.3.0 dev eth2 proto kernel scope link src 192.168.3.10
> broadcast 192.168.2.255 dev eth3 proto kernel scope link src 192.168.2.1
> broadcast 192.168.1.0 dev eth2 proto kernel scope link src 192.168.1.10
> local 216.215.164.36 dev eth0 proto kernel scope host src 216.215.164.36
> broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
> broadcast 69.15.105.127 dev eth1 proto kernel scope link src 69.15.105.98
> broadcast 216.215.164.32 dev eth0 proto kernel scope link src 216.215.164.36
> local 192.168.2.1 dev eth3 proto kernel scope host src 192.168.2.1
> broadcast 192.168.3.255 dev eth2 proto kernel scope link src 192.168.3.10
> broadcast 192.168.2.0 dev eth3 proto kernel scope link src 192.168.2.1
> broadcast 192.168.1.255 dev eth2 proto kernel scope link src 192.168.1.10
> broadcast 216.215.164.47 dev eth0 proto kernel scope link src 216.215.164.36
> local 192.168.3.10 dev eth2 proto kernel scope host src 192.168.3.10
> local 192.168.1.10 dev eth2 proto kernel scope host src 192.168.1.10
> broadcast 69.15.105.96 dev eth1 proto kernel scope link src 69.15.105.98
> local 69.15.105.98 dev eth1 proto kernel scope host src 69.15.105.98
> broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
> local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
> local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
>
> Table main:
>
> 216.215.164.32/28 dev eth0 proto kernel scope link src 216.215.164.36
> 69.15.105.96/27 dev eth1 proto kernel scope link src 69.15.105.98
> 192.168.3.0/24 dev eth2 proto kernel scope link src 192.168.3.10
> 192.168.2.0/24 dev eth3 proto kernel scope link src 192.168.2.1
> 192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.10
> 169.254.0.0/16 dev eth2 scope link
> default via 192.168.3.1 dev eth2

Shorewall is not started... No "shorewall chain" or advanced routing is present in this dump.

Jerry
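Jerry's diagnosis above rests on two things visible in the dump: the filter chains belong to Fedora's own firewall (RH-Firewall-1-INPUT) rather than to Shorewall, and the "Routing Rules" section lists only the three rules every kernel has, so no provider tables were ever installed. The following is an added example, not code from the thread or from Shorewall, that applies those two checks to a dump mechanically. It assumes the `iptables -L -v -n` and `ip rule` layout shown in the thread, that Shorewall names its zone-pair chains like `net2fw` or `dmz2net` (a heuristic, not a complete list of Shorewall chains), and the sample texts are constructed, with RFC 5737 documentation addresses standing in for real ones.

```python
"""Spot a dump in which the distro firewall is loaded and Shorewall is not.

Added example for the Shorewall-users thread; not Shorewall code.  The two
sample dumps below are constructed: SAMPLE_DUMP is trimmed from the thread,
STARTED_DUMP is an assumed shape for a running Shorewall with one provider.
"""
import re

SAMPLE_DUMP = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
23454   16M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 1322  163K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Routing Rules

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
"""

STARTED_DUMP = """\
Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination

Routing Rules

0:      from all lookup local
1000:   from 203.0.113.36 lookup ISP1
32766:  from all lookup main
32767:  from all lookup default
"""

# Chain installed by Fedora/RHEL's system-config-firewall (seen in the thread's dump).
DISTRO_CHAINS = {"RH-Firewall-1-INPUT"}
# The three 'ip rule' priorities present on every Linux box, provider or not.
DEFAULT_RULE_PRIOS = {"0", "32766", "32767"}


def parse_chains(dump):
    """Return the set of chain names defined in an 'iptables -L -v -n' listing."""
    return set(re.findall(r"^Chain (\S+) ", dump, re.M))


def parse_rule_priorities(dump):
    """Return the 'ip rule' priorities listed under the 'Routing Rules' heading."""
    if "Routing Rules" not in dump:
        return set()
    section = dump.split("Routing Rules", 1)[1]
    return set(re.findall(r"^(\d+):\s+from", section, re.M))


def zone_pair_chains(chains):
    """Heuristic: Shorewall's per-zone-pair chains are named <zone>2<zone>, e.g. net2fw."""
    return {c for c in chains if re.fullmatch(r"[a-z0-9]+2[a-z0-9]+", c)}


def diagnose(dump):
    """Return a list of findings; an empty list means none of the three symptoms is present."""
    chains = parse_chains(dump)
    findings = []
    distro = chains & DISTRO_CHAINS
    if distro:
        findings.append("distro firewall chain present: " + ", ".join(sorted(distro)))
    if not zone_pair_chains(chains):
        findings.append("no Shorewall zone-pair chains (e.g. net2fw): Shorewall is not started")
    if not (parse_rule_priorities(dump) - DEFAULT_RULE_PRIOS):
        findings.append("only the default ip rules exist: no provider routing tables installed")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DUMP):
        print("-", finding)
```

Run against the thread's dump it reports all three findings; against the constructed started-Shorewall dump it reports none. The zone-pair check is deliberately a heuristic: a box with Shorewall running but no rules between any two zones could still trip it, so treat the output as a prompt to look at the dump, not as a verdict.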
I have followed your advice but have tried several times to re-post a new dump but have had no luck, it always seems to be rejected (message too large). I saved the attachment of the dump as tar.gz and it was only 4k and still got rejected. Do you have any advice on how to get this posted?

Thank you kindly for your help

On 4/20/06, Jerry Vonau <jvonau@shaw.ca> wrote:
> Admin Pro Tools wrote:
> > Excellent, I do not have those masq entries however this was working without them, my issue was that I have multiple IP's (external) on eth0 & eth1 and the only traffic being accepted was from the 2 public IP's I had listed in the masq file. I was unsure how to list the others (if necessary). I have removed all these extra IP's for now while I start from scratch but I have them normally added as eth0:1, eth0:2, etc and eth1:1, eth1:2 etc
> > I apologize for the long post - here is my entire dump below
>
> please review:
>
> http://www.shorewall.net/shorewall_setup_guide.htm
> http://www.shorewall.net/three-interface.htm
> http://www.shorewall.net/MultiISP.html
>
> > <snip>
>
> You have fedora's firewall configured (at least started). You need to stop the iptables "service" and then use chkconfig to disable its startup. Then start shorewall: "/sbin/shorewall start". Perhaps you might want to post what you think should be in your config files, and we can try to spot any potential problems or omissions.
>
> > <snip>
>
> Shorewall is not started... No "shorewall chain" or advanced routing is present in this dump.
>
> Jerry
Admin Pro Tools wrote:
> I have followed your advice but have tried several times to re-post a new dump but have had no luck, it always seems to be rejected (message too large). I saved the attachment of the dump as tar.gz and it was only 4k and still got rejected. Do you have any advice on how to get this posted?
>
> Thank you kindly for your help
>
> On 4/20/06, Jerry Vonau <jvonau@shaw.ca> wrote:

You could send it just to me, off list, at the above address I guess...

Jerry
Thanks to the wonderful advice and follow up from Jerry this appears to be resolved and we have our multi-ISP setup working as desired.

For those in a similar situation we have the following setup:

3 NICS
eth0 - ISP 1
eth1 - ISP 2
eth3 - DMZ
fedora FC5, Kernel 2.6.16

The key changes appeared to be

1. shorewall.conf (changed FASTACCEPT from No to Yes)

FASTACCEPT=Yes

2. Updated our masq file to also include the DMZ (eth2) masqueraded back to each NET interface

##MASQ File
## ISP1: 216.215.XXX.XX
## ISP 2: 69.15.XXX.XX
eth0 216.215.XXX.XX 69.15.XXX.XX
eth1 69.15.XXX.XX 216.215.164.39
eth0 192.168.2.0/24 216.215.XXX.XX
eth1 192.168.2.0/24 69.15.XXX.XX

3. Updated the Providers file to include the COPY FROM value. Set the ISP1 and ISP2 IP addresses to be the gateway address of each ISP as per the MultiISP docs

##providers File
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ISP1 1 1 main eth0 216.215.XXX.XX track,balance eth3
ISP2 2 2 main eth1 69.15.XXX.XX track,balance eth3
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Thanks again Jerry and the Shorewall team for such a wonderful product!

On 4/20/06, Jerry Vonau <jvonau@shaw.ca> wrote:
> Admin Pro Tools wrote:
> > I have followed your advice but have tried several times to re-post a new dump but have had no luck, it always seems to be rejected (message too large). I saved the attachment of the dump as tar.gz and it was only 4k and still got rejected. Do you have any advice on how to get this posted?
> >
> > Thank you kindly for your help
> >
> > On 4/20/06, Jerry Vonau <jvonau@shaw.ca> wrote:
>
> You could send it just to me, off list, at the above address I guess...
>
> Jerry
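The masq layout that finally worked above has two kinds of entries: the cross-ISP lines (`eth0 <ISP1 address> <ISP2 address>` and the reverse) and one line per provider interface for the DMZ network, so that a connection a DMZ host originates leaves via either ISP with that ISP's address as its source. The following is an added example, not part of the thread or of Shorewall, that cross-checks a rules file against a masq file for exactly that: every internal host a DNAT rule forwards to should lie inside a masq SUBNET on each provider interface. Both files are constructed and use RFC 5737 documentation addresses in place of the thread's masked IPs; the interface names and the column layout (INTERFACE SUBNET ADDRESS) follow the thread. As Tom points out further down, masq entries govern outgoing connections only, so a gap this check finds explains DMZ hosts that cannot reach out consistently, not public IPs that fail to answer inbound.

```python
"""Cross-check Shorewall 'rules' DNAT targets against 'masq' coverage.

Added example for the Shorewall-users thread; not Shorewall code.  The masq
and rules texts are constructed; addresses are RFC 5737 documentation ranges.
"""
import ipaddress

# Constructed masq file (INTERFACE SUBNET ADDRESS), mirroring the final layout above.
MASQ_FILE = """\
##MASQ File
## ISP1: 203.0.113.36
## ISP2: 198.51.100.98
eth0 203.0.113.36 198.51.100.98
eth1 198.51.100.98 203.0.113.36
eth0 192.168.2.0/24 203.0.113.36
eth1 192.168.2.0/24 198.51.100.98
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

# Constructed rules file: one DNAT per public IP/service, as the thread describes.
# The last line forwards to a host outside the DMZ subnet, which the check should flag.
RULES_FILE = """\
DNAT net dmz:192.168.2.45 tcp 80 - 203.0.113.36
DNAT net dmz:192.168.2.45 tcp 80 - 198.51.100.98
DNAT net dmz:192.168.2.17 tcp 443 - 203.0.113.37
DNAT net loc:192.168.1.20 tcp 22 - 198.51.100.99
"""

# The two NET interfaces named in the providers file (assumed, per the thread).
PROVIDER_IFACES = ("eth0", "eth1")


def parse_masq(text):
    """Return (interface, network, snat_address) for each non-comment masq line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        iface, subnet = fields[0], fields[1]
        addr = fields[2] if len(fields) > 2 else None   # no ADDRESS means plain MASQUERADE
        entries.append((iface, ipaddress.ip_network(subnet, strict=False), addr))
    return entries


def parse_dnat_targets(text):
    """Return the set of internal host addresses that DNAT rules forward to."""
    targets = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].upper().startswith("DNAT"):
            # DEST column is zone:host[:port]; keep only the host part.
            _zone, _, host = fields[2].partition(":")
            if host:
                targets.add(ipaddress.ip_address(host.split(":")[0]))
    return targets


def uncovered_targets(masq_text, rules_text, ifaces=PROVIDER_IFACES):
    """Map each DNAT target to the provider interfaces that have no masq entry covering it."""
    masq = parse_masq(masq_text)
    report = {}
    for host in sorted(parse_dnat_targets(rules_text)):
        missing = [i for i in ifaces
                   if not any(iface == i and host in net for iface, net, _ in masq)]
        if missing:
            report[str(host)] = missing
    return report


if __name__ == "__main__":
    for host, ifaces in uncovered_targets(MASQ_FILE, RULES_FILE).items():
        print(f"{host}: no masq entry on {', '.join(ifaces)}")
```

On the constructed input the two DMZ hosts are covered on both interfaces and only 192.168.1.20 is reported, because nothing masquerades 192.168.1.0/24 on either provider. Feeding it the real files is a quick way to confirm that adding IP aliases (eth0:1, eth0:2, ...) changes nothing here: aliases are not interfaces, and the SUBNET column is what has to cover the internal hosts.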
On Thursday 20 April 2006 15:40, Admin Pro Tools wrote:
> The key changes appeared to be
>
> 1. shorewall.conf (changed FASTACCEPT from No to Yes)
> FASTACCEPT=Yes

I'm curious to hear what problem you feel was solved by that change.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
To be honest it may not have solved the problem, it could have been solved before I made that change as I was testing from within 1 side of the firewall. This was simply a suggestion passed on to me by Jerry, everything else he suggested worked like a charm so I added it just in case. I have just tested now setting it back to No and it had no noticeable effect so it is most probably not very relevant.

On 4/20/06, Tom Eastep <teastep@shorewall.net> wrote:
> On Thursday 20 April 2006 15:40, Admin Pro Tools wrote:
> > The key changes appeared to be
> >
> > 1. shorewall.conf (changed FASTACCEPT from No to Yes)
> > FASTACCEPT=Yes
>
> I'm curious to hear what problem you feel was solved by that change.
>
> -Tom
> --
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
> PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
I added last night the additional public IP's to each interface and went live and I was right back where I started (no external IP's responded), so there is still something unfortunately I am missing, which leads me back to my original question: should the masq file have references to each IP for each interface? So I have multiple IP's on each interface but only list the first IP from each NET interface in the MASQ file; if I should be listing each one somehow, I am confused about the format. If I should be looking elsewhere please send me searching.

The only difference from yesterday (working) and to live (not working) was that I added roughly 15 public IPs to eth0 & eth1 whereas in testing I was using 2 public IP's on each that were not currently in use (I am working with a live environment so it is hard to fully test the entire live scenario without bringing all our servers down).

##MASQ File
## ISP1: 216.215.XXX.XX
## ISP 2: 69.15.XXX.XX
# eth0 216.215.XXX.XX
# eth0:1 216.215.XXX.X1
# eth0:2 216.215.XXX.X2
# ... etc
# eth1 69.15.XXX.XX
# eth1:1 69.15.XXX.X1
# eth2:2 69.15.XXX.X2
# ... etc
eth0 216.215.XXX.XX 69.15.XXX.XX
eth1 69.15.XXX.XX 216.215.XXX.XX
eth0 192.168.2.0/24 216.215.XXX.XX
eth1 192.168.2.0/24 69.15.XXX.XX

On 4/20/06, Admin Pro Tools <adminprotools@gmail.com> wrote:
> To be honest it may not have solved the problem, it could have been solved before I made that change as I was testing from within 1 side of the firewall. This was simply a suggestion passed on to me by Jerry, everything else he suggested worked like a charm so I added it just in case. I have just tested now setting it back to No and it had no noticeable effect so it is most probably not very relevant.
>
> On 4/20/06, Tom Eastep <teastep@shorewall.net> wrote:
> > On Thursday 20 April 2006 15:40, Admin Pro Tools wrote:
> > > The key changes appeared to be
> > >
> > > 1. shorewall.conf (changed FASTACCEPT from No to Yes)
> > > FASTACCEPT=Yes
> >
> > I'm curious to hear what problem you feel was solved by that change.
> >
> > -Tom
> > --
> > Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline,       \ http://shorewall.net
> > Washington USA    \ teastep@shorewall.net
> > PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Fri, April 21, 2006 12:27, Admin Pro Tools wrote:
> I added last night the additional public IP's to each interface and went live and I was right back where I started (no external IP's responded) so there is still something unfortunately I am missing which leads me back to my original question, should the masq file have references to each IP for each interface.

The MASQ file has absolutely nothing to do with "no external IP's responded", assuming that means you are having problems with connections from the internet. Entries in the /etc/shorewall/masq file are used for OUTGOING connection requests only.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
OK, so even if the MASQ file was misconfigured you should still be able to see all public IP's? (assuming they are configured correctly and the rules allow it)

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Friday, April 21, 2006 3:43 PM
To: shorewall-users@lists.sourceforge.net
Cc: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Re: MASQ Help (Multi-ISP setup)

On Fri, April 21, 2006 12:27, Admin Pro Tools wrote:
> I added last night the additional public IP's to each interface and went live and I was right back where I started (no external IP's responded) so there is still something unfortunately I am missing which leads me back to my original question, should the masq file have references to each IP for each interface.

The MASQ file has absolutely nothing to do with "no external IP's responded", assuming that means you are having problems with connections from the internet. Entries in the /etc/shorewall/masq file are used for OUTGOING connection requests only.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Fri, April 21, 2006 13:12, Admin Pro Tools wrote:
> OK, so even if the MASQ file was misconfigured you should still be able to see all public IP's? (assuming they are configured correctly and the rules allow it)

Well -- what does "see" mean?

a) Visible to "ip addr ls"?
b) Your system responds to ARP who-has requests for them?
c) You try to connect to a service that you believe should be available on that IP address and you are getting some sort of error or timeout?

My crystal ball has been in the shop for months and it isn't likely to be working any time soon.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Obviously the goal is to view services available on these IP's, but by "see" I mean simply access them by whatever port is open (ping for example is enabled on all IP's). I don't need for you to have your crystal ball shined up; simply possessing the ability to read my mind will suffice!

The initial rules I set up yesterday in testing were as follows and this worked: I was able to access a web server in the DMZ at 192.168.2.17 from both external IP's. I added an additional public IP to each NET interface and then updated the last rule below to add these additional IP's and then I was able to access the same server from all 4 IP's successfully. So then I went ahead and added the other public IP's to each NET interface and all the remaining rules, which are essentially a bunch of DNAT's for each public IP/service to a server in the DMZ, and then things fell apart. I can't think of where to look for the issue when it was working with only 2 public IP's on each NET interface and 1 test server in the DMZ.

Is there something that could be going on with the network, seeing as up until the cutover to this new Shorewall server these same public IP's were being served by 2 different machines (both using Shorewall) on the same network (obviously they were unplugged from the switches before plugging this one in)?

#All DMZ connections to net are allowed
ACCEPT dmz net
#
###### DNS Requests allowed ######
#
DNS/ACCEPT $FW net
DNS/ACCEPT dmz net
DNS/ACCEPT dmz $FW
DNS/ACCEPT net $FW
#
##### PING OK ######
#
Ping/ACCEPT dmz net
Ping/ACCEPT dmz $FW
Ping/ACCEPT net $FW
Ping/ACCEPT $FW net
#
##### Web browsing allowed from FW/loc #####
#
Web/ACCEPT $FW net
Web/ACCEPT dmz net
#
#
#### Webmin #####
#
ACCEPT net $FW tcp 10000
ACCEPT dmz $FW tcp 10000
#
# DMZ Servers Config
#ACCEPT net dmz tcp 80
####### TEST SERVER #######
DNAT net dmz:192.168.2.17 tcp 80 - 69.15.XXX.XX
DNAT net dmz:192.168.2.17 tcp 80 - 216.215.XXX.XX
#######

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Friday, April 21, 2006 4:24 PM
To: shorewall-users@lists.sourceforge.net
Cc: shorewall-users@lists.sourceforge.net
Subject: RE: [Shorewall-users] Re: MASQ Help (Multi-ISP setup)

On Fri, April 21, 2006 13:12, Admin Pro Tools wrote:
> OK, so even if the MASQ file was misconfigured you should still be able to see all public IP's? (assuming they are configured correctly and the rules allow it)

Well -- what does "see" mean?

a) Visible to "ip addr ls"?
b) Your system responds to ARP who-has requests for them?
c) You try to connect to a service that you believe should be available on that IP address and you are getting some sort of error or timeout?

My crystal ball has been in the shop for months and it isn't likely to be working any time soon.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key