Hi All,

I have used Shorewall many times in the past and it has always worked very nicely. This time, however, it is not working. In the past I have set up rules to allow access to servers in non-routeable private IP space using DNAT and such. This time I'm trying to replace a firewall that routes traffic to public-type addresses. Our colo has allocated two sets of IP space for us. The zones for each of these are called "lan" and "opt". Traffic to these public-type IP addresses goes through the existing router that I'm trying to replace.

I have made the policy file wide open to accept traffic between all net2opt, net2lan, lan2net, lan2opt zones. When we try to plug it in, I see traffic from lan2opt and opt2lan is traversing just fine. I can ping from the $FW to the "net" zone so I know connectivity is there. Trying to access anything behind the Shorewall firewall, though, does not get through. I would expect to see in the logs a message saying ACCEPT, DROP, or REJECT from the "net2loc" or "net2opt" zones but I get nothing.

Since traffic should go through the firewall to public-type IP addresses I had removed everything from the "masq" file. There shouldn't be masquerading going on, just routing packets from the "net" to "opt" or "lan". So when someone types in our website address a DNS server will provide the IP and the client should go to that IP with no DNAT'ing, just a straight-through forward.

I have tried on an alternate network to route traffic and it does route when NATting to non-routeable IP space. I know the server will route between networks. I even did a tcpdump and I do see that packets are hitting the outside IP destined for IP addresses behind the firewall. I thought maybe the colo might have access control lists on our firewall's MAC, so I even went so far as to spoof my new firewall's MAC address to match the old firewall, and no luck. I even tried /sbin/shorewall clear and no luck. Maybe a kernel param?

Is there something in my shorewall.dump that shows why connections from the net would be blocked and not logged at all? If there's any more info anyone needs please let me know. Attached is a dump.

Thank you,
Mitch

------------------------------------------------------------------------------
Return on Information: Google Enterprise Search pays you back
Get the facts.
http://p.sf.net/sfu/google-dev2dev
Mitch Sheean wrote:
> Is there something in my shorewall.dump that shows why connections from
> the net would be blocked and not logged at all? If there's any more info
> anyone needs please let me know.

Does this router behave properly without Shorewall (e.g., after 'shorewall clear')?

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
I did a shorewall clear and it still does not behave properly.

I did try to set up a box on non-routeable IP space and was able to DNAT to it. I had done this before on a test network and thought it may be a problem with the production network. But the production network seems just fine. Packets will route inside to non-routeable addresses.

Thank you,
Mitch

Tom Eastep wrote:
> Mitch Sheean wrote:
>> Is there something in my shorewall.dump that shows why connections from
>> the net would be blocked and not logged at all? If there's any more info
>> anyone needs please let me know.
>
> Does this router behave properly without Shorewall (e.g., after
> 'shorewall clear')?
>
> -Tom

--
------------------------------------------------------------------------
Mitchell Sheean | Systems Administrator
Internet Identity | Portal: https://portal.powershark.com
Office: +1 253-590-4087 | Mobile: +1 253-678-9456
------------------------------------------------------------------------
I think maybe the Shorewall box needs routes or an ARP table mapping to all the hosts behind it. Seems like packets get to the box then don't know where to go.

Tom Eastep wrote:
> Mitch Sheean wrote:
>> Is there something in my shorewall.dump that shows why connections from
>> the net would be blocked and not logged at all? If there's any more info
>> anyone needs please let me know.
>
> Does this router behave properly without Shorewall (e.g., after
> 'shorewall clear')?
>
> -Tom
Mitch Sheean wrote:
> I did a shorewall clear and it still does not behave properly.
>
> I did try to set up a box on non-routeable IP space and was able to DNAT
> to it. I had done this before on a test network and thought it may be a
> problem with the production network. But the production network seems
> just fine. Packets will route inside to non-routeable addresses.

Well, if a non-NAT router doesn't work to begin with, configuring a firewall on it isn't going to make it start working. Your routing is clearly broken -- probably the receiving host is attempting to route its responses through the wrong path.

-Tom
Mitch Sheean wrote:
> I think maybe the Shorewall box needs routes or an ARP table mapping to
> all the hosts behind it. Seems like packets get to the box then don't
> know where to go.

Again, I'll bet it is the responses that are getting lost and the problem has nothing to do with the configuration of the Shorewall box.

-Tom
I think I will need to enable proxy_arp. It is disabled in the kernel by default. If I enable it on the kernel level and do a "shorewall clear" then hopefully it will route.

In your opinion, do you think I would have to enable it only on the external "public" interface?

I was reading this document today -> http://www.shorewall.net/ProxyARP.htm

Does shorewall/iptables work at the layer 2 level? I thought it would only be layer 3.

Thank you,
Mitch

Tom Eastep wrote:
> Mitch Sheean wrote:
>> I think maybe the Shorewall box needs routes or an ARP table mapping to
>> all the hosts behind it. Seems like packets get to the box then don't
>> know where to go.
>
> Again, I'll bet it is the responses that are getting lost and the
> problem has nothing to do with the configuration of the Shorewall box.
>
> -Tom
Mitch Sheean wrote:
> I think I will need to enable proxy_arp. It is disabled in the kernel by
> default. If I enable it on the kernel level and do a "shorewall clear" then
> hopefully it will route.
>
> In your opinion, do you think I would have to enable it only on the
> external "public" interface?

If you had to enable it on the "public" interface, the traffic wouldn't even get to your router if it were not set.

> I was reading this document today -> http://www.shorewall.net/ProxyARP.htm
>
> Does shorewall/iptables work at the layer 2 level? I thought it would
> only be layer 3.

Shorewall/iptables work at layer 3.

You appear to have a three-interface router with eth0 apparently being the interface that connects to the internet. Behind that router, you have two networks:

a) 209.147.127.208/28 - eth2
b) 66.113.100.32/27 - eth1

All hosts in network a) must have their default gateway set to 209.147.127.209. All hosts in network b) must have their default gateway set to 66.113.100.33. From the internet, both of those networks must be routed via 66.113.102.253.

If you configure your networks that way, then without Shorewall even installed, all hosts will be able to communicate with all other hosts.

-Tom
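As an added example (my code, not from the thread or from Shorewall): a check of the host-side condition Tom describes, that every host behind the router uses the router's own address on its LAN as its default gateway, since a host pointing at some other gateway sends its replies down a different path and the connection appears to be silently blocked. The two networks and router addresses are taken from Tom's message; the host entries and the "old firewall" address are constructed.

```python
"""Audit default-gateway settings of hosts behind a three-interface Linux router.

Added example, not code from the thread or from Shorewall. The LAN layout
below is the one described in Tom's message; the sample hosts are constructed.
"""
import ipaddress

# Router-side addressing per the thread: interface -> (LAN network, router's address on it).
ROUTER_LANS = {
    "eth2": (ipaddress.ip_network("209.147.127.208/28"), ipaddress.ip_address("209.147.127.209")),
    "eth1": (ipaddress.ip_network("66.113.100.32/27"), ipaddress.ip_address("66.113.100.33")),
}


def classify_host(host_ip: str, gateway: str) -> str:
    """Return 'ok', or a short reason why this host's replies would never reach the router."""
    host = ipaddress.ip_address(host_ip)
    gw = ipaddress.ip_address(gateway)
    for iface, (net, router_addr) in ROUTER_LANS.items():
        if host not in net:
            continue
        if host == router_addr:
            return f"{host_ip} is the router's own address on {iface}"
        if gw == router_addr:
            return "ok"
        if gw in net:
            # Same LAN, but replies go to another box (e.g. the old firewall still being used as gateway).
            return f"gateway {gateway} is on {net} but is not the router ({router_addr}); replies go elsewhere"
        # Gateway on a foreign subnet: the host cannot even ARP for it.
        return f"gateway {gateway} is not on {net}; host cannot ARP for it"
    return f"{host_ip} is not in any network behind the router"


def audit(hosts):
    """hosts: iterable of (host_ip, default_gateway) pairs; returns {host_ip: verdict}."""
    return {ip: classify_host(ip, gw) for ip, gw in hosts}


# Constructed sample host configurations (not from the thread).
SAMPLE_HOSTS = [
    ("209.147.127.210", "209.147.127.209"),  # correct: gateway is the router's eth2 address
    ("66.113.100.40", "66.113.100.62"),      # constructed "old firewall" address still used as gateway
    ("66.113.100.41", "209.147.127.209"),    # gateway belongs to the other LAN
]

if __name__ == "__main__":
    for ip, verdict in audit(SAMPLE_HOSTS).items():
        print(f"{ip}: {verdict}")
```

Run it against the real host list (from each host's routing table) to find the machines whose replies are taking the wrong path before touching the Shorewall configuration.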