Having a problem with the 3 interface setup. I can get DMZ hosts, and
FW to see internet, but anything on LOC interface is unable to get
out. My first post to the list didn't have the information needed,
sorry for that, but thank you for pointing me to more resources. I've
looked at the problem myself some more, but am still stuck.
Shorewall Version: 2.2.1
ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:60:97:c9:c5:e7 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
inet6 fe80::260:97ff:fec9:c5e7/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:04:77:a3:72 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
inet6 fe80::250:4ff:fe77:a372/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:02:a5:d0:92:7c brd ff:ff:ff:ff:ff:ff
inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2
inet6 fe80::202:a5ff:fed0:927c/64 scope link
valid_lft forever preferred_lft forever
5: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
link/ppp
inet 216.240.7.166 peer 216.240.0.249/32 scope global ppp0
------------------------------------------------------------------------------------------------------------------------------
ip route show
216.240.0.249 dev ppp0 proto kernel scope link src 216.240.7.166
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
169.254.0.0/16 dev eth2 scope link
default via 216.240.0.249 dev ppp0
--------------------------------------------------------------------------------------------------------------------------------
Using 3 interface example files.
-Have added some DNAT rules for couple services on DMZ server, which
work no problem. No changes to any rules on the LOC network.
-No change to HOSTS file.
-Change to MASQ file was to change eth0 as NET interface, to ppp0
(DSL-PPPoE outgoing connection)
--------------------------------------------------------------------------------------------------------------------------------
Ping from XP client to LOC (as default gateway 192.168.1.254) gets error:
Request timed out.
Shorewall, at the same time generates the following:
Mar 5 19:35:52 punisher kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth0
SRC=192.168.1.254 DST=192.168.1.48 LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=40237 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=256
I feel like this is where my problem is, as it appears that pings
from the 'LOC' network are for some reason being forwarded out of
eth0. There is a rule (default included in 3 interface example),
ACCEPT Zone Local Firewall ICMP Any 8
Have setup caching only name server on same box, and it is listening
for requests on same IP as LOC network. To make sure the name server
was working, I pointed DMZ hosts to that ip for DNS, and it is
resolving queries.
Thank you in advance to anyone who is willing to take the time to
point me in the right direction.
Sean Clark
Sean Clark wrote:
> Having a problem with the 3 interface setup. I can get DMZ hosts, and
> FW to see internet, but anything on LOC interface is unable to get
> out. My first post to the list didn't have the information needed,
> sorry for that, but thank you for pointing me to more resources. I've
> looked at the problem myself some more, but am still stuck.
>
> Shorewall Version: 2.2.1
>
> ip addr show
>
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> link/ether 00:60:97:c9:c5:e7 brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
> inet6 fe80::260:97ff:fec9:c5e7/64 scope link
> valid_lft forever preferred_lft forever

NOTE 1: eth0 has IP address 192.168.1.1/24

> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> link/ether 00:50:04:77:a3:72 brd ff:ff:ff:ff:ff:ff
> inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
> inet6 fe80::250:4ff:fe77:a372/64 scope link
> valid_lft forever preferred_lft forever

NOTE 2: eth1 has an IP in the same network: 192.168.1.254/24

> 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> link/ether 00:02:a5:d0:92:7c brd ff:ff:ff:ff:ff:ff
> inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2
> inet6 fe80::202:a5ff:fed0:927c/64 scope link
> valid_lft forever preferred_lft forever
> 5: sit0: <NOARP> mtu 1480 qdisc noop
> link/sit 0.0.0.0 brd 0.0.0.0
> 6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
> link/ppp
> inet 216.240.7.166 peer 216.240.0.249/32 scope global ppp0
>
> ------------------------------------------------------------------------------------------------------------------------------
> ip route show
>
> 216.240.0.249 dev ppp0 proto kernel scope link src 216.240.7.166
> 192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254

NOTE 3: So the automatically-generated route for eth0 appears before the one for eth1.

> 169.254.0.0/16 dev eth2 scope link
> default via 216.240.0.249 dev ppp0
> --------------------------------------------------------------------------------------------------------------------------------
> Using 3 interface example files.
> -Have added some DNAT rules for couple services on DMZ server, which
> work no problem. No changes to any rules on the LOC network.
> -No change to HOSTS file.
> -Change to MASQ file was to change eth0 as NET interface, to ppp0
> (DSL-PPPoE outgoing connection)
> --------------------------------------------------------------------------------------------------------------------------------
> Ping from XP client to LOC (as default gateway 192.168.1.254) gets error:
> Request timed out.
> Shorewall, at the same time generates the following:
> Mar 5 19:35:52 punisher kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth0
> SRC=192.168.1.254 DST=192.168.1.48 LEN=60 TOS=0x00 PREC=0x00 TTL=64
> ID=40237 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=256
>
> I feel like this is where my problem is, as it appears that pings
> from the 'LOC' network are for some reason being forwarded out of
> eth0.

NOTE 4: How can you possibly be surprised given notes 1-3?

> There is a rule (default included in 3 interface example),
> ACCEPT Zone Local Firewall ICMP Any 8
>

As explained at http://shorewall.net/Shorewall_and_Routing.html, Routing determines where packets go -- the Shorewall-generated ruleset determines whether the packet is allowed to go there or not. In this case, it is not.

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
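To make Tom's notes 1-3 concrete, here is an added walkthrough (example code written for this page, not part of the thread or of Shorewall) that transcribes the `ip addr` and `ip route` output above into Python, flags interfaces whose connected subnets overlap, and resolves the echo reply to 192.168.1.48 against the table the way the kernel's longest-prefix match with first-entry tie-break does. It assumes eth1 is the LOC interface (the client's default gateway 192.168.1.254 is eth1's address), and the "fixed" table uses a placeholder subnet 192.168.3.0/24 for eth0 that the thread never specifies.

```python
import ipaddress

# Interface addresses transcribed from the `ip addr show` output in the thread.
INTERFACE_ADDRS = {
    "eth0": "192.168.1.1/24",
    "eth1": "192.168.1.254/24",
    "eth2": "192.168.2.254/24",
}

# Routing table transcribed from the `ip route show` output, in the order shown.
# ppp0 is a point-to-point link, so its peer route is a /32.
ROUTES_AS_POSTED = [
    ("216.240.0.249/32", "ppp0"),
    ("192.168.2.0/24", "eth2"),
    ("192.168.1.0/24", "eth0"),
    ("192.168.1.0/24", "eth1"),
    ("169.254.0.0/16", "eth2"),
    ("0.0.0.0/0", "ppp0"),
]

# Assumed fix: eth0 moved to a subnet of its own. 192.168.3.0/24 is a
# placeholder chosen for this example; the thread never says what eth0 carries.
ROUTES_FIXED = [
    ("216.240.0.249/32", "ppp0"),
    ("192.168.2.0/24", "eth2"),
    ("192.168.3.0/24", "eth0"),
    ("192.168.1.0/24", "eth1"),
    ("169.254.0.0/16", "eth2"),
    ("0.0.0.0/0", "ppp0"),
]


def overlapping_interfaces(addrs):
    """Return sorted pairs of interfaces whose connected subnets overlap
    (the condition behind NOTE 1 and NOTE 2)."""
    nets = {dev: ipaddress.ip_interface(a).network for dev, a in addrs.items()}
    devs = sorted(nets)
    return [(a, b) for i, a in enumerate(devs) for b in devs[i + 1:]
            if nets[a].overlaps(nets[b])]


def egress_device(routes, dst):
    """Longest-prefix match over the table; on a tie the earlier entry wins,
    which is the ordering effect NOTE 3 points at."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def reply_is_asymmetric(routes, ingress_dev, client):
    """True when the echo reply to `client` would leave on a different
    interface than the request arrived on. That is the situation the
    Shorewall OUTPUT:REJECT log line with OUT=eth0 records."""
    return egress_device(routes, client) != ingress_dev


if __name__ == "__main__":
    print("overlapping subnets:", overlapping_interfaces(INTERFACE_ADDRS))
    for name, table in (("as posted", ROUTES_AS_POSTED), ("fixed", ROUTES_FIXED)):
        dev = egress_device(table, "192.168.1.48")
        asym = reply_is_asymmetric(table, "eth1", "192.168.1.48")
        print(f"{name}: reply to 192.168.1.48 leaves via {dev}; asymmetric={asym}")
```

With the table as posted, the reply to the LOC client is routed out eth0 because that 192.168.1.0/24 entry comes first, and only then does the Shorewall ruleset decide whether to let it leave on that interface. Once eth0 and eth1 no longer share a subnet, the reply goes back out eth1, where the request came in, and the ruleset never has to reject it. On the real box, `ip route get 192.168.1.48` answers the same question without any scripting.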