Hello,

I'm not sure if this has been asked before but I would like to ask assistance for this problem I have.

I installed gentoo for my firewall/gateway and installed dhcp and shorewall.

Currently, I can ssh, ftp, remote desktop connect, ping, etc. (anything I can think of) from an internal computer inside my network to an external IP, except I cannot surf the net. I can ssh/ftp to my firewall/gateway, but if I have apache running, I cannot connect to the web server on there.

Looking at /etc/shorewall/policy:

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT   info
fw        net    ACCEPT   info
net       all    DROP     info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all       all    REJECT   info
#LAST LINE -- DO NOT REMOVE

I've added and removed things to tinker with my setup. This however is how it is currently.

Looking at /etc/shorewall/rules. I know it's overkill. I'll clean it up as soon as I get masquerading to work.

#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)                                                    SOURCE PORT(S)   ORIGINAL DEST   RATE LIMIT   USER/GROUP
REDIRECT   loc      3128   tcp     www                                                             -
ACCEPT     fw       net    tcp     www
#ACCEPT    fw       loc    tcp     www
ACCEPT     net      fw     udp     53,137,138,139,5500,5900,5901
ACCEPT     net      fw     tcp     80,443,53,22,20,21,25,109,110,143,137,138,139,5500,5900,5901   -
ACCEPT     net      fw     udp     80,443,53,22,20,21,25,109,110,143,137,138,139,5500,5900,5901   -
ACCEPT     loc      fw     udp     53,137,138,139,5500,5900,5901
ACCEPT     loc      fw     tcp     80,443,53,22,20,21,25,109,110,143,137,138,139,5500,5900,5901   -
ACCEPT     loc      fw     udp     80,443,53,22,20,21,25,109,110,143,137,138,139,5500,5900,5901   -
ACCEPT     net      fw     icmp    echo-request
ACCEPT     loc      fw     icmp    echo-request
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

For /etc/shorewall/masq (I was under the impression this is where I put in the masquerading info):

#INTERFACE   SUBNET           ADDRESS   PROTO   PORT(S)
eth0         192.168.1.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

I only have dhcp and shorewall running.

If I do not have dhcp and shorewall running but I run the following lines in a bash script, it works, but I'd like to have shorewall running.

/usr/sbin/iptables -A FORWARD -s 192.166.1.0/24 -j ACCEPT
/usr/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
/usr/sbin/iptables --append FORWARD -s 192.168.1.0/24 -j ACCEPT

Any ideas? If you have any questions, please feel free to ask. If any of this is unclear, please let me know, I'll try to explain as best as I can.

Thanks!
Tom
On Wednesday 26 January 2005 05:03 pm, Tom Cruickshank wrote:

> Hello,
> I'm not sure if this has been asked before but I would like to
> ask assistance for this problem I have.
>
> I installed gentoo for my firewall/gateway and installed dhcp and
> shorewall.
>
> Currently, I can ssh, ftp, remote desktop connect, ping, etc (anything
> I can think of) from an internal computer inside my network to an
> external IP, except I cannot surf the net. I can ssh/ftp to my
> firewall/gateway, but if I have apache running, I cannot connect to
> the web server on there.
>
> Looking at /etc/shorewall/policy
>
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> loc       net    ACCEPT   info
> fw        net    ACCEPT   info
> net       all    DROP     info
> #
> # THE FOLLOWING POLICY MUST BE LAST
> #
> all       all    REJECT   info
> #LAST LINE -- DO NOT REMOVE
>
> I've added and removed things to tinker with my setup. This however is
> how it is currently.
>
> Looking at /etc/shorewall/rules. I know it's overkill. I'll clean it
> up as soon as I get masquerading to work.
>
> #ACTION    SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST   RATE LIMIT   USER/GROUP
> REDIRECT   loc      3128   tcp     www            -
> ACCEPT     fw       net    tcp     www
> #ACCEPT    fw       loc    tcp     www
>
> ACCEPT     net      fw     udp     53,137,138,139,5500,5900,5901
> ACCEPT     net      fw     tcp     80,443,53,22,20,21,25,109,110,143,137,138,139,5500,5900,5901   -

How about a LOC --> NET for some things like port 80 and 443?
Or a policy allowing all outbound connections... (less desirable).

-- 
John Andersen - NORCOM
http://www.norcomsoftware.com/
> Hello,
> I'm not sure if this has been asked before but I would like to
> ask assistance for this problem I have.
>
> I installed gentoo for my firewall/gateway and installed dhcp and
> shorewall.
>
> Currently, I can ssh, ftp, remote desktop connect, ping, etc (anything
> I can think of) from an internal computer inside my network to an
> external IP, except I cannot surf the net. I can ssh/ftp to my
> firewall/gateway, but if I have apache running, I cannot connect to
> the web server on there.
>
> Looking at /etc/shorewall/policy
>
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> loc       net    ACCEPT   info
> fw        net    ACCEPT   info
> net       all    DROP     info
> #
> # THE FOLLOWING POLICY MUST BE LAST
> #
> all       all    REJECT   info
> #LAST LINE -- DO NOT REMOVE
>
> I've added and removed things to tinker with my setup. This however is
> how it is currently.
>
> Looking at /etc/shorewall/rules. I know it's overkill. I'll clean it
> up as soon as I get masquerading to work.
>
> #ACTION    SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST   RATE LIMIT   USER/GROUP
> REDIRECT   loc      3128   tcp     www            -
> ACCEPT     fw       net    tcp     www
> #ACCEPT    fw       loc    tcp     www

Please check and see that squid is actually running and that it is listening on port 3128.

Also check the Squid ACLs and see that you are being permitted to access the cache.

Another thought, have you configured squid to act as a transparent proxy? There is more to it than just redirecting outbound port 80 to FW port 3128.

Just my 2 bits.

T
John Andersen wrote:

>> Looking at /etc/shorewall/policy
>>
>> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
>> loc       net    ACCEPT   info
>> fw        net    ACCEPT   info
>> net       all    DROP     info
>> #
>> # THE FOLLOWING POLICY MUST BE LAST
>> #
>> all       all    REJECT   info
>> #LAST LINE -- DO NOT REMOVE
>
> How about a LOC --> NET for some things like port 80 and 443?
> Or a policy allowing all outbound connections... (less desirable).

There is a loc->net ACCEPT policy. Tom is even logging those connections just to be sure there is plenty of load on his firewall.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> John Andersen wrote:
>
>>> Looking at /etc/shorewall/policy
>>>
>>> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
>>> loc       net    ACCEPT   info
>>> fw        net    ACCEPT   info
>>> net       all    DROP     info
>>> #
>>> # THE FOLLOWING POLICY MUST BE LAST
>>> #
>>> all       all    REJECT   info
>>> #LAST LINE -- DO NOT REMOVE
>>
>> How about a LOC --> NET for some things like port 80 and 443?
>> Or a policy allowing all outbound connections... (less desirable).
>
> There is a loc->net ACCEPT policy. Tom is even logging those connections
> just to be sure there is plenty of load on his firewall.

My question here is more fundamental. Tom doesn't seem to have used the two-interface QuickStart Guide (http://shorewall.net/two-interface.htm) to configure his firewall. Also, his post for help doesn't include a single item mentioned in the Shorewall support guide (http://shorewall.net/support.htm).

So my questions are:

a) How did Shorewall come to be installed on your gateway/firewall?

b) Why did you configure Shorewall without benefit of the QuickStart Guides (most people successfully configure their first firewall in 30 minutes or so when they use the QuickStart Guides)?

c) Given that you didn't include the information we ask for to help solve connection problems, how did you learn about this mailing list?

My questions are not facetious -- I really need to understand how people are installing Shorewall, configuring Shorewall and reporting problems about Shorewall without ever seeing the core documentation.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Terry H. Gilsenan wrote:

>> Hello,
>> I'm not sure if this has been asked before but I would like to
>> ask assistance for this problem I have.
>>
>> I installed gentoo for my firewall/gateway and installed dhcp and
>> shorewall.
>>
>> Currently, I can ssh, ftp, remote desktop connect, ping, etc (anything
>> I can think of) from an internal computer inside my network to an
>> external IP, except I cannot surf the net. I can ssh/ftp to my
>> firewall/gateway, but if I have apache running, I cannot connect to
>> the web server on there.
>>
>> Looking at /etc/shorewall/policy
>>
>> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
>> loc       net    ACCEPT   info
>> fw        net    ACCEPT   info
>> net       all    DROP     info
>> #
>> # THE FOLLOWING POLICY MUST BE LAST
>> #
>> all       all    REJECT   info
>> #LAST LINE -- DO NOT REMOVE
>>
>> I've added and removed things to tinker with my setup. This however is
>> how it is currently.
>>
>> Looking at /etc/shorewall/rules. I know it's overkill. I'll clean it
>> up as soon as I get masquerading to work.
>>
>> #ACTION    SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST   RATE LIMIT   USER/GROUP
>> REDIRECT   loc      3128   tcp     www            -
>> ACCEPT     fw       net    tcp     www
>> #ACCEPT    fw       loc    tcp     www
>
> Please check and see that squid is actually running and that it is
> listening on port 3128.
>
> Also check the Squid ACLs and see that you are being permitted to access
> the cache.
>
> Another thought, have you configured squid to act as a transparent proxy?
> There is more to it than just redirecting outbound port 80 to FW port
> 3128.

Good spotting -- I missed that Tom was using Squid.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> Terry H. Gilsenan wrote:
>
>>> Looking at /etc/shorewall/rules. I know it's overkill. I'll clean it
>>> up as soon as I get masquerading to work.
>>>
>>> #ACTION    SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST   RATE LIMIT   USER/GROUP
>>> REDIRECT   loc      3128   tcp     www            -
>>> ACCEPT     fw       net    tcp     www
>>> #ACCEPT    fw       loc    tcp     www
>>
>> Please check and see that squid is actually running and that it is
>> listening on port 3128.
>>
>> Also check the Squid ACLs and see that you are being permitted to access
>> the cache.
>>
>> Another thought, have you configured squid to act as a transparent proxy?
>> There is more to it than just redirecting outbound port 80 to FW port
>> 3128.
>
> Good spotting -- I missed that Tom was using Squid.

I should also point out that since a proxy is being used for HTTP traffic (which is what doesn't work apparently), the subject of this thread is misleading. When a proxy is running on the firewall, no masquerading of the proxied traffic occurs.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
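To make the point above concrete, here is an added example (editor's code, not from the thread and not Shorewall's own implementation) that walks a new connection through the policy, rules and masq files Tom posted at the top of the thread. It is a deliberately simplified model with two assumptions: rules are consulted in file order before any policy, and a REDIRECT rule with no ORIGINAL DEST column diverts every matching connection from the source zone, including ones addressed to the firewall itself. The port-name table and the evaluator are the example's own; only the three config texts come from the thread.

```python
"""First-match walk through the Shorewall policy/rules/masq files posted in
this thread. Added example: not from the thread and not Shorewall's code,
only a simplified model of how the three files are consulted."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The three files as posted in the thread (whitespace normalised).
POLICY = """
loc  net  ACCEPT  info
fw   net  ACCEPT  info
net  all  DROP    info
all  all  REJECT  info
"""
RULES = """
REDIRECT  loc  3128  tcp   www  -
ACCEPT    fw   net   tcp   www
#ACCEPT   fw   loc   tcp   www
ACCEPT    net  fw    udp   53,137,138,139,5500,5900,5901
ACCEPT    net  fw    tcp   80,443,53,22,20,21,25,109,110,143,137,138,139,5500,5900,5901  -
ACCEPT    net  fw    udp   80,443,53,22,20,21,25,109,110,143,137,138,139,5500,5900,5901  -
ACCEPT    loc  fw    udp   53,137,138,139,5500,5900,5901
ACCEPT    loc  fw    tcp   80,443,53,22,20,21,25,109,110,143,137,138,139,5500,5900,5901  -
ACCEPT    loc  fw    udp   80,443,53,22,20,21,25,109,110,143,137,138,139,5500,5900,5901  -
ACCEPT    net  fw    icmp  echo-request
ACCEPT    loc  fw    icmp  echo-request
"""
MASQ = """
eth0  192.168.1.0/24
"""

# Shorewall resolves service names via /etc/services; a local table keeps
# this example offline (assumption of the example).
SERVICE_PORTS = {"www": "80", "http": "80", "https": "443", "ssh": "22"}


@dataclass
class Rule:
    action: str
    source: str
    dest: str          # destination zone, or the firewall port for REDIRECT
    proto: str
    dports: frozenset  # empty means any destination port


@dataclass
class Policy:
    source: str
    dest: str
    policy: str


def _fields(text):
    """Yield whitespace-split fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def _ports(field):
    if field == "-":
        return frozenset()
    return frozenset(SERVICE_PORTS.get(p, p) for p in field.split(","))


def parse_rules(text):
    rules = []
    for f in _fields(text):
        f += ["-"] * (5 - len(f))  # pad to ACTION SOURCE DEST PROTO DPORT
        rules.append(Rule(f[0], f[1], f[2], f[3], _ports(f[4])))
    return rules


def parse_policy(text):
    return [Policy(f[0], f[1], f[2]) for f in _fields(text)]


def parse_masq(text):
    return [(f[0], ip_network(f[1])) for f in _fields(text)]


def _zone(pattern, zone):
    return pattern in ("all", zone)


def decide(rules, policies, src, dst, proto, dport):
    """Return (action, reason): first matching rule, else first matching policy."""
    for r in rules:
        if not (_zone(r.source, src) and r.proto == proto):
            continue
        if r.dports and str(dport) not in r.dports:
            continue
        if r.action == "REDIRECT":
            # DEST is a port on the firewall: the connection terminates on the
            # firewall, so it never enters FORWARD or nat POSTROUTING.
            return ("REDIRECT", f"fw:{r.dest}")
        if _zone(r.dest, dst):
            return (r.action, f"rule {r.source}->{r.dest}")
    for p in policies:
        if _zone(p.source, src) and _zone(p.dest, dst):
            return (p.policy, f"policy {p.source}->{p.dest}")
    return ("REJECT", "no matching policy")


def masqueraded(verdict, dst, masq, src_ip, out_iface):
    """Only forwarded, accepted traffic is SNATed by the masq file; traffic
    redirected to, or addressed to, the firewall itself is not."""
    action, _ = verdict
    if action != "ACCEPT" or dst == "fw":
        return False
    return any(i == out_iface and ip_address(src_ip) in n for i, n in masq)


if __name__ == "__main__":
    rules, pols, masq = parse_rules(RULES), parse_policy(POLICY), parse_masq(MASQ)
    for src, dst, proto, port in [("loc", "net", "tcp", 80), ("loc", "net", "tcp", 22),
                                  ("loc", "fw", "tcp", 80), ("net", "loc", "tcp", 22)]:
        v = decide(rules, pols, src, dst, proto, port)
        m = masqueraded(v, dst, masq, "192.168.1.10", "eth0")
        print(f"{src}->{dst} {proto}/{port}: {v[0]} ({v[1]}), masqueraded={m}")
```

Under this model loc->net tcp/22 falls through to the loc->net ACCEPT policy and is masqueraded out eth0, which is consistent with ssh and ftp working from the LAN, while loc->net tcp/80 (and, with no ORIGINAL DEST exclusion, loc->fw tcp/80 as well) ends at fw:3128 and is never forwarded or masqueraded. If nothing is listening on 3128, or squid is not configured as a transparent proxy, those redirected connections simply fail, which is why the checks Terry suggested are the right place to look rather than the masq file.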
Thank you. I seem to have been missing squid. Hopefully that works!

Thanks for your help!
Tom

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Terry H. Gilsenan
Sent: Wednesday, January 26, 2005 9:27 PM
To: shorewall-users@lists.shorewall.net
Subject: Re: [Shorewall-users] problem with masquerading with shorewall

> Hello,
> I'm not sure if this has been asked before but I would like to
> ask assistance for this problem I have.
>
> I installed gentoo for my firewall/gateway and installed dhcp and
> shorewall.
>
> Currently, I can ssh, ftp, remote desktop connect, ping, etc (anything
> I can think of) from an internal computer inside my network to an
> external IP, except I cannot surf the net. I can ssh/ftp to my
> firewall/gateway, but if I have apache running, I cannot connect to
> the web server on there.
>
> Looking at /etc/shorewall/policy
>
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> loc       net    ACCEPT   info
> fw        net    ACCEPT   info
> net       all    DROP     info
> #
> # THE FOLLOWING POLICY MUST BE LAST
> #
> all       all    REJECT   info
> #LAST LINE -- DO NOT REMOVE
>
> I've added and removed things to tinker with my setup. This however is
> how it is currently.
>
> Looking at /etc/shorewall/rules. I know it's overkill. I'll clean it
> up as soon as I get masquerading to work.
>
> #ACTION    SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST   RATE LIMIT   USER/GROUP
> REDIRECT   loc      3128   tcp     www            -
> ACCEPT     fw       net    tcp     www
> #ACCEPT    fw       loc    tcp     www

Please check and see that squid is actually running and that it is listening on port 3128.

Also check the Squid ACLs and see that you are being permitted to access the cache.

Another thought, have you configured squid to act as a transparent proxy? There is more to it than just redirecting outbound port 80 to FW port 3128.

Just my 2 bits.

T
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Hi all,

I have a 3 nic interface setup.
I've installed a vpn router in my DMZ and added a route to the shorewall box for it and added routeback to interfaces and hosts.
But now packets from loc are being routed through to dmz.
How do I stop this?

dmz is 192.168.69.0/24
other end of VPN is: 192.168.40.0/24
route on shorewall is:

192.168.40.0    192.168.69.45   255.255.255.0   UG    0      0        0 eth2

interfaces:

net    eth0    detect    dhcp,routefilter,norfc1918
loc    eth1    detect
dmz    eth2    detect    routeback

hosts:

vpn    eth2:192.168.40.0/24,192.168.69.0/24    routeback

Thanks for any help
Jon
Jon Booth wrote:

> Hi all,
> I have a 3 nic interface setup.
> I've installed a vpn router in my DMZ and added a route to the shorewall
> box for it and added routeback to interfaces and hosts.
> But now packets from loc are being routed through to dmz.
> How do I stop this?
>
> dmz is 192.168.69.0/24
> other end of VPN is: 192.168.40.0/24
> route on shorewall is:
>
> 192.168.40.0    192.168.69.45   255.255.255.0   UG    0      0        0 eth2
>
> interfaces:
>
> net    eth0    detect    dhcp,routefilter,norfc1918
> loc    eth1    detect
> dmz    eth2    detect    routeback
>
> hosts:
>
> vpn    eth2:192.168.40.0/24,192.168.69.0/24    routeback

Paul Gear had better answer this since he is the only reason that Shorewall still has ANYTHING to do with routing :-)

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> ...
> Paul Gear had better answer this since he is the only reason that
> Shorewall still has ANYTHING to do with routing :-)

It's nice to know I have made *some* contribution to the community. :-)

I don't know anything about routeback troubleshooting, however.

-- 
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
--
The information contained in this message is copyright by Redlands College. Any use for direct sales or marketing purposes is expressly forbidden. This message does not represent the views of Redlands College.
Jon Booth wrote:

> I have a 3 nic interface setup.
> I've installed a vpn router in my DMZ and added a route to the shorewall
> box for it and added routeback to interfaces and hosts.
> But now packets from loc are being routed through to dmz.
> How do I stop this?

A couple of things:

a) SHOREWALL HAS NOTHING TO DO WITH ROUTING (except if you are using Proxy ARP and have NO in the HAVEROUTE column).

b) From the above description, I couldn't even draw a diagram of your network, let alone describe your problem. In particular, it is completely unclear what you mean by "packets from loc are being routed through to dmz".

Please give us details -- see http://shorewall.net/support.htm for guidelines.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Thanks Tom,

Yes you are right, this was not a routing issue, it was a mistake I had made in the policy file. The fact that I added the extra routes at the time I noticed this issue was just a coincidence and confused me.

Sorry for wasting anyone's time.

Jon

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Saturday, January 29, 2005 2:31 AM
Subject: Re: [Shorewall-users] Routing trouble

> Jon Booth wrote:
>
>> I have a 3 nic interface setup.
>> I've installed a vpn router in my DMZ and added a route to the shorewall
>> box for it and added routeback to interfaces and hosts.
>> But now packets from loc are being routed through to dmz.
>> How do I stop this?
>
> A couple of things:
>
> a) SHOREWALL HAS NOTHING TO DO WITH ROUTING (except if you are using
> Proxy ARP and have NO in the HAVEROUTE column).
>
> b) From the above description, I couldn't even draw a diagram of your
> network, let alone describe your problem. In particular, it is
> completely unclear what you mean by "packets from loc are being routed
> through to dmz".
>
> Please give us details -- see http://shorewall.net/support.htm for
> guidelines.
>
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key