In /etc/shorewall/masq I have:

eth0 eth1
eth0 vmnet1
eth0 vmnet8

-------------

eth0 is my default route to the Linksys router connected to the cable modem.

eth1 is my connection to 192.168.1 subnet and it is the gateway for all other machines on this subnet.

My routing table is:

# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0   0      0    lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0   0      0    eth0

When I start shorewall at bootup or manually after bootup, I get the following error output:

. . .
Masqueraded Networks and Hosts:
   To 0.0.0.0/0 (all) from 192.168.1.0/24 through eth0
Error: Unable to determine the routes through interface
Processing /etc/shorewall/stop ...

Because of this error, none of the machines on subnet1 can connect to the internet.

Joe
On Sat, 2004-11-27 at 12:02 -0800, Joseph Davida wrote:
> In /etc/shorewall/masq I have:
>
> eth0 eth1
> eth0 vmnet1
> eth0 vmnet8
>
> eth0 is my default route to the Linksys
> router connected to the cable modem.
>
> eth1 is my connection to 192.168.1 subnet
> and it is the gateway for all other machines
> on this subnet.
>
> My routing table is:
> # netstat -nr
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags MSS Window irtt Iface
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth1
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0   0      0    lo
> 0.0.0.0         192.168.0.1     0.0.0.0         UG    0   0      0    eth0

There are no routes through either interface vmnet1 or vmnet8 so I suspect that neither interface is started. Both the comments in /etc/shorewall/masq and the documentation for that file clearly state that in the SUBNET column:

    If you give the name of an interface, you must have iproute installed and the interface must be up before you start the firewall.

Netfilter has a restriction that rules (such as SNAT/MASQUERADE) in the POSTROUTING chains cannot be conditional on the input interface. Therefore, when you specify an interface name as the source in /etc/shorewall/masq, Shorewall must use the routing table to determine the hosts connected through the interface. As you can see from the above routing table, there is no routing information for the vmnet devices.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
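The dependency Tom describes, as an added example that is not part of the thread and not Shorewall's own code: a small POSIX shell script that reads `ip route` output (format assumed: `<network> dev <iface> ...`, with the default route written as `default via ...`), collects the networks routed through each interface named in the SUBNET column of a masq-style table, and fails with the same complaint Shorewall prints when an interface carries no route. Run before `shorewall start`, it catches the "VMware is down, vmnet has no routes" case up front. The masq table and routing table below are constructed from the data in the thread; the file names are placeholders.

```shell
#!/bin/sh
# Added example (not Shorewall's code): pre-flight check for interface names
# used in the SUBNET column of /etc/shorewall/masq. Shorewall cannot match
# POSTROUTING rules on the input interface, so it derives the source networks
# from the routing table; an interface with no routes (vmnet1/vmnet8 while
# VMware is down) makes "shorewall start" fail. Input format assumed here is
# that of "ip route" (iproute), e.g. "192.168.1.0/24 dev eth1 proto kernel ...".

# routes_through IFACE   (reads "ip route" output on stdin)
# Prints every non-default destination network routed through IFACE.
routes_through() {
    awk -v ifc="$1" '
        $1 != "default" {
            for (i = 2; i < NF; i++)
                if ($i == "dev" && $(i + 1) == ifc) { print $1; break }
        }'
}

# check_masq_sources MASQ_FILE ROUTE_FILE
# MASQ_FILE holds "INTERFACE SUBNET" lines as in /etc/shorewall/masq.
# For each SUBNET that is an interface name (not an address or network),
# report the networks that would be masqueraded, or fail the way Shorewall
# does when the routing table carries nothing through that interface.
check_masq_sources() {
    masq_file=$1
    route_file=$2
    status=0
    while read -r out_if subnet _rest; do
        case "$out_if" in ''|\#*) continue ;; esac   # blank or comment line
        case "$subnet" in [0-9]*) continue ;; esac   # address/network: used as-is
        nets=$(routes_through "$subnet" < "$route_file")
        if [ -z "$nets" ]; then
            echo "Error: Unable to determine the routes through interface $subnet" >&2
            status=1
        else
            # unquoted $nets on purpose: joins the one-per-line networks with spaces
            echo "To 0.0.0.0/0 (all) from $(echo $nets) through $out_if"
        fi
    done < "$masq_file"
    return "$status"
}

# Constructed sample input reproducing the thread: vmnet1/vmnet8 are named in
# masq, but VMware is not running, so the kernel has no routes through them.
WORK=$(mktemp -d)
MASQ="$WORK/masq"
ROUTES="$WORK/routes"
cat > "$MASQ" <<'EOF'
#INTERFACE SUBNET
eth0 eth1
eth0 vmnet1
eth0 vmnet8
EOF
cat > "$ROUTES" <<'EOF'
default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
EOF

# On a live firewall: "ip route > $ROUTES" and point MASQ at /etc/shorewall/masq.
check_masq_sources "$MASQ" "$ROUTES" ||
    echo "Bring the interfaces up, or name their networks instead, before 'shorewall start'."
```

With the sample data the check prints the eth1 line Shorewall itself shows ("To 0.0.0.0/0 (all) from 192.168.1.0/24 through eth0") and then the two errors for vmnet1 and vmnet8. Naming the networks (for example `eth0 192.168.1.0/24`) in the SUBNET column instead of interface names is the other way to remove the dependency on the interfaces being up at start time.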
Apologies for the previous post. Problem fixed.

Cheers,
Joe
Thank you Tom. I figured out the cause just after I had sent the message. Sorry for the spam! Since I don't keep the vmware up all the time, the interfaces were unconfig'ed and I had forgotten about the effect on the firewall.

Cheers,
Joe

> Message: 2
> Date: Sat, 27 Nov 2004 12:15:52 -0800
> From: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] /etc/shorewall/masq
> To: Shorewall Users <shorewall-users@lists.shorewall.net>
> Message-ID: <1101586552.22463.37.camel@tipper.shorewall.net>
> Content-Type: text/plain