I have allowed ALL of the local users to ping the internet, but they currently get the following error and cannot access the internet! I know it is something I have done wrong (I think it is a routing problem, but I just cannot find out what). The error is:

Reply from 212.219.13.74: destination host unreachable.

My eth1 is 10.0.0.1 and the users can ping that OK.
My eth0 is 212.219.13.74 (connected to the internet) and users can ping that OK.

They just cannot access or ping any address on the internet.
I have "eth0 10.0.0.0/8 212.219.13.74" in my masq file.
I also have "AllowPing loc net" in my rules file.
I have "loc net ACCEPT" in my policy file.

I have read the FAQ and manuals but MUST be missing something stupid.

I get the same results with shorewall stopped and cleared as with shorewall running.

Many thanks

Denis
What does your routing table look like? With shorewall stopped, can you reach the internet from your firewall?

Nick

On Fri, 2004-08-20 at 07:23, Denis Croombs wrote:
> I have allowed ALL of the local users to ping the internet but they
> currently get the following error and cannot access the internet !
> I know it is something I have done wrong (I think it is a routing problem
> but just cannot find out what)
> The error is:-
> Reply from 212.219.13.74: destination host unreachable.
> [...]
> I get the same results with shorewall stopped and cleared as with shorewall
> running
> I have "eth0 10.0.0.0/8 212.219.13.74" in my masq file.

Look at example 4 again and then.... try this instead:

#########################################
#INTERFACE   SUBNET          ADDRESS
eth0         eth1

# shorewall stop
# shorewall start

Example 4:
#
# You want all outgoing traffic from 192.168.1.0/24 through
# eth0 to use source address 206.124.146.176 which is NOT the
# primary address of eth0. You want 206.124.146.176 to
# be added to eth0 with name eth0:0.
#
# eth0:0       192.168.1.0/24  206.124.146.176
JBanks wrote:
| > I have "eth0 10.0.0.0/8 212.219.13.74" in my masq file.
|
| Look at example 4 again and then....
| try this instead:
| #INTERFACE   SUBNET          ADDRESS
| eth0         eth1
| [...]

There is nothing wrong with the OP's masq entry (assuming that the internal network is 10.0.0.0/8 and the external IP address is 212.219.13.74). Have you properly configured the default gateway address on the internal hosts?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep wrote:
| There is nothing wrong with the OP's masq entry (assuming that the
| internal network is 10.0.0.0/8 and the external IP address is
| 212.219.13.74). Have you properly configured the default gateway address
| on the internal hosts?

Hm -- haven't had my coffee yet; if you can ping the router's external IP from an internal host, the latter's default gateway should be correctly set. Are you seeing any messages in your log?

-Tom
Tom Eastep wrote:
> There is nothing wrong with the OP's masq entry (assuming that the
> internal network is 10.0.0.0/8 and the external IP address is
> 212.219.13.74). Have you properly configured the default gateway
> address on the internal hosts?
>
>> Hm -- haven't had my coffee yet; if you can ping the router's
>> external IP from an internal host, the latter's default gateway should be
>> correctly set.

What I was getting at was: is the IP the OP is using in their "masq" file the primary IP or an alias off of eth0? Even though they stated that it is eth0, it sounded as though the IP wasn't the primary eth0 interface IP address. If so, then the OP forgot to append the "0" to "eth0:0" or "eth0:1" or whatever it is... I thought that I made the same mistake at one time and got the same weird results that they are getting..

Joshua Banks
JBanks wrote:
| What I was getting at was: is the IP the OP is using in their "masq" file the
| primary IP or an alias off of eth0?
| Even though they stated that it is eth0, it sounded as though the IP wasn't the
| primary eth0 interface IP address. If so, then the OP forgot to append the
| "0" to "eth0:0" or "eth0:1" or whatever it is... I thought that I made the
| same mistake at one time and got the same weird results that they are
| getting..

The only time that the :0 has any significance whatsoever is if ADD_SNAT_ALIASES=Yes, in which case Shorewall will add the :0 label to the address. In is *absolutely no effect on traffic*.

-Tom
Tom Eastep wrote:
| The only time that the :0 has any significance whatsoever is if
| ADD_SNAT_ALIASES=Yes, in which case Shorewall will add the :0 label to
| the address. In is *absolutely no effect on traffic*.

I of course meant to write "It has ..."

-Tom
Denis Croombs
2004-Aug-20 14:48 UTC
Re: Cannot ping an address on the internet ! *** Solved ***
Many thanks for ALL of the ideas. I found that in the routing table all the local traffic was trying to go to ETH3 not ETH1 as I thought, so I moved the default router IP address from ETH1 to ETH3 and I can now access the internet. Just need to check all is secure and set up squid now.

Again thanks for all the ideas.

Regards

Denis

> The only time that the :0 has any significance whatsoever is if
> ADD_SNAT_ALIASES=Yes, in which case Shorewall will add the :0 label to
> the address. In is *absolutely no effect on traffic*.
>
> -Tom
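The mistake Denis found is exactly the kind of thing that a quick check of the routing table catches before anyone starts rewriting firewall rules: the masq entry said "eth0 masquerades 10.0.0.0/8", but the kernel was routing 10.0.0.0/8 out of a different interface than the one the admin believed served the LAN. The script below is an added example and is not code from the thread or from Shorewall itself. It parses `ip route show`-style output (a constructed sample, modelled on the thread, in which the 10.0.0.0/8 route sits on eth3 rather than eth1) and checks that a masq entry in either of the forms seen above, `eth0 10.0.0.0/8 212.219.13.74` or the interface form `eth0 eth3`, agrees with where the default route and the LAN prefix actually go. The function names and the sample routes are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample of `ip route show` on the firewall, modelled on the
# thread: the LAN prefix is routed on eth3 although the admin assumes eth1.
SAMPLE_ROUTES='default via 212.219.13.1 dev eth0
212.219.13.0/24 dev eth0 proto kernel scope link src 212.219.13.74
10.0.0.0/8 dev eth3 proto kernel scope link src 10.0.0.1
192.168.5.0/24 dev eth1 proto kernel scope link src 192.168.5.1'

# route_dev ROUTES PREFIX: print the device carrying PREFIX ("default" is accepted).
route_dev() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == want { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# dev_prefix ROUTES DEV: print the first non-default prefix routed on DEV.
# Used when the masq SUBNET column names an interface instead of a network.
dev_prefix() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "default" { for (i = 1; i <= NF; i++) if ($i == "dev" && $(i+1) == want) { print $1; exit } }'
}

# check_masq ROUTES "EXT_IF SUBNET [ADDRESS]" LAN_IF
# Prints one diagnostic line and returns 0 only when the routing table agrees
# with the masq entry and with the interface the admin believes serves the LAN.
check_masq() {
    routes=$1; lan_if=$3
    set -- $2                    # split the masq line into its columns
    ext_if=$1; subnet=$2
    case $subnet in
        */*) ;;                                           # already a CIDR prefix
        *)   subnet=$(dev_prefix "$routes" "$subnet") ;;  # interface form, e.g. "eth0 eth3"
    esac
    if [ -z "$subnet" ]; then
        echo "FAIL: masq SUBNET column names an interface with no route"; return 1
    fi
    def_dev=$(route_dev "$routes" default)
    if [ -z "$def_dev" ]; then
        echo "FAIL: no default route, forwarded packets have nowhere to go"; return 1
    fi
    if [ "$def_dev" != "$ext_if" ]; then
        echo "FAIL: default route leaves via $def_dev but masq is on $ext_if"; return 1
    fi
    lan_dev=$(route_dev "$routes" "$subnet")
    if [ -z "$lan_dev" ]; then
        echo "FAIL: no route for $subnet, replies cannot return to the LAN"; return 1
    fi
    if [ "$lan_dev" != "$lan_if" ]; then
        echo "FAIL: $subnet is routed via $lan_dev, not $lan_if"; return 1
    fi
    echo "OK: $ext_if masquerades $subnet, default via $def_dev, LAN via $lan_dev"
}
```

On a live box, replace SAMPLE_ROUTES with "$(ip route show)" and run, for Denis's setup, `check_masq "$(ip route show)" "eth0 10.0.0.0/8 212.219.13.74" eth1`; the sample above makes that call fail with "10.0.0.0/8 is routed via eth3, not eth1", which is the answer the thread took a day to reach. The check only looks at which device carries each prefix, so it is indifferent to ADD_SNAT_ALIASES and the ":0" label, which, as Tom notes, do not affect traffic.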
Denis Croombs wrote:
>> I have allowed ALL of the local users to ping the internet but they
>> currently get the following error and cannot access the internet !
>> I know it is something I have done wrong (I think it is a routing
>> problem but just cannot find out what)
>> The error is:-
>> Reply from 212.219.13.74: destination host unreachable.
>>
>> My eth1 is 10.0.0.1 and the users can ping that OK
>> My eth0 is 212.219.13.74 (connected to the internet) and users can
>> ping that OK.

Hmmm. Can you get out to the internet from the Shorewall box? Or do "ping -I eth0 (the IP of the connected routing/bridging device)". If that works, then do the same out to 66.94.230.42 (which is yahoo.com). If that works, then do the same but this time use "ping -I eth1 (the IP of the connected routing/bridging device)". If that works, then do the same out to 66.94.230.42 again.

What is the output of "ifconfig eth0", and what is the IP address and subnet mask assigned to your cable/DSL modem?

The more details you can provide the better. All I can do is guess with the info you have provided so far.

Thanks,
Joshua Banks
Denis Croombs wrote:
>> Many thanks for ALL of the ideas. I found that in the routing table
>> all the local traffic was trying to go to ETH3 not ETH1 as I thought, so I
>> moved the default router IP address from ETH1 to ETH3 and I can now
>> access the internet.

LOL. Denis, you never mentioned eth3 in your initial post. Thanks for clearing up the mystery though.

Joshua Banks
Denis Croombs
2004-Aug-20 15:12 UTC
Re: Cannot ping an address on the internet !***Solved ***
> >> Many thanks for ALL of the ideas. I found that in the routing table
> >> all the local traffic was trying to go to ETH3 not ETH1 as I thought, so I
> >> moved the default router IP address from ETH1 to ETH3 and I can now
> >> access the internet.
>
> LOL. Denis, you never mentioned eth3 in your initial post. Thanks for clearing
> up the mystery though

Well, I had taken ALL the settings out for ETH3 because of the problems I was having! So I cut it back to a BASIC system for debugging. Well, we are now up and running but with more outgoing ports open than I wanted, but that is also to allow debugging, so back to adding rules.

Thanks for your time.

Denis