I've been experiencing problems with trying to get a single computer within the local network to access the Internet directly through the firewall. I have entered the default gateway of the computer in question to the IP address of the Local NIC card 192.168.10.196 of the firewall. But when I open a browser to a website it times out and I can't get to any site at all. I'm not sure what policy or rule I could be missing. Any help would greatly be appreciated.

Thank you,
James

Shorewall version 1.4.6b
Redhat Linux 7.2

ip addr show

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:4b:2c:f9:26 brd ff:ff:ff:ff:ff:ff
    inet 69.110.185.151/29 brd 65.115.171.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:e0:29:92:a7:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.4.1/24 brd 192.168.4.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:ba:ad:69:8c brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.196/24 brd 192.168.10.255 scope global eth2

ip route show

65.115.171.252 dev eth1 scope link
65.115.171.250 dev eth1 scope link
65.115.171.248/29 dev eth0 scope link
192.168.5.0/24 dev eth2 scope link
192.168.4.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 65.115.171.249 dev eth0

Shorewall Rules

ACCEPT loc fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT dmz fw icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8 -
ACCEPT fw loc icmp 8
ACCEPT fw dmz icmp 8
ACCEPT fw net icmp 8 -
DROP net fw icmp 8 -
DROP net dmz icmp 8 -
DROP net loc icmp 8 -
DNAT loc dmz:65.115.171.252 all - - 192.168.4.1
DNAT:info net loc:192.168.5.10 tcp 1723 - 65.115.171.251
DNAT:info net loc:192.168.5.10 47 - - 65.115.171.251
ACCEPT:info net dmz:65.115.171.250 tcp 53,80 -
ACCEPT net dmz:65.115.171.250 udp 53 -
ACCEPT:info net dmz:65.115.171.252 tcp 25 -
ACCEPT $FW loc udp 53 -
DNAT dmz:65.115.171.252 loc:192.168.5.205 tcp 25 - 192.168.4.1
ACCEPT loc $FW tcp 22,10000,25,80,8080 -

Shorewall Policy

net all DROP info
all all REJECT -
$FW net ACCEPT -
dmz net ACCEPT -

Tom Eastep
2003-Nov-13 07:01 UTC
[Shorewall-users] Problems with trying to access Internet
On Thu, 13 Nov 2003, james wrote:

>
> Shorewall Policy
>
> net all DROP info
> all all REJECT -
> $FW net ACCEPT -
> dmz net ACCEPT -

loc net ACCEPT

And move the "all all" policy to last -- your last two policies aren't doing anything because they are masked by "all all".

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
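
The masking described in the reply above, as an added example that is not part of the original thread and is not Shorewall's own code: a simplified model of first-match policy lookup that reports which entries can never be reached. The function names are hypothetical, and the model assumes entries name either a single zone or "all".

```python
# Added example: simplified first-match model of a Shorewall policy file.
# The two policy texts come from the thread; function names are hypothetical.

POSTED = """\
net  all  DROP    info
all  all  REJECT  -
$FW  net  ACCEPT  -
dmz  net  ACCEPT  -
"""

# The reply's fix: add "loc net ACCEPT" and move "all all" to the end.
FIXED = """\
net  all  DROP    info
$FW  net  ACCEPT  -
dmz  net  ACCEPT  -
loc  net  ACCEPT
all  all  REJECT  -
"""

def parse_policy(text):
    """Return [(source, dest, policy)] in file order, skipping comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            entries.append(tuple(fields[:3]))
    return entries

def covers(pattern, zone):
    """True if a policy column value matches the given zone (or pattern)."""
    return pattern == "all" or pattern == zone

def lookup(entries, source, dest):
    """The first entry matching the source/dest pair decides the policy."""
    for src, dst, policy in entries:
        if covers(src, source) and covers(dst, dest):
            return policy
    return None

def shadowed(entries):
    """Entries that can never match because an earlier entry covers them."""
    dead = []
    for i, (src, dst, _) in enumerate(entries):
        if any(covers(s, src) and covers(d, dst) for s, d, _ in entries[:i]):
            dead.append(entries[i])
    return dead
```

Running `shadowed()` over a policy file before restarting the firewall flags catch-all entries that were placed too early.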