Jim Williams
2003-Aug-31 12:48 UTC
[Shorewall-users] remote subnet cannot access the internet
I have shorewall 1.3.14 set up with 2 interfaces. I have 2 offices connected by a point to point T1. The remote users cannot access the internet. Everything works locally - mail, web server, web access. The remote network is 10.10.2.0/24 and the local is 10.10.1.0/24. The remote subnet can access the webserver on the firewall, so I do not think it is a routing issue. I am using static nat for a couple of web servers and mail server. Thanks!

> ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:f0:3b:50:60 brd ff:ff:ff:ff:ff:ff
    inet 10.10.1.101/24 brd 10.10.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:f0:40:03:a0 brd ff:ff:ff:ff:ff:ff
    inet 67.66.46.54/28 brd 67.66.46.63 scope global eth1
    inet 67.66.46.51/28 brd 67.66.46.63 scope global secondary eth1:0
    inet 67.66.46.50/28 brd 67.66.46.63 scope global secondary eth1:1

> ip route show
67.66.46.48/28 dev eth1 scope link
10.10.2.0/24 via 10.10.1.6 dev eth0
10.10.1.0/24 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default dev eth1 scope link

> shorewall status
Shorewall-1.3.14 Status at nl1.null-lairson.com - Sat Aug 30 12:08:17 CDT 2003

Counters reset Sat Aug 30 11:49:04 CDT 2003

Chain INPUT (policy DROP 1 packets, 92 bytes)
pkts bytes target prot opt in out source destination
2 196 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
379 59105 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
61 5460 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 3 packets, 232 bytes)
pkts bytes target prot opt in out source destination
6685 644K eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
2403 1940K eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 196 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
7 670 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
18 2424 fw2net all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 fw2net all -- * eth1 0.0.0.0/0 0.0.0.0/0
294 107K fw2loc all -- * eth0 0.0.0.0/0 10.10.1.0/24
0 0 fw2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * eth0 0.0.0.0/0 10.10.2.0/24
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain all2all (5 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
137 21741 common all -- * * 0.0.0.0/0 0.0.0.0/0
4 240 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
4 240 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain common (5 references)
pkts bytes target prot opt in out source destination
171 15604 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
71 11719 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445 reject-with icmp-port-unreachable
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
27 8040 DROP all -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
38 1976 DROP all -- * * 0.0.0.0/0 10.10.1.255
0 0 DROP all -- * * 0.0.0.0/0 67.66.46.63

Chain dynamic (4 references)
pkts bytes target prot opt in out source destination

Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
6685 644K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
1936 268K loc2net all -- * eth1 10.10.1.0/24 0.0.0.0/0
0 0 loc2net all -- * eth1 10.10.1.0/24 0.0.0.0/0
320 15901 loc2net all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 loc2net all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 loc2loc all -- * eth0 10.10.1.0/24 10.10.1.0/24
2044 92776 loc2loc all -- * eth0 10.10.1.0/24 0.0.0.0/0
2385 267K loc2loc all -- * eth0 0.0.0.0/0 10.10.1.0/24
0 0 loc2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 gal2net all -- * eth1 10.10.2.0/24 0.0.0.0/0
0 0 gal2net all -- * eth1 10.10.2.0/24 0.0.0.0/0

Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
379 59105 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
374 58522 loc2fw all -- * * 10.10.1.0/24 0.0.0.0/0
5 583 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * * 10.10.2.0/24 0.0.0.0/0

Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
2403 1940K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 net2net all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 net2net all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 net2net all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 net2net all -- * eth1 0.0.0.0/0 0.0.0.0/0
2403 1940K net2loc all -- * eth0 0.0.0.0/0 10.10.1.0/24
0 0 net2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 net2loc all -- * eth0 0.0.0.0/0 10.10.1.0/24
0 0 net2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 net2gal all -- * eth0 0.0.0.0/0 10.10.2.0/24
0 0 net2gal all -- * eth0 0.0.0.0/0 10.10.2.0/24

Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
61 5460 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
61 5460 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2loc (2 references)
pkts bytes target prot opt in out source destination
290 106K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
4 960 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2net (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
18 2424 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain gal2net (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination

Chain loc2fw (2 references)
pkts bytes target prot opt in out source destination
234 38540 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
26 1248 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10000
119 19317 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc2loc (4 references)
pkts bytes target prot opt in out source destination
4429 359K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc2net (4 references)
pkts bytes target prot opt in out source destination
1761 259K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 10.10.1.2 0.0.0.0/0 state NEW tcp dpt:53
7 507 ACCEPT udp -- * * 10.10.1.2 0.0.0.0/0 state NEW udp dpt:53
378 18144 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
110 6171 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2all (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
172 15732 common all -- * * 0.0.0.0/0 0.0.0.0/0
169 15498 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
169 15498 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2fw (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
2 96 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:135
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:113
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
59 5364 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2gal (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:135
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:113
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2loc (4 references)
pkts bytes target prot opt in out source destination
2283 1929K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
4 192 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:135
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:113
3 144 ACCEPT tcp -- * * 0.0.0.0/0 10.10.1.3 state NEW tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.10.1.3 state NEW tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.10.1.3 state NEW tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.10.1.3 state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.10.1.88 state NEW tcp dpt:80
113 10368 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2net (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain newnotsyn (12 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject (6 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
4 240 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain shorewall (0 references)
pkts bytes target prot opt in out source destination

Aug 30 12:06:01 net2all:DROP:IN=eth1 OUT=eth0 SRC=67.66.202.224 DST=10.10.1.88 LEN=92 TOS=0x00 PREC=0x00 TTL=122 ID=27435 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=10798
Aug 30 12:06:01 net2all:DROP:IN=eth1 OUT=eth0 SRC=67.66.202.224 DST=10.10.1.3 LEN=92 TOS=0x00 PREC=0x00 TTL=122 ID=27436 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=11054
Aug 30 12:06:01 net2all:DROP:IN=eth1 OUT= SRC=67.66.202.224 DST=67.66.46.54 LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=27441 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=11822
Aug 30 12:06:11 net2all:DROP:IN=eth1 OUT=eth0 SRC=67.64.207.225 DST=10.10.1.88 LEN=92 TOS=0x00 PREC=0x00 TTL=116 ID=60992 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=34454
Aug 30 12:06:11 net2all:DROP:IN=eth1 OUT=eth0 SRC=67.64.207.225 DST=10.10.1.3 LEN=92 TOS=0x00 PREC=0x00 TTL=116 ID=60993 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=34710
Aug 30 12:06:11 net2all:DROP:IN=eth1 OUT= SRC=67.64.207.225 DST=67.66.46.54 LEN=92 TOS=0x00 PREC=0x00 TTL=117 ID=60996 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=35478
Aug 30 12:06:14 net2all:DROP:IN=eth1 OUT=eth0 SRC=67.66.63.165 DST=10.10.1.88 LEN=92 TOS=0x00 PREC=0x00 TTL=122 ID=44926 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=31017
Aug 30 12:06:14 net2all:DROP:IN=eth1 OUT=eth0 SRC=67.66.63.165 DST=10.10.1.3 LEN=92 TOS=0x00 PREC=0x00 TTL=122 ID=44927 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=31273
Aug 30 12:06:14 net2all:DROP:IN=eth1 OUT= SRC=67.66.63.165 DST=67.66.46.54 LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=44930 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=32041
Aug 30 12:06:45 net2all:DROP:IN=eth1 OUT=eth0 SRC=67.65.167.42 DST=10.10.1.88 LEN=92 TOS=0x00 PREC=0x00 TTL=122 ID=9680 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28007
Aug 30 12:06:45 net2all:DROP:IN=eth1 OUT=eth0 SRC=67.65.167.42 DST=10.10.1.3 LEN=92 TOS=0x00 PREC=0x00 TTL=122 ID=9681 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28263
Aug 30 12:06:45 net2all:DROP:IN=eth1 OUT= SRC=67.65.167.42 DST=67.66.46.54 LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=9685 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=29031
Aug 30 12:07:28 net2all:DROP:IN=eth1 OUT=eth0 SRC=67.69.168.123 DST=10.10.1.88 LEN=92 TOS=0x00 PREC=0x00 TTL=109 ID=46701 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=2860
Aug 30 12:07:28 net2all:DROP:IN=eth1 OUT=eth0 SRC=67.69.168.123 DST=10.10.1.3 LEN=92 TOS=0x00 PREC=0x00 TTL=109 ID=46702 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=3116
Aug 30 12:07:28 net2all:DROP:IN=eth1 OUT= SRC=67.69.168.123 DST=67.66.46.54 LEN=92 TOS=0x00 PREC=0x00 TTL=110 ID=46712 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=3884
Aug 30 12:08:00 net2all:DROP:IN=eth1 OUT=eth0 SRC=67.66.253.164 DST=10.10.1.88 LEN=92 TOS=0x00 PREC=0x00 TTL=115 ID=9629 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=48117
Aug 30 12:08:00 net2all:DROP:IN=eth1 OUT= SRC=67.66.253.164 DST=67.66.46.54 LEN=92 TOS=0x00 PREC=0x00 TTL=116 ID=9633 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=49141
Aug 30 12:08:19 net2all:DROP:IN=eth1 OUT=eth0 SRC=67.66.50.88 DST=10.10.1.88 LEN=92 TOS=0x00 PREC=0x00 TTL=122 ID=29638 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=10286
Aug 30 12:08:19 net2all:DROP:IN=eth1 OUT=eth0 SRC=67.66.50.88 DST=10.10.1.3 LEN=92 TOS=0x00 PREC=0x00 TTL=122 ID=29639 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=10542
Aug 30 12:08:19 net2all:DROP:IN=eth1 OUT= SRC=67.66.50.88 DST=67.66.46.54 LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=29642 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=11310

NAT Table

Chain PREROUTING (policy ACCEPT 32759 packets, 6010K bytes)
pkts bytes target prot opt in out source destination
597 49600 nat_in all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 1848 packets, 162K bytes)
pkts bytes target prot opt in out source destination
277 14227 nat_out all -- * * 0.0.0.0/0 0.0.0.0/0
254 12646 eth1_masq all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1597 packets, 190K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 0.0.0.0/0 67.66.46.51 to:10.10.1.3
0 0 DNAT all -- * * 0.0.0.0/0 67.66.46.50 to:10.10.1.88

Chain eth1_masq (1 references)
pkts bytes target prot opt in out source destination
147 7347 SNAT all -- * * 10.10.1.0/24 0.0.0.0/0 to:67.66.46.54

Chain nat_in (1 references)
pkts bytes target prot opt in out source destination
62 5470 DNAT all -- * * 0.0.0.0/0 67.66.46.51 to:10.10.1.3
60 5418 DNAT all -- * * 0.0.0.0/0 67.66.46.50 to:10.10.1.88

Chain nat_out (1 references)
pkts bytes target prot opt in out source destination
16 809 SNAT all -- * * 10.10.1.3 0.0.0.0/0 to:67.66.46.51
1 48 SNAT all -- * * 10.10.1.88 0.0.0.0/0 to:67.66.46.50

Mangle Table

Chain PREROUTING (policy ACCEPT 391K packets, 121M bytes)
pkts bytes target prot opt in out source destination
9602 2691K pretos all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 67491 packets, 8065K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 324K packets, 113M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 89165 packets, 68M bytes)
pkts bytes target prot opt in out source destination
336 111K outtos all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 412K packets, 180M bytes)
pkts bytes target prot opt in out source destination

Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08

tcp 6 38 TIME_WAIT src=10.10.1.55 dst=207.68.172.237 sport=3717 dport=80 src=207.68.172.237 dst=67.66.46.54 sport=80 dport=3717 [ASSURED] use=1
tcp 6 431995 ESTABLISHED src=10.10.1.55 dst=206.29.192.130 sport=3710 dport=80 src=206.29.192.130 dst=67.66.46.54 sport=80 dport=3710 [ASSURED] use=1
tcp 6 431946 ESTABLISHED src=10.10.1.88 dst=10.10.2.3 sport=1913 dport=5900 src=10.10.2.3 dst=67.66.46.50 sport=5900 dport=1913 [ASSURED] use=1
tcp 6 60 TIME_WAIT src=10.10.1.55 dst=207.68.172.237 sport=3718 dport=80 src=207.68.172.237 dst=67.66.46.54 sport=80 dport=3718 [ASSURED] use=1
tcp 6 431886 ESTABLISHED src=10.10.1.88 dst=205.188.179.78 sport=1499 dport=5190 src=205.188.179.78 dst=67.66.46.50 sport=5190 dport=1499 [ASSURED] use=1
tcp 6 85 TIME_WAIT src=10.10.1.55 dst=207.68.172.237 sport=3719 dport=80 src=207.68.172.237 dst=67.66.46.54 sport=80 dport=3719 [ASSURED] use=1
tcp 6 58 TIME_WAIT src=10.10.1.88 dst=10.10.1.101 sport=2051 dport=10000 src=10.10.1.101 dst=10.10.1.88 sport=10000 dport=2051 [ASSURED] use=1
tcp 6 101 SYN_SENT src=10.10.2.3 dst=64.156.220.104 sport=1948 dport=80 [UNREPLIED] src=64.156.220.104 dst=10.10.2.3 sport=80 dport=1948 use=1
tcp 6 431992 ESTABLISHED src=10.10.1.88 dst=10.10.1.101 sport=2052 dport=10000 src=10.10.1.101 dst=10.10.1.88 sport=10000 dport=2052 [ASSURED] use=1
tcp 6 99 TIME_WAIT src=10.10.1.55 dst=207.68.172.237 sport=3721 dport=80 src=207.68.172.237 dst=67.66.46.54 sport=80 dport=3721 [ASSURED] use=1
tcp 6 118 SYN_SENT src=10.10.2.3 dst=64.156.220.105 sport=1949 dport=80 [UNREPLIED] src=64.156.220.105 dst=10.10.2.3 sport=80 dport=1949 use=1
tcp 6 79 SYN_SENT src=10.10.2.222 dst=64.12.161.153 sport=1104 dport=5190 [UNREPLIED] src=64.12.161.153 dst=10.10.2.222 sport=5190 dport=1104 use=1
tcp 6 10 SYN_SENT src=10.10.2.3 dst=63.209.144.169 sport=1944 dport=80 [UNREPLIED] src=63.209.144.169 dst=10.10.2.3 sport=80 dport=1944 use=1
tcp 6 106 TIME_WAIT src=10.10.1.55 dst=207.68.172.237 sport=3722 dport=80 src=207.68.172.237 dst=67.66.46.54 sport=80 dport=3722 [ASSURED] use=1
tcp 6 32 SYN_SENT src=10.10.2.3 dst=63.209.144.179 sport=1945 dport=80 [UNREPLIED] src=63.209.144.179 dst=10.10.2.3 sport=80 dport=1945 use=1
tcp 6 111 TIME_WAIT src=10.10.1.55 dst=207.68.172.237 sport=3723 dport=80 src=207.68.172.237 dst=67.66.46.54 sport=80 dport=3723 [ASSURED] use=1
tcp 6 55 SYN_SENT src=10.10.2.3 dst=63.209.144.180 sport=1946 dport=80 [UNREPLIED] src=63.209.144.180 dst=10.10.2.3 sport=80 dport=1946 use=1
tcp 6 115 TIME_WAIT src=10.10.1.55 dst=207.68.172.237 sport=3724 dport=80 src=207.68.172.237 dst=67.66.46.54 sport=80 dport=3724 [ASSURED] use=1
tcp 6 50 SYN_SENT src=10.10.2.41 dst=216.88.76.7 sport=1326 dport=80 [UNREPLIED] src=216.88.76.7 dst=10.10.2.41 sport=80 dport=1326 use=1
tcp 6 78 SYN_SENT src=10.10.2.3 dst=63.209.144.182 sport=1947 dport=80 [UNREPLIED] src=63.209.144.182 dst=10.10.2.3 sport=80 dport=1947 use=1
tcp 6 431884 ESTABLISHED src=10.10.1.88 dst=205.188.8.213 sport=1489 dport=5190 src=205.188.8.213 dst=67.66.46.50 sport=5190 dport=1489 [ASSURED] use=1
tcp 6 27 TIME_WAIT src=10.10.1.55 dst=207.68.172.237 sport=3711 dport=80 src=207.68.172.237 dst=67.66.46.54 sport=80 dport=3711 [ASSURED] use=1
tcp 6 39 SYN_SENT src=10.10.2.39 dst=165.254.12.202 sport=1171 dport=80 [UNREPLIED] src=165.254.12.202 dst=10.10.2.39 sport=80 dport=1171 use=1
tcp 6 431995 ESTABLISHED src=10.10.1.55 dst=206.29.192.200 sport=3703 dport=80 src=206.29.192.200 dst=67.66.46.54 sport=80 dport=3703 [ASSURED] use=1
tcp 6 70 SYN_SENT src=10.10.2.39 dst=165.254.12.202 sport=1172 dport=80 [UNREPLIED] src=165.254.12.202 dst=10.10.2.39 sport=80 dport=1172 use=1
tcp 6 109 SYN_SENT src=10.10.2.39 dst=64.12.161.153 sport=1173 dport=5190 [UNREPLIED] src=64.12.161.153 dst=10.10.2.39 sport=5190 dport=1173 use=1
tcp 6 431991 ESTABLISHED src=10.10.1.55 dst=64.147.66.183 sport=3707 dport=80 src=64.147.66.183 dst=67.66.46.54 sport=80 dport=3707 [ASSURED] use=1
udp 17 102 src=10.10.1.2 dst=64.147.64.10 sport=1193 dport=53 src=64.147.64.10 dst=67.66.46.54 sport=53 dport=1193 [ASSURED] use=1
tcp 6 431995 ESTABLISHED src=10.10.1.55 dst=64.147.66.183 sport=3708 dport=80 src=64.147.66.183 dst=67.66.46.54 sport=80 dport=3708 [ASSURED] use=1
tcp 6 431995 ESTABLISHED src=10.10.1.55 dst=64.147.66.183 sport=3709 dport=80 src=64.147.66.183 dst=67.66.46.54 sport=80 dport=3709 [ASSURED] use=1
tcp 6 111 SYN_SENT src=10.10.2.39 dst=165.254.12.202 sport=1175 dport=80 [UNREPLIED] src=165.254.12.202 dst=10.10.2.39 sport=80 dport=1175 use=1

hosts
#ZONE   HOST(S)                 OPTIONS
loc     eth0:10.10.1.0/24
gal     eth0:10.10.2.0/24
net     eth1:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

zones
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local networks
gal     Galveston       Galveston Office
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

rules
#RESULT CLIENT(S)       SERVER(S)       PROTO   PORT(S) CLIENT PORT(S)  ADDRESS
DROP    net             all             tcp     135
DROP    net             all             tcp     113
ACCEPT  loc             fw              tcp     www
#mail server
ACCEPT  net             loc:10.10.1.3   tcp     25,53,110,80
#DNS server
ACCEPT  loc:10.10.1.2   net             tcp     53
ACCEPT  loc:10.10.1.2   net             udp     53
#web server
ACCEPT  net             loc:10.10.1.88  tcp     80
#
ACCEPT  loc             fw              tcp     10000
#ACCEPT net             fw              tcp     10000
ACCEPT  fw              net             tcp     www
ACCEPT  net             fw              tcp     www
ACCEPT  loc             net             tcp     www
ACCEPT  gal             net             tcp     www
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
loc     eth0            detect
net     eth1            detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

nat
#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES  LOCAL
#mail and web servers
67.66.46.51     eth1:0          10.10.1.3       Yes             Yes
67.66.46.50     eth1:1          10.10.1.88      Yes             Yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Joshua Banks
2003-Sep-01 00:30 UTC
[Shorewall-users] remote subnet cannot access the internet
You didn't submit your masq file. I saw a rule for Gal to net www, but I didn't see any specific rule for Gal to Net regarding dns. Can you ping from the remote network out to the internet by ip?

So I'm assuming that if your routing is configured correctly at all needed points then you just have a rule for Gal zone allowing dns resolution or you're not Masqing the 10.10.2.x network?

Hope this helps.

JBanks
Jim Williams
2003-Sep-01 14:29 UTC
[Shorewall-users] remote subnet cannot access the internet
Joshua -

Thanks for the response. That was it, no entry for the remote subnet in the masq file.
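The fix Jim confirms above (an entry for the remote subnet in the masq file), as an added check that is not part of the original thread: a script that parses a Shorewall 1.3-style hosts file and masq file (INTERFACE SUBNET ADDRESS columns, assumed here) and reports every internal subnet that no masq entry covers. The file contents are constructed from the thread; the "before" masq file mirrors the single eth1_masq SNAT rule in Jim's status output, and the by-interface variant shows the general form that covers every subnet behind eth0.

```python
# Added check for the misconfiguration in this thread: parse a Shorewall 1.3
# hosts file and masq file and report internal subnets with no masq entry.
import ipaddress
from typing import Iterator, List, Optional, Tuple

# Constructed sample input, copied from Jim's hosts file above.
HOSTS_FILE = """\
#ZONE   HOST(S)                 OPTIONS
loc     eth0:10.10.1.0/24
gal     eth0:10.10.2.0/24
net     eth1:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
"""

# Constructed masq file matching the eth1_masq SNAT rule in the status output:
# only 10.10.1.0/24 is masqueraded (the state before the fix).
MASQ_BEFORE = """\
#INTERFACE      SUBNET          ADDRESS
eth1            10.10.1.0/24    67.66.46.54
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

# Constructed masq file after the fix: an entry for the remote subnet as well.
MASQ_AFTER = MASQ_BEFORE.replace("#LAST LINE", "eth1            10.10.2.0/24    67.66.46.54\n#LAST LINE")

# Constructed alternative: naming the internal interface instead of a subnet
# masquerades everything arriving on eth0, the remote office included.
MASQ_BY_IFACE = "eth1            eth0            67.66.46.54\n"


def _records(text: str) -> Iterator[List[str]]:
    """Yield the whitespace-split fields of each non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_hosts(text: str) -> List[Tuple[str, str, ipaddress.IPv4Network]]:
    """Return (zone, interface, subnet) for each hosts entry 'zone iface:subnet'."""
    entries = []
    for fields in _records(text):
        zone, spec = fields[0], fields[1]
        iface, _, subnet = spec.partition(":")
        entries.append((zone, iface, ipaddress.ip_network(subnet or "0.0.0.0/0", strict=False)))
    return entries


def parse_masq(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (external iface, subnet-or-iface, address) for each masq entry."""
    return [(f[0], f[1], f[2] if len(f) > 2 else None) for f in _records(text)]


def _covers(source: str, iface: str, net: ipaddress.IPv4Network) -> bool:
    """True if a masq SUBNET column (interface name or CIDR) covers `net` on `iface`."""
    if source == iface:
        return True  # entry names the internal interface: covers all of it
    try:
        return net.subnet_of(ipaddress.ip_network(source, strict=False))
    except (ValueError, TypeError):
        return False  # not a CIDR (e.g. some other interface name): no match


def unmasqueraded(hosts_text: str, masq_text: str, external: str) -> List[Tuple[str, str]]:
    """List (zone, subnet) of internal subnets lacking a masq entry on `external`."""
    sources = [src for ext, src, _ in parse_masq(masq_text) if ext == external]
    missing = []
    for zone, iface, net in parse_hosts(hosts_text):
        if iface == external:
            continue  # the Internet-facing zone itself is never masqueraded
        if not any(_covers(src, iface, net) for src in sources):
            missing.append((zone, str(net)))
    return missing
```

Run against the "before" file it reports the gal zone's 10.10.2.0/24, which is exactly the subnet whose SYN_SENT entries in Jim's conntrack dump carry an un-translated reply tuple.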
Joshua Banks
2003-Sep-01 16:54 UTC
[Shorewall-users] remote subnet cannot access the internet
--- Jim Williams <jwilliams@null-lairson.com> wrote:
> Joshua -
>
> Thanks for the response. That was it, no entry for the remote subnet in
> the masq file.

Coo. :)

JBanks