Michael Mansour
2003-Jun-30 18:42 UTC
[Shorewall-users] Allowing traceroute from one machine to another
Hi,

I have two machines, server1 and server2. server1 (203.x.x.8) acts as a router for server2 (203.x.x.9), and server1 has the internet link to forward packets out.

Both server1 and server2 exist in the same subnet and have the same domain name, just different host names. server1 aliases a couple of other networks also.

I've allowed all traffic between both server1 and server2 with commands like:

ACCEPT fw dom1 tcp -
ACCEPT fw dom1 udp -
ACCEPT fw dom2 tcp -
ACCEPT fw dom2 udp -

and so on. However, when I do a traceroute from server2 the following happens:

[root@server2 root]# traceroute www.whatever.net.au
traceroute to www.whatever.net.au (202.x.x.x), 30 hops max, 38 byte packets
 1  * * *
 2  fe-0-3.xxx.xxxx.xx.net.au (202.x.x.x)  144.307 ms  159.902 ms  127.847 ms
 3  * webserver.xx.net.au (202.x.x.x)  324.847 ms *

With the following showing up in my firewall log:

Jul 1 11:35:02 server1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=203.x.x.8 DST=203.x.x.9 LEN=66 TOS=0x00 PREC=0xC0 TTL=64 ID=12898 PROTO=ICMP TYPE=11 CODE=0 [SRC=203.x.x.9 DST=202.x.x.2 LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=50045 PROTO=UDP SPT=38167 DPT=33435 LEN=18 ]
Jul 1 11:35:07 server1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=203.x.x.8 DST=203.x.x.9 LEN=66 TOS=0x00 PREC=0xC0 TTL=64 ID=12899 PROTO=ICMP TYPE=11 CODE=0 [SRC=203.x.x.9 DST=202.x.x.2 LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=50046 PROTO=UDP SPT=38167 DPT=33436 LEN=18 ]
Jul 1 11:35:12 server1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=203.x.x.8 DST=203.x.x.9 LEN=66 TOS=0x00 PREC=0xC0 TTL=64 ID=12900 PROTO=ICMP TYPE=11 CODE=0 [SRC=203.x.x.9 DST=202.x.x.2 LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=50047 PROTO=UDP SPT=38167 DPT=33437 LEN=18 ]

We can see that all2all traps this with the default REJECT rule, so why is it happening this way? I want server2 to traceroute correctly through server1.

Any ideas?

Thanks.

Michael.
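As an added worked example (not part of the original thread, and not Shorewall's own code), the following Python decodes Shorewall log lines of the kind quoted above and checks them against the poster's four rules. It makes explicit what the log fields already say: IN= is empty, so the rejected packet was generated by server1 itself rather than forwarded; it is ICMP type 11 (time exceeded) carrying the UDP traceroute probe whose TTL expired at server1; and ACCEPT rules that name only tcp and udp cannot match an ICMP packet, whereas a rule or policy covering all protocols would. The zone name dom1 for 203.x.x.9 is an assumption, since the thread never says which zone that host is in; the sample log lines are the poster's, with the addresses left masked as posted.

```python
"""Decode Shorewall REJECT log lines and check them against per-protocol rules.

Added example for this thread; not code from the original post or from Shorewall.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample input: the three log lines quoted in the post above,
# with the addresses left masked exactly as the poster masked them.
SAMPLE_LOG: List[str] = [
    "Jul 1 11:35:02 server1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 "
    "SRC=203.x.x.8 DST=203.x.x.9 LEN=66 TOS=0x00 PREC=0xC0 TTL=64 ID=12898 "
    "PROTO=ICMP TYPE=11 CODE=0 [SRC=203.x.x.9 DST=202.x.x.2 LEN=38 TOS=0x00 "
    "PREC=0x00 TTL=1 ID=50045 PROTO=UDP SPT=38167 DPT=33435 LEN=18 ]",
    "Jul 1 11:35:07 server1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 "
    "SRC=203.x.x.8 DST=203.x.x.9 LEN=66 TOS=0x00 PREC=0xC0 TTL=64 ID=12899 "
    "PROTO=ICMP TYPE=11 CODE=0 [SRC=203.x.x.9 DST=202.x.x.2 LEN=38 TOS=0x00 "
    "PREC=0x00 TTL=1 ID=50046 PROTO=UDP SPT=38167 DPT=33436 LEN=18 ]",
    "Jul 1 11:35:12 server1 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 "
    "SRC=203.x.x.8 DST=203.x.x.9 LEN=66 TOS=0x00 PREC=0xC0 TTL=64 ID=12900 "
    "PROTO=ICMP TYPE=11 CODE=0 [SRC=203.x.x.9 DST=202.x.x.2 LEN=38 TOS=0x00 "
    "PREC=0x00 TTL=1 ID=50047 PROTO=UDP SPT=38167 DPT=33437 LEN=18 ]",
]

# The poster's rules as (ACTION, SOURCE, DEST, PROTO). Assumption: 203.x.x.9
# sits in zone dom1; the thread never says which zone it belongs to.
POSTED_RULES: List[Tuple[str, str, str, str]] = [
    ("ACCEPT", "fw", "dom1", "tcp"),
    ("ACCEPT", "fw", "dom1", "udp"),
    ("ACCEPT", "fw", "dom2", "tcp"),
    ("ACCEPT", "fw", "dom2", "udp"),
]

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # netfilter KEY=value fields; IN= may be empty

# Classic UDP traceroute probes start at port 33434 and step up one per probe.
TRACEROUTE_PORTS = range(33434, 33534)


@dataclass
class Finding:
    chain: str
    disposition: str
    locally_generated: bool     # IN= empty: the firewall itself created the packet
    proto: str
    icmp_type: Optional[int]
    inner_proto: Optional[str]  # protocol of the packet quoted inside the ICMP error
    inner_dport: Optional[int]
    inner_ttl: Optional[int]
    traceroute_reply: bool      # ICMP time-exceeded answering a UDP traceroute probe


def _fields(text: str) -> Dict[str, str]:
    return dict(KV_RE.findall(text))


def parse_line(line: str) -> Finding:
    """Split a Shorewall log line into the outer packet and the quoted inner packet."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    outer_txt, _, inner_txt = m.group("rest").partition("[")
    outer, inner = _fields(outer_txt), _fields(inner_txt.rstrip(" ]"))
    icmp_type = int(outer["TYPE"]) if outer.get("PROTO") == "ICMP" and "TYPE" in outer else None
    dport = int(inner["DPT"]) if "DPT" in inner else None
    ttl = int(inner["TTL"]) if "TTL" in inner else None
    return Finding(
        chain=m.group("chain"),
        disposition=m.group("disp"),
        locally_generated=outer.get("IN", "") == "",
        proto=outer.get("PROTO", "?"),
        icmp_type=icmp_type,
        inner_proto=inner.get("PROTO"),
        inner_dport=dport,
        inner_ttl=ttl,
        traceroute_reply=(icmp_type == 11 and inner.get("PROTO") == "UDP"
                          and dport in TRACEROUTE_PORTS),
    )


def rules_cover(rules: Sequence[Tuple[str, str, str, str]], src_zone: str,
                dst_zone: str, proto: str) -> bool:
    """True if an ACCEPT rule for src->dst names this protocol.
    In the Shorewall rules file a PROTO of '-' or 'all' matches any protocol."""
    for action, src, dst, p in rules:
        if (action == "ACCEPT" and src == src_zone and dst == dst_zone
                and p.lower() in ("-", "all", proto.lower())):
            return True
    return False


def explain(f: Finding, rules: Sequence[Tuple[str, str, str, str]], dst_zone: str) -> str:
    """One-line verdict: what the packet is, where it came from, and whether the rules match it."""
    origin = "generated by the firewall itself (IN= is empty)" if f.locally_generated else "forwarded"
    if rules_cover(rules, "fw", dst_zone, f.proto):
        verdict = "matched by an ACCEPT rule"
    else:
        verdict = "not matched by any %s ACCEPT rule for fw->%s" % (f.proto.lower(), dst_zone)
    what = ("ICMP type 11 (time exceeded) answering a UDP traceroute probe to port %d" % f.inner_dport
            if f.traceroute_reply else "%s packet" % f.proto)
    return "%s:%s: %s, %s; %s" % (f.chain, f.disposition, what, origin, verdict)


def analyze(lines: Sequence[str], rules=POSTED_RULES, dst_zone: str = "dom1") -> List[str]:
    return [explain(parse_line(line), rules, dst_zone) for line in lines]


if __name__ == "__main__":
    for msg in analyze(SAMPLE_LOG):
        print(msg)
```

Running it against the three posted lines prints, for each, that the rejected datagram is ICMP time exceeded for a probe to ports 33435 to 33437, generated by the firewall itself, and not matched by any icmp ACCEPT rule for fw->dom1; swapping the protocol column of a rule for `-` makes `rules_cover` return true, which is the difference between a per-protocol rule and a blanket allow.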
Tom Eastep
2003-Jun-30 18:54 UTC
[Shorewall-users] Allowing traceroute from one machine to another
On Mon, 30 Jun 2003 18:42:05 -0700 (PDT), Michael Mansour <micoots@yahoo.com> wrote:

> Hi,
>
> I have two machines, server1 and server2. server1
> (203.x.x.8) acts as a router for server2 (203.x.x.9),
> and server1 has the internet link to forward packets
> out.
>
> Both server1 and server2 exist in the same subnet and
> have the same domain name, just different host names.
> server1 aliases a couple of other networks also.
>
> I've allowed all traffic between both server1 and
> server2 with commands like:
>
> ACCEPT fw dom1 tcp -
> ACCEPT fw dom1 udp -
> ACCEPT fw dom2 tcp -
> ACCEPT fw dom2 udp -
>

NO YOU HAVEN'T!!!

You have enabled traffic between dom1 and the firewall and between dom2 and the firewall and you have done it wrong (with rules rather than policies).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jun-30 19:03 UTC
[Shorewall-users] Allowing traceroute from one machine to another
On Mon, 30 Jun 2003 18:42:05 -0700 (PDT), Michael Mansour <micoots@yahoo.com> wrote:

> Hi,
>
> I have two machines, server1 and server2. server1
> (203.x.x.8) acts as a router for server2 (203.x.x.9),
> and server1 has the internet link to forward packets
> out.
>
> Both server1 and server2 exist in the same subnet and
> have the same domain name, just different host names.
> server1 aliases a couple of other networks also.
>
> I've allowed all traffic between both server1 and
> server2 with commands like:
>
> ACCEPT fw dom1 tcp -
> ACCEPT fw dom1 udp -
> ACCEPT fw dom2 tcp -
> ACCEPT fw dom2 udp -
>
> and so on. However, when I do a traceroute from
> server2 the following happens:
>
> [root@server2 root]# traceroute www.whatever.net.au
> traceroute to www.whatever.net.au (202.x.x.x), 30 hops
> max, 38 byte packets
>  1  * * *
>  2  fe-0-3.xxx.xxxx.xx.net.au (202.x.x.x)  144.307 ms  159.902 ms  127.847 ms
>  3  * webserver.xx.net.au (202.x.x.x)  324.847 ms *
>
> With the following showing up in my firewall log:
>
> Jul 1 11:35:02 server1 kernel:
> Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=203.x.x.8
> DST=203.x.x.9 LEN=66 TOS=0x00 PREC=0xC0 TTL=64
> ID=12898 PROTO=ICMP TYPE=11 CODE=0 [SRC=203.x.x.9
> DST=202.x.x.2 LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=50045
> PROTO=UDP SPT=38167 DPT=33435 LEN=18 ]
> Jul 1 11:35:07 server1 kernel:
> Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=203.x.x.8
> DST=203.x.x.9 LEN=66 TOS=0x00 PREC=0xC0 TTL=64
> ID=12899 PROTO=ICMP TYPE=11 CODE=0 [SRC=203.x.x.9
> DST=202.x.x.2 LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=50046
> PROTO=UDP SPT=38167 DPT=33436 LEN=18 ]
> Jul 1 11:35:12 server1 kernel:
> Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=203.x.x.8
> DST=203.x.x.9 LEN=66 TOS=0x00 PREC=0xC0 TTL=64
> ID=12900 PROTO=ICMP TYPE=11 CODE=0 [SRC=203.x.x.9
> DST=202.x.x.2 LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=50047
> PROTO=UDP SPT=38167 DPT=33437 LEN=18 ]
>
> We can see that all2all traps this with the default
> REJECT rule, so why is it happening this way? I want
> server2 to traceroute correctly through server1.
>
> Any ideas?

Actually, looking at your report again I don't understand your setup:

a) You talk about two systems yet you have three zones -- fw, dom1 and dom2.
b) I assume that you also have a 'net' zone?
c) What do your /etc/shorewall/interfaces and /etc/shorewall/hosts files look like?
d) What does your /etc/shorewall/policies file look like?
e) Which quickstart Guide did you follow? (you did use one, right?)

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jun-30 19:10 UTC
[Shorewall-users] Allowing traceroute from one machine to another
On Mon, 30 Jun 2003 18:53:56 -0700, Tom Eastep <teastep@shorewall.net> wrote:

>
> NO YOU HAVEN'T!!!
>

I apologize for yelling -- your post arrived just as I had a minor problem with my health (a chronic problem, unfortunately) and you got the blame :-(

Sorry,
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net