Srinivasa R Kotu
2003-Feb-08  07:43 UTC
[Shorewall-users] Need some help on Configuring shorewall for a 2 interface setup using a Cable Modem with static IP
Hi,

I am having a problem in configuring my machine to use shorewall. Here is my setup:

Operating System: Mandrake Network Firewall Linux based on Mandrake Linux 8.2
Network Connection: eth0 connecting to my internal LAN with IP 192.168.1.9
                    eth1 connecting to my cable modem with a static IP address 202.88.191.31

When I start with shorewall not configured to start at boot time, I can browse the net from my LAN using a squid proxy server installed on this machine. I can even ping machines on the net from the firewall machine. When I start shorewall manually using the command 'service shorewall start' it ends with the following error:

# service shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: lan wan
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
LAN Zone: eth0:192.168.1.0/24 eth0:0.0.0.0/0
NET Zone: eth1:0.0.0.0/0
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Host 192.168.1.1 NAT 202.88.191.31 on eth1
Adding Common Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up Blacklisting...
Blacklisting enabled on eth1
Setting up Kernel Route Filtering...
Warning: Cannot set route filtering on eth1
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
Rule "ACCEPT fw wan tcp 53 -" added.
Rule "ACCEPT fw wan udp 53 -" added.
Rule "ACCEPT lan wan udp 53 -" added.
Rule "REJECT wan fw tcp 113 -" added.
Rule "ACCEPT lan fw tcp 22 -" added.
Rule "ACCEPT lan fw tcp 8443 -" added.
Rule "ACCEPT fw lan icmp 8 -" added.
Rule "ACCEPT lan fw icmp 8 -" added.
Rule "ACCEPT lan wan tcp pop3 -" added.
Rule "ACCEPT lan wan tcp smtp -" added.
Rule "ACCEPT lan wan tcp http -" added.
Rule "ACCEPT lan wan tcp https -" added.
Rule "ACCEPT:info lan wan tcp ssh -" added.
Rule "ACCEPT lan wan tcp ftp -" added.
Rule "ACCEPT lan wan tcp nntp -" added.
Rule "ACCEPT fw wan udp ntp -" added.
Rule "ACCEPT lan wan tcp imap -" added.
Rule "ACCEPT fw wan:20022 tcp ftp -" added.
Rule "ACCEPT lan fw udp 53 -" added.
Rule "ACCEPT lan wan tcp ftp-data -" added.
Rule "ACCEPT lan fw::3328 tcp www - all" added.
Rule "ACCEPT fw wan tcp www -" added.
Setting up ICMP Echo handling...
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to lan using chain fw2lan
Policy ACCEPT for fw to wan using chain fw2wan
Policy ACCEPT for lan to fw using chain lan2all
Policy ACCEPT for lan to lan using chain lan2all
Policy ACCEPT for lan to wan using chain lan2wan
Policy DROP for wan to fw using chain wan2all
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth1 using 202.88.191.31
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "lan wan tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp - ftp-data 8" added.
Rule "all all tcp ftp-data - 8" added.
Activating Rules...
Adding IP Addresses...
Can't determine the IP address of eth1
/sbin/service: line 148: 4630 Terminated $debug $servicedir/$service $options

After that I can't ping from the firewall machine to any host on the internet; I get the error 'connect: Network is unreachable'.

And if I restart my network using the command 'service network restart' and ping from this machine I get the following:

ping 202.88.191.1
PING 202.88.191.1 (202.88.191.1) from 202.88.191.31 : 56(84) bytes of data.
ping: sendto: Operation not permitted

After which I can't browse the net even from my LAN using my proxy server; it gives the error 'squidGuard connection refused'.

Can somebody tell me why my internet connection is going down after I start shorewall?

Kotu

-- 
Best regards,
Kotu
mailto:kotu@ocimumbio.com
Srinivasa R Kotu
Systems Analyst
Ocimum Biosolutions Ltd.
Phone: 91 040 55627200
Fax: 91 040 55627205
www.ocimumbio.com
Tom Eastep
2003-Feb-08  08:31 UTC
[Shorewall-users] Need some help on Configuring shorewall for a 2 interface setup using a Cable Modem with static IP
Srinivasa R Kotu wrote:
> Hi,
>
> I am having a problem in configuring my machine to use shorewall.
>
> Here is my setup
>
> Operating System : Mandrake Network Firewall Linux based on Mandrake
> Linux 8.2
> Network Connection : eth0 Connecting to my internal LAN
> with IP 192.168.1.9
> eth1 Connecting to my cable modem with a static IP address
> 202.88.191.31
>
> When I start with shorewall not configured to start at boot time I can browse
> the net from my LAN using a squid proxy server installed on this
> machine. I can even ping machines on the net from the firewall
> machine.
> When I start shorewall manually using the command 'service shorewall
> start' it ends with the following error
>
>
> # service shorewall start
> Processing /etc/shorewall/shorewall.conf ...
> Processing /etc/shorewall/params ...
> Starting Shorewall...
> Loading Modules...
> Initializing...
> Determining Zones...
> Zones: lan wan
> Validating interfaces file...
> Validating hosts file...
> Validating Policy file...
> Determining Hosts in Zones...
> LAN Zone: eth0:192.168.1.0/24 eth0:0.0.0.0/0
> NET Zone: eth1:0.0.0.0/0
> Deleting user chains...
> Creating input Chains...
> Configuring Proxy ARP
> Setting up NAT...
> Host 192.168.1.1 NAT 202.88.191.31 on eth1
<snip>
> Rule "all all tcp ftp-data - 8" added.
> Activating Rules...
> Adding IP Addresses...
> Can't determine the IP address of eth1
> /sbin/service: line 148: 4630 Terminated $debug $servicedir/$service $options
>
> After that I can't ping from the firewall machine to any host on the
> internet with the error 'connect: Network is unreachable'.
>
> And if I restart my network using the command 'service network
> restart' and I ping from this machine I get the following
>
> ping 202.88.191.1
> PING 202.88.191.1 (202.88.191.1) from 202.88.191.31 : 56(84) bytes of data.
> ping: sendto: Operation not permitted
>
> After which I can't browse the net even from my LAN using my proxy
> server it gives the error 'squidGuard connection refused'
>
> Can somebody tell me why my internet connection is going down after I
> start shorewall.

Look at the state diagram at:
http://www.shorewall.net/starting_and_stopping_shorewall.htm.

It should be clear what is happening (failed 'start' command).

As to the error message you are getting, your /etc/shorewall/nat file (do you REALLY want to do static NAT?) is all screwed up (you can't NAT the primary IP address on an interface) and you probably don't have the ip utility (iproute package) installed.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net