I installed Shorewall and configured it according to the two-interface method. I uncommented the optional fw,net,ACCEPT policy. Shorewall starts, but I can't access the outside (tried ping, http, ssh). The internet device is a Motorola SURFboard cable modem. I can connect my Win2k box to the cable and get an internet connection. The IP info on my external NIC (eth0) is the same as on the Win2k box. What could the problem be?

# /etc/rc.d/init.d/shorewall start
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
   Rule "ACCEPT loc fw tcp 22" added.
   Rule "ACCEPT net fw tcp 22" added.
   Rule "ACCEPT loc fw icmp 8" added.
   Rule "ACCEPT net fw icmp 8" added.
   Rule "ACCEPT net fw tcp 80" added.
   Rule "ACCEPT loc fw tcp 80" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Policy DROP for net to fw using chain net2all
   Policy REJECT for loc to fw using chain all2all
   Policy ACCEPT for loc to net using chain loc2net
Masqueraded Subnets and Hosts:
   To 0.0.0.0/0 from 192.168.0.1/32 through eth0 using 24.234.142.65
   To 0.0.0.0/0 from 192.168.0.0/24 through eth0 using 24.234.142.65
   To 0.0.0.0/0 from 192.168.0.0/24 through eth0 using 24.234.142.65
Processing /etc/shorewall/tos...
   Rule "all all tcp - ssh 16" added.
   Rule "all all tcp ssh - 16" added.
   Rule "all all tcp - ftp 16" added.
   Rule "all all tcp ftp - 16" added.
   Rule "all all tcp ftp-data - 8" added.
   Rule "all all tcp - ftp-data 8" added.
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Started

# ping 24.234.43.1
PING 24.234.43.1 (24.234.43.1) from 24.234.142.71 : 56(84) bytes of data.
From 24.234.142.71: Destination Host Unreachable

--- 24.234.43.1 ping statistics ---
121 packets transmitted, 0 packets received, +2 errors, 100% packet loss

# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
24.234.142.71   *               255.255.255.255 UH       40 0          0 eth0
192.168.0.1     *               255.255.255.255 UH       40 0          0 eth1
24.234.142.64   24.234.142.71   255.255.255.224 UG       40 0          0 eth0
24.234.142.64   *               255.255.255.224 U        40 0          0 eth0
192.168.0.0     192.168.0.1     255.255.255.0   UG       40 0          0 eth1
192.168.0.0     *               255.255.255.0   U        40 0          0 eth1
127.0.0.0       *               255.0.0.0       U        40 0          0 lo
(there's a long pause here)
default         24.234.142.65   0.0.0.0         UG       40 0          0 eth0
default         24.234.142.65   0.0.0.0         UG       40 0          0 eth0

Here is the configuration info:

# shorewall version
1.3.14
# uname -a
Linux masina 2.4.9 #3 Sat Feb 15 00:52:20 PST 2003 i686 unknown
# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:20:78:13:e1:1f brd ff:ff:ff:ff:ff:ff
    inet 24.234.142.71/27 brd 24.234.142.95 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:33:d3:d4:f9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
# ip route show
24.234.142.71 dev eth0  scope link
192.168.0.1 dev eth1  scope link
24.234.142.64/27 via 24.234.142.71 dev eth0  scope link
24.234.142.64/27 dev eth0  proto kernel  scope link  src 24.234.142.71
192.168.0.0/24 via 192.168.0.1 dev eth1  scope link
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
127.0.0.0/8 dev lo  scope link
default via 24.234.142.65 dev eth0
default via 24.234.142.65 dev eth0  metric 1
# lsmod
Module                  Size  Used by
ipt_TOS                 1248  12 (autoclean)
iptable_mangle          2032   0 (autoclean) (unused)
8139too                11904   1 (autoclean)
ne2k-pci                5536   1 (autoclean)
8390                    6480   0 (autoclean) [ne2k-pci]

The output of "shorewall status" is attached: shorewall.txt

Any help would be appreciated.

Duncan

__________________________________________________
Do you Yahoo!?
Yahoo! Shopping - Send Flowers for Valentine's Day
http://shopping.yahoo.com

-------------- next part --------------
Shorewall-1.3.14 Status at masina - Sat Feb 15 01:39:01 PST 2003

Counters reset Sat Feb 15 01:00:39 PST 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  310 32969 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   25  8356 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  812 49599 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0    LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   98  6437 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0    LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination
  310 32969 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
  206 17962 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  242 18353 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  465 82465 all2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0    LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
  465 82465 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    state NEW tcp flags:!0x16/0x02
  125 13904 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   27  1730 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0    LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
   27  1730 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    state INVALID
   98 12174 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0    udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0    udp dpt:445 reject-with icmp-port-unreachable
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0    udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0    udp spt:53 state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0            24.234.142.95
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.0.255

Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   25  8356 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   25  8356 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
   98  6437 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   98  6437 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
  812 49599 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
  812 49599 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    state NEW tcp flags:!0x16/0x02
  242 18353 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  686 35647 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    state NEW tcp flags:!0x16/0x02
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    state NEW tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0    icmp type 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    state NEW tcp dpt:80
  125 13904 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    state NEW tcp flags:!0x16/0x02
   98  6437 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (27 references)
 pkts bytes target     prot opt in     out     source               destination
   25  8356 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0    LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'
   25  8356 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0    LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    state NEW tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0    icmp type 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    state NEW tcp dpt:80
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain newnotsyn (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    reject-with tcp-reset
   27  1730 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0    reject-with icmp-port-unreachable

Chain rfc1918 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       169.254.0.0/16       0.0.0.0/0
    0     0 logdrop    all  --  *      *       172.16.0.0/12        0.0.0.0/0
    0     0 logdrop    all  --  *      *       192.0.2.0/24         0.0.0.0/0
    0     0 logdrop    all  --  *      *       192.168.0.0/16       0.0.0.0/0
    0     0 logdrop    all  --  *      *       0.0.0.0/7            0.0.0.0/0
    0     0 logdrop    all  --  *      *       2.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       5.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       7.0.0.0/8            0.0.0.0/0
   25  8356 logdrop    all  --  *      *       10.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       23.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       27.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       31.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       36.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       39.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       41.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       42.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       58.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       60.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       70.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       72.0.0.0/5           0.0.0.0/0
    0     0 logdrop    all  --  *      *       83.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       84.0.0.0/6           0.0.0.0/0
    0     0 logdrop    all  --  *      *       88.0.0.0/5           0.0.0.0/0
    0     0 logdrop    all  --  *      *       96.0.0.0/3           0.0.0.0/0
    0     0 logdrop    all  --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       197.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       222.0.0.0/7          0.0.0.0/0
    0     0 logdrop    all  --  *      *       240.0.0.0/4          0.0.0.0/0

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Feb 15 01:07:11 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=32505 PROTO=UDP SPT=1841 DPT=53 LEN=44
Feb 15 01:07:15 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=32507 PROTO=UDP SPT=1841 DPT=53 LEN=44
Feb 15 01:07:51 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=255 ID=1579 PROTO=UDP SPT=67 DPT=68 LEN=316
Feb 15 01:07:53 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=255 ID=1581 PROTO=UDP SPT=67 DPT=68 LEN=316
Feb 15 01:07:55 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=330 TOS=0x00 PREC=0x00 TTL=255 ID=1583 PROTO=UDP SPT=67 DPT=68 LEN=310
Feb 15 01:07:55 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=330 TOS=0x00 PREC=0x00 TTL=255 ID=1585 PROTO=UDP SPT=67 DPT=68 LEN=310
Feb 15 01:08:03 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=32533 PROTO=UDP SPT=1844 DPT=53 LEN=44
Feb 15 01:08:03 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=330 TOS=0x00 PREC=0x00 TTL=255 ID=1593 PROTO=UDP SPT=67 DPT=68 LEN=310
Feb 15 01:08:03 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=330 TOS=0x00 PREC=0x00 TTL=255 ID=1595 PROTO=UDP SPT=67 DPT=68 LEN=310
Feb 15 01:08:07 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=32535 PROTO=UDP SPT=1844 DPT=53 LEN=44
Feb 15 01:08:08 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=255 ID=1601 PROTO=UDP SPT=67 DPT=68 LEN=316
Feb 15 01:08:10 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=255 ID=1605 PROTO=UDP SPT=67 DPT=68 LEN=316
Feb 15 01:28:38 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.0.1 LEN=59 TOS=0x00 PREC=0x00 TTL=128 ID=33454 PROTO=UDP SPT=1924 DPT=53 LEN=39
Feb 15 01:29:23 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.0.1 LEN=65 TOS=0x00 PREC=0x00 TTL=128 ID=33511 PROTO=UDP SPT=1928 DPT=53 LEN=45
Feb 15 01:29:27 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.0.1 LEN=65 TOS=0x00 PREC=0x00 TTL=128 ID=33514 PROTO=UDP SPT=1928 DPT=53 LEN=45
Feb 15 01:29:31 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.0.1 LEN=65 TOS=0x00 PREC=0x00 TTL=128 ID=33516 PROTO=UDP SPT=1928 DPT=53 LEN=45
Feb 15 01:30:19 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.0.1 LEN=65 TOS=0x00 PREC=0x00 TTL=128 ID=33525 PROTO=UDP SPT=1931 DPT=53 LEN=45
Feb 15 01:30:23 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.0.1 LEN=65 TOS=0x00 PREC=0x00 TTL=128 ID=33532 PROTO=UDP SPT=1931 DPT=53 LEN=45
Feb 15 01:31:11 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.0.1 LEN=65 TOS=0x00 PREC=0x00 TTL=128 ID=33627 PROTO=UDP SPT=1935 DPT=53 LEN=45
Feb 15 01:31:15 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.0.1 LEN=65 TOS=0x00 PREC=0x00 TTL=128 ID=33638 PROTO=UDP SPT=1935 DPT=53 LEN=45

NAT Table

Chain PREROUTING (policy ACCEPT 194 packets, 25566 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 228 packets, 17333 bytes)
 pkts bytes target     prot opt in     out     source               destination
  232 17319 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 232 packets, 17625 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.0.1          0.0.0.0/0    to:24.234.142.65
   26  1714 SNAT       all  --  *      *       192.168.0.0/24       0.0.0.0/0    to:24.234.142.65
    0     0 SNAT       all  --  *      *       192.168.0.0/24       0.0.0.0/0    to:24.234.142.65

Mangle Table

Chain PREROUTING (policy ACCEPT 1447 packets, 110K bytes)
 pkts bytes target     prot opt in     out     source               destination
   25  8356 man1918    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 1252 97977 pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1414 packets, 167K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1225  152K outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (27 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0    LOG flags 0 level 6 prefix `Shorewall:man1918:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain man1918 (1 references)
 pkts bytes target     prot opt in     out     source               destination
   25  8356 RETURN     all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            169.254.0.0/16
    0     0 logdrop    all  --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 logdrop    all  --  *      *       0.0.0.0/0            192.0.2.0/24
    0     0 logdrop    all  --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            2.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            5.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            7.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            10.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            23.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            27.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            31.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            36.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            39.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            41.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            42.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            58.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            60.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            70.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            72.0.0.0/5
    0     0 logdrop    all  --  *      *       0.0.0.0/0            83.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            84.0.0.0/6
    0     0 logdrop    all  --  *      *       0.0.0.0/0            88.0.0.0/5
    0     0 logdrop    all  --  *      *       0.0.0.0/0            96.0.0.0/3
    0     0 logdrop    all  --  *      *       0.0.0.0/0            127.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            197.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            222.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            240.0.0.0/4

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    tcp dpt:22 TOS set 0x10
  466 82589 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
  688 35735 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0    tcp dpt:20 TOS set 0x08

udp      17 29 src=24.234.142.71 dst=131.216.16.9 sport=123 dport=123 [UNREPLIED] src=131.216.16.9 dst=24.234.142.71 sport=123 dport=123 use=2
tcp      6 431999 ESTABLISHED src=192.168.0.4 dst=192.168.0.1 sport=1932 dport=22 src=192.168.0.1 dst=192.168.0.4 sport=22 dport=1932 [ASSURED] use=1
Cowles, Steve
2003-Feb-15 04:35 UTC
[Shorewall-users] shorewall two-connection won't work
> -----Original Message-----
> From: Duncan Leaf
> Sent: Saturday, February 15, 2003 3:07 AM
> Subject: [Shorewall-users] shorewall two-connection won't work
>

See my inserts below

> I installed Shorewall and configured it according to the
> two-interface method. I uncommented the optional
> fw,net,ACCEPT policy. Shorewall starts, but I can't
> access the outside (tried ping, http, ssh). The
> internet device is a Motorola SURFboard cable modem. I
> can connect my Win2k box to the cable and get an
> internet connection. The IP info on my external NIC
> (eth0) is the same as on the Win2k box. What could
> the problem be?
>
> # /etc/rc.d/init.d/shorewall start
> Processing /etc/shorewall/params ...
> Starting Shorewall...
> Loading Modules...
> Initializing...
> Determining Zones...
> Zones: net loc
> Validating interfaces file...
> Validating hosts file...
> Validating Policy file...
> Determining Hosts in Zones...
>    Net Zone: eth0:0.0.0.0/0
>    Local Zone: eth1:0.0.0.0/0
> Processing /etc/shorewall/init ...
> Deleting user chains...
> Creating input Chains...
> Configuring Proxy ARP
> Setting up NAT...
> Adding Common Rules
> Adding rules for DHCP
> Enabling RFC1918 Filtering
> Setting up Kernel Route Filtering...
> IP Forwarding Enabled
> Processing /etc/shorewall/tunnels...
> Processing /etc/shorewall/rules...
>    Rule "ACCEPT loc fw tcp 22" added.
>    Rule "ACCEPT net fw tcp 22" added.
>    Rule "ACCEPT loc fw icmp 8" added.
>    Rule "ACCEPT net fw icmp 8" added.
>    Rule "ACCEPT net fw tcp 80" added.
>    Rule "ACCEPT loc fw tcp 80" added.
> Processing /etc/shorewall/policy...
>    Policy ACCEPT for fw to net using chain fw2net
>    Policy DROP for net to fw using chain net2all
>    Policy REJECT for loc to fw using chain all2all
>    Policy ACCEPT for loc to net using chain loc2net
> Masqueraded Subnets and Hosts:
>    To 0.0.0.0/0 from 192.168.0.1/32 through eth0 using 24.234.142.65

Huh? Why the host route?

>    To 0.0.0.0/0 from 192.168.0.0/24 through eth0 using 24.234.142.65
>    To 0.0.0.0/0 from 192.168.0.0/24 through eth0 using 24.234.142.65

Duplicate masq entries for the same subnet. Needs to be fixed.

> Processing /etc/shorewall/tos...
>    Rule "all all tcp - ssh 16" added.
>    Rule "all all tcp ssh - 16" added.
>    Rule "all all tcp - ftp 16" added.
>    Rule "all all tcp ftp - 16" added.
>    Rule "all all tcp ftp-data - 8" added.
>    Rule "all all tcp - ftp-data 8" added.
> Activating Rules...
> Processing /etc/shorewall/start ...
> Shorewall Started
>
> # ping 24.234.43.1
> PING 24.234.43.1 (24.234.43.1) from 24.234.142.71 : 56(84) bytes of data.
> From 24.234.142.71: Destination Host Unreachable
>
> --- 24.234.43.1 ping statistics ---
> 121 packets transmitted, 0 packets received, +2 errors, 100% packet loss
>
> # netstat -r
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 24.234.142.71   *               255.255.255.255 UH       40 0          0 eth0

Why the host route? Not needed.

> 192.168.0.1     *               255.255.255.255 UH       40 0          0 eth1

Why the host route? Not needed.

> 24.234.142.64   24.234.142.71   255.255.255.224 UG       40 0          0 eth0

Network route pointing to host route. Why? Linux tcp/ip stack can figure out what interface to use. Not needed.

> 24.234.142.64   *               255.255.255.224 U        40 0          0 eth0

Looks good!

> 192.168.0.0     192.168.0.1     255.255.255.0   UG       40 0          0 eth1

Again! Network route pointing to host route. Why? Linux tcp/ip stack can figure out what interface to use. Not needed.

> 192.168.0.0     *               255.255.255.0   U        40 0          0 eth1

Looks good!

> 127.0.0.0       *               255.0.0.0       U        40 0          0 lo
> (there's a long pause here)
> default         24.234.142.65   0.0.0.0         UG       40 0          0 eth0
> default         24.234.142.65   0.0.0.0         UG       40 0          0 eth0

Huh? You have two default routes. Needs to be fixed.

BTW: The long pause is probably DNS timeouts for reverse lookup on 24.234.142.65. Fix routing problems/resolver lib config or type: netstat -rn to stop the long delays

>
> Here is the configuration info:
>
> # shorewall version
> 1.3.14
> # uname -a
> Linux masina 2.4.9 #3 Sat Feb 15 00:52:20 PST 2003 i686 unknown
> # ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:20:78:13:e1:1f brd ff:ff:ff:ff:ff:ff
>     inet 24.234.142.71/27 brd 24.234.142.95 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:40:33:d3:d4:f9 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
> # ip route show
> 24.234.142.71 dev eth0  scope link
> 192.168.0.1 dev eth1  scope link
> 24.234.142.64/27 via 24.234.142.71 dev eth0  scope link
> 24.234.142.64/27 dev eth0  proto kernel  scope link  src 24.234.142.71
> 192.168.0.0/24 via 192.168.0.1 dev eth1  scope link
> 192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
> 127.0.0.0/8 dev lo  scope link
> default via 24.234.142.65 dev eth0
> default via 24.234.142.65 dev eth0  metric 1

ip route show is equivalent to netstat -rn. Just a different output format.

I'm sure Tom will correct me if I'm wrong, but I suspect shorewall is having a hard time decoding the output of netstat -rn based on the duplicate network routes and duplicate default gateways. I would try and fix these dups first, then re-run shorewall start.

The following is the correct output for a route table in linux. Unlike windows brain dead tcp/ip stack, linux does not need host routes and the additional network routes that point to the bound ip address of a NIC. It can figure this out on its own (note the src field). Just the network route to the interface is all that is needed.

[root@firewall] # ip route show
x.x.xxx.176/30 dev eth0  proto kernel  scope link  src x.x.xxx.178
192.168.9.0/24 dev eth1  proto kernel  scope link  src 192.168.9.1
default via x.x.xxx.177 dev eth0

[root@firewall] # ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
    link/ether 00:60:00:00:00:d4 brd ff:ff:ff:ff:ff:ff
    inet x.x.xxx.178/30 brd x.x.xxx.179 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 02:00:06:00:00:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.1/24 brd 192.168.9.255 scope global eth1

# Shorewall start...
Masqueraded Subnets and Hosts:
   To 0.0.0.0/0 from 192.168.9.0/24 through eth0 using x.x.xxx.178

Long pause!!!!

Based on the output of shorewall start that you posted (dups removed),

> Masqueraded Subnets and Hosts:
>    To 0.0.0.0/0 from 192.168.0.0/24 through eth0 using 24.234.142.65

Shorewall is trying to masq 192.168.0.0/24 through your default route IP, not the IP address of your external interface. i.e. 24.234.142.71 Bzzzt!!

Fix your routing problems first and then try shorewall start.

Steve Cowles
Cowles, Steve wrote:

>> Masqueraded Subnets and Hosts:
>>    To 0.0.0.0/0 from 192.168.0.1/32 through eth0 using 24.234.142.65
>
> Huh? Why the host route?
>
>>    To 0.0.0.0/0 from 192.168.0.0/24 through eth0 using 24.234.142.65
>>    To 0.0.0.0/0 from 192.168.0.0/24 through eth0 using 24.234.142.65
>
> Duplicate masq entries for the same subnet. Needs to be fixed.

These are a direct result of the ersatz routing table on the firewall box. Beginning with Shorewall 1.3.14, Shorewall uses the routing table to build the masquerade entries so each host or subnet routed through the interface in column 2 (eth1 in this case) is masqueraded.

>> 127.0.0.0       *               255.0.0.0       U        40 0          0 lo
>> (there's a long pause here)

DNS Timeout... will go away if you use "netstat -rn"

>> default         24.234.142.65   0.0.0.0         UG       40 0          0 eth0
>> default         24.234.142.65   0.0.0.0         UG       40 0          0 eth0
>
> ip route show is equivalent to netstat -rn. Just a different output format.
>
> I'm sure Tom will correct me if I'm wrong, but I suspect shorewall is having
> a hard time decoding the output of netstat -rn based on the duplicate
> network routes and duplicate default gateways. I would try and fix these
> dups first, then re-run shorewall start.

Shorewall actually uses the output of "ip route show <device>".

> Fix your routing problems first and then try shorewall start.

Or change the second column in the MASQ file entry from "eth2" to "192.168.0.0/24".

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
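The two readings above (Steve's checklist for the routing table, and Tom's explanation that Shorewall 1.3.14 builds one masquerade entry per host or subnet routed through the masq-file interface) can be mechanised. The script below is an added example for this thread and is not Shorewall's code: parse_routes() reads the text output of `ip route show`, lint_routes() flags the four things Steve objects to, and masq_entries() is a simplified model of the rule Tom states, SNATing to the address bound to the external interface rather than to whatever is in the masq file's third column. The sample tables are copied from Duncan's posts; the "fixed" table is the one he reaches at the end of the thread, rewritten in `ip route` syntax.

```python
"""Lint a Linux routing table and model Shorewall 1.3.14's masq derivation.

Added example for this mailing-list thread, not Shorewall code.  The
masq_entries() model is a simplification of Tom's description (every
destination routed through the masq-file interface gets an entry); the
sample route tables are Duncan's, the local addresses come from his
`ip addr show`.
"""
import ipaddress
from collections import Counter

# `ip route show` from Duncan's first post (eth0 external, eth1 local).
BROKEN_ROUTES = """\
24.234.142.71 dev eth0  scope link
192.168.0.1 dev eth1  scope link
24.234.142.64/27 via 24.234.142.71 dev eth0  scope link
24.234.142.64/27 dev eth0  proto kernel  scope link  src 24.234.142.71
192.168.0.0/24 via 192.168.0.1 dev eth1  scope link
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
127.0.0.0/8 dev lo  scope link
default via 24.234.142.65 dev eth0
default via 24.234.142.65 dev eth0  metric 1
"""

# The table after Duncan fixed ifup (his final `route -n`, in `ip route` syntax).
FIXED_ROUTES = """\
24.234.142.64/27 dev eth0  proto kernel  scope link  src 24.234.142.71
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
default via 24.234.142.65 dev eth0
"""

# Addresses bound to the box's own interfaces, from `ip addr show`.
LOCAL_ADDRS = {"eth0": "24.234.142.71", "eth1": "192.168.0.1"}


def parse_routes(text):
    """Parse `ip route show` lines into dicts with dst/dev/via/src/metric."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        route = {"dst": tokens[0], "dev": None, "via": None, "src": None, "metric": 0}
        if route["dst"] == "default":
            route["dst"] = "0.0.0.0/0"
        elif "/" not in route["dst"]:        # bare address means a host route
            route["dst"] += "/32"
        for key, value in zip(tokens[1:], tokens[2:]):   # keyword/value pairs
            if key in ("dev", "via", "src"):
                route[key] = value
            elif key == "metric":
                route["metric"] = int(value)
        routes.append(route)
    return routes


def lint_routes(text, local_addrs):
    """Return (code, detail) findings for the problems Steve points out."""
    routes = parse_routes(text)
    own = set(local_addrs.values())
    findings = []
    defaults = [r for r in routes if r["dst"] == "0.0.0.0/0"]
    if len(defaults) > 1:
        findings.append(("multiple-default", "%d default routes, expected 1" % len(defaults)))
    for r in routes:
        net = ipaddress.ip_network(r["dst"], strict=False)
        if net.prefixlen == 32 and str(net.network_address) in own:
            findings.append(("host-route-self", "%s on %s" % (r["dst"], r["dev"])))
        if r["via"] in own:      # a network route whose gateway is this box itself
            findings.append(("via-self", "%s via %s on %s" % (r["dst"], r["via"], r["dev"])))
    for (dst, dev), n in Counter((r["dst"], r["dev"]) for r in routes).items():
        if n > 1 and dst != "0.0.0.0/0":     # duplicate defaults already reported
            findings.append(("duplicate", "%s appears %d times on %s" % (dst, n, dev)))
    return findings


def masq_entries(text, masq_iface, out_iface, local_addrs):
    """Model of Tom's rule: every destination routed through masq_iface
    becomes a masqueraded source, using the address bound to out_iface."""
    using = local_addrs[out_iface]
    return ["To 0.0.0.0/0 from %s through %s using %s" % (r["dst"], out_iface, using)
            for r in parse_routes(text) if r["dev"] == masq_iface]


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_ROUTES), ("fixed", FIXED_ROUTES)):
        print("== %s table ==" % name)
        for code, detail in lint_routes(table, LOCAL_ADDRS):
            print("  %-16s %s" % (code, detail))
        for entry in masq_entries(table, "eth1", "eth0", LOCAL_ADDRS):
            print("  masq: " + entry)
```

Run against the broken table the model reproduces Duncan's three masquerade lines (a /32 for 192.168.0.1 plus the /24 twice), which is exactly why the host route and the duplicated network route on eth1 show up in the Shorewall output; against the fixed table it produces the single entry seen after his restart.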
Cowles, Steve wrote:

> Based on the output of shorewall start that you posted (dups removed),
>
>> Masqueraded Subnets and Hosts:
>>    To 0.0.0.0/0 from 192.168.0.0/24 through eth0 using 24.234.142.65
>
> Shorewall is trying to masq 192.168.0.0/24 through your default route IP,
> not the IP address of your external interface. i.e. 24.234.142.71 Bzzzt!!

I suspect that the original poster may have "24.234.142.65" in the third column of the /etc/shorewall/masq file entry. That's certainly wrong.

-Tom
One more thing -- you are apparently running a DNS server on your firewall but you are not allowing DNS traffic from the local zone to the firewall.

-Tom
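Tom's observation comes straight from the log lines in the "shorewall status" attachment: every all2all:REJECT entry is IN=eth1, DST=192.168.0.1, PROTO=UDP, DPT=53, i.e. a local host asking the firewall itself for DNS. The script below is an added example for this thread (not Shorewall code) that does that reading automatically: it parses Shorewall's LOG prefix lines, maps interfaces to zones using the Net Zone/Local Zone lines from the start output, tallies what was denied, and turns loc-to-fw rejects into a rules-file line in the same ACCEPT <src> <dst> <proto> <port> form that "shorewall start" echoes. The sample lines are a subset of those in the attachment; the rfc1918 drops are reported but deliberately never turned into rules.

```python
"""Summarise Shorewall REJECT/DROP log lines and spot the missing rule.

Added example for this mailing-list thread, not Shorewall code.  Zone map
and firewall addresses come from Duncan's configuration output; the sample
log lines are a subset of his "shorewall status" attachment.
"""
import re
from collections import Counter

IFACE_ZONE = {"eth0": "net", "eth1": "loc"}   # Net Zone: eth0 / Local Zone: eth1
FW_ADDRS = {"24.234.142.71", "192.168.0.1"}    # addresses of the firewall itself

SAMPLE_LOG = """\
Feb 15 01:07:11 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=32505 PROTO=UDP SPT=1841 DPT=53 LEN=44
Feb 15 01:07:15 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=32507 PROTO=UDP SPT=1841 DPT=53 LEN=44
Feb 15 01:07:51 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=255 ID=1579 PROTO=UDP SPT=67 DPT=68 LEN=316
Feb 15 01:08:03 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.0.1 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=32533 PROTO=UDP SPT=1844 DPT=53 LEN=44
Feb 15 01:28:38 all2all:REJECT:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.0.1 LEN=59 TOS=0x00 PREC=0x00 TTL=128 ID=33454 PROTO=UDP SPT=1924 DPT=53 LEN=39
"""

# "<timestamp> <chain>:<disposition>:<key=value fields>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<chain>[\w-]+):(?P<disp>\w+):(?P<fields>.*)$")


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "chain": m.group("chain"), "disp": m.group("disp")}
    # LEN appears twice (IP header, then UDP); setdefault keeps the first.
    for key, value in re.findall(r"(\w+)=(\S*)", m.group("fields")):
        rec.setdefault(key, value)
    return rec


def zone_of(rec):
    """Map a record to (source zone, destination zone)."""
    src_zone = IFACE_ZONE.get(rec.get("IN"), "?")
    if rec.get("DST") in FW_ADDRS:
        dst_zone = "fw"                      # addressed to the firewall itself
    else:
        dst_zone = IFACE_ZONE.get(rec.get("OUT"), "?")
    return src_zone, dst_zone


def summarise(log_text):
    """Count denied flows by (chain, disposition, src zone, dst zone, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sz, dz = zone_of(rec)
        key = (rec["chain"], rec["disp"], sz, dz, rec.get("PROTO", "").lower(), rec.get("DPT", "-"))
        counts[key] += 1
    return counts


def suggest_rules(counts):
    """Only loc-to-fw policy rejects are turned into candidate rules; traffic
    from the net zone and rfc1918 drops are left for a human to judge."""
    rules = set()
    for (chain, disp, sz, dz, proto, dport), _ in counts.items():
        if disp == "REJECT" and sz == "loc" and dz == "fw" and proto and dport != "-":
            rules.add("ACCEPT %s %s %s %s" % (sz, dz, proto, dport))
    return sorted(rules)


if __name__ == "__main__":
    counts = summarise(SAMPLE_LOG)
    for key, n in counts.most_common():
        print("%4d  %s" % (n, " ".join(key)))
    for rule in suggest_rules(counts):
        print("candidate rules-file line:", rule)
```

On the sample lines the summary shows four loc-to-fw udp/53 rejects in all2all and one rfc1918 drop of a 10.4.32.1 DHCP broadcast arriving on eth0, and the only suggested line is ACCEPT loc fw udp 53, which is the rule Tom says is missing.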
I tried to delete the bad entries in my routing table. I used "route del ...". I got the table to this point:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
24.234.142.64   24.234.142.71   255.255.255.224 UG    0      0        0 eth0
24.234.142.64   0.0.0.0         255.255.255.224 U     0      0        0 eth0
192.168.0.0     192.168.0.1     255.255.255.0   UG    0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         24.234.142.65   0.0.0.0         UG    1      0        0 eth0

At this point I was having trouble deleting the first and third entries. I tried "route del gw 24.234.142.71" but it would just hang. I thought bringing down eth0 might make it work.

# ifdown eth0
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
192.168.0.0     192.168.0.1     255.255.255.0   UG    0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

# ifup eth0
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
24.234.142.71   0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
24.234.142.64   0.0.0.0         255.255.255.224 U     0      0        0 eth0
192.168.0.0     192.168.0.1     255.255.255.0   UG    0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         24.234.142.65   0.0.0.0         UG    0      0        0 eth0
0.0.0.0         24.234.142.65   0.0.0.0         UG    1      0        0 eth0

As you can see, I'm back where I started. So my question is: How do I "fix" my routing problems?

Thanks for the help,
Duncan

--- "Cowles, Steve" <Steve@SteveCowles.com> wrote:
> Fix your routing problems first and then try
> shorewall start.
You're right. I have corrected that mistake and restarted shorewall, but my problem remains.

Duncan

--- Tom Eastep <teastep@shorewall.net> wrote:
> I suspect that the original poster may have
> "24.234.142.65" in the third
> column of the /etc/shorewall/masq file entry. That's
> certainly wrong.
The second column of masq contained "eth1". I tried changing it to "192.168.0.0/24" and restarted shorewall, but my problem remains.

Duncan

--- Tom Eastep <teastep@shorewall.net> wrote:
> Or change the second column in the MASQ file entry
> from "eth2" to
> "192.168.0.0/24".
Cowles, Steve
2003-Feb-15 11:54 UTC
[Shorewall-users] shorewall two-connection won't work
> -----Original Message-----
> From: Duncan Leaf
> Sent: Saturday, February 15, 2003 12:35 PM
> Subject: RE: [Shorewall-users] shorewall two-connection won't work
>
> I tried to delete the bad entries in my routing table.
> I used "route del ...". I got the table to this point:
>
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 24.234.142.64   24.234.142.71   255.255.255.224 UG    0      0        0 eth0
> 24.234.142.64   0.0.0.0         255.255.255.224 U     0      0        0 eth0
> 192.168.0.0     192.168.0.1     255.255.255.0   UG    0      0        0 eth1
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         24.234.142.65   0.0.0.0         UG    1      0        0 eth0

So you have deleted the dup'd default gateway. good!

> At this point I was having trouble deleting the first
> and third entries. I tried "route del gw
> 24.234.142.71" but it would just hang. I thought
> bringing down eth0 might make it work.

There is some entry in your system's network configuration files that is causing the duplicate network routes. If this is a redhat system; check /etc/sysconfig/network and /etc/sysconfig/network-scripts/ifcfg-eth*

Also, since ifup and ifdown are scripts... you can add "-x" to the first line to put the script in debug mode. i.e.

#!/bin/bash -x

Now type: ifup eth0

Should help in locating where the duplicate route is coming from.

Steve Cowles
I added the "-x" to ifup. I commented out the offending lines in the script, brought down interfaces and brought them back up.

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
24.234.142.64   0.0.0.0         255.255.255.224 U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         24.234.142.65   0.0.0.0         UG    0      0        0 eth0

That looks good, right?

# /etc/rc.d/init.d/shorewall restart
Processing /etc/shorewall/params ...
Restarting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
Rule "ACCEPT loc fw tcp 22" added.
Rule "ACCEPT net fw tcp 22" added.
Rule "ACCEPT loc fw icmp 8" added.
Rule "ACCEPT net fw icmp 8" added.
Rule "ACCEPT net fw tcp 80" added.
Rule "ACCEPT loc fw tcp 80" added.
Rule "ACCEPT loc fw tcp 137" added.
Rule "ACCEPT loc fw udp 137" added.
Rule "ACCEPT loc fw tcp 138" added.
Rule "ACCEPT loc fw udp 138" added.
Rule "ACCEPT loc fw tcp 139" added.
Rule "ACCEPT loc fw udp 139" added.
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy DROP for net to fw using chain net2all
Policy REJECT for loc to fw using chain all2all
Policy ACCEPT for loc to net using chain loc2net
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.0.0/24 through eth0 using 24.234.142.71
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Restarted

But the problem is the same...

# ping 24.234.43.1
PING 24.234.43.1 (24.234.43.1) from 24.234.142.71 : 56(84) bytes of data.
From 24.234.142.71: Destination Host Unreachable

--- 24.234.43.1 ping statistics ---
105 packets transmitted, 0 packets received, +2 errors, 100% packet loss

--- "Cowles, Steve" <Steve@SteveCowles.com> wrote:
> There is some entry in your system's network configuration files that is
> causing the duplicate network routes. If this is a Red Hat system, check
> /etc/sysconfig/network and /etc/sysconfig/network-scripts/ifcfg-eth*
>
> Also, since ifup and ifdown are scripts, you can add "-x" to the first
> line to put the script in debug mode, i.e.
>
> #!/bin/bash -x
>
> Now type: ifup eth0
>
> That should help in locating where the duplicate route is coming from.
Cowles, Steve
2003-Feb-16 11:27 UTC
[Shorewall-users] shorewall two-connection won't work
> -----Original Message-----
> From: Duncan Leaf
> Sent: Sunday, February 16, 2003 12:51 PM
> Subject: RE: [Shorewall-users] shorewall two-connection won't work
>
> I added the "-x" to ifup. I commented out the offending lines in the
> script, brought down interfaces and brought them back up.

There should not have been any offending lines in ifup/ifdown. More likely one of your network configuration files has an extra entry that is causing this problem. You should find some time to fix this.

> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 24.234.142.64   0.0.0.0         255.255.255.224 U     0      0        0 eth0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         24.234.142.65   0.0.0.0         UG    0      0        0 eth0
>
> That looks good, right?

Yes -- looks good!

> # /etc/rc.d/init.d/shorewall restart
> Processing /etc/shorewall/params ...
> Restarting Shorewall...
> Loading Modules...
> Initializing...
> Determining Zones...
> Zones: net loc
> Validating interfaces file...
> Validating hosts file...
> Validating Policy file...
> Determining Hosts in Zones...
> Net Zone: eth0:0.0.0.0/0
> Local Zone: eth1:0.0.0.0/0
> Processing /etc/shorewall/init ...
> Deleting user chains...
> Creating input Chains...
> Configuring Proxy ARP
> Setting up NAT...
> Adding Common Rules
> Adding rules for DHCP
> Enabling RFC1918 Filtering
> Setting up Kernel Route Filtering...
> IP Forwarding Enabled
> Processing /etc/shorewall/tunnels...
> Processing /etc/shorewall/rules...
> Rule "ACCEPT loc fw tcp 22" added.
> Rule "ACCEPT net fw tcp 22" added.
> Rule "ACCEPT loc fw icmp 8" added.
> Rule "ACCEPT net fw icmp 8" added.
> Rule "ACCEPT net fw tcp 80" added.
> Rule "ACCEPT loc fw tcp 80" added.
> Rule "ACCEPT loc fw tcp 137" added.
> Rule "ACCEPT loc fw udp 137" added.
> Rule "ACCEPT loc fw tcp 138" added.
> Rule "ACCEPT loc fw udp 138" added.
> Rule "ACCEPT loc fw tcp 139" added.
> Rule "ACCEPT loc fw udp 139" added.
> Processing /etc/shorewall/policy...
> Policy ACCEPT for fw to net using chain fw2net
> Policy DROP for net to fw using chain net2all
> Policy REJECT for loc to fw using chain all2all
> Policy ACCEPT for loc to net using chain loc2net
> Masqueraded Subnets and Hosts:
> To 0.0.0.0/0 from 192.168.0.0/24 through eth0 using 24.234.142.71
> Processing /etc/shorewall/tos...
> Rule "all all tcp - ssh 16" added.
> Rule "all all tcp ssh - 16" added.
> Rule "all all tcp - ftp 16" added.
> Rule "all all tcp ftp - 16" added.
> Rule "all all tcp ftp-data - 8" added.
> Rule "all all tcp - ftp-data 8" added.
> Activating Rules...
> Processing /etc/shorewall/start ...
> Shorewall Restarted
>
> But the problem is the same...
>
> # ping 24.234.43.1
> PING 24.234.43.1 (24.234.43.1) from 24.234.142.71 : 56(84) bytes of data.
> From 24.234.142.71: Destination Host Unreachable

What version of shorewall are you using?

Have you verified that your routing tables are working without shorewall running? i.e.

shorewall stop; shorewall clear; ping...

Can you ping from a system behind your firewall with shorewall running (loc->net)?

Also, in order to get your loc->net working, you will need to move your loc->net accept in /etc/shorewall/policy to the top -or- before the first drop statement. i.e.

loc    net    ACCEPT
net    all    DROP    info
all    all    REJECT  info

BTW: Have you read about the filterping/noping option in /etc/shorewall/interfaces?

Other than that, I do not see much wrong with your setup.

Steve Cowles
Vincent Bernat
2003-Feb-17 08:31 UTC
[Shorewall-users] Re: shorewall two-connection won't work
OoO Towards the end of the afternoon of Saturday, 15 February 2003, at about 16:14, Tom Eastep <teastep@shorewall.net> said:

> These are a direct result of the ersatz routing table on the firewall
> box. Beginning with Shorewall 1.3.14, Shorewall uses the routing table
> to build the masquerade entries so each host or subnet routed through
> the interface in column 2 (eth1 in this case) is masqueraded.

I am not yet using 1.3.14, but I have a fairly complicated routing table and I have, for example, an interface which does not appear at all in the main table (it appears in another table). Will I run into trouble when I upgrade to 1.3.14?

> Shorewall actually uses the output of "ip route show <device>".

device? That doesn't work here.

>> Fix your routing problems first and then try shorewall start.

> Or change the second column in the MASQ file entry from "eth2" to
> "192.168.0.0/24".

So, it would be a workaround for my not-yet-met problem :).

--
printk("ufs_read_super: fucking Sun blows me\n");
        2.0.38 /usr/src/linux/fs/ufs/ufs_super.c
Gilson Soares
2003-Feb-17 10:55 UTC
[Shorewall-users] shorewall two-connection won't work
At 2/16/2003 16:26, Cowles, Steve wrote:
> > -----Original Message-----
> > From: Duncan Leaf
> > Sent: Sunday, February 16, 2003 12:51 PM
> > Subject: RE: [Shorewall-users] shorewall two-connection won't work
> >
> > I added the "-x" to ifup. I commented out the offending lines in the
> > script, brought down interfaces and brought them back up.
>
> There should not have been any offending lines in ifup/ifdown. More likely
> one of your network configuration files has an extra entry that is causing
> this problem. You should find some time to fix this.

AFAIK, for Red Hat systems, routes are inside:

/etc/sysconfig/static-routes
/etc/sysconfig/network (lines containing GATEWAY=X.X.X.X and GATEWAYDEV=ethX)
/etc/sysconfig/network-scripts/ifcfg-eth(X) (line containing GATEWAY=X.X.X.X)

-Gilson
Tom Eastep
2003-Feb-17 16:04 UTC
[Shorewall-users] Re: shorewall two-connection won't work
Vincent Bernat wrote:
> I am not yet using 1.3.14 but I have a fairly complicated routing
> table and, I have for example, an interface which does not appear at
> all in the main table (it appears in another table). Will I meet
> trouble when I will upgrade to 1.3.14 ?

Have you bothered to read the upgrade issues yet?

>> Shorewall actually uses the output of "ip route show <device>".
>
> device ? That doesn't work here.

Example?

>>> Fix your routing problems first and then try shorewall start.
>>
>> Or change the second column in the MASQ file entry from "eth2" to
>> "192.168.0.0/24".
>
> So, it would be a workaround for my not-already-met problem :).

Again, READ THE UPGRADE ISSUES....

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Duncan Leaf wrote:
> Processing /etc/shorewall/start ...

What do you have in /etc/shorewall/start?

> Shorewall Restarted
>
> But the problem is the same...
>
> # ping 24.234.43.1
> PING 24.234.43.1 (24.234.43.1) from 24.234.142.71 : 56(84) bytes of data.
> From 24.234.142.71: Destination Host Unreachable
>
> --- 24.234.43.1 ping statistics ---
> 105 packets transmitted, 0 packets received, +2 errors, 100% packet loss

Just to be sure that we are all on the same page:

a) These failing pings you keep showing us are:
   1) From the firewall system.
   2) From a system behind the firewall.
   3) From your neighbor's system down the block.

b) If these failed pings are from the firewall system and you "shorewall clear", does the ping still fail?

c) If the pings are from a system behind the firewall and you:

   shorewall clear
   iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE

   does the ping still fail?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net