Hi list,
sorry for the bad subject, but I can't think of a better punchline at
the moment ;-)
I am new to shorewall and also not very proficient with networking.
My setup
firewall "xeon1g", eth0 192.168.0.1 -> local network
eth1 dsl modem, ppp0 -> net
(not sure, where to mention eth1, if at all)
some client "hamlet", 192.168.0.2
After starting shorewall I can connect to the outside net as before,
but I cannot connect to the internet from hamlet. A ping to
195.8.224.1 doesn't get through and a telnet 129.43.19.99 80 (IBM
website) doesn't work either.
tcpdump on xeon1g shows the following:
xeon1g:~ # tcpdump
tcpdump: listening on eth0
19:32:05.864393 192.168.0.2.32959 > www.ibm.com.http: S
187801077:187801077(0) win 5840 <mss 1460,sackOK,timestamp 283695
0,nop,wscale 0> (DF) [tos 0x10]
19:32:08.858273 192.168.0.2.32959 > www.ibm.com.http: S
187801077:187801077(0) win 5840 <mss 1460,sackOK,timestamp 283995
0,nop,wscale 0> (DF) [tos 0x10]
19:32:10.858349 arp who-has xeon1g.jlogic.com tell 192.168.0.2
19:32:10.858376 arp reply xeon1g.jlogic.com is-at 0:2:a5:63:c:72
19:32:14.858536 192.168.0.2.32959 > www.ibm.com.http: S
187801077:187801077(0) win 5840 <mss 1460,sackOK,timestamp 284595
0,nop,wscale 0> (DF) [tos 0x10]
19:32:26.859053 192.168.0.2.32959 > www.ibm.com.http: S
187801077:187801077(0) win 5840 <mss 1460,sackOK,timestamp 285795
0,nop,wscale 0> (DF) [tos 0x10]
19:32:50.860098 192.168.0.2.32959 > www.ibm.com.http: S
187801077:187801077(0) win 5840 <mss 1460,sackOK,timestamp 288195
0,nop,wscale 0> (DF) [tos 0x10]
19:33:38.862189 192.168.0.2.32959 > www.ibm.com.http: S
187801077:187801077(0) win 5840 <mss 1460,sackOK,timestamp 292995
0,nop,wscale 0> (DF) [tos 0x10]
19:33:43.862393 arp who-has xeon1g.jlogic.com tell 192.168.0.2
19:33:43.862421 arp reply xeon1g.jlogic.com is-at 0:2:a5:63:c:72
So it seems that the routing on hamlet is ok, doesn't it? The requests
did arrive at xeon1g (firewall).
This is the routing on xeon1g (firewall).
xeon1g:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
145.253.1.132   *               255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
default         145.253.1.132   0.0.0.0         UG    0      0        0 ppp0
Ok, this is what tcpdump looks like on xeon1g/eth1 -> DSL.
This sample was taken while trying to telnet the IBM website from
hamlet!!
xeon1g:~ # tcpdump -i eth1
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: listening on eth1
19:43:20.880221 PPPoE [ses 0x86b] IP 62: 192.168.0.2.32960 >
www.ibm.com.http: S 905988514:905988514(0) win 5840 <mss
1452,sackOK,timestamp 351194 0,nop,wscale 0> (DF) [tos 0x10]
19:43:20.881465 PPPoE [ses 0x86b] IP 73:
dsl-213-023-053-144.arcor-ip.net.32796 > ns1.arcor-ip.de.domain: 60845+
PTR? 99.19.42.129.in-addr.arpa. (43) (DF)
19:43:20.906727 PPPoE [ses 0x86b] IP 212: ns1.arcor-ip.de.domain >
dsl-213-023-053-144.arcor-ip.net.32796: 60845 1/3/3 (182) (DF)
19:43:20.907108 PPPoE [ses 0x86b] IP 72:
dsl-213-023-053-144.arcor-ip.net.32796 > ns1.arcor-ip.de.domain: 60846+
PTR? 2.0.168.192.in-addr.arpa. (42) (DF)
19:43:20.923670 PPPoE [ses 0x86b] IP 147: ns1.arcor-ip.de.domain >
dsl-213-023-053-144.arcor-ip.net.32796: 60846* 0/1/0 (117) (DF)
19:43:20.923999 PPPoE [ses 0x86b] IP 73:
dsl-213-023-053-144.arcor-ip.net.32796 > ns1.arcor-ip.de.domain: 60847+
PTR? 11.2.253.145.in-addr.arpa. (43) (DF)
19:43:20.942249 PPPoE [ses 0x86b] IP 12: [|ip]
19:43:20.942633 PPPoE [ses 0x86b] IP 74:
dsl-213-023-053-144.arcor-ip.net.32796 > ns1.arcor-ip.de.domain: 60848+
PTR? 144.53.23.213.in-addr.arpa. (44) (DF)
19:43:20.961000 PPPoE [ses 0x86b] IP 45: truncated-ip - 256 bytes
missing!ns1.arcor-ip.de.domain >
dsl-213-023-053-144.arcor-ip.net.32796: 60848*[|domain] (DF)
19:43:23.877698 PPPoE [ses 0x86b] IP 62: 192.168.0.2.32960 >
www.ibm.com.http: S 905988514:905988514(0) win 5840 <mss
1452,sackOK,timestamp 351494 0,nop,wscale 0> (DF) [tos 0x10]
19:43:25.304095 PPPoE [ses 0x86b] LCP 10: Echo-Req(118),
Magic-Num=6516ae17
19:43:25.304263 PPPoE [ses 0x86b] LCP 10: Echo-Rep(118),
Magic-Num=95c6a4f3
19:43:29.877956 PPPoE [ses 0x86b] IP 62: 192.168.0.2.32960 >
www.ibm.com.http: S 905988514:905988514(0) win 5840 <mss
1452,sackOK,timestamp 352094 0,nop,wscale 0> (DF) [tos 0x10]
The last line says www.ibm.com. I did actually telnet the IP address,
but at least it looks like the request is leaving the firewall in the
direction of my ISP, doesn't it?
/var/log/messages says nothing.
I also included the config files I changed.
zones: uncommented the DMZ
interfaces:
net ppp0 detect norfc1918, logunclean
loc eth0 detect logunclean
policy:
loc net ACCEPT
net all DROP info
fw net ACCEPT
all all REJECT info
masq:
eth0 ppp0
shorewall.conf:
I also did minor changes to this file, but afaik it was just:
CLAMPMSS=yes
/sbin/ip is available.
In case you wanna know. I am running Suse 8.0 on intel.
Anything else I can provide to help you to help me? ;-)
Mariano
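The capture on eth1 in the post above shows a SYN leaving the DSL link with the source address 192.168.0.2 still in it, which is the one thing a masquerading firewall must never let happen: a private source on the external interface means the upstream router has no way to return the reply, and the connection times out exactly as described. The following script is an added example for readers of this thread, not code from the original post or from the Shorewall project. It does two checks that a practitioner would run in this situation: it parses tcpdump output from the external interface and lists packets whose source is an RFC 1918 address, and it parses copies of the Shorewall `interfaces` and `masq` files to confirm that each `masq` entry names an interface of the `net` zone in its first column (Shorewall's `masq` file is `INTERFACE SUBNET`: the outgoing interface first, then the network or interface whose traffic is masqueraded). The capture and config snippets embedded below are constructed to match the format of the post; nothing here talks to the network.

```python
import ipaddress
import re

# Constructed sample capture in the tcpdump format of the post (shortened, not verbatim).
SAMPLE_EXTERNAL_CAPTURE = """\
19:43:20.880221 PPPoE [ses 0x86b] IP 62: 192.168.0.2.32960 > www.ibm.com.http: S 905988514:905988514(0) win 5840 (DF) [tos 0x10]
19:43:20.881465 PPPoE [ses 0x86b] IP 73: dsl-213-023-053-144.arcor-ip.net.32796 > ns1.arcor-ip.de.domain: 60845+ PTR? 99.19.42.129.in-addr.arpa. (43) (DF)
19:43:20.942249 PPPoE [ses 0x86b] IP 12: [|ip]
19:43:25.304095 PPPoE [ses 0x86b] LCP 10: Echo-Req(118), Magic-Num=6516ae17
"""

# Constructed copies of the two Shorewall files quoted in the post.
SAMPLE_INTERFACES = """\
net ppp0 detect norfc1918, logunclean
loc eth0 detect logunclean
"""
SAMPLE_MASQ = "eth0 ppp0\n"

# timestamp ... IP <len>: <src.port> > <dst.port>:
PACKET_RE = re.compile(r"^(\S+) .*? IP \d+: (\S+) > (\S+):")


def _strip_port(endpoint):
    """tcpdump prints host.port; drop the final component to get the host."""
    host, _, _ = endpoint.rpartition(".")
    return host


def leaked_private_sources(capture_text):
    """Return (timestamp, src, dst) for IP packets whose source is an RFC 1918 address.

    Run against a capture of the *external* interface, every hit is traffic
    that left the firewall without being masqueraded.
    """
    leaks = []
    for line in capture_text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue  # LCP, truncated or non-IP lines
        ts, src, dst = m.groups()
        src_host = _strip_port(src)
        try:
            addr = ipaddress.ip_address(src_host)
        except ValueError:
            continue  # tcpdump resolved it to a hostname; use tcpdump -n to avoid this
        if addr.is_private:
            leaks.append((ts, src_host, _strip_port(dst)))
    return leaks


def zone_interfaces(interfaces_text):
    """Map zone name -> set of interface names from a Shorewall interfaces file."""
    zones = {}
    for line in interfaces_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        zones.setdefault(fields[0], set()).add(fields[1])
    return zones


def check_masq(masq_text, interfaces_text, external_zone="net"):
    """Return a warning per masq entry whose first column is not an external-zone interface."""
    ext = zone_interfaces(interfaces_text).get(external_zone, set())
    problems = []
    for line in masq_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        out_if, source = fields[0], fields[1]
        if out_if in ext:
            continue
        if source in ext:
            problems.append(f"masq entry '{line}': columns look swapped, expected '{source} {out_if}'")
        else:
            problems.append(f"masq entry '{line}': '{out_if}' is not a {external_zone} interface")
    return problems


if __name__ == "__main__":
    for ts, src, dst in leaked_private_sources(SAMPLE_EXTERNAL_CAPTURE):
        print(f"{ts}: private source {src} left the external link towards {dst}")
    for warning in check_masq(SAMPLE_MASQ, SAMPLE_INTERFACES):
        print(warning)
```

On a live box the capture half would be fed with `tcpdump -n -i <external interface>` output, so that source addresses are never replaced by reverse-DNS names; the config half reads the files from `/etc/shorewall`. If either check reports a hit, the `masq` entry is the first thing to inspect, and once it is fixed the same capture should show only the firewall's public address as source on the external link.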