Christoph Moar
2002-Aug-14 14:37 UTC
[Shorewall-users] please help: chain forward not working in 1.3.6?
Hi,
i used to work with an older shorewall version and finally
went up to update to the fresh 1.3.6 version.
i did a clean deinstall and a clean reinstall of the rpm
package on a redhat system. i have a valid iptables package.
something went wrong with the forwarding queue. I removed
all my rules and started up from scratch to identify the problem.
now i have a minimal setup:
--- hosts ---
#ZONE HOST(S) OPTIONS
loc eth1:192.168.38.0/24
bic eth1:192.168.3.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
--- interfaces ---
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect noping,norfc1918
loc eth1 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- policy ---
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc all ACCEPT
fw all ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
so basically my lan is 192.168.38.x, eth0 is my wan interface and
eth1 is my lan segment. i have a router that goes from
192.168.38.1 to the 192.168.3.x segment (the "bic" zone).
everything works fine from the lan to net, fw to net, even
pinging the bic segment from the firewall is fine.
but i have problems going from lan to the bic segment. i get:
Aug 14 15:53:35 xxx kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
SRC=192.168.38.6 DST=192.168.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=38710
PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=33792
so i (192.168.38.6) am trying to reach the bic segment (192.168.3.1),
which i should be able to reach via a route on my firewall (which acts
as default gateway), but get denied in the forward queue.
--- the input chain ---
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt
in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
9 596 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0
LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 10/sec burst 5 LOG flags 0
level 6 prefix `Shorewall:INPUT:REJECT:''
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
--- the forward chain ---
Chain FORWARD (policy DROP 2 packets, 149 bytes)
pkts bytes target prot opt
in out source destination
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0
LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: avg 10/sec burst 5 LOG flags 0
level 6 prefix `Shorewall:FORWARD:REJECT:''
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
--- the eth1_fwd chain ---
Chain eth1_fwd (1 references)
pkts bytes target prot opt
in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 loc2all all -- * eth0 192.168.38.0/24 0.0.0.0/0
0 0 loc2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * eth0 192.168.3.0/24 0.0.0.0/0
--- what happens when i start shorewall ..-
Restarting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc bic
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:192.168.38.0/24 eth1:0.0.0.0/0
Bic Zone: eth1:192.168.3.0/24
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Enabling RFC1918 Filtering
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
[...rules omitted...]
Adding rules for DHCP
Setting up ICMP Echo handling...
Processing /etc/shorewall/policy...
Policy DROP for net to fw using chain net2all
Policy ACCEPT for loc to loc using chain loc2all
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.38.0/24 through eth0
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Activating Rules...
Shorewall Restarted
----------------------------------------------------------
What is going wrong here?
Anybody a hint?
thanks,
regards
christoph
Tom Eastep
2002-Aug-14 15:15 UTC
[Shorewall-users] please help: chain forward not working in 1.3.6?
On Wed, 14 Aug 2002, Christoph Moar wrote:> > Hi, > i used to work with an older shorewall version and finally > went up to update to the fresh 1.3.6 version. > i did a clean deinstall and a clean reinstall of the rpm > package on a redhat system. i have a valid iptables package. > > something went wrong with the forwarding queue. I removed > all my rules and started up from scratch to identify the problem. > now i have a minimal setup: > > --- hosts --- > #ZONE HOST(S) OPTIONS > loc eth1:192.168.38.0/24 > bic eth1:192.168.3.0/24 > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE > > --- interfaces --- > #ZONE INTERFACE BROADCAST OPTIONS > net eth0 detect noping,norfc1918 > loc eth1 detectThe above should be: - eth1 192.168.38.255,192.168.3.255 multi -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net
Christoph Moar
2002-Aug-16 07:15 UTC
[Shorewall-users] please help: chain forward not working in 1.3.6?
At 14.08.2002 08:15, Tom Eastep wrote:>The above should be: > >- eth1 192.168.38.255,192.168.3.255 multi > >-Tomthanks tom, that was it! sorry - looks like this could have been a rtfm issue ;) regards christoph