Christoph Moar
2002-Aug-14 14:37 UTC
[Shorewall-users] please help: chain forward not working in 1.3.6?
Hi,

i used to work with an older shorewall version and finally went up to update to the fresh 1.3.6 version. i did a clean deinstall and a clean reinstall of the rpm package on a redhat system. i have a valid iptables package.

something went wrong with the forwarding queue. I removed all my rules and started up from scratch to identify the problem. now i have a minimal setup:

--- hosts ---
#ZONE HOST(S) OPTIONS
loc eth1:192.168.38.0/24
bic eth1:192.168.3.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

--- interfaces ---
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect noping,norfc1918
loc eth1 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

--- policy ---
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc all ACCEPT
fw all ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

so basically my lan is 192.168.38.x, eth0 is my wan interface and eth1 is my lan segment. i have a router that goes from 192.168.38.1 to the 192.168.3.x segment (the "bic" zone). everything works fine from the lan to net, fw to net, even pinging the bic segment from the firewall is fine. but i have problems going from lan to the bic segment. i get:

Aug 14 15:53:35 xxx kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.38.6 DST=192.168.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=38710 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=33792

so i (192.168.38.6) am trying to reach the bic segment (192.168.3.1), which i should be able to reach via a route on my firewall (which acts as default gateway), but get denied in the forward queue.

--- the input chain ---
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target   prot opt in   out  source      destination
    0     0 ACCEPT   all  --  lo   *    0.0.0.0/0   0.0.0.0/0
    0     0 eth0_in  all  --  eth0 *    0.0.0.0/0   0.0.0.0/0
    9   596 eth1_in  all  --  eth1 *    0.0.0.0/0   0.0.0.0/0
    0     0 common   all  --  *    *    0.0.0.0/0   0.0.0.0/0
    0     0 LOG      all  --  *    *    0.0.0.0/0   0.0.0.0/0   limit: avg 10/sec burst 5 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
    0     0 reject   all  --  *    *    0.0.0.0/0   0.0.0.0/0

--- the forward chain ---
Chain FORWARD (policy DROP 2 packets, 149 bytes)
 pkts bytes target   prot opt in   out  source      destination
    0     0 eth0_fwd all  --  eth0 *    0.0.0.0/0   0.0.0.0/0
    0     0 eth1_fwd all  --  eth1 *    0.0.0.0/0   0.0.0.0/0
    0     0 common   all  --  *    *    0.0.0.0/0   0.0.0.0/0
    0     0 LOG      all  --  *    *    0.0.0.0/0   0.0.0.0/0   limit: avg 10/sec burst 5 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
    0     0 reject   all  --  *    *    0.0.0.0/0   0.0.0.0/0

--- the eth1_fwd chain ---
Chain eth1_fwd (1 references)
 pkts bytes target   prot opt in   out  source            destination
    0     0 dynamic  all  --  *    *    0.0.0.0/0         0.0.0.0/0
    0     0 loc2all  all  --  *    eth0 192.168.38.0/24   0.0.0.0/0
    0     0 loc2all  all  --  *    eth0 0.0.0.0/0         0.0.0.0/0
    0     0 all2all  all  --  *    eth0 192.168.3.0/24    0.0.0.0/0

--- what happens when i start shorewall ---
Restarting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc bic
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:192.168.38.0/24 eth1:0.0.0.0/0
Bic Zone: eth1:192.168.3.0/24
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Enabling RFC1918 Filtering
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
[...rules omitted...]
Adding rules for DHCP
Setting up ICMP Echo handling...
Processing /etc/shorewall/policy...
Policy DROP for net to fw using chain net2all
Policy ACCEPT for loc to loc using chain loc2all
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.38.0/24 through eth0
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Activating Rules...
Shorewall Restarted
----------------------------------------------------------

What is going wrong here? Anybody a hint?

thanks, regards
christoph
Tom Eastep
2002-Aug-14 15:15 UTC
[Shorewall-users] please help: chain forward not working in 1.3.6?
On Wed, 14 Aug 2002, Christoph Moar wrote:

> Hi,
> i used to work with an older shorewall version and finally
> went up to update to the fresh 1.3.6 version.
> i did a clean deinstall and a clean reinstall of the rpm
> package on a redhat system. i have a valid iptables package.
>
> something went wrong with the forwarding queue. I removed
> all my rules and started up from scratch to identify the problem.
> now i have a minimal setup:
>
> --- hosts ---
> #ZONE HOST(S) OPTIONS
> loc eth1:192.168.38.0/24
> bic eth1:192.168.3.0/24
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
>
> --- interfaces ---
> #ZONE INTERFACE BROADCAST OPTIONS
> net eth0 detect noping,norfc1918
> loc eth1 detect

The above should be:

- eth1 192.168.38.255,192.168.3.255 multi

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
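As an added example, not code from either post and not part of Shorewall itself: a small Python check for the two things in this thread that are worth automating. It parses interfaces and hosts files in the whitespace-separated layout quoted above and reports any interface that carries more than one zone without the "multi" option Tom points at, and it parses a kernel line of the form Shorewall:CHAIN:DISPOSITION:... to spot the IN=eth1 OUT=eth1 hairpin that was the symptom. The file contents and the log line are constructed from the thread; the column positions and the meaning of "multi" (same-interface forwarding between several zones) are assumed from the configuration quoted here, not taken from Shorewall's own parser.

```python
"""Checks for one interface hosting several Shorewall zones (eth1 = loc + bic).

Added example, not Shorewall project code.  Column layout of the config
files and the 'multi' semantics are assumed from the thread's quoted files.
"""
import re

# Constructed samples reproducing the thread's configuration.
INTERFACES_BROKEN = """\
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect noping,norfc1918
loc eth1 detect
"""

INTERFACES_FIXED = """\
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect noping,norfc1918
- eth1 192.168.38.255,192.168.3.255 multi
"""

HOSTS = """\
#ZONE HOST(S) OPTIONS
loc eth1:192.168.38.0/24
bic eth1:192.168.3.0/24
"""

# Constructed from the kernel line quoted in the first post.
LOG_LINE = ("Aug 14 15:53:35 xxx kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 "
            "SRC=192.168.38.6 DST=192.168.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 "
            "ID=38710 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=33792")


def parse_table(text):
    """Split a whitespace-separated config file into rows, dropping blank
    lines and '#' comments (including the LAST LINE marker)."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def check_multi_zone_interfaces(interfaces_text, hosts_text):
    """Return interfaces that carry more than one zone (the zone column of
    the interfaces file plus every hosts entry naming that interface) but
    are not declared with the 'multi' option.  A '-' zone adds no zone."""
    info = {}
    for row in parse_table(interfaces_text):
        zone, iface = row[0], row[1]
        options = set(row[3].split(",")) if len(row) > 3 else set()
        zones = set() if zone == "-" else {zone}
        info[iface] = {"zones": zones, "options": options}
    for row in parse_table(hosts_text):
        zone, hostspec = row[0], row[1]
        iface = hostspec.split(":", 1)[0]        # "eth1:192.168.3.0/24" -> "eth1"
        entry = info.setdefault(iface, {"zones": set(), "options": set()})
        entry["zones"].add(zone)
    return sorted(iface for iface, e in info.items()
                  if len(e["zones"]) > 1 and "multi" not in e["options"])


def parse_shorewall_log(line):
    """Parse 'Shorewall:CHAIN:DISPOSITION:KEY=VALUE ...' into a dict, or
    return None for unrelated lines.  The first ID= (IP header id) is kept;
    the later ICMP ID= does not overwrite it."""
    m = re.search(r"Shorewall:(\w+):(\w+):(.*)$", line)
    if not m:
        return None
    chain, disposition, rest = m.groups()
    fields = {"chain": chain, "disposition": disposition}
    for key, value in re.findall(r"(\w+)=(\S*)", rest):
        fields.setdefault(key, value)
    return fields


def is_hairpin_forward(entry):
    """True when a FORWARD-chain packet entered and would leave on the same
    interface: the signature of one interface hosting several zones."""
    return bool(entry and entry["chain"] == "FORWARD"
                and entry.get("IN") and entry["IN"] == entry.get("OUT"))


if __name__ == "__main__":
    print("broken config:", check_multi_zone_interfaces(INTERFACES_BROKEN, HOSTS))
    print("fixed config: ", check_multi_zone_interfaces(INTERFACES_FIXED, HOSTS))
    e = parse_shorewall_log(LOG_LINE)
    print("hairpin:", is_hairpin_forward(e), e["SRC"], "->", e["DST"], "on", e["IN"])
```

Run against the broken interfaces file it names eth1; with Tom's replacement line it reports nothing, and the log parser shows why the first post's packet never matched any eth1_fwd rule (every rule there is for out eth0).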
Christoph Moar
2002-Aug-16 07:15 UTC
[Shorewall-users] please help: chain forward not working in 1.3.6?
At 14.08.2002 08:15, Tom Eastep wrote:

>The above should be:
>
>- eth1 192.168.38.255,192.168.3.255 multi
>
>-Tom

thanks tom, that was it!
sorry - looks like this could have been a rtfm issue ;)

regards
christoph