thr3ads.net - Shorewall users - [Shorewall-users] Shorewall with ProxyARP [Feb 2003]

If this information is useful, please help other people find it:
Share via:

sivamurugu

2003-Feb-22 22:42 UTC

[Shorewall-users] Shorewall with ProxyARP

Hi,

    Thanks for your reply . I am attaching the files needed by you 
herewith.   The NAT device is called Pronto gateway which has two 
interfaces , namely eth0 and eth1. ''eth0'' has an ip address of
203.124.152.66 and eth1 has an ip address of 192.168.1.3 . All the 
client PCs are in 192.168.1.0 network [behind the NAT, the Pronto 
gateway] and use 192.168.1.3 as the default gateway. Till now This 
Pronto gateway is doing the NAT for internet connection for the 
intranet. Now, once I use shorewall with ProxyARP, the client PCs behind 
the NAT device [pronto gateway] are not able to browse internet and use 
ftp.

                               The shorewall,in our setup, has two 
interfaces namely eth0 and eth1. eth0 is defined as net zone and eth1 is 
defined as dmz zone. the eth0 has an address of 203.124.152.74 and the 
eth1 interface has an address of 192.168.1.100[ arbitrary address for 
ProxyARP].  The shorewall is the only system connected between the ISP 
connection box[Alvarion] and the D-link switch .All the servers and IP 
phones [VOIP] including the NAT device[pronto gateway] are connected to 
eth1 interface of shorewall through the D-link switch forming the
''dmz''
zone.

Problem No 1

The VOIP phones are not communicating . These phones have to cross the 
firewall , connect to VOIP BOX in internet with IP of  216.200.134.135 
and the connect to other VOIP phoes. We have two ip phones with 
203.124.152.69 and 203.124.152.73 addresses. Eventhough they are in our 
premises , the y still have to cross internet to communicate each other.

Problem No 2

The Client PCs using the NAT device as their default gateway are not 
able to connect to ISP''s DNS and resolve internet names and browse. The
packets do not seem to go beyond the firewall. The shorewall just 
accepts those and do nothing further. This is checked using "tail -vf 
/var/log/messages '' command.


Please reply with a solution.


Policy

###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
dmz             net             ACCEPT          info
fw              net             ACCEPT          info
net             all             DROP            info
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


Rules


##############################################################################
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL
#                                               PORT    PORT(S)    DEST

ACCEPT   net      dmz:203.124.152.67     tcp    80      -

ACCEPT   net      dmz:203.124.152.68     tcp    80      -

ACCEPT   net      dmz:203.124.152.67     tcp    443     -

ACCEPT   net      dmz:203.124.152.67     tcp    8001    -

ACCEPT   net      dmz:203.124.152.67     tcp    8002    -

ACCEPT   net      dmz:203.124.152.67     tcp    22      -

ACCEPT   net      dmz                    icmp  echo-request

ACCEPT   dmz      fw                     icmp  echo-request

ACCEPT   net:216.200.134.135    dmz:203.124.152.69      related

ACCEPT   net:216.200.134.135    dmz:203.124.152.73      related












[root@localhost root]# shorewall version
1.3.14
[root@localhost root]# ip route shaow
Command "shaow" is unknown, try "ip route help".
[root@localhost root]# ip route show
203.124.152.72 dev eth1  scope link
203.124.152.73 dev eth1  scope link
203.124.152.68 dev eth1  scope link
203.124.152.69 dev eth1  scope link
203.124.152.70 dev eth1  scope link
203.124.152.71 dev eth1  scope link
203.124.152.66 dev eth1  scope link
203.124.152.67 dev eth1  scope link
203.124.152.64/28 dev eth0  scope link
192.168.1.0/24 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 203.124.152.65 dev eth0
[root@localhost root]#


Interfaces


##############################################################################
#ZONE    INTERFACE      BROADCAST       OPTIONS

net     eth0            203.124.152.79

dmz     eth1            192.168.1.255




root@localhost root]# uname -a
Linux localhost.localdomain 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 
i686 i686 i386 GNU/Linux
[root@localhost root]#
[root@localhost root]#
[root@localhost root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:4f:4d:fd:a4 brd ff:ff:ff:ff:ff:ff
    inet 203.124.152.74/28 brd 203.124.152.79 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0b:2b:01:87:d4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.100/24 brd 192.168.1.255 scope global eth1
[root@localhost root]#
[root@localhost root]#
[root@localhost root]#
[root@localhost root]# lsmod
Module                  Size  Used by    Not tainted
soundcore               6532   0  (autoclean)
autofs                 13348   0  (autoclean) (unused)
ipt_TOS                 1656  12  (autoclean)
ipt_LOG                 4184   7  (autoclean)
ipt_REJECT              3736   4  (autoclean)
ipt_state               1048  21  (autoclean)
iptable_mangle          2776   1  (autoclean)
ip_nat_irc              3504   0  (unused)
ip_nat_ftp              4240   0  (unused)
iptable_nat            19960   2  [ip_nat_irc ip_nat_ftp]
ip_conntrack_irc        3520   0  (unused)
ip_conntrack_ftp        5088   0  (unused)
ip_conntrack           21244   4  [ipt_state ip_nat_irc ip_nat_ftp 
iptable_nat ip_conntrack_irc ip_conntrack_ftp]
8139too                17704   1
mii                     2156   0  [8139too]
3c59x                  30640   1
iptable_filter          2412   1  (autoclean)
ip_tables              14936   9  [ipt_TOS ipt_LOG ipt_REJECT ipt_state 
iptable_mangle iptable_nat iptable_filter]
mousedev                5524   1
keybdev                 2976   0  (unused)
hid                    22244   0  (unused)
input                   5888   0  [mousedev keybdev hid]
usb-uhci               26188   0  (unused)
usbcore                77024   1  [hid usb-uhci]
ext3                   70368   4
jbd                    52212   4  [ext3]
[root@localhost root]#



-------------- next part --------------
[H[2JShorewall-1.3.14 Status at localhost.localdomain - Sun Feb 23 12:09:07 IST
2003

Counters reset Sun Feb 23 12:04:33 IST 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   11  1181 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  414 26802 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    3   168 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
   11  1181 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    7   697 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:445 reject-with icmp-port-unreachable
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:1900
    4   484 DROP       all  --  *      *       0.0.0.0/0           
255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:113
    0     0 DROP       all  --  *      *       0.0.0.0/0           
203.124.152.79
    0     0 DROP       all  --  *      *       0.0.0.0/0           
192.168.1.255

Chain dmz2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
   11  1181 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dmz2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    1    40 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
  413 26762 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:dmz2net:ACCEPT:''
  413 26762 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2dmz    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
  414 26802 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
  414 26802 dmz2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   11  1181 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   11  1181 dmz2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:fw2net:ACCEPT:''
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
203.124.152.67     state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
203.124.152.68     state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
203.124.152.67     state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
203.124.152.67     state NEW tcp dpt:8001
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
203.124.152.67     state NEW tcp dpt:8002
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
203.124.152.67     state NEW tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 ACCEPT     all  --  *      *       216.200.134.135     
203.124.152.69     state RELATED
    0     0 ACCEPT     all  --  *      *       216.200.134.135     
203.124.152.73     state RELATED
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain newnotsyn (6 references)
 pkts bytes target     prot opt in     out     source               destination
    1    40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-port-unreachable

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Tom Eastep

2003-Feb-23 06:38 UTC

head link

[Shorewall-users] Shorewall with ProxyARP

--On Sunday, February 23, 2003 12:16:27 PM +0530 sivamurugu 
<sivamurugu@indscape.com> wrote:
> Hi,
>
>     Thanks for your reply . I am attaching the files needed by you
> herewith.   The NAT device is called Pronto gateway which has two
> interfaces , namely eth0 and eth1. ''eth0'' has an ip
address of
> 203.124.152.66 and eth1 has an ip address of 192.168.1.3 . All the client
> PCs are in 192.168.1.0 network [behind the NAT, the Pronto gateway] and
> use 192.168.1.3 as the default gateway. Till now This Pronto gateway is
> doing the NAT for internet connection for the intranet. Now, once I use
> shorewall with ProxyARP, the client PCs behind the NAT device [pronto
> gateway] are not able to browse internet and use ftp.
>
>                                The shorewall,in our setup, has two
> interfaces namely eth0 and eth1. eth0 is defined as net zone and eth1 is
> defined as dmz zone. the eth0 has an address of 203.124.152.74 and the
> eth1 interface has an address of 192.168.1.100[ arbitrary address for
> ProxyARP].  The shorewall is the only system connected between the ISP
> connection box[Alvarion] and the D-link switch .All the servers and IP
> phones [VOIP] including the NAT device[pronto gateway] are connected to
> eth1 interface of shorewall through the D-link switch forming the
''dmz''
> zone.
>
> Problem No 1
>
> The VOIP phones are not communicating . These phones have to cross the
> firewall , connect to VOIP BOX in internet with IP of  216.200.134.135
> and the connect to other VOIP phoes. We have two ip phones with
> 203.124.152.69 and 203.124.152.73 addresses. Eventhough they are in our
> premises , the y still have to cross internet to communicate each other.
>
> Problem No 2
>
> The Client PCs using the NAT device as their default gateway are not able
> to connect to ISP''s DNS and resolve internet names and browse. The
> packets do not seem to go beyond the firewall. The shorewall just accepts
> those and do nothing further. This is checked using "tail -vf
> /var/log/messages '' command.
>
>
> Please reply with a solution.
>
>
1) I asked you to send me the output of "Shorewall status" after you
did a
"shorewall reset" and tried to connect and you didn''t do
that.

2) I also asked you to explain the ''related'' rules in your
rules file and
you didn''t do that.

3) You sent me the same documentation that I already had.

4) Have you confirmed that the upstream router (probably at your ISP) has 
the correct MAC address for 203.124.142.[69,73,74] in its cache as 
described at http://www.shorewall.net/ProxyARP.htm? Please read that page 
carefully starting with the paragraph "A word of warning is in order 
here....". Connection problems lasting several hours are typical after you 
have moved hosts behind a Shorewall gateway using static NAT or Proxy ARP.

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

Tom Eastep

2003-Feb-23 07:16 UTC

head link

[Shorewall-users] Shorewall with ProxyARP

--On Sunday, February 23, 2003 08:27:55 PM +0530 Sivamurugu 
<sivamurugu@indscape.com> wrote:
> Hi,
>
>  I remember I had sent you the attachment called status.txt. That was
> after running the reset command.
Oops -- my bad. I found it but it is incomplete. There is no NAT, MANGLE, 
Log or connection tracking information included.

Do all of the following commands produce no output:

a) shorewall show nat
b) shorewall show mangle
c) shorewall show log
d) shorewall show connections

All of that information should have been in the status output and
wasn''t.
>From what I can see from what you are showing me, there are NO replies from the net. In fact, not ONE SINGLE PACKET was received on eth0. This is 
consistent with an upstream ARP cache problem OR bad source addresses in 
the packets. tcpdump or ethereal running against eth0 on the firewall would 
allow you to see that (and would also allow you to see MAC problems if you 
use the "-e" option as described on the Proxy ARP page).

Also, I presume that eth0 and eth1 aren''t connected to the same switch.
>
> 1) The related entries are put just because the "all" entries
didnot work
>
Well, the ''related'' entries don''t do anything either
because you have
ALLOWRELATED=Yes in shorewall.conf which means that there is already a 
RELATED rule at the beginning of the net2dmz chain.

> 2) I am able to connect to net from all the dmz zone servers. The problem
> is only that the client PCs, connected to the Custom NAT device [pronto
> gateway], which is also in dmz, are not able to connect to internet ,
> meaning that they are not able to access our ISP''s DNS
[203.124.140.19]
> for name resolution. So the the problems due to incorrect MAC cache at
> ISP side router is not there right??
Do you mean that you can ping your ISP''s router from the custom NAT
device.
If so, can you ping your ISP''s router by ip address from the client
PC''s?
>
> 3) Do I have to add rules in rules file  individually for all dmz systems
> even though I had added "ACCEPT entries for dmz to net "?
>
No. the ACCEPT policy is enough.

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

Tom Eastep

2003-Feb-23 07:22 UTC

head link

[Shorewall-users] Shorewall with ProxyARP

--On Sunday, February 23, 2003 07:16:37 AM -0800 Tom Eastep 
<teastep@shorewall.net> wrote:
> This is
> consistent with an upstream ARP cache problem OR bad source addresses in
> the packets.
By that I mean "in the outgoing packets" of course.

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

Tom Eastep

2003-Feb-24 19:38 UTC

head link

[Shorewall-users] Shorewall with ProxyARP

--On Tuesday, February 25, 2003 09:08:54 AM +0530 Sivamurugu 
<sivamurugu@indscape.com> wrote:
> Hi,
>
> Here you have
>
>
> 1)I have done the ping test from the firewall system iteslf.
Which is absolutely pointless. You need to test from the NAT box or from a 
system behind the NAT box.>
>
> 2) The NAT box just simply doing the NATting and nothing else.
>
>
> 3) No dyanmic routing protocols are used .
>
Until you do a ''ping'' test from behind the NAT box, we
won''t know what is
really happening.

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

Maybe Matching Threads

Search for more seemingly similar threads

Shorewall users - Feb 2003 - Shorewall with ProxyARP

[Shorewall-users] Shorewall with ProxyARP

[Shorewall-users] Shorewall with ProxyARP

[Shorewall-users] Shorewall with ProxyARP

[Shorewall-users] Shorewall with ProxyARP

[Shorewall-users] Shorewall with ProxyARP

Maybe Matching Threads