thr3ads.net - Shorewall users - [Shorewall-users] Masquerading Problem [Mar 2003]

If this information is useful, please help other people find it:
Share via:

David Usher

2003-Mar-17 02:24 UTC

[Shorewall-users] Masquerading Problem

Shorewall version: 1.3.14a
Linux Redhat 7.2 Kernal: 2.4.7-10


I have an ADSL connection and a static internet IP (81.6.x.x).
My ADSL router assigns my firewall a dynamic IP (192.168.0.2) = eth0
And the internal NIC on my firewall is set statically to 10.10.10.254 = eth1
My setup is essentially the same as the two interfaces example on the shorewall
site.
http://www.shorewall.net/two-interface.htm

Configuring rules on the firewall enables or disables services (e.g. ssh) from
the firewall, but as soon as I try to use a service (e.g. ssh) from an internal
computer connected through a network switch via eth1 the masquerading does not
seem to work.
I am not receiving any messages in /var/log/messages.
It seems as though shorewall cannot route packets from 10.10.10.x to 192.168.0.2

I also set up an DNS (BIND) server on the firewall which works ok and I can look
up addresses (internal and external) from the internal machine. (default gateway
is 10.10.10.254).
The firewall is also running an ssh server and I can connect to this also from
the internal computers.

Any help will be appreciated.

Regards,

David Usher

Richard

2003-Mar-17 06:52 UTC

head link

[Shorewall-users] Masquerading Problem

On Monday 17 March 2003 4:20 am, David Usher wrote:> Shorewall version: 1.3.14a
> Linux Redhat 7.2 Kernal: 2.4.7-10
> 
> 
> I have an ADSL connection and a static internet IP (81.6.x.x).
> My ADSL router assigns my firewall a dynamic IP (192.168.0.2) = eth0
> And the internal NIC on my firewall is set statically to 10.10.10.254 =
eth1
> My setup is essentially the same as the two interfaces example on the 
shorewall site.> http://www.shorewall.net/two-interface.htm
> 
> Configuring rules on the firewall enables or disables services (e.g. ssh) from the firewall, but as soon as I try to use a service (e.g. ssh) from an 
internal computer connected through a network switch via eth1 the 
masquerading does not seem to work.> I am not receiving any messages in /var/log/messages.
> It seems as though shorewall cannot route packets from 10.10.10.x to 
192.168.0.2> 
> I also set up an DNS (BIND) server on the firewall which works ok and I canlook up addresses (internal and external) from the internal machine. (default 
gateway is 10.10.10.254).> The firewall is also running an ssh server and I can connect to this also from the internal computers.
David, Have you setup a DNS on your subnet machines?  Dont know how RH does it 
as I use SuSE and that is a common omission.
Richard

Tom Eastep

2003-Mar-17 15:13 UTC

head link

[Shorewall-users] Masquerading Problem

--On Monday, March 17, 2003 10:20:48 AM +0000 David Usher 
<d.usher@btopenworld.com> wrote:
>
> I also set up an DNS (BIND) server on the firewall which works ok and I
> can look up addresses (internal and external) from the internal machine.
> (default gateway is 10.10.10.254). The firewall is also running an ssh
> server and I can connect to this also from the internal computers.
>
Please reread http://www.shorewall.net/support.htm for a description of the 
information we need when troubleshooting these sorts of connection problems.

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

David Usher

2003-Mar-20 00:46 UTC

head link

[Shorewall-users] Masquerading Problem

Here is all of the data required regarding my setup:

Shorewall version: 1.3.14a
uname -a: Linux fw1 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown
ip addr show:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:4f:a9:85:1f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.6/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:e3:12:01:72 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.254/24 brd 10.10.10.255 scope global eth1

ip route show
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.6
10.10.10.0/24 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 192.168.0.1 dev eth0

lsmod - kernal is not modularized


Thanks,
Dave


----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "David Usher" <d.usher@btopenworld.com>;
<shorewall-users@lists.shorewall.net>
Sent: Monday, March 17, 2003 11:13 PM
Subject: Re: [Shorewall-users] Masquerading Problem

>
>
> --On Monday, March 17, 2003 10:20:48 AM +0000 David Usher
> <d.usher@btopenworld.com> wrote:
>
> >
> > I also set up an DNS (BIND) server on the firewall which works ok and
I
> > can look up addresses (internal and external) from the internal
machine.
> > (default gateway is 10.10.10.254). The firewall is also running an ssh
> > server and I can connect to this also from the internal computers.
> >
>
> Please reread http://www.shorewall.net/support.htm for a description of
the> information we need when troubleshooting these sorts of connection
problems.>
> -Tom
> --
> Tom Eastep   \ Shorewall - iptables made easy
> Shoreline,    \ http://www.shorewall.net
> Washington USA \ teastep@shorewall.net
>

Tom Eastep

2003-Mar-20 06:22 UTC

head link

[Shorewall-users] Masquerading Problem

On Thu, 20 Mar 2003, David Usher wrote:
> Here is all of the data required regarding my setup:
> 
> Shorewall version: 1.3.14a
> uname -a: Linux fw1 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown
> ip addr show:
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:c0:4f:a9:85:1f brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.6/24 brd 192.168.0.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:02:e3:12:01:72 brd ff:ff:ff:ff:ff:ff
>     inet 10.10.10.254/24 brd 10.10.10.255 scope global eth1
> 
> ip route show
> 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.6
> 10.10.10.0/24 dev eth1  scope link
> 127.0.0.0/8 dev lo  scope link
> default via 192.168.0.1 dev eth0
> 
> lsmod - kernal is not modularized
> 
Since you are having a connection problem, we also need the output 
of "shorewall status" captured as described in the support guide.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net

David Usher

2003-Mar-20 07:01 UTC

head link

[Shorewall-users] Masquerading Problem

Apologies here is the output from ''Shorewall status'' and
shorewall how log
(as attachments)

Regards,

David Usher



----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "David Usher" <d.usher@btopenworld.com>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Thursday, March 20, 2003 2:22 PM
Subject: Re: [Shorewall-users] Masquerading Problem

> On Thu, 20 Mar 2003, David Usher wrote:
>
> > Here is all of the data required regarding my setup:
> >
> > Shorewall version: 1.3.14a
> > uname -a: Linux fw1 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686
unknown
> > ip addr show:
> > 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> > 2: eth0: <BROADCAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast
qlen 100
> >     link/ether 00:c0:4f:a9:85:1f brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.0.6/24 brd 192.168.0.255 scope global eth0
> > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen
100
> >     link/ether 00:02:e3:12:01:72 brd ff:ff:ff:ff:ff:ff
> >     inet 10.10.10.254/24 brd 10.10.10.255 scope global eth1
> >
> > ip route show
> > 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.6
> > 10.10.10.0/24 dev eth1  scope link
> > 127.0.0.0/8 dev lo  scope link
> > default via 192.168.0.1 dev eth0
> >
> > lsmod - kernal is not modularized
> >
>
> Since you are having a connection problem, we also need the output
> of "shorewall status" captured as described in the support guide.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.sf.net
> Washington USA  \ teastep@shorewall.net
>-------------- next part --------------
Shorewall-1.3.14a Log at fw1 - Thu Mar 20 07:04:58 GMT 2003

Counters reset Wed Mar 19 20:14:42 GMT 2003

Mar 16 17:39:01 all2all:REJECT:IN=eth1 OUT= SRC=10.10.10.2 DST=10.10.10.254
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=128 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=1280
Mar 16 18:30:33 net2all:DROP:IN=eth0 OUT= SRC=10.10.10.2 DST=10.10.10.254 LEN=60
TOS=0x00 PREC=0x00 TTL=128 ID=744 PROTO=UDP SPT=1115 DPT=53 LEN=40
Mar 16 18:30:34 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.2 DST=195.112.4.7
LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=748 PROTO=UDP SPT=1115 DPT=53 LEN=40
Mar 16 18:30:36 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.2 DST=195.112.4.7
LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=753 PROTO=UDP SPT=1115 DPT=53 LEN=40
Mar 16 18:30:38 net2all:DROP:IN=eth0 OUT= SRC=10.10.10.2 DST=10.10.10.254 LEN=60
TOS=0x00 PREC=0x00 TTL=128 ID=757 PROTO=UDP SPT=1115 DPT=53 LEN=40
Mar 16 18:30:38 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.2 DST=195.112.4.7
LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=758 PROTO=UDP SPT=1115 DPT=53 LEN=40
Mar 16 18:30:42 net2all:DROP:IN=eth0 OUT= SRC=10.10.10.2 DST=10.10.10.254 LEN=60
TOS=0x00 PREC=0x00 TTL=128 ID=762 PROTO=UDP SPT=1115 DPT=53 LEN=40
Mar 16 18:30:42 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.2 DST=195.112.4.7
LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=763 PROTO=UDP SPT=1115 DPT=53 LEN=40
Mar 16 18:30:50 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.2 DST=195.112.4.7
LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=773 PROTO=UDP SPT=1116 DPT=53 LEN=48
Mar 16 18:30:51 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.2 DST=195.112.4.7
LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=775 PROTO=UDP SPT=1116 DPT=53 LEN=48
Mar 16 18:30:52 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.2 DST=195.112.4.7
LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=777 PROTO=UDP SPT=1116 DPT=53 LEN=48
Mar 19 19:27:22 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.1 DST=192.168.0.1
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=8196 SEQ=0
Mar 19 19:27:23 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.1 DST=192.168.0.1
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=8196
SEQ=256
Mar 19 19:27:24 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.1 DST=192.168.0.1
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=8196
SEQ=512
Mar 19 19:27:25 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.1 DST=192.168.0.1
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=8196
SEQ=768
Mar 19 19:27:26 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.1 DST=192.168.0.1
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=8196
SEQ=1024
Mar 19 19:27:27 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.1 DST=192.168.0.1
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=8196
SEQ=1280
Mar 19 19:27:30 net2all:DROP:IN=eth0 OUT= SRC=10.10.10.1 DST=10.10.10.254 LEN=71
TOS=0x00 PREC=0x00 TTL=64 ID=14148 DF PROTO=UDP SPT=1025 DPT=53 LEN=51
Mar 19 19:27:35 net2all:DROP:IN=eth0 OUT= SRC=10.10.10.1 DST=10.10.10.254 LEN=71
TOS=0x00 PREC=0x00 TTL=64 ID=14149 DF PROTO=UDP SPT=1025 DPT=53 LEN=51
Mar 19 19:27:37 net2all:DROP:IN=eth0 OUT= SRC=10.10.10.1 DST=10.10.10.254 LEN=71
TOS=0x00 PREC=0x00 TTL=64 ID=14815 DF PROTO=UDP SPT=1025 DPT=53 LEN=51
-------------- next part --------------
[H[2JShorewall-1.3.14a Status at fw1 - Thu Mar 20 07:04:14 GMT 2003

Counters reset Wed Mar 19 20:14:42 GMT 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  124  8048 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  207  124K eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  124  8048 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  136 11538 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
   85 11390 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:445 reject-with icmp-port-unreachable
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0           
255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:53 state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0           
192.168.0.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.10.10.255

Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
  207  124K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
  207  124K net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
  122 10764 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    4   208 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:53
    5   266 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    5   300 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:21
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:53
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
   85 11390 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  122  113K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
   85 11390 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain newnotsyn (7 references)
 pkts bytes target     prot opt in     out     source               destination
    4   208 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-port-unreachable

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Mar 16 17:39:01 all2all:REJECT:IN=eth1 OUT= SRC=10.10.10.2 DST=10.10.10.254
LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=128 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=1280
Mar 16 18:30:33 net2all:DROP:IN=eth0 OUT= SRC=10.10.10.2 DST=10.10.10.254 LEN=60
TOS=0x00 PREC=0x00 TTL=128 ID=744 PROTO=UDP SPT=1115 DPT=53 LEN=40
Mar 16 18:30:34 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.2 DST=195.112.4.7
LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=748 PROTO=UDP SPT=1115 DPT=53 LEN=40
Mar 16 18:30:36 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.2 DST=195.112.4.7
LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=753 PROTO=UDP SPT=1115 DPT=53 LEN=40
Mar 16 18:30:38 net2all:DROP:IN=eth0 OUT= SRC=10.10.10.2 DST=10.10.10.254 LEN=60
TOS=0x00 PREC=0x00 TTL=128 ID=757 PROTO=UDP SPT=1115 DPT=53 LEN=40
Mar 16 18:30:38 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.2 DST=195.112.4.7
LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=758 PROTO=UDP SPT=1115 DPT=53 LEN=40
Mar 16 18:30:42 net2all:DROP:IN=eth0 OUT= SRC=10.10.10.2 DST=10.10.10.254 LEN=60
TOS=0x00 PREC=0x00 TTL=128 ID=762 PROTO=UDP SPT=1115 DPT=53 LEN=40
Mar 16 18:30:42 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.2 DST=195.112.4.7
LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=763 PROTO=UDP SPT=1115 DPT=53 LEN=40
Mar 16 18:30:50 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.2 DST=195.112.4.7
LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=773 PROTO=UDP SPT=1116 DPT=53 LEN=48
Mar 16 18:30:51 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.2 DST=195.112.4.7
LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=775 PROTO=UDP SPT=1116 DPT=53 LEN=48
Mar 16 18:30:52 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.2 DST=195.112.4.7
LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=777 PROTO=UDP SPT=1116 DPT=53 LEN=48
Mar 19 19:27:22 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.1 DST=192.168.0.1
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=8196 SEQ=0
Mar 19 19:27:23 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.1 DST=192.168.0.1
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=8196
SEQ=256
Mar 19 19:27:24 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.1 DST=192.168.0.1
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=8196
SEQ=512
Mar 19 19:27:25 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.1 DST=192.168.0.1
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=8196
SEQ=768
Mar 19 19:27:26 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.1 DST=192.168.0.1
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=8196
SEQ=1024
Mar 19 19:27:27 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.1 DST=192.168.0.1
LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=8196
SEQ=1280
Mar 19 19:27:30 net2all:DROP:IN=eth0 OUT= SRC=10.10.10.1 DST=10.10.10.254 LEN=71
TOS=0x00 PREC=0x00 TTL=64 ID=14148 DF PROTO=UDP SPT=1025 DPT=53 LEN=51
Mar 19 19:27:35 net2all:DROP:IN=eth0 OUT= SRC=10.10.10.1 DST=10.10.10.254 LEN=71
TOS=0x00 PREC=0x00 TTL=64 ID=14149 DF PROTO=UDP SPT=1025 DPT=53 LEN=51
Mar 19 19:27:37 net2all:DROP:IN=eth0 OUT= SRC=10.10.10.1 DST=10.10.10.254 LEN=71
TOS=0x00 PREC=0x00 TTL=64 ID=14815 DF PROTO=UDP SPT=1025 DPT=53 LEN=51

NAT Table

Chain PREROUTING (policy ACCEPT 85 packets, 11390 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 24 packets, 1428 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   566 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 28 packets, 1636 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       10.10.10.0/24        0.0.0.0/0   
to:81.6.251.233

Mangle Table

Chain PREROUTING (policy ACCEPT 331 packets, 132K bytes)
 pkts bytes target     prot opt in     out     source               destination
  331  132K pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 260 packets, 19586 bytes)
 pkts bytes target     prot opt in     out     source               destination
  260 19586 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

udp      17 145 src=192.168.0.6 dst=195.112.4.4 sport=32771 dport=53
src=195.112.4.4 dst=192.168.0.6 sport=53 dport=32771 [ASSURED] use=1

Tom Eastep

2003-Mar-20 07:18 UTC

head link

[Shorewall-users] Masquerading Problem

On Thu, 20 Mar 2003, David Usher wrote:
> Apologies here is the output from ''Shorewall status'' and
shorewall how log
> (as attachments)
> 
Do you have both interfaces on your firewall connected to the same 
switch/hub?

Look at this:

Mar 16 18:30:42 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.2 
DST=195.112.4.7 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=763 PROTO=UDP 
SPT=1115 DPT=53 LEN=40 

That''s a packet with SRC=10.10.10.2 entering your firewall on eth0!!

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net

David Usher

2003-Mar-20 07:45 UTC

head link

[Shorewall-users] Masquerading Problem

No,

Firewall:
eth0 is connected directly to the ADSL Router
eth1 is connected via a separate switch

The computer on 10.10.10.1 (eth0) is connected to the separate switch.

ADSL ROUTER
          |
          |
   FW - eth0
          |
   FW - eth1
          |
       --------------------------
       |                                     |
 10.10.10.1 (eth0)         A.n.other computer


I hope that diagram makes sense.

As for 10.10.10.2 I tried connecting that machine after my efforts with
10.10.10.1 failed . This was connected via a crossover cable, is is possible
I connected it vias eth0 on the firewall by mistake.

Regards,

Dave


----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "David Usher" <d.usher@btopenworld.com>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Thursday, March 20, 2003 3:18 PM
Subject: Re: [Shorewall-users] Masquerading Problem

> On Thu, 20 Mar 2003, David Usher wrote:
>
> > Apologies here is the output from ''Shorewall status''
and shorewall how
log> > (as attachments)
> >
>
> Do you have both interfaces on your firewall connected to the same
> switch/hub?
>
> Look at this:
>
> Mar 16 18:30:42 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.10.10.2
> DST=195.112.4.7 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=763 PROTO=UDP
> SPT=1115 DPT=53 LEN=40
>
> That''s a packet with SRC=10.10.10.2 entering your firewall on
eth0!!
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.sf.net
> Washington USA  \ teastep@shorewall.net
>

Tom Eastep

2003-Mar-20 08:58 UTC

head link

[Shorewall-users] Masquerading Problem

On Thu, 20 Mar 2003, David Usher wrote:
> No,
> 
> Firewall:
> eth0 is connected directly to the ADSL Router
> eth1 is connected via a separate switch
> 
> The computer on 10.10.10.1 (eth0) is connected to the separate switch.
> 
> ADSL ROUTER
>           |
>           |
>    FW - eth0
>           |
>    FW - eth1
>           |
>        --------------------------
>        |                                     |
>  10.10.10.1 (eth0)         A.n.other computer
> 
> 
> I hope that diagram makes sense.
> 
> As for 10.10.10.2 I tried connecting that machine after my efforts with
> 10.10.10.1 failed . This was connected via a crossover cable, is is
possible
> I connected it vias eth0 on the firewall by mistake.
> 
Ok -- so did you try to connect to the internet from 10.10.10.1 before 
capturing the "shorewall status"? Because if you did, your default
gateway
on 10.10.10.1 is wrong because NOT ONE SINGLE PACKET was received on eth1.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net

David Usher

2003-Mar-20 09:36 UTC

head link

[Shorewall-users] Masquerading Problem

Yes, I did try from 10.10.10.1 and I set the default gateway to
10.10.10.254.
I could see by issuing a ''route'' command.

I will have another attempt at getting it to work, and let you know the
outcome as something ''funny'' must be going on.

Regards,

David Usher



----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "David Usher" <d.usher@btopenworld.com>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Thursday, March 20, 2003 4:58 PM
Subject: Re: [Shorewall-users] Masquerading Problem

> On Thu, 20 Mar 2003, David Usher wrote:
>
> > No,
> >
> > Firewall:
> > eth0 is connected directly to the ADSL Router
> > eth1 is connected via a separate switch
> >
> > The computer on 10.10.10.1 (eth0) is connected to the separate switch.
> >
> > ADSL ROUTER
> >           |
> >           |
> >    FW - eth0
> >           |
> >    FW - eth1
> >           |
> >        --------------------------
> >        |                                     |
> >  10.10.10.1 (eth0)         A.n.other computer
> >
> >
> > I hope that diagram makes sense.
> >
> > As for 10.10.10.2 I tried connecting that machine after my efforts
with
> > 10.10.10.1 failed . This was connected via a crossover cable, is is
possible> > I connected it vias eth0 on the firewall by mistake.
> >
>
> Ok -- so did you try to connect to the internet from 10.10.10.1 before
> capturing the "shorewall status"? Because if you did, your
default gateway
> on 10.10.10.1 is wrong because NOT ONE SINGLE PACKET was received on eth1.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.sf.net
> Washington USA  \ teastep@shorewall.net
>

Shorewall users - Mar 2003 - Masquerading Problem

[Shorewall-users] Masquerading Problem

[Shorewall-users] Masquerading Problem

[Shorewall-users] Masquerading Problem

[Shorewall-users] Masquerading Problem

[Shorewall-users] Masquerading Problem

[Shorewall-users] Masquerading Problem

[Shorewall-users] Masquerading Problem

[Shorewall-users] Masquerading Problem

[Shorewall-users] Masquerading Problem

[Shorewall-users] Masquerading Problem