Hi, good day. I just installed the latest Shorewall and iptables. Both are working well, but my problem is on the setup side. I downloaded the two-interfaces setup and modified it because eth0 is my internal and eth1 is my external interface, and it works fine.

Here's the problem:

1] When I put a policy in to ACCEPT all traffic from eth0 and eth1, my workstations can browse and access the Internet when I use my Linux (Trustix) box with Shorewall as a gateway.

2] The PROBLEM is that when I remove the ACCEPT any any policy I get the following errors (Shorewall:FORWARD:REJECT). The only ruleset that is left is:

Loc Any <-- net ACCEPT
net Any DROP
Any Any Reject

That's the default rule set that is in the two-interface sample. If I replace REJECT any any with ACCEPT any any, interface browsing is OK, but when it goes back to ANY ANY REJECT the last part of the rule will DENY all Internet access. Please check out the following info. Any recommendation would be greatly appreciated. How can I work this out? How do I enable Internet sharing so that all my workstations can connect to the Internet?

Thanks!

Interfaces:
eth0 is my internal interface
eth1 is my external interface

Setup used:
I downloaded two-interface.tgz, then I followed the instructions to put it in /etc/shorewall

LOG in /var/log/messages:

Apr 30 18:15:46 sl-dev kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.200 DST=216.239.37.99 LEN=573 TOS=0x00 PREC=0x00 TTL=127 ID=4242 DF PROTO=TCP SPT=1201 DPT=80 WINDOW=63962 RES=0x00 ACK PSH URGP=0
Apr 30 18:15:46 sl-dev kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.200 DST=216.239.37.99 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4244 DF PROTO=TCP SPT=1205 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 30 18:15:46 sl-dev kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.200 DST=216.239.37.99 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4246 DF PROTO=TCP SPT=1205 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

root@sl-dev ~# shorewall version
1.4.1a

root@sl-dev ~# uname -a
Linux sl-dev 2.4.20 #2 SMP Wed Apr 30 08:38:50 PHT 2003 i686 unknown

root@sl-dev ~# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:30:4f:10:36:8a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::230:4fff:fe10:368a/10 scope link
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:00:1c:df:23:89 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::200:1cff:fedf:2389/10 scope link
4: tunl0@NONE: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

root@sl-dev ~# lsmod
Module                  Size  Used by
ipt_TOS                 1120  12 (autoclean)
ipt_MASQUERADE          2016   1 (autoclean)
ipt_state                656  30 (autoclean)
ip_nat_irc              3008   0 (unused)
ip_nat_ftp              3968   0 (unused)
iptable_nat            22176   3 [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack_irc        3488   1 [ip_nat_irc]
ip_conntrack_ftp        4416   1 [ip_nat_ftp]

Abraham
The log you have cited at the bottom indicates that the routing is messed up, i.e., that the firewall thinks that the default route is out eth0, which is your private interface in this case, when it should be eth1, as you have indicated. I would guess that you forgot to modify /etc/shorewall/masq to reflect your backwards interface names.

The default configuration as provided with the two-interface sample should work fine for your setup. This means that you should not mess with the policy file; if you have, revert to the version that came with the two-interface sample.

Since your eth0 is your local network (loc) and eth1 is the internet zone (net), you would only have to make the following changes to the default two-interface sample files with the Shorewall 1.4.2 distribution:

/etc/shorewall/interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      dhcp,routefilter,norfc1918
loc     eth0        detect

/etc/shorewall/masq:
#INTERFACE   SUBNET   ADDRESS
eth1         eth0

/etc/shorewall/routestopped:
#INTERFACE   HOST(S)
eth0         -

If you read the excellent documentation it will indicate the changes necessary ;)

Let me know if this helps,

Alex Martin
Rett Consulting
http://www.rettc.com

----- Original Message -----
From: "Abraham Lincoln" <sunninja@securitynerds.org>
To: <shorewall-users@lists.shorewall.net>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Wednesday, April 30, 2003 6:14 PM
Subject: [Shorewall-users] Internet Sharing Problem

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
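To put Alex's diagnosis into a repeatable check, here is an added example (not from the thread and not Shorewall's own code) that parses Shorewall kernel log lines like the ones Abraham posted and flags FORWARD entries logged with the same IN and OUT interface, the symptom of the default route pointing out the internal interface; it also checks that a masq file puts the external interface in the INTERFACE column and the internal one in SUBNET. The function names, the third sample log line and its 203.0.113.9 address are constructed for the example.

```python
import re

# Constructed sample: two of the REJECT lines from the post, plus one
# constructed DROP line on the external interface for contrast.
SAMPLE_LOG = """\
Apr 30 18:15:46 sl-dev kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.200 DST=216.239.37.99 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4244 DF PROTO=TCP SPT=1205 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 30 18:15:46 sl-dev kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.200 DST=216.239.37.99 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4246 DF PROTO=TCP SPT=1205 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 30 18:20:01 sl-dev kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=203.0.113.9 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Shorewall prefixes kernel log lines with "Shorewall:<chain>:<disposition>:";
# the rest are iptables KEY=VALUE fields (flag words like DF or SYN have no "=").
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")


def parse_line(line):
    """Return a dict of fields for one Shorewall log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disp": m.group("disp")}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def hairpin_forwards(log_text, loc_iface):
    """(SRC, DST) of FORWARD entries whose IN and OUT are both the internal interface.

    On a two-interface gateway that means the packet was routed straight back out
    the way it came, i.e. the default route is not on the net interface.
    """
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["chain"] == "FORWARD" and f.get("IN") == loc_iface == f.get("OUT"):
            hits.append((f["SRC"], f["DST"]))
    return hits


def masq_is_consistent(masq_text, net_iface, loc_iface):
    """True if a /etc/shorewall/masq line masquerades loc_iface out of net_iface.

    Columns are INTERFACE SUBNET [ADDRESS]; the swapped pair "eth0 eth1" fails.
    """
    for line in masq_text.splitlines():
        cols = line.split("#", 1)[0].split()
        if len(cols) >= 2 and cols[0] == net_iface and cols[1] == loc_iface:
            return True
    return False
```

Run against the real /var/log/messages and the real masq file, an empty hairpin list and a True masq check are what a correctly routed two-interface gateway should produce.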