Prabu Subroto
2003-May-23 20:20 UTC
[Shorewall-users] shorewall with TDSL/ADSL can not run.
Dear my friends....

I am using shorewall 1.3.10, SuSE Linux 8.2 and TDSL (German ADSL). I have a very small LAN at home (2 computers). The one running SuSE Linux 8.2 works as the internet gateway. I installed and configured BIND 9 and Squid, and they run properly.

Now the problem is when my shorewall is up. I configured my shorewall exactly the same as the "two-interfaces" example that I found and downloaded from "http://www.shorewall.net".

After my shorewall is up (command: "shorewall start") my internet connection is absolutely stuck. The error message was: "can not find host http://www.yahoo.com" when I tried to visit the yahoo site after my shorewall was up.

What's wrong? What should I do? Where is the mistake? Please tell me, my friends... Thank you very much.
Tom Eastep
2003-May-23 20:51 UTC
Fwd: [Shorewall-users] shorewall with TDSL/ADSL can not run.
------- Forwarded message -------
From: Prabu Subroto <prabu_subroto@yahoo.com>
To: shorewall-users@lists.shorewall.net
Subject: [Shorewall-users] shorewall with TDSL/ADSL can not run.
Date: Fri, 23 May 2003 20:20:12 -0700 (PDT)

> Dear my friends....
>
> I am using shorewall 1.3.10, SuSE Linux 8.2 and TDSL (German ADSL).
> I have a very small LAN at home (2 computers). The one running SuSE Linux 8.2 works as the internet gateway.
> I installed and configured BIND 9 and Squid, and they run properly.
>
> Now the problem is when my shorewall is up. I configured my shorewall exactly the same as the "two-interfaces" example that I found and downloaded from "http://www.shorewall.net".
>
> After my shorewall is up (command: "shorewall start") my internet connection is absolutely stuck. The error message was: "can not find host http://www.yahoo.com" when I tried to visit the yahoo site after my shorewall was up.
>
> What's wrong? What should I do? Where is the mistake?

You have told us NOTHING about what you did -- how can we know what you didn't do or did wrong? You haven't even told us which of your two computers is experiencing the problem (or if both are).

You are running Bind on your firewall -- did you follow the instructions at http://www.shorewall.net/two-interface.htm regarding running a DNS server on your firewall?

You are running Squid on your firewall -- did you follow the instructions at http://www.shorewall.net/Shorewall_Squid_Usage.html?

Is the "can not find host" message being generated by your Browser or by Squid? (If it is being generated by Squid, it will say so at the bottom).

Have you looked at the Shorewall log at all?

Have you tried to determine if the problem is a DNS problem or a connectivity problem (by using ip addresses rather than DNS names)?

You want our help -- please provide the information that we ask for at http://www.shorewall.net/support.htm? The "shorewall status" output is particularly useful in cases like this...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Prabu Subroto
2003-May-23 21:31 UTC
Fwd: [Shorewall-users] shorewall with TDSL/ADSL can not run.
Dear Tom.

I think my eth0 is the one which experienced the problem, because I tried to surf the internet from the gateway computer.

Here is my "common.def":

    run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

Here is my "interfaces":

    net     eth0    detect    dhcp,routefilter,norfc1918
    loc     eth1    detect    routestopped

Here is my "masq":

    eth0    eth1

Here is my "rules":

    # for http squid proxy
    ACCEPT  loc   fw    tcp  3128
    ACCEPT  loc   fw    udp  3128
    ACCEPT  fw    net   tcp  3128
    ACCEPT  fw    net   udp  3128
    # for DNS queries
    ACCEPT  loc   fw    tcp  53
    ACCEPT  loc   fw    udp  53
    ACCEPT  fw    net   tcp  53
    ACCEPT  fw    net   udp  53
    # for FTP
    ACCEPT  loc   fw    tcp  21
    ACCEPT  loc   fw    udp  21
    # for DHCP client
    ACCEPT  fw    net   tcp  67
    ACCEPT  fw    net   udp  67
    ACCEPT  fw    net   tcp  546
    ACCEPT  fw    net   udp  546
    # http
    ACCEPT  fw    net   tcp  80
    ACCEPT  fw    net   udp  80
    ACCEPT  fw    net   tcp  8080
    ACCEPT  fw    net   udp  8080
    # ssh
    ACCEPT  loc   fw    tcp  22

Here is my "shorewall.conf":

    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    FW=fw
    SUBSYSLOCK=/var/lock/subsys/shorewall
    STATEDIR=/var/lib/shorewall
    ALLOWRELATED=yes
    MODULESDIR=
    LOGRATE=
    LOGBURST=
    LOGUNCLEAN=info
    LOGFILE=/var/log/messages
    NAT_ENABLED=Yes
    MANGLE_ENABLED=Yes
    IP_FORWARDING=On
    ADD_IP_ALIASES=Yes
    ADD_SNAT_ALIASES=No
    TC_ENABLED=No
    BLACKLIST_DISPOSITION=DROP
    BLACKLIST_LOGLEVEL=
    CLAMPMSS=Yes
    ROUTE_FILTER=No
    NAT_BEFORE_RULES=Yes
    MULTIPORT=No

The interface facing the internet is eth0 and the one facing the local network is eth1.

Is the information about what I have done enough already? Thank you Tom.
John Andersen
2003-May-23 21:39 UTC
[Shorewall-users] shorewall with TDSL/ADSL can not run.
On Friday 23 May 2003 07:20 pm, Prabu Subroto wrote:
> Dear my friends....
>
> After my shorewall is up (command: "shorewall start") my internet connection is absolutely stuck. The error message was: "can not find host http://www.yahoo.com" when I tried to visit the yahoo site after my shorewall was up.

Why run bind and squid? Shorewall will be happy to pass dns and www requests through for you, and the savings in bandwidth utilization are likely to be minimal with only a couple of stations...

What are your interfaces? If using dsl, did you follow the bit in the two interface docs about using ppp0 instead of eth? Usually with dsl, your external nic is not really used directly but rather you use ppp0, and (as best I can tell) you don't even have to assign an ip to eth0 (if that is your outside nic).

--
John Andersen - NORCOM
http://www.norcomsoftware.com/
Tom Eastep
2003-May-23 21:45 UTC
Fwd: [Shorewall-users] shorewall with TDSL/ADSL can not run.
On Fri, 23 May 2003 21:31:36 -0700 (PDT), Prabu Subroto <prabu_subroto@yahoo.com> wrote:

> Dear Tom.
>
> I think my eth0 is the one which experienced the problem, because I tried to surf the internet from the gateway computer.

I don't see anything in your rules that would prevent that -- the only problem I see is that you have lots of extra rules (see below).

> Here is my "common.def":
> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

There should be more than that in common.def -- Since you are running Shorewall 1.3, your 'common' file should have that rule as well as ". /etc/shorewall/common.def".

> Here is my "interfaces":
> net eth0 detect dhcp,routefilter,norfc1918
> loc eth1 detect routestopped
>
> Here is my "masq":
> eth0 eth1
>
> Here is my "rules":
> # for http squid proxy
> ACCEPT loc fw tcp 3128

So you aren't using Squid as a transparent proxy?

> ACCEPT loc fw udp 3128

Above UDP rule is unnecessary.

> ACCEPT fw net tcp 3128
> ACCEPT fw net udp 3128

The above UDP rule is unnecessary -- I don't know why you would want the tcp rule.

> # for DNS queries
> ACCEPT loc fw tcp 53
> ACCEPT loc fw udp 53
> ACCEPT fw net tcp 53
> ACCEPT fw net udp 53
> # for FTP
> ACCEPT loc fw tcp 21
> ACCEPT loc fw udp 21
> # for DHCP client
> ACCEPT fw net tcp 67
> ACCEPT fw net udp 67

The above two rules are unnecessary -- you have specified 'dhcp' on your net interface.

> ACCEPT fw net tcp 546
> ACCEPT fw net udp 546
> # http
> ACCEPT fw net tcp 80
> ACCEPT fw net udp 80

Above UDP rule is unnecessary.

> ACCEPT fw net tcp 8080
> ACCEPT fw net udp 8080

Don't think you need either of those unless your Squid is using another upstream http cache.

> # ssh
> ACCEPT loc fw tcp 22
>
> Here is my "shorewall.conf":
> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
> FW=fw
> SUBSYSLOCK=/var/lock/subsys/shorewall
> STATEDIR=/var/lib/shorewall
> ALLOWRELATED=yes
> MODULESDIR=
> LOGRATE=
> LOGBURST=
> LOGUNCLEAN=info
> LOGFILE=/var/log/messages
> NAT_ENABLED=Yes
> MANGLE_ENABLED=Yes
> IP_FORWARDING=On
> ADD_IP_ALIASES=Yes
> ADD_SNAT_ALIASES=No
> TC_ENABLED=No
> BLACKLIST_DISPOSITION=DROP
> BLACKLIST_LOGLEVEL=
> CLAMPMSS=Yes
> ROUTE_FILTER=No
> NAT_BEFORE_RULES=Yes
> MULTIPORT=No
>
> The interface facing the internet is eth0 and the one facing the local network is eth1.
>
> Is the information about what I have done enough already?

When you try to surf, what new messages does "shorewall show log" give you?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
As you are using ADSL (TDSL is a product name, still ADSL), do you have a ppp0 interface? Try

    # ifconfig ppp0

If that does not generate an error, you are likely using ppp0 instead of eth0.

Check whether you have a proper default gateway:

    # route -n

Can you reach the Internet from your firewall?

    # ping -c 2 216.211.130.20

> Here is my "interfaces":
> net eth0 detect dhcp,routefilter,norfc1918
> loc eth1 detect routestopped

IFF you have a ppp0 interface, change this to:

    net     ppp0    -         dhcp,routefilter,norfc1918
    loc     eth1    detect    routestopped

> Here is my "masq":
> eth0 eth1

IFF you have a ppp0 interface, change this to:

    ppp0    eth1

HTH
--
karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
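One way to script the "route -n" check above so that the routing table is compared against the Shorewall "interfaces" file automatically. This is an added example, not code from the thread or from Shorewall; the file names, the saved routing table and the temporary directory are constructed for the demonstration.

```shell
# Added example, not from the thread: check that the interface Shorewall's
# "interfaces" file binds to the "net" zone is the one carrying the default
# route (Karsten's "route -n" check in script form; sample data constructed).

# Print the interface of the default route from saved "route -n" output.
default_route_iface() {
    # Columns: Destination Gateway Genmask Flags Metric Ref Use Iface
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF; exit }' "$1"
}

# Print the interface a Shorewall "interfaces" file assigns to zone $2.
zone_iface() {
    # Columns: ZONE INTERFACE BROADCAST OPTIONS; skip comments and blanks.
    awk -v zone="$2" '!/^#/ && NF >= 2 && $1 == zone { print $2; exit }' "$1"
}

# Return 0 when the net zone sits on the default-route interface, 1 when the
# two differ (the eth0-vs-ppp0 situation), 2 when there is no default route.
check_net_zone() {
    rt=$(default_route_iface "$1")
    zi=$(zone_iface "$2" net)
    if [ -z "$rt" ]; then
        echo "no default route: the ISP link is down or not up yet"
        return 2
    elif [ "$rt" = "$zi" ]; then
        echo "ok: net zone on $zi carries the default route"
        return 0
    fi
    echo "mismatch: net zone is on $zi but the default route leaves via $rt"
    return 1
}

# Constructed sample: a PPPoE DSL link whose default route is on ppp0, with
# the poster's interfaces file still naming eth0 as the net interface.
write_sample() {
    cat > "$1/route.txt" <<'EOF'
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
EOF
    cat > "$1/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918
loc     eth1        detect      routestopped
EOF
}
dir=$(mktemp -d)
write_sample "$dir"
check_net_zone "$dir/route.txt" "$dir/interfaces" || echo "(exit status $?)"
rm -rf "$dir"
```

On a real gateway, point the two arguments at the output of "route -n" saved to a file and at /etc/shorewall/interfaces; an exit status of 1 is the symptom this thread is about.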