Hey All,

I'm having problems routing between NICs that are assigned to the Local zone. I've got 4 machines connected to eth0 and 3 machines connected to eth1. eth2 is my cable modem and should be the default gateway for everything. eth0 and eth1 assign IPs in two different ranges via dhcp and eth2 gets its ip via dhcp from the ISP. If it makes a difference the clients are Win2K and WinXP boxes and the firewall is running on a Gentoo Linux box.

I know that I could get a bigger hub and attach all my machines to one NIC but I'm hoping there's a routing table or other similar simple solution I'm missing.

I've been trying to follow the multiple subnet thread and looked at shorewall.net but the closest I seem to get is to try the routeback interface option. In my situation I not only have multiple subnets, I have multiple NICs in the zone so it doesn't seem like the advice applies.

My routing table looks like so...

Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
172.16.0.0      0.0.0.0         255.255.255.0   U      40 0      0    eth0
172.16.1.0      0.0.0.0         255.255.255.0   U      40 0      0    eth1
24.59.0.0       0.0.0.0         255.255.240.0   U      40 0      0    eth2
0.0.0.0         24.59.0.1       0.0.0.0         UG     40 0      0    eth2

I can ping and connect to services on machines within either the 172.16.0.0 range OR within the 172.16.1.0 range. I can always connect to and ping the firewall box and I can always connect to and ping the internet. What I can't do is ping or connect to services between the 172.16.0.0 and 172.16.1.0 ranges.

Thanks for any advice on where to look next...

Matt
On Sun, 01 Jun 2003 16:50:38 -0400, Matt Neimeyer <lists@neimeyer.org> wrote:

> What I can't do is ping or connect to services between the 172.16.0.0 and
> 172.16.1.0 ranges.
>

a) What version of Shorewall are you running.
b) What do you have in your Shorewall policy, interfaces and hosts files?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
>> What I can't do is ping or connect to services between the 172.16.0.0 and
>> 172.16.1.0 ranges.
>
> a) What version of Shorewall are you running.
> b) What do you have in your Shorewall policy, interfaces and hosts files?

Sorry... I've got 1.4.2 installed... There is an emerge of 1.4.4a available that I could update to if it would help.

Leaving out all the comment lines ends up with an empty hosts file and...

policy is...

#SOURCE    DEST    POLICY    LOG LEVEL    LIMIT:BURST
loc        net     ACCEPT    -
net        all     DROP      info
$FW        net     ACCEPT    -
all        all     REJECT    info

interfaces is...

#ZONE    INTERFACE    BROADCAST    OPTIONS
loc      eth0         detect       dhcp
loc      eth1         detect       dhcp
net      eth2         detect       dhcp,norfc1918,blacklist

Thanks in advance again...

Matt
On Sun, 01 Jun 2003 17:09:03 -0400, Matt Neimeyer <lists@neimeyer.org> wrote:

> Leaving out all the comment lines ends up with an empty hosts file and...
>
> policy is...
>
> #SOURCE    DEST    POLICY    LOG LEVEL    LIMIT:BURST
> loc        net     ACCEPT    -
> net        all     DROP      info
> $FW        net     ACCEPT    -
> all        all     REJECT    info
>
>
> interfaces is...
>
> loc    eth0    detect    dhcp
> loc    eth1    detect    dhcp
> net    eth2    detect    dhcp,norfc1918,blacklist
>

Please post the output of:

  shorewall show eth0_fwd
  shorewall show eth1_fwd

Thanks,
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
>> Leaving out all the comment lines ends up with an empty hosts file and...
>>
>> policy is...
>>
>> #SOURCE    DEST    POLICY    LOG LEVEL    LIMIT:BURST
>> loc        net     ACCEPT    -
>> net        all     DROP      info
>> $FW        net     ACCEPT    -
>> all        all     REJECT    info
>>
>>
>> interfaces is...
>>
>> loc    eth0    detect    dhcp
>> loc    eth1    detect    dhcp
>> net    eth2    detect    dhcp,norfc1918,blacklist
>
> Please post the output of:
>
>   shorewall show eth0_fwd
>   shorewall show eth1_fwd

Counters reset Sun May 4 22:47:25 EDT 2003

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 474K   46M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 474K   46M loc2net    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
    4   240 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Counters reset Sun May 4 22:47:25 EDT 2003

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
  203 29232 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
  203 29232 loc2net    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Matt
On Sun, 01 Jun 2003 17:22:13 -0400, Matt Neimeyer <lists@neimeyer.org> wrote:

>> Please post the output of:
>>
>>   shorewall show eth0_fwd
>>   shorewall show eth1_fwd
>
> Counters reset Sun May 4 22:47:25 EDT 2003
>
> Chain eth0_fwd (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>  474K   46M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
>  474K   46M loc2net    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
>     4   240 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
>
> Counters reset Sun May 4 22:47:25 EDT 2003
>
> Chain eth1_fwd (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>   203 29232 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
>   203 29232 loc2net    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
>     0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>

Your firewall is open between eth0 and eth1 -- All traffic is accepted in both directions.

Looks like tcpdump time...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
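Reading the per-rule counters is the check Tom is doing by eye above: `shorewall show <chain>` is just `iptables -nvL <chain>`, and a rule whose pkts column is still 0 has never matched since the counters were reset. The parser below is an added example by the editor, not code from the thread or from Shorewall; the function names are mine, and the sample input is the two chain listings Matt posted, reflowed. The practical use is to snapshot the counters, attempt one ping across the two subnets, and compare: if the `eth1_fwd` ACCEPT rule towards eth0 stays at 0 while the `eth0_fwd` one moves, the request is being forwarded but the reply never enters the FORWARD path from eth1.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Sample input: the eth0_fwd / eth1_fwd listings posted in the thread, reflowed.
SAMPLE = """\
Counters reset Sun May  4 22:47:25 EDT 2003

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 474K   46M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 474K   46M loc2net    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
    4   240 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Counters reset Sun May  4 22:47:25 EDT 2003

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
  203 29232 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
  203 29232 loc2net    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
"""

# iptables -v abbreviates large counters with K/M/G (decimal multiples).
_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
_CHAIN_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str = ""


def _count(tok: str) -> int:
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"bad counter field: {tok!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_chains(text: str) -> dict[str, list[Rule]]:
    """Map chain name -> rules in traversal order (the order iptables walks them)."""
    chains: dict[str, list[Rule]] = {}
    current = None
    for line in text.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        f = line.split()
        # Skip blank lines, the column header and the "Counters reset ..." lines.
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue
        # Columns: pkts bytes target prot opt in out source destination [extra]
        chains[current].append(Rule(_count(f[0]), _count(f[1]), f[2], f[3],
                                    f[5], f[6], f[7], f[8], " ".join(f[9:])))
    return chains


def accepted_between(chains: dict[str, list[Rule]], src_if: str, dst_if: str) -> int:
    """Packets the <src_if>_fwd chain has ACCEPTed towards dst_if since the last
    counter reset. Zero means no forwarded packet ever reached that rule,
    whatever the earlier rules in the chain did."""
    return sum(r.pkts for r in chains.get(f"{src_if}_fwd", [])
               if r.target == "ACCEPT" and r.out_if == dst_if)


def report(chains: dict[str, list[Rule]]) -> list[str]:
    """One line per rule, flagging rules that have never matched."""
    out = []
    for name, rules in chains.items():
        for r in rules:
            flag = "" if r.pkts else "   <-- never matched"
            out.append(f"{name:9} {r.target:8} in={r.in_if:5} out={r.out_if:5} "
                       f"pkts={r.pkts}{flag}")
    return out


if __name__ == "__main__":
    chains = parse_chains(SAMPLE)
    print("\n".join(report(chains)))
    print("eth0->eth1 accepted:", accepted_between(chains, "eth0", "eth1"))
    print("eth1->eth0 accepted:", accepted_between(chains, "eth1", "eth0"))
```

Run it against live output with `shorewall show eth0_fwd eth1_fwd | python3 this.py` after replacing `SAMPLE` with `sys.stdin.read()`; the counters are cumulative, so reset them (`shorewall reset`) or diff two snapshots around a single test ping to attribute packets to that ping.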
On Sun, 01 Jun 2003 14:38:15 -0700, Tom Eastep <teastep@shorewall.net> wrote:

>
> Your firewall is open between eth0 and eth1 -- All traffic is accepted in
> both directions.
>
> Looks like tcpdump time...
>

One possibility: You are using class B addresses and your Windoze selected the default netmask for a class B (255.255.240.0). In your setup, you need class C's (255.255.255.0)

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
>> Your firewall is open between eth0 and eth1 -- All traffic is accepted in
>> both directions.
>> Looks like tcpdump time...
>
> One possibility: You are using class B addresses and your Windoze selected
> the default netmask for a class B (255.255.240.0). In your setup, you need
> class C's (255.255.255.0)

Nope... Both sides (the firewall and the Windows machines) have a netmask of 255.255.255.0...

I don't know if this makes a difference but when I ping 172.16.1.1 (eth1's IP) from 172.16.0.254 (a win box) I get the following...

Pinging 172.16.1.1 with 32 bytes of data:

Reply from 172.16.1.1: Destination port unreachable.
Reply from 172.16.1.1: Destination port unreachable.
Reply from 172.16.1.1: Destination port unreachable.
Reply from 172.16.1.1: Destination port unreachable.

Ping statistics for 172.16.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

I can however ping to/from the firewall and to the internet (IE ping www.google.com works as expected)

Thanks

Matt
> Your firewall is open between eth0 and eth1 -- All traffic is accepted in
> both directions.
> Looks like tcpdump time...

And um... what would I be looking for? (considering I've never had the need, through luck I assume, to require the services of tcpdump)

Matt
On Sun, 01 Jun 2003 18:40:19 -0400, Matt Neimeyer <lists@neimeyer.org> wrote:

>
> Nope... Both sides (the firewall and the Windows machines) have a netmask
> of 255.255.255.0...
>
> I don't know if this makes a difference but when I ping 172.16.1.1
> (eth1's IP) from 172.16.0.254 (a win box) I get the following...
>
> Pinging 172.16.1.1 with 32 bytes of data:
>
> Reply from 172.16.1.1: Destination port unreachable.
> Reply from 172.16.1.1: Destination port unreachable.
> Reply from 172.16.1.1: Destination port unreachable.
> Reply from 172.16.1.1: Destination port unreachable.
>
> Ping statistics for 172.16.1.1:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
> I can however ping to/from the firewall and to the internet (IE ping
> www.google.com works as expected)

Hmmm -- that looks like Shorewall is blocking it. Please follow the instructions at http://www.shorewall.net/support.htm under the heading "If you are having connection problems of any kind:"

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On Sun, 01 Jun 2003 18:40:19 -0400, Matt Neimeyer <lists@neimeyer.org> wrote:

>
>>> Your firewall is open between eth0 and eth1 -- All traffic is accepted
>>> in both directions.
>>> Looks like tcpdump time...
>>
>> One possibility: You are using class B addresses and your Windoze
>> selected the default netmask for a class B (255.255.240.0). In your
>> setup, you need class C's (255.255.255.0)
>
> Nope... Both sides (the firewall and the Windows machines) have a netmask
> of 255.255.255.0...
>
> I don't know if this makes a difference but when I ping 172.16.1.1
> (eth1's IP) from 172.16.0.254 (a win box) I get the following...
>
> Pinging 172.16.1.1 with 32 bytes of data:
>
> Reply from 172.16.1.1: Destination port unreachable.
> Reply from 172.16.1.1: Destination port unreachable.
> Reply from 172.16.1.1: Destination port unreachable.
> Reply from 172.16.1.1: Destination port unreachable.
>
> Ping statistics for 172.16.1.1:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
> I can however ping to/from the firewall and to the internet (IE ping
> www.google.com works as expected)

Something is really fishy here -- pinging 172.16.1.1 from 172.16.0.254 is a loc->fw connection. If you can ping one fw IP, you should be able to ping them all.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
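Two things worth knowing when following Tom's pointer to the support page. First, a Windows ping that reports "Destination port unreachable" has received an ICMP port-unreachable from the firewall, which is exactly what an iptables `REJECT` target sends when it is given no `--reject-with`; a silently dropped packet would show "Request timed out" instead. Second, the `all all REJECT info` policy in Matt's policy file logs every packet it rejects at syslog level info, so the kernel log is the place to see which chain rejected a given flow and whether the packet was on its way to the firewall itself (`OUT=` empty) or being forwarded (`OUT=` set). The parser below is an added example by the editor, not code from the thread or from Shorewall. The log lines in it are constructed for illustration, not Matt's real log; they use the `Shorewall:<chain>:<disposition>:` log prefix that Shorewall's default LOGFORMAT produces, and the chain names `all2all` and `net2all` are the illustrative names Shorewall would give the policy chains for those zone pairs.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample (NOT Matt's real log): syslog lines as the kernel LOG target
# writes them, with a Shorewall-style "Shorewall:<chain>:<disposition>:" prefix.
SAMPLE_LOG = """\
Jun  1 18:40:19 gw kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:50:da:12:34:56:00:a0:c9:ab:cd:ef:08:00 SRC=172.16.0.254 DST=172.16.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=256
Jun  1 18:40:20 gw kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:50:da:12:34:56:00:a0:c9:ab:cd:ef:08:00 SRC=172.16.0.254 DST=172.16.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4712 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=512
Jun  1 18:40:25 gw kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=eth1 SRC=172.16.0.254 DST=172.16.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4713 DF PROTO=TCP SPT=1044 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Jun  1 18:41:02 gw kernel: Shorewall:net2all:DROP:IN=eth2 OUT= MAC=00:50:da:65:43:21:00:01:02:03:04:05:08:00 SRC=203.0.113.7 DST=24.59.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=9001 DF PROTO=TCP SPT=3089 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  1 18:41:03 gw kernel: unrelated message that is not a netfilter log line
"""

_PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")
_KV_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens; OUT= may be empty


@dataclass(frozen=True)
class LogEntry:
    chain: str
    disposition: str
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str
    dport: str  # TCP/UDP destination port, or ICMP "type/code"

    def path(self) -> str:
        """Which netfilter path the packet was on, judged from IN/OUT."""
        if self.in_if and self.out_if:
            return "forwarded"      # FORWARD chain: loc->loc or loc->net
        if self.in_if:
            return "to firewall"    # INPUT chain: loc->fw, net->fw
        return "from firewall"      # OUTPUT chain: fw->anything


def parse_log(text: str) -> list[LogEntry]:
    entries = []
    for line in text.splitlines():
        m = _PREFIX_RE.search(line)
        if not m:
            continue  # not a Shorewall-prefixed LOG line
        kv = dict(_KV_RE.findall(m.group("rest")))
        proto = kv.get("PROTO", "?")
        if proto == "ICMP":
            dport = f"{kv.get('TYPE', '?')}/{kv.get('CODE', '?')}"
        else:
            dport = kv.get("DPT", "-")
        entries.append(LogEntry(m.group("chain"), m.group("disp"),
                                kv.get("IN", ""), kv.get("OUT", ""),
                                kv.get("SRC", "?"), kv.get("DST", "?"),
                                proto, dport))
    return entries


def summarize(entries: list[LogEntry]) -> Counter:
    """Count logged packets per (chain, disposition, path, interfaces, flow)."""
    return Counter((e.chain, e.disposition, e.path(), e.in_if, e.out_if,
                    e.src, e.dst, e.proto, e.dport) for e in entries)


if __name__ == "__main__":
    for key, n in summarize(parse_log(SAMPLE_LOG)).most_common():
        chain, disp, path, i, o, s, d, p, dp = key
        print(f"{n:3}x {chain}:{disp} {path:13} in={i or '-'} out={o or '-'} "
              f"{s} -> {d} {p} {dp}")
```

Feed it the real thing with `grep Shorewall: /var/log/messages | python3 this.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`. The `path()` column is the one that answers Tom's question: a reject of the Windows ping to 172.16.1.1 would show up as "to firewall", a reject of traffic to a host behind eth1 as "forwarded", and the chain name tells you which policy or rule produced it.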
>>>> Your firewall is open between eth0 and eth1 -- All traffic is accepted
>>>> in both directions.
>>>> Looks like tcpdump time...
>>> Nope... Both sides (the firewall and the Windows machines) have a
>>> netmask of 255.255.255.0...
>> I don't know if this makes a difference but when I ping 172.16.1.1
>> (eth1's IP) from 172.16.0.254 (a win box) I get the following...
>> I can however ping to/from the firewall and to the internet (IE ping
>> www.google.com works as expected)
> Something is really fishy here -- pinging 172.16.1.1 from 172.16.0.254 is
> a loc->fw connection. If you can ping one fw IP, you should be able to
> ping them all.

Alright I lied... I don't know if I had the firewall down at one point (cause I did at several points...) and I apologize.

Tonight looking at it... (after a reboot to a "default" status) I can't ping from the firewall to local either. I can however, ping from local to net or from fw to net. I can ping within a given local subnet. I can't ping the firewall from the local or the local from the firewall.

If I issue a shorewall clear I can ping from the firewall to local, local to firewall, local to local (between subnets on each NIC), but (obviously) I can't do anything to the net except from the firewall itself.

Matt
On Tue, 03 Jun 2003 00:23:49 -0400, Matt Neimeyer <lists@neimeyer.org> wrote:

>
> If I issue a shorewall clear I can ping from the firewall to local, local
> to firewall, local to local (between subnets on each NIC), but
> (obviously) I can't do anything to the net except from the firewall
> itself.
>

Matt -- I can't do anything more for you until you send me the status output that I asked for.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net