Here is my network setup for a router doing IP_MASQ to a small 192.168.1.x network. Ignore the VPN entries, the problem is not there.

From the router, I can ping 192.168.1.150 which is a network camera. I can view the camera in my browser as well. But 192.168.1.155 160 165 and 251 I cannot view or ping, they are also cameras, the same model. Here is the output of ping.

[root@dhcp-633-132 shorewall]# ping 192.168.1.150
PING 192.168.1.150 (192.168.1.150) 56(84) bytes of data.
64 bytes from 192.168.1.150: icmp_seq=1 ttl=64 time=996 ms
64 bytes from 192.168.1.150: icmp_seq=2 ttl=64 time=0.412 ms
64 bytes from 192.168.1.150: icmp_seq=3 ttl=64 time=0.356 ms
64 bytes from 192.168.1.150: icmp_seq=4 ttl=64 time=0.549 ms
64 bytes from 192.168.1.150: icmp_seq=5 ttl=64 time=0.401 ms

--- 192.168.1.150 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 0.356/199.570/996.136/398.283 ms
[root@dhcp-633-132 shorewall]# ping 192.168.1.165
PING 192.168.1.165 (192.168.1.165) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
From 192.168.1.1 icmp_seq=5 Destination Host Unreachable
From 192.168.1.1 icmp_seq=6 Destination Host Unreachable

--- 192.168.1.165 ping statistics ---
7 packets transmitted, 0 received, +6 errors, 100% packet loss, time 6022ms, pipe 3
[root@dhcp-633-132 shorewall]#

They are identical cameras and there are no other routers or firewalls in place. eth1 on this machine goes to the uplink port on a switch where everything else is connected to. Machines on the network can ping and view all the cameras, but the router can only see that one for some reason. Below is my config, any ideas?
/etc/shorewall/interfaces
net     eth0    detect
masq    eth1    detect
vpn     tun0    10.10.10.255

/etc/shorewall/masq
eth0    192.168.1.0/255.255.255.0

/etc/shorewall/policy
masq    net     ACCEPT
loc     net     ACCEPT
fw      net     ACCEPT
fw      masq    ACCEPT
masq    fw      ACCEPT
vpn     masq    ACCEPT
masq    vpn     ACCEPT
vpn     fw      ACCEPT
fw      vpn     ACCEPT
net     all     DROP    info
all     all     REJECT  info

/etc/shorewall/rules
ACCEPT  net     fw      tcp     22,23   -
ACCEPT  net     fw      udp     22,23   -

/etc/shorewall/zones
net     Net             Internet zone
masq    Masquerade      Masquerade Local
loc     Local           Local
vpn     VPN             Remote Subnet
Bill.Light@kp.org
2003-Jun-26 16:39 UTC
[Shorewall-users] Cant ping certain things, but can others.
Don't know if it's the same, but I had a similar problem when I first set up...

What is your NETMASK on your card definition? It is possible to check with the "ifconfig" command.

If you do a "shorewall clear" does the problem still happen?

Just a thought...
Tom Eastep
2003-Jun-26 17:05 UTC
[Shorewall-users] Cant ping certain things, but can others.
On 26 Jun 2003 18:18:13 -0500, tufkal <tufkal@granola.mine.nu> wrote:

> Here is my network setup for a router doing IP_MASQ to a small
> 192.168.1.x network. Ignore the VPN entries, the problem is not there.
>
> From the router, I can ping 192.168.1.150 which is a network camera. I
> can view the camera in my browser as well. But 192.168.1.155 160 165
> and 251 I cannot view or ping, they are also cameras, the same model.

And if you "shorewall clear" then can you ping these devices?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep
2003-Jun-27 08:44 UTC
[Shorewall-users] Cant ping certain things, but can others.
On Thu, 2003-06-26 at 21:33, tufkal wrote:

> No after shorewall clear still no go on pings.
>

Then your problem has nothing to do with Shorewall. As Bill Light suggested, check the netmask configuration on the systems that can't be accessed. Check the netmask on the Firewall's local interface.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
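
Added example, not part of the thread: the netmask check suggested in the replies, applied to net-tools style `ifconfig` output and the camera addresses from the original post. The `ifconfig` sample, its MAC addresses and masks are constructed assumptions, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of old net-tools `ifconfig` output (not from the thread).
# eth1 deliberately carries a too-narrow mask to show what the check catches.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:203.0.113.10  Bcast:203.0.113.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:00:5E:00:53:02
          inet addr:192.168.1.1  Bcast:192.168.1.127  Mask:255.255.255.128
"""

# Camera addresses named in the original post.
CAMERAS = ["192.168.1.150", "192.168.1.155", "192.168.1.160",
           "192.168.1.165", "192.168.1.251"]


def parse_ifconfig(text):
    """Map interface name -> IPv4Interface (address plus netmask)."""
    result, name = {}, None
    for line in text.splitlines():
        header = re.match(r"^(\S+)\s+Link encap:", line)
        if header:
            name = header.group(1)
            continue
        inet = re.search(r"inet addr:(\S+).*Mask:(\S+)", line)
        if inet and name:
            result[name] = ipaddress.ip_interface(f"{inet.group(1)}/{inet.group(2)}")
    return result


def off_link(iface, targets):
    """Targets that the interface's netmask places outside its own subnet."""
    return [t for t in targets if ipaddress.ip_address(t) not in iface.network]


def mutual(router_if, host_if):
    """Direct delivery needs each end to consider the other on-link."""
    return host_if.ip in router_if.network and router_if.ip in host_if.network


if __name__ == "__main__":
    for name, iface in parse_ifconfig(SAMPLE_IFCONFIG).items():
        print(name, iface.network, "off-link:", off_link(iface, CAMERAS))
```

`mutual()` covers the other half of the advice: pass it the router's interface and a camera's configured address and mask to see whether the camera considers the router on-link.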