Shorewall users - Sep 2003 - Please help...

Hi,

I''m having a hard time figuring this out... I''m getting this
in my log:

Sep 15 21:48:07 firewall Shorewall:all2all:REJECT: IN=eth1
OUT= MAC=00:00:24:c0:01:09:00:00:cd:04:fd:48:08:00 
SRC=164.144.32.10 DST=38.118.152.30 LEN=52 TOS=00 PREC=0x00
TTL=109 ID=54839 DF PROTO=TCP SPT=31202 DPT=80
SEQ=2467470235 ACK=0 WINDOW=6144 SYN URGP=0

However, I do have 38.118.152.30 setup to accept http
requests. I have this in my rules file:

ACCEPT  net     loc             tcp     80
DNAT    net     loc:192.168.1.246       tcp     80      -   
   38.118.152.244
DNAT    net     loc:192.168.1.252       tcp     80      -   
   38.118.152.29
DNAT    net     loc:192.168.1.251       tcp     80      -   
   38.118.152.30
DNAT    net     loc:192.168.1.250       tcp     80      -   
   38.118.152.31

HTTP requests to 38.118.152.31, as well as to 38.118.152.244
work fine. However, requests to the .30 IP get rejected, as
is shown in the all2all:REJECT line above.

What could be wrong?

Ricardo

On Mon, 15 Sep 2003, Ricardo Kleemann wrote:
> Hi,
>
> I''m having a hard time figuring this out... I''m getting
this
> in my log:
>
> Sep 15 21:48:07 firewall Shorewall:all2all:REJECT: IN=eth1
> OUT= MAC=00:00:24:c0:01:09:00:00:cd:04:fd:48:08:00
> SRC=164.144.32.10 DST=38.118.152.30 LEN=52 TOS=00 PREC=0x00
> TTL=109 ID=54839 DF PROTO=TCP SPT=31202 DPT=80
> SEQ=2467470235 ACK=0 WINDOW=6144 SYN URGP=0
>
> However, I do have 38.118.152.30 setup to accept http
> requests. I have this in my rules file:
>
> ACCEPT  net     loc             tcp     80
What is the above rule supposed to do? It is probably superfluous.
> DNAT    net     loc:192.168.1.246       tcp     80      -
>    38.118.152.244
> DNAT    net     loc:192.168.1.252       tcp     80      -
>    38.118.152.29
> DNAT    net     loc:192.168.1.251       tcp     80      -
>    38.118.152.30
> DNAT    net     loc:192.168.1.250       tcp     80      -
>    38.118.152.31
>
> HTTP requests to 38.118.152.31, as well as to 38.118.152.244
> work fine. However, requests to the .30 IP get rejected, as
> is shown in the all2all:REJECT line above.
>
> What could be wrong?
a) Is eth1 your ''net'' interface?
b) Do you have any entries in /etc/shorewall/nat or
/etc/shorewall/proxyarp?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Mon, 15 Sep 2003, Tom Eastep wrote:
> >
> > What could be wrong?
>
> a) Is eth1 your ''net'' interface?
> b) Do you have any entries in /etc/shorewall/nat or
> /etc/shorewall/proxyarp?
>
Also, what does "shorewall show nat" show?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Hi Tom,

Thanks for your quick reply.
> >
> > a) Is eth1 your ''net'' interface?
Actually, it''s not supposed to be. I''m not sure why it shows
up as eth1. Here''s my ip addr

# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast
qlen 100
    link/ether 00:00:24:c0:01:08 brd ff:ff:ff:ff:ff:ff
    inet 38.118.152.244/24 brd 38.118.152.255 scope global
eth0
    inet 38.118.152.245/24 brd 38.118.152.255 scope global
secondary eth0
    inet 38.118.152.246/24 brd 38.118.152.255 scope global
secondary eth0
    inet 38.118.152.247/24 brd 38.118.152.255 scope global
secondary eth0
    inet 38.118.152.248/24 brd 38.118.152.255 scope global
secondary eth0
    inet 38.118.152.29/24 brd 38.118.152.255 scope global
secondary eth0
    inet 38.118.152.30/24 brd 38.118.152.255 scope global
secondary eth0
    inet 38.118.152.31/24 brd 38.118.152.255 scope global
secondary eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast
qlen 100
    link/ether 00:00:24:c0:01:09 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global
eth1
5: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100
    link/ether 00:00:24:c0:01:0a brd ff:ff:ff:ff:ff:ff

My interfaces:
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect         
routefilter,blacklist
loc     eth1            detect

> > b) Do you have any entries in /etc/shorewall/nat or
> > /etc/shorewall/proxyarp?
My nat file:

#EXTERNAL       INTERFACE       INTERNAL        ALL
INTERFACES          LOCAL
38.118.152.245  eth0            192.168.1.245   no          
           no
38.118.152.246  eth0            192.168.1.246   no          
           no
38.118.152.247  eth0            192.168.1.247   no          
           no
38.118.152.248  eth0            192.168.1.248   no          
           no
38.118.152.29   eth0            192.168.1.252   no          
           no
38.118.152.30   eth0            192.168.1.251   no          
           no
38.118.152.31   eth0            192.168.1.250   no          
           no

> >
> 
> Also, what does "shorewall show nat" show?
# shorewall show nat
Shorewall-1.4.2 NAT at firewall - Mon Sep 15 22:46:29 UTC
2003

Counters reset Mon Sep 15 21:47:41 UTC 2003

Chain PREROUTING (policy ACCEPT 8743K packets, 645M bytes)
 pkts bytes target     prot opt in     out     source       
       destination     
27818 1743K eth0_in    all  --  eth0   *       0.0.0.0/0    
       0.0.0.0/0       
12529  932K net_dnat   all  --  eth0   *       0.0.0.0/0    
       0.0.0.0/0       

Chain POSTROUTING (policy ACCEPT 5686K packets, 309M bytes)
 pkts bytes target     prot opt in     out     source       
       destination     
41747 2068K eth0_out   all  --  *      eth0    0.0.0.0/0    
       0.0.0.0/0       
28917 1220K eth0_masq  all  --  *      eth0    0.0.0.0/0    
       0.0.0.0/0       

Chain OUTPUT (policy ACCEPT 1644K packets, 101M bytes)
 pkts bytes target     prot opt in     out     source       
       destination     

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source       
       destination     
   29  2214 DNAT       all  --  *      *       0.0.0.0/0    
       38.118.152.245     to:192.168.1.245
 5987  319K DNAT       all  --  *      *       0.0.0.0/0    
       38.118.152.246     to:192.168.1.246
 3225  159K DNAT       all  --  *      *       0.0.0.0/0    
       38.118.152.247     to:192.168.1.247
   31  2310 DNAT       all  --  *      *       0.0.0.0/0    
       38.118.152.248     to:192.168.1.248
  452 24836 DNAT       all  --  *      *       0.0.0.0/0    
       38.118.152.29      to:192.168.1.252
    0     0 DNAT       all  --  *      *       0.0.0.0/0    
       38.118.152.30      to:192.168.1.251
 5565  303K DNAT       all  --  *      *       0.0.0.0/0    
       38.118.152.31      to:192.168.1.250

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source       
       destination     
    0     0 MASQUERADE  all  --  *      *      
192.168.1.0/24       0.0.0.0/0      

Chain eth0_out (1 references)
 pkts bytes target     prot opt in     out     source       
       destination     
   10   400 SNAT       all  --  *      *       192.168.1.245
       0.0.0.0/0          to:38.118.152.245
12741  844K SNAT       all  --  *      *       192.168.1.246
       0.0.0.0/0          to:38.118.152.246
   12   480 SNAT       all  --  *      *       192.168.1.247
       0.0.0.0/0          to:38.118.152.247
   12   480 SNAT       all  --  *      *       192.168.1.248
       0.0.0.0/0          to:38.118.152.248
   35  2034 SNAT       all  --  *      *       192.168.1.252
       0.0.0.0/0          to:38.118.152.29
    0     0 SNAT       all  --  *      *       192.168.1.251
       0.0.0.0/0          to:38.118.152.30
   12   480 SNAT       all  --  *      *       192.168.1.250
       0.0.0.0/0          to:38.118.152.31

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source       
       destination     
   69  3312 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.244     tcp dpt:53 to:192.168.1.246
 7193  468K DNAT       udp  --  *      *       0.0.0.0/0    
       38.118.152.244     udp dpt:53 to:192.168.1.246
  144  7132 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.244     tcp dpt:80 to:192.168.1.246
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.245     tcp dpt:80 to:192.168.1.246
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.246     tcp dpt:80 to:192.168.1.247
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.244     tcp dpt:443 to:192.168.1.246
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.245     tcp dpt:443 to:192.168.1.246
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.246     tcp dpt:443 to:192.168.1.247
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.245     tcp dpt:25 to:192.168.1.246
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.246     tcp dpt:25 to:192.168.1.247
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.245     tcp dpt:143 to:192.168.1.246
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.246     tcp dpt:143 to:192.168.1.247
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.245     tcp dpt:110 to:192.168.1.246
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.246     tcp dpt:110 to:192.168.1.247
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.246     tcp dpt:21 to:192.168.1.246
    1    48 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.244     tcp dpt:21 to:192.168.1.246
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.244     tcp spt:2201 dpt:22
to:192.168.1.245
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.244     tcp spt:2202 dpt:22
to:192.168.1.246
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.244     tcp spt:2203 dpt:22
to:192.168.1.247
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.29      tcp dpt:22 to:192.168.1.252
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.29      tcp dpt:80 to:192.168.1.252
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.30      tcp dpt:80 to:192.168.1.251
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.31      tcp dpt:80 to:192.168.1.250
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.29      tcp dpt:8088 to:192.168.1.252
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.30      tcp dpt:8088 to:192.168.1.251
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.31      tcp dpt:8088 to:192.168.1.250
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.29      tcp dpt:443 to:192.168.1.252
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.30      tcp dpt:443 to:192.168.1.251
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.31      tcp dpt:443 to:192.168.1.250
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.29      tcp dpt:25 to:192.168.1.252
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.30      tcp dpt:25 to:192.168.1.251
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.31      tcp dpt:25 to:192.168.1.250
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.29      tcp dpt:23 to:192.168.1.252
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.30      tcp dpt:23 to:192.168.1.251
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.31      tcp dpt:23 to:192.168.1.250
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.29      tcp dpt:21 to:192.168.1.252
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.30      tcp dpt:21 to:192.168.1.251
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.31      tcp dpt:21 to:192.168.1.250
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.29      tcp dpt:110 to:192.168.1.252
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.30      tcp dpt:110 to:192.168.1.251
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0    
       38.118.152.31      tcp dpt:110 to:192.168.1.250

On Mon, 15 Sep 2003, Ricardo Kleemann wrote:
>
> Hi Tom,
>
> Thanks for your quick reply.
>
> > >
> > > a) Is eth1 your ''net'' interface?
>
> Actually, it''s not supposed to be. I''m not sure why it
shows
> up as eth1. Here''s my ip addr
>
Are eth0 and eth1 connected to the same HUB/Switch?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Hi,
> > > >
> > > > a) Is eth1 your ''net'' interface?
> >
> > Actually, it''s not supposed to be. I''m not sure why
it
> > shows up as eth1. Here''s my ip addr
> >
> 
> Are eth0 and eth1 connected to the same HUB/Switch?
Yes... I guess that''s the problem...? :-(

On Mon, 15 Sep 2003, Ricardo Kleemann wrote:
>
> Hi,
>
> > > > >
> > > > > a) Is eth1 your ''net'' interface?
> > >
> > > Actually, it''s not supposed to be. I''m not sure
why it
> > > shows up as eth1. Here''s my ip addr
> > >
> >
> > Are eth0 and eth1 connected to the same HUB/Switch?
>
> Yes... I guess that''s the problem...? :-(
>
Yes.

a) All of the multiple-interface QuickStart Guides tell you not to do
that.
b) The troubleshooting guide tells you not to do that.
c) The current Beta allows you to do arp filtering for interfaces
connected to a common HUB/Switch but it still is intented for test
environments only.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net