Hi list,

I am having a problem that is going to start causing hair loss soon unless I can sort it out (hopefully this is where you people come in :). I have a machine running Shorewall that is acting as a firewall/router protecting my LAN to a wireless network that has all of a sudden just stopped working. After a pile of problems I rebuilt the machine and now no one can get in to, or out of, my network. A quick rundown of my setup:

Network:
- Internal network runs 192.168.0.0/24 range (eth0)
- Wireless network runs a 10.10.0.0/27 range (eth1)
- Machine forwards tcp/1723 and GRE/- to an internal PPTPd linux server

Machine:
- Machine is running Debian/woody
- Shorewall version: 1.4.6c
- ip addr show:
  1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
  2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
      link/ether 00:a0:24:29:2a:ce brd ff:ff:ff:ff:ff:ff
      inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0
  3: tunl0@NONE: <NOARP> mtu 1480 qdisc noop
      link/ipip 0.0.0.0 brd 0.0.0.0
  4: gre0@NONE: <NOARP> mtu 1476 qdisc noop
      link/gre 0.0.0.0 brd 0.0.0.0
  5: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
      link/ether 00:e0:63:83:09:34 brd ff:ff:ff:ff:ff:ff
      inet 10.10.0.100/27 brd 10.10.0.127 scope global eth1
- ip route show:
  10.10.0.96/27 dev eth1 proto kernel scope link src 10.10.0.100
  192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
- the output of /sbin/shorewall status is attached
- my config files are also attached

When I log into the machine I can't even seem to ssh out of it onto my local LAN (message: kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.2 DST=192.168.0.11 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1025 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0). I realise it must be a config problem somewhere but I can't seem to narrow down exactly what the problem is. I have run through the FAQ's etc but couldn't find anything to help.

Any advice appreciated.

Thanks guys.

**********************************************************************
This message is intended for the addressee named and may contain privileged information or confidential information or both. If you are not the intended recipient please delete it and notify the sender.
**********************************************************************

-------------- next part --------------
A non-text attachment was scrubbed...
Name: shorewall.tar.gz
Type: application/x-gzip
Size: 31470 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030922/1e9e9e42/shorewall.tar-0001.bin
On Mon, 22 Sep 2003, Simon Eriksson wrote:

> can sort it out (hopefully this is where you people come in :). I have a
> machine running Shorewall that is acting as a firewall/router protecting my
> LAN to a wireless network that has all of a sudden just stopped working.

Right!! The "I didn't do a thing and it just stopped working" problem.... Thus destroying all clues about what your original problem was.

> When I log into the machine I can't even seem to ssh out of it onto my local
> LAN (message: kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.2
> DST=192.168.0.11 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1025
> DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0). I realise it must be a config
> problem somewhere but I can't seem to narrow down exactly what the problem
> is. I have run through the FAQ's etc but couldn't find anything to help.
>
> Any advice appreciated.

a) Go to http://shorewall.net/shorewall_quickstart_guide.htm
b) Select the QuickStart guide that applies to your configuration.
c) *Follow the instructions that you find in the guide*

If it doesn't work then *go back and recheck each of the steps flagged with a red arrow*.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Maybe I'm missing something... I don't see a rule permitting ssh from fw zone to loc zone. Are you saying you log into shorewall machine and can't ssh out?

-Alan

==========
Alan Sparks, UNIX/Linux Systems Administrator <asparks@doublesparks.net>
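Alan's diagnosis can be read straight off the log line: an empty IN= means the packet was generated by the firewall itself, so the zone pair being judged is fw -> loc, not loc -> anything. The following parser is an added example, not code from the thread or from Shorewall; it assumes the zone names "loc" and "wifi" for eth0 and eth1 (the poster's zone names are in the attachment, not on the page), and the GRE sample and its "wifi2loc" chain are constructed.

```python
import re

# Interface-to-zone map taken from the poster's setup (eth0 = LAN, eth1 = wireless).
# The zone names "loc" and "wifi" are assumptions; "fw" is Shorewall's own zone.
IFACE_ZONES = {"eth0": "loc", "eth1": "wifi"}

# Constructed samples: the REJECT line quoted in the thread, plus a hypothetical
# dropped GRE packet being forwarded from the wireless side to the LAN.
SSH_LINE = ("kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.2 "
            "DST=192.168.0.11 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF "
            "PROTO=TCP SPT=1025 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0")
GRE_LINE = ("kernel: Shorewall:wifi2loc:DROP:IN=eth1 OUT=eth0 SRC=10.10.0.101 "
            "DST=192.168.0.11 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=47")

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):")

def parse_shorewall_log(line):
    """Split a Shorewall/netfilter log line into chain, disposition and the
    KEY=VALUE fields; bare flag tokens such as DF or SYN are stored as True."""
    m = PREFIX_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line")
    entry = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for token in line[m.end():].split():
        key, sep, value = token.partition("=")
        entry[key] = value if sep else True
    return entry

def zone_of(iface, zones):
    # An empty IN= or OUT= means the firewall itself is the endpoint.
    return "fw" if not iface else zones.get(iface, "unknown")

def classify(line, zones=IFACE_ZONES):
    """Return the zone pair, protocol and destination port the packet was
    judged against, so the matching policy or rules entry can be checked."""
    e = parse_shorewall_log(line)
    return {"from": zone_of(e.get("IN"), zones), "to": zone_of(e.get("OUT"), zones),
            "proto": e.get("PROTO"), "dport": e.get("DPT"),
            "chain": e["chain"], "disposition": e["disposition"]}

if __name__ == "__main__":
    for line in (SSH_LINE, GRE_LINE):
        c = classify(line)
        print(f"{c['from']}->{c['to']} proto={c['proto']} dport={c['dport']} "
              f"{c['disposition']} in chain {c['chain']}")
```

For the thread's line this yields fw->loc tcp dport 22 rejected in all2all, which is exactly the zone pair that needs an ACCEPT policy or rule.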
The original problem was that the VPN stopped working (according to the other end). After diagnosing the problem, it related to something non-shorewall (i.e. a faulty HDD). The new problem is that the machine doesn't seem to be forwarding the VPN traffic at all. I did the SSH out as a test, and didn't think I needed a rule to allow SSH out from the machine to LOC. I also didn't realize I would get flamed for asking questions.

Thanks anyway.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Monday, 22 September 2003 11:33 AM
To: Shorewall Users Mailing List
Subject: Re: [Shorewall-users] installation problems, confused!

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Mon, 22 Sep 2003, Simon Eriksson wrote:

> The original problem was that the VPN stopped working (according to the
> other end). After diagnosing the problem, it related to something
> non-shorewall (ie. a faulty HDD). The new problem is that the machine
> doesn't seem to be forwarding the VPN traffic at all. I did the SSH out as a
> test, and didn't think I needed a rule to allow SSH out from the machine to
> LOC.

You were wrong.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Ok well that's now fixed, I can ssh out to LOC. One problem fixed, I'll try and sort this VPN issue out myself to avoid dealing with people like you.

Thanks Tom!

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Monday, 22 September 2003 12:15 PM
To: Shorewall Users Mailing List
Subject: RE: [Shorewall-users] installation problems, confused!