Hello.
I'm in the process of replacing an existing firewall with a
Shorewall box. The current situation is a two-network firewall,
with an external network to the internet (153.109.180.0/24)
and an internal network (192.33.221.0/24). Both are public
address networks. The router is 153.109.180.1.
For various reasons, we want to leave the situation as it is for
now and just add a NAT "guest" network. The future situation
will look like:
+-------------------------------------------------------+
|                Router (153.109.180.1)                 |
+-------------------------------------------------------+
                            |
                            | "net" : outside
                            | network 153.109.180.0/24
                            |
                            |
                            | eth0 : 153.109.180.2
+-------------------------------------------------------+
|                       Firewall                        |
+-------------------------------------------------------+
| eth1 : 192.33.221.2            | eth2 : 192.168.221.254
          |                                  |
          |                                  |
          |                                  |
          |                                  |
          |                                  |
  "local" : inner                    "guest" : dhcp/NAT
  network : 192.33.221.0/24          network : 192.168.221.0/24
I'm using Shorewall version 1.4.7 on a Red Hat 9 box
(RH kernel 2.4.20-19.9).
I've based my configuration on the three-interfaces example
in the documentation.
Everything works as expected on the "guest" network. There,
you can access the internet with a web browser, ftp or ssh.
You can ping the router; it works. You can even access the DNS
inside the local network.
The problem is with the "local" zone: from there, I cannot
ping the router, and I can reach nothing outside the
local network. I've browsed the docs, the FAQ, the mailing
list archives and made different tests. I cannot figure out
why nothing goes out of (or comes into) this local network.
Is there something obvious I do not see?
Am I missing something about routing? (I read the howto too.)
Here is the output of "ip route show" :
192.33.221.0/24 dev eth1 scope link
153.109.180.0/24 dev eth0 scope link
192.168.221.0/24 dev eth2 scope link
127.0.0.0/8 dev lo scope link
default via 153.109.180.1 dev eth0
I've set up my zones this way:
#ZONE    DISPLAY    COMMENTS
net      Net        Internet
local    Local      Local network
guest    Visitors   Network for visitors only
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
My interfaces :
#ZONE    INTERFACE  BROADCAST  OPTIONS
net      eth0       detect     tcpflags,blacklist
local    eth1       detect
guest    eth2       detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
My policies :
#SOURCE  DEST    POLICY  LOG LEVEL  LIMIT:BURST
local    net     ACCEPT
local    guest   ACCEPT
local    fw      ACCEPT
guest    fw      DROP    info
guest    local   ACCEPT
guest    net     ACCEPT
net      all     DROP    info
all      all     REJECT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
My masq file :
#INTERFACE  SUBNET  ADDRESS
eth0        eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Attached are my /etc/shorewall/rules file, the iptables status and
the output of a restart.
Regards
Norbert
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rules
Type: application/octet-stream
Size: 2634 bytes
Desc: not available
Url : lists.shorewall.net/pipermail/shorewall-users/attachments/20031016/41523763/rules-0001.obj
-------------- next part --------------
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP !icmp -- anywhere anywhere state INVALID
eth0_in all -- anywhere anywhere
eth1_in all -- anywhere anywhere
eth2_in all -- anywhere anywhere
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
reject all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
DROP !icmp -- anywhere anywhere state INVALID
eth0_fwd all -- anywhere anywhere
eth1_fwd all -- anywhere anywhere
eth2_fwd all -- anywhere anywhere
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP !icmp -- anywhere anywhere state INVALID
fw2net all -- anywhere anywhere
fw2local all -- anywhere anywhere
fw2guest all -- anywhere anywhere
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject all -- anywhere anywhere

Chain all2all (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere

Chain blacklst (2 references)
target prot opt source destination

Chain common (6 references)
target prot opt source destination
icmpdef icmp -- anywhere anywhere
reject udp -- anywhere anywhere udp dpt:135
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp dpt:microsoft-ds
reject tcp -- anywhere anywhere tcp dpt:netbios-ssn
reject tcp -- anywhere anywhere tcp dpt:microsoft-ds
reject tcp -- anywhere anywhere tcp dpt:135
DROP udp -- anywhere anywhere udp dpt:1900
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
reject tcp -- anywhere anywhere tcp dpt:auth
DROP udp -- anywhere anywhere udp spt:domain state NEW
DROP all -- anywhere 153.109.180.255
DROP all -- anywhere 192.33.221.255
DROP all -- anywhere 192.168.221.255

Chain dynamic (6 references)
target prot opt source destination

Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
tcpflags tcp -- anywhere anywhere
blacklst all -- anywhere anywhere
net2local all -- anywhere anywhere
net2all all -- anywhere anywhere

Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
tcpflags tcp -- anywhere anywhere
blacklst all -- anywhere anywhere
net2fw all -- anywhere anywhere

Chain eth1_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
local2net all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
local2guest all -- anywhere anywhere

Chain eth1_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
local2fw all -- anywhere anywhere

Chain eth2_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
guest2net all -- anywhere anywhere
guest2local all -- anywhere anywhere

Chain eth2_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere
guest2fw all -- anywhere anywhere

Chain fw2guest (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT icmp -- anywhere anywhere icmp echo-request
all2all all -- anywhere anywhere

Chain fw2local (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere herens.idiap.ch state NEW tcp spt:domain
ACCEPT udp -- anywhere herens.idiap.ch state NEW udp spt:domain
all2all all -- anywhere anywhere

Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere multiport dports ftp,ftp-data state NEW
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
all2all all -- anywhere anywhere

Chain guest2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT icmp -- anywhere anywhere icmp echo-request
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:guest2fw:DROP:'
DROP all -- anywhere anywhere

Chain guest2local (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere herens.idiap.ch state NEW tcp dpt:domain
ACCEPT udp -- anywhere herens.idiap.ch state NEW udp dpt:domain
ACCEPT all -- anywhere anywhere

Chain guest2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere

Chain icmpdef (1 references)
target prot opt source destination

Chain local2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT all -- amerix.idiap.ch anywhere state NEW
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere

Chain local2guest (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere

Chain local2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT all -- anywhere anywhere

Chain logflags (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info ip-options prefix `Shorewall:logflags:DROP:'
DROP all -- anywhere anywhere

Chain net2all (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
common all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
DROP all -- anywhere anywhere

Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT all -- amerix.idiap.ch anywhere state NEW
ACCEPT tcp -- anywhere anywhere state NEW tcp spt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere state NEW tcp spt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
DROP icmp -- anywhere anywhere icmp echo-request
net2all all -- anywhere anywhere

Chain net2local (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere herens.idiap.ch state NEW tcp dpt:domain
ACCEPT udp -- anywhere herens.idiap.ch state NEW udp dpt:domain
net2all all -- anywhere anywhere

Chain newnotsyn (13 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:newnotsyn:DROP:'
DROP all -- anywhere anywhere

Chain reject (11 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain shorewall (0 references)
target prot opt source destination

Chain tcpflags (2 references)
target prot opt source destination
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere tcp spt:0 flags:SYN,RST,ACK/SYN
-------------- next part --------------
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Restarting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Determining Zones...
Zones: net local guest
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
Visitors Zone: eth2:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Setting up TCP Flags checking...
Setting up Blacklisting...
Blacklisting enabled on eth0
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
Rule "ACCEPT local:192.33.221.156 fw all" added.
Rule "ACCEPT net:192.33.221.156 fw all" added.
Rule "ACCEPT net fw tcp - http" added.
Rule "ACCEPT fw net tcp http" added.
Rule "ACCEPT fw net tcp ftp,ftp-data" added.
Rule "ACCEPT net fw tcp ftp-data" added.
Rule "ACCEPT net fw tcp - smtp" added.
Rule "ACCEPT net fw tcp smtp" added.
Rule "ACCEPT guest fw icmp echo-request" added.
Rule "ACCEPT fw guest icmp echo-request" added.
Rule "ACCEPT local fw icmp echo-request" added.
Rule "ACCEPT fw local icmp echo-request" added.
Rule "ACCEPT local guest icmp echo-request" added.
Rule "ACCEPT guest local icmp echo-request" added.
Rule "ACCEPT guest net icmp echo-request" added.
Rule "ACCEPT local net icmp echo-request" added.
Rule "DROP net fw icmp echo-request" added.
Rule "ACCEPT fw net icmp echo-request" added.
Rule "ACCEPT fw local:192.33.221.1 tcp - domain" added.
Rule "ACCEPT fw local:192.33.221.1 udp - domain" added.
Rule "ACCEPT fw net tcp domain" added.
Rule "ACCEPT fw net udp domain" added.
Rule "ACCEPT net local:192.33.221.1 tcp domain" added.
Rule "ACCEPT net local:192.33.221.1 udp domain" added.
Rule "ACCEPT guest local:192.33.221.1 tcp domain" added.
Rule "ACCEPT guest local:192.33.221.1 udp domain" added.
Rule "ACCEPT local net tcp domain" added.
Rule "ACCEPT local net udp domain" added.
Processing /etc/shorewall/policy...
Policy REJECT for fw to net using chain all2all
Policy REJECT for fw to local using chain all2all
Policy REJECT for fw to guest using chain all2all
Policy DROP for net to fw using chain net2all
Policy DROP for net to local using chain net2all
Policy ACCEPT for local to fw using chain local2fw
Policy ACCEPT for local to net using chain local2net
Policy ACCEPT for local to guest using chain local2guest
Policy DROP for guest to fw using chain guest2fw
Policy ACCEPT for guest to net using chain guest2net
Policy ACCEPT for guest to local using chain guest2local
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.221.0/24 through eth0
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Restarted
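Added example, not part of the original post and not Shorewall's own code. The first thing to establish with a ruleset like the one above is whether the firewall is the component dropping the local traffic at all. Every DROP/REJECT path in the dump goes through a LOG rule with a "Shorewall:<chain>:<disposition>:" prefix, so a host on eth1 whose packets are being refused by the ruleset leaves lines with IN=eth1 in the kernel log. This script parses lines in that format and groups them by chain, disposition and interface pair. The sample log lines are constructed for the example (the post contains no log lines); the syslog header and the netfilter key=value field layout follow what the LOG target emits.

```python
import re
from collections import Counter

# Constructed sample lines (not from the original post) in the format the
# LOG rules above produce: syslog header, "Shorewall:<chain>:<disposition>:",
# then the netfilter key=value fields.
SAMPLE_LOG = """\
Oct 16 10:12:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=153.109.180.2 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=6421 DF PROTO=TCP SPT=3421 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 16 10:12:04 fw kernel: Shorewall:newnotsyn:DROP:IN=eth1 OUT=eth0 SRC=192.33.221.5 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 16 10:12:09 fw kernel: Shorewall:guest2fw:DROP:IN=eth2 OUT= SRC=192.168.221.10 DST=192.168.221.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 16 10:12:15 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.77 DST=153.109.180.2 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=6422 DF PROTO=UDP SPT=1030 DPT=1434 LEN=28
Oct 16 10:12:20 fw kernel: something unrelated
"""

# "Shorewall:" + chain name + ":" + DROP/REJECT + ":" + the rest of the line
PREFIX = re.compile(r"Shorewall:(?P<chain>\w+):(?P<disp>[A-Z]+):(?P<rest>.*)$")
# KEY=value tokens; bare flags such as DF, SYN, ACK have no "=" and are skipped
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict for a Shorewall log line, or None for any other line."""
    m = PREFIX.search(line)
    if not m:
        return None
    f = dict(FIELD.findall(m.group("rest")))
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "in": f.get("IN", ""),        # empty for locally generated packets
        "out": f.get("OUT", ""),      # empty for packets addressed to the firewall
        "src": f.get("SRC"),
        "dst": f.get("DST"),
        "proto": f.get("PROTO"),
        "dpt": f.get("DPT"),          # absent for ICMP
    }


def parse_log(text):
    """Parse every line of a syslog excerpt, keeping only Shorewall entries."""
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(e)
    return entries


def summarize(entries):
    """Count entries by (chain, disposition, in-interface, out-interface)."""
    return Counter((e["chain"], e["disposition"], e["in"], e["out"]) for e in entries)


def from_interface(entries, iface):
    """Entries for packets that arrived on iface (e.g. eth1 for the local zone)."""
    return [e for e in entries if e["in"] == iface]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(entries).items()):
        print(f"{n:4d}  chain={key[0]} {key[1]} in={key[2] or '-'} out={key[3] or '-'}")
    for e in from_interface(entries, "eth1"):
        print("local-zone packet refused:", e["src"], "->", e["dst"], e["proto"], e["dpt"])
```

The useful negative result is an empty from_interface(entries, "eth1") while a local host is actively trying to reach the router: then no chain in the dump refused the packet (local2net ends in ACCEPT all, and eth1_fwd has an unconditional ACCEPT after it), the packet left the box, and the place to look next is the forward and return route rather than the ruleset. The one eth1 line in the sample is a newnotsyn drop of a bare ACK, which is a stale connection, not a blocked new one.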
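Added example, not part of the original post and not Shorewall's own code. The layout above has one routed public network (192.33.221.0/24 on eth1, no masquerading) and one masqueraded private network (192.168.221.0/24 on eth2, masq "eth0 eth2"). The script models both directions of a flow through the firewall: the forward path uses the firewall's own "ip route show" table and masq entry as posted; the return path depends on what the upstream router does with a reply addressed to the source the router saw. The router's routing table is not in the post and is an assumption here (a plain router that knows its own LAN and a default route upstream); 198.51.100.0/24 addresses are documentation addresses used as constructed input. Proxy ARP is modelled as a set of addresses the firewall would answer ARP for, which is also an assumption about a possible configuration, not something the post states is in place.

```python
import ipaddress

FW_SEGMENT = ipaddress.ip_network("153.109.180.0/24")  # segment holding the firewall's eth0

# From the post: "ip route show" on the firewall, as (prefix, device, gateway).
FIREWALL_ROUTES = [
    ("192.33.221.0/24",  "eth1", None),
    ("153.109.180.0/24", "eth0", None),
    ("192.168.221.0/24", "eth2", None),
    ("127.0.0.0/8",      "lo",   None),
    ("0.0.0.0/0",        "eth0", "153.109.180.1"),
]

# From the post: masq line "eth0 eth2". Shorewall expands eth2 to the subnet on
# that interface and masquerades it behind eth0's address, 153.109.180.2.
MASQ = [("eth0", "192.168.221.0/24", "153.109.180.2")]

# ASSUMPTION: the router's table is not in the post. A plain router knows its
# own LAN and a default route upstream (198.51.100.1 is a documentation address).
ROUTER_ROUTES = [
    ("153.109.180.0/24", "lan", None),
    ("0.0.0.0/0",        "wan", "198.51.100.1"),
]


def lookup(routes, dst):
    """Longest-prefix match. Returns (device, gateway) or None if no route matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return None if best is None else (best[1], best[2])


def egress(src, dst, routes=FIREWALL_ROUTES, masq=MASQ):
    """Forward path through the firewall: choose the outgoing device, then
    masquerade if (device, source subnet) matches a masq entry.
    Returns (out_device, source_address_as_seen_by_the_next_hop)."""
    dev, _gw = lookup(routes, dst)
    for masq_dev, subnet, addr in masq:
        if dev == masq_dev and ipaddress.ip_address(src) in ipaddress.ip_network(subnet):
            return dev, addr
    return dev, src


def reply_reaches_firewall(seen_src, router_routes=ROUTER_ROUTES, proxyarp=()):
    """Return path: can the router deliver a reply to seen_src to the firewall?
    Yes if its route hands the reply to a gateway on the firewall's segment, or
    delivers it directly on that segment to an address the firewall answers
    ARP for (its own address, or one it proxy-ARPs for)."""
    r = lookup(router_routes, seen_src)
    if r is None:
        return False
    dev, gw = r
    if gw is not None:
        return ipaddress.ip_address(gw) in FW_SEGMENT
    answered = ipaddress.ip_address(seen_src) in FW_SEGMENT or seen_src in proxyarp
    return dev == "lan" and answered


def path_works(src, dst, router_routes=ROUTER_ROUTES, proxyarp=()):
    """Both directions of one flow from an inner host to dst."""
    dev, seen = egress(src, dst)
    if dev != "eth0":
        return True  # stays on the firewall's own segments; the router is not involved
    return reply_reaches_firewall(seen, router_routes, proxyarp)


if __name__ == "__main__":
    internet = "198.51.100.20"  # constructed external host
    for zone, host in (("guest", "192.168.221.10"), ("local", "192.33.221.5")):
        dev, seen = egress(host, internet)
        print(f"{zone}: out {dev}, router sees src {seen}, "
              f"reply reaches firewall: {path_works(host, internet)}")
    print("local -> router:", path_works("192.33.221.5", "153.109.180.1"))
    # Two ways the local case can work: a route on the router pointing at the
    # firewall, or the router treating the /24 as on-link plus proxy ARP on the firewall.
    routed = ROUTER_ROUTES + [("192.33.221.0/24", "lan", "153.109.180.2")]
    onlink = ROUTER_ROUTES + [("192.33.221.0/24", "lan", None)]
    print("with route on router:", path_works("192.33.221.5", internet, routed))
    print("on-link, no proxy ARP:", path_works("192.33.221.5", internet, onlink))
    print("on-link + proxy ARP:", path_works("192.33.221.5", internet, onlink, {"192.33.221.5"}))
```

Under these assumptions the guest zone works because the router only ever sees 153.109.180.2, an address on its own LAN, while a local host presents its real 192.33.221.x source and the router needs to be told that network lives behind 153.109.180.2. Whether that is the actual cause in the posted setup can only be confirmed on the router itself; "ip route get" on the firewall only shows the forward direction. If the previous firewall was reachable by proxy ARP rather than a route, Shorewall 1.4 has a proxyarp file for the equivalent setup, and the "Configuring Proxy ARP" line in the restart output above is where it would be applied.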