thr3ads.net - Shorewall users - [Shorewall-users] FORWARD DROP Problem [Nov 2003]

If this information is useful, please help other people find it:
Share via:

Roman.Anger@kumatronik.de

2003-Nov-18 07:18 UTC

[Shorewall-users] FORWARD DROP Problem

Hello,

I have a question regarding my shorewall setup.

I?m not yet subscribed to the mailing list.

My firewall has two interfaces:

eth0      Link encap:Ethernet  HWaddr 00:04:76:96:B7:1A
          inet addr:10.48.20.30  Bcast:10.48.31.255  Mask:255.255.240.0
          inet6 addr: fe80::204:76ff:fe96:b71a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:206571 errors:0 dropped:0 overruns:1 frame:0
          TX packets:125132 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:31985581 (30.5 Mb)  TX bytes:60776984 (57.9 Mb)
          Interrupt:11 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:04:76:97:B8:23
          inet addr:10.48.65.1  Bcast:10.48.65.255  Mask:255.255.255.0
          inet6 addr: fe80::204:76ff:fe97:b823/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5807045 errors:0 dropped:0 overruns:1 frame:0
          TX packets:8218872 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:403800238 (385.0 Mb)  TX bytes:600130124 (572.3 Mb)
          Interrupt:11 Base address:0x2080

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


Eth1 is the default gateway of all clients which are in the 10.48.65.0/24
network.
The default gateway of the firewall is 10.48.65.20.

Now a client from the 10.48.65.0/24 network, which is on the interface
eth1, tries to reach a server in the 10.50.16.0 /20 network, which can be
reached over the interface eth1, but all traffic is dropped by the FORWARD
rule.

How can I get shorewall to FORWARD the traffic??


Nov 18 14:13:52 kshmakvsfw1 kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth1
SRC=10.48.65.32 DST=10.50.20.248 LEN=34 TOS=0x00 PREC=0x00 TTL=127 ID=26122
PROTO=UDP SPT=4558 DPT=1505 LEN=14
Nov 18 14:13:52 kshmakvsfw1 kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth1
SRC=10.48.65.32 DST=10.50.20.249 LEN=34 TOS=0x00 PREC=0x00 TTL=127 ID=26123
PROTO=UDP SPT=4558 DPT=1505 LEN=14
Nov 18 14:13:52 kshmakvsfw1 kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth1
SRC=10.48.65.32 DST=10.50.20.250 LEN=34 TOS=0x00 PREC=0x00 TTL=127 ID=26124
PROTO=UDP SPT=4558 DPT=1505 LEN=14
Nov 18 14:13:52 kshmakvsfw1 kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth1
SRC=10.48.65.32 DST=10.50.20.251 LEN=34 TOS=0x00 PREC=0x00 TTL=127 ID=26125
PROTO=UDP SPT=4558 DPT=1505 LEN=14
Nov 18 14:13:52 kshmakvsfw1 kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth1
SRC=10.48.65.32 DST=10.50.20.252 LEN=34 TOS=0x00 PREC=0x00 TTL=127 ID=26126
PROTO=UDP SPT=4558 DPT=1505 LEN=14
Nov 18 14:13:52 kshmakvsfw1 kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth1
SRC=10.48.65.32 DST=10.50.20.253 LEN=34 TOS=0x00 PREC=0x00 TTL=127 ID=26127
PROTO=UDP SPT=4558 DPT=1505 LEN=14
Nov 18 14:13:52 kshmakvsfw1 kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth1
SRC=10.48.65.32 DST=10.50.20.254 LEN=34 TOS=0x00 PREC=0x00 TTL=127 ID=26128
PROTO=UDP SPT=4558 DPT=1505 LEN=14
Nov 18 14:14:50 kshmakvsfw1 kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth1
SRC=10.48.65.32 DST=10.50.20.104 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=26262
DF PROTO=TCP SPT=4559 DPT=2513 WINDOW=64512 RES=0x00 SYN URGP=0
Nov 18 14:15:28 kshmakvsfw1 kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth1
SRC=10.48.65.32 DST=10.50.20.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=26588
DF PROTO=TCP SPT=4561 DPT=418 WINDOW=64512 RES=0x00 SYN URGP=0

Thanks in advance.


Best regards

Roman Anger

(See attached file: status.txt)


p.s. some usefull information about my setup.

kshmakvsfw1:/var/log # shorewall version
1.4.8


kshmakvsfw1:/var/log # ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:76:96:b7:1a brd ff:ff:ff:ff:ff:ff
    inet 10.48.20.30/20 brd 10.48.31.255 scope global eth0
    inet6 fe80::204:76ff:fe96:b71a/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:76:97:b8:23 brd ff:ff:ff:ff:ff:ff
    inet 10.48.65.1/24 brd 10.48.65.255 scope global eth1
    inet6 fe80::204:76ff:fe97:b823/64 scope link
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

kshmakvsfw1:/var/log # ip route show
10.51.1.1 via 10.48.16.27 dev eth0
10.48.65.0/24 dev eth1  proto kernel  scope link  src 10.48.65.1
10.16.56.0/21 via 10.48.20.1 dev eth0
10.16.16.0/20 via 10.48.20.1 dev eth0
10.48.16.0/20 dev eth0  proto kernel  scope link  src 10.48.20.30
10.50.16.0/20 via 10.48.65.20 dev eth1
10.48.80.0/20 via 10.48.20.1 dev eth0
10.48.112.0/20 via 10.48.20.1 dev eth0
10.48.96.0/20 via 10.48.20.1 dev eth0
10.63.0.0/16 via 10.48.20.1 dev eth0
default via 10.48.65.20 dev eth1


KUMATRONIK Systemhaus GmbH
Oberfischbach 3, 88677 Markdorf
Tel.:      +49(0)7544 966-112
FAX:     +49(0)7544 966-288
-------------- next part --------------
A non-text attachment was scrubbed...
Name: =?ISO-8859-1?Q?status=2Etxt?Type: application/octet-stream
Size: 12099 bytes
Desc: not available
Url :
http://lists.shorewall.net/pipermail/shorewall-users/attachments/20031118/52111665/ISO-8859-1Qstatus2Etxt-0001.obj

Tom Eastep

2003-Nov-18 07:28 UTC

head link

[Shorewall-users] FORWARD DROP Problem

On Tue, 2003-11-18 at 05:46, Roman.Anger@kumatronik.de wrote:
> 
> 
> Eth1 is the default gateway of all clients which are in the 10.48.65.0/24
> network.
> The default gateway of the firewall is 10.48.65.20.
> 
> Now a client from the 10.48.65.0/24 network, which is on the interface
> eth1, tries to reach a server in the 10.50.16.0 /20 network, which can be
> reached over the interface eth1, but all traffic is dropped by the FORWARD
> rule.
> 
> How can I get shorewall to FORWARD the traffic??
Don''t connect both firewall interfaces to the same HUB/switch.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Roman.Anger@kumatronik.de

2003-Nov-18 08:44 UTC

head link

[Shorewall-users] FORWARD DROP Problem

>
> How can I get shorewall to FORWARD the traffic??
>
>Don''t connect both firewall interfaces to the same HUB/switch.
>
Each firewall interface is connected to a different switch (HP Pro Curve
4000m).


Best regards.

Roman Anger

KUMATRONIK Systemhaus GmbH
Oberfischbach 3, 88677 Markdorf
Tel.:      +49(0)7544 966-112
FAX:     +49(0)7544 966-288

Tom Eastep

2003-Nov-18 09:06 UTC

head link

[Shorewall-users] FORWARD DROP Problem

On Tue, 2003-11-18 at 08:44, Roman.Anger@kumatronik.de
wrote:> 
> 
> 
> >
> > How can I get shorewall to FORWARD the traffic??
> >
> >Don''t connect both firewall interfaces to the same HUB/switch.
> >
> 
> Each firewall interface is connected to a different switch (HP Pro Curve
> 4000m).
Then set the ''routeback'' option for eth1 in
/etc/shorewall/interfaces.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Reasonably Related Threads

Search for more reasonably related threads

Shorewall users - Nov 2003 - FORWARD DROP Problem

[Shorewall-users] FORWARD DROP Problem

[Shorewall-users] FORWARD DROP Problem

[Shorewall-users] FORWARD DROP Problem

[Shorewall-users] FORWARD DROP Problem

Reasonably Related Threads