Hello shorewall gurus,

I have read all of the FAQ and have done a shorewall archive search via google. The google search returned the following help/howto:

http://lists.shorewall.net/pipermail/shorewall-users/2003-August/007918.html

I have created in: /etc/shorewall/zones

    vpn

I have created in: /etc/shorewall/interfaces

    ppp+ -

I have created in: /etc/shorewall/hosts

    vpn ppp+:10.0.0.0/8

When a client machine dials in (such as a Windows XP box) a popup terminal is displayed with the host server machine hostname and login prompt. The login is successful but there appears to be no route to eth0. The results of the route command show no such interface. mgetty answers the phone and kicks off pppd. Hence, the interface ppp0 does not exist until the if-up script is run.

How to route data packets back out eth0 to get internet access via dialup? Or is this not even a Shorewall problem?

Please advise,
David.
David:

For us to have a better picture and a faster fix, please see:
http://shorewall.net/support.htm#id2807775

What do you have in the policy & masq files??

On a side note, the options that you're using with pppd might be important also (proxyarp), but that isn't shorewall..

Jerry Vonau
Jerry Vonau <jvonau@shaw.ca> wrote ..
> David:
> For us to have a better picture and a faster fix, please see:
> http://shorewall.net/support.htm#id2807775
>
> What do you have in the policy & masq files??
>
> On a side note, the options that you're using with pppd might
> be important also (proxyarp), but that isn't shorewall..
>
> Jerry Vonau
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

Hello Jerry, thanks for the speedy reply.
Contents of masq:

    #INTERFACE SUBNET ADDRESS
    eth0 eth1

Contents of policy:

    #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
    loc net ACCEPT debug
    net all DROP info
    all all REJECT info
    net loc ACCEPT debug

Contents of proxyarp: nada

I have 3 client machines and 1 XBOX on a Class C subnet hanging off of eth1, all with TCP/IP connectivity (ping, traceroute, etc.) and access to the public via HTTP, SFTP etc. The ppp+ interface cannot be routed equally as eth+. Attempts to create the ppp0 or ppp+ interface, route it and add a line to masq result in an error when shorewall is restarted. The error is along the lines of:

    Cannot determine routing for interface: ppp.

Thanks, David.
Jerry Vonau <jvonau@shaw.ca> wrote ..
> What do you have in the policy & masq files??

Hello Jerry, sorry about the top post but I meant to include this info with the previous email message to you.
shorewall version: 1.4.0

ip addr show:

    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:40:f4:1f:92:f4 brd ff:ff:ff:ff:ff:ff
        inet 208.240.66.100/24 brd 208.240.66.255 scope global eth0
        inet 208.240.66.101/24 brd 208.240.66.255 scope global secondary eth0:0
        inet 208.240.66.102/24 brd 208.240.66.255 scope global secondary eth0:1
        inet 208.240.66.103/24 brd 208.240.66.255 scope global secondary eth0:2
        inet 208.240.66.104/24 brd 208.240.66.255 scope global secondary eth0:3
        inet 208.240.66.4/24 brd 208.240.66.4 scope global secondary eth0:4
    3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:40:f4:1f:95:15 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1

ip route show:

    208.240.66.0/24 dev eth0 scope link
    192.168.1.0/24 dev eth1 scope link
    127.0.0.0/8 dev lo scope link
    default via 208.240.66.1 dev eth0
    default via 208.240.66.1 dev eth0 src 208.240.66.4 metric 1
    default via 208.240.66.1 dev eth0 src 208.240.66.104 metric 1
    default via 208.240.66.1 dev eth0 src 208.240.66.103 metric 1
    default via 208.240.66.1 dev eth0 src 208.240.66.102 metric 1
    default via 208.240.66.1 dev eth0 src 208.240.66.101 metric 1

Thanks, David
David:

> shorewall version: 1.4.0

I'd update that... looking for old notes.....

> ip addr show:
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:40:f4:1f:92:f4 brd ff:ff:ff:ff:ff:ff
>     inet 208.240.66.100/24 brd 208.240.66.255 scope global eth0
>     inet 208.240.66.101/24 brd 208.240.66.255 scope global secondary eth0:0
>     inet 208.240.66.102/24 brd 208.240.66.255 scope global secondary eth0:1
>     inet 208.240.66.103/24 brd 208.240.66.255 scope global secondary eth0:2
>     inet 208.240.66.104/24 brd 208.240.66.255 scope global secondary eth0:3
>     inet 208.240.66.4/24 brd 208.240.66.4 scope global secondary eth0:4

Got a couple of subnets?? just to get a clearer picture..

> Thanks, David

OK, let's back up a bit... post all the files you modified... nat? rules? hosts?
What ip address is the dialup getting when connected?

Jerry Vonau
Jerry Vonau <jvonau@shaw.ca> wrote ..
> OK, let's back up a bit... post all the files you modified... nat? rules?
> hosts?
> What ip address is the dialup getting when connected?
>
> Jerry Vonau

Hello Jerry, thanks for the efforts. Here are the files I have modified since attempting to route ppp0 to the external internet (eth0).

rules:

    ##############################################################################
    #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
    #                         PORT PORT(S) DEST
    #
    # Accept DNS connections from the firewall to the network
    #
    ACCEPT fw net tcp 53
    #
    # Accept SSH connections from the local network for administration
    #
    ACCEPT fw net udp 53
    #
    # Allow Ping To And From Firewall
    #
    ACCEPT all fw tcp 53 -
    ACCEPT all fw udp 53 -
    ACCEPT loc:192.168.1.2,loc:192.168.1.1,loc:192.168.1.3 net tcp - -
    ACCEPT loc:192.168.1.2,loc:192.168.1.1,loc:192.168.1.3 fw tcp 53 -
    ACCEPT loc fw tcp 22
    #
    ACCEPT net fw tcp 25 -
    ACCEPT fw net tcp 25 -
    ACCEPT:debug net fw tcp 80 -
    ACCEPT:debug loc fw tcp 80 -
    ACCEPT:debug fw net tcp 80 -
    ACCEPT:debug fw loc tcp 80 -
    ACCEPT net:136.183.11.24 loc tcp - 119
    ACCEPT fw net:136.183.11.24 tcp 119 -
    ACCEPT net:207.46.248.16 loc tcp - 119
    ACCEPT fw net:207.46.248.16 tcp 119 -
    ACCEPT net:129.6.15.29,129.6.15.28,192.43.244.18 fw tcp - -
    ACCEPT fw net:129.6.15.29,129.6.15.28,192.43.244.18 tcp - -
    ACCEPT all fw tcp 443 -
    ACCEPT loc $FW tcp 443 -
    ACCEPT loc fw tcp 1521 -
    ACCEPT fw loc tcp 1521 -
    # Jabber client
    ACCEPT net fw tcp 5222 -
    ACCEPT fw net tcp - 5222
    ACCEPT loc fw tcp 5222 -
    #ACCEPT net fw tcp 5223 -
    #ACCEPT fw net tcp - 5223
    #ACCEPT loc fw tcp 5223 -
    # IRCd
    ACCEPT net fw tcp 6667 -
    ACCEPT fw net tcp - 6667
    ACCEPT loc fw tcp 6667 -
    ACCEPT net fw tcp 8007 -
    ACCEPT all fw tcp 8080 -
    ACCEPT net fw tcp 8443 -
    ACCEPT loc fw tcp 8443 -
    ACCEPT loc fw tcp 10000 -
    ACCEPT fw loc tcp 10000 -
    #ACCEPT net:64.75.135.183 fw tcp 10000 -
    ACCEPT fw net tcp 10000 -
    ACCEPT net fw:208.240.66.100 tcp 10000 -
    ACCEPT loc fw tcp 20000 -
    ACCEPT fw loc tcp 20000 -
    #ACCEPT net:64.75.135.183 fw tcp 20000 -
    ACCEPT fw net tcp 20000 -
    ACCEPT net fw:208.240.66.100 tcp 20000 -
    ACCEPT net fw:208.240.66.102 tcp 20000 -
    ACCEPT net fw:208.240.66.103 tcp 20000 -
    ACCEPT net fw:208.240.66.104 tcp 20000 -
    ACCEPT net fw:208.240.66.4 tcp 20000 -
    ACCEPT loc fw icmp 8
    ACCEPT net fw icmp 8
    ACCEPT fw loc icmp 8
    ACCEPT fw net icmp 8
    #ACCEPT net fw tcp 143 -
    #ACCEPT fw net tcp - 143
    #ACCEPT loc fw tcp 143 -
    ACCEPT loc fw tcp 953 -
    ACCEPT fw loc tcp 953 -
    ACCEPT fw net tcp 43 -
    ACCEPT loc:192.168.1.1,192.168.1.2,192.168.1.3 loc:192.168.1.1,192.168.1.2,192.168.1.3 udp 10000 -
    ACCEPT:debug loc:192.68.1.1,192.168.1.2 fw tcp 23 -
    ACCEPT:debug loc:192.168.1.1,192.168.1.2 fw tcp 110 -
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

zones:

    #ZONE DISPLAY COMMENTS
    net Net Internet
    loc Local Local Networks
    vpn VPN Virtual Private Network for PPP

interfaces:

    #ZONE INTERFACE BROADCAST OPTIONS
    net eth0 detect norfc1918,routefilter,blacklist
    loc eth1 detect
    vpn ppp0 -

    #ZONE HOST(S) OPTIONS
    vpn ppp0:192.168.1.5

masq:

    #INTERFACE SUBNET ADDRESS
    eth0 eth1

I am assuming the client machine gets the address: 192.168.1.5.

Thanks, David.
On Fri, 2 Jan 2004, David W. Brown wrote:

> interfaces:
> #ZONE INTERFACE BROADCAST OPTIONS
> net eth0 detect norfc1918,routefilter,blacklist
> loc eth1 detect
> vpn ppp0 -
>
> #ZONE HOST(S) OPTIONS
> vpn ppp0:192.168.1.5
>

I guess I'm going to have to start making this a warning since people don't seem to get it. If you use the /etc/shorewall/hosts file, then in 99.999999999% of the cases, you want "-" in the ZONE column of the associated /etc/shorewall/interfaces file entries.

The way that you have defined the vpn zone, it contains:

a) All hosts interfacing through ppp0
b) 192.168.1.5 when interfacing through ppp0

Clearly a) is a super-set of b).

This has nothing to do with your problem though -- in all of your policies and rules, I don't see one instance of 'vpn' in the SOURCE column (although you have a couple of all->fw rules). Hence, the all->all policy is covering almost all traffic from the VPN client.

Oh -- and you have a policy AFTER the all->all policy. I hope that you are running an old version of Shorewall because recent versions of /etc/shorewall/policy are very clear that the all->all policy should be last.

-Tom

Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
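The three mistakes Tom points out (a hosts-file zone named in the interfaces ZONE column, a zone that never appears as a policy SOURCE, and policy rows after all->all) can be checked mechanically. The lint below is an added example, not part of the thread or of Shorewall itself; the sample tables are taken from the files David posted.

```python
# Constructed from the files David posted in the thread (zones, interfaces,
# hosts, policy); the lint itself is an added example, not Shorewall code.
ZONES = """#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local Networks
vpn VPN Virtual Private Network for PPP"""
INTERFACES = """#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect norfc1918,routefilter,blacklist
loc eth1 detect
vpn ppp0 -"""
HOSTS = """#ZONE HOST(S) OPTIONS
vpn ppp0:192.168.1.5"""
POLICY = """#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT debug
net all DROP info
all all REJECT info
net loc ACCEPT debug"""

def rows(table):
    """Split a Shorewall table into field lists, dropping comments and blanks."""
    out = []
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out

def lint(zones, interfaces, hosts, policy):
    """Return findings for the three problems Tom points out above."""
    findings = []
    host_zones = {r[0] for r in rows(hosts)}
    # 1. A zone populated via hosts must use "-" in the interfaces ZONE column;
    #    naming it there puts the whole interface in the zone (Tom's super-set).
    for zone, iface, *_ in rows(interfaces):
        if zone != "-" and zone in host_zones:
            findings.append(f"interfaces: {iface} names zone {zone}, which is also defined in hosts; use '-'")
    pol = rows(policy)
    # 2. Policies match top to bottom, so any row after all->all is dead.
    for i, (src, dst, *_) in enumerate(pol):
        if (src, dst) == ("all", "all") and i < len(pol) - 1:
            findings.append(f"policy: all->all at row {i + 1} shadows {len(pol) - 1 - i} later row(s)")
    # 3. A zone that never appears as a policy SOURCE is governed only by all->all.
    sources = {r[0] for r in pol}
    for zone in (r[0] for r in rows(zones)):
        if zone not in sources:
            findings.append(f"policy: zone {zone} has no SOURCE entry; its traffic falls to all->all")
    return findings

if __name__ == "__main__":
    for finding in lint(ZONES, INTERFACES, HOSTS, POLICY):
        print(finding)
```

Run against David's files it reports all three problems; with "-" in the ppp0 interfaces row, a vpn policy row added and all->all moved to the end, it reports nothing.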