Hi, I'm trying to use Shorewall as a gateway server with Fedora, but only the external interface is working.

ETH0 IP ADDRESS: 200.200.200.22
ETH1 IP ADDRESS: 200.176.54.1

Firewall services (http, transparent proxy, dns master, ssh) are configured to run on eth1 (200.176.54.1), not eth0... I cannot change this.

My internal network is /24 and my e-mail/webmail server is using the 200.176.54.155 IP address.

Outside eth1, I can ping 200.200.200.22, but cannot ping 200.176.54.1. Inside eth1, everything is working.

I'm working on 200.176.54.7 and I have access to the http, dns and ssh firewall services.

Here are my config files:

INTERFACES:
net eth0 detect
loc eth1 detect

MASQ:
eth0 eth1

POLICY:
loc net ACCEPT
net all DROP info
fw net ACCEPT
all all REJECT info

ROUTESTOPPED:
eth1 -

ACCEPT fw:200.176.54.1 net tcp 53
ACCEPT fw:200.176.54.1 net udp 53
ACCEPT loc net tcp 53
ACCEPT loc net udp 53
ACCEPT all fw:200.176.54.1 udp 53
ACCEPT loc net tcp 20
ACCEPT loc net tcp 21
ACCEPT all fw:200.176.54.1 tcp 22,53,80
ACCEPT all fw:200.176.54.1 icmp 8
ACCEPT all fw icmp 8
ACCEPT net loc:200.176.54.1 icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8
REDIRECT loc 3128 tcp 80
ACCEPT all loc:200.176.54.155 tcp 80
ACCEPT loc net tcp 25
ACCEPT all loc:200.176.54.155 tcp 25
ACCEPT loc net tcp 110
ACCEPT all loc:146.164.54.155 tcp 110

Can anyone help me?

Thanks in advance,
Mauricio.

_________________________________________________________________
MSN Hotmail, the biggest webmail in Brazil. http://www.hotmail.com
Mauricio Cavalcanti wrote:
> Hi, I'm trying to use Shorewall as a gateway server with Fedora, but only the external interface is working.
>
> ETH0 IP ADDRESS: 200.200.200.22
> ETH1 IP ADDRESS: 200.176.54.1
>
> Firewall services (http, transparent proxy, dns master, ssh) are configured to run on eth1 (200.176.54.1), not eth0... I cannot change this.
>
> My internal network is /24 and my e-mail/webmail server is using the 200.176.54.155 IP address.
>
> Outside eth1, I can ping 200.200.200.22, but cannot ping 200.176.54.1. Inside eth1, everything is working.
>
> I'm working on 200.176.54.7 and I have access to the http, dns and ssh firewall services.
>
> Here are my config files:
>
> INTERFACES:
> net eth0 detect
> loc eth1 detect
>
> MASQ:
> eth0 eth1
>
> POLICY:
> loc net ACCEPT
> net all DROP info
> fw net ACCEPT
> all all REJECT info
>
> ROUTESTOPPED:
> eth1 -
>
> ACCEPT fw:200.176.54.1 net tcp 53
> ACCEPT fw:200.176.54.1 net udp 53
> ACCEPT loc net tcp 53
> ACCEPT loc net udp 53
> ACCEPT all fw:200.176.54.1 udp 53
> ACCEPT loc net tcp 20
> ACCEPT loc net tcp 21
> ACCEPT all fw:200.176.54.1 tcp 22,53,80
> ACCEPT all fw:200.176.54.1 icmp 8
> ACCEPT all fw icmp 8
> ACCEPT net loc:200.176.54.1 icmp 8
> ACCEPT fw loc icmp 8
> ACCEPT fw net icmp 8
> REDIRECT loc 3128 tcp 80
> ACCEPT all loc:200.176.54.155 tcp 80
> ACCEPT loc net tcp 25
> ACCEPT all loc:200.176.54.155 tcp 25
> ACCEPT loc net tcp 110
> ACCEPT all loc:146.164.54.155 tcp 110
>
> Can anyone help me?

Get rid of the entry in the masq file.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi, thanks for your help, but after getting rid of the line in the masq file, computers connected to eth1 don't see the internet (one more problem) and the problem persists (computers from the internet trying to connect to eth1 stop at eth0).

Mauricio.
Mauricio Cavalcanti wrote:
> Hi, thanks for your help, but after getting rid of the line in the masq file, computers connected to eth1 don't see the internet (one more problem) and the problem persists (computers from the internet trying to connect to eth1 stop at eth0).

Then please give us the information we ask for at http://shorewall.net/support.htm

-Tom
Tom Eastep wrote:
> Then please give us the information we ask for at http://shorewall.net/support.htm

And if you falsified your IP addresses in your first report then please don't do it again. I based my first response on the addresses that you reported and I don't have the time or the patience to play games with people who believe that keeping their IP address structure a secret somehow keeps them safer.

-Tom
Tom Eastep wrote:
> And if you falsified your IP addresses in your first report then please don't do it again. I based my first response on the addresses that you reported and I don't have the time or the patience to play games with people who believe that keeping their IP address structure a secret somehow keeps them safer.

Hmmmmm --- The more that I look at your rules, the less that I understand:

ACCEPT fw:200.176.54.1 net tcp 53

Fine -- you say that 200.176.54.1 is your eth1 IP address.

ACCEPT net loc:200.176.54.1 icmp 8

Huh?? Now all of a sudden, 200.176.54.1 is the IP address of a system in the 'loc' zone!!!!

ACCEPT all loc:200.176.54.155 tcp 80

So 200.176.54.155 must be the IP address of a web server in the local zone.

And finally we have:

ACCEPT all loc:146.164.54.155 tcp 110

So you appear to have a 146.164.155.* also in your local zone.

The point here is that none of these IP addresses are reserved by RFC 1918. In fact, 200.176.54.155 is cm-net-cwb-C8B0369B.brdterra.com.br and the 146.xxxx address also appears legitimate. 200.200.200.22 however smells like a fake.

The reason that I suggested removing the masq entry is because these perfectly valid public IP addresses should be internet accessible, so traffic from them shouldn't have to be masqueraded to the bogus 200.200.xxx address. Since removing the masq entry produces the result it did, I can only conclude that hosts on the eth0 side of your router don't know how to route traffic to hosts on the eth1 side. That has nothing to do with the configuration of your firewall/router (although as I point out above, there are some configuration problems in that router).

-Tom
Sorry twice. When I told the problem to the administrator and that I was thinking of posting to the list to get help, he asked me to fake the IP addresses. Really sorry.

ETH0: external interface and IP address 146.164.26.22
ETH1: internal interface and IP address 146.164.54.1

So, loc:146.164.54.1 is right, but fw:146.164.54.1 is a crazy thing. Thanks!

146.164.54.155 is an e-mail (smtp and pop) and http (webmail) server.

All of the services must run on the eth1 IP address (don't ask me why, but they have to).

If I'm on the firewall console, I can ping everything (eth0, eth1, inside network and internet).

If I'm on a Windows machine connected to eth1, I can ping the eth0 and eth1 firewall interfaces, but I cannot see or ping the internet until I put the "eth1 eth0" line in the masq file and reload Shorewall. That's why I think it's not a router but a firewall problem.

Nobody on the internet sees eth1, but they can ping eth0.

Thanks again,
Mauricio.
Mauricio Cavalcanti wrote:
> Sorry twice. When I told the problem to the administrator and that I was thinking of posting to the list to get help, he asked me to fake the IP addresses. Really sorry.
>
> ETH0: external interface and IP address 146.164.26.22
> ETH1: internal interface and IP address 146.164.54.1
>
> So, loc:146.164.54.1 is right, but fw:146.164.54.1 is a crazy thing. Thanks!

No -- loc:146.164.54.1 is nonsense if 146.164.54.1 is the address of an interface on the firewall. All IP addresses owned by the firewall are in the fw zone!

> 146.164.54.155 is an e-mail (smtp and pop) and http (webmail) server.
>
> All of the services must run on the eth1 IP address (don't ask me why, but they have to).

I don't understand what that means.

> If I'm on the firewall console, I can ping everything (eth0, eth1, inside network and internet).

Fine.

> If I'm on a Windows machine connected to eth1, I can ping the eth0 and eth1 firewall interfaces, but I cannot see or ping the internet until I put the "eth1 eth0" line in the masq file and reload Shorewall. That's why I think it's not a router but a firewall problem.

No, it is *not* a firewall problem. Adding SNAT compensates for routing problems.

> Nobody on the internet sees eth1, but they can ping eth0.

It's a routing problem.

-Tom
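Tom's point above (every address owned by the firewall is in the fw zone, so `loc:146.164.54.1` is nonsense) written as a small lint check over a Shorewall rules excerpt. This is example code added for this page, not Shorewall's own code; it assumes the interface addresses Mauricio corrected to (146.164.26.22 on eth0, 146.164.54.1 on eth1) and a constructed rules excerpt adapted from the thread with those addresses substituted.

```python
# Added example (not Shorewall code): flag rules whose zone:address
# qualifier contradicts the zone the address really belongs to.

# Assumed firewall interface addresses, as corrected later in the thread.
FW_INTERFACES = {"eth0": "146.164.26.22", "eth1": "146.164.54.1"}

# Constructed rules excerpt, adapted from the thread with the real addresses.
# Shorewall rules columns: ACTION SOURCE DEST PROTO DPORT ...
RULES = """\
ACCEPT fw:146.164.54.1 net tcp 53
ACCEPT all fw:146.164.54.1 tcp 22,53,80
ACCEPT net loc:146.164.54.1 icmp 8
ACCEPT all loc:146.164.54.155 tcp 80
ACCEPT loc net tcp 25
"""


def firewall_addresses(interfaces):
    """All addresses owned by the firewall; these are fw-zone addresses."""
    return set(interfaces.values())


def zone_address_problems(rules_text, fw_addrs):
    """Return (rule line, message) for every misqualified zone:address.

    Only the SOURCE and DEST columns carry zone qualifiers. A firewall
    address may only appear with the fw zone, and the fw zone may only
    carry a firewall address."""
    problems = []
    for line in rules_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        for column in fields[1:3]:
            if ":" not in column:
                continue
            zone, addr = column.split(":", 1)
            if zone != "fw" and addr in fw_addrs:
                problems.append((line, f"{addr} is a firewall interface "
                                       f"address; it belongs to fw, not {zone}"))
            elif zone == "fw" and addr not in fw_addrs:
                problems.append((line, f"{addr} is not a firewall address "
                                       f"but is qualified as fw"))
    return problems
```

Run against the excerpt, only the `ACCEPT net loc:146.164.54.1 icmp 8` line is reported; the `fw:146.164.54.1` lines pass because that address really is on the firewall.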
Tom Eastep wrote:
> It's a routing problem.

And if you don't believe me, do "shorewall clear"; that totally removes all firewall rules. Now does it work? I'm betting that it doesn't.

-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>> It's a routing problem.
>
> And if you don't believe me, do "shorewall clear"; that totally removes all firewall rules. Now does it work? I'm betting that it doesn't.

And with Shorewall in the cleared state, try a traceroute from a system on the eth0 side of your firewall to one of the systems on the eth1 side. Is the first hop the firewall? Or is it another router?

-Tom
You are right... it stops at the firewall (54.1)... the gateway for the internal machines. I don't know what is happening, because the old firewall is running ipchains rules and I copied the script to the new firewall (disabling iptables) and it didn't work either (routing problem).

Comparing the routing tables (old/new firewall), there is no difference.

146.164.26.0 0.0.0.0 255.255.255.192 U 0 0 0 eth1
146.164.54.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 146.164.26.1 0.0.0.0 UG 0 0 0 eth1

Can anyone help me?

Mauricio.

> From: Tom Eastep <teastep@shorewall.net>
> Reply-To: Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>
> To: Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>
> Subject: Re: [Shorewall-users] Is working only inside eth1...
> Date: Sat, 03 Apr 2004 14:04:51 -0800
>
> Tom Eastep wrote:
>> Tom Eastep wrote:
>>> It's a routing problem.
>>
>> And if you don't believe me, do "shorewall clear"; that totally removes all firewall rules. Now does it work? I'm betting that it doesn't.
>
> And with Shorewall in the cleared state, try a traceroute from a system on the eth0 side of your firewall to one of the systems on the eth1 side. Is the first hop the firewall? Or is it another router?
>
> -Tom
Mauricio Cavalcanti wrote:
> You are right... it stops at the firewall (54.1)... the gateway for the internal machines. I don't know what is happening, because the old firewall is running ipchains rules and I copied the script to the new firewall (disabling iptables) and it didn't work either (routing problem).
>
> Comparing the routing tables (old/new firewall), there is no difference.
>
> 146.164.26.0 0.0.0.0 255.255.255.192 U 0 0 0 eth1
> 146.164.54.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 146.164.26.1 0.0.0.0 UG 0 0 0 eth1
>
> Can anyone help me?
>
> Mauricio.

Mauricio,

*The routing problem isn't on the firewall/gateway.* The client outside the firewall that you are testing from isn't routing requests to 146.164.54.0/24 to the firewall; the firewall cannot forward packets that it never gets.

-Tom
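Tom's diagnosis above, as an added example that is not part of the thread or of Shorewall: a longest-prefix route lookup over `route -n` style tables, run over the firewall table exactly as Mauricio posted it (which already has a connected route for 146.164.54.0/24) and over a constructed table for a client on the eth0 side that only knows its default gateway. The client's static route via 146.164.26.22 is an assumed fix for illustration, not something the thread confirms.

```python
import ipaddress

# Added example: longest-prefix route lookup, not code from the thread.
# Firewall table exactly as posted: Destination Gateway Genmask Flags Metric Ref Use Iface
FIREWALL_ROUTES = """\
146.164.26.0 0.0.0.0 255.255.255.192 U 0 0 0 eth1
146.164.54.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 146.164.26.1 0.0.0.0 UG 0 0 0 eth1
"""

# Constructed table for a client on the eth0 side with only a default route.
CLIENT_ROUTES = """\
146.164.26.0 0.0.0.0 255.255.255.192 U 0 0 0 eth0
0.0.0.0 146.164.26.1 0.0.0.0 UG 0 0 0 eth0
"""

# Assumed fix: a static route sending the internal /24 via the firewall's external address.
CLIENT_FIX = "146.164.54.0 146.164.26.22 255.255.255.0 UG 0 0 0 eth0\n"


def parse_routes(text):
    """Parse `route -n` rows into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue  # header or blank line
        dest, gw, mask, iface = f[0], f[1], f[2], f[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "0.0.0.0" else gw, iface))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match: return (gateway, iface); gateway None means on-link."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def client_reaches_firewall(routes_text, dst, firewall_ext="146.164.26.22"):
    """True only if the client's next hop for dst is the firewall itself."""
    gw, _ = next_hop(parse_routes(routes_text), dst)
    return gw == firewall_ext
```

With only a default route, the client's next hop for 146.164.54.155 is the upstream router 146.164.26.1, so the packet never reaches the firewall; with the static route added, the next hop becomes 146.164.26.22.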