Hello,

I am not currently subscribed to the email list so please include me in any responses. :)

Up till now I have been using my own custom iptables scripts. I have a dual homed Linux box with 1 ADSL (pppoe) connection (static IP), and a second nic connected to a small switch with a few machines using SNAT for inet access. Everything works with my own scripts.

I stumbled on Shorewall and decided it looks very nice and it's worth a try. I used the two-interface sample, read the docs and read the guides but now I am asking for some help as I can not even get to my ISP gateway after I start shorewall. (Even after doing a 'shorewall clear' I have to reboot in order that my own scripts work again.) I think I'm close, but must be missing something (hopefully obvious and small :))

Any suggestions are appreciated,

Regards,
Jaxon

#################

interface:
net     ppp0    detect    dhcp,norfc1918,tcpflags
loc     eth1    detect    tcpflags

masq:
ppp0    10.0.0.0/24    66.11.174.55

policy:
loc    net    ACCEPT
fw     net    ACCEPT
net    all    DROP      info
all    all    REJECT    info

rules:
# SSH
ACCEPT    loc    fw     tcp    ssh
ACCEPT    net    fw     tcp    ssh
# HTTPD
ACCEPT    loc    fw     tcp    http
ACCEPT    net    fw     tcp    http
# DNS connections from the firewall to the network
ACCEPT    fw     net    tcp    53
ACCEPT    fw     net    udp    53
# Allow Ping To And From Firewall
ACCEPT    net    fw     icmp   8
ACCEPT    net    loc    icmp   echo-request
ACCEPT    fw     loc    icmp
ACCEPT    fw     net    icmp

zones:
net     Net      Internet
loc     Local    Local networks
#dmz    DMZ      Demilitarized zone

shorewall version 2.0.3

ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:60:97:a1:6f:03 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:76:57:c3:0d brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 66.11.174.55 peer 66.11.190.1/32 scope global ppp0

ip route show
66.11.190.1 dev ppp0  proto kernel  scope link  src 66.11.174.55
10.0.0.0/24 dev eth1  proto kernel  scope link  src 10.0.0.1
127.0.0.0/8 via 127.0.0.1 dev lo  scope link
default via 66.11.190.1 dev ppp0
Scott Jackson wrote:
> Hello,
>
> I am not currently subscribed to the email list so please include me in any
> responses. :)
>
> Up till now I have been using my own custom iptables scripts. I have a dual
> homed Linux box with 1 ADSL (pppoe) connection (static IP), and a second nic
> connected to a small switch with a few machines using SNAT for inet access.
> Everything works with my own scripts.
>
> I stumbled on Shorewall and decided it looks very nice and it's worth a try.
> I used the two-interface sample, read the docs and read the guides but now I
> am asking for some help as I can not even get to my ISP gateway after I
> start shorewall. (Even after doing a 'shorewall clear' I have to reboot in
> order that my own scripts work again.) I think I'm close, but must be missing
> something (hopefully obvious and small :))
>
> Any suggestions are appreciated,

The only thing that I see is that you have an entry in /etc/shorewall/nat that could never work. For your simple setup, *you don't have to do anything other than what is described in the Two-interface Guide*; in particular, you don't need any entries in /etc/shorewall/nat and any entry that you make there is very likely to break something (like in your case where you can't do anything after a "shorewall clear").

If removing the nat entry doesn't fix it then please clarify what "can not even get to my ISP gateway" means:

a) can you ping the gateway by IP address from the firewall?
b) can you ping the gateway by IP address from a system behind the firewall?
c) can you ping the gateway by host name from the firewall?
d) can you ping the gateway by host name from a system behind the firewall?

For any "no" answer, what error messages if any do you see from ping?

If any of these tests fail, forward the output of "shorewall status" after the tests.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi Tom,

I tried as you suggest and removed the entry all together from the nat file. Still the same problem... What I meant by not being able to get to my ISP gateway is I am unable to ping it from the fw or any machine on my private network. I have attached a new status.txt file with the updated nat.

#From firewall
ping 66.11.190.1
connect: Network is unreachable

> If removing the nat entry doesn't fix it then please clarify what "can
> not even get to my ISP gateway" means:
> a) can you ping the gateway by IP address from the firewall?
NO
> b) can you ping the gateway by IP address from a system behind the firewall?
NO
> c) can you ping the gateway by host name from the firewall?
NO
> d) can you ping the gateway by host name from a system behind the firewall?
NO

I am still thinking it's something simple since after I reboot the box and run my own scripts, all is well.

The suggestions are appreciated,

Jaxon

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Sunday, June 27, 2004 9:29 PM
To: Mailing List for Shorewall Users; scott@jaxon.net
Subject: Re: [Shorewall-users] Problems with shorewall - cant get to isp gateway
Scott Jackson wrote:
> Hi Tom,
>
> I tried as you suggest and removed the entry all together from the nat file.
> Still the same problem...
> What I meant by not being able to get to my ISP gateway is I am unable to
> ping it from the fw or any machine on my private network. I have attached a
> new status.txt file with the updated nat.
>
> #From firewall
> ping 66.11.190.1
> connect: Network is unreachable

Hmmm -- Shorewall-generated rules aren't causing the failure (search the status.txt for REJECT and you'll see what I mean). After you see this message, what does the routing table look like?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
>
> Hmmm -- Shorewall-generated rules aren't causing the failure (search the
> status.txt for REJECT and you'll see what I mean). After you see this
> message, what does the routing table look like?
>

I should point out that with the /etc/shorewall/nat file entry in place, "shorewall start" *removed the primary IP address from ppp0*! The instructions in the nat file for the EXTERNAL column clearly say not to list the interface's primary IP address in that column; now you know why.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi,

I have the latest shorewall, with iptables 1.2.9 and ipv6 enabled system.
I have a question:
when I set a rule to drop something, is it valid for ipv6 connections too?
Or only for normal ipv4 traffic?

Thanks
I did read where the instructions say not to list the interface's primary IP address in that column. I was actually just experimenting at that point.

Isn't NAT better to use (more efficient) than masquerading? I thought one would only use masq if their peer assigned the IP dynamically? In my case I have a static IP.

Some questions about shorewall...
You say "*removed the primary IP address from ppp0*". Removed it from where? ifconfig still showed the IP assigned with ppp0. When would one want to use the NAT file? What is an example of an External IP Address used in the NAT file? It's a bit confusing because on the one hand the instructions say "EXTERNAL - External IP Address", then "INTERFACE - Interface that you want the EXTERNAL address to appear"

Some good news, I have managed to get Shorewall working. It seems to be an issue of routing. In my pppoe.conf file I changed the option "Make the PPPoE connection your default route" to NO and rebooted. I then set my default route by hand and started shorewall. Looks like I'm on the right track.

Thanks for your input, thanks for answering all my questions (I really want to understand what shorewall is doing) and I will let you know how I make out. :)

Jaxon

ps - shorewall looks really nice so far :)

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Sunday, June 27, 2004 10:26 PM
To: Mailing List for Shorewall Users
Cc: scott@jaxon.net
Subject: Re: [Shorewall-users] Problems with shorewall - cant get to isp gateway
Salvatore wrote:
> Hi,
>
> I have the latest shorewall, with iptables 1.2.9 and ipv6 enabled system.
> I have a question:
> when I set a rule to drop something, is it valid for ipv6 connections too?
> Or only for normal ipv4 traffic?

The latter.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Scott Jackson wrote:
> Isn't NAT better to use (more efficient) than masquerading? I thought one
> would only use masq if their peer assigned the IP dynamically? In my case I
> have a static IP.

SNAT is preferable to MASQUERADE when you have a static IP address. By specifying your external IP address in the ADDRESS column of /etc/shorewall/masq, you are using SNAT rather than MASQUERADE.

>
> Some questions about shorewall...
> You say "*removed the primary IP address from ppp0*". Removed it from where?
> ifconfig still showed the IP assigned with ppp0.

That's because Shorewall added it back. I have the infrastructure in place to improve this part of the code to avoid the unnecessary delete/add of ip addresses when ADD_IP_ALIASES=Yes but I haven't got around to doing that yet.

> When would one want to use
> the NAT file? What is an example of an External IP Address used in the NAT
> file? It's a bit confusing because on the one hand the instructions say
> "EXTERNAL - External IP Address", then "INTERFACE - Interface that you want
> the EXTERNAL address to appear"

The Shorewall Setup Guide gives an example where one-to-one NAT is appropriate. Static NAT is appropriate where you want to give a host embedded in an RFC1918 network the appearance of having an external IP address. I use it here (see http://shorewall.net/myfiles.htm).

>
> Some good news, I have managed to get Shorewall working. It seems to be an
> issue of routing. In my pppoe.conf file I changed the option "Make the PPPoE
> connection your default route" to NO and rebooted. I then set my default
> route by hand and started shorewall.

That shouldn't be necessary now that you have removed the entry from /etc/shorewall/nat. When Shorewall added the address back onto ppp0, it of course did not restore the default route.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
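The failure mode Tom describes above and in his earlier reply (an EXTERNAL address in /etc/shorewall/nat that is the interface's own primary address gets deleted and re-added, and the default route through ppp0 does not come back) is cheap to catch before running "shorewall start". The script below is an added example written for this page; it is not code from the thread or from Shorewall. It works from plain text so it runs offline: the nat entries and the "ip -o -4 addr show" listing embedded in it are constructed (modelled on the addresses in the thread), and the function names primary_addr and check_nat_file are my own.

```sh
#!/bin/sh
# Added example (not from the thread or from Shorewall): refuse to start
# Shorewall when /etc/shorewall/nat lists an interface's primary address in
# the EXTERNAL column. With ADD_IP_ALIASES=Yes Shorewall deletes and re-adds
# that address, and the routes through the interface (the default route
# included) go with it, which is the "Network is unreachable" in the thread.

# primary_addr IFACE ADDR_TEXT
#   ADDR_TEXT is the output of `ip -o -4 addr show` (one address per line,
#   e.g. "4: ppp0    inet 66.11.174.55 peer 66.11.190.1/32 scope global ppp0").
#   The first inet line for IFACE is its primary address; the /prefix is
#   stripped. Prints nothing when IFACE has no IPv4 address.
primary_addr() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $2 == ifc && $3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# check_nat_file NAT_TEXT ADDR_TEXT
#   NAT_TEXT is the content of /etc/shorewall/nat (EXTERNAL INTERFACE INTERNAL ...).
#   Prints one BAD line per entry whose EXTERNAL address is the primary
#   address of INTERFACE; returns 1 if any was found, 0 otherwise.
check_nat_file() {
    offenders=$(printf '%s\n' "$1" | sed 's/#.*//' |
        awk 'NF >= 3 { print $1, $2, $3 }' |
        while read -r ext ifc int; do
            prim=$(primary_addr "$ifc" "$2")
            if [ -n "$prim" ] && [ "$ext" = "$prim" ]; then
                printf 'BAD: %s is the primary address of %s (nat entry: %s %s %s)\n' \
                    "$ext" "$ifc" "$ext" "$ifc" "$int"
            fi
        done)
    [ -n "$offenders" ] && printf '%s\n' "$offenders"
    [ -z "$offenders" ]
}

# Constructed sample input, modelled on the addresses in the thread. A
# secondary address on eth1 is included to show it is not mistaken for the
# primary one.
SAMPLE_ADDRS='3: eth1    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1
3: eth1    inet 10.0.0.2/24 scope global secondary eth1
4: ppp0    inet 66.11.174.55 peer 66.11.190.1/32 scope global ppp0'

# Constructed nat files: BAD_NAT repeats the mistake from the thread (ppp0's
# own address in EXTERNAL); GOOD_NAT only lists an extra address that
# Shorewall is free to add as an alias.
BAD_NAT='#EXTERNAL       INTERFACE   INTERNAL    ALL INTERFACES  LOCAL
66.11.174.55    ppp0        10.0.0.10   no              no
66.11.174.56    ppp0        10.0.0.11   no              no
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE'
GOOD_NAT='#EXTERNAL       INTERFACE   INTERNAL    ALL INTERFACES  LOCAL
66.11.174.56    ppp0        10.0.0.11   no              no'

# Run the check the way a start wrapper would: block "shorewall start" on BAD.
check_nat_file "$BAD_NAT" "$SAMPLE_ADDRS" ||
    echo "fix /etc/shorewall/nat before running 'shorewall start'"
```

On a live box the two text arguments would be "$(cat /etc/shorewall/nat)" and "$(ip -o -4 addr show)"; the check is deliberately read-only so it can sit in front of "shorewall start" without touching the interface itself.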
the latter? What is it?

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Monday, June 28, 2004 3:30 PM
Subject: Re: [Shorewall-users] Rules: ipv4 and/or ipv6 ?

> Salvatore wrote:
> > Hi,
> >
> > I have the latest shorewall, with iptables 1.2.9 and ipv6 enabled system.
> > I have a question:
> > when I set a rule to drop something, is it valid for ipv6 connections too?
> > Or only for normal ipv4 traffic?
>
> The latter.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Monday, 28 June 2004 17:19, Salvatore wrote:
> the latter? What is it?

I read "only for ipv4".

If you are looking for an ipv6 companion to shorewall google for 6wall.

kp

>
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
> Sent: Monday, June 28, 2004 3:30 PM
> Subject: Re: [Shorewall-users] Rules: ipv4 and/or ipv6 ?
>
> > Salvatore wrote:
> > > Hi,
> > >
> > > I have the latest shorewall, with iptables 1.2.9 and ipv6 enabled system.
> > > I have a question:
> > > when I set a rule to drop something, is it valid for ipv6 connections too?
> > > Or only for normal ipv4 traffic?
> >
> > The latter.
> >
> > -Tom
> > --
> > Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline,     \ http://shorewall.net
> > Washington USA  \ teastep@shorewall.net
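Tom's "the latter" and kp's reading of it mean that everything Shorewall 2.x loads goes through iptables and therefore filters IPv4 only; IPv6 traffic is decided by ip6tables, which accepts everything unless something (6wall, or rules of your own) configures it. The audit below is an added example written for this page, not code from the thread, Shorewall or 6wall. It compares the two rule sets from their iptables-save and ip6tables-save output; the two save dumps embedded in it are constructed (the IPv4 one sketches a Shorewall-style layout with a net2fw chain and the SNAT rule from the thread), and the function names chain_policies, rule_count and v6_gaps are my own.

```sh
#!/bin/sh
# Added example (not from the thread, Shorewall or 6wall): find built-in
# filter chains that are closed for IPv4 but open for IPv6. Input is the
# text of iptables-save / ip6tables-save, so this runs offline.

# chain_policies SAVE_TEXT
#   Prints "CHAIN POLICY" for each built-in chain of the filter table
#   (user-defined chains carry policy "-" and are skipped).
chain_policies() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($1, 2); next }
        /^:/ && table == "filter" && $2 != "-" { print substr($1, 2), $2 }'
}

# rule_count SAVE_TEXT
#   Number of -A rules in the filter table.
rule_count() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($1, 2); next }
        /^-A/ && table == "filter" { n++ }
        END { print n + 0 }'
}

# v6_gaps V4_SAVE V6_SAVE
#   Prints one line per built-in chain whose IPv4 policy is DROP or REJECT
#   while the IPv6 policy is ACCEPT or the chain is absent, plus a note when
#   the IPv6 filter table carries no rules at all. Prints nothing if no gap.
v6_gaps() {
    v6=$(chain_policies "$2")
    chain_policies "$1" | while read -r chain pol4; do
        pol6=$(printf '%s\n' "$v6" | awk -v c="$chain" '$1 == c { print $2 }')
        case "$pol4:$pol6" in
            DROP:ACCEPT|REJECT:ACCEPT|DROP:|REJECT:)
                echo "$chain: IPv4 policy $pol4 but IPv6 policy ${pol6:-missing}" ;;
        esac
    done
    [ "$(rule_count "$2")" -eq 0 ] && [ "$(rule_count "$1")" -gt 0 ] &&
        echo "ip6tables filter table has no rules while iptables has $(rule_count "$1")"
    return 0
}

# Constructed iptables-save output: what a Shorewall-managed box might look
# like for IPv4 (built-in chains closed, traffic handed to zone chains).
V4_SAVE='# Generated by iptables-save v1.2.9
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o ppp0 -j SNAT --to-source 66.11.174.55
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:net2fw - [0:0]
-A INPUT -i ppp0 -j net2fw
-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A net2fw -j DROP
COMMIT'

# Constructed ip6tables-save output: the untouched default on the same box.
V6_SAVE='# Generated by ip6tables-save v1.2.9
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

v6_gaps "$V4_SAVE" "$V6_SAVE"
```

On a real system feed it "$(iptables-save)" and "$(ip6tables-save)"; an empty report means the IPv6 side at least mirrors the IPv4 chain policies, which is the minimum to check after enabling IPv6 on a host that only runs Shorewall 2.x.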
Rodolfo J. Paiz
2004-Jun-28 17:53 UTC
Re: Problems with shorewall - cant get to isp gateway
At 07:59 AM 6/28/2004, Tom Eastep wrote:
> Scott Jackson wrote:
>
> > Isn't NAT better to use (more efficient) than masquerading? I thought one
> > would only use masq if their peer assigned the IP dynamically? In my case I
> > have a static IP.
>
> SNAT is preferable to MASQUERADE when you have a static IP address. By
> specifying your external IP address in the ADDRESS column of
> /etc/shorewall/masq, you are using SNAT rather than MASQUERADE.

So assuming that the Internet-facing interface is eth0 and that this interface has a static IP address of 111.111.111.111, then in /etc/shorewall/masq one would write:

eth0    eth1    111.111.111.111

instead of just "eth0 eth1"? This would use SNAT instead of masquerading?

May I ask for a brief "why this is better", or perhaps for pointers to simple documentation I could read?

Thanks!

-- 
Rodolfo J. Paiz
rpaiz@simpaticus.com
http://www.simpaticus.com
Rodolfo J. Paiz wrote:
>
> So assuming that the Internet-facing interface is eth0 and that this
> interface has a static IP address of 111.111.111.111, then in
> /etc/shorewall/masq one would write:
>
> eth0    eth1    111.111.111.111
>
> instead of just "eth0 eth1"? This would use SNAT instead of
> masquerading?

Yes.

>
> May I ask for a brief "why this is better", or perhaps for pointers to
> simple documentation I could read?
>

MASQUERADE has to worry about changing IP addresses whereas SNAT doesn't. That makes SNAT slightly more efficient.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
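To make the SNAT-versus-MASQUERADE answer concrete, the script below renders a /etc/shorewall/masq line into the nat-table rule it boils down to. It is an added example written for this page, not code from the thread or from Shorewall, and it is an approximation for illustration rather than what Shorewall emits verbatim. The routing table embedded in it is constructed for Rodolfo's eth0/eth1 layout (documentation addresses), and the function names iface_subnets and masq_rule are my own. The one fact it leans on beyond the thread: netfilter's MASQUERADE target looks up the outgoing interface's address for each new connection and forgets its connections when that interface goes down, which is what makes it the right choice only for dynamically assigned addresses.

```sh
#!/bin/sh
# Added example (not from the thread or from Shorewall): show the POSTROUTING
# rule that a /etc/shorewall/masq line boils down to. With an ADDRESS column
# the target is SNAT with a fixed source; without it the target is MASQUERADE,
# which re-reads the outgoing interface's address per connection and drops its
# conntrack entries when the interface goes down. Approximation, not
# Shorewall's exact output.

# iface_subnets IFACE ROUTE_TEXT
#   ROUTE_TEXT is the output of `ip -o route`. Prints each network route (a
#   destination containing "/") that goes out via IFACE; this is how a bare
#   interface name in the SUBNET column is resolved to networks.
iface_subnets() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $1 ~ /\// { for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == ifc) print $1 }'
}

# masq_rule LINE ROUTE_TEXT
#   LINE is one /etc/shorewall/masq line: INTERFACE SUBNET [ADDRESS].
#   SUBNET may be a CIDR network or an interface name. Prints one iptables
#   command per source network; returns 1 if no network could be resolved.
masq_rule() {
    routes="$2"
    set -- ${1%%#*}                     # split the line, ignoring a trailing comment
    out_if="$1"; src="$2"; addr="$3"
    case "$src" in
        */*) nets="$src" ;;                             # already a network
        *)   nets=$(iface_subnets "$src" "$routes") ;;  # interface name
    esac
    [ -n "$nets" ] || { echo "masq: no network found for '$src'" >&2; return 1; }
    for net in $nets; do
        if [ -n "$addr" ]; then
            echo "iptables -t nat -A POSTROUTING -o $out_if -s $net -j SNAT --to-source $addr"
        else
            echo "iptables -t nat -A POSTROUTING -o $out_if -s $net -j MASQUERADE"
        fi
    done
}

# Constructed routing table for Rodolfo's layout: eth0 faces the Internet,
# eth1 is the local network (documentation address ranges).
SAMPLE_ROUTES='192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.1
default via 192.0.2.1 dev eth0'

masq_rule "eth0 eth1" "$SAMPLE_ROUTES"                        # MASQUERADE
masq_rule "eth0 eth1 192.0.2.10" "$SAMPLE_ROUTES"             # SNAT to the static address
masq_rule "ppp0 10.0.0.0/24 66.11.174.55" "$SAMPLE_ROUTES"    # Jaxon's line from the thread
```

The first call prints a MASQUERADE rule, the second and third print SNAT rules with a fixed --to-source; that fixed address is the whole difference, and it is why Tom says SNAT is the better fit when the address never changes.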
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On Monday 28 June 2004 08:27, K.-P. Kirchdörfer wrote:
> On Monday, 28 June 2004 17:19, Salvatore wrote:
> > the latter? What is it?
>
> I read "only for ipv4".
>
> If you are looking for an ipv6 companion to shorewall google for 6wall.
>
> kp

It is well documented. The documentation looks very familiar ;-) In fact, anyone familiar with shorewall should have few problems configuring it. One caveat, it doesn't appear to have its own mail list, so if you encounter something like,

# 6wall start
Processing /etc/6wall/params6 ...
Processing /etc/6wall/6wall.conf...
Starting 6wall...
   Error: 6wall version 1.0.1 does not work with kernel version 2.6.3-7mdk
Terminated

you are essentially on your own, finding the reason and solution.

- --
Robin Lynn Frank
Director of Operations
Paradigm-Omega, LLC
=====================
In a perfect world there would be no politicians.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Sed quis custodiet ipsos custodes?

iD8DBQFA4IZFo0pgX8xyW4YRA+sgAKC0pid49kpQFV6QH1MWUPbFpn9/5gCgk5kz
PZQZnJUceVn5r6HijrAmSQU=
=tYyv
-----END PGP SIGNATURE-----