Shorewall users - Jun 2004 - Problems with shorewall - cant get to isp gateway

Hello,

I am not currently subscribed to the email list so please include me in any
responses. :)

Up till now I have been using my own custom iptables scripts. I have a dual
homed Linux box with 1 ADSL (pppoe) connection (static IP), and a second nic
connected to a small switch with a few machines using SNAT for inet access.
Everything works with my own scripts.

I stumbled on Shorewall and decided it looks very nice and its worth a try.
I used the two-interface sample, read the docs and read the guides but now I
am asking for some help as I can not even get to my ISP gateway after I
start shorewall. (Even after doing a ''shorewall clear'' I have
to reboot in
order that my own scripts work again) I think I''m close, but must be
missing
something (hopefully obvious and small :))

Any suggestions are appreciated,
Regards,
Jaxon

#################
interface:
net     ppp0            detect          dhcp,norfc1918,tcpflags
loc     eth1            detect          tcpflags

masq:
ppp0                    10.0.0.0/24     66.11.174.55

policy:
loc             net             ACCEPT
fw              net             ACCEPT
net             all             DROP            info
all             all             REJECT          info

rules:
# SSH
ACCEPT  loc             fw              tcp     ssh
ACCEPT  net             fw              tcp     ssh
# HTTPD
ACCEPT  loc             fw              tcp     http
ACCEPT  net             fw              tcp     http
# DNS connections from the firewall to the network
ACCEPT  fw              net             tcp     53
ACCEPT  fw              net             udp     53
#       Allow Ping To And From Firewall
ACCEPT  net             fw              icmp    8
ACCEPT  net             loc             icmp    echo-request
ACCEPT  fw              loc             icmp
ACCEPT  fw              net             icmp

zones:
net     Net             Internet
loc     Local           Local networks
#dmz    DMZ             Demilitarized zone

shorewall version
2.0.3

ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:60:97:a1:6f:03 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:76:57:c3:0d brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 66.11.174.55 peer 66.11.190.1/32 scope global ppp0

ip route show
66.11.190.1 dev ppp0  proto kernel  scope link  src 66.11.174.55
10.0.0.0/24 dev eth1  proto kernel  scope link  src 10.0.0.1
127.0.0.0/8 via 127.0.0.1 dev lo  scope link
default via 66.11.190.1 dev ppp0

Scott Jackson wrote:
> Hello,
> 
> I am not currently subscribed to the email list so please include me in any
> responses. :)
> 
> Up till now I have been using my own custom iptables scripts. I have a dual
> homed Linux box with 1 ADSL (pppoe) connection (static IP), and a second
nic
> connected to a small switch with a few machines using SNAT for inet access.
> Everything works with my own scripts.
> 
> I stumbled on Shorewall and decided it looks very nice and its worth a try.
> I used the two-interface sample, read the docs and read the guides but now
I
> am asking for some help as I can not even get to my ISP gateway after I
> start shorewall.(Even after doing a ''shorewall clear'' I
have to reboot in
> order that my own scripts work again)I think I''m close, but must
be missing
> something (hopefully obvious and small :))
> 
> Any suggestions are appreciated,
The only thing that I see is that you have an entry in
/etc/shorewall/nat that could never work. For your simple setup, *you
don''t have to do anything other than what is described in the
Two-interface Guide*; in particular, you don''t need any entries in
/etc/shorewall/nat and any entry that you make there is very likely to
break something (like in your case where you can''t do anything after a 
"shorewall clear).

If removing the nat entry doesn''t fix it then please clarify what
"can
not even get to my ISP gateway" means:

a) can you ping the gateway by IP address from the firewall?
b) can you ping the gateway by IP address from a system behind the firewall?
c) can you ping the gateway by host name from the firewall?
d) can you ping the gateway by host name from a system behind the firewall?

For any "no" answer, what error messages if any do you see from ping?
If
any of these tests fail, forward the output of "shorewall status"
after
the tests.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Hi Tom,

I tried as you suggest and removed the entry all together from the nat file.
Still the same thing problem...
What I meant by not being able to get to my ISP gateway is I am unable to
ping it from the fw or any machine on my private network. I have attached a
new status.txt file with the updated nat.

#From firewall
ping 66.11.190.1
connect: Network is unreachable
>If removing the nat entry doesn''t fix it then please clarify what
"can
>not even get to my ISP gateway" means:
>a) can you ping the gateway by IP address from the firewall?
NO
>b) can you ping the gateway by IP address from a system behind the
firewall?
NO
>c) can you ping the gateway by host name from the firewall?
NO
>d) can you ping the gateway by host name from a system behind the firewall?
NO

I am still thinking its something simple since after I reboot the box and
run my own scripts, all is well.

The suggestions are appreciated,
Jaxon

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Sunday, June 27, 2004 9:29 PM
To: Mailing List for Shorewall Users; scott@jaxon.net
Subject: Re: [Shorewall-users] Problems with shorewall - cant get to isp
gateway


Scott Jackson wrote:
> Hello,
>
> I am not currently subscribed to the email list so please include me in
any
> responses. :)
>
> Up till now I have been using my own custom iptables scripts. I have a
dual
> homed Linux box with 1 ADSL (pppoe) connection (static IP), and a second
nic
> connected to a small switch with a few machines using SNAT for inet
access.
> Everything works with my own scripts.
>
> I stumbled on Shorewall and decided it looks very nice and its worth a
try.
> I used the two-interface sample, read the docs and read the guides but now
I
> am asking for some help as I can not even get to my ISP gateway after I
> start shorewall.(Even after doing a ''shorewall clear'' I
have to reboot in
> order that my own scripts work again)I think I''m close, but must
be
missing
> something (hopefully obvious and small :))
>
> Any suggestions are appreciated,
The only thing that I see is that you have an entry in
/etc/shorewall/nat that could never work. For your simple setup, *you
don''t have to do anything other than what is described in the
Two-interface Guide*; in particular, you don''t need any entries in
/etc/shorewall/nat and any entry that you make there is very likely to
break something (like in your case where you can''t do anything after a
"shorewall clear).

If removing the nat entry doesn''t fix it then please clarify what
"can
not even get to my ISP gateway" means:

a) can you ping the gateway by IP address from the firewall?
b) can you ping the gateway by IP address from a system behind the firewall?
c) can you ping the gateway by host name from the firewall?
d) can you ping the gateway by host name from a system behind the firewall?

For any "no" answer, what error messages if any do you see from ping?
If
any of these tests fail, forward the output of "shorewall status"
after
the tests.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Scott Jackson wrote:
> Hi Tom,
> 
> I tried as you suggest and removed the entry all together from the nat
file.
> Still the same thing problem...
> What I meant by not being able to get to my ISP gateway is I am unable to
> ping it from the fw or any machine on my private network. I have attached a
> new status.txt file with the updated nat.
> 
> #From firewall
> ping 66.11.190.1
> connect: Network is unreachable
Hmmm -- Shorewall-generated rules aren''t causing the failure (search
the
status.txt for REJECT and you''ll see what I mean). After you see this 
message, what does the routing table look like?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
> 
> Hmmm -- Shorewall-generated rules aren''t causing the failure
(search the
> status.txt for REJECT and you''ll see what I mean). After you see
this
> message, what does the routing table look like?
> 
I should point out that with the /etc/shorewll/nat file entry in place, 
"shorewall start" *removed the primary IP address from ppp0*! The 
instructions in the nat file for the EXTERNAL column clearly say not to 
list the interface''s primary IP address in that column; now you know
why.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Hi,

I have the latest shorewall, with iptables 1.2.9 and ipv6 enabled system.
I have a question:
when I set a rule to drop someting, is it valid for ipv6 connections too ?
Or only for normal ipv4 traffic ?

Thanks

I did read where the instructions say not to list the interface''s
primary IP
address in that column. I was actually just experimenting at that point.

Isn''t NAT better to use (more efficient) than masquerading? I thought
one
would only use masq if their peer assigined the IP dynamcly? In my case I
have a static IP.

Some questions about shorewall...
You say "*removed the primary IP address from ppp0*". Removed it from
where?
ifconfig still showed the IP assigned with ppp0. When would one want to use
the NAT file? What is an example of an External IP Address used in the NAT
file? It''s a bit confusing because on the one hand the instructions say
"EXTERNAL - External IP Address", then "INTERFACE - Interface
that you want
to EXTERNAL address to appear"

Some good news, I have managed to get Shorewall working. It seems to be an
issue of routing. In my pppoe.conf file I changed the option "Make the
PPPoE
connection your default route" to NO and rebooted. I then set my default
route by hand and started shorewall.

Looks like Im on the right track. Thanks for your input, thanks for
answering all my questions (I really want to understand what shorewall is
doing) and I will let you know how I make out. :)

Jaxon

ps - shorewall looks really nice so far :)

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Sunday, June 27, 2004 10:26 PM
To: Mailing List for Shorewall Users
Cc: scott@jaxon.net
Subject: Re: [Shorewall-users] Problems with shorewall - cant get to isp
gateway


Tom Eastep wrote:
>
> Hmmm -- Shorewall-generated rules aren''t causing the failure
(search the
> status.txt for REJECT and you''ll see what I mean). After you see
this
> message, what does the routing table look like?
>
I should point out that with the /etc/shorewll/nat file entry in place,
"shorewall start" *removed the primary IP address from ppp0*! The
instructions in the nat file for the EXTERNAL column clearly say not to
list the interface''s primary IP address in that column; now you know
why.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Salvatore wrote:
> Hi,
> 
> I have the latest shorewall, with iptables 1.2.9 and ipv6 enabled system.
> I have a question:
> when I set a rule to drop someting, is it valid for ipv6 connections too ?
> Or only for normal ipv4 traffic ?
The latter.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Scott Jackson wrote:
> Isn''t NAT better to use (more efficient) than masquerading? I
thought one
> would only use masq if their peer assigined the IP dynamcly? In my case I
> have a static IP.
SNAT is preferable to MASQUERADE when you have a static IP address. By 
specifying your external IP address in the ADDRESS column of 
/etc/shorewall/masq, you are using SNAT rather than MASQUERADE.
> 
> Some questions about shorewall...
> You say "*removed the primary IP address from ppp0*". Removed it
from where?
> ifconfig still showed the IP assigned with ppp0.
That''s because Shorewall added it back. I have the infrastructure in 
place to improve this part of the code to avoid the unnecessary 
delete/add of ip addresses when ADD_IP_ALIASES=Yes but I haven''t got 
around to doing that yet.
> When would one want to use
> the NAT file? What is an example of an External IP Address used in the NAT
> file? It''s a bit confusing because on the one hand the
instructions say
> "EXTERNAL - External IP Address", then "INTERFACE -
Interface that you want
> to EXTERNAL address to appear"
The Shorewall Setup Guide gives an example where one-to-one NAT is 
appropriate. Static NAT is appropriate where you want to give a host 
embedded in an RFC1918 network the appearance of having an external IP 
address. I use it here (see http://shorewall.net/myfiles.htm).
> 
> Some good news, I have managed to get Shorewall working. It seems to be an
> issue of routing. In my pppoe.conf file I changed the option "Make the
PPPoE
> connection your default route" to NO and rebooted. I then set my
default
> route by hand and started shorewall.
That shouldn''t be necessary now that you have removed the entry from 
/etc/shorewall/nat. When Shorewall added the address back onto ppp0, it 
of course did not restore the default route.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

the latter ? What is it?


----- Original Message ----- 
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users"
<shorewall-users@lists.shorewall.net>
Sent: Monday, June 28, 2004 3:30 PM
Subject: Re: [Shorewall-users] Rules: ipv4 and/or ipv6 ?

> Salvatore wrote:
> > Hi,
> >
> > I have the latest shorewall, with iptables 1.2.9 and ipv6 enabled
system.
> > I have a question:
> > when I set a rule to drop someting, is it valid for ipv6 connections
too
?
> > Or only for normal ipv4 traffic ?
>
> The latter.
>
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

Am Montag, 28. Juni 2004 17:19 schrieb Salvatore:
> the latter ? What is it?
I read "only for ipv4".

If you are looking for an ipv6 companion to shorewall google for 6wall.

kp
>
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Mailing List for Shorewall Users"
> <shorewall-users@lists.shorewall.net> Sent: Monday, June 28, 2004
3:30 PM
> Subject: Re: [Shorewall-users] Rules: ipv4 and/or ipv6 ?
>
> > Salvatore wrote:
> > > Hi,
> > >
> > > I have the latest shorewall, with iptables 1.2.9 and ipv6 enabled
>
> system.
>
> > > I have a question:
> > > when I set a rule to drop someting, is it valid for ipv6
connections
> > > too
>
> ?
>
> > > Or only for normal ipv4 traffic ?
> >
> > The latter.
> >
> > -Tom
> > --
> > Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline,     \ http://shorewall.net
> > Washington USA  \ teastep@shorewall.net
> >
> > _______________________________________________
> > Shorewall-users mailing list
> > Post: Shorewall-users@lists.shorewall.net
> > Subscribe/Unsubscribe:
>
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
>
> > Support: http://www.shorewall.net/support.htm
> > FAQ: http://www.shorewall.net/FAQ.htm
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users Support:
> http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

At 07:59 AM 6/28/2004, Tom Eastep wrote:
>Scott Jackson wrote:
>
>>Isn''t NAT better to use (more efficient) than masquerading? I
thought one
>>would only use masq if their peer assigined the IP dynamcly? In my case
I
>>have a static IP.
>
>SNAT is preferable to MASQUERADE when you have a static IP address. By 
>specifying your external IP address in the ADDRESS column of 
>/etc/shorewall/masq, you are using SNAT rather than MASQUERADE.
So assuming that the Internet-facing interface is eth0 and that this 
interface has a static IP address of 111.111.111.111, then in 
/etc/shorewall/masq one would write:

eth0    eth1    111.111.111.111

instead of just "eth0     eth1"? This would use SNAT instead of
masquerading?

May I ask for a brief "why this is better", or perhaps for pointers to
simple documentation I could read?

Thanks!


-- 
Rodolfo J. Paiz
rpaiz@simpaticus.com
http://www.simpaticus.com

Rodolfo J. Paiz wrote:
> 
> So assuming that the Internet-facing interface is eth0 and that this 
> interface has a static IP address of 111.111.111.111, then in 
> /etc/shorewall/masq one would write:
> 
> eth0    eth1    111.111.111.111
> 
> instead of just "eth0     eth1"? This would use SNAT instead of 
> masquerading?
Yes.
> 
> May I ask for a brief "why this is better", or perhaps for
pointers to
> simple documentation I could read?
> 
MASQUERADE has to worry about changing IP addresses whereas SNAT 
doesn''t. That makes SNAT slightly more efficient.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On Monday 28 June 2004 08:27, K.-P. Kirchdörfer wrote:
> Am Montag, 28. Juni 2004 17:19 schrieb Salvatore:
> > the latter ? What is it?
>
> I read "only for ipv4".
>
> If you are looking for an ipv6 companion to shorewall google for 6wall.
>
> kp
It is well documented.  The documentation looks very familiar ;-)  In fact, 
anyone familiar with shorewall should have few problems configuring it.

One caveat, it doesn''t appear to have its own mail list, so if you
encounter
something like,

# 6wall start
Processing /etc/6wall/params6 ...
Processing /etc/6wall/6wall.conf...
Starting 6wall...
   Error: 6wall version 1.0.1 does not work with kernel version 2.6.3-7mdk
Terminated

you are essentially on your own, finding the reason and solution.
- -- 
Robin Lynn Frank
Director of Operations
Paradigm-Omega, LLC
=====================In a perfect world there would be no politicians.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Sed quis custodiet ipsos custodes?

iD8DBQFA4IZFo0pgX8xyW4YRA+sgAKC0pid49kpQFV6QH1MWUPbFpn9/5gCgk5kz
PZQZnJUceVn5r6HijrAmSQU=tYyv
-----END PGP SIGNATURE-----