Hello Tom,

I've been using Shorewall for years without problems. My previous version of
shorewall was 1.4.6b-1. Everything worked just fine. Today I upgraded using
rpm to 2.0.8-1. After update no one can connect to any interface from net.
Server can connect to outside world fine and those described in routestopped
have no problem connecting. Any help correcting this problem would be
appreciated.

Redhat Linux kernel 2.4.20-20.7smp

/sbin/shorewall version
2.0.8

/sbin/ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:18:02:3c:41 brd ff:ff:ff:ff:ff:ff
    inet 64.140.165.132/27 brd 64.140.165.159 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:06:5b:8c:18:1f brd ff:ff:ff:ff:ff:ff
    inet 64.140.165.133/27 brd 64.140.165.159 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:06:5b:8c:18:20 brd ff:ff:ff:ff:ff:ff
    inet 64.140.165.134/27 brd 64.140.165.159 scope global eth2
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 3
    link/ppp
    inet 192.168.234.235 peer 192.168.234.236/32 scope global ppp0

/sbin/ip route show
192.168.234.236 dev ppp0 proto kernel scope link src 192.168.234.235
64.140.165.128/27 dev eth2 scope link
64.140.165.128/27 dev eth1 proto kernel scope link src 64.140.165.133
64.140.165.128/27 dev eth2 proto kernel scope link src 64.140.165.134
127.0.0.0/8 dev lo scope link
default via 64.140.165.129 dev eth0

/etc/shorewall/interfaces
net     eth0    detect  routefilter,blacklist
net     eth1    detect  routefilter,blacklist
net     eth2    detect  routefilter,blacklist

/etc/shorewall/policy
fw      all     ACCEPT
net     all     DROP    err
all     all     REJECT  err

/etc/shorewall/routestopped
eth0    64.140.165.128/27
eth1    64.140.165.128/27
eth2    64.140.165.128/27

/etc/shorewall/rules
ACCEPT  net:64.140.165.128/27   fw                  all
ACCEPT  fw                      net                 udp     53
ACCEPT  fw                      net                 tcp     53
ACCEPT  net                     fw                  udp     53
ACCEPT  net                     fw:64.140.165.132   tcp     smtp
ACCEPT  net                     fw:64.140.165.134   tcp     http,https,smtp
ACCEPT  net                     fw:64.140.165.134   tcp     1311
DROP    net                     fw                  udp     32769
DROP    net                     fw                  icmp    8

/etc/shorewall/zones
net     Net     Internet

/etc/shorewall/start
(currently empty, but used to have)
run_iptables -t nat -I POSTROUTING -p tcp --dport 25 -j SNAT --to-source 64.140.165.132
run_iptables -t nat -I POSTROUTING -p tcp --dport 80 -j SNAT --to-source 64.140.165.132-64.140.165.133
/bin/dmesg -n 3
/sbin/iptables -N greedy
/sbin/iptables -I INPUT -j greedy

Be sure to read the corresponding upgrade issues with Shorewall: http://www.shorewall.net/upgrade_issues.htm

On Sun, 19 Sep 2004 17:03:55 -0700, J and T <j_and_t@hotmail.com> wrote:
> Hello Tom,
>
> I've been using Shorewall for years without problems. My previous version of
> shorewall was 1.4.6b-1. Everything worked just fine. Today I upgraded using
> rpm to 2.0.8-1. After update no one can connect to any interface from net.
> Server can connect to outside world fine and those described in routestopped
> have no problem connecting. Any help correcting this problem would be
> appreciated.

J and T wrote:
> I've been using Shorewall for years without problems. My previous
> version of shorewall was 1.4.6b-1. Everything worked just fine. Today I
> upgraded using rpm to 2.0.8-1. After update no one can connect to any
> interface from net. Server can connect to outside world fine and those
> described in routestopped have no problem connecting. Any help
> correcting this problem would be appreciated.

In the material you included, I didn't see anything wrong.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key