Hey Mattia;
Looks like you might have a few problems so I thought I should 'chime in'
before Tom wakes up and starts beating on you ;)
Judging by what you have shown us (BTW you should start with a sample
tarball from the shorewall.net site or at least review the files in it)...
You haven't populated the interface file. This might explain why you have
that error.
I suggest you add the following;
hdsl eth0
roma eth1
loc eth2
that should solve your mis-configuration but as to your 'masq trick' I can't
speculate. Try typing 'shorewall support' in google and follow the
guidelines on the first hit.
(BTW Tom, I have fought with my users for years regarding RTFM without
success and eventually found that the less I work at it, the happier I am.
You should look on the bright side - you have helped thousands of people
across the globe judging by the results of simply typing 'shorewall' in
google!)
Jeff
----- Original Message -----
From: "Mattia" <mattia@sinapto.net>
To: "Mailing List for Shorewall Users"
<shorewall-users@lists.shorewall.net>
Sent: Wednesday, February 02, 2005 7:12 AM
Subject: [Shorewall-users] Masq errors?
> Hi all,
> I have a problem with a new Shorewall box I'm trying to migrate from
> iptables rules to shorewall 2.2.0.
> I have a 3 interfaces setup:
>
> - eth0 ---> internet (ip address)
> - eth1 ---> remote office (10.0.0.0/8)
> - eth2 ---> lan (192.168.16.0/24)
>
> I'm using a very simple and common setup, with just a few DNAT rules in
> my /etc/shorewall/rules file, and about twenty entries in
> /etc/shorewall/masq file.
> They are all very similar and look like this one:
>
> ##############################################################################
> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
> eth1:10.150.30.100/32 192.168.16.40/32 10.108.5.5/32
>
> what I would accomplish is to make 192.168.16.40 appear on the remote
> office lan as 10.150.30.100. Am I doing it in the right way?
> I'm asking this because this is the message I get when I try a "service
> shorewall start"
>
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Starting Shorewall...
> Initializing...
> Shorewall has detected the following iptables/netfilter capabilities:
> NAT: Available
> Packet Mangling: Available
> Multi-port Match: Available
> Connection Tracking Match: Available
> Packet Type Match: Available
> Policy Match: Not available
> Physdev Match: Not available
> IP range Match: Not available
> Determining Zones...
> Zones: hdsl roma loc
> Validating interfaces file...
> Validating hosts file...
> Validating Policy file...
> Determining Hosts in Zones...
> Warning: Zone hdsl is empty
> Warning: Zone roma is empty
> Warning: Zone loc is empty
> Processing /etc/shorewall/init ...
> Pre-processing Actions...
> Pre-processing /usr/share/shorewall/action.DropSMB...
> Pre-processing /usr/share/shorewall/action.RejectSMB...
> Pre-processing /usr/share/shorewall/action.DropUPnP...
> Pre-processing /usr/share/shorewall/action.RejectAuth...
> Pre-processing /usr/share/shorewall/action.DropPing...
> Pre-processing /usr/share/shorewall/action.DropDNSrep...
> Pre-processing /usr/share/shorewall/action.AllowPing...
> Pre-processing /usr/share/shorewall/action.AllowFTP...
> Pre-processing /usr/share/shorewall/action.AllowDNS...
> Pre-processing /usr/share/shorewall/action.AllowSSH...
> Pre-processing /usr/share/shorewall/action.AllowWeb...
> Pre-processing /usr/share/shorewall/action.AllowSMB...
> Pre-processing /usr/share/shorewall/action.AllowAuth...
> Pre-processing /usr/share/shorewall/action.AllowSMTP...
> Pre-processing /usr/share/shorewall/action.AllowPOP3...
> Pre-processing /usr/share/shorewall/action.AllowICMPs...
> Pre-processing /usr/share/shorewall/action.AllowIMAP...
> Pre-processing /usr/share/shorewall/action.AllowTelnet...
> Pre-processing /usr/share/shorewall/action.AllowVNC...
> Pre-processing /usr/share/shorewall/action.AllowVNCL...
> Pre-processing /usr/share/shorewall/action.AllowNTP...
> Pre-processing /usr/share/shorewall/action.AllowRdate...
> Pre-processing /usr/share/shorewall/action.AllowNNTP...
> Pre-processing /usr/share/shorewall/action.AllowTrcrt...
> Pre-processing /usr/share/shorewall/action.AllowSNMP...
> Pre-processing /usr/share/shorewall/action.AllowPCA...
> Pre-processing /usr/share/shorewall/action.Drop...
> Pre-processing /usr/share/shorewall/action.Reject...
> Deleting user chains...
> Setting up Accounting...
> Creating Interface Chains...
> Configuring Proxy ARP
> Setting up NAT...
> Setting up NETMAP...
> Adding Common Rules
> Processing /etc/shorewall/initdone ...
> IP Forwarding Enabled
> Processing /etc/shorewall/tunnels...
> Processing /etc/shorewall/ipsec...
> Processing /etc/shorewall/rules...
> Rule "ACCEPT:ULOG fw loc icmp" added.
> Rule "ACCEPT:ULOG all fw tcp 22" added.
> Rule "ACCEPT:ULOG all fw tcp 22" added.
> Rule "ACCEPT:ULOG all fw tcp 22" added.
> iptables v1.2.11: unknown protocol `-' specified
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Command "/sbin/iptables -t nat -A roma_dnat -p - -d
> 10.108.5.14 -j DNAT --to-destination 192.168.16.49" Failed
> Processing /etc/shorewall/stop ...
> IP Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> /sbin/service: line 68: 5820 Terminated env -i LANG=$LANG
> PATH=$PATH TERM=$TERM "${SERVICEDIR}/${SERVICE}" ${OPTIONS}
>
> Does anyone have an idea about where the mistake could be?
> thanks a lot!
>
> Bye
>
> Mattia
>
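A pre-flight check for the condition behind the "Zone ... is empty" warnings in the quoted startup log, as an added example that is not part of either message and is not Shorewall's own code. The file contents are constructed, and the column layout (zone name first, interface or host second, `-` meaning "no zone") is an assumption based on the entries suggested in the reply; `rows` and `empty_zones` are hypothetical helper names.

```python
# Constructed file contents; the column layout (zone first, interface or
# host second) is an assumption based on the entries suggested in the reply.
ZONES = """\
#ZONE   DISPLAY   COMMENTS
hdsl    HDSL      Internet link
roma    Roma      Remote office
loc     Local     LAN
"""

# The state described in the thread: no entries in the interfaces file.
INTERFACES_EMPTY = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
"""

# The three entries suggested in the reply.
INTERFACES_FIXED = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
hdsl    eth0
roma    eth1
loc     eth2
"""


def rows(text):
    """Yield whitespace-split columns, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def empty_zones(zones_text, interfaces_text, hosts_text=""):
    """Return declared zones that no interfaces or hosts entry populates."""
    declared = [cols[0] for cols in rows(zones_text)]
    populated = set()
    for text in (interfaces_text, hosts_text):
        for cols in rows(text):
            # "-" in the zone column means the entry assigns no zone.
            if len(cols) >= 2 and cols[0] != "-":
                populated.add(cols[0])
    return [zone for zone in declared if zone not in populated]


if __name__ == "__main__":
    for zone in empty_zones(ZONES, INTERFACES_EMPTY):
        print(f"Warning: Zone {zone} is empty")
```

A firewall whose zones are all empty has no interface for its policies to apply to, so a non-empty result here is worth treating as a failed deployment check rather than a warning.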