Shorewall users - Mar 2005 - 3 Interface problem

Having a problem with the 3 interface setup.  I can get DMZ hosts, and
FW to see internet, but anything on LOC interface is unable to get
out.  My first post to the list didn''t have the information needed,
sorry for that, but thank you for pointing me to more resources.  I''ve
looked at the problem myself some more, but am still stuck.

Shorewall Version: 2.2.1

ip addr show

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:60:97:c9:c5:e7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::260:97ff:fec9:c5e7/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:04:77:a3:72 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
    inet6 fe80::250:4ff:fe77:a372/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:a5:d0:92:7c brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2
    inet6 fe80::202:a5ff:fed0:927c/64 scope link
       valid_lft forever preferred_lft forever
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 216.240.7.166 peer 216.240.0.249/32 scope global ppp0

------------------------------------------------------------------------------------------------------------------------------
ip route show

216.240.0.249 dev ppp0  proto kernel  scope link  src 216.240.7.166
192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.254
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
169.254.0.0/16 dev eth2  scope link
default via 216.240.0.249 dev ppp0
--------------------------------------------------------------------------------------------------------------------------------
Using 3 interface example files.  
-Have added some DNAT rules for couple services on DMZ server, which
work no problem.  No changes to any rules on the LOC network.
-No change to HOSTS file. 
-Change to MASQ file was to change eth0 as NET interface, to ppp0
(DSL-PPPoE outgoing connection)
--------------------------------------------------------------------------------------------------------------------------------
Ping from XP client to LOC (as default gateway 192.168.1.254) gets error:
Request timed out.
Shorewall, at the same time generates the following:
Mar  5 19:35:52 punisher kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth0
SRC=192.168.1.254 DST=192.168.1.48 LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=40237 PROTO=ICMPTYPE=0 CODE=0 ID=512 SEQ=256

I feel like this is where my problems is, as it appears that pings
from the ''LOC'' network are for some reason being forwarded out
of
eth0.  There is a rule (default included in 3 interface example),
ACCEPT Zone Local 	Firewall 	ICMP 	Any 	8

Have setup caching only name server on same box, and it is listening
for requests on same IP as LOC network.  To make sure the name server
was working, I pointed DMZ hosts to that ip for DNS, and it is
resolving queries.

Thank you in advance to anyone who is willing to take the time to
point me in the right direction.

Sean Clark

Sean Clark wrote:
> Having a problem with the 3 interface setup.  I can get DMZ hosts, and
> FW to see internet, but anything on LOC interface is unable to get
> out.  My first post to the list didn''t have the information
needed,
> sorry for that, but thank you for pointing me to more resources. 
I''ve
> looked at the problem myself some more, but am still stuck.
> 
> Shorewall Version: 2.2.1
> 
> ip addr show
> 
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:60:97:c9:c5:e7 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
>     inet6 fe80::260:97ff:fec9:c5e7/64 scope link
>        valid_lft forever preferred_lft forever
NOTE 1: eth0 has IP address 1192.168.1.1/24
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:50:04:77:a3:72 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
>     inet6 fe80::250:4ff:fe77:a372/64 scope link
>        valid_lft forever preferred_lft forever
NOTE 2: eth1 has an IP in the same network: 192.168.1.254/24
> 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:02:a5:d0:92:7c brd ff:ff:ff:ff:ff:ff
>     inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2
>     inet6 fe80::202:a5ff:fed0:927c/64 scope link
>        valid_lft forever preferred_lft forever
> 5: sit0: <NOARP> mtu 1480 qdisc noop
>     link/sit 0.0.0.0 brd 0.0.0.0
> 6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast
qlen 3
>     link/ppp
>     inet 216.240.7.166 peer 216.240.0.249/32 scope global ppp0
> 
>
------------------------------------------------------------------------------------------------------------------------------
> ip route show
> 
> 216.240.0.249 dev ppp0  proto kernel  scope link  src 216.240.7.166
> 192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.254
> 192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
> 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
NOTE 3: So the automatically-generated route for eth0 appears before the
one for eth1.
> 169.254.0.0/16 dev eth2  scope link
> default via 216.240.0.249 dev ppp0
>
--------------------------------------------------------------------------------------------------------------------------------
> Using 3 interface example files.  
> -Have added some DNAT rules for couple services on DMZ server, which
> work no problem.  No changes to any rules on the LOC network.
> -No change to HOSTS file. 
> -Change to MASQ file was to change eth0 as NET interface, to ppp0
> (DSL-PPPoE outgoing connection)
>
--------------------------------------------------------------------------------------------------------------------------------
> Ping from XP client to LOC (as default gateway 192.168.1.254) gets error:
> Request timed out.
> Shorewall, at the same time generates the following:
> Mar  5 19:35:52 punisher kernel: Shorewall:OUTPUT:REJECT:IN= OUT=eth0
> SRC=192.168.1.254 DST=192.168.1.48 LEN=60 TOS=0x00 PREC=0x00 TTL=64
> ID=40237 PROTO=ICMPTYPE=0 CODE=0 ID=512 SEQ=256
> 
> I feel like this is where my problems is, as it appears that pings
> from the ''LOC'' network are for some reason being
forwarded out of
> eth0. 
NOTE 4: How can you possibly be surprised given notes 1-3?

 There is a rule (default included in 3 interface
example),
> ACCEPT Zone Local 	Firewall 	ICMP 	Any 	8
> 
As explained at http://shorewall.net/Shorewall_and_Routing.html, Routing
determines where packets go -- the Shorewall-generated ruleset
determines whether the packet is allowed to go there or not. In this
case, it is not.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key