Hi, my Shorewall has two interfaces and a two-interface config, named:

eth0 (public internet) with a 201.x.x.x address
eth1 (LAN in main office) 192.168.1.25 / 255.255.255.0

A router has been added internally to reach other segments (192.168.5.x network), and all the LAN computers have the Shorewall machine as their default gateway. The IP of the new internal router is 192.168.1.60.

I have already enabled ip-forward on the Shorewall machine, but I still get these in the logs. I am sure I am missing something else, so here I am asking for some advice.

[root@mail root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
201.x.x.x       0.0.0.0         255.255.255.248 U     0      0        0 eth0
192.168.5.0     192.168.1.60    255.255.255.0   UG    0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         201.x.x.x       0.0.0.0         UG    0      0        0 eth0

/var/log/messages
Nov 29 12:24:58 mail kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.1.156 DST=192.168.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45607 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=7936
Nov 29 12:25:02 mail kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.1.156 DST=192.168.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45863 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=8192

thanks in advance.

-- 
-------------------------------------------
Erick Perez
Linux User 376588 http://counter.li.org/ (Get counted!!!)
Panama, Republic of Panama
On Tuesday 29 November 2005 11:20, Erick Perez wrote:

> /var/log/messages
> Nov 29 12:24:58 mail kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
> SRC=192.168.1.156 DST=192.168.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=31
> ID=45607 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=7936
>
> Nov 29 12:25:02 mail kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
> SRC=192.168.1.156 DST=192.168.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=31
> ID=45863 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=8192
>
> thanks in advance.

Sure wish people would at least let us know which version of Shorewall they are running when they ask for help...

If you are running 2.x, please see http://www.shorewall.net/2.0/Multiple_Zones.html

If you are running 3.x, please see http://www.shorewall.net/Multiple_Zones.html

Among other things, you appear to need the 'routeback' option on eth1.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Right, my fault. I'm using 2.0.13 and just added the routeback option; now the message changes:

Nov 29 14:32:15 mail kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth1 SRC=192.168.1.231 DST=192.168.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=62405 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=46592
Nov 29 14:32:20 mail kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth1 SRC=192.168.1.231 DST=192.168.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=62451 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=46848

so I'm still blocked

Thanks,

On 11/29/05, Tom Eastep <teastep@shorewall.net> wrote:
> On Tuesday 29 November 2005 11:20, Erick Perez wrote:
> > /var/log/messages
> > Nov 29 12:24:58 mail kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
> > SRC=192.168.1.156 DST=192.168.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=31
> > ID=45607 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=7936
> >
> > Nov 29 12:25:02 mail kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1
> > SRC=192.168.1.156 DST=192.168.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=31
> > ID=45863 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=8192
> >
> > thanks in advance.
>
> Sure wish people would at least let us know which version of Shorewall they
> are running when they ask for help...
>
> If you are running 2.x, please see
> http://www.shorewall.net/2.0/Multiple_Zones.html
>
> If you are running 3.x, please see
> http://www.shorewall.net/Multiple_Zones.html
>
> Among other things, you appear to need the 'routeback' option on eth1.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

-- 
-------------------------------------------
Erick Perez
Linux User 376588 http://counter.li.org/ (Get counted!!!)
Panama, Republic of Panama
On Tuesday 29 November 2005 11:40, Erick Perez wrote:

> Right, my fault. I'm using 2.0.13 and just added the routeback option;
> now the message changes:
>
> Nov 29 14:32:15 mail kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth1
> SRC=192.168.1.231 DST=192.168.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127
> ID=62405 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=46592
> Nov 29 14:32:20 mail kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth1
> SRC=192.168.1.231 DST=192.168.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127
> ID=62451 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=46848
>
> so I'm still blocked

Looks like you need additional rules -- YOU can see your configuration. We can't. Either fix your own problem or submit a proper problem report. See http://www.shorewall.net/2.0/support.htm.

But first, you might sit down and read the article that I pointed you at in my last post. It should help...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Tuesday 29 November 2005 11:45, Tom Eastep wrote:

> On Tuesday 29 November 2005 11:40, Erick Perez wrote:
> > Right, my fault. I'm using 2.0.13 and just added the routeback option;
> > now the message changes:
> >
> > Nov 29 14:32:15 mail kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth1
> > SRC=192.168.1.231 DST=192.168.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127
> > ID=62405 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=46592
> > Nov 29 14:32:20 mail kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth1
> > SRC=192.168.1.231 DST=192.168.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127
> > ID=62451 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=46848
> >
> > so I'm still blocked
>
> Looks like you need additional rules -- YOU can see your configuration. We
> can't. Either fix your own problem or submit a proper problem report. See
> http://www.shorewall.net/2.0/support.htm.
>
> But first, you might sit down and read the article that I pointed you at in
> my last post. It should help...

And you should make plans to upgrade your Shorewall installation ASAP -- support for versions 2.0 and 2.2 ends at midnight tomorrow night...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Simply adding the route did not work, so I tried the next steps outlined in the file you sent. Now it's working.

I had to add routeback and newnotsyn to ETH1 in the interfaces file, so now it's

loc    eth1    detect    dhcp,tcpflags,routeback,newnotsyn

and I had to add a loc loc ACCEPT rule, so now it's

#SOURCE   DEST    POLICY   LOG LEVEL   LIMIT:BURST
loc       net     DROP
fw        net     ACCEPT
fw        loc     ACCEPT
loc       loc     ACCEPT   #this was added. now it works.
net       all     DROP     info
all       all     REJECT   info

BTW the loc/loc ACCEPT.....it's ok? looks weird.

Thanks Tom.

On 11/29/05, Tom Eastep <teastep@shorewall.net> wrote:
> On Tuesday 29 November 2005 11:45, Tom Eastep wrote:
> > On Tuesday 29 November 2005 11:40, Erick Perez wrote:
> > > Right, my fault. I'm using 2.0.13 and just added the routeback option;
> > > now the message changes:
> > >
> > > Nov 29 14:32:15 mail kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth1
> > > SRC=192.168.1.231 DST=192.168.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127
> > > ID=62405 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=46592
> > > Nov 29 14:32:20 mail kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth1
> > > SRC=192.168.1.231 DST=192.168.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127
> > > ID=62451 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=46848
> > >
> > > so I'm still blocked
> >
> > Looks like you need additional rules -- YOU can see your configuration. We
> > can't. Either fix your own problem or submit a proper problem report. See
> > http://www.shorewall.net/2.0/support.htm.
> >
> > But first, you might sit down and read the article that I pointed you at in
> > my last post. It should help...
>
> And you should make plans to upgrade your Shorewall installation ASAP --
> support for versions 2.0 and 2.2 ends at midnight tomorrow night...
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

-- 
-------------------------------------------
Erick Perez
Linux User 376588 http://counter.li.org/ (Get counted!!!)
Panama, Republic of Panama
On Tuesday 29 November 2005 12:05, Erick Perez wrote:

> BTW the loc/loc ACCEPT.....it's ok? looks weird.

After you upgrade, you won't need it. It's fine now.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
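The two log signatures in this thread (FORWARD:REJECT with IN=eth1 OUT=eth1 before routeback was set, then all2all:REJECT on the same interface pair until the loc-to-loc policy was added) can be picked out of /var/log/messages automatically. The parser below is an added example, not code from the thread or from the Shorewall project; the first two sample lines are the ones quoted above, the third (a net2all DROP with no OUT interface) is constructed to show a non-hairpin entry being ignored.

```python
import re

# Constructed sample: two lines quoted in this thread plus one made-up inbound DROP.
SAMPLE_LOG = """\
Nov 29 12:24:58 mail kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.1.156 DST=192.168.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=31 ID=45607 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=7936
Nov 29 14:32:15 mail kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=eth1 SRC=192.168.1.231 DST=192.168.5.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=62405 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=46592
Nov 29 14:40:01 mail kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=201.0.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=22
"""

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by netfilter key=value fields.
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")


def parse_line(line):
    """Return a dict of chain, disposition and key=value fields, or None if not a Shorewall line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # keep the first ID= (IP header id), not the ICMP echo id
    return {"chain": m.group("chain"), "disposition": m.group("disp"), **fields}


def diagnose(entry):
    """Map a hairpin reject (packet leaves on the interface it arrived on) to the remedy from the thread."""
    if entry["disposition"] not in ("REJECT", "DROP"):
        return None
    hairpin = bool(entry.get("IN")) and entry.get("IN") == entry.get("OUT")
    if not hairpin:
        return None
    if entry["chain"] == "FORWARD":
        return "routeback"        # interface lacks the routeback option in the interfaces file
    return "intrazone-policy"     # zone chain (e.g. all2all) still rejects: needs a loc loc ACCEPT policy/rule


def scan(log_text):
    """Return (SRC, DST, IN, chain, remedy) for every hairpin reject in the log text."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        remedy = diagnose(entry)
        if remedy:
            findings.append((entry["SRC"], entry["DST"], entry["IN"], entry["chain"], remedy))
    return findings
```

Running scan() over a real /var/log/messages gives the same two-step diagnosis the thread went through, and stays silent for ordinary inbound drops on eth0.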