Hello,

I have a box with two network cards, eth0 and eth1, which I would use as a gateway for my local network. eth0 points to the local network with IP 192.168.0.122 and eth1 points to the ADSL modem with IP 10.0.0.140.

The policy file looks like this:

loc net ACCEPT info
loc fw ACCEPT info
loc modem ACCEPT info
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw net ACCEPT
fw modem ACCEPT
fw loc ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all DROP info
--------------------------------------------------------------------------

Then I have set some special rules in the rules file, and the masq file looks like this:

#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth1 eth0

In /etc/shorewall/shorewall.conf I have set IP_FORWARDING=On and CLAMPMSS=Yes (both settings as described). The correct IP of the nameserver(s) is set on the clients and also on the gateway box.

However, if I try to connect from a client to the Internet, it doesn't do anything (no messages in any of the log files on the gateway). For example, if I do a ping google.com on a client I can see the correct IP address of google.com, but ping doesn't print out anything (and again no messages in any log file).

If I do iptables -L -t nat I get the following (borsti.ISS is the local domain):

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ppp0_masq all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain ppp0_masq (1 references)
target prot opt source destination
MASQUERADE all -- borsti.ISS/24 anywhere

Can someone give me a hint what's going wrong here? Have I overlooked some settings for shorewall, maybe?

Thanks, BF.

-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Bernhard Frühmesser wrote:
>
> Can someone give me a hint what's going wrong here? Have I overlooked some
> settings for shorewall, maybe?

It's impossible to say. You have given us a glimpse of your configuration but not what we ask for at http://www.shorewall.net/support.htm (notice that those instructions also explicitly recommend against posting the output of 'iptables -L').

If I had to guess, I would suggest that the default route on the systems in the local network is probably wrong, but with so little to go on that is only a wild guess.

I suggest that you review each of the "Red Arrow" steps in the two-interface QuickStart Guide. If you still can't find a solution then please follow the instructions at the URL above.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Bernhard Frühmesser wrote:
>
>> Can someone give me a hint what's going wrong here? Have I overlooked some
>> settings for shorewall, maybe?
>
> It's impossible to say. You have given us a glimpse of your
> configuration but not what we ask for at
> http://www.shorewall.net/support.htm (notice that those instructions
> also explicitly recommend against posting the output of 'iptables -L').
>
> If I had to guess, I would suggest that the default route on the systems
> in the local network is probably wrong but with so little to go on that
> is only a wild guess.

I have re-checked the files in /etc/shorewall, but so far everything looks good to me, and as described in the support section I have attached a gzip-compressed file (status.tar.gz) with the output of shorewall dump, taken while I was trying to access the Internet from a client in the local network (I tried to ping tuxgames.com with IP 81.168.26.52). All config files that I have changed are attached (Config.tar.gz).

In Slackware 10.2 (in /etc/rc.d) there is a file called rc.ip_forward which has permissions set to 755 (so the file is "started" during bootup), and cat /proc/sys/net/ipv4/ip_forward reports "1", whereas it reports "0" when IP forwarding is disabled.

Thanks, BF.

> I suggest that you review each of the "Red Arrow" steps in the
> two-interface QuickStart Guide. If you still can't find a solution then
> please follow the instructions at the URL above.
>
> -Tom
Bernhard Frühmesser wrote:
>> If I had to guess, I would suggest that the default route on the systems
>> in the local network is probably wrong but with so little to go on that
>> is only a wild guess.

This still looks like it is the problem. Can you ping 194.166.207.200 from any of the local hosts? I doubt it. There was NO TRAFFIC FROM THE LOCAL NET TO BE FORWARDED BY THE FIREWALL -- NONE! Your Shorewall gateway cannot forward packets that aren't sent to it.

So check the default gateway on the local system that you are trying to ping from -- its default gateway should be set to 192.168.0.122.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Bernhard Frühmesser wrote:
>
>>> If I had to guess, I would suggest that the default route on the systems
>>> in the local network is probably wrong but with so little to go on that
>>> is only a wild guess.
>
> This still looks like it is the problem. Can you ping 194.166.207.200
> from any of the local hosts? I doubt it. There was NO TRAFFIC FROM THE
> LOCAL NET TO BE FORWARDED BY THE FIREWALL -- NONE! Your Shorewall
> gateway cannot forward packets that aren't sent to it.
>
> So check the default gateway on the local system that you are trying to
> ping from -- its default gateway should be set to 192.168.0.122.

On all local clients I have set the default gateway to 192.168.0.122. From all local clients I can ping 192.168.0.122.

Bernhard

> -Tom
Bernhard Frühmesser wrote:
> Tom Eastep wrote:
>> Bernhard Frühmesser wrote:
>>
>>>> If I had to guess, I would suggest that the default route on the
>>>> systems in the local network is probably wrong but with so little to go on
>>>> that is only a wild guess.
>>
>> This still looks like it is the problem. Can you ping 194.166.207.200
>> from any of the local hosts? I doubt it. There was NO TRAFFIC FROM THE
>> LOCAL NET TO BE FORWARDED BY THE FIREWALL -- NONE! Your Shorewall
>> gateway cannot forward packets that aren't sent to it.
>>
>> So check the default gateway on the local system that you are trying to
>> ping from -- its default gateway should be set to 192.168.0.122.
>
> On all local clients I have set the default gateway to 192.168.0.122.
> From all local clients I can ping 192.168.0.122.
>

Tom asked to ping 194.166.207.200, not the gateway.

> Bernhard
>
>> -Tom

-- 
Ray Booysen
rj_booysen@rjb.za.net
Bernhard Frühmesser wrote:
> On all local clients I have set the default gateway to 192.168.0.122.
> From all local clients I can ping 192.168.0.122.

Well, your /etc/shorewall/masq file is definitely wrong. You have:

#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth1 eth0

But your external interface is ppp0. So at the very least, you need to add:

#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
ppp0 eth0

I'm guessing that the line you have will still be needed to enable access to your modem has an IP address in the 10.0.0.0/24 range.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>
> I'm guessing that the line you have will still be needed to enable
> access to your modem has an IP address in the 10.0.0.0/24 range.
>

Should be "...access to your modem *if it* has an IP ..."

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
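The two checks Tom asks for in the replies above (that the masq file masquerades out of the interface that actually holds the default route, and that a LAN client's default gateway points at the firewall's internal address) can be scripted. The following POSIX shell script is an added example; it is not part of this thread and not Shorewall's own code. The masq file content and the route lines are constructed samples that mirror the thread (eth1/eth0 masq, ppp0 default route, 192.168.0.122 as firewall address), and the function names route_dev, route_via, masq_covers, check_gateway and check_client are chosen here. On a live gateway the route line would come from the output of ip route show default.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a Shorewall masq file
# against the interface that really carries the default route, and check a
# LAN client's default gateway against the firewall's internal address.

# Constructed sample of the masq file as quoted in the thread.
SAMPLE_MASQ='#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth1 eth0'

# Constructed sample of "ip route show default" output on the gateway:
# the PPPoE link, not eth1, is the real external interface.
SAMPLE_GW_ROUTE='default via 10.0.0.140 dev ppp0'

# Constructed sample of the same command on a LAN client pointed at the firewall.
SAMPLE_CLIENT_ROUTE='default via 192.168.0.122 dev eth0'

# route_dev ROUTE_LINE -> prints the interface ("dev" field) of a default route line
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# route_via ROUTE_LINE -> prints the next hop ("via" field) of a default route line
route_via() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "via") { print $(i+1); exit } }'
}

# masq_covers MASQ_CONTENT IFACE -> exit 0 if a non-comment masq line masquerades
# out of IFACE. The INTERFACE column may carry a ":dest" suffix in Shorewall
# syntax (e.g. "ppp0:!10.0.0.0/24"), which is stripped before comparing.
masq_covers() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { iface = $1; sub(/:.*/, "", iface); if (iface == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_gateway MASQ_CONTENT GW_ROUTE_LINE -> 0 if masq covers the default-route interface
check_gateway() {
    ext=$(route_dev "$2")
    if [ -z "$ext" ]; then
        echo "no default route on the gateway: nothing can be forwarded to the Internet"
        return 1
    fi
    if masq_covers "$1" "$ext"; then
        echo "masq covers external interface $ext"
        return 0
    fi
    echo "masq file has no entry for $ext; add a line such as: $ext eth0"
    return 1
}

# check_client CLIENT_ROUTE_LINE FW_LAN_IP -> 0 if the client's default gateway is the firewall
check_client() {
    via=$(route_via "$1")
    if [ "$via" = "$2" ]; then
        echo "client default gateway is $via (the firewall)"
        return 0
    fi
    echo "client default gateway is '${via:-unset}', expected $2"
    return 1
}

# Stand-alone run over the constructed samples. On a live gateway, use:
#   check_gateway "$(cat /etc/shorewall/masq)" "$(ip route show default)"
check_gateway "$SAMPLE_MASQ" "$SAMPLE_GW_ROUTE" || true   # fails: eth1 is not the external interface
check_gateway "$(printf '%s\nppp0 eth0\n' "$SAMPLE_MASQ")" "$SAMPLE_GW_ROUTE"   # passes after adding ppp0
check_client "$SAMPLE_CLIENT_ROUTE" 192.168.0.122
```

The first check fails on the thread's original masq file because the only masquerade line names eth1 while the default route leaves via ppp0; appending the "ppp0 eth0" line Tom suggests makes it pass. The client check is the quick test for the default-route problem Tom raised first: a client whose "via" is not 192.168.0.122 never sends its Internet traffic to the firewall, so Shorewall has nothing to forward or log.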
Tom Eastep wrote:
> Bernhard Frühmesser wrote:
>
>> On all local clients I have set the default gateway to 192.168.0.122.
>> From all local clients I can ping 192.168.0.122.
>
> Well, your /etc/shorewall/masq file is definitely wrong. You have:
>
> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
> eth1 eth0
>
> But your external interface is ppp0. So at the very least, you need to add:
>
> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
> ppp0 eth0
>
> I'm guessing that the line you have will still be needed to enable
> access to your modem has an IP address in the 10.0.0.0/24 range.

I changed the settings in masq, but that didn't help, so I completely removed shorewall (also everything inside /etc/shorewall). After that I reinstalled the latest version and installed the "two-interface" sample, which I have modified. Now it works fine.

Could it be that the new shorewall version got something wrong from the "old" config files which I kept before? But I remember that when I upgraded Shorewall from version 2.2 to 3.0.6 I did "shorewall check" after installation, which didn't show anything wrong.

Thanks, BF.

> -Tom