Hi everybody.

I'm sorry to bother you because I'm probably doing something wrong, but I have already read the documentation and I have been using shorewall for quite a long time.

I recently installed 3.2.3 from source (but there was the same problem with 3.0.7 from apt-get ... -t unstable)

The thing is, that I can't get masq working. Maybe this is because something changed in masq since I have been using similar configuration in 2.x

But I can't see what... There is nothing in messages so it doesn't point me in the right direction. No REJECT, no loc2something... No communication like loc2net is logged when I try to get through (ping, dns, telnet...)

It is not a vmware-related issue since the same problem is when I try to masq a real computer like from eth1.

THANKS!

This is my config:

interfaces:
    net     eth2    detect  dhcp    # wan -- to cable modem
    loc     eth1    detect
    loc     vmnet0  detect

masq:
    eth2    vmnet0  # the same with eth1

modules:
    default from /usr/share/doc/shorewall/default-config/ # version 3.0.7

policy:
    fw      all     ACCEPT
    loc     all     ACCEPT  info
    net     all     DROP    info
    all     all     REJECT  info

rules:
    there is no rule like
    ACCEPT/REJECT/...   loc     net/fw  -       -       -
    just a few like
    ACCEPT  net:a.b.c.d fw      tcp     21,22,443       -

routestopped:
    eth2    x.x.x.x
    eth2    y.y.y.y

zones:
    fw      firewall
    net     ipv4
    loc     ipv4

shorewall.conf: (i think it's default but not sure)
    STARTUP_ENABLED=Yes
    LOGFILE=/var/log/messages
    LOGFORMAT="Shorewall:%s:%s:"
    LOGTAGONLY=No
    LOGRATE=
    LOGBURST=
    LOGALLNEW=
    BLACKLIST_LOGLEVEL=
    MACLIST_LOG_LEVEL=info
    TCP_FLAGS_LOG_LEVEL=info
    RFC1918_LOG_LEVEL=info
    SMURF_LOG_LEVEL=info
    LOG_MARTIANS=No
    IPTABLES=
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    SHOREWALL_SHELL=/bin/sh
    SUBSYSLOCK=""
    MODULESDIR=
    CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
    RESTOREFILE=
    IPSECFILE=zones
    FW=
    IP_FORWARDING=Keep
    ADD_IP_ALIASES=Yes
    ADD_SNAT_ALIASES=No
    RETAIN_ALIASES=No
    TC_ENABLED=Internal
    CLEAR_TC=Yes
    MARK_IN_FORWARD_CHAIN=No
    CLAMPMSS=No
    ROUTE_FILTER=Yes
    DETECT_DNAT_IPADDRS=No
    MUTEX_TIMEOUT=60
    ADMINISABSENTMINDED=Yes
    BLACKLISTNEWONLY=Yes
    DELAYBLACKLISTLOAD=No
    MODULE_SUFFIX=
    DISABLE_IPV6=Yes
    BRIDGING=No
    DYNAMIC_ZONES=No
    PKTTYPE=Yes
    RFC1918_STRICT=No
    MACLIST_TABLE=filter
    MACLIST_TTL=
    SAVE_IPSETS=No
    MAPOLDACTIONS=No
    FASTACCEPT=No
    BLACKLIST_DISPOSITION=DROP
    MACLIST_DISPOSITION=REJECT
    TCP_FLAGS_DISPOSITION=DROP

--
Matej

Matej wrote:
> Hi everybody.
>
> I'm sorry to bother you because I'm probably doing something wrong, but
> I have already read the documentation and I have been using shorewall
> for quite a long time.
>
> I recently installed 3.2.3 from source (but there was the same problem
> with 3.0.7 from apt-get ... -t unstable)
>
> The thing is, that I can't get masq working. Maybe this is because
> something changed in masq since I have been using similar configuration
> in 2.x

"can't get masq working" means what?

a) You have looked at the outgoing packets with tcpdump and see that the source IP address has not been altered?

b) When you try to access the internet from your local network(s), it fails (with some symptoms known only to you)?

c) When you try to access the internet from your local network(s), there are no packets forwarded to the internet and the attempt fails with a "no route" error?

d) Other?

>
> But I can't see what... There is nothing in messages so it doesn't point
> me in the right direction. No REJECT, no loc2something... No
> communication like loc2net is logged when I try to get through (ping,
> dns, telnet...)
>
> It is not a vmware-related issue since the same problem is when I try to
> masq a real computer like from eth1.
>
> THANKS!
>
> This is my config:

In the future, please refer to http://www.shorewall.net/support.htm for instructions on submitting a problem report.

>
> shorewall.conf: (i think it's default but not sure)
...
> IP_FORWARDING=Keep
>

The Debian maintainer sets the above in the default shorewall.conf as a security measure. You probably want to change the setting to 'On' unless you have enabled forwarding in sysctl.conf.

Note: When upgrading Shorewall on Debian or its derivatives, it is wise to decline the offer to upgrade shorewall.conf; this sort of problem is the result if you accept.

If that doesn't help then please submit a problem report as described in the URL that I mentioned above.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

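
The check Tom describes (IP_FORWARDING in shorewall.conf against forwarding enabled in sysctl.conf and in the running kernel), as an added example that is not part of the thread. The function names, the verdict strings and the constructed sample in `demo` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: explain why Shorewall masquerading may pass no traffic,
# based on IP_FORWARDING in shorewall.conf and the kernel's ip_forward flag.

# Print the IP_FORWARDING value (lower-cased) from a shorewall.conf-style file.
# Commented-out lines are ignored; the last assignment wins.
conf_ip_forwarding() {
    sed -n 's/^[[:space:]]*IP_FORWARDING="\{0,1\}\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Succeed if a sysctl.conf-style file sets net.ipv4.ip_forward to 1.
sysctl_enables_forwarding() {
    grep -Eq '^[[:space:]]*net[./]ipv4[./]ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1" 2>/dev/null
}

# check_forwarding SHOREWALL_CONF SYSCTL_CONF KERNEL_VALUE
# KERNEL_VALUE is the current content of /proc/sys/net/ipv4/ip_forward (0 or 1).
check_forwarding() {
    setting=$(conf_ip_forwarding "$1")
    case "$setting" in
        on)  echo "ok: IP_FORWARDING=On, Shorewall enables forwarding when it starts" ;;
        off) echo "blocked: IP_FORWARDING=Off, Shorewall disables forwarding when it starts" ;;
        keep)
            if [ "$3" = 1 ]; then
                echo "ok: IP_FORWARDING=Keep and the kernel already forwards"
            elif sysctl_enables_forwarding "$2"; then
                echo "pending: $2 enables forwarding but the kernel value is $3 (not yet applied)"
            else
                echo "blocked: IP_FORWARDING=Keep leaves forwarding off; set it to On or enable it in $2"
            fi ;;
        *)   echo "unknown: no usable IP_FORWARDING line in $1" ;;
    esac
}

# Constructed sample reproducing the thread: Keep, and no forwarding entry in sysctl.conf.
demo() {
    d=$(mktemp -d) || return 1
    printf 'STARTUP_ENABLED=Yes\nIP_FORWARDING=Keep\n' > "$d/shorewall.conf"
    : > "$d/sysctl.conf"
    check_forwarding "$d/shorewall.conf" "$d/sysctl.conf" 0
    rm -rf "$d"
}

# On a real firewall, check the live files; otherwise show the constructed case.
if [ -r /etc/shorewall/shorewall.conf ]; then
    check_forwarding /etc/shorewall/shorewall.conf /etc/sysctl.conf \
        "$(cat /proc/sys/net/ipv4/ip_forward)"
else
    demo
fi
```

A "blocked" verdict with Keep matches the symptom in the thread: the kernel never routes the packets between interfaces, so nothing reaches the loc2net chain and nothing is logged.
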
> IP_FORWARDING=Keep

I'm guessing you're using Debian?

Try FAQ #15
http://shorewall.net/FAQ.htm#faq15

Yes, I do... Thank you very much, it helped of course :)

> ------------------------------------------------------------------------
>
> Subject: Re: [Shorewall-users] masq problem
> From: "Russel" <rusabus@hotmail.com>
> Date: Tue, 29 Aug 2006 12:55:59 -0600
> To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
>
>> IP_FORWARDING=Keep
>
> I'm guessing you're using Debian?
>
> Try FAQ #15
> http://shorewall.net/FAQ.htm#faq15