Hi everybody.

I'm sorry to bother you because I'm probably doing something wrong, but
I have already read the documentation and I have been using shorewall
for quite a long time.

I recently installed 3.2.3 from source (but there was the same problem
with 3.0.7 from apt-get ... -t unstable).

The thing is that I can't get masq working. Maybe this is because
something changed in masq since I have been using a similar configuration
in 2.x. But I can't see what... There is nothing in messages so it doesn't
point me in the right direction. No REJECT, no loc2something... No
communication like loc2net is logged when I try to get through (ping,
dns, telnet...).

It is not a vmware-related issue since the same problem occurs when I try
to masq a real computer, e.g. from eth1.

THANKS!
This is my config:
interfaces:
net eth2 detect dhcp # wan -- to cable modem
loc eth1 detect
loc vmnet0 detect
masq:
eth2 vmnet0 # the same with eth1
modules:
default from /usr/share/doc/shorewall/default-config/ # version 3.0.7
policy:
fw all ACCEPT
loc all ACCEPT info
net all DROP info
all all REJECT info
rules:
there is no rule like
ACCEPT/REJECT/... loc net/fw - - -
just a few like
ACCEPT net:a.b.c.d fw tcp 21,22,443 -
routestopped:
eth2 x.x.x.x
eth2 y.y.y.y
zones:
fw firewall
net ipv4
loc ipv4
shorewall.conf: (I think it's default but not sure)
STARTUP_ENABLED=Yes
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
IPTABLESPATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
FW=
IP_FORWARDING=Keep
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
-- Matej --
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Matej wrote:
> Hi everybody.
>
> I'm sorry to bother you because I'm probably doing something wrong, but
> I have already read the documentation and I have been using shorewall
> for quite a long time.
>
> I recently installed 3.2.3 from source (but there was the same problem
> with 3.0.7 from apt-get ... -t unstable)
>
> The thing is, that I can't get masq working. Maybe this is because
> something changed in masq since I have been using similar configuration
> in 2.x

"can't get masq working" means what?

a) You have looked at the outgoing packets with tcpdump and see that the
source IP address has not been altered?

b) When you try to access the internet from your local network(s), it
fails (with some symptoms known only to you)?

c) When you try to access the internet from your local network(s), there
are no packets forwarded to the internet and the attempt fails with a
"no route" error?

d) Other?

> But I can't see what... There is nothing in messages so it doesn't point
> me in the right direction. No REJECT, no loc2something... No
> communication like loc2net is logged when I try to get through (ping,
> dns, telnet...)
>
> It is not a vmware-related issue since the same problem is when I try to
> masq a real computer like from eth1.
>
> THANKS!
>
> This is my config:

In the future, please refer to http://www.shorewall.net/support.htm for
instructions on submitting a problem report.

> shorewall.conf: (i think it's default but not sure)

...

> IP_FORWARDING=Keep
>

The Debian maintainer sets the above in the default shorewall.conf as a
security measure. You probably want to change the setting to 'On' unless
you have enabled forwarding in sysctl.conf.

Note: When upgrading Shorewall on Debian or its derivatives, it is wise to
decline the offer to upgrade shorewall.conf; this sort of problem is the
result if you accept.

If that doesn't help then please submit a problem report as described in
the URL that I mentioned above.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
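An added illustration of the point in Tom's reply (example code, not from the thread or from Shorewall): a small POSIX sh diagnostic that reads the IP_FORWARDING setting from a shorewall.conf and the kernel net.ipv4.ip_forward value, and reports whether forwarding will actually be on after Shorewall starts. The file paths, the function names and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall itself. It
# models the IP_FORWARDING semantics from Tom's reply: On/Off set the
# kernel flag at start, Keep leaves whatever the kernel already has.
# With Keep and a kernel default of 0 the packets from loc are never
# routed, so they never reach the FORWARD chain and no loc2net log
# line appears, which matches the "nothing in messages" symptom.
# Assumed inputs: a shorewall.conf and a file holding the kernel
# net.ipv4.ip_forward value (normally /proc/sys/net/ipv4/ip_forward).

# Last uncommented IP_FORWARDING= value in CONF ($1); an empty or
# missing setting is treated as On (assumption: the documented default).
shorewall_ip_forwarding() {
    val=$(grep '^[[:space:]]*IP_FORWARDING=' "$1" | tail -n 1 \
          | cut -d= -f2- | tr -d "\"' \t")
    echo "${val:-On}"
}

# Echo on/off: the forwarding state after Shorewall starts, given CONF
# ($1) and the kernel value file ($2). Returns 1 on an unknown setting.
effective_forwarding() {
    setting=$(shorewall_ip_forwarding "$1")
    kernel=$(tr -d '[:space:]' < "$2")
    case "$setting" in
        [Oo]n)   echo on ;;
        [Oo]ff)  echo off ;;
        [Kk]eep) [ "$kernel" = "1" ] && echo on || echo off ;;
        *)       echo "unrecognised IP_FORWARDING=$setting" >&2; return 1 ;;
    esac
}

# One-line diagnosis of the symptom discussed in the thread.
diagnose() {
    state=$(effective_forwarding "$1" "$2") || return 1
    if [ "$state" = on ]; then
        echo "forwarding on: masq can work; check the masq file and the nat table next"
    else
        echo "forwarding off: masq cannot work and nothing is logged;" \
             "set IP_FORWARDING=On or enable net.ipv4.ip_forward in sysctl.conf"
    fi
}

# Constructed sample reproducing the Debian default described above.
demo() {
    d=$(mktemp -d)
    printf 'STARTUP_ENABLED=Yes\nIP_FORWARDING=Keep\n' > "$d/shorewall.conf"
    printf '0\n' > "$d/ip_forward"
    diagnose "$d/shorewall.conf" "$d/ip_forward"
    rm -rf "$d"
}
```

Run `demo` to see the diagnosis for the Keep-plus-disabled-kernel case; on a live box call `diagnose /etc/shorewall/shorewall.conf /proc/sys/net/ipv4/ip_forward` instead.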
> IP_FORWARDING=Keep

I'm guessing you're using Debian?

Try FAQ #15
http://shorewall.net/FAQ.htm#faq15
Yes, I do... Thank you very much, it helped of course :)

> ------------------------------------------------------------------------
>
> Subject:
> Re: [Shorewall-users] masq problem
> From:
> "Russel" <rusabus@hotmail.com>
> Date:
> Tue, 29 Aug 2006 12:55:59 -0600
> To:
> "Shorewall Users" <shorewall-users@lists.sourceforge.net>
>
>> IP_FORWARDING=Keep
>
> I'm guessing you're using Debian?
>
> Try FAQ #15
> http://shorewall.net/FAQ.htm#faq15