Dear list,

Trying to set up a firewall with two isp links (eth1, eth2) and one
internal interface (eth0). All the information and guidelines in the
MultipleISP-document are followed. But when I issue 'shorewall restart'
the process halts with the following message:

Setting up Masquerading/SNAT...
iptables v1.3.6: Need TCP or UDP with port specification
Try `iptables -h' or 'iptables --help' for more information.
   ERROR: Command "/sbin/iptables -t nat -A eth1_masq -s 89.98.247.0/24
-d 0.0.0.0/0 -j MASQUERADE --to-ports eth1" Failed

I run the latest shorewall 3.4.4, freshly downloaded and installed this
morning.

My /etc/shorewall/masq file looks like:
# cross-connection-masq
eth1    $ETH2_IP    $ETH1_IP
eth2    $ETH1_IP    $ETH2_IP

The variables are set up in /etc/shorewall/params:
ETH1_IP=($find_first_interface_address eth1)
ETH2_IP=($find_first_interface_address eth2)

The syntax of the iptables-command is wrong, but I can't figure out why
Shorewall issues its commands this way.

Of course, when this basic setup gets through, entries have to be added
to masq traffic from the local network etc.

Any ideas on this one?

--
Best regards,
Sjon Wijnolst

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Sjon Wijnolst wrote:
> Dear list,
>
> Trying to set up a firewall with two isp links (eth1, eth2) and one
> internal interface (eth0). All the information and guidelines in the
> MultipleISP-document are followed. But when I issue 'shorewall restart'
> the process halts with the following message:
>
> Setting up Masquerading/SNAT...
> iptables v1.3.6: Need TCP or UDP with port specification
> Try `iptables -h' or 'iptables --help' for more information.
>    ERROR: Command "/sbin/iptables -t nat -A eth1_masq -s 89.98.247.0/24
> -d 0.0.0.0/0 -j MASQUERADE --to-ports eth1" Failed
>
> I run the latest shorewall 3.4.4, freshly downloaded and installed this
> morning.
>
> My /etc/shorewall/masq file looks like:
> # cross-connection-masq
> eth1    $ETH2_IP    $ETH1_IP
> eth2    $ETH1_IP    $ETH2_IP
>
> The variables are set up in /etc/shorewall/params:
> ETH1_IP=($find_first_interface_address eth1)
> ETH2_IP=($find_first_interface_address eth2)

The syntax of those two commands is wrong (The '$' should be before the
'(').

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Sjon Wijnolst|Salisbury BV
2007-Jun-26 09:13 UTC
Re: Multiple ISP setup: problems with masq-file
Tom Eastep wrote:
> Sjon Wijnolst wrote:
>
>> The variables are set up in /etc/shorewall/params:
>> ETH1_IP=($find_first_interface_address eth1)
>> ETH2_IP=($find_first_interface_address eth2)
>>
> The syntax of those two commands is wrong (The '$' should be before the
> '(').
>

Thanks Tom, it solved the issue! Very sorry to bother you with such a
simple mistake, shame on me...

Maybe it's an idea to add a check on the 'params' file to 'shorewall
check'? Just for those few people like me.

--
Best regards,
Sjon

Sjon Wijnolst|Salisbury BV wrote:
> Tom Eastep wrote:
>> Sjon Wijnolst wrote:
>>
>>> The variables are set up in /etc/shorewall/params:
>>> ETH1_IP=($find_first_interface_address eth1)
>>> ETH2_IP=($find_first_interface_address eth2)
>>>
>> The syntax of those two commands is wrong (The '$' should be before the
>> '(').
>>
> Thanks Tom, it solved the issue! Very sorry to bother you with such a
> simple mistake, shame on me...
>
> Maybe it's an idea to add a check on the 'params' file to 'shorewall
> check'? Just for those few people like me.

The params file is checked during 'shorewall check'. The problem is that
/etc/shorewall/params can contain arbitrary shell code. Your shell code
didn't do what you wanted it to do but it was not incorrect in and of
itself; it was perfectly valid code.

FWIW, Shorewall-perl would have caught your error at compile time rather
than at run-time; but the problem probably would not have been any
easier to analyze.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
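
Added example, not part of the thread and not Shorewall code: it shows why the params line as posted is valid shell yet leaves the literal string "eth1" in $ETH1_IP, which is consistent with the "--to-ports eth1" in the failed iptables command, and how a value check catches it. Assumptions: params is read by bash, the stub stands in for Shorewall's find_first_interface_address, 192.0.2.10 is a constructed address, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example; requires bash on PATH for the array syntax.
# The stub stands in for Shorewall's find_first_interface_address and
# 192.0.2.10 is a constructed documentation address.

# Evaluate one params-style assignment and return what $ETH1_IP expands to.
expand_params_line() {
    bash -c '
        find_first_interface_address() { echo 192.0.2.10; }
        eval "$1"
        printf "%s" "$ETH1_IP"
    ' _ "$1"
}

# Succeed only if $1 is a dotted-quad IPv4 address.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Report what a params line produces and whether it is usable as an address.
check_params_line() {
    value=$(expand_params_line "$1")
    if is_ipv4 "$value"; then
        echo "ok   $1 -> $value"
    else
        echo "BAD  $1 -> '$value' (not an IPv4 address)"
    fi
}

# As posted: "$" inside the parentheses. bash reads this as an array assignment
# whose first word is an unset variable, leaving the single element "eth1".
check_params_line 'ETH1_IP=($find_first_interface_address eth1)'
# As corrected: command substitution calls the function.
check_params_line 'ETH1_IP=$(find_first_interface_address eth1)'
```

Running a check like is_ipv4 on each address variable at the end of params turns this kind of slip into an immediate, readable failure instead of a malformed iptables rule.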