David Brown
2008-Feb-01 05:29 UTC
Cannot get accept rule to work for local network connection
Hello Shoreline Firewall users,

I am running Shorewall with 2 ethernet cards: eth0 and eth1. The eth0 is the public and the eth1 is the private LAN. All the issues I am having are strictly on the eth1 side of the world.

I have several machines behind the firewall attached to the eth1 side of my network. My private side machines' IP addresses are static and in the non-routable 192.168.1.0/24 class. The eth1 card is obviously the gateway for the local network (192.168.1.1). So, all traffic essentially goes through the gateway before it leaves eth1 outbound for the 192.168.1.0/24 destinations.

Here is the problem:

I have Java testing and monitoring software that uses RMI for the network communication. This communication protocol uses port 1099 (default). The software will allow the control of 1 or more slave machines from a single master. The master/slave machines topology is all behind eth1. And, to communicate: all of their traffic is routed through the eth1 gateway.

The only problem is the Shoreline firewall is present and affecting the eth1 traffic just as it monitors the eth0 traffic. I cannot seem to come up with a rule to allow any and all client machines attached to eth1 to share traffic.

I have replaced the Java software testing with telnet to the target host at port 1099:

telnet 192.168.1.2 1099

The telnet connection attempts, just like the Java software connection attempts, return: Connection refused!

The topology follows:

              eth0 (public IP)
                 |
                 |
            192.168.1.1
               eth1
               /   \
              /     \
    192.168.1.2     192.168.1.14

The host 192.168.1.1 is blocking all of the traffic from either machine attached to the eth1 gateway @ 192.168.1.1. All of the network traffic is masqueraded between eth0 and eth1.

Thanks, David.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Tom Eastep
2008-Feb-01 15:55 UTC
Re: Cannot get accept rule to work for local network connection
David Brown wrote:

David,

In the future, please refer to http://www.shorewall.net/support.htm#Guidelines when submitting a problem report. Also, please configure your mailer to fold lines at a reasonable length; each of your paragraphs is one long line, which makes quoting from your post a complete PITA.

Thanks

> ... 2 ethernet cards: eth0 and eth1. The eth0 is the public and the eth1
> is the private LAN. All the issues I am having are strictly on the eth1
> I have several machines behind the firewall attached to the eth1 side of
> my network. My private side machines' IP addresses are static and in
> the non-routable 192.168.1.0/24 class. The eth1 card is obviously the
> gateway for the local network (192.168.1.1). So, all traffic
> essentially goes through the gateway before it leaves eth1 outbound
> for the 192.168.1.0/24 destinations.

Traffic between the local hosts *does not* go through your firewall. So for example (referring to your diagram below), traffic between 192.168.1.2 and 192.168.1.14 is not routed by your firewall.

>
> I have Java testing and monitoring software that uses RMI for the
> network communication. This communication protocol uses
> port 1099 (default). The software will allow the control of 1 or
> more slave machines from a single master. The master/slave machines
> topology is all behind eth1. And, to communicate: all of their
> traffic is routed through the eth1 gateway.

If all of the machines are configured with addresses in 192.168.1.0/24 and all of them have the same netmask (255.255.255.0), then again, traffic between them is *not* routed by your firewall.

> The only problem is the Shoreline firewall is present and affecting
> the eth1 traffic just as it monitors the eth0 traffic.
> I cannot seem to come up with a rule to allow any and all client machines
> attached to eth1 to share traffic.
>
> I have replaced the Java software testing with telnet to the target host at port 1099:
>
> telnet 192.168.1.2 1099
>
> The telnet connection attempts, just like the Java software connection attempts,
> return: Connection refused!

You are running the telnet client on 192.168.1.14? If so, your firewall has nothing to do with this problem. To prove this to yourself:

a) 'shorewall clear'. That will remove all netfilter rules from your configuration.

b) Try the 'telnet' command again. Does it work?

c) 'shorewall start'

Unless telnet is able to connect in step b), your problem is unrelated to Shorewall.

>
> The topology follows:
>
>
>               eth0 (public IP)
>                  |
>                  |
>             192.168.1.1
>                eth1
>                /   \
>               /     \
>     192.168.1.2     192.168.1.14

If you find that telnet is able to connect with Shorewall cleared, then please submit another problem report that follows the guidelines at the URL I mention above.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
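The routing point Tom makes above (hosts on the same /24 deliver to each other on the link and never hand the packet to the gateway, so Shorewall on 192.168.1.1 never sees it) can be checked from the hosts' own addressing. The following is an added example for this thread, not code from the Shorewall project or from either poster: it reproduces the sending host's routing decision with Python's standard `ipaddress` module, using the addresses, netmask and gateway from the post's diagram. It also goes one step past the thread to show Tom's "same netmask" caveat in action: with a mismatched mask on one host, some LAN-to-LAN traffic does go via the gateway, and only in one direction. The public destination 203.0.113.10 is a constructed documentation address; no proxy ARP or host routes are assumed.

```python
"""Does LAN-to-LAN traffic ever reach the gateway (and thus the firewall)?

Added example for this thread, not Shorewall project code. Addresses,
netmask and gateway come from the post's diagram; the /25 mismatch and
the public destination 203.0.113.10 are constructed for illustration.
"""
import ipaddress


def next_hop(src_ip: str, netmask: str, gateway_ip: str, dst_ip: str) -> str:
    """Model the sending host's route lookup.

    A host only uses its default route when the destination is outside
    the subnet it computes from its own address and netmask; otherwise
    it resolves the destination with ARP and sends on the link directly,
    and the gateway (here 192.168.1.1, where Shorewall runs) is not involved.
    Returns 'direct' or 'via <gateway_ip>'.
    """
    src = ipaddress.ip_interface(f"{src_ip}/{netmask}")  # dotted masks are accepted
    dst = ipaddress.ip_address(dst_ip)
    if dst in src.network:
        return "direct"
    return f"via {gateway_ip}"


def traverses_firewall(src_ip: str, netmask: str, gateway_ip: str, dst_ip: str) -> bool:
    """True only when the packet is handed to the gateway, i.e. Shorewall can filter it."""
    return next_hop(src_ip, netmask, gateway_ip, dst_ip) != "direct"


def lan_pairs_via_gateway(hosts: dict, gateway_ip: str) -> list:
    """hosts maps each LAN address to the netmask configured on that host.

    Returns the ordered (src, dst) pairs whose traffic would go through the
    gateway. With a consistent netmask on every host the list is empty, which
    is exactly why a firewall rule on the gateway cannot fix a LAN-only problem.
    """
    hits = []
    for src, mask in hosts.items():
        for dst in hosts:
            if src != dst and traverses_firewall(src, mask, gateway_ip, dst):
                hits.append((src, dst))
    return hits


if __name__ == "__main__":
    GW = "192.168.1.1"
    # The poster's LAN: both hosts /24, as in the diagram.
    lan = {"192.168.1.2": "255.255.255.0", "192.168.1.14": "255.255.255.0"}
    print("telnet 192.168.1.14 -> 192.168.1.2:",
          next_hop("192.168.1.14", "255.255.255.0", GW, "192.168.1.2"))
    print("192.168.1.14 -> 203.0.113.10:",
          next_hop("192.168.1.14", "255.255.255.0", GW, "203.0.113.10"))
    print("LAN pairs seen by the gateway:", lan_pairs_via_gateway(lan, GW))

    # Constructed mismatch: one host misconfigured with a /25 mask. Its own
    # traffic to the .2 host now goes via the gateway, but the reply does not.
    mixed = {"192.168.1.2": "255.255.255.0", "192.168.1.200": "255.255.255.128"}
    print("with a /25 mismatch:", lan_pairs_via_gateway(mixed, GW))
```

Running it prints `direct` for the telnet test in the post and an empty pair list for the /24 LAN, which is the concrete form of "your firewall has nothing to do with this problem": a `Connection refused` on that path comes from the target host itself, so the useful next checks are on 192.168.1.2 (is anything listening on 1099, and does that host have its own packet filter), not in the gateway's rules. The mismatched-mask case shows why Tom qualifies his statement with "the same netmask": an asymmetric path like that is one of the few ways LAN-to-LAN traffic does land on the gateway, and it is worth ruling out before touching Shorewall's configuration.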