I installed Shorewall on my cluster per the instructions for two-interface setup. However, now I can't ssh from the master node to any other node -- it simply says "ssh: connect to host node2 port 22: No route to host." (same for all other nodes). Additionally, I can't SSH into the cluster anymore from my remote clients.

I thought that the tutorial said SSH would be enabled? When I shut off Shorewall, I still can't ssh between nodes, but I am able to ssh into the cluster from my remote clients. Even when I do a "shorewall clear" I still cannot get to my other nodes. I imagine this is a simple fix, but I don't know how based on the tutorial and my lack of IP vocabulary.

A little info on my system:
-1 master node, 15 slave nodes
-Master node has two network cards: eth0 is attached to the local network, eth1 is attached to the outside network (I made sure to change the default files to account for this since the tutorial assumes eth0 is the external interface)
-I'm configuring it remotely by ssh-ing into the master node as the root user, but the cluster does have a direct interface I can use if necessary (I'm just not sitting at it right now).
-I'm running Ubuntu 8.04 Server
-I installed Shorewall 4.0.6 from the Ubuntu repositories
-All of my configuration files are essentially the default (as in the tutorial) except for the eth1 / eth0 switch.

Sorry, this is a real rookie problem, but I don't know what's going on. Thanks guys.

---------------------------------------------
Christopher Tanner
Space Systems Design Laboratory
Georgia Institute of Technology
christopher.tanner@gatech.edu
----------------------------------------------

------------------------------------------------------------------------------
Christopher Tanner wrote:
> I installed Shorewall on my cluster per the instructions for
> two-interface setup. However, now I can't ssh from the master node to any
> other node -- it simply says "ssh: connect to host node2 port 22: No
> route to host." (same for all other nodes). Additionally, I can't SSH
> into the cluster anymore from my remote clients.
>
> I thought that the tutorial said SSH would be enabled?

You keep mentioning 'the tutorial'. What tutorial? There is a two-interface tutorial at shorewall.net (http://www.shorewall.net/two-interfaces.htm) but it definitely *doesn't* say that 'SSH is enabled by default'. And it doesn't mention clusters.

> When I shut off
> Shorewall, I still can't ssh between nodes, but I am able to ssh into
> the cluster from my remote clients.

And how exactly do you 'shut off shorewall'?

> Even when I do a "shorewall clear"
> I still cannot get to my other nodes. I imagine this is a simple fix,
> but I don't know how based on the tutorial and my lack of IP vocabulary.
>
> A little info on my system:

We would much rather have the information we ask for at http://www.shorewall.net/support.htm#Guidelines; the email you received when you subscribed to this list urged you to look at that page before posting.

------------------------------------------------------------------------------
Sorry... Ok, I'm having a traffic shaping problem. The status.txt.gz is attached.

The tutorial I used was this one <http://www.shorewall.net/two-interface.htm>. I misspoke in my previous email... By 'SSH enabled by default' I meant the SSH/ACCEPT line in the sample 'rules' file was left alone, such that SSH was accepted. 'Shut off shorewall' means 'shorewall stop' and 'shorewall clear'. Even though the tutorial didn't mention clusters, I thought it might be a good starting point b/c the master node is a two-interface system.

Since my setup is basically that of the sample files provided, I'll try to explain what I want to do:
-I have a cluster (1 master, 15 slave nodes) which is already behind a university firewall.
-The master node is the only node connected to the university/outside network (on eth1) with a static IP. The other nodes are all connected to the master (on eth0) through a switch. The master node is a DHCP server and assigns each node a static internal IP in the range of 10.0.0.1 to 10.0.0.16. Each node is connected to the master on eth0.
-I would like Shorewall to make it such that the slave nodes can see the outside internet -- i.e. make them use the master node's IP address and send data to/receive data from sources outside the cluster's internal network (IP masquerading and SNAT, I think). I also need to be able to SSH into the master node from a remote terminal and SSH from the master node to any other node in the cluster.
-I do not need it to be a firewall because the whole system is already behind one. I'm hoping this should make the policy and rules setup much easier and the firewall shouldn't prevent anything from happening.

Right now I can SSH into the cluster from a remote computer, but I can't SSH to any of the other nodes. And I have no idea if the other nodes can communicate beyond the local network.

Any more help would be greatly appreciated. I hope this is more clear than my previous email. Thanks.

---------------------------------------------
Christopher Tanner
Space Systems Design Laboratory
Georgia Institute of Technology
christopher.tanner@gatech.edu
----------------------------------------------

On Dec 22, 2008, at 6:02 PM, Shorewall Geek wrote:
> Christopher Tanner wrote:
>> I installed Shorewall on my cluster per the instructions for
>> two-interface setup. However, now I can't ssh from the master node to any
>> other node -- it simply says "ssh: connect to host node2 port 22: No
>> route to host." (same for all other nodes). Additionally, I can't SSH
>> into the cluster anymore from my remote clients.
>>
>> I thought that the tutorial said SSH would be enabled?
>
> You keep mentioning 'the tutorial'. What tutorial? There is a
> two-interface tutorial at shorewall.net
> (http://www.shorewall.net/two-interfaces.htm) but it definitely
> *doesn't* say that 'SSH is enabled by default'. And it doesn't mention
> clusters.
>
>> When I shut off
>> Shorewall, I still can't ssh between nodes, but I am able to ssh into
>> the cluster from my remote clients.
>
> And how exactly do you 'shut off shorewall'?
>
>> Even when I do a "shorewall clear"
>> I still cannot get to my other nodes. I imagine this is a simple fix,
>> but I don't know how based on the tutorial and my lack of IP
>> vocabulary.
>>
>> A little info on my system:
>
> We would much rather have the information we ask for at
> http://www.shorewall.net/support.htm#Guidelines; the email you received
> when you subscribed to this list urged you to look at that page before
> posting.

------------------------------------------------------------------------------
Christopher Tanner wrote:
> -I have a cluster (1 master, 15 slave nodes) which is already behind a
> university firewall.
> -The master node is the only node connected to the university/outside
> network (on eth1) with a static IP. The other nodes are all connected to
> the master (on eth0) through a switch. The master node is a DHCP server
> and assigns each node a static internal IP in the range of 10.0.0.1 to
> 10.0.0.16. Each node is connected to the master on eth0.
> -I would like Shorewall to make it such that the slave nodes can see the
> outside internet -- i.e. make them use the master node's IP address and
> send data to/receive data from sources outside the cluster's internal
> network (IP masquerading and SNAT, I think). I also need to be able to
> SSH into the master node from a remote terminal and SSH from the master
> node to any other node in the cluster.
> -I do not need it to be a firewall because the whole system is already
> behind one. I'm hoping this should make the policy and rules setup much
> easier and the firewall shouldn't prevent anything from happening.

Then you certainly don't need one of the most complex Linux firewalls available installed on the box.

a) Uninstall Shorewall.
b) Arrange for this command to be executed at boot time:

    iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE

   Hint: you can add it to /etc/network/interfaces as a post-up command

c) Set the default gateway on the other nodes to 10.0.0.1 (you needed to do that for Shorewall anyway).

------------------------------------------------------------------------------
Thanks for your help. I uninstalled Shorewall (apt-get purge shorewall), but all of the iptable stuff that Shorewall setup is still there, thus I still cannot SSH to my other nodes from the master node. I still get the error:
"ssh: connect to host node2 port 22: No route to host"

If I do "iptables --flush", it'll completely clear out all iptable rules, then nothing works. After searching, I cannot find the iptables command that will enable a) ssh into the master node from a remote computer and b) ssh to other nodes from the master node. Does anyone know how to do this?

I know, it's not specifically shorewall related, but I don't know of anywhere else to specifically ask about iptable configuration. Thanks in advance.

---------------------------------------------
Christopher Tanner
Space Systems Design Laboratory
Georgia Institute of Technology
christopher.tanner@gatech.edu
----------------------------------------------

On Dec 23, 2008, at 7:33 PM, Shorewall Geek wrote:
> Christopher Tanner wrote:
>
>> -I have a cluster (1 master, 15 slave nodes) which is already behind a
>> university firewall.
>> -The master node is the only node connected to the university/outside
>> network (on eth1) with a static IP. The other nodes are all connected to
>> the master (on eth0) through a switch. The master node is a DHCP server
>> and assigns each node a static internal IP in the range of 10.0.0.1 to
>> 10.0.0.16. Each node is connected to the master on eth0.
>> -I would like Shorewall to make it such that the slave nodes can see the
>> outside internet -- i.e. make them use the master node's IP address and
>> send data to/receive data from sources outside the cluster's internal
>> network (IP masquerading and SNAT, I think). I also need to be able to
>> SSH into the master node from a remote terminal and SSH from the master
>> node to any other node in the cluster.
>> -I do not need it to be a firewall because the whole system is already
>> behind one. I'm hoping this should make the policy and rules setup much
>> easier and the firewall shouldn't prevent anything from happening.
>
> Then you certainly don't need one of the most complex Linux firewalls
> available installed on the box.
>
> a) Uninstall Shorewall.
> b) Arrange for this command to be executed at boot time:
>
>     iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
>
>    Hint: you can add it to /etc/network/interfaces as a post-up command
>
> c) Set the default gateway on the other nodes to 10.0.0.1 (you needed to
> do that for Shorewall anyway).

------------------------------------------------------------------------------
Christopher Tanner wrote:
> Thanks for your help. I uninstalled Shorewall (apt-get purge
> shorewall), but all of the iptable stuff that Shorewall setup is still
> there,

No it is not.

> thus I still cannot SSH to my other nodes from the master node.
> I still get the error:
> "ssh: connect to host node2 port 22: No route to host"

Then your routing is screwed up -- and Shorewall has nothing to do with local routing -- EVER. Shorewall can set up policy routing for multiple ISPs but that still won't break the ability to connect within a local network.

>
> If I do "iptables --flush", it'll completely clear out all iptable
> rules, then nothing works

Not all networking problems are due to netfilter -- did you test your network connectivity BEFORE installing and starting Shorewall?

> After searching, I cannot find the iptables
> command that will enable a) ssh into the master node from a remote
> computer and b) ssh to other nodes from the master node. Does anyone
> know how to do this?

Again, 'no route to host' has nothing to do with either Shorewall or iptables.

------------------------------------------------------------------------------
Shorewall Geek wrote:
>
> Again, 'no route to host' has nothing to do with either Shorewall or
> iptables.

You may be able to recover your configured routes by "/etc/init.d/network restart". Or by rebooting the hosts...

------------------------------------------------------------------------------
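
Added example, not part of the original thread: the state the replies above describe for the master node (a MASQUERADE rule for 10.0.0.0/24, nothing left in the filter table, a connected route to the cluster network on eth0), written as shell checks. The function names and the sample iptables-save and ip route text are constructed for illustration; on a real master, pass in the live output of `iptables-save` and `ip route show`.

```shell
#!/bin/sh
# Added example: offline checks of NAT, filter and routing state for the master.
# SAMPLE_* values are constructed; 192.0.2.1 is a documentation address.
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
SAMPLE_ROUTES='10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1
default via 192.0.2.1 dev eth1'

# has_masquerade RULES NET: succeeds if the nat table masquerades traffic from NET.
has_masquerade() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^[*]/ { table = $1 }
        table == "*nat" && $1 == "-A" && $2 == "POSTROUTING" {
            src = ""; tgt = ""
            for (i = 3; i < NF; i++) { if ($i == "-s") src = $(i+1); if ($i == "-j") tgt = $(i+1) }
            if (src == net && tgt == "MASQUERADE") found = 1
        }
        END { exit (found ? 0 : 1) }'
}
# filter_is_open RULES: succeeds if the filter table has only built-in chains
# with ACCEPT policy and no rules (user-defined chains show "-" as policy).
filter_is_open() {
    printf '%s\n' "$1" | awk '
        /^[*]/ { table = $1 }
        table == "*filter" && /^:/ && $2 != "ACCEPT" { bad = 1 }
        table == "*filter" && $1 == "-A" { bad = 1 }
        END { exit bad + 0 }'
}
# route_dev ROUTES NET: prints the interface that carries the route to NET.
route_dev() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1 == net { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}
# check_master RULES ROUTES: reports each missing piece, returns non-zero if any.
check_master() {
    rc=0
    has_masquerade "$1" 10.0.0.0/24 || { echo "missing MASQUERADE for 10.0.0.0/24"; rc=1; }
    filter_is_open "$1" || { echo "filter table still has rules or non-ACCEPT policies"; rc=1; }
    [ "$(route_dev "$2" 10.0.0.0/24)" = eth0 ] || { echo "no route to 10.0.0.0/24 on eth0"; rc=1; }
    return $rc
}
check_master "$SAMPLE_RULES" "$SAMPLE_ROUTES" && echo "sample state OK"
```

On the live master, /proc/sys/net/ipv4/ip_forward must also read 1, since the MASQUERADE rule only applies to packets the kernel forwards.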