Dear all,

I'm using Shorewall-3.2.8, and it worked fine before, but now I face a problem: some client IPs can access the internet, but some cannot! The following is the masq file:

---------------------------------------------------
#INTERFACE SUBNET          ADDRESS PROTO PORT(S) IPSEC
eth1       192.168.1.0/27
eth1       192.168.1.67
eth1       192.168.1.72
eth1       192.168.1.75
eth1       192.168.1.76
eth1       192.168.1.78
eth1       192.168.1.84
eth1       192.168.1.139
eth1       192.168.1.140
eth1       192.168.1.153
eth1       192.168.1.160
eth1       192.168.1.161
eth1       192.168.1.188
eth1       192.168.1.253
eth1       192.168.1.69    -       tcp   25,110
eth1       192.168.1.70    -       tcp   25,110
eth1       192.168.1.71    -       tcp   25,110
eth1       192.168.1.81    -       tcp   25,110
eth1       192.168.1.83    -       tcp   25,110
eth1       192.168.1.86    -       tcp   25,110
eth1       192.168.1.87    -       tcp   25,110
eth1       192.168.1.94    -       tcp   25,110
eth1       192.168.1.90    -       tcp   25,110
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

The address 192.168.1.140 could access the internet before, but now it cannot! Why?

Another question: I want to use MAC addresses instead of IP addresses; is it easy to do this?

----------------------------------------------------------------------------------

I tried this: modified the masq file as:

#INTERFACE SUBNET          ADDRESS PROTO PORT(S) IPSEC
eth1       192.168.1.0/27
eth1       192.168.1.139
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

and then updated the client computer's IP to 192.168.1.139, and it can access the internet!

Then I changed masq to:

#INTERFACE SUBNET          ADDRESS PROTO PORT(S) IPSEC
eth1       192.168.1.0/27
eth1       192.168.1.140
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

then restarted Shorewall, and also updated the client computer's IP to 192.168.1.140, but it can NOT access the internet! Why?

Thanks very much, guys! (shorewall dump is attached)

muiz wrote:

> I tried this:
> modified masq file as:
> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
> eth1 192.168.1.0/27
> eth1 192.168.1.139
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> and then update the client computer's ip to 192.168.1.139. and it can
> access internet!
>
> Then change masq to :
> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
> eth1 192.168.1.0/27
> eth1 192.168.1.140
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> then restart the shorewall,
> and also update the client computer's ip to 192.168.1.140, but it can
> NOT access internet!
>
> Why?

Whatever the cause of the problem, it is not your shorewall configuration. From the dump, there is no obvious reason. But then 'can NOT access internet' tells us nothing:

a) Can 192.168.1.140 ping 192.168.1.20?
b) Can 192.168.1.140 ping 192.168.0.250?
c) Can 192.168.1.140 ping 192.168.0.249?
d) Can 192.168.1.140 ping 206.124.146.177?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
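
Added example, not part of the original thread and not Shorewall code: a small Python check of which outbound traffic a masq file like the one in the first post covers, which is one way to confirm that 192.168.1.140 is matched by the configuration. It assumes only plain IP or CIDR values in the SUBNET column and comma-separated port lists, as on the page; `parse_masq` and `is_masqueraded` are hypothetical names, and the embedded file is a shortened copy of the posted one.

```python
import ipaddress

# Shortened copy of the masq file from the first post
# (columns: INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC).
MASQ = """\
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth1 192.168.1.0/27
eth1 192.168.1.139
eth1 192.168.1.140
eth1 192.168.1.69 - tcp 25,110
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

def parse_masq(text):
    """Return a list of (interface, network, proto, ports) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 2:
            raise ValueError(f"entry needs INTERFACE and SUBNET: {raw!r}")
        cols += ["-"] * (6 - len(cols))       # omitted trailing columns mean "-"
        iface, subnet, _address, proto, ports = cols[:5]
        # A bare address becomes a /32; host bits are tolerated.
        net = ipaddress.ip_network(subnet, strict=False)
        proto = None if proto == "-" else proto.lower()
        ports = None if ports == "-" else {int(p) for p in ports.split(",")}
        entries.append((iface, net, proto, ports))
    return entries

def is_masqueraded(entries, src, proto, dport=None, out_iface="eth1"):
    """True if at least one entry matches this outbound packet."""
    src = ipaddress.ip_address(src)
    for iface, net, e_proto, e_ports in entries:
        if iface != out_iface or src not in net:
            continue
        if e_proto is not None and e_proto != proto.lower():
            continue                          # entry limited to another protocol
        if e_ports is not None and dport not in e_ports:
            continue                          # entry limited to other ports
        return True
    return False

if __name__ == "__main__":
    rules = parse_masq(MASQ)
    for src, proto, port in [("192.168.1.140", "icmp", None),
                             ("192.168.1.69", "tcp", 25),
                             ("192.168.1.69", "tcp", 80)]:
        print(src, proto, port, is_masqueraded(rules, src, proto, port))
```

A host that matches here but still has no connectivity points away from the masq file and toward routing on the client or upstream.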

muiz wrote:

> Another question:
> I want to use MAC address to instead of IP address, it's easy to do this?

With Shorewall 3.2, it is impossible.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Dear Tom,

Thanks very much for your help!

I tried to ping those IP addresses, and got the following results:

a) ping 192.168.1.20
   >> OK
b) ping 192.168.1.250
   >> Host is not exists
c) ping 192.168.0.249
   >> Host is not exists
d) ping 206.124.146.177
   >> Failed, the connection lost

So what can I do then?

Muiz

On 2009-07-18, "Tom Eastep" <teastep@shorewall.net> wrote:
>muiz wrote:
>
>> I tried this:
>> modified masq file as:
>> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
>> eth1 192.168.1.0/27
>> eth1 192.168.1.139
>> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>> and then update the client computer's ip to 192.168.1.139. and it can
>> access internet!
>>
>> Then change masq to :
>> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
>> eth1 192.168.1.0/27
>> eth1 192.168.1.140
>> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>> then restart the shorewall,
>> and also update the client computer's ip to 192.168.1.140, but it can
>> NOT access internet!
>>
>> Why?
>
>Whatever the cause of the problem, it is not your shorewall
>configuration. From the dump, there is no obvious reason. But then 'can
>NOT access internet' tells us nothing:
>
>a) Can 192.168.1.140 ping 192.168.1.20?
>b) Can 192.168.1.140 ping 192.168.0.250?
>c) Can 192.168.1.140 ping 192.168.0.249?
>d) Can 192.168.1.140 ping 206.124.146.177?
>
>-Tom
>
>--
>Tom Eastep        \ When I die, I want to go like my Grandfather who
>Shoreline,         \ died peacefully in his sleep. Not screaming like
>Washington, USA     \ all of the passengers in his car
>http://shorewall.net \________________________________________________

muiz wrote:

> Dear Tom,
> Thanks very much for your help!
> I try to ping those IP address, and get the following results:
> a) ping 192.168.1.20
> >> OK
> b) ping 192.168.1.250
> >> Host is not exists

Sorry -- this is the host I wanted you to ping:

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:19:d1:01:2f:45 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.250/29 brd 192.168.0.255 scope global eth1
         -------------
    inet6 fe80::219:d1ff:fe01:2f45/64 scope link
       valid_lft forever preferred_lft forever

> c) ping 192.168.0.249
> >> Host is not exists

But it DOES exist -- it is your Shorewall box's default gateway!!!

Table main:

10.100.100.2 dev tun0 proto kernel scope link src 10.100.100.1
...
default via 192.168.0.249 dev eth1
            -------------

> d) ping 206.124.146.177
> >> Failed, the connection lost
> So what can I do then?

If you can't ping 192.168.0.250, then the default route on 192.168.1.140 is incorrect.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Dear Tom,

I resolved the problem: ( I got the wrong gateway, 192.168.1.20 is my real gateway, but the host 192.168.1.140's gateway is pointed to an IPCop system which is installed in 192.168.1.20 (it's a virtual machine).

"But it DOES exist -- it is your Shorewall box's default gateway!!!"

Thanks and best regards!

2009-07-19
muiz

From: Tom Eastep
Sent: 2009-07-18 21:51:35
To: muiz
Cc: Shorewall Users
Subject: Re: [Shorewall-users] Help: internet access and mac problem

muiz wrote:

> Dear Tom,
> Thanks very much for your help!
> I try to ping those IP address, and get the following results:
> a) ping 192.168.1.20
> >> OK
> b) ping 192.168.1.250
> >> Host is not exists

Sorry -- this is the host I wanted you to ping:

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:19:d1:01:2f:45 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.250/29 brd 192.168.0.255 scope global eth1
         -------------
    inet6 fe80::219:d1ff:fe01:2f45/64 scope link
       valid_lft forever preferred_lft forever

> c) ping 192.168.0.249
> >> Host is not exists

But it DOES exist -- it is your Shorewall box's default gateway!!!

Table main:

10.100.100.2 dev tun0 proto kernel scope link src 10.100.100.1
...
default via 192.168.0.249 dev eth1
            -------------

> d) ping 206.124.146.177
> >> Failed, the connection lost
> So what can I do then?

If you can't ping 192.168.0.250, then the default route on 192.168.1.140 is incorrect.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________