At this point I'm rather certain my issue is not specific to Shorewall, but likely something lower level that I have configured wrong.

The box is running Proxmox (Debian Lenny, basically) as the base. eth0 is the outside interface connected to the ISP. eth1 is the LAN/bridge physical interface used to connect everything to the box (internal virtual machines and outside physical machines). vmbr0 is the bridge interface using eth1 that actually has the IP address. The box is running bind/dhcpd/etc. as usual.

Machines (physical and virtual) get IP addresses, etc. just fine.

The router can connect to the internet just fine. LAN machines can ping internet machines just fine. LAN machines can connect to each other just fine.

That's where the problems start. LAN machines cannot connect to web pages (normal or SSL), ssh out, retrieve POP3 mail (the client will authenticate but that's as far as it gets), etc. Port forwards are not successfully making a full connection.

I know it is most likely something terribly simple, but I can't find it. I've been banging my head on it all evening. I'm assuming it's some sort of routing or NAT issue.

Thanks. Configurations below.
Mark II

/etc/network/interfaces:

    # network interface settings
    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet dhcp

    iface eth1 inet manual

    auto vmbr0
    iface vmbr0 inet static
        address 10.10.42.1
        netmask 255.255.255.0
        broadcast 10.10.42.255
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

/etc/shorewall/interfaces:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      dhcp,tcpflags,routefilter,nosmurfs
    loc     vmbr0       detect      tcpflags,nosmurfs,routeback,dhcp

/etc/shorewall/masq:

    eth0    10.10.42.0/24

/etc/shorewall/policy (this will be DROP so I can lock it down tight once I get it all working right again):

    loc     net     ACCEPT
    loc     $FW     ACCEPT
    loc     loc     ACCEPT
    $FW     net     ACCEPT
    $FW     loc     ACCEPT
    net     all     DROP    warn
    # THE FOLLOWING POLICY MUST BE LAST
    all     all     REJECT  info

--
Mark D. Montgomery II
http://www.techiem2.net

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
On 7/9/10 9:22 PM, Mark D. Montgomery II wrote:
> At this point I'm rather certain my issue is not specific to Shorewall,
> but likely something lower level that I have configured wrong.
> The box is running Proxmox (Debian Lenny, basically) as the base.
> eth0 is the outside interface connected to the ISP.
> eth1 is the LAN/bridge physical interface used to connect everything to
> the box (internal virtual machines and outside physical machines).
> vmbr0 is the bridge interface using eth1 that actually has the IP address.
> The box is running bind/dhcpd/etc. as usual.
>
> Machines (physical and virtual) get IP addresses, etc. just fine.
>
> The router can connect to the internet just fine.
> LAN machines can ping internet machines just fine.
> LAN machines can connect to each other just fine.
>
> That's where the problems start.
> LAN machines cannot connect to web pages (normal or SSL), ssh out,
> retrieve POP3 mail (the client will authenticate but that's as far as it
> gets), etc.
> Port forwards are not successfully making a full connection.
>
> I know it is most likely something terribly simple, but I can't find it.
> I've been banging my head on it all evening.

Have you enabled ip forwarding (IP_FORWARDING=On in shorewall.conf)?

If so, what is the MTU of eth0? If it is less than 1500 (Comcast has been known to configure MTU=576 on their consumer DHCP setups), then try setting CLAMPMSS=Yes in shorewall.conf.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
> Have you enabled ip forwarding (IP_FORWARDING=On in shorewall.conf)?

Yup.

> If so, what is the MTU of eth0? If it is less than 1500 (Comcast has
> been known to configure MTU=576 on their consumer DHCP setups), then try
> setting CLAMPMSS=Yes in shorewall.conf.

Bingo! That was it exactly. I wonder if they just started doing that here and my router here at the house hasn't gotten hit by it yet (it hasn't been rebooted in quite a while), or if they just have it set for the business accounts the one I just set up is on...

Thanks! Once again you've saved my sanity. :)

> -Tom

Mark II

--
Mark D. Montgomery II
http://www.techiem2.net
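Tom's MTU check, worked through as an added example (not code from the thread or from Shorewall): a small POSIX sh script that reads an interface's MTU, computes the TCP MSS that link can actually carry, and reports when the outside interface is below the 1500-byte Ethernet MTU the LAN hosts assume. The interface name eth0, the 576 override for offline runs, and the iptables rule shown as the effect of CLAMPMSS=Yes are my assumptions, not taken from the thread.

```sh
#!/bin/sh
# Added example, not from the thread or from Shorewall. Assumes Linux
# sysfs (/sys/class/net/<iface>/mtu); an override value is accepted so
# the script also runs where that interface does not exist.

# Largest TCP payload an IPv4 segment can carry over a link with this
# MTU: subtract the 20-byte IP header and the 20-byte TCP header.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# MTU of an interface. With a second argument that value is used instead
# of sysfs (constructed input for offline runs and tests).
iface_mtu() {
    if [ -n "$2" ]; then
        echo "$2"
    elif [ -r "/sys/class/net/$1/mtu" ]; then
        cat "/sys/class/net/$1/mtu"
    else
        return 1
    fi
}

# "clamp" when the outside interface is below the 1500-byte MTU the LAN
# hosts assume: they negotiate MSS 1460 and send full-size segments that
# the upstream link cannot carry, so small packets (ping, the POP3 login)
# get through while page loads and mail downloads stall. "ok" otherwise.
mtu_verdict() {
    mtu=$(iface_mtu "$1" "$2") || return 1
    [ "$mtu" -lt 1500 ] && echo clamp || echo ok
}

# Report for one interface; 576 (the Comcast value from the thread) is a
# constructed fallback when sysfs has no such interface.
main() {
    iface=${1:-eth0}
    mtu=$(iface_mtu "$iface" "$2") || mtu=$(iface_mtu "$iface" 576)
    echo "$iface: MTU=$mtu -> usable MSS=$(mss_for_mtu "$mtu")"
    if [ "$(mtu_verdict "$iface" "$mtu")" = clamp ]; then
        echo "Set CLAMPMSS=Yes in /etc/shorewall/shorewall.conf."
        echo "Assumed equivalent iptables rule:"
        echo "  iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN" \
             "-j TCPMSS --clamp-mss-to-pmtu"
    fi
}

main "$@"
```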