Shorewall users - Apr 2011 - Having trouble with two-interfaces setup

Hi,

I''m having the worst time with Shorewall. I''m a complete noob
to it. I''ve
read all of the documentation regarding Shorewall and two-interfaces, and
I''ve loaded the example files from
''/usr/src/doc/shorewall/examples'' and I
didn''t change a thing. I still don''t understand what
I''m doing wrong. I''m
trying to get the internet from ''eth0'' which is connected to
my ISP, to
''eth1'' my Local Network.  I''m running Debian 6.0 and
I have Shorewall
4.4.11.6 installed.

Here''s my output from ''/etc/network/interfaces'':

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo eth0 eth1
iface lo inet loopback

#allow eth0 to receive a dhcp internet connection
iface eth0 inet dhcp

#setup eth1 as a router
iface eth1 inet static
     address 192.168.0.2
     network 192.168.0.1
     netmask 255.255.255.0

I defined a gateway here, and an address range. I have DNS-MASQ installed
and running which hands out IP addresses on 192.168.0.50/30. It''s
probably a
little ridiculous or redundant. I have no  clue if it really works. It says
it can''t bind to eth1 because eth1 is already in use. However, a laptop
connected to eth1 displays 192.168.0.76 for an IP address and the gateway
192.168.0.2. So, I know that works. I can partially ping
''www.google.com''.
It''ll resolve ''www.google.com'' to the correct IP
address and domain name,
but the packets keep timing out 100%. I can get the internet thru my devices
connected to ''eth1'' if I use ProxyARP, but it disables all of
my outgoing
traffic on ''eth0''. All I''m trying to do is gateway my
computer with two
ethernet NIC''s and I''m failing miserably at it and
I''ve been banging my head
against a wall for the past week trying to figure it out. Is there anyone
who might be able to point me to a simple command or something that would
get this all working? I''d really really really appreciate it.

Sincerely,
Dave


------------------------------------------------------------------------------
Benefiting from Server Virtualization: Beyond Initial Workload 
Consolidation -- Increasing the use of server virtualization is a top
priority.Virtualization can reduce costs, simplify management, and improve 
application availability and disaster protection. Learn more about boosting 
the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev

> #setup eth1 as a router
> iface eth1 inet static
>      address 192.168.0.2
>      network 192.168.0.1
>      netmask 255.255.255.0
eth1 is not a "router"; however, that''s irrelevant as that is
just a
comment. Remove the line starting ''network'' - it is incorrect
above, and
isn''t necessary anyway.
> I can
> partially ping ''www.google.com''. It''ll resolve
''www.google.com'' to the
> correct IP address and domain name, but the packets keep timing out
Thus you cannot ping www.google.com at all. 

Get things working from your system without Shorewall fist (do a
''shorewall clear''). Make sure you can ping external
names/addresses. Then
follow http://www.shorewall.net/two-interface.htm
-- 
"You can have everything in life you want if you help enough other people
get what they want" - Zig Ziglar. 

Who did you help today?

------------------------------------------------------------------------------
Benefiting from Server Virtualization: Beyond Initial Workload 
Consolidation -- Increasing the use of server virtualization is a top
priority.Virtualization can reduce costs, simplify management, and improve 
application availability and disaster protection. Learn more about boosting 
the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev

Dave Florek wrote:
>I''m having the worst time with Shorewall. I''m a complete
noob to it.
>I''ve read all of the documentation regarding Shorewall and 
>two-interfaces, and I''ve loaded the example files from 
>''/usr/src/doc/shorewall/examples'' and I didn''t
change a thing.
You do realise that example config files are just that - examples ? 
You are expected to configure them to your specific requirements.
>I still don''t understand what I''m doing wrong.
I''m trying to get the
>internet from ''eth0'' which is connected to my ISP
What do you get from "ifconfig eth0" ?
>I defined a gateway here, and an address range. I have DNS-MASQ 
>installed and running which hands out IP addresses on 
><http://192.168.0.50/30>192.168.0.50/30. It''s probably a
little
>ridiculous or redundant. I have no  clue if it really works.
Firstly, can you find the "plain text" option on your mailer so that 
when you put "192.168.0.50/30" it comes through as
"192.168.0.50/30"
and doesn''t get ''helpfully'' mangled to 
"<http://192.168.0.50/30>192.168.0.50/30" ? It''s just a
little thing,
but little things that make it harder to read and/or cause annoyance 
like that can make people less inclined to put the time in to help.

You need to find out if your local stuff works. If that doesn''t work, 
then trying to fix (if indeed it''s even broken) Shorewall is going to 
be a futile and frustrating experience.

You don''t actually need Shorewall running to get your network going , 
and in fact it is recommended to make sure your network runs BEFORE 
starting on Shorewall. If your network works and then stops when 
Shorewall is loaded then you look at your Shorewall config - if it 
doesn''t work at all then it''s not Shorewall.
"shorewall clear" will turn off everything Shorewall does and leave 
you with your basic network setup. Offhand I''m not sure what commands 
you need to give to enable MASQ - but if you are using the network 
manager from a GUI then I expect that has an option to tick (I don''t 
use the GUI as virtually everything I manage is a headless server).

BTW - 192.168.0.50/30 would normally mean a subnet starting at 
192.168.0.50 and with a netmask of 255.255.255.252. That would not be 
a suitable config to hand out to clients as they should have the 
exact same subnet mask as your gateway (255.255.255.0) - ie they 
should be in the network 192.168.0.0/24.

And I I check that bit of information, I see your eth1 config is 
wrong : the network address for that config is 192.168.0.0, and in 
fact you should just omit that lien anyway since the system will 
calculate the correct value for itself.

>It says it can''t bind to eth1 because eth1 is already in use. 
>However, a laptop connected to eth1 displays 192.168.0.76 for an IP 
>address and the gateway 192.168.0.2. So, I know that works.
Err, no you don''t know that works at all ! I''d hazard a guess
that
you have a DHCP server running on eth1, and that means you can''t 
start another one (as part of DNS-MASQ) since the prots it needs to 
use are already in use. 192.168.0.76 is not part of the address range 
you say you configured DNS-MASQ to hand out, which suggests it did 
come from there.
>I can partially ping ''www.google.com''. It''ll
resolve
>''www.google.com'' to the correct IP address and domain
name, but the
>packets keep timing out 100%. I can get the internet thru my devices 
>connected to ''eth1'' if I use ProxyARP, but it disables all
of my
>outgoing traffic on ''eth0''.
The old "this isn''t working so I''ll pick some random
thing and try
it" approach to fixing things !
>All I''m trying to do is gateway my computer with two ethernet
NIC''s
>and I''m failing miserably at it and I''ve been banging my
head
>against a wall for the past week trying to figure it out.
You might have less bruises if you''d asked for help earlier !

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

------------------------------------------------------------------------------
Benefiting from Server Virtualization: Beyond Initial Workload 
Consolidation -- Increasing the use of server virtualization is a top
priority.Virtualization can reduce costs, simplify management, and improve 
application availability and disaster protection. Learn more about boosting 
the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev