Wojtek Swiatek
2011-Aug-18 08:11 UTC
ip forward - debian - two interfaces scenario - failure :(
Hello,

I am trying to exactly replicate the two interface setup (http://www.shorewall.net/two-interface.htm). I use the same naming convention, the only difference is that eth0 is the loc interface and eth1 the net one.
Connectivity from loc to fw works. Same for fw to loc.
Connectivity from fw to net works (traffic is dropped from net to fw except for ssh, all this works fine).

I cannot manage to have traffic going from loc to net. I of course read the documentation, faq and troubleshooting. I tried:
- to set /proc/sys/net/ipv4/ip_forward to 1 and have IP_FORWARDING=Keep
- to set /proc/sys/net/ipv4/ip_forward to 0 and have IP_FORWARDING=On
- to set /proc/sys/net/ipv4/ip_forward to 1 and have IP_FORWARDING=On (for the sake of completeness)

In /etc/shorewall/masq I tried:
- eth1 eth0
- eth1 192.168.0.0/24 82.232.201.239 5 (I have a fixed public IP and eventually want to do SNAT)
- eth1 192.168.0.0/24

The log does not show any packets when trying to initiate the traffic from loc to an Internet IP.

I spent a few hours last night trying to figure out how to deal with this problem but I am helpless. I apologize if I missed something obvious but I really have no idea what that could be :)

Thank you in advance for any pointers,
Wojtek

------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system, user administration capabilities and model configuration. Take the hassle out of deploying and managing Subversion and the tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2
Robert Kawecki
2011-Aug-18 09:59 UTC
Re: ip forward - debian - two interfaces scenario - failure :(
On 2011-08-18, Thu at 10:11 +0200, Wojtek Swiatek wrote:
> Hello,
>
> I am trying to exactly replicate the two interface setup
> (http://www.shorewall.net/two-interface.htm). I use the same naming
> convention, the only difference is that eth0 is the loc interface and
> eth1 the net one.
> Connectivity from loc to fw works. Same for fw to loc.
> Connectivity from fw to net works (traffic is dropped from net to fw
> except for ssh, all this works fine).
>
> I cannot manage to have traffic going from loc to net. I of course
> read the documentation, faq and troubleshooting. I tried:
> - to set /proc/sys/net/ipv4/ip_forward to 1 and have IP_FORWARDING=Keep
> - to set /proc/sys/net/ipv4/ip_forward to 0 and have IP_FORWARDING=On
> - to set /proc/sys/net/ipv4/ip_forward to 1 and have IP_FORWARDING=On
> (for the sake of completeness)
>
> In /etc/shorewall/masq I tried:
> - eth1 eth0
> - eth1 192.168.0.0/24 82.232.201.239 5 (I have a fixed public IP and
> eventually want to do SNAT)
> - eth1 192.168.0.0/24
>
> The log does not show any packets when trying to initiate the traffic
> from loc to an Internet IP.
>
> I spent a few hours last night trying to figure out how to deal with
> this problem but I am helpless. I apologize if I missed something
> obvious but I really have no idea what that could be :)
>
> Thank you in advance for any pointers,
> Wojtek

Hi,

As per the default policy, allowed packets will not generate any logs. So the packets are either not reaching your gateway at all, or they are passing through and the failure is related to SNAT somehow.

From looking at the status file, I can't really tell what's wrong with the setup (although I'm not a status file oracle :P ). Have you checked with tcpdump that your clients' packets ever appear on the LAN side? (-i eth0). The connection table indicates that local clients are communicating within the local network, so maybe the missing link is the default gateway setting (a route to 0.0.0.0/0) on the clients?

When you have verified that they do indeed appear on eth0, check if they are visible on eth1 too, i.e. if they get forwarded. A tcpdump run on eth1 should also uncover any possible NAT problems.
Wojtek Swiatek
2011-Aug-18 10:54 UTC
Re: ip forward - debian - two interfaces scenario - failure :(
On Thu, Aug 18, 2011 at 11:59, Robert Kawecki <thewanderer@gim11.pl> wrote:
> On 2011-08-18, Thu at 10:11 +0200, Wojtek Swiatek wrote:
>> I am trying to exactly replicate the two interface setup
>> (http://www.shorewall.net/two-interface.htm).
(...)
>> I cannot manage to have traffic going from loc to net.
> As per the default policy, allowed packets will not generate any logs.
> So the packets are either not reaching your gateway at all, or they are
> passing through and the failure is related to SNAT somehow.

I tried to log them with a loc net ACCEPT info in /etc/shorewall/policy. I guess that if they were going through they would have been logged?

> Have you checked with tcpdump that your clients' packets ever appear
> on the LAN side? (-i eth0).

I connect via ssh from a client on the LAN to the server so packets get to the server LAN interface (eth0 in my case). I will check with tcpdump for packets intended to net.

> The connection table indicates that local clients are
> communicating within the local network, so maybe the missing link is the
> default gateway setting (a route to 0.0.0.0/0) on the clients?

There is a default route on the clients which points to the IP assigned to eth0 (the interface for loc).

> When you have verified that they do indeed appear on eth0, check if they
> are visible on eth1 too, i.e. if they get forwarded. A tcpdump run on
> eth1 should also uncover any possible NAT problems.

I will run a tcpdump on the eth1 interface (I expect not to see them there, i.e. to have a problem with ip forwarding).

Thanks for the message,
Wojtek
Wojtek Swiatek
2011-Aug-18 12:41 UTC
Re: ip forward - debian - two interfaces scenario - failure :(
On Thu, Aug 18, 2011 at 12:54, Wojtek Swiatek <w@swtk.info> wrote:
>> The connection table indicates that local clients are
>> communicating within the local network, so maybe the missing link is the
>> default gateway setting (a route to 0.0.0.0/0) on the clients?
>
> There is a default route on the clients which points to the IP
> assigned to eth0 (the interface for loc)

I just realized that there was a terrible typo in the gateway IP distributed through DHCP to the clients (the effect of a long night and renumbering of the network). Everything works fine now, my apologies for the trouble - finally it was not a shorewall or iptables issue.

Best regards,
Wojtek
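The checks Robert suggests (is forwarding on, does NAT happen on the net interface, do the clients actually point at the gateway) and the cause Wojtek finally found (a mistyped gateway address handed out by DHCP) can be turned into a small sanity script. The script below is an added example for this thread, not code from the thread or from Shorewall. The function names, the gateway loc address 192.168.0.1 and the sample `iptables -t nat -S POSTROUTING` and `ip route` outputs are constructed for the demo; on a real box you would feed it the live command output instead.

```shell
#!/bin/sh
# Added example, not part of the thread: a sanity checker for a Shorewall-style
# two-interface gateway (eth0 = loc, eth1 = net, as in the thread). It checks
# the kernel ip_forward setting, that a MASQUERADE/SNAT rule exists for traffic
# leaving the net interface, and that a LAN client's default route points at
# the gateway's loc address. The sample inputs and the address 192.168.0.1 are
# constructed assumptions, not values captured from the poster's network.

# $1: contents of /proc/sys/net/ipv4/ip_forward. Returns 0 if forwarding is on.
ip_forward_enabled() {
    [ "$1" = "1" ]
}

# stdin: output of `iptables -t nat -S POSTROUTING`; $1: net interface name.
# Returns 0 if some rule masquerades or SNATs traffic leaving that interface.
has_masq_rule() {
    grep -E -- "-o $1 .*-j (MASQUERADE|SNAT)" >/dev/null
}

# stdin: output of `ip route` on a LAN client; $1: the gateway's loc IP.
# Returns 0 only if the client's default route goes via exactly that IP.
default_gw_matches() {
    awk -v gw="$1" '
        $1 == "default" && $2 == "via" && $3 == gw { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Run all three checks and print one PASS/FAIL line per check.
# $1 ip_forward value, $2 nat rules text, $3 net iface, $4 client routes, $5 gw IP
report() {
    ipfwd=$1; natrules=$2; iface=$3; routes=$4; gw=$5
    if ip_forward_enabled "$ipfwd"; then echo "PASS ip_forward=1"; else echo "FAIL ip_forward=$ipfwd"; fi
    if printf '%s\n' "$natrules" | has_masq_rule "$iface"; then echo "PASS masq rule on $iface"; else echo "FAIL no MASQUERADE/SNAT on $iface"; fi
    if printf '%s\n' "$routes" | default_gw_matches "$gw"; then echo "PASS client default gw is $gw"; else echo "FAIL client default gw is not $gw"; fi
}

# Constructed samples (not captured from a real machine).
NAT_OK='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE'
ROUTES_OK='default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10'
# Same client, but with a mistyped gateway handed out by DHCP.
ROUTES_TYPO='default via 192.168.1.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10'

demo() {
    echo "== healthy gateway and client =="
    report 1 "$NAT_OK" eth1 "$ROUTES_OK" 192.168.0.1
    echo "== same gateway, client with wrong default gateway =="
    report 1 "$NAT_OK" eth1 "$ROUTES_TYPO" 192.168.0.1
}
demo
```

On a live gateway the first two inputs come from `cat /proc/sys/net/ipv4/ip_forward` and `iptables -t nat -S POSTROUTING`, and the third from `ip route` run on a client; the second demo run reproduces the thread's failure mode, where forwarding and NAT are fine but the client's packets never reach eth0 because its default route points elsewhere.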