Hi all, I installed Shorewall 4 on Debian Squeeze and configured the
interfaces and the files, but I cannot get internet access on the local
network.
I can connect to the Shorewall PC from outside and from the local
network, and I can connect to the internet from the Shorewall PC, so I'm sure I
have something misconfigured.
The ip route command gives me the following:
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
xxx.xxx.xxx.0/24 dev eth0 proto kernel scope link src xxx.xxx.xxx.200
default via xxx.xxx.xxx.1 dev eth0
default via 192.168.2.1 dev eth1 scope link
ifconfig output:
eth0 Link encap:Ethernet HWaddr
inet addr:xxx.xxx.xxx.200 Bcast:xxx.xxx.xxx.255 Mask:255.255.255.0
inet6 addr: fe80::219:d1ff:fedd:afd1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2374 errors:0 dropped:0 overruns:0 frame:0
TX packets:110 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:284690 (278.0 KiB) TX bytes:13739 (13.4 KiB)
Interrupt:19 Base address:0x2100
eth1 Link encap:Ethernet HWaddr
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::227:19ff:feb1:6b69/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:204 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:17521 (17.1 KiB) TX bytes:468 (468.0 B)
Interrupt:17 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 B) TX bytes:560 (560.0 B)
In shorewall:
interfaces file:
==================
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp
loc eth1 detect bridge
policy file:
==============
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
#loc net ACCEPT
#net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
#all all REJECT info
fw all ACCEPT
all all REJECT info
net all DROP info
rules file:
============
#ACTION SOURCE DEST PROTO DEST    SOURCE   ORIGINAL RATE   USER/ MARK
#                         PORT    PORT(S)  DEST     LIMIT  GROUP
#
# Accept DNS connections from the firewall to the network
#
ACCEPT net $FW tcp 22
ACCEPT loc net tcp 20,21,22,25,43,53,63
ACCEPT loc net tcp 110,123,143,443,465
ACCEPT loc net tcp 587,993,995
ACCEPT loc net udp 43,53,63,123
REDIRECT loc 8080 tcp 80,8080
ACCEPT loc fw tcp 20,21,22,53,67,68,80,10000
ACCEPT loc fw udp 53,67,68
Ping(ACCEPT) net $FW
Ping(ACCEPT) loc $FW
Ping(ACCEPT) loc net
masq file:
============
eth0 192.168.2.0/24
Hope someone can help me out with this.
Regards
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
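The policy file in the post above carries Shorewall's own comment that the catch-all all/all policy must be last, yet the posted file has `net all DROP info` after `all all REJECT info`. Shorewall matches policy entries top-down, so an entry placed after a catch-all is never reached. The shell lint below is an added example, not code from the original post or from the Shorewall project; it assumes only the column layout shown in the post (SOURCE DEST POLICY ...) and embeds the posted policy file and a reordered copy as constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): flag a catch-all
# "all all" policy that is not the last entry in a Shorewall policy file.
# Shorewall evaluates policies in order, so anything after "all all" is
# never reached. Only the column layout (SOURCE DEST POLICY ...) is assumed.

# lint_policy_file FILE
# Prints every policy line that follows an "all all" entry and returns 1
# if there is at least one; returns 0 otherwise. Comments and blank lines
# are ignored, just as Shorewall ignores them.
lint_policy_file() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }        # skip comments and blanks
        seen_catchall { printf "unreachable policy: %s\n", $0; bad = 1 }
        $1 == "all" && $2 == "all" { seen_catchall = 1 }     # catch-all seen from here on
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the policy file exactly as posted in the thread.
write_posted_policy() {
    cat > "$1" <<'EOF'
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
#loc net ACCEPT
#net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
#all all REJECT info
fw all ACCEPT
all all REJECT info
net all DROP info
EOF
}

# Constructed sample: the same policies with the catch-all moved to the end.
write_fixed_policy() {
    cat > "$1" <<'EOF'
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw all ACCEPT
net all DROP info
all all REJECT info
EOF
}

# Stand-alone run: lint both samples.
tmp=$(mktemp)
write_posted_policy "$tmp"
if lint_policy_file "$tmp"; then echo "posted policy: ok"; else echo "posted policy: misordered"; fi
write_fixed_policy "$tmp"
if lint_policy_file "$tmp"; then echo "fixed policy: ok"; else echo "fixed policy: misordered"; fi
rm -f "$tmp"
```

Run against the posted file the lint reports `unreachable policy: net all DROP info`; with the catch-all moved last it stays silent. Point the function at `/etc/shorewall/policy` to check a live configuration.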
On Mon, 2011-10-10 at 19:41 +0000, Carina V. Barca wrote:
> Hi all, install a shorewall 4 on a debian squeeze, configure the
> interfaces and the files, but I can not have internet on the local
> network.

Have you checked Shorewall FAQ 15? If that doesn't solve your problem,
please forward the output of 'shorewall dump' collected as described at
http://www.shorewall.net/support.htm#Guidelines.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom: thanks for the answer. I attach what you asked..

Regards

From: Tom Eastep <teastep@shorewall.net>

On Mon, 2011-10-10 at 19:41 +0000, Carina V. Barca wrote:
> Hi all, install a shorewall 4 on a debian squeeze, configure the
> interfaces and the files, but I can not have internet on the local
> network.

Have you checked Shorewall FAQ 15? If that doesn't solve your problem,
please forward the output of 'shorewall dump' collected as described at
http://www.shorewall.net/support.htm#Guidelines.

-Tom
On Tue, 2011-10-11 at 18:50 +0000, Carina V. Barca wrote:
> Tom: thanks for the answer.
> I attach what you asked..

But you clearly didn't read FAQ 15. Point number 4:

    Forwarding is not enabled (This is often the problem for Debian
    users). Enter this command:

        cat /proc/sys/net/ipv4/ip_forward

    If the value displayed is 0 (zero) then set IP_FORWARDING=On in
    /etc/shorewall/shorewall.conf and restart Shorewall.

From the output of 'shorewall dump' that you posted (which is created
from the above command):

/proc/sys/net/ipv4/ip_forward = 0

-Tom
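The FAQ 15 check in the reply above has two halves: what the kernel is actually doing (`/proc/sys/net/ipv4/ip_forward`) and what Shorewall has been told to do (`IP_FORWARDING` in `/etc/shorewall/shorewall.conf`). The function below, an added example that is neither from the thread nor from Shorewall, reads both and reports whether forwarding is enabled, whether the configuration is right but Shorewall still needs a restart, or whether the setting is missing altogether. File paths are parameters so the check runs against the constructed sample files embedded here; on a real Debian box the arguments would be the two real paths named in the reply.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall itself: the FAQ 15
# point 4 check written as a function that reads the kernel flag and
# shorewall.conf from paths given as arguments. On a real box the arguments
# would be /proc/sys/net/ipv4/ip_forward and /etc/shorewall/shorewall.conf.

# forwarding_state IP_FORWARD_FILE SHOREWALL_CONF
# Prints one of:
#   enabled        kernel flag is 1, packets can be routed between eth0 and eth1
#   needs-restart  shorewall.conf says IP_FORWARDING=On but the kernel flag is 0
#   disabled       kernel flag is 0 and shorewall.conf does not turn forwarding on
forwarding_state() {
    kernel=$(tr -d '[:space:]' < "$1")
    # last uncommented IP_FORWARDING= line wins; optional quotes and any case accepted
    conf=$(sed -n 's/^[[:space:]]*IP_FORWARDING=["]*\([A-Za-z]*\).*$/\1/p' "$2" \
           | tail -n 1 | tr '[:upper:]' '[:lower:]')
    if [ "$kernel" = "1" ]; then
        echo enabled
    elif [ "$conf" = "on" ]; then
        echo needs-restart
    else
        echo disabled
    fi
}

# Constructed samples standing in for the two real files.
# write_sample DIR KERNEL_VALUE CONF_VALUE
write_sample() {
    printf '%s\n' "$2" > "$1/ip_forward"
    cat > "$1/shorewall.conf" <<EOF
# constructed fragment of /etc/shorewall/shorewall.conf (not a real file)
STARTUP_ENABLED=Yes
IP_FORWARDING=$3
EOF
}

# Stand-alone run: walk through the three states the reply describes.
d=$(mktemp -d)
write_sample "$d" 0 Keep
echo "as posted:          $(forwarding_state "$d/ip_forward" "$d/shorewall.conf")"  # disabled
write_sample "$d" 0 On
echo "after editing conf: $(forwarding_state "$d/ip_forward" "$d/shorewall.conf")"  # needs-restart
write_sample "$d" 1 On
echo "after restart:      $(forwarding_state "$d/ip_forward" "$d/shorewall.conf")"  # enabled
rm -rf "$d"
```

The `needs-restart` state is the one to look for when the config file already reads `IP_FORWARDING=On`: the setting only takes effect when Shorewall is restarted, so a value of 0 in the kernel file with On in the config means the restart step was skipped.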
I'm sorry, here it goes just like FAQ 15. I must add that I can ping
8.8.8.8 or www.google.com, but I can't navigate.

Regards

-- Forwarded message attachment --
From: teastep@shorewall.net
To: c
Date: Tue, 11 Oct 2011 12:02:04 -0700
Subject: Re: [Shorewall-users] No internet in local net with shorewall

On Tue, 2011-10-11 at 18:50 +0000, Carina V. Barca wrote:
> Tom: thanks for the answer.
> I attach what you asked..

But you clearly didn't read FAQ 15. Point number 4:

    Forwarding is not enabled (This is often the problem for Debian
    users). Enter this command:

        cat /proc/sys/net/ipv4/ip_forward

    If the value displayed is 0 (zero) then set IP_FORWARDING=On in
    /etc/shorewall/shorewall.conf and restart Shorewall.

From the output of 'shorewall dump' that you posted (which is created
from the above command):

/proc/sys/net/ipv4/ip_forward = 0

-Tom
I don't know if the email got lost, that's why I send it again. Sorry if I
send this twice.

From: carvandar@hotmail.com
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] No internet in local net with shorewall
Date: Wed, 12 Oct 2011 11:45:42 +0000

I'm sorry, here it goes just like FAQ 15. I must add that I can ping
8.8.8.8 or www.google.com, but I can't navigate.

Regards

-- Forwarded message attachment --
From: teastep@shorewall.net
To: c
Date: Tue, 11 Oct 2011 12:02:04 -0700
Subject: Re: [Shorewall-users] No internet in local net with shorewall
I have had cases where Shorewall did not properly set ip forwarding to
true, even though IP_FORWARDING=On was set in the config file. I never
bothered to investigate, I just put

    echo 1 > /proc/sys/net/ipv4/ip_forward

in my /etc/rc.local file and called it a day. But this was an old version
of Shorewall. What version are you using?

j

On Thursday, October 13, 2011, Carina V. Barca elucidated thus:
> I don't know if the email lost, that's why I send it again.
> Sorry if I send this twice.
> From: carvandar@hotmail.com
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] No internet in local net with shorewall
> Date: Wed, 12 Oct 2011 11:45:42 +0000
>
> I'm sorry, here it goes just like faq 15.
> I must add that I can ping 8.8.8.8 or www.google.com, but I can't
> navigate.
>
> Regards
>
> > If the value displayed is 0 (zero) then set IP_FORWARDING=On
> > in /etc/shorewall/shorewall.conf and restart Shorewall.
> >
> > From the output of 'shorewall dump' that you posted (which is
> > created from the above command):
> >
> > /proc/sys/net/ipv4/ip_forward = 0
> >
> > -Tom

-- 
Joshua Kugler
Part-Time System Admin/Programmer
http://www.eeinternet.com - Fairbanks, AK
PGP Key: http://pgp.mit.edu/  ID 0x73B13B6A
Thanks for your reply. I am using Shorewall 4.4.11.6 and IP forwarding is
set to 1 already:

/proc/sys/net/ipv4/ip_forward = 1

Also for DNS resolution I had added the following rules:

###Next 4 Lines for DNS Resolution####
ACCEPT loc $FW udp 53
ACCEPT loc $FW tcp 53
ACCEPT $FW net udp 53
ACCEPT $FW net tcp 53

Is there any limitation to adding rules in the /etc/shorewall/rules file?

Regards,
Yogesh

On Fri, Oct 14, 2011 at 2:42 AM, Carina V. Barca <carvandar@hotmail.com> wrote:
> I don't know if the email lost, that's why I send it again.
> Sorry if I send this twice.
> ------------------------------
> From: carvandar@hotmail.com
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] No internet in local net with shorewall
> Date: Wed, 12 Oct 2011 11:45:42 +0000
>
> I'm sorry, here it goes just like faq 15.
> I must add that I can ping 8.8.8.8 or www.google.com, but I can't
> navigate.
>
> Regards
>
> > If the value displayed is 0 (zero) then set IP_FORWARDING=On
> > in /etc/shorewall/shorewall.conf and restart Shorewall.
> >
> > From the output of 'shorewall dump' that you posted (which is created
> > from the above command):
> >
> > /proc/sys/net/ipv4/ip_forward = 0
> >
> > -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

-- 
Best Regards,
Yogesh Phatak.
Email ID : yoogesh@gmail.com
Cell : + 91 98233 00724
http://picasaweb.google.com/yoogesh
-----------------------------
Before you start some work, always ask yourself three questions - Why am I
doing it, What the results might be and Will I be successful. Only when you
think deeply and find satisfactory answers to these questions, go ahead.
-----------------------------
On Oct 13, 2011, at 2:12 PM, Carina V. Barca wrote:
> I don't know if the email lost, that's why I send it again.
> Sorry if I send this twice.
> From: carvandar@hotmail.com
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] No internet in local net with shorewall
> Date: Wed, 12 Oct 2011 11:45:42 +0000
>
> I'm sorry, here it goes just like faq 15.
> I must add that I can ping 8.8.8.8 or www.google.com, but I can't navigate.

I ignored your mail since I don't understand what you mean by "I can't
navigate". That sounds like "...it doesn't work" which isn't helpful.

-Tom
On Oct 13, 2011, at 6:20 PM, Yogesh Phatak wrote:
> Thanks for your reply. I am using Shorewall 4.4.11.6 and IP forwarding is set to 1 already:
>
> /proc/sys/net/ipv4/ip_forward = 1
>
> Also for DNS resolution I had added following rules:
>
> ###Next 4 Lines for DNS Resolution####
> ACCEPT loc $FW udp 53
> ACCEPT loc $FW tcp 53
> ACCEPT $FW net udp 53
> ACCEPT $FW net tcp 53
>
> Is there any limitation to add rules in /etc/shorewall/rules file ?

No.

-Tom