Dump attached.

So, I have this situation. Pretty straight-forward masq situation, but with an odd wrinkle I can't figure out. All machines DHCP. All can ping the router, get IP addresses, etc. Some machines can ping past the router, some cannot. Logging the loc2net chain shows it hitting the ACCEPT rule, but it cannot connect to anything beyond the firewall.

The machine that currently cannot ping past the firewall is a KVM/qemu guest, but it *can* ping the firewall.

The machine that can't get past the firewall has the following line in nat:

xx.xx.131.63 eth0 192.168.100.248 no no

If I try to connect to another system where I've set up logging on a port, I get:

Jun 4 12:15:28 azariah kernel: [5305753.084529] Shorewall:net2fw:LOG:IN=ppp0 OUT= MAC= SRC=xx.xxx.131.63 DST=xxx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=22600 DF PROTO=TCP SPT=58446 DPT=5000 WINDOW=14600 RES=0x00 SYN URGP=0

So, its source address is correct, but it's never making it back to the nat'ed system.

I'm at a loss. Ideas? Links? Silly mistakes?

j

-- 
Joshua Kugler
Part-Time System Admin/Programmer
http://www.eeinternet.com - Fairbanks, AK
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Solved it. Contrary to what http://www.shorewall.net/NAT.htm implies, ADD_IP_ALIASES does not default to 'yes,' at least not on Ubuntu. Once I did that, all started working.

Thanks to bleve on #shorewall!

j

On Monday, June 04, 2012, Joshua J. Kugler elucidated thus:
> Dump attached.
>
> So, I have this situation. Pretty straight-forward masq situation,
> but with an odd wrinkle I can't figure out. All machines DHCP. All
> can ping the router, get IP addresses, etc. Some machines can ping
> past the router, some cannot. Logging the loc2net chain shows it
> hitting the ACCEPT rule, but it cannot connect to anything
> beyond the firewall.
>
> The machine that currently cannot ping past the firewall is a
> KVM/qemu guest, but it *can* ping the firewall.
>
> The machine that can't get past the firewall has the following line
> in nat:
>
> xx.xx.131.63 eth0 192.168.100.248 no no
>
> If I try to connect to another system where I've set up logging on a
> port, I get:
>
> Jun 4 12:15:28 azariah kernel: [5305753.084529]
> Shorewall:net2fw:LOG:IN=ppp0 OUT= MAC= SRC=xx.xxx.131.63
> DST=xxx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=22600 DF
> PROTO=TCP SPT=58446 DPT=5000 WINDOW=14600 RES=0x00 SYN URGP=0
>
> So, its source address is correct, but it's never making it back to
> the nat'ed system.
>
> I'm at a loss. Ideas? Links? Silly mistakes?
>
> j

-- 
Joshua Kugler
Part-Time System Admin/Programmer
http://www.eeinternet.com - Fairbanks, AK
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A
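The root cause above is an EXTERNAL address in the nat file that was never configured on its INTERFACE, which ADD_IP_ALIASES=Yes would have done for you. The following is an added check, not part of the thread or of Shorewall itself: it reads a nat file and the output of `ip -4 -o addr` and reports every entry whose external address is missing from the interface. Both inputs here are constructed samples using documentation addresses; in real use pass in the real nat file and live `ip` output.

```shell
#!/bin/sh
# Constructed sample of /etc/shorewall/nat (EXTERNAL INTERFACE INTERNAL ALL LOCAL).
NAT_SAMPLE='#EXTERNAL      INTERFACE INTERNAL         ALL  LOCAL
203.0.113.63   eth0      192.168.100.248  no   no
203.0.113.64   eth0      192.168.100.249  no   no'

# Constructed sample of `ip -4 -o addr` output: only .1 and .64 are on eth0.
IP_SAMPLE='2: eth0    inet 203.0.113.1/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.64/24 scope global secondary eth0\       valid_lft forever preferred_lft forever'

# check_nat_aliases NAT_TEXT IPADDR_TEXT
# Prints one MISSING line per nat entry whose EXTERNAL address is not
# configured on INTERFACE. Returns 0 when every entry is covered, 1 otherwise.
check_nat_aliases() {
  nat="$1"
  addrs="$2"
  missing=0
  while IFS= read -r line; do
    line="${line%%#*}"          # drop trailing comments
    set -- $line                # split into EXTERNAL INTERFACE INTERNAL ...
    [ $# -ge 3 ] || continue    # skip blank / comment-only lines
    ext="$1"; iface="$2"; internal="$3"
    # Match "inet <ext>/" on a line that names <iface> (fixed-string match).
    if printf '%s\n' "$addrs" | grep -F -- "inet ${ext}/" | grep -q " ${iface} "; then
      :
    else
      printf 'MISSING: %s not on %s (NAT for %s will not answer)\n' \
        "$ext" "$iface" "$internal"
      missing=1
    fi
  done <<EOF
$nat
EOF
  return $missing
}

# Stand-alone run: report the gap and the fix the thread arrived at.
check_nat_aliases "$NAT_SAMPLE" "$IP_SAMPLE" ||
  echo "fix: set ADD_IP_ALIASES=Yes in shorewall.conf, or add the address to the interface by hand"
```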
On 6/4/12 3:06 PM, Joshua J. Kugler wrote:
> Solved it. Contrary to what http://www.shorewall.net/NAT.htm implies,
> ADD_IP_ALIASES does not default to 'yes,' at least not on Ubuntu.

The copyright on that page is 2001-2004, meaning that page was likely last updated in 2004. That's important to realize when you are looking at Shorewall online documentation.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________