Hi:

Two shorewall boxes are installed in two different places with the latest stable versions and three interfaces (eth0>>NET, eth1>>LAN and eth2>>DMZ), and have been running without any hitches for 3 years with the same configuration.

All of a sudden a few days back, the LAN in both places stopped reaching the internet without any warnings.

§1 Checked disk space and inodes; they are adequately available. So disk space is not a problem.

§2 The LAN NIC is active, letting me connect to get the results below with a crossover cable. So the NIC is working fine, and this also shows that the routing is fine.

§3 Checked for rootkits and found clean.

Any inputs to make the LAN reach the internet shall be appreciated. Thanks!

The network looks like the below:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.9.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

# shorewall show policies
Shorewall 4.5.17.1 Policies at gw - Tue Jul  2 19:54:47 CEST 2013

fw  => net ACCEPT using chain fw2net
fw  => loc REJECT using chain fw2loc
fw  => dmz REJECT using chain fw2dmz
net => fw  DROP   using chain net2fw
net => loc DROP   using chain net2loc
net => dmz ACCEPT using chain net2dmz
loc => fw  ACCEPT using chain loc2fw
loc => net ACCEPT using chain loc2net
loc => dmz ACCEPT using chain loc2dmz
dmz => fw  ACCEPT using chain dmz2fw
dmz => net ACCEPT using chain dmz2net
dmz => loc REJECT using chain dmz2loc
You have new mail in /var/spool/mail/root

# shorewall show config
Default CONFIG_PATH is /etc/shorewall:/usr/share/shorewall
Default VARDIR is /var/lib/shorewall
LIBEXEC is /usr/libexec
SBINDIR is /sbin
CONFDIR is /etc

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:
Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
Tom Eastep
2013-Jul-02 17:12 UTC
Re: Among 3 interfaces LAN does not reach Internet Suddenly
On 07/02/2013 09:07 AM, Zenny wrote:
> Hi:
>
> Two shorewall boxes are installed in two different places with latest
> stable versions with three interfaces (eth0>>NET, eth1>>LAN and
> eth2>>DMZ), and running without any hitches for 3 years with the same
> configuration .
>
> All of a sudden a few days back, the LAN in both places stopped
> reaching internet without any warnings.
>
> §1 Checked disk space and inodes, they are available adequately. So
> diskspace is not a problem.
>
> §2 LAN NIC is active, letting me connect to get the results below with
> a crossover cable. So NIC is working fine and also shows that the
> routing is fine.
>
> §3 Checked for rootkits and found clean.
>
> Any inputs to make LAN reach the internet shall be appreciated. Thanks!
>
> The network looks like as of below:
>
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.9.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
> 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
>
> # shorewall show policies
> Shorewall 4.5.17.1 Policies at gw - Tue Jul  2 19:54:47 CEST 2013
>
> fw  => net ACCEPT using chain fw2net
> fw  => loc REJECT using chain fw2loc
> fw  => dmz REJECT using chain fw2dmz
> net => fw  DROP   using chain net2fw
> net => loc DROP   using chain net2loc
> net => dmz ACCEPT using chain net2dmz
> loc => fw  ACCEPT using chain loc2fw
> loc => net ACCEPT using chain loc2net
> loc => dmz ACCEPT using chain loc2dmz
> dmz => fw  ACCEPT using chain dmz2fw
> dmz => net ACCEPT using chain dmz2net
> dmz => loc REJECT using chain dmz2loc
> You have new mail in /var/spool/mail/root
>
> # shorewall show config
> Default CONFIG_PATH is /etc/shorewall:/usr/share/shorewall
> Default VARDIR is /var/lib/shorewall
> LIBEXEC is /usr/libexec
> SBINDIR is /sbin
> CONFDIR is /etc

Please forward the output of 'shorewall dump' collected as described at http://www.shorewall.net/support.htm#Guidelines.

You can send it to me privately if you like.

Thanks,
-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Tom Eastep
2013-Jul-05 15:03 UTC
Re: Among 3 interfaces LAN does not reach Internet Suddenly
On 07/04/2013 12:14 AM, Zenny wrote:
> Hi Tom:
>
> Did you get the shorewall dump? Just wondering! Thanks!
>
> zenny
>
>>>
>>> Please forward the output of 'shorewall dump' collected as described at
>>> http://www.shorewall.net/support.htm#Guidelines.
>>>
>>> You can send it to me privately if you like.
>>>

I see no evidence that there was any attempt to forward traffic from the loc zone. This usually means that the local host has an incorrectly configured default gateway.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Thanks Tom. But how come, all of a sudden, LOC stopped accessing the internet without any manual configuration change or upgrade on both of the machines, which are in two different places? That is what is puzzling me.

Do you see any problem with the configuration below? I could not figure out any!

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.9.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

# cat /etc/sysconfig/network-scripts/ifcfg-eth1
# Accton Technology Corporation SMC2-1211TX
DEVICE=eth1
BOOTPROTO=static
BROADCAST=192.168.9.255
HWADDR=00:30:F1:10:9E:AE
IPADDR=192.168.9.254
NETMASK=255.255.255.0
NETWORK=192.168.9.0
ONBOOT=yes

Thanks and have a nice weekend!

On 7/5/13, Tom Eastep <teastep@shorewall.net> wrote:
> On 07/04/2013 12:14 AM, Zenny wrote:
>> Hi Tom:
>>
>> Did you get the shorewall dump? Just wondering! Thanks!
>>
>> zenny
>
>>>>
>>>> Please forward the output of 'shorewall dump' collected as described at
>>>> http://www.shorewall.net/support.htm#Guidelines.
>>>>
>>>> You can send it to me privately if you like.
>>>>
>
>
> I see no evidence that there was any attempt to forward traffic from the
> loc zone. This usually means that the local host has an incorrectly
> configured default gateway.
>
> -Tom
> --
> Tom Eastep            \ When I die, I want to go like my Grandfather who
> Shoreline,             \ died peacefully in his sleep. Not screaming like
> Washington, USA         \ all of the passengers in his car
> http://shorewall.net     \________________________________________________
>
Tom Eastep
2013-Jul-05 21:57 UTC
Re: Among 3 interfaces LAN does not reach Internet Suddenly
On Jul 5, 2013, at 2:49 PM, Zenny <garbytrash@gmail.com> wrote:
> Thanks Tom. But how come all of the sudden LOC stopped accessing
> internet without any manaul configuration or upgrade in both of the
> machines lying in two different places? That is what wondering me.

How can we know? We aren't there -- you are.

> Do you see any problem with the configurations as of below? I could
> not figure out any!

There is nothing wrong with the routing on the firewall. Can you ping 192.168.1.200 from the 192.168.9.0/24 network?

-Tom

Tom Eastep            \   Nothing is foolproof to a
Shoreline,             \  sufficiently talented fool
Washington, USA         \
http://shorewall.net     \________________________________________________
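The two checks Tom's replies boil down to, as an added example that is not part of the thread: that the firewall's own routing table is self-consistent (the default gateway sits in a connected network on the same interface, which is why the routing above is "fine"), and that a LAN host's default gateway is the firewall's LAN address (Tom's usual explanation for no forwarded traffic from loc). The route table and ifcfg-eth1 values are copied from the posts above as constructed input; BROKEN_TABLE and the 192.168.9.1 host gateway are made-up counter-examples.

```shell
#!/bin/sh
# Constructed inputs copied from the thread (not live data): the firewall's
# 'route -n' output and the IPADDR/NETMASK lines of its ifcfg-eth1 (LAN side).
ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.7.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.9.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0'
# Constructed counter-example: a default gateway that no connected route covers.
BROKEN_TABLE='0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'
IFCFG_ETH1='DEVICE=eth1
IPADDR=192.168.9.254
NETMASK=255.255.255.0'

# default_gw_on_link TABLE: succeed when the default route's gateway lies in a
# directly connected network on the same interface (portable awk, no bit ops).
default_gw_on_link() {
  printf '%s\n' "$1" | awk '
    function onlink(addr, net, msk,   a, b, m, i) {
      split(addr, a, "."); split(net, b, "."); split(msk, m, ".")
      for (i = 1; i <= 4; i++)   # mask an octet as a - (a mod (256 - m))
        if (a[i] - (a[i] % (256 - m[i])) != b[i] + 0) return 0
      return 1
    }
    $1 == "0.0.0.0" && $4 ~ /G/  { gw = $2; gwif = $8 }            # default route
    $2 == "0.0.0.0" && $4 !~ /G/ { nmask[$1] = $3; ifc[$1] = $8 }  # connected nets
    END {
      if (gw == "") { print "FAIL: no default route"; exit 1 }
      for (n in nmask)
        if (ifc[n] == gwif && onlink(gw, n, nmask[n])) {
          print "OK: " gw " is on-link via " gwif " (" n "/" nmask[n] ")"; exit 0
        }
      print "FAIL: " gw " is not in any connected network on " gwif; exit 1
    }'
}

# lan_host_gw_ok HOST_GW IFCFG: a LAN host must use the firewall's LAN address
# (IPADDR of the loc interface) as its default gateway.
lan_host_gw_ok() {
  fw_ip=$(printf '%s\n' "$2" | sed -n 's/^IPADDR=//p')
  [ "$1" = "$fw_ip" ] && { echo "OK: host gateway $1 is the firewall"; return 0; }
  echo "FAIL: host gateway $1 should be the firewall's $fw_ip"; return 1
}

default_gw_on_link "$BROKEN_TABLE" || true   # prints the FAIL diagnosis
default_gw_on_link "$ROUTE_TABLE"
lan_host_gw_ok 192.168.9.254 "$IFCFG_ETH1"
```

On a live box, feed it `"$(route -n)"` and the host's configured gateway instead of the constructed strings.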