-----Original Message-----
From: Paolo <[email protected]>
To: [email protected] <[email protected]>
Subject: Re: Using shorewall
Date: Thu, 12 Feb 2009 21:47:17 +0100
Mailer: Mutt/1.3.28i

On Thu, Feb 12, 2009 at 03:05:14PM -0500, john wrote:
...
> I have set up shorewall with eth0 going to my existing d-link router.
> eth1 and eth2 are planned for a dmz and a loc. I have used the setup and

what's your final /etc/network/interfaces ? what do ifconfig(8) or ip(8) report?

> lines from /var/log/shorewall-init.log):
>
> Setting up masquerading/SNAT....
> ERROR: Unable to determine routes through interface "eth1"

perhaps some more log line would help ?
...
--
paolo

I should have mentioned that I'm running lenny (up to date).

My /etc/network/interfaces file reads:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

My /etc/shorewall file reads:

net eth0 detect dhcp,routefilter,tcpflags
dmz eth1 detect dhcp
loc eth2 detect dhcp

/var/log/shorewall-init.log reads:

22:43:52 Compiling...
   Loading /usr/share/shorewall/lib.base...
   Loading /usr/share/shorewall/lib.config...
22:43:52 Processing /etc/shorewall/shorewall.conf...
22:43:52 Loading Modules...
22:43:54 Loading library /usr/share/shorewall-shell/lib.actions...
22:43:54 Loading library /usr/share/shorewall-shell/lib.nat...
22:43:54 Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   New Connection Tracking Match Syntax: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   Physdev-is-bridged Support: Available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Not available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Available
   Extended MARK Target: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available
   NFQUEUE Target: Available
22:43:55 Determining Zones...
   IPv4 Zones: net dmz loc
   Firewall Zone: fw
22:43:55 Validating interfaces file...
22:43:55 Validating hosts file...
22:43:55 Pre-processing Actions...
22:43:55 Pre-processing /usr/share/shorewall/action.Drop...
22:43:55 ..Expanding Macro /usr/share/shorewall/macro.Auth...
22:43:55 ..End Macro
22:43:55 ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
22:43:55 ..End Macro
22:43:55 ..Expanding Macro /usr/share/shorewall/macro.SMB...
22:43:55 ..End Macro
22:43:55 ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
22:43:55 ..End Macro
22:43:55 ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
22:43:55 ..End Macro
22:43:55 Pre-processing /usr/share/shorewall/action.Reject...
22:43:55 Validating Policy file...
22:43:55 Policy for net to dmz is DROP using chain net2all
22:43:55 Policy for net to loc is DROP using chain net2all
22:43:55 Policy for net to fw is DROP using chain net2all
22:43:55 Policy for dmz to net is REJECT using chain dmz2all
22:43:55 Policy for dmz to loc is REJECT using chain dmz2all
22:43:55 Policy for dmz to fw is REJECT using chain dmz2all
22:43:55 Policy for loc to net is REJECT using chain loc2all
22:43:55 Policy for loc to dmz is REJECT using chain loc2all
22:43:55 Policy for loc to fw is REJECT using chain loc2all
22:43:55 Policy for fw to net is ACCEPT using chain fw2all
22:43:55 Policy for fw to dmz is ACCEPT using chain fw2all
22:43:55 Policy for fw to loc is ACCEPT using chain fw2all
22:43:55 Determining Hosts in Zones...
   net Zone: eth0:0.0.0.0/0
   dmz Zone: eth1:0.0.0.0/0
   loc Zone: eth2:0.0.0.0/0
22:43:55 Deleting user chains...
22:43:55 Compiling /etc/shorewall/routestopped ...
22:43:55 Creating Interface Chains...
22:43:55 Compiling Common Rules
22:43:55 Adding rules for DHCP
22:43:55 Compiling TCP Flags checking...
22:43:55 Compiling Kernel Route Filtering...
22:43:55 Compiling Martian Logging...
22:43:55 Compiling IPSEC...
22:43:55 Compiling /etc/shorewall/rules...
22:43:55 Rule "ACCEPT loc net tcp 80,443 " compiled.
22:43:55 Rule "ACCEPT loc fw udp 53 " compiled.
22:43:55 Rule "ACCEPT net dmz tcp 80 " compiled.
22:43:55 Rule "ACCEPT loc dmz tcp 80 " compiled.
22:43:55 Rule "ACCEPT fw dmz tcp 80 " compiled.
22:43:56 Rule "ACCEPT dmz net:206.167.141.10 tcp 80 " compiled.
22:43:56 Rule "ACCEPT dmz net:128.31.0.36 tcp 80 " compiled.
22:43:56 Compiling Actions...
22:43:56 Generating Transitive Closure of Used-action List...
22:43:56 Compiling /usr/share/shorewall/action.Drop for Chain Drop...
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.Auth...
22:43:56 Rule "REJECT - - tcp 113 - - " compiled.
22:43:56 ..End Macro
22:43:56 Rule "dropBcast " compiled.
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
22:43:56 Rule "ACCEPT - - icmp fragmentation-needed - - " compiled.
22:43:56 Rule "ACCEPT - - icmp time-exceeded - - " compiled.
22:43:56 ..End Macro
22:43:56 Rule "dropInvalid " compiled.
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.SMB...
22:43:56 Rule "DROP - - udp 135,445 - - " compiled.
22:43:56 Rule "DROP - - udp 137:139 - - " compiled.
22:43:56 Rule "DROP - - udp 1024: 137 - " compiled.
22:43:56 Rule "DROP - - tcp 135,139,445 - - " compiled.
22:43:56 ..End Macro
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
22:43:56 Rule "DROP - - udp 1900 - - " compiled.
22:43:56 ..End Macro
22:43:56 Rule "dropNotSyn - - tcp " compiled.
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
22:43:56 Rule "DROP - - udp - 53 - " compiled.
22:43:56 ..End Macro
22:43:56 Compiling /usr/share/shorewall/action.Reject for Chain Reject...
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.Auth...
22:43:56 Rule "REJECT - - tcp 113 - - " compiled.
22:43:56 ..End Macro
22:43:56 Rule "dropBcast " compiled.
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
22:43:56 Rule "ACCEPT - - icmp fragmentation-needed - - " compiled.
22:43:56 Rule "ACCEPT - - icmp time-exceeded - - " compiled.
22:43:56 ..End Macro
22:43:56 Rule "dropInvalid " compiled.
22:43:56 ..Expanding Macro /usr/share/shorewall/macro.SMB...
22:43:56 Rule "REJECT - - udp 135,445 - - " compiled.
22:43:56 Rule "REJECT - - udp 137:139 - - " compiled.
22:43:57 Rule "REJECT - - udp 1024: 137 - " compiled.
22:43:57 Rule "REJECT - - tcp 135,139,445 - - " compiled.
22:43:57 ..End Macro
22:43:57 ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
22:43:57 Rule "DROP - - udp 1900 - - " compiled.
22:43:57 ..End Macro
22:43:57 Rule "dropNotSyn - - tcp " compiled.
22:43:57 ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
22:43:57 Rule "DROP - - udp - 53 - " compiled.
22:43:57 ..End Macro
22:43:57 Compiling /etc/shorewall/policy...
22:43:57 Policy ACCEPT for fw to dmz using chain fw2all
22:43:57 Policy DROP for net to dmz using chain net2all
22:43:57 Policy REJECT for dmz to net using chain dmz2all
22:43:57 Policy REJECT for loc to fw using chain loc2all
22:43:57 Policy REJECT for loc to net using chain loc2all
22:43:57 Policy REJECT for loc to dmz using chain loc2all
22:43:57 Compiling Masquerading/SNAT
22:43:57 Compiling Traffic Control Rules...
22:43:57 Compiling Rule Activation...
22:43:57 Compiling IP Forwarding...
22:43:57 Shorewall configuration compiled to /var/lib/shorewall/.start
22:43:58 Starting Shorewall....
22:43:58 Initializing...
22:43:58 Loading Modules...
22:43:58 Clearing Traffic Control/QOS
22:43:58 Deleting user chains...
22:43:58 Enabling Loopback and DNS Lookups
22:43:58 Creating Interface Chains...
22:43:58 Setting up SMURF control...
22:43:58 Setting up Black List...
22:43:58 Setting up rules for DHCP...
22:43:58 Setting up TCP Flags checking...
22:43:59 Setting up ARP filtering...
22:43:59 Setting up Route Filtering...
22:43:59 Setting up Martian Logging...
22:43:59 Setting up Accept Source Routing...
22:43:59 Setting up SYN Flood Protection...
22:43:59 Setting up Rules...
22:43:59 Rule "ACCEPT loc net tcp 80,443 " added.
22:43:59 Rule "ACCEPT loc fw udp 53 " added.
22:43:59 Rule "ACCEPT net dmz tcp 80 " added.
22:43:59 Rule "ACCEPT loc dmz tcp 80 " added.
22:43:59 Rule "ACCEPT fw dmz tcp 80 " added.
22:43:59 Rule "ACCEPT dmz net:206.167.141.10 tcp 80 " added.
22:43:59 Rule "ACCEPT dmz net:128.31.0.36 tcp 80 " added.
22:43:59 Setting up Actions...
22:43:59 Creating action chain Drop
22:43:59 Rule "REJECT - - tcp 113 - - " added.
22:43:59 Rule "dropBcast " added.
22:43:59 Rule "ACCEPT - - icmp fragmentation-needed - - " added.
22:43:59 Rule "ACCEPT - - icmp time-exceeded - - " added.
22:43:59 Rule "dropInvalid " added.
22:43:59 Rule "DROP - - udp 135,445 - - " added.
22:43:59 Rule "DROP - - udp 137:139 - - " added.
22:43:59 Rule "DROP - - udp 1024: 137 - " added.
22:43:59 Rule "DROP - - tcp 135,139,445 - - " added.
22:43:59 Rule "DROP - - udp 1900 - - " added.
22:43:59 Rule "dropNotSyn - - tcp " added.
22:43:59 Rule "DROP - - udp - 53 - " added.
22:43:59 Creating action chain Reject
22:43:59 Rule "REJECT - - tcp 113 - - " added.
22:43:59 Rule "dropBcast " added.
22:43:59 Rule "ACCEPT - - icmp fragmentation-needed - - " added.
22:43:59 Rule "ACCEPT - - icmp time-exceeded - - " added.
22:43:59 Rule "dropInvalid " added.
22:43:59 Rule "REJECT - - udp 135,445 - - " added.
22:43:59 Rule "REJECT - - udp 137:139 - - " added.
22:43:59 Rule "REJECT - - udp 1024: 137 - " added.
22:43:59 Rule "REJECT - - tcp 135,139,445 - - " added.
22:43:59 Rule "DROP - - udp 1900 - - " added.
22:43:59 Rule "dropNotSyn - - tcp " added.
22:43:59 Rule "DROP - - udp - 53 - " added.
22:43:59 Creating action chain dropBcast
22:43:59 Creating action chain dropInvalid
22:43:59 Creating action chain dropNotSyn
22:43:59 Applying Policies...
22:43:59 Setting up Masquerading/SNAT...
   ERROR: Unable to determine the routes through interface "eth1"
22:43:59 IP Forwarding Enabled
Terminated

Thanks - John.
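Paolo's question about what ifconfig(8) or ip(8) report boils down to whether the kernel has any route through eth1 and eth2 at all. As an added diagnostic (not part of this thread and not Shorewall's own code), the script below reads the ZONE/INTERFACE columns of an /etc/shorewall/interfaces file and reports each interface that never appears as a `dev` in `ip route` output; the interfaces text and route table here are constructed samples mirroring the thread's setup (eth0 on DHCP, eth1 and eth2 unconfigured), and the reading that the masq/SNAT step needs those routes is an assumption drawn from the error text.

```shell
#!/bin/sh
# Constructed sample in the ZONE INTERFACE BROADCAST OPTIONS format (not John's file).
SAMPLE_INTERFACES='# ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,routefilter,tcpflags
dmz eth1 detect dhcp
loc eth2 detect dhcp'

# Constructed sample of `ip route show`: only eth0 has an address, so only eth0 routes.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0  proto kernel  scope link  src 192.0.2.10'

# routed_devs: print each device name that follows a "dev" token in an ip-route listing.
routed_devs() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }' | sort -u
}

# unrouted_shorewall_ifaces INTERFACES_TEXT ROUTES_TEXT
# Prints "ZONE IFACE" for every Shorewall interface with no route through it.
# Assumption: these are the interfaces Shorewall cannot derive "networks behind" for,
# which is what the Masquerading/SNAT step in the log was trying to do for eth1.
unrouted_shorewall_ifaces() {
    devs=$(routed_devs "$2")
    printf '%s\n' "$1" |
        awk '!/^[[:space:]]*(#|$)/ { print $1, $2 }' |
        while read -r zone iface; do
            case "$iface" in
                -) continue ;;   # wildcard entry, no single device to check
            esac
            if ! printf '%s\n' "$devs" | grep -qx "$iface"; then
                printf '%s %s\n' "$zone" "$iface"
            fi
        done
}

# Live use on a lenny box with iproute installed:
#   unrouted_shorewall_ifaces "$(cat /etc/shorewall/interfaces)" "$(ip route show)"
unrouted_shorewall_ifaces "$SAMPLE_INTERFACES" "$SAMPLE_ROUTES"
```

An interface listed here is one to bring up in /etc/network/interfaces (or drop from the Shorewall configuration) before `shorewall start` will get past the SNAT step.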

