Re: [Shorewall-users] Fw: IPV6 Tunnel Ping Fail
‐‐‐ Original Message ‐‐‐
On April 6, 2018 2:32 PM, Tom Eastep wrote:

> On 04/06/2018 01:22 PM, colony.three--- via Shorewall-users wrote:
> > ‐‐‐ Original Message ‐‐‐
> > On April 6, 2018 11:58 AM, colony.th...@protonmail.ch wrote:
> > > ‐‐‐ Original Message ‐‐‐
> > > On April 6, 2018 11:44 AM, Tom Eastep teas...@shorewall.net wrote:
> > > > > After shorewall6 clear, ping6 just hangs.
> > > > >
> > > > > ping6 google.com
> > > > > PING google.com(sea15s01-in-x0e.1e100.net (2607:f8b0:400a:806::200e)) 56 data bytes
> > > > > ^C
> > > > > --- google.com ping statistics ---
> > > > > 20 packets transmitted, 0 received, 100% packet loss, time 19000ms
> > > >
> > > > Your routing is all screwed up. You are trying to use the same /64 on
> > > > three different networks. When you get a tunnel from HE, you get two /64
> > > > networks: one on the sit device, and one to use in your local network(s).
> > > > You can subdivide the second /64 between multiple networks, but then the
> > > > prefix length for those networks must be > 64 and you cannot use
> > > > stateless autoconfiguration.
> > > >
> > > > -Tom
> > > >
> > > > Tom Eastep           \   Q: What do you get when you cross a mobster with
> > > > Shoreline,            \     an international standard?
> > > > Washington, USA        \   A: Someone who makes you an offer you can't
> > > > http://shorewall.org    \     understand
> > >
> > > Understand, but I do have 2001:470:a:c3::2 set on the tunnel interface,
> > > and for the LAN I've set 2001:470:b:c3::/64 like they say.
> > >
> > > ip -6 route
> > > ===
> > > unreachable ::/96 dev lo metric 1024 error -113
> > > unreachable :::0.0.0.0/96 dev lo metric 1024 error -113
> > > 2001:470:a:c3::/64 dev he-ipv6 proto kernel metric 256
> > > 2001:470:b:c3::/64 dev eth1 proto kernel metric 256
> > > 2001:470:b:c3::/64 dev eth2 proto kernel metric 256
> > > unreachable 2002:a00::/24 dev lo metric 1024 error -113
> > > unreachable 2002:7f00::/24 dev lo metric 1024 error -113
> > > unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
> > > unreachable 2002:ac10::/28 dev lo metric 1024 error -113
> > > unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
> > > unreachable 2002:e000::/19 dev lo metric 1024 error -113
> > > unreachable 3ffe:::/32 dev lo metric 1024 error -113
> > > fe80::/64 dev eth1 proto kernel metric 256
> > > fe80::/64 dev eth2 proto kernel metric 256
> > > fe80::/64 dev eth0 proto kernel metric 256
> > > fe80::/64 dev he-ipv6 proto kernel metric 256
> > > default dev he-ipv6 metric 1024
> > >
> > > True I don't have a gateway set on eth1, but that -is- the LAN gateway.
> > >
> > > To set up the tunnel I'm using the systemd service copied almost
> > > word-for-word from the Arch doc:
> > >
> > > [Unit]
> > > Description=he.net IPv6 tunnel
> > > After=network.target
> > >
> > > [Service]
> > > Type=oneshot
> > > RemainAfterExit=yes
> > > ExecStart=/usr/sbin/ip tunnel add he-ipv6 mode sit remote 216.218.226.238 local 50.47.100.167 ttl 255
> > > ExecStart=/usr/sbin/ip link set he-ipv6 up mtu 1480
> > > ExecStart=/usr/sbin/ip addr add 2001:470:a:c3::2/64 dev he-ipv6
> > > ExecStart=/usr/sbin/ip -6 route add ::/0 dev he-ipv6
> > > ExecStop=/usr/sbin/ip -6 route del ::/0 dev he-ipv6
> > > ExecStop=/usr/sbin/ip link set he-ipv6 down
> > > ExecStop=/usr/sbin/ip tunnel del he-ipv6
> > >
> > > [Install]
> > > WantedBy=multi-user.target
> >
> > I must be being dense here. Can someone please explain what Tom is telling
> > me here?
>
> What I am telling you is that you have these two routes:
>
> fe80::/64 dev eth2 proto kernel metric 256
> fe80::/64 dev eth1 proto kernel metric 256
>
> So the hosts connected to one of those are going to be unreachable. You
> need to configure the IP addresses on those devices as /72, not /64,
> which means that you will have to assign IP addresses to hosts connected
> to those interfaces manually or using DHCPv6. You will not be able to
> use stateless auto configuration.
>
> You have not told us where you are trying to ping from -- firewall or
> host behind the firewall? But you are not allowing Ping from any place
> to any other place in this configuration; AllowICMPs does not allow
> ping; it only allows those ICMPs specified by RFC 4890 as 'must allow'
> by routers. That explains the errors when Shorewall is started. But it
> doesn't explain the issue when Shorewall is cleared. With Shorewall
> cleared, can you ping 2001:470:a:c3::1?
>
> -Tom
Re: [Shorewall-users] Do SNAT rules support ipsets?
Hi Tom,

thank you! I took the opportunity, created my own Debian packages and upgraded to 5.1.12.3.

If the Debian maintainer is following this list: Would be nice to see a package bump in 9.5 :)

--
Regards,
Igor

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] Fw: IPV6 Tunnel Ping Fail
On 04/06/2018 01:22 PM, colony.three--- via Shorewall-users wrote:
> ‐‐‐ Original Message ‐‐‐
> On April 6, 2018 11:58 AM, wrote:
> > ‐‐‐ Original Message ‐‐‐
> > On April 6, 2018 11:44 AM, Tom Eastep teas...@shorewall.net wrote:
> > > > After shorewall6 clear, ping6 just hangs.
> > > >
> > > > ping6 google.com
> > > > PING google.com(sea15s01-in-x0e.1e100.net (2607:f8b0:400a:806::200e)) 56 data bytes
> > > > ^C
> > > > --- google.com ping statistics ---
> > > > 20 packets transmitted, 0 received, 100% packet loss, time 19000ms
> > >
> > > Your routing is all screwed up. You are trying to use the same /64 on
> > > three different networks. When you get a tunnel from HE, you get two /64
> > > networks: one on the sit device, and one to use in your local network(s).
> > > You can subdivide the second /64 between multiple networks, but then the
> > > prefix length for those networks must be > 64 and you cannot use
> > > stateless autoconfiguration.
> > >
> > > -Tom
> > >
> > > Tom Eastep           \   Q: What do you get when you cross a mobster with
> > > Shoreline,            \     an international standard?
> > > Washington, USA        \   A: Someone who makes you an offer you can't
> > > http://shorewall.org    \     understand
> >
> > Understand, but I do have 2001:470:a:c3::2 set on the tunnel interface, and
> > for the LAN I've set 2001:470:b:c3::/64 like they say.
> >
> > ip -6 route
> > ===
> > unreachable ::/96 dev lo metric 1024 error -113
> > unreachable :::0.0.0.0/96 dev lo metric 1024 error -113
> > 2001:470:a:c3::/64 dev he-ipv6 proto kernel metric 256
> > 2001:470:b:c3::/64 dev eth1 proto kernel metric 256
> > 2001:470:b:c3::/64 dev eth2 proto kernel metric 256
> > unreachable 2002:a00::/24 dev lo metric 1024 error -113
> > unreachable 2002:7f00::/24 dev lo metric 1024 error -113
> > unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
> > unreachable 2002:ac10::/28 dev lo metric 1024 error -113
> > unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
> > unreachable 2002:e000::/19 dev lo metric 1024 error -113
> > unreachable 3ffe:::/32 dev lo metric 1024 error -113
> > fe80::/64 dev eth1 proto kernel metric 256
> > fe80::/64 dev eth2 proto kernel metric 256
> > fe80::/64 dev eth0 proto kernel metric 256
> > fe80::/64 dev he-ipv6 proto kernel metric 256
> > default dev he-ipv6 metric 1024
> >
> > True I don't have a gateway set on eth1, but that -is- the LAN gateway.
> >
> > To set up the tunnel I'm using the systemd service copied almost
> > word-for-word from the Arch doc:
> >
> > [Unit]
> > Description=he.net IPv6 tunnel
> > After=network.target
> >
> > [Service]
> > Type=oneshot
> > RemainAfterExit=yes
> > ExecStart=/usr/sbin/ip tunnel add he-ipv6 mode sit remote 216.218.226.238 local 50.47.100.167 ttl 255
> > ExecStart=/usr/sbin/ip link set he-ipv6 up mtu 1480
> > ExecStart=/usr/sbin/ip addr add 2001:470:a:c3::2/64 dev he-ipv6
> > ExecStart=/usr/sbin/ip -6 route add ::/0 dev he-ipv6
> > ExecStop=/usr/sbin/ip -6 route del ::/0 dev he-ipv6
> > ExecStop=/usr/sbin/ip link set he-ipv6 down
> > ExecStop=/usr/sbin/ip tunnel del he-ipv6
> >
> > [Install]
> > WantedBy=multi-user.target
>
> I must be being dense here. Can someone please explain what Tom is telling
> me here?

What I am telling you is that you have these two routes:

fe80::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth1 proto kernel metric 256

So the hosts connected to one of those are going to be unreachable. You
need to configure the IP addresses on those devices as /72, not /64,
which means that you will have to assign IP addresses to hosts connected
to those interfaces manually or using DHCPv6. You will not be able to
use stateless auto configuration.

You have not told us where you are trying to ping from -- firewall or
host behind the firewall? But you are not allowing Ping from any place
to any other place in this configuration; AllowICMPs does *not* allow
ping; it only allows those ICMPs specified by RFC 4890 as 'must allow'
by routers. That explains the errors when Shorewall is started. But it
doesn't explain the issue when Shorewall is cleared. With Shorewall
cleared, can you ping 2001:470:a:c3::1?

-Tom

--
Tom Eastep           \   Q: What do you get when you cross a mobster with
Shoreline,            \     an international standard?
Washington, USA        \   A: Someone who makes you an offer you can't
http://shorewall.org    \     understand
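To make the routing problem Tom describes (one /64 installed on-link on more than one interface, and the /72 split that fixes it) checkable rather than eyeballed, here is an added example that is not from the thread or from Shorewall. It parses a constructed copy of the `ip -6 route` lines posted above, flags any global prefix the kernel has on more than one interface, and carves that prefix into per-interface /72 subnets, which also shows why SLAAC stops being an option.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the on-link routes from the `ip -6 route` output posted
# in this thread (the unreachable 6to4 stubs are left out; they are normal).
ROUTE_OUTPUT = """\
2001:470:a:c3::/64 dev he-ipv6 proto kernel metric 256
2001:470:b:c3::/64 dev eth1 proto kernel metric 256
2001:470:b:c3::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth1 proto kernel metric 256
fe80::/64 dev eth2 proto kernel metric 256
fe80::/64 dev he-ipv6 proto kernel metric 256
default dev he-ipv6 metric 1024
"""


def parse_routes(text):
    """Map each kernel (on-link) prefix to the interfaces it is installed on."""
    by_prefix = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        # Only '<prefix> dev <iface> proto kernel ...' lines are on-link routes
        # created by an address assignment; 'default' and 'unreachable' are not.
        if len(fields) < 5 or fields[1] != "dev" or fields[3] != "proto":
            continue
        by_prefix[ipaddress.IPv6Network(fields[0], strict=False)].append(fields[2])
    return by_prefix


def duplicated_prefixes(by_prefix):
    """Global prefixes installed on more than one interface.

    The kernel only ever forwards such a prefix out of the first matching
    interface, so hosts behind the others are unreachable. fe80::/64 is skipped:
    link-local exists on every interface by design and is scoped per interface.
    """
    return {net: devs for net, devs in by_prefix.items()
            if len(devs) > 1 and not net.is_link_local}


def split_for_interfaces(net, devs, new_len=72):
    """Carve one routed /64 into non-overlapping longer prefixes, one per
    interface, which is what the reply recommends (/72 for the two LANs)."""
    subnets = net.subnets(new_prefix=new_len)
    return {dev: next(subnets) for dev in devs}


def slaac_possible(net):
    """SLAAC (RFC 4862) needs a 64-bit interface identifier, so only a /64
    qualifies; anything longer means static addressing or DHCPv6."""
    return net.prefixlen == 64


if __name__ == "__main__":
    routes = parse_routes(ROUTE_OUTPUT)
    for net, devs in duplicated_prefixes(routes).items():
        print(f"{net} is on-link on {', '.join(devs)}: hosts behind {devs[1:]} are unreachable")
        for dev, sub in split_for_interfaces(net, devs).items():
            print(f"  use {sub} on {dev} (SLAAC possible: {slaac_possible(sub)})")
```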
Re: [Shorewall-users] Fw: IPV6 Tunnel Ping Fail
‐‐‐ Original Message ‐‐‐
On April 6, 2018 11:58 AM, wrote:

> ‐‐‐ Original Message ‐‐‐
> On April 6, 2018 11:44 AM, Tom Eastep teas...@shorewall.net wrote:
> > > After shorewall6 clear, ping6 just hangs.
> > >
> > > ping6 google.com
> > > PING google.com(sea15s01-in-x0e.1e100.net (2607:f8b0:400a:806::200e)) 56 data bytes
> > > ^C
> > > --- google.com ping statistics ---
> > > 20 packets transmitted, 0 received, 100% packet loss, time 19000ms
> >
> > Your routing is all screwed up. You are trying to use the same /64 on
> > three different networks. When you get a tunnel from HE, you get two /64
> > networks: one on the sit device, and one to use in your local network(s).
> > You can subdivide the second /64 between multiple networks, but then the
> > prefix length for those networks must be > 64 and you cannot use
> > stateless autoconfiguration.
> >
> > -Tom
> >
> > Tom Eastep           \   Q: What do you get when you cross a mobster with
> > Shoreline,            \     an international standard?
> > Washington, USA        \   A: Someone who makes you an offer you can't
> > http://shorewall.org    \     understand
>
> Understand, but I do have 2001:470:a:c3::2 set on the tunnel interface, and
> for the LAN I've set 2001:470:b:c3::/64 like they say.
>
> ip -6 route
> ===
> unreachable ::/96 dev lo metric 1024 error -113
> unreachable :::0.0.0.0/96 dev lo metric 1024 error -113
> 2001:470:a:c3::/64 dev he-ipv6 proto kernel metric 256
> 2001:470:b:c3::/64 dev eth1 proto kernel metric 256
> 2001:470:b:c3::/64 dev eth2 proto kernel metric 256
> unreachable 2002:a00::/24 dev lo metric 1024 error -113
> unreachable 2002:7f00::/24 dev lo metric 1024 error -113
> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
> unreachable 2002:ac10::/28 dev lo metric 1024 error -113
> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
> unreachable 2002:e000::/19 dev lo metric 1024 error -113
> unreachable 3ffe:::/32 dev lo metric 1024 error -113
> fe80::/64 dev eth1 proto kernel metric 256
> fe80::/64 dev eth2 proto kernel metric 256
> fe80::/64 dev eth0 proto kernel metric 256
> fe80::/64 dev he-ipv6 proto kernel metric 256
> default dev he-ipv6 metric 1024
>
> True I don't have a gateway set on eth1, but that -is- the LAN gateway.
>
> To set up the tunnel I'm using the systemd service copied almost
> word-for-word from the Arch doc:
>
> [Unit]
> Description=he.net IPv6 tunnel
> After=network.target
>
> [Service]
> Type=oneshot
> RemainAfterExit=yes
> ExecStart=/usr/sbin/ip tunnel add he-ipv6 mode sit remote 216.218.226.238 local 50.47.100.167 ttl 255
> ExecStart=/usr/sbin/ip link set he-ipv6 up mtu 1480
> ExecStart=/usr/sbin/ip addr add 2001:470:a:c3::2/64 dev he-ipv6
> ExecStart=/usr/sbin/ip -6 route add ::/0 dev he-ipv6
> ExecStop=/usr/sbin/ip -6 route del ::/0 dev he-ipv6
> ExecStop=/usr/sbin/ip link set he-ipv6 down
> ExecStop=/usr/sbin/ip tunnel del he-ipv6
>
> [Install]
> WantedBy=multi-user.target

I must be being dense here. Can someone please explain what Tom is telling me here?
Re: [Shorewall-users] IPV6 Tunnel Ping Fail
‐‐‐ Original Message ‐‐‐
On April 6, 2018 11:18 AM, colony.three--- via Shorewall-users wrote:

> # ip address
> 7: he-ipv6@NONE: mtu 1480 qdisc noqueue state UNKNOWN qlen 1
>     link/sit 50.47.100.167 peer 216.218.226.238
>     inet6 2001:470:a:c3::2/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::322f:64a7/64 scope link
>        valid_lft forever preferred_lft forever
>
> # ip -6 neighbor
>
> # ping6 google.com
> PING google.com(dfw25s08-in-x0e.1e100.net (2607:f8b0:4000:801::200e)) 56 data bytes
> From Quantumn-1-pt.tunnel.tserv14.sea1.ipv6.he.net (2001:470:a:c3::2) icmp_seq=1 Destination unreachable: Address unreachable
> ping: sendmsg: Operation not permitted
> From Quantumn-1-pt.tunnel.tserv14.sea1.ipv6.he.net (2001:470:a:c3::2) icmp_seq=2 Destination unreachable: Address unreachable
> ping: sendmsg: Operation not permitted
> From Quantumn-1-pt.tunnel.tserv14.sea1.ipv6.he.net (2001:470:a:c3::2) icmp_seq=3 Destination unreachable: Address unreachable
> ping: sendmsg: Operation not permitted
>
> Shorewall dump sent to Tom.

I know that incoming ping is required for a Hurricane tunnel, and I've allowed this:

Ping(ACCEPT) net:66.220.2.74 $FW

(I don't want anyone else to ping)

(CentOS7.4)

But I don't know whether there needs to be an IPV6 ping incoming, and there are no Shorewall6 messages in dmesg.

I can't find any evidence of how to allow protocol 41.

Hopefully LAN passage through this router VM is covered with:

net.ipv6.ip_forward = 1

G**gle is baffled.
[Shorewall-users] IPV6 Tunnel Ping Fail
# ip address
7: he-ipv6@NONE: mtu 1480 qdisc noqueue state UNKNOWN qlen 1
    link/sit 50.47.100.167 peer 216.218.226.238
    inet6 2001:470:a:c3::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::322f:64a7/64 scope link
       valid_lft forever preferred_lft forever

# ip -6 neighbor

# ping6 google.com
PING google.com(dfw25s08-in-x0e.1e100.net (2607:f8b0:4000:801::200e)) 56 data bytes
From Quantumn-1-pt.tunnel.tserv14.sea1.ipv6.he.net (2001:470:a:c3::2) icmp_seq=1 Destination unreachable: Address unreachable
ping: sendmsg: Operation not permitted
From Quantumn-1-pt.tunnel.tserv14.sea1.ipv6.he.net (2001:470:a:c3::2) icmp_seq=2 Destination unreachable: Address unreachable
ping: sendmsg: Operation not permitted
From Quantumn-1-pt.tunnel.tserv14.sea1.ipv6.he.net (2001:470:a:c3::2) icmp_seq=3 Destination unreachable: Address unreachable
ping: sendmsg: Operation not permitted

Shorewall dump sent to Tom.
Re: [Shorewall-users] Do SNAT rules support ipsets?
On 04/06/2018 09:42 AM, Tom Eastep wrote:
> On 04/05/2018 07:50 PM, Igor Sverkos wrote:
> >
> It is a bug that was corrected in Shorewall 5.1.7.

Attached is the patch.

patch /usr/share/shorewall/Shorewall/Rules.pm < commit-3b373f3

-Tom

--
Tom Eastep           \   Q: What do you get when you cross a mobster with
Shoreline,            \     an international standard?
Washington, USA        \   A: Someone who makes you an offer you can't
http://shorewall.org    \     understand

From 3b373f3f215208b41f70783f8969f48cfc1766d1 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 5 Sep 2017 10:45:17 -0700
Subject: Correct handling of ipsets in the DEST column of the snat file

- Also corrected handling of exclusion

Signed-off-by: Tom Eastep

diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 379be8923..649c4f018 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -5286,7 +5286,7 @@ sub process_snat1( ) { $interfaces = $1; } elsif ( $dest =~ /^([^:]+):([^:]*)$/ ) { my ( $one, $two ) = ( $1, $2 ); - if ( $2 =~ /\./ || $2 =~ /^%/ ) { + if ( $2 =~ /\./ || $2 =~ /^[+%!]/ ) { $interfaces = $one; $destnets = $two; } else {
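Review bot: the widened test on the `+` line (`$2 =~ /^[+%!]/`) now sends a qualifier starting with `+` (ipset), `%` or `!` (exclusion) into the `$interfaces = $one; $destnets = $two;` branch, which is what the snat(5) `interface:dest-address` syntax with ipsets needs; the remaining concern is the visible `else` branch, which is where `+ip_restricted_endpoints[dst]` previously fell through and came out as an unconditional `-o eth0 -j SNAT` rule (the symptom reported in this thread). Suggest making that branch reject, or at least warn on, a second field that matches none of the recognised forms, so the next unrecognised prefix fails loudly instead of silently widening the NAT rule; a line such as `fatal_error "Invalid DEST ($dest)" unless $two =~ /^\d*$/;` at the top of the `else` would do.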
Re: [Shorewall-users] Do SNAT rules support ipsets?
On 04/05/2018 07:50 PM, Igor Sverkos wrote:
> Hi,
>
> I am on Debian Stretch system with multiple IP addresses and
> shorewall-5.0.15.6.
>
> I have set "/etc/shorewall/snat" to
>
>> SNAT(1.2.3.4)    0.0.0.0/0    eth0:+ip_restricted_endpoints[dst]
>
> My expectation:
>
> Whenever I try to contact an IPv4 address listed in
> "ip_restricted_endpoints" ipset I expect that the IP address 1.2.3.4
> should be used as outgoing IP address.
>
> But it looks like this doesn't work. It looks like every outgoing
> traffic now uses IP 1.2.3.4.
> I noticed that because I have set "smtp_bind_address = 4.3.2.1" in my
> postfix instance however I see postfix connecting via 1.2.3.4 to other
> mail servers.
>
> When I run `shorewall list nat` I see
>
>> Chain POSTROUTING (policy ACCEPT 10119 packets, 716K bytes)
>>  pkts bytes target  prot opt in  out   source      destination
>> 17491 951K  SNAT    all  --  *   eth0  0.0.0.0/0   0.0.0.0/0    to:1.2.3.4
>
> I would expect to see something like
>
>> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 4.4.2.2 tcp dpt:22 match-set ssh-whitelist src
>
> I.e. "match-set" command (this is from a normal rule in rules file
> where I use an ipset to control addresses which can ssh into this
> box).
>
> Also, iptables file in /var/lib/shorewall just contains
>
>> ...
>> :POSTROUTING ACCEPT [0:0]
>> -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
>> COMMIT
>> ...
>
> So this all looks like snat doesn't support ipsets.
>
> However, `man shorewall-snat` says
>
>> DEST - {[+]interface[:[digit]][:[dest-address[,dest-address]...[exclusion]]}
>> ...
>>
>> The interface may be qualified by adding the character ":" followed by a
>> comma-separated list of destination host or subnet addresses to indicate
>> that you only want to change the source IP address for packets being sent
>> to those particular destinations. Exclusion is allowed (see
>> shorewall-exclusion[10](5)) as are ipset names preceded by a plus sign '+';
>>                                                                          ^^
>
> so I would think it should be supported?!
>
> Maybe a bug?

It is a bug that was corrected in Shorewall 5.1.7.

-Tom

--
Tom Eastep           \   Q: What do you get when you cross a mobster with
Shoreline,            \     an international standard?
Washington, USA        \   A: Someone who makes you an offer you can't
http://shorewall.org    \     understand
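To show concretely why the snat line in this thread widened into an unconditional SNAT on eth0, here is an added example (not Shorewall's code and not from the thread). The two regexes are transcribed from the `process_snat1` hunk Tom posted; the classifier around them, the assumed shape of the generated iptables match, and the modelling of the cut-off `else` branch as "no destination qualifier" are this example's own simplifications.

```python
import re

# Transcribed from the process_snat1 hunk quoted in this thread.
DEST_RE = re.compile(r"^([^:]+):([^:]*)$")
OLD_QUALIFIER_RE = re.compile(r"\.|^%")      # 5.0.x: dotted address or %variable only
NEW_QUALIFIER_RE = re.compile(r"\.|^[+%!]")  # 5.1.7+: also +ipset and !exclusion

# Assumed syntax for an ipset reference: +name or +name[flags].
IPSET_RE = re.compile(r"^\+([^\[]+)(?:\[([^\]]+)\])?$")


def classify_dest(dest, fixed=True):
    """Split an snat DEST column into (interfaces, destnets) the way the hunk does.

    destnets is None when the text after ':' is not recognised as an address
    qualifier. That models the silent fall-through into the hunk's `else`
    branch, which is what produced the bare '-o eth0 -j SNAT' rule reported.
    """
    m = DEST_RE.match(dest)
    if not m:
        return dest, None            # no ':' at all: plain interface
    iface, qualifier = m.groups()
    wanted = NEW_QUALIFIER_RE if fixed else OLD_QUALIFIER_RE
    return (iface, qualifier) if wanted.search(qualifier) else (iface, None)


def render_match(iface, destnets):
    """Render the iptables match for one classified DEST (assumed shape; the
    real generator handles more cases, this covers ipset, address, exclusion)."""
    parts = ["-o", iface]
    if destnets is None:
        return " ".join(parts)
    if destnets.startswith("!"):
        parts += ["!", "-d", destnets[1:]]
    elif (m := IPSET_RE.match(destnets)):
        # Assumption: a DEST-column ipset with no explicit flags matches dst.
        parts += ["-m", "set", "--match-set", m.group(1), m.group(2) or "dst"]
    else:
        parts += ["-d", destnets]
    return " ".join(parts)


def snat_rule(dest, to_source, fixed=True):
    """Full POSTROUTING rule for one snat line, before or after the fix."""
    match = render_match(*classify_dest(dest, fixed))
    return f"-A POSTROUTING {match} -j SNAT --to-source {to_source}"


if __name__ == "__main__":
    line = "eth0:+ip_restricted_endpoints[dst]"   # the DEST from this thread
    print("5.0.15.6:", snat_rule(line, "1.2.3.4", fixed=False))
    print("5.1.7+:  ", snat_rule(line, "1.2.3.4", fixed=True))
```

The first line printed is exactly the rule Igor found in /var/lib/shorewall; the second carries the `--match-set` he expected.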