Re: [Shorewall-users] Fwd: Shorewall issue with snat and forward drops

2017-08-06 Thread Roel de Wildt
Hi Tom,

I have removed the zone nesting; the compile failures are gone and my
problems with the internet access are now solved.
In the interfaces file I have also removed routeback as suggested,
except on the tun+ interface for my VPN.

Thank you for your time and for the solution.

Kind regards,
Roel de Wildt

2017-08-06 22:23 GMT+02:00 Tom Eastep :

> On 08/06/2017 09:43 AM, Roel de Wildt wrote:
> > Hi Tom,
> >
> > I have installed the ipset utility and the compile errors are gone. But
> > I cannot access the internet from the 10.4.x.x subnet.
> >
>
> Shorewall zones are defined by both interface and ip addresses. Since
> gast, net, vpn and lan have distinct interfaces, there is no zone
> nesting in your configuration. Yet, you have defined zone nesting in the
> zones file.
>
> Please change your zones file to
>
> fw   firewall
> net  ipv4
> lan  ipv4
> gast ipv4
> vpn  ipv4
>
> And with the exception of tun+, I don't believe that you want
> 'routeback' on your interfaces.
>
> -Tom
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] Fwd: Shorewall issue with snat and forward drops

2017-08-06 Thread Tom Eastep
On 08/06/2017 09:43 AM, Roel de Wildt wrote:
> Hi Tom,
> 
> I have installed the ipset utility and the compile errors are gone. But
> I cannot access the internet from the 10.4.x.x subnet.
> 

Shorewall zones are defined by both interface and ip addresses. Since
gast, net, vpn and lan have distinct interfaces, there is no zone
nesting in your configuration. Yet, you have defined zone nesting in the
zones file.

Please change your zones file to

fw   firewall
net  ipv4
lan  ipv4
gast ipv4
vpn  ipv4

And with the exception of tun+, I don't believe that you want
'routeback' on your interfaces.

-Tom
-- 
Tom Eastep
Shoreline, Washington, USA
http://shorewall.org

Q: What do you get when you cross a mobster with an international standard?
A: Someone who makes you an offer you can't understand



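Tom's diagnosis above turns on a property a practitioner can check mechanically: a sub-zone declared as child:parent in the zones file should only contain hosts that the parent zone also contains, and when the two zones are bound to disjoint interfaces that can never be true. The script below is an added example, not Shorewall's own code and not the poster's configuration. It parses a constructed zones file and interfaces file and flags every declared nesting that the interface bindings do not support. It models membership by interface only (the hosts file, where ip-address based membership would live, is left out); the interface name ens224 and the zone-to-interface assignments are assumptions made for the example.

```python
"""Check declared Shorewall zone nesting against interface membership.

Added example, not Shorewall's own code. Shorewall's zones file declares a
sub-zone as "child:parent" in the ZONE column, and the interfaces file binds
each zone to interfaces. A sub-zone only makes sense when its hosts are a
subset of the parent's hosts; this simplified model looks at interfaces only
(it ignores the hosts file, where ip-address based membership would be set).
"""
from collections import defaultdict

# Constructed zones file with the kind of nesting the thread describes.
# This is an illustration, not the poster's actual configuration.
ZONES_NESTED = """\
#ZONE      TYPE
fw         firewall
net        ipv4
lan:net    ipv4
gast:net   ipv4
vpn        ipv4
"""

# Tom's suggested zones file from the thread: no nesting at all.
ZONES_FLAT = """\
fw   firewall
net  ipv4
lan  ipv4
gast ipv4
vpn  ipv4
"""

# Constructed interfaces file. ens161 and ens192 appear in the poster's logs;
# ens224 and the zone-to-interface assignments are assumptions for the example.
INTERFACES = """\
#ZONE  INTERFACE  OPTIONS
net    ens161     dhcp
lan    ens224     dhcp
gast   ens192     dhcp
vpn    tun+       routeback
"""


def _records(text):
    """Yield the whitespace-split columns of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_zones(text):
    """Return {zone: set(parent zones)}; an empty set means a top-level zone."""
    zones = {}
    for cols in _records(text):
        child, _, parents = cols[0].partition(":")
        zones[child] = {p for p in parents.split(",") if p}
    return zones


def parse_interfaces(text):
    """Return {zone: set(interface names)} from an interfaces file body."""
    members = defaultdict(set)
    for cols in _records(text):
        zone, iface = cols[0], cols[1]
        members[zone].add(iface)
    return dict(members)


def bogus_nesting(zones, members):
    """Return (child, parent, reason) for every declared nesting that the
    interface bindings do not support."""
    problems = []
    for child, parents in sorted(zones.items()):
        for parent in sorted(parents):
            if parent not in zones:
                problems.append((child, parent, "parent zone is not defined"))
            elif not members.get(child, set()) <= members.get(parent, set()):
                problems.append((child, parent,
                                 "child is bound to an interface the parent is not"))
    return problems


if __name__ == "__main__":
    members = parse_interfaces(INTERFACES)
    for label, text in (("nested", ZONES_NESTED), ("flat", ZONES_FLAT)):
        print(label, bogus_nesting(parse_zones(text), members) or "OK")
```

Run as a script it reports both lan:net and gast:net for the nested variant and OK for Tom's flat version. The same check can be pointed at a real /etc/shorewall/zones and /etc/shorewall/interfaces by reading the files instead of the inline strings.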


Re: [Shorewall-users] Fwd: Shorewall issue with snat and forward drops

2017-08-06 Thread Roel de Wildt
Hi Tom,

I have installed the ipset utility and the compile errors are gone. But I
cannot access the internet from the 10.4.x.x subnet.

Kind regards,
Roel de Wildt

2017-08-06 17:42 GMT+02:00 Tom Eastep :

> On 08/06/2017 07:12 AM, Roel de Wildt wrote:
> > Hi,
> >
> > I'm using shorewall 5.1.5.1 on archlinux and having some problems
> > configuring archlinux with my dual ISP setup and two separate internal
> > networks.
> >
> > The kernel I am using is the following one:
> > Linux router001 4.9.40-1-lts #1 SMP Fri Jul 28 21:45:40 CEST 2017 x86_64
> > GNU/Linux
> >
> > The problem is that I have internet access from only one of the two
> > internal networks (10.3.0.0/16 and 10.4.0.0/16). The working network is
> > 10.3.0.0/16 and the network that does not have internet access is
> > 10.4.0.0/16.
> >
> > In the journal I find these log entries when I ping the 8.8.8.8 address
> > (google dns):
> >
> > Aug 06 15:30:13 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2586
> > Aug 06 15:30:13 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2586
> > Aug 06 15:30:17 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2587
> > Aug 06 15:30:22 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2588
> > Aug 06 15:30:27 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2589
> >
>
> These indicate that either the source (interface,ip) or destination
> (interface,ip) don't fall into any defined zone.
>
> >
> > I see also those two errors when I check the shorewall config with
> > shorewall try.
> >
> >
> > Compiling using Shorewall 5.1.5.1...
> > Processing /etc/shorewall/params ...
> > Processing /etc/shorewall/shorewall.conf...
> > Loading Modules...
> > Compiling /etc/shorewall/zones...
> > Compiling /etc/shorewall/interfaces...
> > Determining Hosts in Zones...
> > Locating Action Files...
> > Compiling /etc/shorewall/policy...
> > Running /etc/shorewall/initdone...
> > Adding rules for DHCP
> > Compiling TCP Flags filtering...
> > Compiling Kernel Route Filtering...
> > Compiling Martian Logging...
> > Compiling /etc/shorewall/providers...
> > Compiling /etc/shorewall/routes...
> > Compiling /etc/shorewall/snat...
> > Compiling MAC Filtration -- Phase 1...
> > Compiling /etc/shorewall/rules...
> > Compiling /etc/shorewall/conntrack...
> > Compiling /etc/shorewall/tunnels...
> > Compiling MAC Filtration -- Phase 2...
> > Applying Policies...
> > Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
> > Compiling /usr/share/shorewall/action.Multicast for chain Multicast...
> > Generating Rule Matrix...
> > Optimizing Ruleset...
> > Creating iptables-restore input...
> > Use of uninitialized value in hash element at
> > /usr/share/shorewall/Shorewall/Rules.pm line 818.
> > Use of uninitialized value in concatenation (.) or string at
> > /usr/share/shorewall/Shorewall/Rules.pm line 823.
>
> Those are likely related to the log messages you posted above. For some
> reason, the compiler is confused about your zone definitions.
>
> > Shorewall configuration compiled to /var/lib/shorewall/.reload
> >    Currently-running Configuration Saved to /var/lib/shorewall/.try
> >    WARNING: No ipsets were saved
> >    ERROR: The ipset utility cannot be located - ipsets are not saved
>
> Looks like you have SAVE_IPSETS=Yes or SAVE_IPSETS=ipv4 but the ipset
> utility is not on the PATH.
>
> > Reloading...
> > Reloading Shorewall
> > Initializing...
> > Processing /etc/shorewall/init ...
> > Processing /etc/shorewall/tcclear ...
> > Setting up Route Filtering...
> > Setting up Martian Logging...
> > Setting up Proxy ARP...
> > Adding Providers...
> > Preparing iptables-restore input...
> > Running /usr/bin/iptables-restore ...
> > IPv4 Forwarding Enabled
> > Processing /etc/shorewall/start ...
> > Processing /etc/shorewall/started ...
> > done.
> >
> >
> > Could someone help me with this problem?
>
> I would like two things:
>
> a) The output of 'shorewall dump' as an attachment.
> b) A tarball of your /etc/shorewall directory.
>
> You can send them to me privately if you like.
>
> -Tom

Re: [Shorewall-users] Fwd: Shorewall issue with snat and forward drops

2017-08-06 Thread Tom Eastep
On 08/06/2017 07:12 AM, Roel de Wildt wrote:
> Hi,
> 
> I'm using shorewall 5.1.5.1 on archlinux and having some problems
> configuring archlinux with my dual ISP setup and two separate internal
> networks.
> 
> The kernel I am using is the following one:
> Linux router001 4.9.40-1-lts #1 SMP Fri Jul 28 21:45:40 CEST 2017 x86_64
> GNU/Linux
> 
> The problem is that I have internet access from only one of the two
> internal networks (10.3.0.0/16 and 10.4.0.0/16). The working network is
> 10.3.0.0/16 and the network that does not have internet access is
> 10.4.0.0/16.
> 
> In the journal I find these log entries when I ping the 8.8.8.8 address
> (google dns):
> 
> Aug 06 15:30:13 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2586
> Aug 06 15:30:13 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2586
> Aug 06 15:30:17 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2587
> Aug 06 15:30:22 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2588
> Aug 06 15:30:27 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2589
> 

These indicate that either the source (interface,ip) or destination
(interface,ip) don't fall into any defined zone.

> 
> I see also those two errors when I check the shorewall config with
> shorewall try.
> 
> 
> Compiling using Shorewall 5.1.5.1...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Compiling /etc/shorewall/zones...
> Compiling /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Compiling /etc/shorewall/policy...
> Running /etc/shorewall/initdone...
> Adding rules for DHCP
> Compiling TCP Flags filtering...
> Compiling Kernel Route Filtering...
> Compiling Martian Logging...
> Compiling /etc/shorewall/providers...
> Compiling /etc/shorewall/routes...
> Compiling /etc/shorewall/snat...
> Compiling MAC Filtration -- Phase 1...
> Compiling /etc/shorewall/rules...
> Compiling /etc/shorewall/conntrack...
> Compiling /etc/shorewall/tunnels...
> Compiling MAC Filtration -- Phase 2...
> Applying Policies...
> Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
> Compiling /usr/share/shorewall/action.Multicast for chain Multicast...
> Generating Rule Matrix...
> Optimizing Ruleset...
> Creating iptables-restore input...
> Use of uninitialized value in hash element at
> /usr/share/shorewall/Shorewall/Rules.pm line 818.
> Use of uninitialized value in concatenation (.) or string at
> /usr/share/shorewall/Shorewall/Rules.pm line 823.

Those are likely related to the log messages you posted above. For some
reason, the compiler is confused about your zone definitions.

> Shorewall configuration compiled to /var/lib/shorewall/.reload
>    Currently-running Configuration Saved to /var/lib/shorewall/.try
>    WARNING: No ipsets were saved
>    ERROR: The ipset utility cannot be located - ipsets are not saved

Looks like you have SAVE_IPSETS=Yes or SAVE_IPSETS=ipv4 but the ipset
utility is not on the PATH.

> Reloading...
> Reloading Shorewall
> Initializing...
> Processing /etc/shorewall/init ...
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Proxy ARP...
> Adding Providers...
> Preparing iptables-restore input...
> Running /usr/bin/iptables-restore ...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/start ...
> Processing /etc/shorewall/started ...
> done.
> 
> 
> Could someone help me with this problem?

I would like two things:

a) The output of 'shorewall dump' as an attachment.
b) A tarball of your /etc/shorewall directory.

You can send them to me privately if you like.

-Tom
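Tom reads the FORWARD DROP lines above as packets whose IN or OUT side falls into no zone. The script below is an added example, not Shorewall's own code, that makes that check mechanical for a batch of journal lines: it parses the KEY=VALUE fields, resolves IN and OUT against an interface-to-zone table (honouring Shorewall's trailing-+ wildcard, as in tun+) and reports which side is unzoned. The table is constructed for the example: ens161 and ens192 are the interfaces from the poster's logs, while the zone assignments, ens224 and the deliberately missing entry for ens192 are assumptions. The first five log lines are the ones posted in the thread; the sixth is constructed.

```python
"""Triage Shorewall/iptables FORWARD DROP log lines against a zone map.

Added example, not Shorewall's own code. Tom's reading of the drops is that
the IN or OUT side of the packet does not belong to any zone; this script
makes that check mechanical for a batch of journal lines.
"""
import re
from collections import Counter

# Constructed interface -> zone table. ens161 and ens192 appear in the poster's
# logs; the zone assignments, ens224 and the tun+ wildcard are assumptions.
# ens192 is deliberately left out to show what an unzoned interface looks like.
ZONE_OF_INTERFACE = {"ens161": "net", "ens224": "lan", "tun+": "vpn"}

# The first five lines are the ones posted in the thread; the sixth is
# constructed to exercise the tun+ wildcard and the "both sides zoned" path.
SAMPLE_LOG = [
    "Aug 06 15:30:13 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2586",
    "Aug 06 15:30:13 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2586",
    "Aug 06 15:30:17 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2587",
    "Aug 06 15:30:22 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2588",
    "Aug 06 15:30:27 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2589",
    # constructed line, not from the thread
    "Aug 06 15:31:02 router001 kernel: FORWARD DROP IN=tun0 OUT=ens224 MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=10.8.0.6 DST=10.3.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1",
]

KV = re.compile(r"(\w+)=(\S*)")


def parse_kernel_log(line):
    """Parse KEY=VALUE pairs from an iptables LOG line into a dict.

    Keys can repeat: the IP header ID and the ICMP echo ID are both logged as
    ID=. The first occurrence keeps the bare key; later ones get a _2, _3 ...
    suffix instead of silently overwriting the earlier value.
    """
    fields = {}
    for key, value in KV.findall(line):
        name, n = key, 1
        while name in fields:
            n += 1
            name = f"{key}_{n}"
        fields[name] = value
    return fields


def zone_for(iface, table):
    """Resolve an interface name to a zone, honouring Shorewall's trailing-+
    wildcard (tun+ matches tun0, tun1, ...). Returns None if unzoned."""
    if iface in table:
        return table[iface]
    for pattern, zone in table.items():
        if pattern.endswith("+") and iface.startswith(pattern[:-1]):
            return zone
    return None


def triage(lines, table):
    """For each FORWARD DROP line return (src_zone, dst_zone, verdict)."""
    rows = []
    for line in lines:
        if "FORWARD DROP" not in line:
            continue
        fields = parse_kernel_log(line)
        src = zone_for(fields.get("IN", ""), table)
        dst = zone_for(fields.get("OUT", ""), table)
        unzoned = [f"{side}={fields.get(side, '')}"
                   for side, zone in (("IN", src), ("OUT", dst)) if zone is None]
        if unzoned:
            verdict = "no zone for " + ", ".join(unzoned)
        else:
            verdict = f"both sides zoned ({src}->{dst}): check policy and rules"
        rows.append((src, dst, verdict))
    return rows


def summarize(lines, table):
    """Count verdicts so a noisy journal collapses to a handful of causes."""
    return Counter(verdict for _, _, verdict in triage(lines, table))


if __name__ == "__main__":
    for verdict, count in summarize(SAMPLE_LOG, ZONE_OF_INTERFACE).most_common():
        print(f"{count:4d}  {verdict}")
```

Two details worth noticing in the posted lines: the kernel logs two ID= fields per entry (the IP header ID and the ICMP echo ID), so a naive dict would silently keep only the second; and TYPE=0 marks these packets as ICMP echo replies from 8.8.8.8, so it is the return half of the ping that the FORWARD chain is discarding on its way from ens161 to ens192.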

[Shorewall-users] Fwd: Shorewall issue with snat and forward drops

2017-08-06 Thread Roel de Wildt
Hi,

I'm using shorewall 5.1.5.1 on archlinux and having some problems configuring
archlinux with my dual ISP setup and two separate internal networks.

The kernel I am using is the following one:
Linux router001 4.9.40-1-lts #1 SMP Fri Jul 28 21:45:40 CEST 2017 x86_64
GNU/Linux

The problem is that I have internet access from only one of the two
internal networks (10.3.0.0/16 and 10.4.0.0/16). The working network is
10.3.0.0/16 and the network that does not have internet access is
10.4.0.0/16.

In the journal I find these log entries when I ping the 8.8.8.8 address
(google dns):

Aug 06 15:30:13 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2586
Aug 06 15:30:13 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2586
Aug 06 15:30:17 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2587
Aug 06 15:30:22 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2588
Aug 06 15:30:27 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2589


I see also those two errors when I check the shorewall config with
shorewall try.


Compiling using Shorewall 5.1.5.1...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/providers...
Compiling /etc/shorewall/routes...
Compiling /etc/shorewall/snat...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/conntrack...
Compiling /etc/shorewall/tunnels...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Compiling /usr/share/shorewall/action.Multicast for chain Multicast...
Generating Rule Matrix...
Optimizing Ruleset...
Creating iptables-restore input...
Use of uninitialized value in hash element at
/usr/share/shorewall/Shorewall/Rules.pm line 818.
Use of uninitialized value in concatenation (.) or string at
/usr/share/shorewall/Shorewall/Rules.pm line 823.
Shorewall configuration compiled to /var/lib/shorewall/.reload
   Currently-running Configuration Saved to /var/lib/shorewall/.try
   WARNING: No ipsets were saved
   ERROR: The ipset utility cannot be located - ipsets are not saved
Reloading...
Reloading Shorewall
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Adding Providers...
Preparing iptables-restore input...
Running /usr/bin/iptables-restore ...
IPv4 Forwarding Enabled
Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.


Could someone help me with this problem?

Kind regards,
Roel de Wildt