crap... I just realized one thing ... in the section where I was trying to
illustrate the ping from my client to my firewall, I did the opposite
(pinged the client from my firewall).
so:
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
is when I'm logged into my fw (remotely) trying to ping my client machine.
sorry for the confusion.
On 2/2/07, Shawn Singh <[EMAIL PROTECTED]> wrote:
Hello List,
This is my first post to the list, and as such I apologize for the length
of it. I tried to put as much detail into this as possible.
I recently installed Shorewall on a computer running Gentoo Linux. The
computer has 3 network cards in it, but I've only configured 2. Going the
cheap route, I'm connecting my client directly to my firewall using a
crossover cable.
When I try to access the Internet from my client, the operation times out.
Client is running Windows XP Home Edition.
Card is set to Auto-negotiate the speed and duplex.
Firewall is running Gentoo Linux (2006.1).
The version of Shorewall I have installed is: 3.0.8
eth0 is connected to a cable modem and gets its IP information via DHCP
from my ISP.
eth1 reports the following information from ifconfig eth1:
eth1 Link encap:Ethernet HWaddr 00:10:B5:0E:D6:E9
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:10 Base address:0x6c00
My routing table is as follows:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     192.168.1.1     255.255.255.0   UG    0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
c-71-203-144-0. *               255.255.252.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         c-71-203-144-1. 0.0.0.0         UG    0      0        0 eth0
One thing that I noticed is if I do mii-tool eth1 I get:
eth1: no link
Since I can ping eth1 from the firewall, shouldn't that mean there is a
link?
Things I've tested / tried / ensured:
On the firewall side of things:
The link light is lit on my client and firewall (eth1 and on the client's
NIC)
From the firewall I can get to the Internet (I can browse sites, SSH to
another computer on another network, etc)
I can ping the address of the interior interface (eth1: 192.168.1.1 ) from
the firewall. (replies are in < 1ms)
I've toggled the SSH rule on the firewall to ensure that if I am not
accepting SSH from net to fw that it won't work, and that works fine, so I
think that rule is behaving as I'd expect.
I've blocked ping at the firewall, and that works fine, so that rule seems
to be correct.
I cannot ping the address of my client from the firewall (the client's
address is 192.168.1.2).
On the client side of things:
When I try to ping my firewall or reach the Internet I can see that it is
sending packets.
The send counter increases, but not the received counter (the received
counter stays at 0).
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
--- 192.168.1.2 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3009ms, pipe 3
I don't think it's an issue with my DNS setup, as I've entered the IP
address of the site I wish to visit, but still can't get there. The
operation will take too long, and just timeout.
I've set the IP parameters as follows on the client:
IP address: 192.168.1.2
Netmask: 255.255.255.0
Default Gateway: 192.168.1.1
Preferred DNS: 192.168.1.1
No matter what traffic I send to the firewall, whether it be a ping or my
client trying to get to the Internet, I don't see anything getting logged. I
see the firewall is busy, but it's not getting anything from my client.
Just a snippet of shorewall show log:
Feb 2 07:59:28 fury [32025.333661] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=220.178.32.78 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=107 ID=27105 PROTO=UDP SPT=2119 DPT=1434 LEN=384
Feb 2 08:08:43 fury [32579.604207] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=71.204.17.37 DST=71.203.146.136 LEN=92 TOS=0x00 PREC=0x20 TTL=114 ID=5644 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26501
Feb 2 08:11:04 fury [32720.939826] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40217 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
Feb 2 08:11:13 fury [32730.239305] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=193.95.190.178 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=108 ID=57862 PROTO=UDP SPT=4189 DPT=1434 LEN=384
Feb 2 08:16:33 fury [33049.711995] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=180.10.35.7 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=45 ID=34719 PROTO=UDP SPT=31187 DPT=1026 LEN=384
Feb 2 08:23:49 fury [33486.225830] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
I set my rules, policy, masq, interfaces, etc according to the basic
two-interface firewall howto, and used an FAQ to configure my firewall as
follows:
/etc/shorewall/params:
ETH0_IP=`find_first_interface_address eth0`
/etc/shorewall/rules:
#
# Local Rules
SSH/ACCEPT loc $FW
Ping/ACCEPT loc $FW
# DNS
DNS/ACCEPT loc $FW
# DHCP SERVER
ACCEPT loc net UDP 67
ACCEPT loc net TCP 67
# DHCP CLIENT
ACCEPT loc net UDP 68
ACCEPT loc net TCP 68
#
# Remote Rules
#
SSH/ACCEPT net $FW
Ping/ACCEPT $FW loc
# DNAT
DNAT loc loc:192.168.1.1 tcp www - $ETH0_IP
/etc/shorewall/policy:
loc net ACCEPT info
$FW net ACCEPT info
$FW loc ACCEPT info
net all DROP info
all all REJECT info
/etc/shorewall/interfaces:
net eth0 detect dhcp
loc eth1 192.168.1.255 routeback
/etc/shorewall/masq:
eth1: 192.168.1.1 eth1 192.168.1.1 tcp www
I was getting an error when I initially set up Shorewall telling me that
the route had not been defined for my internal interface at the point where
the firewall was trying to start, so I placed the following entry into
/etc/shorewall/init:
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 eth1
However, I've been through many evolutions since then; so this may no
longer be needed.
"Doing linear scans over an associative array is like trying to club
someone to death with a loaded Uzi."
---Larry Wall
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
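A small parser for the `shorewall show log` lines quoted in the post, added here as an example (it is not from the post or from Shorewall itself). It splits each netfilter line into its chain, action and KEY=VALUE fields, keeps the second LEN/ID as the layer-4 value, and answers the question the post raises: did anything at all get logged arriving on eth1? The sample log is constructed, using documentation-range addresses.

```python
import re
from collections import Counter

# Constructed sample in the `shorewall show log` format (documentation-range addresses; no IN=eth1 line).
SAMPLE_LOG = """\
Feb 2 07:59:28 fury [32025.333661] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=404 TOS=0x00 PREC=0x20 TTL=107 ID=27105 PROTO=UDP SPT=2119 DPT=1434 LEN=384
Feb 2 08:08:43 fury [32579.604207] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=92 TOS=0x00 PREC=0x20 TTL=114 ID=5644 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26501
Feb 2 08:11:04 fury [32720.939826] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=198.51.100.7 DST=192.0.2.53 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40217 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
Feb 2 08:16:33 fury [33049.711995] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.21 DST=198.51.100.7 LEN=404 TOS=0x00 PREC=0x20 TTL=45 ID=34719 PROTO=UDP SPT=31187 DPT=1434 LEN=384
"""
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \[[\d.]+\] "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$"
)

def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    entry = {"ts": m["ts"], "host": m["host"], "chain": m["chain"], "action": m["action"]}
    for tok in m["fields"].split():
        if "=" not in tok:             # bare flags such as DF
            entry[tok] = True
            continue
        key, val = tok.split("=", 1)
        if key in entry:               # second ID=/LEN= belongs to the L4 header
            key = "L4_" + key
        entry[key] = val
    return entry

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def summarize(entries):
    """Counts by chain:action, by ingress interface, and dropped proto/port."""
    by_rule = Counter(f"{e['chain']}:{e['action']}" for e in entries)
    by_in = Counter(e.get("IN") or "(local)" for e in entries)
    dropped_ports = Counter(
        f"{e['PROTO']}/{e['DPT']}" for e in entries
        if e["action"] == "DROP" and "DPT" in e
    )
    return {"by_rule": by_rule, "by_in": by_in, "dropped_ports": dropped_ports}

def seen_on_interface(entries, iface):
    """True if any logged packet entered on `iface` (here: did eth1 ever log?)."""
    return any(e.get("IN") == iface for e in entries)

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(summarize(entries), "eth1 seen:", seen_on_interface(entries, "eth1"))
```

Feed it the real file (e.g. the output of `shorewall show log` or /var/log/messages) instead of SAMPLE_LOG; an empty `by_in["eth1"]` confirms that nothing from the client is reaching the firewall's ruleset at all, which points below the firewall layer.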