Thanks for your input, David. Maybe my x-over cable is the culprit. I'll try
connecting two other computers together using it and see what happens.

On 2/2/07, David Mohr <[EMAIL PROTECTED]> wrote:

On 2/2/07, Shawn Singh <[EMAIL PROTECTED]> wrote:
> I suspect my shorewall config is correct, I think something network-wise
> might be screwy. I just can't put my finger on what it is.

If you really have the setup that you described, then the only thing
network-wise that you have is your crossover cable. Are you sure that
you tested it and were able to transmit data over it?
There is pretty much nothing that should prevent you from pinging if
neither host has a firewall activated.

> On 2/2/07, David Mohr <[EMAIL PROTECTED]> wrote:
> > Hi,
> > did things work without shorewall? Disconnect from the internet
> > (unplug the cable), run 'shorewall clear' and at least make sure that
> > the firewall and the client can ping each other before you attempt any
> > shorewall troubleshooting.
> >
> > ~David
> >
> > > On 2/2/07, Shawn Singh <[EMAIL PROTECTED]> wrote:
> > > > crap... I just realized one thing ... in the section where I was trying to
> > > > illustrate the ping from my client to my firewall, I did the opposite
> > > > (pinged the client from my firewall).
> > >
> > > so:
> > > PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
> > > From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
> > > From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
> > > From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
> > > From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
> > >
> > > is when I'm logged into my fw (remotely) trying to ping my client machine.
> > >
> > > sorry for the confusion.
> > >
> > >
> > > On 2/2/07, Shawn Singh <[EMAIL PROTECTED]> wrote:
> > > > Hello List,
> > > >
> > > > This is my first post to the list, and as such I apologize for the length
> > > > of it. I tried to put as much detail into this as possible.
> > > >
> > > > I recently installed Shorewall on a computer running Gentoo Linux. The
> > > > computer has 3 network cards in it, but I've only configured 2. Going the
> > > > cheap route, I'm connecting my client directly to my firewall using a
> > > > crossover cable.
> > > >
> > > > When I try to access the Internet from my client, the operation times out.
> > > >
> > > > Client is running Windows XP Home Edition.
> > > > Card is set to Auto-negotiate the speed and duplex.
> > > >
> > > > Firewall is running Gentoo Linux ( 2006.1).
> > > > The version of shorewall I have installed is: 3.0.8
> > > > eth0 is connected to a cable modem and gets its IP information via DHCP
> > > > from my ISP.
> > > > eth1 reports the following information from ifconfig eth1:
> > > >
> > > > eth1      Link encap:Ethernet  HWaddr 00:10:B5:0E:D6:E9
> > > >           inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
> > > >           UP BROADCAST MULTICAST  MTU:1500  Metric:1
> > > >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > > >           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > > >           collisions:0 txqueuelen:1000
> > > >           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
> > > >           Interrupt:10 Base address:0x6c00
> > > >
> > > > My routing table is as follows:
> > > >
> > > > Kernel IP routing table
> > > > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > > > 192.168.1.0     192.168.1.1     255.255.255.0   UG    0      0        0 eth1
> > > > 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> > > > c-71-203-144-0. *               255.255.252.0   U     0      0        0 eth0
> > > > loopback        *               255.0.0.0       U     0      0        0 lo
> > > > default         c-71-203-144-1. 0.0.0.0         UG    0      0        0 eth0
> > > >
> > > > One thing that I noticed is if I do mii-tool eth1 I get:
> > > > eth1: no link
> > > >
> > > > Since I can ping eth1 from the firewall, shouldn't that mean there is a
> > > > link?
> > > >
> > > > Things I've tested / tried / ensured:
> > > >
> > > > On the firewall side of things:
> > > > The link light is lit on my client and firewall (eth1 and on the client's
> > > > NIC)
> > > > From the firewall I can get to the Internet (I can browse sites, SSH to
> > > > another computer on another network, etc)
> > > > I can ping the address of the interior interface (eth1: 192.168.1.1) from
> > > > the firewall. (replies are in < 1ms)
> > > > I've toggled the SSH rule on the firewall to ensure that if I am not
> > > > accepting SSH from net to fw that it won't work, and that works fine, so I
> > > > think that rule is behaving as I'd expect.
> > > > I've blocked ping at the firewall, and that works fine, so that rule seems
> > > > to be correct.
> > > > I cannot ping the address of my client from the firewall (the client's
> > > > address is 192.168.1.2).
> > > >
> > > > On the client side of things:
> > > > When I try to ping my firewall or reach the Internet I can see that it is
> > > > sending packets.
> > > > The send counter increases, but not the received counter (the received
> > > > counter stays at 0)
> > > >
> > > > PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
> > > > From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
> > > > From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
> > > > From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
> > > > From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
> > > >
> > > > --- 192.168.1.2 ping statistics ---
> > > > 4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3009ms
> > > > , pipe 3
> > > >
> > > > I don't think it's an issue with my DNS setup, as I've entered the IP
> > > > address of the site I wish to visit, but still can't get there. The
> > > > operation will take too long, and just time out.
> > > > I've set the IP parameters as follows on the client:
> > > > IP address: 192.168.1.2
> > > > Netmask:    255.255.255.0
> > > > Default Gateway: 192.168.1.1
> > > > Preferred DNS:     192.168.1.1
> > > >
> > > > No matter what traffic I send to the firewall, whether it be a ping or my
> > > > client trying to get to the Internet, I don't see anything getting logged. I
> > > > see the firewall is busy, but it's not getting anything from my client.
> > > >
> > > > just a snippet of shorewall show log:
> > > >
> > > > Feb  2 07:59:28 fury [32025.333661] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=220.178.32.78 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=107 ID=27105 PROTO=UDP SPT=2119 DPT=1434 LEN=384
> > > > Feb  2 08:08:43 fury [32579.604207] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=71.204.17.37 DST=71.203.146.136 LEN=92 TOS=0x00 PREC=0x20 TTL=114 ID=5644 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26501
> > > > Feb  2 08:11:04 fury [32720.939826] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=40217 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
> > > > Feb  2 08:11:13 fury [32730.239305] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=193.95.190.178 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=108 ID=57862 PROTO=UDP SPT=4189 DPT=1434 LEN=384
> > > > Feb  2 08:16:33 fury [33049.711995] Shorewall:net2all:DROP:IN=eth0 OUT= SRC=180.10.35.7 DST=71.203.146.136 LEN=404 TOS=0x00 PREC=0x20 TTL=45 ID=34719 PROTO=UDP SPT=31187 DPT=1026 LEN=384
> > > > Feb  2 08:23:49 fury [33486.225830] Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=71.203.146.136 DST=68.87.74.162 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=50
> > > >
> > > > I set my rules, policy, masq, interfaces, etc according to the basic
> > > > two-interface firewall howto, and used an FAQ to configure my firewall as
> > > > follows:
> > > >
> > > > /etc/shorewall/params:
> > > > ETH0_IP=`find_first_interface_address eth0`
> > > >
> > > > /etc/shorewall/rules:
> > > > #
> > > > # Local Rules
> > > > SSH/ACCEPT      loc     $FW
> > > > Ping/ACCEPT     loc     $FW
> > > >
> > > > # DNS
> > > > DNS/ACCEPT      loc     $FW
> > > >
> > > > # DHCP SERVER
> > > > ACCEPT          loc     net             UDP     67
> > > > ACCEPT          loc     net             TCP     67
> > > >
> > > > # DHCP CLIENT
> > > > ACCEPT          loc     net             UDP     68
> > > > ACCEPT          loc     net             TCP     68
> > > > #
> > > > # Remote Rules
> > > > #
> > > > SSH/ACCEPT      net     $FW
> > > > Ping/ACCEPT     $FW     loc
> > > >
> > > > # DNAT
> > > > DNAT     loc    loc:192.168.1.1        tcp     www     -    $ETH0_IP
> > > >
> > > > /etc/shorewall/policy:
> > > > loc            net             ACCEPT          info
> > > > $FW         net             ACCEPT          info
> > > > $FW         loc             ACCEPT          info
> > > > net            all             DROP            info
> > > > all             all             REJECT          info
> > > >
> > > > /etc/shorewall/interfaces:
> > > > net     eth0            detect          dhcp
> > > > loc     eth1            192.168.1.255    routeback
> > > >
> > > >
> > > > /etc/shorewall/masq:
> > > > eth1:192.168.1.1        eth1           192.168.1.1     tcp     www
> > > >
> > > > I was getting an error when I initially setup shorewall telling me that
> > > > the route had not been defined for my internal interface at the point where
> > > > the firewall was trying to start, so I placed the following entry into
> > > > /etc/shorewall/init
> > > > route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 eth1
> > > >
> > > > However, I've been through many evolutions since then; so this may no
> > > > longer be needed.
> > > >
> > > >
> > > >
> > > > "Doing linear scans over an associative array is like trying to club
> > > > someone to death with a loaded Uzi."
> > > > ---Larry Wall

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job
easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users




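Added here as an example, not part of any message in the thread: a small Python triage that encodes David's advice (prove the wire works before reading firewall rules). It parses the mii-tool, ifconfig and ping output quoted above, embedded as constructed samples copied from the mail, and reports whether the fault sits below the firewall. The RUNNING-flag check and the "From <own address>" test are assumptions about net-tools ifconfig and iputils ping output, not something the thread states.

```python
import re

# Constructed samples, copied from the outputs quoted in the thread above.
MII_OUTPUT = "eth1: no link\n"
IFCONFIG_OUTPUT = """\
eth1      Link encap:Ethernet  HWaddr 00:10:B5:0E:D6:E9
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
"""
PING_OUTPUT = """\
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
"""


def parse_ifconfig(text):
    """Return (own IPv4 address, set of interface flags, RX packets, TX packets)."""
    addr = re.search(r"inet addr:(\S+)", text)
    flags = re.search(r"^\s+((?:[A-Z]+\s)+)\s*MTU:", text, re.M)
    rx = re.search(r"RX packets:(\d+)", text)
    tx = re.search(r"TX packets:(\d+)", text)
    return (addr.group(1) if addr else None,
            set(flags.group(1).split()) if flags else set(),
            int(rx.group(1)) if rx else 0,
            int(tx.group(1)) if tx else 0)


def triage(mii_text, ifconfig_text, ping_text):
    """Classify the fault as 'link' (dead wire, nothing for a firewall to
    filter) or 'firewall' (frames flow, so policy and rules are worth reading)."""
    findings = []
    own, flags, rx, tx = parse_ifconfig(ifconfig_text)
    if "no link" in mii_text:
        findings.append("mii-tool reports no link: cable or NIC, not rules")
    # Assumption: net-tools ifconfig prints RUNNING only when the kernel sees carrier.
    if "RUNNING" not in flags:
        findings.append("RUNNING flag missing: kernel has no carrier")
    if rx == 0 and tx == 0:
        findings.append("RX/TX packets both 0: no frame has crossed this NIC")
    # 'Destination Host Unreachable' reported from our own address means ARP
    # got no answer; a filtered packet would just time out without such a line.
    m = re.search(r"^From (\S+) .*Destination Host Unreachable", ping_text, re.M)
    if m and m.group(1) == own:
        findings.append("unreachable reported by the local host: ARP unanswered")
    return ("link" if findings else "firewall"), findings
```

Run against the pasted output it returns "link" with four findings, which is why `shorewall clear` and a cable swap come before any rules-file reading.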