On 06/28/2016 12:03 AM, Thomas Schneider wrote:
> Update: I have adjusted some rules as follows:
> 
> ## Permit ping access
> Ping(ACCEPT)    loc,fb          $FW
> Ping(ACCEPT)    $FW             loc,fb
> Ping(ACCEPT)    fb              loc,dmz
> 
> ## Drop ping access from net
> Ping(DROP)      net             all
> 
> ## Permit ICMP access
> ACCEPT          $FW             loc,fb                  icmp
> ACCEPT          $FW             net                     icmp
> ACCEPT          loc,fb          net                     icmp
> ACCEPT          fb              loc,dmz                 icmp
> 
> However, I can only ping host pc4-svp.whl.meilocal.net serving
> Shorewall: 192.168.178.10 (aka 10.0.0.1 and 10.1.0.1).
> http://up.picr.de/26014890cy.jpg
> 
> Any ping or traceroute to another server in 10.0.0.0/24 or
> 10.1.0.0/24 fails after reaching 192.168.178.10. My conclusion is
> that the static route configured in the router is working, but then
> communication is blocked on 192.168.178.10.
> 
> thomas@pc8-nb:~$ sudo traceroute 10.0.0.2
> traceroute to 10.0.0.2 (10.0.0.2), 30 hops max, 60 byte packets
>  1  pc4-svp.whl.meilocal.net (192.168.178.10)  0.243 ms  0.234 ms  0.231 ms
>  2  * * *
>  3  * * *
>  4  * * *
>  5  * * *
>  6  * * *
>  7  * * *
>  8  * * *
>  9  * * *
> 10  * * *
> 11  * * *
> 12  * * *
> 13  * * *
> 14  * * *
> 15  * * *
> 16  * * *
> 17  * * *
> 18  * * *
> 19  * * *
> 20  * * *
> 21  * * *
> 22  * * *
> 23  * * *
> 24  * * *
> 25  * * *
> 26  * * *
> 27  * * *
> 28  * * *
> 29  * * *
> 30  * * *
> thomas@pc8-nb:~$ sudo ping 10.0.0.2
> PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
> From 192.168.178.1: icmp_seq=124 Redirect Host(New nexthop: 192.168.178.10)
> From 192.168.178.1: icmp_seq=424 Redirect Host(New nexthop: 192.168.178.10)
> 
> Any advice?

From the dump, packets arriving on vmbr2 and to be forwarded go
through the chain UMP_IF_fwd:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  953 76428 UMP_IF_fwd  all  --  vmbr2  *       0.0.0.0/0            0.0.0.0/0

Since the source IP is in 192.168.178.0/24, they are then passed
through the chain fb_frwd:

Chain UMP_IF_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
  953 76428 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  953 76428 smurfs     all  --  *      *       192.168.178.0/24     0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  953 76428 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 tcpflags   tcp  --  *      *       192.168.178.0/24     0.0.0.0/0
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
  953 76428 fb_frwd    all  --  *      *       192.168.178.0/24     0.0.0.0/0
  953 76428 net_frwd   all  --  *      *       0.0.0.0/0            0.0.0.0/0


There, *no rule matches the traffic*. So the traffic now goes to net_frwd:

Chain fb_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 fb-net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 fb-net     all  --  *      vmbr2   0.0.0.0/0            0.0.0.0/0
    0     0 all-all    all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
    0     0 ~comb0     all  --  *      vmbr1   0.0.0.0/0            10.1.0.0/24
    0     0 ~comb0     all  --  *      vmbr1   0.0.0.0/0            224.0.0.0/4

In net_frwd, traffic routed out of vmbr0 goes through the net-loc chain:

Chain net_frwd (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ~comb2     all  --  *      vmbr2   0.0.0.0/0            192.168.178.0/24
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      vmbr2   0.0.0.0/0            0.0.0.0/0
 118K  153M net-loc    all  --  *      vmbr0   0.0.0.0/0            10.0.0.0/24

There, ping is dropped.

Chain net-loc (2 references)
 pkts bytes target     prot opt in     out     source               destination
 117K  153M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  802 67368 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
   52  2404 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            10.0.0.2             multiport dports 80,443 limit: avg 5/sec burst 10
  151  9060 net-all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

You appear to have no traceroute rules so traceroute requests get
dropped in net-all, which you can clearly see from the Log section of
the dump.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
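The chain walk Tom does by hand above (FORWARD to UMP_IF_fwd to fb_frwd, back to net_frwd, then net-loc) is mechanical enough to script. The following is an added example, not Shorewall's own code or anything from the thread: it encodes the `iptables -L -v -n` excerpt quoted above as data, then follows a constructed packet through the jumps and goto to report which rule decides its fate. Chains the excerpt does not show (dynamic, smurfs, tcpflags, fb-net, all-all, ~comb0, ~comb2, net-all) are assumed to match nothing, consistent with the packet counters reaching the later rules; the rate limit on the multiport rule is not modelled; the sample packets and their addresses are constructed.

```python
"""Walk a packet through an iptables chain listing to find the rule that
decides its fate. Added example (not Shorewall's code); the chains below are
constructed from the listing excerpt quoted in the thread."""
import ipaddress

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
NEWISH = {"INVALID", "NEW", "UNTRACKED"}


def rule(target, proto="all", i="*", o="*", src="0.0.0.0/0", dst="0.0.0.0/0", **extra):
    """One row of the listing; extra holds ctstate/icmptype/dports/goto matches."""
    return {"target": target, "proto": proto, "in": i, "out": o, "src": src, "dst": dst, **extra}


CHAINS = {
    "FORWARD": [rule("UMP_IF_fwd", i="vmbr2")],  # policy DROP; only the vmbr2 row was quoted
    "UMP_IF_fwd": [
        rule("dynamic", ctstate=NEWISH),
        rule("smurfs", src="192.168.178.0/24", ctstate=NEWISH),
        rule("smurfs", ctstate=NEWISH),
        rule("tcpflags", "tcp", src="192.168.178.0/24"),
        rule("tcpflags", "tcp"),
        rule("fb_frwd", src="192.168.178.0/24"),
        rule("net_frwd"),
    ],
    "fb_frwd": [
        rule("fb-net", o="eth0"),
        rule("fb-net", o="vmbr2"),
        rule("all-all", o="tun+"),
        rule("~comb0", o="vmbr1", dst="10.1.0.0/24"),
        rule("~comb0", o="vmbr1", dst="224.0.0.0/4"),
    ],
    "net_frwd": [
        rule("~comb2", o="vmbr2", dst="192.168.178.0/24"),
        rule("ACCEPT", o="eth0"),
        rule("ACCEPT", o="vmbr2"),
        rule("net-loc", o="vmbr0", dst="10.0.0.0/24"),
    ],
    "net-loc": [
        rule("ACCEPT", ctstate={"RELATED", "ESTABLISHED"}),
        rule("DROP", "tcp", ctstate={"INVALID"}),
        rule("DROP", "icmp", icmptype=8),  # /* Ping */
        rule("ACCEPT", "tcp", i="eth0", dst="10.0.0.2", dports={80, 443}),  # limit ignored
        rule("net-all", goto=True),
    ],
}


def iface_match(pattern, iface):
    """'*' matches any interface; a trailing '+' is iptables' prefix wildcard (tun+)."""
    if pattern == "*":
        return True
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface


def rule_matches(r, pkt):
    return (
        (r["proto"] == "all" or r["proto"] == pkt["proto"])
        and iface_match(r["in"], pkt["in"]) and iface_match(r["out"], pkt["out"])
        and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(r["src"])
        and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(r["dst"])
        and ("ctstate" not in r or pkt["ctstate"] in r["ctstate"])
        and ("icmptype" not in r or pkt.get("icmptype") == r["icmptype"])
        and ("dports" not in r or pkt.get("dport") in r["dports"])
    )


def trace(chain, pkt, path=None):
    """Return (verdict, path); verdict None means the chain fell through to its caller."""
    path = [] if path is None else path
    for n, r in enumerate(CHAINS[chain], 1):
        if not rule_matches(r, pkt):
            continue
        target = r["target"]
        path.append(f"{chain}#{n} -> {target}")
        if target in TERMINAL:
            return target, path
        if target not in CHAINS:  # chain absent from the excerpt: assumed to match nothing
            if r.get("goto"):     # ...but a goto never comes back here
                return f"goto {target} (chain not in dump)", path
            continue
        verdict, path = trace(target, pkt, path)
        if verdict is not None or r.get("goto"):
            return verdict, path
    return None, path


def forward_verdict(pkt, policy="DROP"):
    verdict, path = trace("FORWARD", pkt)
    return (verdict or f"policy {policy}"), path


# Constructed packets: a laptop in 192.168.178.0/24 reaching 10.0.0.2 via the firewall host.
PING = {"src": "192.168.178.20", "dst": "10.0.0.2", "proto": "icmp", "icmptype": 8,
        "in": "vmbr2", "out": "vmbr0", "ctstate": "NEW"}
TRACEROUTE = {"src": "192.168.178.20", "dst": "10.0.0.2", "proto": "udp", "dport": 33434,
              "in": "vmbr2", "out": "vmbr0", "ctstate": "NEW"}  # Linux traceroute UDP probe
ESTABLISHED = {**PING, "ctstate": "ESTABLISHED"}

if __name__ == "__main__":
    for name, pkt in [("ping", PING), ("traceroute", TRACEROUTE), ("established", ESTABLISHED)]:
        verdict, path = forward_verdict(pkt)
        print(f"{name:12} {verdict:34} via {' > '.join(path)}")
```

Run stand-alone it prints one line per packet: the echo request ends at net-loc rule 3 (the icmptype 8 DROP), the UDP traceroute probe matches nothing in net-loc and is handed to net-all by the goto, and a packet of an already established flow is accepted by net-loc rule 1. Extending it to a real listing means parsing `iptables -L -v -n` into the same rule dicts and adding whatever match extensions the ruleset uses.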

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users