On 08/06/2017 07:12 AM, Roel de Wildt wrote:
> Hi,
> 
> I'm using shorewall 5.1.5.1 on archlinux and having some problems
> configure archlinux with my dual isp setup and two separated internal
> networks.
> 
> The kernel I am using is the following one:
> Linux router001 4.9.40-1-lts #1 SMP Fri Jul 28 21:45:40 CEST 2017 x86_64
> GNU/Linux
> 
> The problem is that I have internet access from only one of the two
> internal networks (10.3.0.0/16 and 10.4.0.0/16). The working network is
> 10.3.0.0/16 and the network that does not have internet access is
> 10.4.0.0/16.
> 
> In the journal I find these log entries when I ping the 8.8.8.8 address
> (google dns):
> 
> Aug 06 15:30:13 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192
> MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209
> LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2586
> Aug 06 15:30:13 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192
> MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209
> LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2586
> Aug 06 15:30:17 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192
> MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209
> LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2587
> Aug 06 15:30:22 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192
> MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209
> LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2588
> Aug 06 15:30:27 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192
> MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209
> LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2589
> 

These indicate that either the source (interface,ip) or destination
(interface,ip) don't fall into any defined zone.

> 
> I see also those two errors when I check the shorewall config with
> shorewall try.
> 
> 
> Compiling using Shorewall 5.1.5.1...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Compiling /etc/shorewall/zones...
> Compiling /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Compiling /etc/shorewall/policy...
> Running /etc/shorewall/initdone...
> Adding rules for DHCP
> Compiling TCP Flags filtering...
> Compiling Kernel Route Filtering...
> Compiling Martian Logging...
> Compiling /etc/shorewall/providers...
> Compiling /etc/shorewall/routes...
> Compiling /etc/shorewall/snat...
> Compiling MAC Filtration -- Phase 1...
> Compiling /etc/shorewall/rules...
> Compiling /etc/shorewall/conntrack...
> Compiling /etc/shorewall/tunnels...
> Compiling MAC Filtration -- Phase 2...
> Applying Policies...
> Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
> Compiling /usr/share/shorewall/action.Multicast for chain Multicast...
> Generating Rule Matrix...
> Optimizing Ruleset...
> Creating iptables-restore input...
> Use of uninitialized value in hash element at
> /usr/share/shorewall/Shorewall/Rules.pm line 818.
> Use of uninitialized value in concatenation (.) or string at
> /usr/share/shorewall/Shorewall/Rules.pm line 823.

Those are likely related to the log messages you posted above. For some
reason, the compiler is confused about your zone definitions.

> Shorewall configuration compiled to /var/lib/shorewall/.reload
>    Currently-running Configuration Saved to /var/lib/shorewall/.try
>    WARNING: No ipsets were saved
>    ERROR: The ipset utility cannot be located - ipsets are not saved

Looks like you have SAVE_IPSETS=Yes or SAVE_IPSETS=ipv4 but the ipset
utility is not on the PATH.

> Reloading...
> Reloading Shorewall....
> Initializing...
> Processing /etc/shorewall/init ...
> Processing /etc/shorewall/tcclear ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Proxy ARP...
> Adding Providers...
> Preparing iptables-restore input...
> Running /usr/bin/iptables-restore ...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/start ...
> Processing /etc/shorewall/started ...
> done.
> 
> 
> Could someone help me with this problem?

I would like two things:

a) The output of 'shorewall dump' as an attachment.
b) A tarball of your /etc/shorewall directory.

You can send them to me privately if you like.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
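The diagnosis above (a FORWARD DROP means one endpoint of the packet maps to no zone) can be checked mechanically against the kernel log lines. This is an added example, not code from Tom or from Shorewall: it assumes a constructed, hosts-style zone table in which `loc` only covers 10.3.0.0/16 on ens192, so the 10.4.0.0/16 reply destination in the posted log has no zone.

```python
import re
import ipaddress

# Constructed zone membership in the spirit of Shorewall's hosts file
# (ZONE  INTERFACE:NETWORK). Hypothetical: 'loc' covers only 10.3.0.0/16 on
# ens192, so 10.4.0.0/16 hosts behind the same interface belong to no zone.
ZONES = {
    "net": [("ens160", "0.0.0.0/0"), ("ens161", "0.0.0.0/0")],
    "loc": [("ens192", "10.3.0.0/16")],
}

# Fields of a netfilter LOG line; MAC= may sit between OUT= and SRC=.
LOG_RE = re.compile(
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)")


def zone_of(interface, ip, zones=ZONES):
    """Return the first zone whose (interface, network) pair covers ip, else None."""
    addr = ipaddress.ip_address(ip)
    for zone, members in zones.items():
        for iface, net in members:
            if iface == interface and addr in ipaddress.ip_network(net):
                return zone
    return None


def classify_drop(line, zones=ZONES):
    """Map one FORWARD DROP line to (source zone, destination zone)."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a netfilter log line")
    return (zone_of(m["in"], m["src"], zones),
            zone_of(m["out"], m["dst"], zones))


def unzoned_endpoints(lines, zones=ZONES):
    """Collect the (interface, ip) pairs from dropped packets that no zone covers."""
    missing = set()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        for iface, ip in ((m["in"], m["src"]), (m["out"], m["dst"])):
            if zone_of(iface, ip, zones) is None:
                missing.add((iface, ip))
    return sorted(missing)


# Constructed sample: the posted drop, plus a reply to the working network.
SAMPLE = [
    "kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2586",
    "kernel: FORWARD ACCEPT IN=ens161 OUT=ens192 SRC=8.8.8.8 DST=10.3.1.20 LEN=60 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=7",
]

if __name__ == "__main__":
    print(classify_drop(SAMPLE[0]), unzoned_endpoints(SAMPLE))
```

Feed it the real `journalctl -k` output and the real zone table and the endpoints it lists are the ones to add to zones, interfaces or hosts.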
