Hi Tom,

I have installed the ipset utility and the compile errors are gone. But I
cannot access the internet from the 10.4.x.x subnet.

Kind regards,
Roel de Wildt

2017-08-06 17:42 GMT+02:00 Tom Eastep <teas...@shorewall.net>:

> On 08/06/2017 07:12 AM, Roel de Wildt wrote:
> > Hi,
> >
> > I'm using shorewall 5.1.5.1 on archlinux and having some problems
> > configuring archlinux with my dual isp setup and two separated internal
> > networks.
> >
> > The kernel I am using is the following one:
> > Linux router001 4.9.40-1-lts #1 SMP Fri Jul 28 21:45:40 CEST 2017 x86_64
> > GNU/Linux
> >
> > The problem is that I have internet access from only one of the two
> > internal networks (10.3.0.0/16 and 10.4.0.0/16). The working network is
> > 10.3.0.0/16 and the network that does not have internet access is
> > 10.4.0.0/16.
> >
> > In the journal I find these log entries when I ping the 8.8.8.8 address
> > (google dns):
> >
> > Aug 06 15:30:13 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192
> > MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209
> > LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1
> > SEQ=2586
> > Aug 06 15:30:13 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192
> > MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209
> > LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1
> > SEQ=2586
> > Aug 06 15:30:17 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192
> > MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209
> > LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1
> > SEQ=2587
> > Aug 06 15:30:22 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192
> > MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209
> > LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1
> > SEQ=2588
> > Aug 06 15:30:27 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192
> > MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209
> > LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1
> > SEQ=2589
> >
>
> These indicate that either the source (interface,ip) or destination
> (interface,ip) don't fall into any defined zone.
>
> >
> > I see also those two errors when I check the shorewall config with
> > shorewall try.
> >
> >
> > Compiling using Shorewall 5.1.5.1...
> > Processing /etc/shorewall/params ...
> > Processing /etc/shorewall/shorewall.conf...
> > Loading Modules...
> > Compiling /etc/shorewall/zones...
> > Compiling /etc/shorewall/interfaces...
> > Determining Hosts in Zones...
> > Locating Action Files...
> > Compiling /etc/shorewall/policy...
> > Running /etc/shorewall/initdone...
> > Adding rules for DHCP
> > Compiling TCP Flags filtering...
> > Compiling Kernel Route Filtering...
> > Compiling Martian Logging...
> > Compiling /etc/shorewall/providers...
> > Compiling /etc/shorewall/routes...
> > Compiling /etc/shorewall/snat...
> > Compiling MAC Filtration -- Phase 1...
> > Compiling /etc/shorewall/rules...
> > Compiling /etc/shorewall/conntrack...
> > Compiling /etc/shorewall/tunnels...
> > Compiling MAC Filtration -- Phase 2...
> > Applying Policies...
> > Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
> > Compiling /usr/share/shorewall/action.Multicast for chain Multicast...
> > Generating Rule Matrix...
> > Optimizing Ruleset...
> > Creating iptables-restore input...
> > Use of uninitialized value in hash element at
> > /usr/share/shorewall/Shorewall/Rules.pm line 818.
> > Use of uninitialized value in concatenation (.) or string at
> > /usr/share/shorewall/Shorewall/Rules.pm line 823.
>
> Those are likely related to the log messages you posted above. For some
> reason, the compiler is confused about your zone definitions.
>
> > Shorewall configuration compiled to /var/lib/shorewall/.reload
> >    Currently-running Configuration Saved to /var/lib/shorewall/.try
> >    WARNING: No ipsets were saved
> >    ERROR: The ipset utility cannot be located - ipsets are not saved
>
> Looks like you have SAVE_IPSETS=Yes or SAVE_IPSETS=ipv4 but the ipset
> utility is not on the PATH.
>
> > Reloading...
> > Reloading Shorewall....
> > Initializing...
> > Processing /etc/shorewall/init ...
> > Processing /etc/shorewall/tcclear ...
> > Setting up Route Filtering...
> > Setting up Martian Logging...
> > Setting up Proxy ARP...
> > Adding Providers...
> > Preparing iptables-restore input...
> > Running /usr/bin/iptables-restore ...
> > IPv4 Forwarding Enabled
> > Processing /etc/shorewall/start ...
> > Processing /etc/shorewall/started ...
> > done.
> >
> >
> > Could someone help me with this problem?
>
> I would like two things:
>
> a) The output of 'shorewall dump' as an attachment.
> b) A tarball of your /etc/shorewall directory.
>
> You can send them to me privately if you like.
>
> -Tom
> --
> Tom Eastep        \   Q: What do you get when you cross a mobster with
> Shoreline,         \     an international standard?
> Washington, USA     \ A: Someone who makes you an offer you can't
> http://shorewall.org \   understand
>                       \_______________________________________________
>
>
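Tom's diagnosis above (a FORWARD DROP whose source or destination interface/address falls into no defined zone) can be checked mechanically. The script below is an added example, not part of this thread or of Shorewall itself: it parses kernel log lines of the shape quoted in the thread and compares each packet's (interface, address) pairs against a constructed zone table in which 10.4.0.0/16 is deliberately missing, so the 10.4.2.209 side comes back unzoned. The ZONES table and the second sample line are assumptions, not the poster's real configuration.

```python
import ipaddress
import re

# Constructed zone table (an assumption, not the poster's real /etc/shorewall
# files): each interface maps to the zones and networks Shorewall would derive
# from interfaces/hosts. 10.4.0.0/16 is deliberately absent to reproduce the
# symptom in the thread.
ZONES = {
    "ens161": [("net", ipaddress.ip_network("0.0.0.0/0"))],
    "ens192": [("loc", ipaddress.ip_network("10.3.0.0/16"))],
}

# Constructed sample, shaped like the kernel messages quoted in the thread.
SAMPLE_LOG = """\
Aug 06 15:30:13 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.4.2.209 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2586
Aug 06 15:30:14 router001 kernel: FORWARD DROP IN=ens161 OUT=ens192 MAC=00:0c:29:bd:cb:26:d0:b2:c4:23:bb:fb:08:00 SRC=8.8.8.8 DST=10.3.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=2587
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def zone_of(iface, addr):
    """Return the zone name for (interface, ip), or None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    for zone, net in ZONES.get(iface, []):
        if ip in net:
            return zone
    return None

def classify_drops(log_text):
    """For each 'FORWARD DROP' line, report which side has no zone.

    Returns a list of (src, dst, src_zone, dst_zone) tuples; a None zone
    marks the side the packet could not be attributed to."""
    results = []
    for line in log_text.splitlines():
        if "FORWARD DROP" not in line:
            continue
        fields = {}
        for key, value in FIELD_RE.findall(line):
            fields.setdefault(key, value)  # keep the IP-header ID=, not the ICMP one
        src_zone = zone_of(fields["IN"], fields["SRC"])
        dst_zone = zone_of(fields["OUT"], fields["DST"])
        results.append((fields["SRC"], fields["DST"], src_zone, dst_zone))
    return results

if __name__ == "__main__":
    for src, dst, sz, dz in classify_drops(SAMPLE_LOG):
        print(f"{src} ({sz or 'NO ZONE'}) -> {dst} ({dz or 'NO ZONE'})")
```

A side that reports NO ZONE points at the interfaces/hosts entry to add or correct; the packet reaching the FORWARD policy instead of a zone-to-zone chain is exactly what the log lines show.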