You should define policy for fw:

    fw    all    ACCEPT
    lan   fw     ACCEPT

The order of these is important. They should be at the top. This is probably why 192.168.2.8 can't talk to the fw (192.168.2.1). Get traffic flowing and then narrow it down to what is allowed.
In your snat file you're masquerading every private address. Only define what is valid. Use 'ip -o -4 addr' to get your addresses:

    2: lan4    inet 192.168.4.1/24 brd 192.168.4.255 scope global lan4\       valid_lft forever preferred_lft forever
    2: lan4    inet 192.168.4.254/24 brd 192.168.4.255 scope global secondary lan4\       valid_lft forever preferred_lft forever

My LAN is 192.168.4.0/24.

I don't know if it matters to iptables, but your 192.168.1.0 is not the base of a /16. For that prefix you would define 192.168.0.0/16.

It would be helpful to see the output of:

    ip -o -4 addr

and:

    ip -o -4 route

Bill

On 12/12/2017 12:07 AM, jamby wrote:
> Thanks Bill
>
> In the attached file are the zones, interfaces, hosts, masq (or snat), and policy files. + shorewall.conf
>
> Appreciate your time
>
> Jim
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
