When you say that the LAN can't connect to the internet, are the LAN devices using 10.10.10.1 for their gateway?
Since you've been through many revisions of your Shorewall configuration, it would be helpful to list the following files again:

params
rules
zones
interfaces
hosts
policy

I noticed in your messages:

Jan 31 14:43:23 ..End inline action /usr/share/shorewall/action.Invalid
Jan 31 14:43:23 Rule "Invalid(DROP) net all tcp" Compiled
Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.SSH...
Jan 31 14:43:23 Rule "PARAM - - tcp 22" Compiled

You're blocking all incoming TCP from the internet so your SSH ACCEPT rule will never be reached.

Your policy:

Jan 31 14:43:23 Policy for net to fw is DROP using chain net-all

so you don't need the "Invalid(DROP)" rule.

I don't see anything wrong with your IP addresses or routes.

Bill

On 1/31/2018 9:02 AM, Bernard Drozd wrote:
>What is the contents of /etc/shorewall/snat?

SNAT(192.168.15.145) 10.10.10.0/24 enp1s0

I receive private address 192.168.15.145 (configured as static) from my ISP which is seen as public 46.xxx.xxx.xxx

>Also show the output of these two commands run on the Shorewall/gateway machine:
>ip -o -4 addr
>ip -o -4 route

ela@akacja:~$ ip -o -4 addr
1: lo inet 127.0.0.1/8 scope host lo\ valid_lft forever preferred_lft forever
2: enp1s0 inet 192.168.15.145/24 brd 192.168.15.255 scope global enp1s0\ valid_lft forever preferred_lft forever
4: enp3s0f1 inet 10.10.10.1/24 brd 10.10.10.255 scope global enp3s0f1\ valid_lft forever preferred_lft forever
5: wlp4s0 inet 10.10.11.1/24 brd 10.10.11.255 scope global wlp4s0\ valid_lft forever preferred_lft forever

ela@akacja:~$ ip -o -4 route
default via 192.168.15.1 dev enp1s0 proto static
10.10.10.0/24 dev enp3s0f1 proto kernel scope link src 10.10.10.1
10.10.11.0/24 dev wlp4s0 proto kernel scope link src 10.10.11.1
192.168.15.0/24 dev enp1s0 proto kernel scope link src 192.168.15.145

>Are there any messages in the log?

Jan 31 14:43:23 Processing /etc/shorewall/params ...
Jan 31 14:43:23 Processing /etc/shorewall/shorewall.conf...
Jan 31 14:43:23 Loading Modules...
Jan 31 14:43:23 Compiling /etc/shorewall/zones...
Jan 31 14:43:23 Compiling /etc/shorewall/interfaces...
Jan 31 14:43:23 Interface "net enp1s0 detect tcpflags,logmartians,nosmurfs" Validated
Jan 31 14:43:23 Interface "loc enp3s0f1 detect dhcp" Validated
Jan 31 14:43:23 Interface "loc wlp4s0 detect dhcp" Validated
Jan 31 14:43:23 Determining Hosts in Zones...
Jan 31 14:43:23 fw (firewall)
Jan 31 14:43:23 net (ipv4)
Jan 31 14:43:23 enp1s0:0.0.0.0/0
Jan 31 14:43:23 loc (ipv4)
Jan 31 14:43:23 enp3s0f1:0.0.0.0/0
Jan 31 14:43:23 wlp4s0:0.0.0.0/0
Jan 31 14:43:23 Locating Action Files...
Jan 31 14:43:23 Compiling /etc/shorewall/policy...
Jan 31 14:43:23 Policy for loc to net is ACCEPT using chain loc-net
Jan 31 14:43:23 Policy for fw to net is ACCEPT using chain fw-net
Jan 31 14:43:23 Policy for net to fw is DROP using chain net-all
Jan 31 14:43:23 Policy for net to loc is DROP using chain net-all
Jan 31 14:43:23 Policy for fw to net is REJECT using chain all-all
Jan 31 14:43:23 Policy for fw to loc is REJECT using chain all-all
Jan 31 14:43:23 Policy for net to fw is REJECT using chain all-all
Jan 31 14:43:23 Policy for net to loc is REJECT using chain all-all
Jan 31 14:43:23 Policy for loc to fw is REJECT using chain all-all
Jan 31 14:43:23 Policy for loc to net is REJECT using chain all-all
Jan 31 14:43:23 Adding Anti-smurf Rules
Jan 31 14:43:23 Adding rules for DHCP
Jan 31 14:43:23 Compiling TCP Flags filtering...
Jan 31 14:43:23 Compiling Kernel Route Filtering...
Jan 31 14:43:23 Compiling Martian Logging...
Jan 31 14:43:23 Compiling /etc/shorewall/snat...
Jan 31 14:43:23 Snat record "SNAT(192.168.15.145) 10.10.10.0/24 enp1s0" Compiled
Jan 31 14:43:23 Compiling MAC Filtration -- Phase 1...
Jan 31 14:43:23 Chain enp1s0_iop deleted
Jan 31 14:43:23 Chain enp1s0_fop deleted
Jan 31 14:43:23 Chain enp3s0f1_iop deleted
Jan 31 14:43:23 Chain enp3s0f1_fop deleted
Jan 31 14:43:23 Chain enp3s0f1_oop deleted
Jan 31 14:43:23 Chain wlp4s0_iop deleted
Jan 31 14:43:23 Chain wlp4s0_fop deleted
Jan 31 14:43:23 Chain wlp4s0_oop deleted
Jan 31 14:43:23 Compiling /etc/shorewall/rules...
Jan 31 14:43:23 ..Expanding inline action /usr/share/shorewall/action.Invalid...
Jan 31 14:43:23 ..End inline action /usr/share/shorewall/action.Invalid
Jan 31 14:43:23 ..Expanding inline action /usr/share/shorewall/action.Invalid...
Jan 31 14:43:23 ..End inline action /usr/share/shorewall/action.Invalid
Jan 31 14:43:23 Rule "Invalid(DROP) net all tcp" Compiled
Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.SSH...
Jan 31 14:43:23 Rule "PARAM - - tcp 22" Compiled
Jan 31 14:43:23 ..End Macro /usr/share/shorewall/macro.SSH
Jan 31 14:43:23 Rule "SSH(ACCEPT) loc fw" Compiled
Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.Ping...
Jan 31 14:43:23 Rule "PARAM - - icmp 8" Compiled
Jan 31 14:43:23 ..End Macro /usr/share/shorewall/macro.Ping
Jan 31 14:43:23 Rule "Ping(ACCEPT) loc fw" Compiled
Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.Ping...
Jan 31 14:43:23 Rule "PARAM - - icmp 8" Compiled
Jan 31 14:43:23 ..End Macro /usr/share/shorewall/macro.Ping
Jan 31 14:43:23 Rule "Ping(DROP) net fw" Compiled
Jan 31 14:43:23 Rule "ACCEPT fw loc icmp" Compiled
Jan 31 14:43:23 Rule "ACCEPT fw net icmp" Compiled
Jan 31 14:43:24 Rule "ACCEPT net fw tcp 6535" Compiled
Jan 31 14:43:24 Rule "ACCEPT net fw udp 6534" Compiled
Jan 31 14:43:24 Rule "ACCEPT net fw tcp 1007" Compiled
Jan 31 14:43:24 Rule "ACCEPT net fw tcp 22" Compiled
Jan 31 14:43:24 Compiling /etc/shorewall/conntrack...
Jan 31 14:43:24 Conntrack rule "CT:helper:amanda:PO - - udp 10080" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:amanda:PO - - udp 10080" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:ftp:PO - - tcp 21" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:ftp:PO - - tcp 21" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:RAS:PO - - udp 1719" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:RAS:PO - - udp 1719" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:Q.931:PO - - tcp 1720" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:Q.931:PO - - tcp 1720" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:irc:PO - - tcp 6667" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:irc:PO - - tcp 6667" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:netbios-ns:PO - - udp 137" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:netbios-ns:PO - - udp 137" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:pptp:PO - - tcp 1723" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:pptp:PO - - tcp 1723" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:sane:PO - - tcp 6566" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:sane:PO - - tcp 6566" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:sip:PO - - udp 5060" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:sip:PO - - udp 5060" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:snmp:PO - - udp 161" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:snmp:PO - - udp 161" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:tftp:PO - - udp 69" Compiled
Jan 31 14:43:24 Conntrack rule "CT:helper:tftp:PO - - udp 69" Compiled
Jan 31 14:43:24 Compiling MAC Filtration -- Phase 2...
Jan 31 14:43:24 Applying Policies...
Jan 31 14:43:24 Policy ACCEPT from fw to net using chain fw-net
Jan 31 14:43:24 Compiling /usr/share/shorewall/action.Reject for chain Reject...
Jan 31 14:43:24 ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Jan 31 14:43:24 Rule "PARAM - - icmp fragmentation-needed" Compiled
Jan 31 14:43:24 Rule "PARAM - - icmp time-exceeded" Compiled
Jan 31 14:43:24 ..End Macro /usr/share/shorewall/macro.AllowICMPs
Jan 31 14:43:24 Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Jan 31 14:43:24 ..Expanding inline action /usr/share/shorewall/action.Invalid...
Jan 31 14:43:24 ..End inline action /usr/share/shorewall/action.Invalid
Jan 31 14:43:24 ..Expanding Macro /usr/share/shorewall/macro.SMB...
Jan 31 14:43:24 Rule "PARAM - - udp 135,445" Compiled
Jan 31 14:43:24 Rule " PARAM - - udp 137:139" Compiled
Jan 31 14:43:24 Rule "PARAM - - udp 1024: 137" Compiled
Jan 31 14:43:24 Rule "PARAM - - tcp 135,139,445" Compiled
Jan 31 14:43:24 ..End Macro /usr/share/shorewall/macro.SMB
Jan 31 14:43:24 ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Jan 31 14:43:24 Rule "PARAM - - udp 1900" Compiled
Jan 31 14:43:24 ..End Macro /usr/share/shorewall/macro.DropUPnP
Jan 31 14:43:24 ..Expanding inline action /usr/share/shorewall/action.NotSyn...
Jan 31 14:43:24 Rule "DROP - - ;;+ -p 6 ! --syn" Compiled
Jan 31 14:43:24 ..End inline action /usr/share/shorewall/action.NotSyn
Jan 31 14:43:24 ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Jan 31 14:43:24 Rule "PARAM - - udp - 53" Compiled
Jan 31 14:43:24 ..End Macro /usr/share/shorewall/macro.DropDNSrep
Jan 31 14:43:24 Policy REJECT from fw to loc using chain fw-loc
Jan 31 14:43:24 Compiling /usr/share/shorewall/action.Drop for chain Drop...
Jan 31 14:43:24 ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Jan 31 14:43:24 Rule "PARAM - - icmp fragmentation-needed" Compiled
Jan 31 14:43:24 Rule "PARAM - - icmp time-exceeded" Compiled
Jan 31 14:43:24 ..End Macro /usr/share/shorewall/macro.AllowICMPs
Jan 31 14:43:24 ..Expanding inline action /usr/share/shorewall/action.Invalid...
Jan 31 14:43:24 ..End inline action /usr/share/shorewall/action.Invalid
Jan 31 14:43:24 ..Expanding Macro /usr/share/shorewall/macro.SMB...
Jan 31 14:43:24 Rule "PARAM - - udp 135,445" Compiled
Jan 31 14:43:24 Rule " PARAM - - udp 137:139" Compiled
Jan 31 14:43:24 Rule "PARAM - - udp 1024: 137" Compiled
Jan 31 14:43:24 Rule "PARAM - - tcp 135,139,445" Compiled
Jan 31 14:43:24 ..End Macro /usr/share/shorewall/macro.SMB
Jan 31 14:43:24 ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Jan 31 14:43:24 Rule "PARAM - - udp 1900" Compiled
Jan 31 14:43:24 ..End Macro /usr/share/shorewall/macro.DropUPnP
Jan 31 14:43:24 ..Expanding inline action /usr/share/shorewall/action.NotSyn...
Jan 31 14:43:24 Rule "DROP - - ;;+ -p 6 ! --syn" Compiled
Jan 31 14:43:24 ..End inline action /usr/share/shorewall/action.NotSyn
Jan 31 14:43:24 ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Jan 31 14:43:24 Rule "PARAM - - udp - 53" Compiled
Jan 31 14:43:24 ..End Macro /usr/share/shorewall/macro.DropDNSrep
Jan 31 14:43:24 Policy DROP from net to fw using chain net-fw
Jan 31 14:43:24 Policy DROP from net to loc using chain net-loc
Jan 31 14:43:24 Policy REJECT from loc to fw using chain loc-fw
Jan 31 14:43:24 Policy ACCEPT from loc to net using chain loc-net
Jan 31 14:43:24 Generating Rule Matrix...
Jan 31 14:43:24 Handling complex zones...
Jan 31 14:43:24 Entering main matrix-generation loop...
Jan 31 14:43:24 Chain enp1s0_in deleted
Jan 31 14:43:24 Chain enp1s0_fwd deleted
Jan 31 14:43:24 Finishing matrix...
Jan 31 14:43:24 Creating iptables-restore input...
Jan 31 14:43:24 Shorewall configuration compiled to /var/lib/shorewall/.start
Jan 31 14:43:24 Starting Shorewall....
Jan 31 14:43:24 Initializing...
Jan 31 14:43:24 Setting up Route Filtering...
Jan 31 14:43:24 Setting up Martian Logging...
Jan 31 14:43:24 Disabling Kernel Automatic Helper Association
Jan 31 14:43:24 Preparing iptables-restore input...
Jan 31 14:43:24 Running /sbin/iptables-restore ...
Jan 31 14:43:24 IPv4 Forwarding Enabled
Jan 31 14:43:24 done.

Regards,
B

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
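Added example, not written by either poster and not part of Shorewall: a small Python reader for a compile trace like the one quoted in this thread, which reports the first-listed policy for each zone pair and the rules-file entries touching a given pair in compile order. The log lines are copied from the thread; taking the first policy seen for a pair as the effective one, and treating "all" as matching the firewall zone, are assumptions about Shorewall semantics.

```python
import re

# Lines copied from the compile log quoted in the thread above.
SAMPLE_LOG = """\
Jan 31 14:43:23 Policy for loc to net is ACCEPT using chain loc-net
Jan 31 14:43:23 Policy for fw to net is ACCEPT using chain fw-net
Jan 31 14:43:23 Policy for net to fw is DROP using chain net-all
Jan 31 14:43:23 Policy for net to loc is DROP using chain net-all
Jan 31 14:43:23 Policy for fw to loc is REJECT using chain all-all
Jan 31 14:43:23 Policy for net to fw is REJECT using chain all-all
Jan 31 14:43:23 Policy for loc to fw is REJECT using chain all-all
Jan 31 14:43:23 Rule "Invalid(DROP) net all tcp" Compiled
Jan 31 14:43:23 Rule "PARAM - - tcp 22" Compiled
Jan 31 14:43:23 Rule "SSH(ACCEPT) loc fw" Compiled
Jan 31 14:43:23 Rule "Ping(DROP) net fw" Compiled
Jan 31 14:43:24 Rule "ACCEPT net fw tcp 6535" Compiled
Jan 31 14:43:24 Rule "ACCEPT net fw tcp 22" Compiled
"""

POLICY_RE = re.compile(r"Policy for (\S+) to (\S+) is (\S+) using chain (\S+)")
RULE_RE = re.compile(r'Rule "\s*([^"]+?)\s*" Compiled')


def effective_policies(log):
    """Map (src, dst) to the first policy listed for it (assumed effective)."""
    result = {}
    for src, dst, action, _chain in POLICY_RE.findall(log):
        result.setdefault((src, dst), action)  # later entries are shadowed
    return result


def rules_in_order(log, src, dst):
    """Rules-file entries matching src->dst, numbered by compile order.

    PARAM lines are macro bodies, not entries from the rules file, so they
    are counted but not returned. "all" is assumed to include the fw zone.
    """
    out = []
    for n, text in enumerate(RULE_RE.findall(log), 1):
        fields = text.split()
        if fields[0] == "PARAM" or len(fields) < 3:
            continue
        if fields[1] in (src, "all") and fields[2] in (dst, "all"):
            out.append((n, text))
    return out


if __name__ == "__main__":
    print("net->fw policy:", effective_policies(SAMPLE_LOG)[("net", "fw")])
    for n, text in rules_in_order(SAMPLE_LOG, "net", "fw"):
        print(n, text)
```

Feeding it the full trace instead of the excerpt lists every net-to-fw entry in the order Shorewall compiled them, which is the ordering the reply above is concerned with.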