[Shorewall-newbies] Routed Subnet - ICMP problem

Garrett Johnson garrettj at annalee.com
Fri Mar 5 07:43:25 PST 2004


Here are the files regarding the Subnetting problem I am having:

Eth0=Gigabit Ethernet Subnet
Eth1=100VG Anylan Subnet
Eth2=internet connection to Router

shorewall version
1.4.9

ip addr:

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:07:e9:1a:7a:03 brd ff:ff:ff:ff:ff:ff
    inet 10.1.10.55/24 brd 10.1.10.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 08:00:09:fc:e4:d3 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/8 brd 10.255.255.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:d0:b7:1a:f8:6a brd ff:ff:ff:ff:ff:ff
    inet 192.168.7.55/24 brd 192.168.7.255 scope global eth2

ip route:
A 192.168.7.0/24 dev eth2  scope link 
B 10.1.8.0/24 via 10.1.1.139 dev eth1 
C 10.1.10.0/24 dev eth0  scope link 
D 10.1.5.0/24 via 10.1.1.145 dev eth1 
E 10.1.3.0/24 via 10.1.1.145 dev eth1 
F 169.254.0.0/16 dev eth2  scope link 
G 10.0.0.0/8 dev eth1  proto kernel  scope link  src 10.1.1.1 
H 127.0.0.0/8 dev lo  scope link 
I default via 192.168.7.1 dev eth2 


The issue: E cannot ping through to the web directly (primary problem: can't email)
E can ping eth1 10.1.1.1
Firewall/Proxy can ping to 10.1.3.X
B can ping through to the web

The firewall is basically set up to let all internal traffic go out but stop
most traffic from coming in.  When shorewall starts there are several
complaints about rules that should be policies or vice versa.

E gets to eth1 via the following path:
                                                    Packet Dropped????
10.1.3.1->10.1.5.8->10.1.5.145-->10.1.1.145-->10.1.1.1-X->192.168.7.55-->Web
     Ip Forward   Arcnet       Ip Forward    100VG       Ip Forward 

The logs don't show attempts to ping from E to the Web.  

I've included the shorewall interfaces, rules, and policy files as well.

interfaces: 
I have no DMZ set up in this configuration.  

#ZONE    INTERFACE      BROADCAST       OPTIONS
loc     eth0    detect  routeback
loc     eth1    detect  routeback
net     eth2    detect

rules:
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL   RATE     USER
#                                               PORT    PORT(S)    DEST       LIMIT
ACCEPT  $FW     net     udp     53      53
ACCEPT  $FW     net     tcp     53      53
ACCEPT:info     net     $FW     tcp     22      -
ACCEPT  all     net     all     -       -
ACCEPT  loc     $FW     all     -       -
ACCEPT  loc     loc     tcp     -       -
ACCEPT  $FW     loc     all     -       -
ACCEPT:info     loc     all     icmp    -       -

Policy:
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
loc     loc     ACCEPT  -
loc     net     ACCEPT  info
#
# THE FOLLOWING POLICY MUST BE LAST
#
net             all             DROP            info
all             all             REJECT          info


Thanks Garrett
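To check the routing side of this report mechanically, here is an added example (not part of the post or of Shorewall) that replays the kernel's longest-prefix match over the "ip route" table above and maps each interface to its zone from the interfaces file; it resolves both the forward and the return path so an asymmetric or missing return route would show up. The web host 198.51.100.10 is a constructed address, and the masq file is not on the page, so NAT is not modelled.

```python
import ipaddress

# Routing table transcribed from the post's "ip route" output; the letters are
# the post's own labels. next_hop None means the destination is directly on-link.
ROUTES = [
    ("A", "192.168.7.0/24", None,          "eth2"),
    ("B", "10.1.8.0/24",    "10.1.1.139",  "eth1"),
    ("C", "10.1.10.0/24",   None,          "eth0"),
    ("D", "10.1.5.0/24",    "10.1.1.145",  "eth1"),
    ("E", "10.1.3.0/24",    "10.1.1.145",  "eth1"),
    ("F", "169.254.0.0/16", None,          "eth2"),
    ("G", "10.0.0.0/8",     None,          "eth1"),
    ("H", "127.0.0.0/8",    None,          "lo"),
    ("I", "0.0.0.0/0",      "192.168.7.1", "eth2"),
]

# Interface-to-zone mapping taken from the post's interfaces file.
ZONES = {"eth0": "loc", "eth1": "loc", "eth2": "net"}


def lookup(dst):
    """Longest-prefix match as the kernel does it: returns (label, next_hop, dev)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for label, prefix, next_hop, dev in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (label, net, next_hop, dev)
    label, net, next_hop, dev = best
    return label, next_hop, dev


def zone_pair(src, dst):
    """Zones Shorewall would see for a forwarded packet from src to dst.
    The inbound zone comes from the interface the return route to src uses,
    i.e. the interface the packet is expected to arrive on."""
    _, _, in_dev = lookup(src)
    _, _, out_dev = lookup(dst)
    return ZONES.get(in_dev, "fw"), ZONES.get(out_dev, "fw")


def trace(src, dst):
    """Resolve both directions so a missing or asymmetric return route stands out."""
    return {"forward": lookup(dst), "return": lookup(src), "zones": zone_pair(src, dst)}


if __name__ == "__main__":
    for s, d in [("10.1.3.1", "198.51.100.10"), ("10.1.8.20", "198.51.100.10")]:
        print(s, "->", d, trace(s, d))
```

For 10.1.3.1 the /24 route E beats the /8 route G in both directions, so the firewall returns ICMP replies via 10.1.1.145 on eth1 and classifies the flow as loc to net, the same pair the working subnet B gets.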
