[Shorewall-newbies] Routed Subnet - ICMP problem

Tom Eastep teastep at shorewall.net
Fri Mar 5 08:12:04 PST 2004


On Friday 05 March 2004 07:43 am, Garrett Johnson wrote:
> Here are the files regarding the Subnetting problem I am having:
>
> Eth0=Gigabit Ethernet Subnet
> Eth1=100VG Anylan Subnet
> Eth2=internet connection to Router
>
> shorewall version
> 1.4.9
>
> ip addr:
>
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:07:e9:1a:7a:03 brd ff:ff:ff:ff:ff:ff
>     inet 10.1.10.55/24 brd 10.1.10.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 08:00:09:fc:e4:d3 brd ff:ff:ff:ff:ff:ff
>     inet 10.1.1.1/8 brd 10.255.255.255 scope global eth1
> 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:d0:b7:1a:f8:6a brd ff:ff:ff:ff:ff:ff
>     inet 192.168.7.55/24 brd 192.168.7.255 scope global eth2
>
> ip route:
> A 192.168.7.0/24 dev eth2  scope link
> B 10.1.8.0/24 via 10.1.1.139 dev eth1
> C 10.1.10.0/24 dev eth0  scope link
> D 10.1.5.0/24 via 10.1.1.145 dev eth1
> E 10.1.3.0/24 via 10.1.1.145 dev eth1
> F 169.254.0.0/16 dev eth2  scope link
> G 10.0.0.0/8 dev eth1  proto kernel  scope link  src 10.1.1.1
> H 127.0.0.0/8 dev lo  scope link
> I default via 192.168.7.1 dev eth2
>
>
> The issue: E cannot ping through to web directly (primary prob can't Email)
> E can ping eth1 10.1.1.1
> Firewall/Proxy can ping to 10.1.3.X
> B can ping through to web
>
> The firewall is basically setup to let all internal traffic go out but stop
> most traffic from coming in.  When shorewall starts there are several
> complaints about rules that should be policies or vice versa.
>
> E gets to eth1 via the following path:
>                                                     Packet Dropped????
> 10.1.3.1->10.1.5.8->10.1.5.145-->10.1.1.145-->10.1.1.1-X->192.168.7.55-->Web
>       Ip Forward   Arcnet       Ip Forward    100VG       Ip Forward
>
> The logs don't show attempts to ping from E to the Web.
>

Please forward:

a) your /etc/shorewall/masq file contents.
b) the output of "shorewall show nat" as an attachment.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
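The two things Tom asks for (the routing table and the NAT rules) decide what happens to a packet from 10.1.3.x bound for the Internet: which interface it leaves on, and whether a masquerade rule on that interface covers its source address. The following is an added example, not code from the thread or from Shorewall; it parses the `ip route` output quoted above, does the kernel's longest-prefix match, and checks a masq entry against the chosen exit interface. The masq entries are a hypothetical simplification of the /etc/shorewall/masq format, reduced to (interface, source network) pairs.

```python
import ipaddress

# Routing table as posted in the thread (`ip route` output), embedded as constructed input.
ROUTES = """\
192.168.7.0/24 dev eth2  scope link
10.1.8.0/24 via 10.1.1.139 dev eth1
10.1.10.0/24 dev eth0  scope link
10.1.5.0/24 via 10.1.1.145 dev eth1
10.1.3.0/24 via 10.1.1.145 dev eth1
169.254.0.0/16 dev eth2  scope link
10.0.0.0/8 dev eth1  proto kernel  scope link  src 10.1.1.1
127.0.0.0/8 dev lo  scope link
default via 192.168.7.1 dev eth2
"""

def parse_routes(text):
    """Turn `ip route` lines into (network, next-hop or None, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dst, strict=False), via, dev))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen, default=None)

def masq_covers(masq_entries, out_dev, src):
    """Hypothetical masq model: (interface, source network) pairs.
    Returns the first entry that would masquerade src leaving out_dev, else None."""
    s = ipaddress.ip_address(src)
    for iface, net in masq_entries:
        if iface == out_dev and s in ipaddress.ip_network(net):
            return (iface, net)
    return None

def check_egress(routes, masq_entries, src, dst):
    """Exit interface, next hop and masq coverage for one src->dst flow."""
    net, via, dev = lookup(routes, dst)
    return {"dev": dev, "via": via, "masq": masq_covers(masq_entries, dev, src)}
```

A masq entry that names only the eth1 subnet 10.1.1.0/24 leaves 10.1.3.x traffic un-NATed on eth2, whereas one covering 10.0.0.0/8 (or the whole eth1 interface) includes it.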