[Shorewall-users] web on firewall not accessible from internet why ?

Arnar Þórarinsson art at strik.is
Fri May 16 00:25:41 PDT 2003


> "Do you see any "Shorewall" messages ("/sbin/shorewall show log") when you
> exercise the function that is giving you problems? If so, include the
> message(s) in your post along with a copy of your /etc/shorewall/interfaces
> file."
>
> I don't see a copy of your /etc/shorewall/interfaces file so I have no way
> to interpret the above message.

OK, here's my interface file:
net     eth0            detect   dhcp,routefilter,norfc1918,dropunclean
loc     eth1            detect

and if you need my kernel version: Linux web 2.4.18-14 #1 Wed Sep 4
13:35:50 EDT 2002 i686 i686 i386 GNU/Linux

> There is nothing obvious that I see -- If eth0 is your internet interface,
> I'd like to hear more about your network setup (especially IP addresses of
> your local systems and internal firewall interface). Also, what IP address
> were you trying to FTP from?

Actually I tried to connect from a computer on the LAN using my internet
IP, which probably wasn't a good idea ;( but if I try to connect from an
external address I get a connect failure and nothing is reported in
/var/log/messages or shorewall show log.

I'm wondering if my router is responsible, could it be that it isn't
forwarding these connections to the firewall? (my router is an Ericsson
HM220dp)

Anyway, my network setup is as follows:

        192.168.254.254
                |
[ISP] <--> [router] <--> [ firewall ] <--> [ LAN ]
                     eth0             eth1
                 192.168.254.10     192.168.0.1

[root at web shorewall]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:04:2b:3c:52 brd ff:ff:ff:ff:ff:ff
    inet 192.168.254.10/24 brd 192.168.254.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:24:7e:f4:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1

[root at web shorewall]# ip route show
192.168.0.0/24 dev eth1  scope link
192.168.254.0/24 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 192.168.254.254 dev eth0




-----Original Message-----
From: Tom Eastep [mailto:teastep at shorewall.net] 
Sent: 15 May 2003 19:03
To: Arnar Þórarinsson; shorewall-users at lists.shorewall.net
Subject: Re: [Shorewall-users] web on firewall not accessible from internet why ?

On Thu, 15 May 2003 18:49:27 -0000, Arnar Þórarinsson <art at strik.is>
wrote:


> I get no drop messages from shorewall for port 80 but when I try to
> connect with ftp I get the following message:
> May 15 17:41:42 web kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT=
> MAC=00:50:04:2b:3c:52:00:80:37:c3:4b:f0:08:00 SRC=192.168.254.254
> DST=192.168.254.10 LEN=56 TOS=0x00 PREC=0x00 TTL=30 ID=4724 PROTO=ICMP
> TYPE=3 CODE=3 [SRC=192.168.254.10 DST=213.213.136.38 LEN=48 TOS=0x10
> PREC=0x00 TTL=127 ID=7375 DF PROTO=TCP INCOMPLETE [8 bytes] ]

From http://www.shorewall.net/support.htm:


> My Rules :

> # Allow ftp request from local net to internet
> ACCEPT  loc             net             tcp     20,21

Port 20 is unnecessary.

> # Allow ftp requests from internet to firewall
> ACCEPT  net             fw              tcp     20,21

Ditto.

> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> My Policy:
> loc             net             REJECT          info
> #loc            net             ACCEPT
> fw              net             ACCEPT
> loc             fw              ACCEPT
> net             all             DROP            info
> net             fw              ACCEPT          info
> all             all             DROP            info
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

There is nothing obvious that I see -- If eth0 is your internet interface,
I'd like to hear more about your network setup (especially IP addresses of
your local systems and internal firewall interface). Also, what IP address
were you trying to FTP from?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep at shorewall.net
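An added example, not code from either poster: a small Python parser for the Shorewall/netfilter log format, fed the ICMP entry quoted in this thread (re-joined onto one line) plus a constructed TCP drop entry. It decodes the nested original-packet header that netfilter quotes inside `[ ... ]` for ICMP errors, so the entry above reads as a port-unreachable report from the router about the firewall's own outbound TCP packet, which is what makes such ACCEPT lines worth reading when debugging a connection that "silently" fails.

```python
import re

# The ICMP log entry quoted in the thread, re-joined onto one line.
THREAD_LINE = (
    "May 15 17:41:42 web kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= "
    "MAC=00:50:04:2b:3c:52:00:80:37:c3:4b:f0:08:00 SRC=192.168.254.254 "
    "DST=192.168.254.10 LEN=56 TOS=0x00 PREC=0x00 TTL=30 ID=4724 PROTO=ICMP "
    "TYPE=3 CODE=3 [SRC=192.168.254.10 DST=213.213.136.38 LEN=48 TOS=0x10 "
    "PREC=0x00 TTL=127 ID=7375 DF PROTO=TCP INCOMPLETE [8 bytes] ]")

# Constructed (not from the thread): a plain TCP SYN drop, to show the parser on a non-ICMP entry.
CONSTRUCTED_LINE = (
    "May 16 08:00:00 web kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:50:04:2b:3c:52:00:80:37:c3:4b:f0:08:00 SRC=192.0.2.7 DST=192.168.254.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=80 "
    "WINDOW=5840 RES=0x00 SYN URGP=0")

# ICMP type 3 (destination unreachable) codes most often seen in these logs
UNREACHABLE = {0: "net unreachable", 1: "host unreachable",
               3: "port unreachable", 13: "administratively prohibited"}
KV = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE fields; bare flags such as DF or SYN have no '='


def parse_log_line(line):
    """Return chain, disposition, the outer KEY=VALUE fields and, for ICMP
    errors, the original packet header netfilter quotes inside [ ... ]."""
    m = re.search(r"Shorewall:(\w+):(\w+):(.*)$", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    chain, disposition, rest = m.groups()
    inner = {}
    quoted = re.search(r"\[(SRC=.*)\]\s*$", rest)  # greedy, so it spans the nested "[8 bytes]"
    if quoted:
        inner = dict(KV.findall(quoted.group(1)))
        rest = rest[:quoted.start()]
    return {"chain": chain, "disposition": disposition,
            "outer": dict(KV.findall(rest)), "inner": inner}


def explain(entry):
    """One-line reading of an entry; for ICMP errors, name the flow being reported on."""
    o, i = entry["outer"], entry["inner"]
    head = "%s (%s) on %s: " % (entry["disposition"], entry["chain"], o.get("IN") or "?")
    if o.get("PROTO") == "ICMP" and o.get("TYPE") == "3" and i:
        reason = UNREACHABLE.get(int(o["CODE"]), "code " + o["CODE"])
        # ports of the original packet appear only when the quoted header is complete
        return head + "ICMP %s from %s about %s packet %s -> %s" % (
            reason, o["SRC"], i.get("PROTO", "?"), i.get("SRC"), i.get("DST"))
    ports = " ports %s -> %s" % (o.get("SPT", "?"), o["DPT"]) if "DPT" in o else ""
    return head + "%s %s -> %s%s" % (o.get("PROTO"), o["SRC"], o["DST"], ports)
```

Running `explain(parse_log_line(line))` over `/var/log/messages` turns each Shorewall entry into a single readable sentence; the thread's entry becomes a port-unreachable report about 192.168.254.10 -> 213.213.136.38.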


