Static Routing results in Shorewall:FORWARD:REJECT

chris.zeman · 07-20-2006, 06:43 PM

I have been attempting to make this work for the past two days.

I am running SuSE 10.1 with Shorewall and 3 NIC's.
eth0: 10.1.10.250 255.255.0.0 (Connects to Router)
eth1: 10.120.2.250 255.255.0.0 (Reserved for a future project)
eth2: 172.16.1.6 255.255.0.0 (Connected to LAN)

This machine is our LAN's internet gateway, among other things. Another server on our network is connected to the company's LAN, and is our department LAN's gateway to the company network. My route has been configured, as shown below.

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.115.0.0      172.16.xxx.xxx  255.255.0.0     UG    0      0        0 eth2

Unfortunately, none of the computers on our LAN are able to access the 10.115.0.0 network. This is what shows up in the firewall log:

Code:

Jul 20 01:21:56 automation kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=172.16.x.x DST=10.xxx.x.xx LEN=106 TOS=0x00 PREC=0x00 TTL=127 ID=41313 PROTO=UDP SPT=1066 DPT=161 LEN=86

The routing work if I execute "shorewall clear", so I know I'm at the final hurdle. I've found information on how to Proxy ARP, but a lot of it isn't exactly clear to me or doesn't pertain to my situation. I could be wrong, though. I just need some help.

Thank you,
Chris

Matir · 07-20-2006, 06:57 PM

Can you post your firewall rules? It's there that it's being stopped.

chris.zeman · 07-20-2006, 07:39 PM

Sorry, I meant to include them and forgot.

Cyber is my local network.

Policy

Code:

Cyber   all     ACCEPT
vpn1    all     ACCEPT
vpn2    all     ACCEPT
vpn3    all     ACCEPT
vpn4    all     ACCEPT
vpn5    all     ACCEPT
Net     all     DROP    info
fw      all     ACCEPT
all     all     DROP    info

I know the last policy is causing the problem, because everything works if I change it to ACCEPT. I can't leave it like that because then all the attacks start coming in. I can't, for the life of me, figure out what policy I should write to make it work. I've tried every combination I can think of, including Cyber<->Cyber.

Rules

Code:

SECTION NEW

SSH/ACCEPT:info         all     $FW
SMTP/ACCEPT:info        Net     $FW
Web/ACCEPT:info         all     $FW
IMAP/ACCEPT:info        all     $FW
ACCEPT:info             Net     $FW                     tcp     xxxx,xxxx,xxxx,xxxx
DNAT:info               Net     Cyber:172.16.x.x:xxxx   tcp     xxxx
DNAT:info               Net     Cyber:172.16.x.x:xxxx   tcp     xxxx
ACCEPT:info             Net     $FW                     tcp     xxxx
ACCEPT:info             Net     $FW                     tcp     xxxxx

neal860 · 09-19-2007, 02:53 PM

you need to add the following to the /etc/shorewall/interfaces file

#ZONE INTERFACE BROADCAST OPTIONS
loc eth0 detect routeback

where eth0 is the interface with your static route.

Hope this helps