Old 07-20-2006, 05:43 PM   #1
LQ Newbie
Registered: Jul 2006
Posts: 4

Static Routing results in Shorewall:FORWARD:REJECT

I have been attempting to make this work for the past two days.

I am running SuSE 10.1 with Shorewall and 3 NICs.
eth0: (Connects to Router)
eth1: (Reserved for a future project)
eth2: (Connected to LAN)

This machine is our LAN's internet gateway, among other things. Another server on our network is connected to the company's LAN, and is our department LAN's gateway to the company network. My route has been configured, as shown below.
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface     UG    0      0        0 eth2
Unfortunately, none of the computers on our LAN are able to access the network. This is what shows up in the firewall log:
Jul 20 01:21:56 automation kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=172.16.x.x LEN=106 TOS=0x00 PREC=0x00 TTL=127 ID=41313 PROTO=UDP SPT=1066 DPT=161 LEN=86
The routing works if I execute "shorewall clear", so I know I'm at the final hurdle. I've found information on how to Proxy ARP, but a lot of it isn't exactly clear to me or doesn't pertain to my situation. I could be wrong, though. I just need some help.

Thank you,

Last edited by chris.zeman; 07-21-2006 at 10:05 PM.
Old 07-20-2006, 05:57 PM   #2
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Can you post your firewall rules? It's there that it's being stopped.
Old 07-20-2006, 06:39 PM   #3
LQ Newbie
Registered: Jul 2006
Posts: 4

Original Poster
Sorry, I meant to include them and forgot.

Cyber is my local network.

Cyber   all     ACCEPT
vpn1    all     ACCEPT
vpn2    all     ACCEPT
vpn3    all     ACCEPT
vpn4    all     ACCEPT
vpn5    all     ACCEPT
Net     all     DROP    info
fw      all     ACCEPT
all     all     DROP    info
I know the last policy is causing the problem, because everything works if I change it to ACCEPT. I can't leave it like that because then all the attacks start coming in. I can't, for the life of me, figure out what policy I should write to make it work. I've tried every combination I can think of, including Cyber<->Cyber.


SSH/ACCEPT:info         all     $FW
SMTP/ACCEPT:info        Net     $FW
Web/ACCEPT:info         all     $FW
IMAP/ACCEPT:info        all     $FW
ACCEPT:info             Net     $FW                     tcp     xxxx,xxxx,xxxx,xxxx
DNAT:info               Net     Cyber:172.16.x.x:xxxx   tcp     xxxx
DNAT:info               Net     Cyber:172.16.x.x:xxxx   tcp     xxxx
ACCEPT:info             Net     $FW                     tcp     xxxx
ACCEPT:info             Net     $FW                     tcp     xxxxx

Last edited by chris.zeman; 07-21-2006 at 10:04 PM.
Old 09-19-2007, 01:53 PM   #4
LQ Newbie
Registered: Sep 2007
Posts: 1

Shorewall Interfaces

You need to add the following to the /etc/shorewall/interfaces file:

loc eth0 detect routeback

where eth0 is the interface with your static route.

Hope this helps
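
An added example, not part of any post in this thread: a small Python parser for Shorewall log entries like the one quoted in post #1. It counts blocked FORWARD packets that enter and leave on the same interface, which is the traffic pattern the routeback option is meant for. The sample log lines, addresses and the Net2all chain name are constructed.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the entry quoted in post #1.
# Addresses, ports and the Net2all chain name are made up for illustration.
SAMPLE_LOG = """\
Jul 20 01:21:56 automation kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=172.16.0.10 DST=10.0.0.5 LEN=106 TOS=0x00 PREC=0x00 TTL=127 ID=41313 PROTO=UDP SPT=1066 DPT=161 LEN=86
Jul 20 01:22:03 automation kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=172.16.0.11 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=41320 PROTO=TCP SPT=1070 DPT=80 WINDOW=65535 SYN
Jul 20 01:22:10 automation kernel: Shorewall:Net2all:DROP:IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=5121 PROTO=TCP SPT=4312 DPT=445
Jul 20 01:22:15 automation sshd[2211]: Accepted publickey for admin from 172.16.0.10
"""

ENTRY = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)")
FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return chain, disposition and packet fields, or None for other lines."""
    m = ENTRY.search(line)
    if not m:
        return None
    entry = {"chain": m["chain"], "disposition": m["disp"]}
    for key, value in FIELD.findall(m["rest"]):
        entry.setdefault(key, value)  # LEN appears twice; keep the IP length
    return entry


def hairpin_blocks(log_text):
    """Count blocked FORWARD packets whose IN and OUT interface are the same."""
    hits = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if (e and e["chain"] == "FORWARD"
                and e["disposition"] in ("REJECT", "DROP")
                and e.get("IN") and e.get("IN") == e.get("OUT")):
            hits[e["IN"]] += 1
    return hits


if __name__ == "__main__":
    for iface, count in hairpin_blocks(SAMPLE_LOG).items():
        print(f"{iface}: {count} blocked packets routed back out the same "
              f"interface; check its options in /etc/shorewall/interfaces")
```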

