Old 09-04-2006, 11:22 PM   #1
Shorewall:FORWARD:REJECT Problem

I keep receiving a SHOREWALL:FORWARD:REJECT error log in my /var/log/messages:

Sep 5 11:16:59 proxy308 kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC= DST= LEN=84 TOS=0x00 PREC=0x00 TTL=236 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=58196 SEQ=498

I have no problem pinging google (IP Add: from a GW box but I CAN'T PING from my LAN(

cat /etc/shorewall/zones
fw firewall
net ipv4
loc ipv4

cat /etc/shorewall/interfaces
net eth0 detect tcpflags,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,detectnets,nosmurfs

I tried "net eth0 detect routeback" but no luck, and there are no logs after changing to routeback.

cat /etc/shorewall/policy
all all REJECT info

I know this is because of this line "all all REJECT info"

iptables -t filter -L
Chain FORWARD (policy DROP)
target prot opt source destination
eth0_fwd all -- anywhere anywhere
eth1_fwd all -- anywhere anywhere
eth2_fwd all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere

iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 776 packets, 49169 bytes)
pkts bytes target prot opt in out source destination
97 9360 net_dnat all -- eth0 any anywhere anywhere
1538 82433 loc_dnat all -- eth1 any anywhere

Chain POSTROUTING (policy ACCEPT 3751 packets, 237K bytes)
pkts bytes target prot opt in out source destination
3549 230K eth0_masq all -- any eth0 anywhere anywhere
522 26659 eth1_masq all -- any eth1 anywhere anywhere
6 445 eth2_masq all -- any eth2 anywhere anywhere

Kindly HELP!
Old 09-05-2006, 09:59 PM   #2
In /etc/shorewall/policy, try adding "loc net ACCEPT".
Reload/apply the Shorewall configuration and test a ping to Google from your LAN...
Old 09-06-2006, 06:05 AM   #3
Original Poster
Thanks for your comment.

Putting "loc net ACCEPT" in /etc/shorewall/policy means you are opening all ports to the outside for the LAN. I don't think this is a good solution; I have to block certain outgoing traffic for my LAN users.

I just commented out these 2 lines as below and it works.
#1:P icmp echo-request
#1:P icmp echo-reply

But I don't understand why?
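The log line in post #1 already carries the explanation: IN=eth0 OUT=eth0 means the packet arrived on the net interface and the kernel wanted to forward it back out the same interface, and PROTO=ICMP TYPE=0 is an echo reply. With only "all all REJECT info" in the policy file, a net-to-net forward like that is rejected and logged unless the interface has the routeback option or a policy allows it. As an added example (not code from the thread or from the Shorewall project), the following Python script parses Shorewall's "Shorewall:<chain>:<disposition>:" kernel log prefix, aggregates rejected flows, and flags same-interface forwards so a defender can spot this class of reject in /var/log/messages at a glance. The sample lines are constructed with RFC 5737 documentation addresses because the thread's own addresses were stripped from the page; the net2fw line is a constructed example of another Shorewall chain name.

```python
import re
from collections import Counter

# Constructed sample lines in the format the thread shows.  Addresses are
# documentation ranges standing in for the stripped originals.  The last
# line is an unrelated syslog entry, included to show it is ignored.
SAMPLE_LOG = """\
Sep 5 11:16:59 proxy308 kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=198.51.100.10 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=236 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=58196 SEQ=498
Sep 5 11:17:01 proxy308 kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=198.51.100.10 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=236 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=58196 SEQ=499
Sep 5 11:17:05 proxy308 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 5 11:17:09 proxy308 sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 50000 ssh2
"""

# Shorewall's kernel log prefix is "Shorewall:<chain>:<disposition>:" followed
# directly by the netfilter key=value fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# ICMP type numbers as they appear in the TYPE= field.
ICMP_TYPES = {"0": "echo-reply", "3": "dest-unreachable", "8": "echo-request", "11": "time-exceeded"}


def parse_shorewall_line(line):
    """Return {"chain", "disposition", "fields"} for a Shorewall log line, else None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    # Bare flags such as DF or SYN carry no '=' and are skipped.  ID= appears
    # twice on ICMP lines (IP header id, then ICMP id); the dict keeps the later one.
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {"chain": m.group("chain"), "disposition": m.group("disposition"), "fields": fields}


def is_hairpin(entry):
    """True when the packet entered and would leave on the same interface.

    Shorewall forwards such traffic only when the interface has the routeback
    option or a policy/rule allows the zone-to-itself flow; otherwise the
    FORWARD policy (here "all all REJECT info") applies.
    """
    f = entry["fields"]
    return bool(f.get("IN")) and f.get("IN") == f.get("OUT")


def flow_key(entry):
    """Tuple used to aggregate log lines into one flow class."""
    f = entry["fields"]
    proto = f.get("PROTO", "?")
    if proto == "ICMP":
        detail = ICMP_TYPES.get(f.get("TYPE"), "type " + f.get("TYPE", "?"))
    else:
        detail = "dpt " + f.get("DPT", "?")
    return (entry["chain"], entry["disposition"], f.get("IN", ""), f.get("OUT", ""), proto + " " + detail)


def describe(entry):
    """One-line human-readable summary of a parsed entry."""
    f = entry["fields"]
    chain, disposition, in_if, out_if, flow = flow_key(entry)
    text = f"{chain} {disposition}: {f.get('SRC', '?')} -> {f.get('DST', '?')} {flow} in={in_if or '-'} out={out_if or '-'}"
    if is_hairpin(entry):
        text += " [same interface in and out: needs routeback or a policy for that zone-to-zone flow]"
    return text


def summarize(log_text):
    """Count Shorewall log lines per flow class; non-Shorewall lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_shorewall_line(line)
        if entry is not None:
            counts[flow_key(entry)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        entry = parse_shorewall_line(line)
        if entry is not None:
            print(describe(entry))
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file contents; the summary groups repeated rejects of the same flow (the two echo-reply lines above collapse into one count of 2), which makes the single misconfigured flow stand out from background noise.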
Old 12-02-2006, 07:06 PM   #4
Location: Bahia de Banderas, Nayarit-Mexico
Distribution: CentOS 3.4
OK, look at the following configuration:
zones file:
fw firewall
net ipv4
loc ipv4
interfaces file:
net eth0 -
loc eth1 routeback
masq file:
eth0 eth1
policy file:
net all DROP INFO
all all REJECT

In the rules file you open the ports according to your needs, and that is everything...!
Old 05-04-2007, 12:29 PM   #5
Location: india
Distribution: RedHat and Madrake
I have a Shorewall server... eth0 for internal and eth1 for external. Now, because of some considerations, I had to divide my LAN into two separate networks (suppose and But the servers are available on only one network (suppose in When I try to access from network from any host of I am unable to reach the server network. I tried adding some of them in rules in iptables. Wonderingly, if I stop the iptables service I am able to go to the other network. Any suggestions?
Old 05-17-2007, 08:39 AM   #6
Location: Central Florida
Distribution: Fedora
Your netmask is probably still

You will need to change the third 255 to 0 (or another value depending on your actual needs -- 0 opens up 255 subnets... -- big hole there) on both networks to have them access the server.

This could also be defeating the purpose for splitting the networks because it allows both networks access to each other.
