LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
09-04-2006, 11:22 PM   #1
filex (Member, registered Sep 2004, 56 posts)
Shorewall:FORWARD:REJECT Problem


I keep receiving a Shorewall:FORWARD:REJECT log entry in my /var/log/messages:

Sep 5 11:16:59 proxy308 kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=64.233.167.99 DST=192.168.10.52 LEN=84 TOS=0x00 PREC=0x00 TTL=236 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=58196 SEQ=498

I have no problem pinging google (IP address 64.233.167.99) from the GW box, but I CAN'T PING google.com from my LAN (192.168.10.52).

cat /etc/shorewall/zones
fw firewall
net ipv4
loc ipv4

cat /etc/shorewall/interfaces
net eth0 detect tcpflags,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,detectnets,nosmurfs

I tried "net eth0 detect routeback" but no luck, and there is no log entry after changing to routeback.

cat /etc/shorewall/policy
$FW all ACCEPT
loc $FW ACCEPT
all all REJECT info

I know this is because of this line: "all all REJECT info"

iptables -t filter -L
Chain FORWARD (policy DROP)
target prot opt source destination
eth0_fwd all -- anywhere anywhere
eth1_fwd all -- anywhere anywhere
eth2_fwd all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere


iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 776 packets, 49169 bytes)
pkts bytes target prot opt in out source destination
97 9360 net_dnat all -- eth0 any anywhere anywhere
1538 82433 loc_dnat all -- eth1 any 192.168.10.0/24 anywhere

Chain POSTROUTING (policy ACCEPT 3751 packets, 237K bytes)
pkts bytes target prot opt in out source destination
3549 230K eth0_masq all -- any eth0 anywhere anywhere
522 26659 eth1_masq all -- any eth1 anywhere anywhere
6 445 eth2_masq all -- any eth2 anywhere anywhere


Kindly HELP!
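A small parser for log lines like the one quoted above, added here as an editor's example (it is not code from the thread). The format is the default Shorewall LOGFORMAT prefix (Shorewall:chain:disposition:) followed by the kernel's netfilter LOG fields. The first sample line is the one from this post; the other sample lines are constructed, using RFC 5737 documentation addresses. What the classification makes visible is the meaning of IN=eth0 OUT=eth0: the routing decision sent the packet back out the interface it arrived on, and the eth0_fwd chain only passes such "hairpin" traffic when that interface carries the routeback option and a zone policy or rule then accepts it.

```python
"""Parse netfilter LOG lines emitted by Shorewall and classify FORWARD rejects.

Editor's example, not from the thread. The first sample line is the one
quoted in post #1; the rest are constructed. Field names are the standard
netfilter LOG keys (IN, OUT, SRC, DST, PROTO, TYPE, CODE, ...).
"""
import re
from typing import Dict, List, Optional

# Default Shorewall LOGFORMAT is "Shorewall:%s:%s:" -> chain, disposition.
_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")
_KV = re.compile(r"\b([A-Z]+)=(\S*)")
# Bare tokens the LOG target emits without an '=' sign.
_FLAGS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}

SAMPLE_LINES: List[str] = [
    # From post #1: echo-reply from Google to a LAN host, rejected in FORWARD
    "Sep 5 11:16:59 proxy308 kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 "
    "SRC=64.233.167.99 DST=192.168.10.52 LEN=84 TOS=0x00 PREC=0x00 TTL=236 ID=0 DF "
    "PROTO=ICMP TYPE=0 CODE=0 ID=58196 SEQ=498",
    # Constructed: inbound SSH SYN from the net zone dropped by the net->fw policy
    "Sep 5 11:17:02 proxy308 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12345 DF PROTO=TCP SPT=40000 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    # Constructed: LAN host's echo-request towards the net zone, rejected by policy
    "Sep 5 11:17:05 proxy308 kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth0 "
    "SRC=192.168.10.52 DST=64.233.167.99 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF "
    "PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1",
    # Constructed: echo-reply routed correctly towards the LAN but with no
    # conntrack entry to ride on, so it falls through to the policy
    "Sep 5 11:17:06 proxy308 kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth1 "
    "SRC=64.233.167.99 DST=192.168.10.60 LEN=84 TOS=0x00 PREC=0x00 TTL=236 ID=0 DF "
    "PROTO=ICMP TYPE=0 CODE=0 ID=7 SEQ=3",
    # Constructed: unrelated syslog line, must be ignored
    "Sep 5 11:17:07 proxy308 sshd[2211]: Accepted publickey for admin from 192.168.10.7",
]


def parse_shorewall_log(line: str) -> Optional[Dict[str, object]]:
    """Return the Shorewall prefix fields plus every KEY=value pair, or None."""
    m = _PREFIX.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    rest = line[m.end():]
    for key, val in _KV.findall(rest):
        # The IP header ID and the ICMP ID both log as ID=; keep both (ID, ID_).
        while key in rec:
            key += "_"
        rec[key] = val
    rec["flags"] = sorted(tok for tok in rest.split() if tok in _FLAGS)
    return rec


def classify(rec: Dict[str, object]) -> str:
    """Label a record so the reader knows which part of the rule set to inspect."""
    if rec["chain"] != "FORWARD":
        return "not-forward"            # zone-to-fw chains such as net2fw
    iface_in, iface_out = rec.get("IN", ""), rec.get("OUT", "")
    if iface_in and iface_in == iface_out:
        # The routing decision sent the packet back out the interface it came
        # in on. Shorewall emits ethX->ethX forwarding rules only when that
        # interface carries the 'routeback' option, and even then a policy or
        # rule for the zone pair still has to accept the traffic.
        return "hairpin"
    if rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "0":
        # Echo-reply that did not match an ESTABLISHED conntrack entry.
        return "stray-echo-reply"
    return "policy"                     # plain zone->zone traffic hitting the policy


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count records by chain:disposition:category; non-Shorewall lines are skipped."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_shorewall_log(line)
        if rec is None:
            continue
        key = f"{rec['chain']}:{rec['disposition']}:{classify(rec)}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_shorewall_log(line)
        if rec:
            print(f"{classify(rec):18} {rec['IN']!s:>5} -> {rec['OUT']!s:<5} "
                  f"{rec['SRC']} -> {rec['DST']} {rec['PROTO']}")
    print(summarize(SAMPLE_LINES))
```

On this page the fix that finally worked (post #3) was commenting out the tcrules lines that mark every ICMP packet with 1:P. A mark set in PREROUTING is normally used to select a provider routing table, so the likely mechanism is that the echo-reply was looked up in that table, which had no route to 192.168.10.0/24, and was sent out that table's default route on eth0: exactly the "hairpin" case the parser flags. That is an inference from the posted configuration, not something the thread confirms.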
09-05-2006, 09:59 PM   #2
backhand (LQ Newbie, registered Sep 2006, 4 posts)
In /etc/shorewall/policy, try adding "loc net ACCEPT", then reload/apply the Shorewall configuration and test a ping to google from your LAN...
09-06-2006, 06:05 AM   #3
filex (Member, registered Sep 2004, 56 posts; original poster)
Thanks for your comment.

If putting "loc net ACCEPT" in /etc/shorewall/policy means opening all ports to the outside for the LAN, I don't think this is a good solution; I have to block certain outgoing traffic for my LAN users.

I just commented out these 2 lines as below and it works.
/etc/shorewall/tcrules
#1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-request
#1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-reply

But I don't understand why?
12-02-2006, 07:06 PM   #4
manchox (LQ Newbie, registered Jun 2006, Bahia de Banderas, Nayarit-Mexico, CentOS 3.4, 4 posts)
OK, look at the following configuration:
zones file:
fw firewall
net ipv4
loc ipv4
##############
interfaces file:
net eth0 -
loc eth1 routeback
##############
masq file:
eth0 eth1
##############
policy file:
$FW net ACCEPT
net all DROP INFO
all all REJECT


In the rules file you open the ports according to your needs, and that is everything...!
05-04-2007, 12:29 PM   #5
nolinuxnollife (Registered User, registered Jan 2005, India, RedHat and Mandrake, 55 posts)
I have a Shorewall server, eth0 for internal and eth1 for external. Now, because of some considerations, I had to divide my LAN into two separate networks (suppose 192.168.1.0 and 192.168.10.0). But servers are available on only one network (suppose in 192.168.1.0). When I try to access the 192.168.1.0 network from any host of 192.168.10.0, I am unable to reach the server network. I tried adding some of them as rules in iptables... Strangely, if I stop the iptables service I am able to go to the other network. Any suggestions?
05-17-2007, 08:39 AM   #6
wshawn (LQ Newbie, registered Mar 2004, Central Florida, Fedora, 11 posts)
Netmask

Your netmask is probably still 255.255.255.0

You will need to change the third 255 to 0 (or other value depending on your actual needs -- 0 opens up 255 sub nets... -- big hole there) on both networks to have them access the server.

This could also be defeating the purpose for splitting the networks because it allows both networks access to each other.
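Pulling together the two questions in this thread: filex (post #3) does not want a blanket "loc net ACCEPT" policy, and nolinuxnollife (post #5) needs a client subnet to reach a server subnet that sits behind the same internal interface, through the firewall rather than by widening the netmask. The fragment below is an editor's example written for this page, not a configuration anyone posted; it uses the same zones/interfaces/masq/policy/rules file layout as the configurations quoted above (Shorewall 3.x syntax). The interface names, the subnets 192.168.1.0/24 and 192.168.10.0/24, and the service ports are assumptions chosen to match the thread.

```text
# /etc/shorewall/zones
fw      firewall
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# 'routeback' makes Shorewall generate the eth1 -> eth1 forwarding rules that
# traffic between two subnets behind one interface needs; without it that
# traffic is rejected and logged with IN=eth1 OUT=eth1.
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0       detect     tcpflags,routefilter,nosmurfs,logmartians
loc     eth1       detect     tcpflags,routeback,nosmurfs

# /etc/shorewall/masq
#INTERFACE  SUBNET
eth0        eth1

# /etc/shorewall/policy
# Keep the restrictive default. No 'loc net ACCEPT' and no 'loc loc ACCEPT':
# everything the LAN may do is spelled out in the rules file.
#SOURCE  DEST   POLICY   LOG LEVEL
$FW      all    ACCEPT
loc      $FW    ACCEPT
net      all    DROP     info
all      all    REJECT   info

# /etc/shorewall/rules
#ACTION  SOURCE                DEST                 PROTO   DEST PORT(S)
# LAN -> Internet: only the services the users need
ACCEPT   loc                   net                  tcp     80,443
ACCEPT   loc                   net                  udp     53
ACCEPT   loc                   net                  tcp     53
ACCEPT   loc                   net                  icmp    8
# client subnet -> server subnet, routed through the firewall (needs the
# routeback option above); nothing is opened in the other direction
ACCEPT   loc:192.168.10.0/24   loc:192.168.1.0/24   tcp     22,80,443
ACCEPT   loc:192.168.10.0/24   loc:192.168.1.0/24   icmp    8
```

Replies to the accepted echo-requests and connections come back through the ESTABLISHED,RELATED accept that Shorewall places at the top of each chain, so only the request direction needs a rule. The caveat for the two-subnet case: because both subnets share one interface, the firewall only sees (and filters) the traffic if every host routes the other subnet via the firewall, for example by using it as the default gateway. A host that gets a direct route or a second address on the other subnet bypasses the filter entirely, which is the hole wshawn's netmask remark points at.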