LinuxQuestions.org


chris.zeman 07-20-2006 05:43 PM

Static Routing results in Shorewall:FORWARD:REJECT
 
I have been attempting to make this work for the past two days.

I am running SuSE 10.1 with Shorewall and 3 NICs.
eth0: 10.1.10.250 255.255.0.0 (Connects to Router)
eth1: 10.120.2.250 255.255.0.0 (Reserved for a future project)
eth2: 172.16.1.6 255.255.0.0 (Connected to LAN)

This machine is our LAN's internet gateway, among other things. Another server on our network is connected to the company's LAN, and is our department LAN's gateway to the company network. My route has been configured, as shown below.
Code:

Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
10.115.0.0      172.16.xxx.xxx  255.255.0.0    UG    0      0        0 eth2

Unfortunately, none of the computers on our LAN are able to access the 10.115.0.0 network. This is what shows up in the firewall log:
Code:

Jul 20 01:21:56 automation kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=172.16.x.x DST=10.xxx.x.xx LEN=106 TOS=0x00 PREC=0x00 TTL=127 ID=41313 PROTO=UDP SPT=1066 DPT=161 LEN=86
The routing works if I execute "shorewall clear", so I know I'm at the final hurdle. I've found information on how to Proxy ARP, but a lot of it isn't exactly clear to me or doesn't pertain to my situation. I could be wrong, though. I just need some help. :(

Thank you,
Chris

Matir 07-20-2006 05:57 PM

Can you post your firewall rules? It's there that it's being stopped.

chris.zeman 07-20-2006 06:39 PM

Sorry, I meant to include them and forgot.

Cyber is my local network.

Policy
Code:

Cyber  all    ACCEPT
vpn1    all    ACCEPT
vpn2    all    ACCEPT
vpn3    all    ACCEPT
vpn4    all    ACCEPT
vpn5    all    ACCEPT
Net    all    DROP    info
fw      all    ACCEPT
all    all    DROP    info

I know the last policy is causing the problem, because everything works if I change it to ACCEPT. I can't leave it like that because then all the attacks start coming in. I can't, for the life of me, figure out what policy I should write to make it work. I've tried every combination I can think of, including Cyber<->Cyber.


Rules
Code:

SECTION NEW

SSH/ACCEPT:info        all    $FW
SMTP/ACCEPT:info        Net    $FW
Web/ACCEPT:info        all    $FW
IMAP/ACCEPT:info        all    $FW
ACCEPT:info            Net    $FW                    tcp    xxxx,xxxx,xxxx,xxxx
DNAT:info              Net    Cyber:172.16.x.x:xxxx  tcp    xxxx
DNAT:info              Net    Cyber:172.16.x.x:xxxx  tcp    xxxx
ACCEPT:info            Net    $FW                    tcp    xxxx
ACCEPT:info            Net    $FW                    tcp    xxxxx


neal860 09-19-2007 01:53 PM

Shorewall Interfaces
 
You need to add the following to the /etc/shorewall/interfaces file

#ZONE INTERFACE BROADCAST OPTIONS
loc eth0 detect routeback

where eth0 is the interface with your static route.

Hope this helps
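Added example, not code from any poster in this thread: a small Python parser for Shorewall's kernel log lines that pulls out the chain, disposition and packet fields and flags FORWARD rejects where IN and OUT name the same interface, which is the hairpin case (like the IN=eth2 OUT=eth2 entry above) that the routeback option in /etc/shorewall/interfaces is meant to allow. The log lines and addresses are constructed samples modelled on the one in the thread, not real captures.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines (not real captures): a hairpin forward rejected
# on eth2, an unrelated net2fw drop, and a normal eth2 -> eth0 forward reject.
SAMPLE_LOG = """\
Jul 20 01:21:56 automation kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=172.16.1.20 DST=10.115.4.7 LEN=106 TOS=0x00 PREC=0x00 TTL=127 ID=41313 PROTO=UDP SPT=1066 DPT=161 LEN=86
Jul 20 01:22:03 automation kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=10.1.10.250 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=TCP SPT=4444 DPT=22
Jul 20 01:22:10 automation kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth0 SRC=172.16.1.20 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9 PROTO=TCP SPT=1070 DPT=80
"""

# Shorewall prefixes netfilter log entries with "Shorewall:<chain>:<disposition>:"
# followed by the usual kernel packet fields (IN=, OUT=, SRC=, DST=, PROTO=, ...).
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return chain, disposition and packet fields for one Shorewall log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, val in KV_RE.findall(m.group("fields")):
        rec.setdefault(key, val)  # first LEN= is the IP length; keep that one
    return rec


def hairpin_rejects(log_text: str) -> List[Dict[str, str]]:
    """FORWARD entries rejected/dropped where IN and OUT are the same interface."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["chain"] != "FORWARD":
            continue
        if rec["disposition"] not in ("REJECT", "DROP"):
            continue
        if rec.get("IN") and rec.get("IN") == rec.get("OUT"):
            hits.append(rec)
    return hits


def interfaces_needing_routeback(log_text: str) -> List[str]:
    """Sorted interfaces whose hairpin forwards were rejected (candidates for routeback)."""
    return sorted({h["IN"] for h in hairpin_rejects(log_text)})


if __name__ == "__main__":
    for h in hairpin_rejects(SAMPLE_LOG):
        print(f"{h['IN']}: {h['SRC']} -> {h['DST']} {h['PROTO']}/{h.get('DPT')}")
    print("interfaces needing routeback:", interfaces_needing_routeback(SAMPLE_LOG))
```

Run it against `grep Shorewall /var/log/messages` output to see which interface the rejected hairpin traffic is using before editing the interfaces file.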

