LinuxQuestions.org > Linux - Security > Shorewall:FORWARD:REJECT Problem
https://www.linuxquestions.org/questions/linux-security-4/shorewall-forward-reject-problem-480459/

filex 09-04-2006 10:22 PM

Shorewall:FORWARD:REJECT Problem

I keep receiving a Shorewall:FORWARD:REJECT error log in my /var/log/messages:

Sep 5 11:16:59 proxy308 kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=64.233.167.99 DST=192.168.10.52 LEN=84 TOS=0x00 PREC=0x00 TTL=236 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=58196 SEQ=498

I have no problem pinging Google (IP address 64.233.167.99) from the GW box, but I CAN'T PING google.com from my LAN (192.168.10.52).

cat /etc/shorewall/zones
fw firewall
net ipv4
loc ipv4

cat /etc/shorewall/interfaces
net eth0 detect tcpflags,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,detectnets,nosmurfs

I tried "net eth0 detect routeback" but no luck, and there are no log entries after changing to routeback.

cat /etc/shorewall/policy
$FW all ACCEPT
loc $FW ACCEPT
all all REJECT info

I know this is because of this line: "all all REJECT info".

iptables -t filter -L
Chain FORWARD (policy DROP)
target prot opt source destination
eth0_fwd all -- anywhere anywhere
eth1_fwd all -- anywhere anywhere
eth2_fwd all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere


iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 776 packets, 49169 bytes)
pkts bytes target prot opt in out source destination
97 9360 net_dnat all -- eth0 any anywhere anywhere
1538 82433 loc_dnat all -- eth1 any 192.168.10.0/24 anywhere

Chain POSTROUTING (policy ACCEPT 3751 packets, 237K bytes)
pkts bytes target prot opt in out source destination
3549 230K eth0_masq all -- any eth0 anywhere anywhere
522 26659 eth1_masq all -- any eth1 anywhere anywhere
6 445 eth2_masq all -- any eth2 anywhere anywhere


Kindly HELP!
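
The log line quoted above is the standard kernel LOG format that Shorewall emits (prefix Shorewall:chain:disposition:, then key=value fields). As an added example, not code from the original post or from Shorewall, here is a small parser for that format. Note that an ICMP line carries two ID= fields (the IP header ID and the ICMP identifier), so a naive dict would silently overwrite one; the parser keeps the IP-header fields and the post-PROTO fields apart. It also flags records whose IN and OUT interface are the same (called "hairpin" here, my own label), which is exactly what the posted line shows (IN=eth0 OUT=eth0). All sample lines except the first are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input. The first line is the one quoted in the post above;
# the next two are made-up lines in the same Shorewall LOG format (a dropped
# inbound TCP SYN and an accepted outbound echo-request), and the last is an
# unrelated syslog line that the parser must ignore.
SAMPLE_LOG = """\
Sep 5 11:16:59 proxy308 kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=64.233.167.99 DST=192.168.10.52 LEN=84 TOS=0x00 PREC=0x00 TTL=236 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=58196 SEQ=498
Sep 5 11:17:03 proxy308 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 5 11:17:10 proxy308 kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.10.52 DST=64.233.167.99 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=58196 SEQ=498
Sep 5 11:17:11 proxy308 sshd[1234]: Accepted password for admin from 192.168.10.5 port 51234 ssh2
"""

# syslog timestamp, host, then the Shorewall prefix "Shorewall:<chain>:<disposition>:"
SHOREWALL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)$"
)

ICMP_TYPES = {"0": "echo-reply", "8": "echo-request"}  # only the two that matter here


@dataclass
class LogRecord:
    ts: str
    host: str
    chain: str                                 # FORWARD, net2all, loc2net, ...
    disposition: str                           # ACCEPT / DROP / REJECT
    ip: dict = field(default_factory=dict)     # IN, OUT, SRC, DST, LEN, TTL, IP-header ID, PROTO
    l4: dict = field(default_factory=dict)     # fields after PROTO=: TYPE/CODE/ID/SEQ or SPT/DPT/...
    flags: set = field(default_factory=set)    # bare tokens such as DF, SYN, ACK

    @property
    def hairpin(self) -> bool:
        """True when the packet is being forwarded back out the interface it came in on."""
        return bool(self.ip.get("IN")) and self.ip.get("IN") == self.ip.get("OUT")


def parse_line(line: str):
    """Return a LogRecord for a Shorewall LOG line, or None for any other line."""
    m = SHOREWALL_RE.match(line.strip())
    if not m:
        return None
    rec = LogRecord(m["ts"], m["host"], m["chain"], m["disp"])
    target = rec.ip
    for tok in m["rest"].split():
        if "=" not in tok:               # flag without a value, e.g. DF or SYN
            rec.flags.add(tok)
            continue
        key, value = tok.split("=", 1)   # "OUT=" yields an empty value
        target[key] = value
        if key == "PROTO":               # everything after PROTO= belongs to the L4 header
            target = rec.l4
    return rec


def parse_log(text: str):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def find_hairpins(text: str):
    """Records where IN == OUT, the pattern seen in the posted FORWARD:REJECT line."""
    return [r for r in parse_log(text) if r.hairpin]


def describe(rec: LogRecord) -> str:
    """One-line human summary of a record."""
    proto = rec.ip.get("PROTO", "?")
    if proto == "ICMP":
        t = rec.l4.get("TYPE", "?")
        detail = f"ICMP type {t} ({ICMP_TYPES.get(t, 'other')})"
    else:
        detail = f"{proto} {rec.l4.get('SPT', '?')}->{rec.l4.get('DPT', '?')}"
    path = f"{rec.ip.get('IN') or '-'}->{rec.ip.get('OUT') or '-'}"
    note = " HAIRPIN" if rec.hairpin else ""
    return (f"{rec.disposition} in {rec.chain}: {detail} "
            f"{rec.ip.get('SRC')}->{rec.ip.get('DST')} via {path}{note}")


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(describe(rec))
```

Run against the real /var/log/messages, anything reported as HAIRPIN is a packet the box received and tried to send straight back out the same interface; in the posted case that is the echo-reply from 64.233.167.99 leaving on eth0 instead of reaching 192.168.10.52 on eth1, which is why the FORWARD chain's catch-all REJECT fires.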

backhand 09-05-2006 08:59 PM

In /etc/shorewall/policy, try adding "loc net ACCEPT", then reload/apply the Shorewall configuration and test pinging Google from your LAN...

filex 09-06-2006 05:05 AM

Thanks for your comment.

Putting "loc net ACCEPT" in /etc/shorewall/policy means you open all ports to the outside for the LAN. I don't think this is a good solution; I have to block certain outgoing traffic for my LAN users.

I just commented out these 2 lines as below and it works.
/etc/shorewall/tcrules
#1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-request
#1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-reply

But I don't understand why.

manchox 12-02-2006 06:06 PM

OK, look at the following configuration:
zones file:
fw firewall
net ipv4
loc ipv4
##############
interfaces file:
net eth0 -
loc eth1 routeback
##############
masq file:
eth0 eth1
##############
policy file:
$FW net ACCEPT
net all DROP INFO
all all REJECT


In the rules file you open the ports according to your needs, and that is everything!
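
Both backhand's suggestion ("loc net ACCEPT") and the policy file just posted come down to how Shorewall resolves /etc/shorewall/policy: entries are read top down, the first entry whose SOURCE and DEST match wins, "all" matches any zone, and $FW stands for whichever zone the zones file marks as type firewall. The following is an added example, not Shorewall's own code, that models only that first-match lookup over the zones and policy files copied from the posts above. It ignores /etc/shorewall/rules (which Shorewall consults before the policy applies) and intra-zone traffic (which Shorewall handles with its own default rather than this file), so it shows which zone pairs fall through to the catch-all "all all" line.

```python
from dataclasses import dataclass
from typing import Optional

# Zone and policy files as posted in the thread (original poster's configuration).
FILEX_ZONES = """\
fw firewall
net ipv4
loc ipv4
"""

FILEX_POLICY = """\
$FW all ACCEPT
loc $FW ACCEPT
all all REJECT info
"""

# The same policy with backhand's suggested line added above the catch-all.
FILEX_POLICY_WITH_LOC_NET = """\
$FW all ACCEPT
loc $FW ACCEPT
loc net ACCEPT
all all REJECT info
"""

# manchox's policy file from the post above.
MANCHOX_POLICY = """\
$FW net ACCEPT
net all DROP INFO
all all REJECT
"""


@dataclass(frozen=True)
class Policy:
    source: str
    dest: str
    action: str                # ACCEPT / DROP / REJECT / ...
    log_level: Optional[str]   # "info" etc., or None when the entry does not log


def _content_lines(text: str):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_zones(text: str):
    """Return (firewall_zone_name, [all zone names]) from a zones file body."""
    fw, names = None, []
    for line in _content_lines(text):
        cols = line.split()
        if len(cols) < 2:
            raise ValueError(f"malformed zones line: {line!r}")
        name, ztype = cols[0], cols[1]
        names.append(name)
        if ztype == "firewall":
            fw = name
    if fw is None:
        raise ValueError("zones file defines no firewall zone")
    return fw, names


def parse_policy(text: str, fw_zone: str = "fw"):
    """Parse a policy file body; $FW is replaced by the firewall zone's name."""
    policies = []
    for line in _content_lines(text):
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"malformed policy line: {line!r}")
        src, dst, action = (c.replace("$FW", fw_zone) for c in cols[:3])
        level = cols[3].lower() if len(cols) > 3 and cols[3] != "-" else None
        policies.append(Policy(src, dst, action.upper(), level))
    return policies


def resolve(policies, src_zone: str, dst_zone: str) -> Policy:
    """First matching entry wins, top down; 'all' matches any zone."""
    for p in policies:
        if p.source in (src_zone, "all") and p.dest in (dst_zone, "all"):
            return p
    raise LookupError(f"no policy defined from zone {src_zone} to zone {dst_zone}")


def policy_matrix(zones_text: str, policy_text: str):
    """Map every ordered pair of distinct zones to the policy entry that governs it."""
    fw, names = parse_zones(zones_text)
    policies = parse_policy(policy_text, fw)
    return {(s, d): resolve(policies, s, d)
            for s in names for d in names if s != d}


if __name__ == "__main__":
    for label, text in (("filex", FILEX_POLICY),
                        ("filex + loc net ACCEPT", FILEX_POLICY_WITH_LOC_NET),
                        ("manchox", MANCHOX_POLICY)):
        print(f"== {label}")
        for (s, d), p in policy_matrix(FILEX_ZONES, text).items():
            via = "catch-all" if p.source == "all" and p.dest == "all" else "explicit"
            print(f"  {s:>3} -> {d:<3} {p.action:<7} log={p.log_level} ({via})")
```

With the original poster's file, loc to net is governed only by the catch-all "all all REJECT info", which is the line that produces the logged FORWARD:REJECT; backhand's line turns that pair into an unlogged ACCEPT, and manchox's file leaves both loc to net and loc to fw on an unlogged catch-all REJECT, so with that layout everything the LAN needs has to be opened in the rules file.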

nolinuxnollife 05-04-2007 11:29 AM

I have a Shorewall server: eth0 for internal and eth1 for external. Now, because of some considerations, I had to divide my LAN into two separate networks (suppose 192.168.1.0 and 192.168.10.0). But servers are available on only one network (suppose 192.168.1.0). When I try to access the 192.168.1.0 network from any host on 192.168.10.0 I am unable to reach the server network. I tried adding some of them as rules in iptables. Strangely, if I stop the iptables service I am able to go to the other network. Any suggestions?

wshawn 05-17-2007 07:39 AM

Netmask
 
Your netmask is probably still 255.255.255.0.

You will need to change the third 255 to 0 (or another value depending on your actual needs -- 0 opens up 255 subnets... -- big hole there) on both networks to have them access the server.

This could also be defeating the purpose for splitting the networks because it allows both networks access to each other.

