Shorewall:FORWARD:REJECT Problem
I keep receiving a SHOREWALL:FORWARD:REJECT error log in my /var/log/messages:

Sep 5 11:16:59 proxy308 kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=64.233.167.99 DST=192.168.10.52 LEN=84 TOS=0x00 PREC=0x00 TTL=236 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=58196 SEQ=498

I have no problem pinging google (IP address 64.233.167.99) from a GW box, but I CAN'T PING google.com from my LAN (192.168.10.52).

cat /etc/shorewall/zones
fw firewall
net ipv4
loc ipv4

cat /etc/shorewall/interfaces
net eth0 detect tcpflags,routefilter,nosmurfs,logmartians
loc eth1 detect tcpflags,detectnets,nosmurfs

I tried "net eth0 detect routeback" but no luck, and there are no log entries after changing to routeback.

cat /etc/shorewall/policy
$FW all ACCEPT
loc $FW ACCEPT
all all REJECT info

I know this is because of this line: "all all REJECT info"

iptables -t filter -L
Chain FORWARD (policy DROP)
target     prot opt source               destination
eth0_fwd   all  --  anywhere             anywhere
eth1_fwd   all  --  anywhere             anywhere
eth2_fwd   all  --  anywhere             anywhere
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject     all  --  anywhere             anywhere

iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 776 packets, 49169 bytes)
 pkts bytes target     prot opt in     out     source               destination
   97  9360 net_dnat   all  --  eth0   any     anywhere             anywhere
 1538 82433 loc_dnat   all  --  eth1   any     192.168.10.0/24      anywhere

Chain POSTROUTING (policy ACCEPT 3751 packets, 237K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3549  230K eth0_masq  all  --  any    eth0    anywhere             anywhere
  522 26659 eth1_masq  all  --  any    eth1    anywhere             anywhere
    6   445 eth2_masq  all  --  any    eth2    anywhere             anywhere

Kindly HELP!
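A small parser for these Shorewall log lines, added here as an example; it is not code from the thread or from the Shorewall project. It splits the netfilter fields, keeps the IP-header ID separate from the ICMP echo ID (netfilter prints ID twice for ICMP), and flags the case visible in the post, a FORWARD reject with IN and OUT on the same interface, as a routing question rather than a zone-policy one. The first sample line is the poster's own entry; the other lines are constructed, and the zone-pair chain matching assumes Shorewall's usual `src2dst` / `src-dst` chain names.

```python
"""Parse Shorewall-prefixed netfilter log lines and triage each reject.

Added example for this thread, not code from the original post or from the
Shorewall project. Assumes Shorewall's chain naming: FORWARD for the
catch-all, src2dst or src-dst for zone-pair chains.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)$"
)

# netfilter prints a second TYPE/CODE/ID/SEQ group after PROTO=ICMP; prefix
# those so the IP-header ID and the ICMP echo ID do not overwrite each other.
ICMP_KEYS = {"TYPE", "CODE", "ID", "SEQ"}

# Constructed sample log. Line 1 is the entry quoted in the original post;
# the others are made up for the example.
SAMPLE_LOG = """\
Sep 5 11:16:59 proxy308 kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=64.233.167.99 DST=192.168.10.52 LEN=84 TOS=0x00 PREC=0x00 TTL=236 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=58196 SEQ=498
Sep 5 11:17:02 proxy308 kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.52 DST=64.233.167.99 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 5 11:17:05 proxy308 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=TCP SPT=55555 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 5 11:17:09 proxy308 kernel: unrelated message that is not a Shorewall log line
"""


@dataclass
class LogEntry:
    chain: str
    disposition: str
    fields: Dict[str, str] = field(default_factory=dict)
    flags: List[str] = field(default_factory=list)   # DF, SYN, ACK, ...

    @property
    def hairpin(self) -> bool:
        """A forwarded packet leaving on the interface it arrived on."""
        ingress = self.fields.get("IN", "")
        return bool(ingress) and ingress == self.fields.get("OUT", "")

    @property
    def zones(self) -> Optional[Tuple[str, str]]:
        """(source, dest) zone from a zone-pair chain name such as net2fw or net-fw."""
        m = re.fullmatch(r"(\w+)(?:2|-)(\w+)", self.chain)
        return (m.group(1), m.group(2)) if m else None


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry for a Shorewall log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = LogEntry(m.group("chain"), m.group("disposition"))
    in_icmp = False
    for token in m.group("fields").split():
        if "=" not in token:
            entry.flags.append(token)          # bare flags like DF, SYN
            continue
        key, _, value = token.partition("=")   # "OUT=" gives an empty value
        if in_icmp and key in ICMP_KEYS:
            key = "ICMP_" + key
        entry.fields[key] = value
        if key == "PROTO" and value == "ICMP":
            in_icmp = True
    return entry


def triage(entry: LogEntry) -> Tuple[str, str]:
    """Classify a logged packet and say which part of the setup to look at."""
    f = entry.fields
    flow = f"{f.get('PROTO', '?')} {f.get('SRC', '?')} -> {f.get('DST', '?')}"
    if entry.chain == "FORWARD" and entry.hairpin:
        # Routing sent the packet back out its ingress interface, so no
        # zone-pair chain handled it; look at routing and packet marks
        # (the poster traced this to tcrules marks), not at the policy file.
        return ("hairpin", f"{flow} entered and left {f['IN']}: routing problem")
    if entry.chain == "FORWARD":
        # Reached the FORWARD catch-all: no zone-pair chain covered IN->OUT.
        return ("fallthrough", f"{flow} {f['IN']}->{f['OUT']}: no zone-pair chain")
    zones = entry.zones
    if zones:
        return ("zone-policy", f"{flow} hit {zones[0]}->{zones[1]} {entry.disposition}")
    return ("other", flow)


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Triage every Shorewall line in a log excerpt; other lines are skipped."""
    results = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            results.append(triage(entry))
    return results


if __name__ == "__main__":
    for category, summary in triage_log(SAMPLE_LOG):
        print(f"{category:12} {summary}")
```

Run against the poster's line this reports a hairpin: the echo-reply from 64.233.167.99 came in on eth0 and was routed back out eth0 instead of towards eth1, which is why the catch-all in FORWARD, not a zone-pair chain, logged it.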
In /etc/shorewall/policy, try adding "loc net ACCEPT", reload/apply the Shorewall configuration, and test a ping to Google from your LAN...
Thanks for your comment.
Putting "loc net ACCEPT" in /etc/shorewall/policy means you are opening all ports to the outside for the LAN. I don't think this is a good solution; I have to block certain outgoing traffic for my LAN users. I just commented out these 2 lines as below and it works.

/etc/shorewall/tcrules
#1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-request
#1:P 0.0.0.0/0 0.0.0.0/0 icmp echo-reply

But I don't understand why.
OK, look at the following configuration:

zones file:
fw firewall
net ipv4
loc ipv4
##############
interfaces file:
net eth0 -
loc eth1 routeback
##############
masq file:
eth0 eth1
##############
policy file:
$FW net ACCEPT
net all DROP INFO
all all REJECT

In the rules file you open the ports according to your necessities, and that is everything...!
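As an added example (not the thread's or Shorewall's own code), the two approaches in the replies side by side: a blanket `loc net ACCEPT` policy versus keeping the policy closed and opening specific ports in the rules file. It evaluates a packet the way Shorewall orders things, rules file first and then the policy file top-down with the first match winning, and reports which line decided. The three rule lines are constructed for the example; macros such as `Ping(ACCEPT)`, conntrack state (which is what lets replies back in) and interface options like routeback are not modelled.

```python
"""First-match evaluation of Shorewall rules and policy for a zone pair.

Added example for this thread, not code from the post or from Shorewall.
Models only what the replies discuss: rules are consulted before policy,
both top-down, "all" matches any zone, and $FW is the firewall zone.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FW = "fw"   # Shorewall substitutes the firewall zone name for $FW


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str               # tcp, udp, icmp
    dport: Optional[int]     # tcp/udp destination port, icmp type, or None


@dataclass(frozen=True)
class Entry:
    kind: str        # "rule" or "policy"
    action: str
    source: str
    dest: str
    proto: str = "-"
    dport: str = "-"     # "-" = any, else "80,443" or "6000:6010"
    text: str = ""       # original line, reported on match


def _split(text: str) -> List[List[str]]:
    """Strip comments and blank lines, expand $FW, split into columns."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().replace("$FW", FW)
        if line:
            rows.append(line.split())
    return rows


def parse_policy(text: str) -> List[Entry]:
    """SOURCE DEST POLICY [LOGLEVEL]; the log level does not affect matching."""
    return [Entry("policy", cols[2].upper(), cols[0], cols[1], text=" ".join(cols))
            for cols in _split(text)]


def parse_rules(text: str) -> List[Entry]:
    """ACTION SOURCE DEST [PROTO [DPORT]] with plain actions only, no macros."""
    out = []
    for cols in _split(text):
        text_line = " ".join(cols)
        cols = cols + ["-"] * (5 - len(cols))
        out.append(Entry("rule", cols[0].upper(), cols[1], cols[2],
                         cols[3].lower(), cols[4], text_line))
    return out


def _zone_ok(pattern: str, zone: str) -> bool:
    return pattern == "all" or pattern == zone


def _port_ok(pattern: str, port: Optional[int]) -> bool:
    if pattern == "-":
        return True
    if port is None:
        return False
    for item in pattern.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _matches(entry: Entry, pkt: Packet) -> bool:
    if not (_zone_ok(entry.source, pkt.src_zone) and _zone_ok(entry.dest, pkt.dst_zone)):
        return False
    if entry.kind == "policy":
        return True                      # a policy is per zone pair only
    return entry.proto in ("-", pkt.proto) and _port_ok(entry.dport, pkt.dport)


def decide(pkt: Packet, rules: List[Entry], policy: List[Entry]) -> Tuple[str, str]:
    """Rules first, then policy, first match wins; returns (action, matched line)."""
    for entry in rules + policy:
        if _matches(entry, pkt):
            return entry.action, f"{entry.kind}: {entry.text}"
    raise ValueError("no policy covers this zone pair")


# The original poster's policy: nothing for loc->net, so it falls through.
OP_POLICY = parse_policy("""
$FW all ACCEPT
loc $FW ACCEPT
all all REJECT info
""")

# The first reply: a blanket loc->net ACCEPT ahead of the catch-all.
OPEN_POLICY = parse_policy("""
$FW all ACCEPT
loc $FW ACCEPT
loc net ACCEPT
all all REJECT info
""")

# The second reply's shape: loc->net stays closed by policy, specific ports
# are opened in the rules file. These rule lines are constructed here.
CLOSED_POLICY = parse_policy("""
$FW net ACCEPT
net all DROP info
all all REJECT
""")
RULES = parse_rules("""
ACCEPT loc net tcp 80,443   # web only
ACCEPT loc net udp 53       # DNS
ACCEPT loc net icmp 8       # echo-request; replies ride on conntrack
""")


def compare(pkt: Packet) -> Dict[str, str]:
    """The decision for one packet under each of the three configurations."""
    return {
        "op": decide(pkt, [], OP_POLICY)[0],
        "loc net ACCEPT": decide(pkt, [], OPEN_POLICY)[0],
        "rules + REJECT": decide(pkt, RULES, CLOSED_POLICY)[0],
    }


if __name__ == "__main__":
    for pkt in (Packet("loc", "net", "tcp", 443), Packet("loc", "net", "tcp", 25),
                Packet("loc", "net", "icmp", 8)):
        print(pkt, compare(pkt))
```

For loc to net on tcp/443 all three say ACCEPT except the poster's own policy, but on tcp/25 only the blanket `loc net ACCEPT` lets it out; the rules-plus-REJECT layout keeps it closed, which is the distinction the poster was worried about.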
I have a Shorewall server: eth0 for internal and eth1 for external. Now, because of some considerations, I had to divide my LAN into two separate networks (suppose 192.168.1.0 and 192.168.10.0). But the servers are available on only one network (suppose 192.168.1.0). When I try to access the 192.168.1.0 network from any host on 192.168.10.0 I am unable to reach the server network. I tried adding some of them as rules in iptables. Strangely, if I stop the iptables service I am able to get to the other network. Any suggestions?
Netmask
Your netmask is probably still 255.255.255.0
You will need to change the third 255 to 0 (or another value depending on your actual needs -- 0 opens up 255 subnets... -- big hole there) on both networks to have them access the server. This could also be defeating the purpose of splitting the networks, because it allows both networks access to each other.