At 07:50 PM 12/17/2003 +0100, and hansen wrote: [...]
and RH FAQ info to Ray Olszewski[details deleted in reply]
OK. I read through the Shorewall rulesets you provided (as well as the rest of the information), and it looks like the router should be letting you ping both ways between dmz and loc, and ssh from loc to dmz (the actual problems you reported in your first message). The ruleset output you quoted, though, is from a time when Shorewall has seen no packets from the dmz (the INPUT and FORWARD chain entries in the default table are all 0 for eth2 as source).
Your best bet at this point is to try the tests again, then capture again the output of "Shorewall status". Trace through the rulesets and see where they are and are not being incremented, and that should tell you where your problem is.
For example, you now report (I've reformatted this a bit in the hope that it will come through in more easily read form):
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
1671 862K eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
1942 322K eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 eth2_fwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0
level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
If you ping a dmz host from loc successfully, you should see both the rule for the eth1_fwd and the rule for the eth2_fwd target increment. If both do, the problem is after the icmp packet gets to the dmz host and it replies, so trace through the rules that follow the arrival at eth2_fwd. If only eth1_fwd increments, then trace through the rule chain that outgoing packets traverse (it has about 5 steps) to make sure all the proper rules increment. In this example, the rule sequence you would expect the packet to traverse is:
in eth1_fwd:
0 0 loc2dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0
in loc2dmz:
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
The ACCEPT target ends the sequence.
If these rules all do increment, then the ping packet goes out successfully, but the router never sees a reply (that is, eth2_fwd does not increment), then see what's going on on the dmz host.
This is just an example; exactly what you need to check depends on what you find, but I'm sure you can see the logic of following a rule path from this example.
I would also double check the configuration (the routing table and any onboard firewall) of the dmz host. If, for example, it thinks it is on 192.168.0.0/16 rather than 192.168.100.0/24, that would be sufficient to explain all the symptoms you've reported (this is an example only).
------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click ------------------------------------------------------------------------ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
