On Thu, 2008-09-18 at 17:59 -0700, Tom Eastep wrote:
> Ricardo Kleemann wrote:
> > Hi,
> >
> > I'm setting up shorewall (v. 3.4.8) and have established some IPs in the
> > nat file.
> >
> > For testing purposes only, I have my main eth0 interface for shorewall
> > (the "net" interface) in network 192.168.0. The dmz interface is eth2 in
> > network 192.168.1.
> >
> > Here's a snippet of ip addr output:
> >
> > 3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:00:24:c0:02:dc brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.0.200/24 brd 192.168.0.255 scope global eth0
> >     inet 192.168.0.199/24 brd 192.168.0.255 scope global secondary eth0:1
> >
> > 5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:00:24:c0:02:de brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.1.1/24 brd 192.168.1.255 scope global eth2
> >
> >
> > And I have in the nat file:
> > 192.168.0.199   eth0:1   192.168.1.200
> >
> >
> > In the rules file I opened it up for testing:
> > Ping/ACCEPT   net   fw
> > Ping/ACCEPT   net   dmz
> > Ping/ACCEPT   loc   fw
> > Ping/ACCEPT   dmz   fw
> > Ping/ACCEPT   fw    dmz
> >
> >
> > And I have a test PC connected to the net interface, IP 192.168.0.104.
> >
> >
> > The routing from the fw looks correct:
> > # ip route
> > 192.168.1.0/24 dev eth2  proto kernel  scope link  src 192.168.1.1
> > 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.200
> > default via 192.168.0.1 dev eth0
> >
> >
> > Here's what I see:
> >
> > ping fw -> dmz is ok (192.168.1.1 -> 192.168.1.200)
> > ping net -> fw main address is ok (192.168.0.104 -> 192.168.0.200)
> > ping net -> dmz FAILS (192.168.0.104 -> 192.168.0.199)
> >
> > I know packets are not being dropped so it's not shorewall that's
> > blocking. I guess something's just not getting routed properly? If I can
> > go net -> fw and fw -> dmz, why is the net -> dmz failing?
>
> What is the output of "shorewall show zones"?
>
# shorewall show zones
Shorewall 3.4.8 Zones at firewall - Fri Sep 19 01:02:15 UTC 2008

fw (firewall)
net (ipv4)
   eth0:0.0.0.0/0
loc (ipv4)
   eth1:0.0.0.0/0
dmz (ipv4)
   eth2:0.0.0.0/0

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
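The thread above is debugging a one-to-one NAT entry (EXTERNAL, INTERFACE, INTERNAL columns of /etc/shorewall/nat) against the firewall's own `ip addr` and `ip route` output. The following is an added example, not code from the thread or from the Shorewall project: it parses the three artifacts the poster supplied (the `ip addr` snippet, the `ip route` table and the nat line, embedded here verbatim as sample input) and runs the sanity checks a practitioner would make before suspecting the rule set: the external address must actually be configured on the named interface, the internal address must lie in a directly connected subnet, and the internal host must not sit on the same interface as the external address. It also prints the plain-iptables equivalent of a one-to-one NAT entry (a DNAT in nat/PREROUTING plus a SNAT in nat/POSTROUTING); that rendering is an assumption about netfilter semantics for illustration, not Shorewall's actual chain layout or rule names.

```python
import ipaddress
import re

# Sample `ip addr` output, copied from the message above.
IP_ADDR_OUTPUT = """\
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:24:c0:02:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.200/24 brd 192.168.0.255 scope global eth0
    inet 192.168.0.199/24 brd 192.168.0.255 scope global secondary eth0:1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:00:24:c0:02:de brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth2
"""

# Sample `ip route` output, also copied from the message.
IP_ROUTE_OUTPUT = """\
192.168.1.0/24 dev eth2  proto kernel  scope link  src 192.168.1.1
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.200
default via 192.168.0.1 dev eth0
"""

# The poster's /etc/shorewall/nat entry: EXTERNAL INTERFACE INTERNAL
NAT_FILE = "192.168.0.199   eth0:1   192.168.1.200\n"


def parse_ip_addr(text):
    """Map interface name -> list of IPv4Interface objects configured on it."""
    addrs = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^\d+:\s+(\S+?):", line)
        if m:
            current = m.group(1)
            addrs.setdefault(current, [])
            continue
        m = re.match(r"^\s+inet\s+(\S+/\d+)", line)
        if m and current:
            addrs[current].append(ipaddress.ip_interface(m.group(1)))
    return addrs


def parse_ip_route(text):
    """Return (network, device) pairs for directly connected (scope link) routes."""
    routes = []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+dev\s+(\S+)\s+proto kernel\s+scope link", line)
        if m:
            routes.append((ipaddress.ip_network(m.group(1)), m.group(2)))
    return routes


def parse_nat_file(text):
    """Parse the first three columns of a Shorewall nat file (comments and blanks skipped)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"nat entry needs EXTERNAL INTERFACE INTERNAL: {line!r}")
        external, iface, internal = cols[:3]
        entries.append({
            "external": ipaddress.ip_address(external),
            "interface": iface.split(":", 1)[0],  # eth0:1 is an alias label on eth0
            "label": iface,
            "internal": ipaddress.ip_address(internal),
        })
    return entries


def check_nat_entries(entries, addrs, routes):
    """Return a list of human-readable findings; an empty list means the entry is consistent."""
    findings = []
    for e in entries:
        configured = [a.ip for a in addrs.get(e["interface"], [])]
        if e["external"] not in configured:
            findings.append(f"external {e['external']} is not configured on {e['interface']}")
        connected = [dev for net, dev in routes if e["internal"] in net]
        if not connected:
            findings.append(f"no connected route covers internal {e['internal']}")
        elif e["interface"] in connected:
            findings.append(f"internal {e['internal']} is reached via {e['interface']}, "
                            f"the same interface as the external address")
    return findings


def iptables_equivalent(entry):
    """Plain-iptables rendering of a one-to-one NAT entry (assumed, for illustration)."""
    ext, ifc, inner = entry["external"], entry["interface"], entry["internal"]
    return [
        f"iptables -t nat -A PREROUTING -i {ifc} -d {ext} -j DNAT --to-destination {inner}",
        f"iptables -t nat -A POSTROUTING -o {ifc} -s {inner} -j SNAT --to-source {ext}",
    ]


def audit(nat_text=NAT_FILE, addr_text=IP_ADDR_OUTPUT, route_text=IP_ROUTE_OUTPUT):
    entries = parse_nat_file(nat_text)
    return check_nat_entries(entries, parse_ip_addr(addr_text), parse_ip_route(route_text))


if __name__ == "__main__":
    for entry in parse_nat_file(NAT_FILE):
        for rule in iptables_equivalent(entry):
            print(rule)
    print("findings:", audit() or "none")
```

For the configuration posted in the thread the checks come back clean, which is consistent with the poster's observation that the firewall itself has the addresses and routes it needs; a failing check on a real system points at the nat entry or the interface configuration rather than the rules file.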