At this point I'm rather certain my issue is not specific to shorewall, but likely something lower level that I have configured wrong.
The box is running Proxmox (Debian Lenny basically) as the base.
eth0 is the outside interface connected to the ISP.
eth1 is the lan/bridge physical interface used to connect everything to the box (internal virtual machines and outside physical machines).
vmbr0 is the bridge interface using eth1 that actually has the IP address.
The box is running bind/dhcpd/etc. as usual.

Machines (physical and virtual) get IP addresses, etc. just fine.

The router can connect to the internet just fine.
LAN machines can ping internet machines just fine.
LAN machines can connect to each other just fine.

That's where the problems start.
LAN machines cannot connect to web pages (normal or SSL), ssh out, retrieve POP3 mail (the client will authenticate but that's as far as it gets), etc.
Port forwards are not successfully making a full connection.

I know it is most likely something terribly simple, but I can't find it.
I've been banging my head on it all evening.

I'm assuming it's some sort of routing or NAT issue.

Thanks.
Configurations below.

Mark II

/etc/network/interfaces:
# network interface settings
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
        address  10.10.42.1
        netmask  255.255.255.0
        broadcast 10.10.42.255
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

/etc/shorewall/interfaces

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect dhcp,tcpflags,routefilter,nosmurfs
loc     vmbr0           detect         tcpflags,nosmurfs,routeback,dhcp

/etc/shorewall/masq
eth0                    10.10.42.0/24

/etc/shorewall/policy
(this will be DROP so I can lock it down tight once I get it all working right again)
#SOURCE  DEST    POLICY   LOG LEVEL
loc      net     ACCEPT
loc      $FW     ACCEPT
loc      loc     ACCEPT

$FW      net     ACCEPT
$FW      loc     ACCEPT
net      all     DROP     warn
# THE FOLLOWING POLICY MUST BE LAST
all      all     REJECT   info



--
Mark D. Montgomery II
http://www.techiem2.net
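An added diagnostic for the setup described in this post (it is not the poster's code and not part of Shorewall). It checks the kernel-level state behind the masq entry `eth0 10.10.42.0/24`: IPv4 forwarding, a MASQUERADE/SNAT rule for the LAN network, and the MTU of the outside interface against the bridge, since a symptom of "ping and logins work, full-size transfers stall" is what a too-small uplink MTU produces. The interface names and subnet come from the post; the helper names, file name and the assumption that `iptables -t nat -S` and `ip link` are available are mine.

```shell
#!/bin/sh
# nat-check.sh (assumed name): added diagnostic, not from the post or from
# Shorewall. Interface names eth0/vmbr0 and 10.10.42.0/24 are from the post.
# Helpers take command output as text so they can also run on saved output.

# forwarding_enabled "<contents of /proc/sys/net/ipv4/ip_forward>"
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d ' \t\n')" = 1 ]
}

# has_masq_rule "<iptables -t nat -S output>" SRC_NET
# True if any nat chain has "-s SRC_NET ... -j MASQUERADE|SNAT". Shorewall
# places the rule in a per-interface chain (e.g. eth0_masq), not POSTROUTING.
has_masq_rule() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /-j (MASQUERADE|SNAT)/ { for (i = 1; i < NF; i++) if ($i == "-s" && $(i+1) == net) found = 1 }
        END { exit found ? 0 : 1 }'
}

# mtu_from_ip_link "<output of ip link show dev IF>"  -> prints the MTU
mtu_from_ip_link() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "mtu") { print $(i+1); exit } }'
}

main() {
    rc=0
    if forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)"; then
        echo "ok:   net.ipv4.ip_forward=1"
    else
        echo "FAIL: net.ipv4.ip_forward is not 1; LAN traffic cannot be routed"; rc=1
    fi
    if has_masq_rule "$(iptables -t nat -S)" 10.10.42.0/24; then
        echo "ok:   MASQUERADE/SNAT rule present for 10.10.42.0/24"
    else
        echo "FAIL: no MASQUERADE/SNAT rule for 10.10.42.0/24 in the nat table"; rc=1
    fi
    out=$(mtu_from_ip_link "$(ip link show dev eth0)")
    lan=$(mtu_from_ip_link "$(ip link show dev vmbr0)")
    if [ "${out:-0}" -lt "${lan:-0}" ]; then
        echo "WARN: eth0 mtu $out < vmbr0 mtu $lan; small packets pass but full-size"
        echo "      segments can stall; consider MSS clamping on the net zone"; rc=1
    else
        echo "ok:   eth0 mtu ${out:-?} >= vmbr0 mtu ${lan:-?}"
    fi
    return $rc
}

# Live run (needs root for iptables): sh nat-check.sh --run
case "${1-}" in --run) main ;; esac
```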
