On 04/30/2013 01:48 PM, Ernesto Domato wrote:
> On Mon, Apr 29, 2013 at 2:29 PM, Ernesto Domato <[email protected]> wrote:
>> On the other hand, the test that I did today is to save the IPTABLES
>> rules created by Shorewall to a file with "iptables-save >
>> shorewall.rules". Then, I configured the machine to not start
>> Shorewall at startup and rebooted. When the machine came up, I did
>> "iptables-restore < shorewall.rules" and then configured the routing
>> table to route the packets to the proxy and just turned on the
>> ip_forward kernel flag, and the transparent proxy worked as expected.
>>
>> So, I think that the problem that I'm having is maybe in some kernel
>> parameter that Shorewall changes.
>>
>> What do you suggest?
>>
>
> Ok, I'm still trying to solve my problem :-)
>
> The firewall machine has these interfaces:
>
> eth0 -> link to the internet
> eth1 -> link to the local network
> ovsbr0 -> OpenVSwitch connected to virtual machines (the Squid proxy server)
>
> Now, when I apply the full Shorewall rules (through "shorewall start")
> and do a tcpdump on eth1 and ovsbr0 I see SYN packets going through
> ovsbr0 and SYN reply packets coming back. But on eth1 I just see
> the SYN packet going in just one direction (the remote one that is
> routed by policy routing to the proxy machine) and not back to eth1 so
> it can reach the machine that made the request.
>
> When I apply the Shorewall iptables rules only and configure IP
> forwarding and policy routing to the proxy by hand, everything works
> fine.
>
> So, I still think that the problem is in some configuration on the
> firewall itself, more likely in the kernel parameters.
>
> Any help?
Please capture the output of 'shorewall dump' when it is working (by hand
configuration) and when it is not working (shorewall start) and forward both.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
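The thread compares two states of the same firewall: the "by hand" configuration (iptables-restore of the saved Shorewall rule set, ip_forward on, policy routing to the proxy) where the proxied path works, and the "shorewall start" configuration where replies never reach eth1, with the poster suspecting a kernel parameter. The script below is an added example, not code from the thread, from Shorewall or from Tom Eastep: it reproduces the manual setup as a function, snapshots the kernel parameters and routing state that decide whether a forwarded, policy-routed reply can go back out eth1, and diffs two snapshots so the difference between the two states is visible at a glance. The interface names eth0, eth1 and ovsbr0 are the ones given in the thread; the proxy address, the routing table number and the use of an fwmark to select it are assumptions, since the thread does not say how the policy routing was configured. The apply and snapshot functions need root on the firewall; the diff function is plain text processing and runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread, Shorewall, or Tom Eastep).
# Captures forwarding/policy-routing state in the "by hand" and the
# "shorewall start" configurations and prints what differs.
#
# eth0/eth1/ovsbr0 are the interfaces named in the thread. PROXY_IP,
# PROXY_TABLE and PROXY_MARK are assumptions for illustration.

PROXY_IP="${PROXY_IP:-192.168.100.2}"   # assumed: Squid VM reachable via ovsbr0
PROXY_TABLE="${PROXY_TABLE:-100}"       # assumed: routing table used for the proxy
PROXY_MARK="${PROXY_MARK:-1}"           # assumed: fwmark that selects that table

# The manual setup the poster describes: restore the saved Shorewall rule
# set, enable forwarding, and policy-route LAN port-80 traffic to the proxy.
# Marking with fwmark is an assumption (the thread does not say how the
# routing was set up). Root only; the tests never call this.
apply_by_hand() {
    rules_file="$1"
    iptables-restore < "$rules_file"
    sysctl -w net.ipv4.ip_forward=1
    iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 \
        -j MARK --set-mark "$PROXY_MARK"
    ip rule add fwmark "$PROXY_MARK" lookup "$PROXY_TABLE"
    ip route replace default via "$PROXY_IP" dev ovsbr0 table "$PROXY_TABLE"
}

# Write "key = value" lines for the state that matters on a forwarded,
# policy-routed path: forwarding, reverse-path filtering on every
# interface the packet crosses, the rule list and the routing tables.
# Run once in each configuration (root only; the tests never call this).
snapshot_state() {
    out="$1"
    {
        sysctl net.ipv4.ip_forward \
               net.ipv4.conf.all.rp_filter \
               net.ipv4.conf.eth0.rp_filter \
               net.ipv4.conf.eth1.rp_filter \
               net.ipv4.conf.ovsbr0.rp_filter
        echo "ip.rule = $(ip rule show | tr '\n' ';')"
        echo "ip.route.main = $(ip route show | tr '\n' ';')"
        echo "ip.route.table.$PROXY_TABLE = $(ip route show table "$PROXY_TABLE" | tr '\n' ';')"
    } > "$out"
}

# Compare two snapshot files and print one line per differing key as
# "key: value_in_first -> value_in_second". Prints nothing when equal.
diff_params() {
    awk -F' = ' '
        NR == FNR { a[$1] = $2; next }
        {
            seen[$1] = 1
            if (!($1 in a))       print $1 ": <missing in first> -> " $2
            else if (a[$1] != $2) print $1 ": " a[$1] " -> " $2
        }
        END {
            for (k in a) if (!(k in seen)) print k ": " a[k] " -> <missing in second>"
        }
    ' "$1" "$2"
}

# Usage:
#   ./fwstate.sh apply shorewall.rules     # the by-hand configuration
#   ./fwstate.sh snapshot by-hand.txt      # ... then snapshot it
#   shorewall start; ./fwstate.sh snapshot shorewall.txt
#   ./fwstate.sh diff by-hand.txt shorewall.txt
case "${1:-}" in
    apply)    apply_by_hand "$2" ;;
    snapshot) snapshot_state "$2" ;;
    diff)     diff_params "$2" "$3" ;;
    "")       ;;   # no arguments: functions are defined, nothing runs
    *)        echo "usage: $0 apply RULES | snapshot OUT | diff A B" >&2 ;;
esac
```

The diff is deliberately limited to parameters and routes so that a single changed rp_filter value, a missing ip rule, or a proxy table that did not survive "shorewall start" shows up as one line; it does not replace the full 'shorewall dump' Tom asked for, which also carries the netfilter rule set and counters.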
