On 5/1/2014 3:48 PM, Michael Kress wrote:
> On 01.05.2014 21:26, Tom Eastep wrote:
>> Please forward the output of 'shorewall dump' collected as described at
>> http://www.shorewall.net/support.htm#Guidelines
>>
>>
>
> Hi, forgot to mention the mangles file:
> #ACTION SOURCE DEST
> 2:P 0.0.0.0/0
> 2 $FW
>
> I've derived that from the FAQ #58
>
> As a test case I've started a ping from 192.168.0.11 to heise.de
> (193.99.144.80) :
> root@halgw:/root [0] > tcpdump -i eth0 -vvnnt icmp
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
> 192.168.0.11 > 193.99.144.80: ICMP echo request, id 49159, seq 1, length 64
> IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
> 192.168.0.11 > 193.99.144.80: ICMP echo request, id 49159, seq 2, length 64
> IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
> 192.168.0.11 > 193.99.144.80: ICMP echo request, id 49159, seq 3, length 64
> IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
> 192.168.0.11 > 193.99.144.80: ICMP echo request, id 49159, seq 4, length 64
> ^C
> 4 packets captured
> 4 packets received by filter
> 0 packets dropped by kernel
> root@halgw:/root [0] > tcpdump -i eth1 -vvnnt icmp
> tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> ^C
> 0 packets captured
> 0 packets received by filter
> 0 packets dropped by kernel
> root@halgw:/root [0] > tcpdump -i tun1 -vvnnt icmp
> tcpdump: listening on tun1, link-type RAW (Raw IP), capture size 65535 bytes
> IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
> 192.168.0.11 > 193.99.144.80: ICMP echo request, id 49415, seq 12, length 64
> IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
> 192.168.0.11 > 193.99.144.80: ICMP echo request, id 49415, seq 13, length 64
> IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
> 192.168.0.11 > 193.99.144.80: ICMP echo request, id 49415, seq 14, length 64
> ^C
> 3 packets captured
> 3 packets received by filter
> 0 packets dropped by kernel
>
>
> ==> Here we see that the reply doesn't get replied back and goes out the
> wrong device (tun1 instead of eth1).
>
>
> and btw from 192.168.0.11 I am able to ping the gateway:
> [email protected]:/root [1] > ping 192.168.2.1
> PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
> 64 bytes from 192.168.2.1: icmp_seq=1 ttl=63 time=1.37 ms
> 64 bytes from 192.168.2.1: icmp_seq=2 ttl=63 time=1.49 ms
> ^C
> --- 192.168.2.1 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1438ms
> rtt min/avg/max/mdev = 1.376/1.433/1.491/0.068 ms
> [email protected]:/root [0] > route -n
> Kernel IP Routentabelle
> Ziel            Router          Genmask         Flags Metric Ref    Use Iface
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
> 0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
>
>
> The dump:

Please send it as a compressed attachment. Embedding it in the message
makes it unreadable due to folding by your mailer.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
