Check tcpdump while the command "ping -c1 -I 172.16.1.10
google-public-dns-a.google.com" is being run. You'll see that
google-public-dns-a.google.com is receiving an ICMP request from
172.16.1.10. The problem is 172.16.1.10 belongs to a private network, so
Google doesn't know how to route back to you.

It's hard to say what you're testing for and what you're trying to
accomplish, but if you add a rule to masquerade you'll get the results
you're expecting from your test.

Add to /etc/shorewall/masq:

# /etc/shorewall/masq
eth0 172.16.1.10

On Sun, Aug 3, 2014 at 9:44 PM, Dale Greenway <[email protected]> wrote:
> Hello.
>
> I'm installing Shorewall on my hosted server.
>
> I'm doing stuff step by step so I can understand what does what. I have
> some trouble with Pings coming from private IP aliases.
>
> The server has 2 IPs on its one interface
>
> eth0
> X.15.9.149
> 172.16.1.10
>
> The shorewall config that matters is
>
> /etc/shorewall/interfaces
> net eth0 tcpflags,nosmurfs,logmartians=1,routefilter=1,sourceroute=0
>
> /etc/shorewall/zones
> fw firewall
> net ipv4
>
> /etc/shorewall/rules
> ...
> Ping(ACCEPT) $FW net
> ...
>
> When I do a
>
> ping google-public-dns-a.google.com
>
> it works and you can see the ICMP traffic in both directions
>
> tcpdump -i eth0 | grep google-public-dns-a.google.com
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 21:08:33.138416 IP my.fqdn.me > google-public-dns-a.google.com: ICMP echo request, id 9539, seq 1, length 64
> 21:08:33.160647 IP google-public-dns-a.google.com > my.fqdn.me: ICMP echo reply, id 9539, seq 1, length 64
>
>
> When I bind the ping to the internal IP address
>
> ping -c1 -I 172.16.1.10 google-public-dns-a.google.com
>
> it times out. And you only see ICMP traffic in one direction
>
> tcpdump -i eth0 | grep google-public-dns-a.google.com
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 21:10:41.011189 IP 172.16.1.10 > google-public-dns-a.google.com: ICMP echo request, id 9556, seq 1, length 64
>
> I thought since 172.16.1.10 is on the firewall this should work too.
>
> I guess I need another rule or masq or nat, right? I'm kind of unclear
> about the right options in the interface's options too. What do I need to
> change to make the
>
> ping -c1 -I 172.16.1.10 google-public-dns-a.google.com
>
> work right?
>
> Dale Greenway
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
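
A check for the symptom discussed in this thread, as an added example that is not part of either poster's message: it pairs ICMP echo requests with replies in `tcpdump -n` output and reports requests that left with an RFC 1918 source address and never got a reply. The capture below is constructed; 203.0.113.5 is a placeholder for the server's public address, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed capture in `tcpdump -n` format; not taken from the poster's host.
# 203.0.113.5 is a placeholder for the server's public address.
SAMPLE = """\
21:08:33.138416 IP 203.0.113.5 > 8.8.8.8: ICMP echo request, id 9539, seq 1, length 64
21:08:33.160647 IP 8.8.8.8 > 203.0.113.5: ICMP echo reply, id 9539, seq 1, length 64
21:10:41.011189 IP 172.16.1.10 > 8.8.8.8: ICMP echo request, id 9556, seq 1, length 64
"""

# Explicit RFC 1918 ranges. ipaddress's is_private is broader (it also covers
# documentation and loopback ranges), so it is not used here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>[^:\s]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def is_rfc1918(addr):
    """True only for literal IPv4 addresses inside RFC 1918 space."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # a hostname: tcpdump was run without -n
        return False
    return any(ip in net for net in RFC1918)


def unanswered_private_pings(capture):
    """Return (src, dst, id, seq) for echo requests sent from an RFC 1918
    source that have no matching echo reply in the capture."""
    pending = {}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        ident = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            pending[(m["src"], m["dst"]) + ident] = True
        else:  # a reply travels from the request's dst back to its src
            pending.pop((m["dst"], m["src"]) + ident, None)
    return [key for key in pending if is_rfc1918(key[0])]


if __name__ == "__main__":
    for src, dst, icmp_id, seq in unanswered_private_pings(SAMPLE):
        print(f"no reply: {src} -> {dst} id={icmp_id} seq={seq} (source not masqueraded)")
```

With the masq entry in place, the request should appear on eth0 with the public source address and this check should report nothing.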