On 07/03/2017 08:34 AM, Tom Eastep wrote:
> On 07/03/2017 12:32 AM, Vieri Di Paola via Shorewall-users wrote:
>>
>> From: Tom Eastep <[email protected]>
>>
>>> You have failed to enable IP forwarding on fw2.
>>
>> Sorry, my mistake. However, I'm still getting the same results after
>> setting up IP forwarding (no ICMP replies). I'm attaching 2 shorewall
>> dumps taken on the same shorewall system ("fw2" in my case). During
>> the first dump, I'm trying to ping to 8.8.8.8 from "fw1" with IP
>> addr. 172.168.0.1/10.215.144.91. During the second dump (swdump_7),
>> I'm trying to ping to 8.8.8.8 from 10.215.144.7 (a host's IP addr.
>> behind "fw1").
>>
>> I'm still seeing echo requests with tcpdump on "fw2" but no replies.
>
> Sorry, but I'm not going to have time to look at these today. I'll try
> to get to them tomorrow.
>
But a quick look through the dump shows:
Chain loc-net1 (1 references)
 pkts bytes target prot opt in out source destination
...
    0     0 ACCEPT icmp -- * * 10.215.0.2 0.0.0.0/0 icmptype 8 /* Ping */
...
    0     0 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc-net2 (1 references)
 pkts bytes target prot opt in out source destination
...
    1    84 ACCEPT icmp -- * * 10.215.144.7 192.168.100.1 icmptype 8 /* Ping */
    0     0 ACCEPT icmp -- * * 10.215.145.10 192.168.100.1 icmptype 8 /* Ping */
    0     0 ACCEPT icmp -- * * 10.215.144.48 192.168.100.1 icmptype 8 /* Ping */
...
    1    65 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
    1    65 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc-net3 (1 references)
 pkts bytes target prot opt in out source destination
...
    0     0 ACCEPT icmp -- * * 192.168.210.0/23 0.0.0.0/0 icmptype 8 -m geoip --destination-country AD,AT,AU,BE,CH,DE,DK,EU,FI,FR,GB,GR,IE,IS,US /* Ping */
    0     0 ACCEPT icmp -- * * 192.168.212.0/24 0.0.0.0/0 icmptype 8 -m geoip --destination-country AD,AT,AU,BE,CH,DE,DK,EU,FI,FR,GB,GR,IE,IS,US /* Ping */
    0     0 ACCEPT icmp -- * * 192.168.210.0/23 0.0.0.0/0 icmptype 8 -m geoip --destination-country NL,NO,NZ,PT,SE,CA,ES,IT /* Ping */
    0     0 ACCEPT icmp -- * * 192.168.212.0/24 0.0.0.0/0 icmptype 8 -m geoip --destination-country NL,NO,NZ,PT,SE,CA,ES,IT /* Ping */
    0     0 ACCEPT icmp -- * * 192.168.210.0/23 0.0.0.0/0 icmptype 8 match-set OUT_WL dst /* Ping */
    0     0 ACCEPT icmp -- * * 192.168.210.0/23 0.0.0.0/0 icmptype 8 match-set OUT_MANUAL_WL dst /* Ping */
    0     0 ACCEPT icmp -- * * 192.168.210.0/23 0.0.0.0/0 icmptype 8 match-set OUT_XTRA_WL dst /* Ping */
    0     0 ACCEPT icmp -- * * 192.168.212.0/24 0.0.0.0/0 icmptype 8 match-set OUT_WL dst /* Ping */
    0     0 ACCEPT icmp -- * * 192.168.212.0/24 0.0.0.0/0 icmptype 8 match-set OUT_MANUAL_WL dst /* Ping */
    0     0 ACCEPT icmp -- * * 192.168.212.0/24 0.0.0.0/0 icmptype 8 match-set OUT_XTRA_WL dst /* Ping */
...
    1    84 ACCEPT icmp -- * * 10.215.144.7 192.168.101.1 icmptype 8 /* Ping */
    0     0 ACCEPT icmp -- * * 10.215.145.10 192.168.101.1 icmptype 8 /* Ping */
    0     0 ACCEPT icmp -- * * 10.215.144.48 192.168.101.1 icmptype 8 /* Ping */
...
    7   489 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
    7   489 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc-net4 (1 references)
 pkts bytes target prot opt in out source destination
...
    0     0 ACCEPT icmp -- * * 10.215.144.7 192.168.102.1 icmptype 8 /* Ping */
    0     0 ACCEPT icmp -- * * 10.215.145.10 192.168.102.1 icmptype 8 /* Ping */
    0     0 ACCEPT icmp -- * * 10.215.144.48 192.168.102.1 icmptype 8 /* Ping */
...
    0     0 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Doesn't look to me as though any of those rules would match the pings
that don't work. And there are packets being silently dropped because
you have not specified any logging for your loc->net* policies.
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
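The check Tom does by eye on the chains above (does any rule match the failing ping, and does it reach a logged DROP?) can be done mechanically. The following is an added example, not code from the thread or from Shorewall: it parses a chain listing with the wrapped lines rejoined and walks it in rule order for a given packet. It assumes the `Broadcast` helper chain returns for unicast traffic, treats LOG-type targets as non-terminal, and reports geoip/ipset rules as undecidable offline rather than guessing.

```python
import ipaddress
import re

# Constructed excerpt of the loc-net3 chain quoted above, one rule per line as `shorewall dump` prints it.
LOC_NET3 = """\
Chain loc-net3 (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT icmp -- * * 192.168.210.0/23 0.0.0.0/0 icmptype 8 -m geoip --destination-country AD,AT,US /* Ping */
    1    84 ACCEPT icmp -- * * 10.215.144.7 192.168.101.1 icmptype 8 /* Ping */
    0     0 ACCEPT icmp -- * * 10.215.145.10 192.168.101.1 icmptype 8 /* Ping */
    7   489 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
    7   489 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""

# Columns: pkts bytes target prot opt in out source destination [extra matches]
RULE_RE = re.compile(r"^\s*\d+\s+\d+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")
LOG_TARGETS = {"LOG", "NFLOG", "ULOG"}  # non-terminal: the packet continues down the chain
NON_TERMINAL = {"Broadcast"}            # Shorewall helper chain; assumed to return for unicast

def parse_chain(text):
    """Parse one chain of an `iptables -nv -L` style listing into rule dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # "Chain ..." line or column header
        target, proto, src, dst, extra = m.groups()
        t = re.search(r"icmptype (\d+)", extra)
        rules.append({"target": target, "proto": proto, "extra": extra,
                      "src": ipaddress.ip_network(src, strict=False),
                      "dst": ipaddress.ip_network(dst, strict=False),
                      "icmptype": int(t.group(1)) if t else None})
    return rules

def first_match(rules, src, dst, proto="icmp", icmptype=8):
    """Walk the chain in order; return (verdict, rule index, whether a LOG rule saw the packet)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    logged = False
    for i, r in enumerate(rules):
        if r["proto"] not in ("all", proto) or s not in r["src"] or d not in r["dst"]:
            continue
        if r["icmptype"] is not None and r["icmptype"] != icmptype:
            continue
        if r["target"] in LOG_TARGETS or r["target"] in NON_TERMINAL:
            logged = logged or r["target"] in LOG_TARGETS
            continue
        if re.search(r"-m geoip|match-set", r["extra"]):
            return "CONDITIONAL", i, logged  # needs geoip/ipset data we do not have offline
        return r["target"], i, logged
    return "POLICY", None, logged  # fell off the end of the chain
```

For the failing ping from the thread, `first_match(parse_chain(LOC_NET3), "10.215.144.7", "8.8.8.8")` returns `('DROP', 4, False)`: the only rule it hits is the unlogged policy DROP, which is exactly why nothing shows up in the log.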
