On 07/05/2017 01:57 AM, Vieri Di Paola via Shorewall-users wrote:
>
> ________________________________
> From: Tom Eastep <[email protected]>
>>
>> Okay -- let's try this:
>>
>> a) set LOG_BACKEND=LOG in shorewall.conf
>> b) shorewall reload
>> c) shorewall iptrace -s 172.16.0.1 -p icmp
>> d) Try the ping that fails from fw1
>> e) shorewall noiptrace -s 172.16.0.1 -p icmp
>> f) forward the part of the shorewall log that captures the time covered
>> by this test
>
> Note that LOG_BACKEND was already set to LOG. I did not have to change that.
>
> # grep LOG_BACKEND /etc/shorewall/shorewall.conf
> LOG_BACKEND=LOG
>
> I created the following script on "fw2" to do what you asked.
>
> # cat sw_trace.sh
> #!/bin/bash
> srcip=$1
> [ ${#srcip} -eq 0 ] && srcip=172.16.0.1
> locif=enp10s0
> echo '' > /var/log/shorewall/info.log
> shorewall reset
> shorewall reload
> shorewall iptrace -s $srcip -p icmp
> echo "Now start pinging from $srcip to 8.8.8.8 and press ENTER"
> read
> tcpdump -n -c 30 -i $locif icmp and host $srcip > ./tcpdump_$srcip
> sleep 2
> shorewall noiptrace -s $srcip -p icmp
> shorewall dump > ./swdump_$srcip
> cp /var/log/shorewall/info.log ./swtrace_$srcip
> gzip --best ./swtrace_$srcip
>
> I then realized that the trace dumps were incomplete, so I retrieved them
> from /var/log/messages with:
> grep "TRACE:" /var/log/messages
> I thought LOGFILE=/var/log/shorewall/info.log was enough in shorewall.conf,
> but this is the least of my problems right now. ;-)
> So I hope you don't mind if I send 2 trace files. One was taken from
> /var/log/shorewall/info.log, the other from /var/log/messages (according to
> timestamps).
>
> I'm attaching all the results in this and later posts (due to message size
> limits in the ML).
> I also did new shorewall dumps because of a few minor changes.
> Any *part* file name I attach should be rebuilt with:
> cat FILE.PART1 FILE.PART2 ... > FILE.gz
>
> I did 2 tests. One was from "fw1" at 172.16.0.1, the other was from a host in
> one of fw1's zones (IP addr. 10.215.144.7). Failing ping requests go to
> 8.8.8.8.
>
> The tcpdump tests show that both the host at 10.215.144.7 and fw1 can ping
> fw2 just fine. Trying to access the providers seems to be the issue here.
>
There are no SNAT/MASQUERADE rules being instantiated. Hence, reply packets
from 8.8.8.8 cannot be routed back to fw2.

What is the output of 'ls -l /etc/shorewall/snat'?

-Tom
-- 
Tom Eastep           \ Q: What do you get when you cross a mobster with
Shoreline,            \    an international standard?
Washington, USA       \ A: Someone who makes you an offer you can't
http://shorewall.org  \    understand
 \_______________________________________________
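Tom's diagnosis above is that nothing in the nat table rewrites the private source address, so 8.8.8.8 has no way to reach 172.16.0.1 with its echo reply. One way to confirm that from a rule dump instead of eyeballing `shorewall dump`, as an added example that is not code from this thread or from the Shorewall project: the script below parses output in `iptables-save -t nat` format and reports which SNAT/MASQUERADE rule, if any, would apply to a packet with a given source address leaving on a given interface. It follows jumps into user chains because Shorewall emits its masquerade rules in per-interface chains rather than directly in POSTROUTING. The two embedded dumps, the provider interface name `enp9s0`, the chain name `enp9s0_masq` and the address 203.0.113.10 are constructed for illustration and are not taken from the poster's setup.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Constructed sample in `iptables-save -t nat` format: the nat table of a box
# with no snat entries at all, which is what Tom's diagnosis describes.
SAMPLE_NAT_NO_SNAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
"""

# Constructed sample of the shape Shorewall produces once /etc/shorewall/snat
# has entries: POSTROUTING jumps to a per-interface chain that NATs. Interface,
# chain name and 203.0.113.10 are assumed values, not the poster's.
SAMPLE_NAT_WITH_SNAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:enp9s0_masq - [0:0]
-A POSTROUTING -o enp9s0 -j enp9s0_masq
-A enp9s0_masq -s 172.16.0.0/12 -j MASQUERADE
-A enp9s0_masq -s 10.0.0.0/8 -j SNAT --to-source 203.0.113.10
COMMIT
"""

RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)(?P<rest>.*)$")
SRC_RE = re.compile(r"(?P<neg>!\s+)?-s\s+(?P<net>\S+)")
OUT_RE = re.compile(r"(?P<neg>!\s+)?-o\s+(?P<iface>\S+)")
TGT_RE = re.compile(r"-j\s+(?P<target>\S+)(?:\s+--to-source\s+(?P<to>\S+))?")


def parse_nat_rules(dump: str) -> dict:
    """Map chain name -> ordered list of rules from an iptables-save nat table.
    Only the matches that decide source NAT are kept: -s, -o and the target."""
    chains: dict = {}
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # '*nat', ':CHAIN ...' declarations and COMMIT
        rest = m.group("rest")
        src, out, tgt = SRC_RE.search(rest), OUT_RE.search(rest), TGT_RE.search(rest)
        if not tgt:
            continue  # a rule without a target never NATs anything
        chains.setdefault(m.group("chain"), []).append({
            "src": ipaddress.ip_network(src.group("net"), strict=False) if src else None,
            "src_neg": bool(src and src.group("neg")),
            "out": out.group("iface") if out else None,
            "out_neg": bool(out and out.group("neg")),
            "target": tgt.group("target"),
            "to": tgt.group("to"),
        })
    return chains


def _matches(rule: dict, ip, out_if: str) -> bool:
    """True if the rule's -s / -o constraints (with optional '!') accept the packet."""
    if rule["src"] is not None and (ip in rule["src"]) == rule["src_neg"]:
        return False
    if rule["out"] is not None:
        pat = rule["out"]
        hit = out_if.startswith(pat[:-1]) if pat.endswith("+") else out_if == pat
        if hit == rule["out_neg"]:
            return False
    return True


def _walk(chains: dict, chain: str, ip, out_if: str, depth: int) -> Tuple[bool, Optional[str]]:
    """Traverse one chain. Returns (terminal, verdict): terminal means the nat
    decision is final; a non-terminal result hands control back to the caller."""
    if depth > 16:
        return True, None  # guard against a looped chain graph in a hand-edited dump
    for rule in chains.get(chain, []):
        if not _matches(rule, ip, out_if):
            continue
        t = rule["target"]
        if t == "MASQUERADE":
            return True, "MASQUERADE"
        if t == "SNAT":
            return True, f"SNAT --to-source {rule['to']}"
        if t == "ACCEPT":
            return True, None   # explicit 'no NAT' for this packet
        if t == "RETURN":
            return False, None  # back to the calling chain
        if t in chains:         # jump into a user chain such as Shorewall's <if>_masq
            terminal, verdict = _walk(chains, t, ip, out_if, depth + 1)
            if terminal:
                return terminal, verdict
    return False, None


def find_snat(chains: dict, src_ip: str, out_if: str) -> Optional[str]:
    """Return the SNAT/MASQUERADE verdict for src_ip leaving on out_if, or None
    when the packet would leave with its original (here: private) source."""
    return _walk(chains, "POSTROUTING", ipaddress.ip_address(src_ip), out_if, 0)[1]


def check(dump: str, src_ip: str, out_if: str) -> str:
    """One-line verdict, the check Tom's question about /etc/shorewall/snat implies."""
    verdict = find_snat(parse_nat_rules(dump), src_ip, out_if)
    if verdict is None:
        return f"{src_ip} leaves {out_if} un-NATed: Internet replies cannot come back"
    return f"{src_ip} leaves {out_if} via {verdict}"


if __name__ == "__main__":
    print(check(SAMPLE_NAT_NO_SNAT, "172.16.0.1", "enp9s0"))
    print(check(SAMPLE_NAT_WITH_SNAT, "172.16.0.1", "enp9s0"))
    print(check(SAMPLE_NAT_WITH_SNAT, "10.215.144.7", "enp9s0"))
```

On the real fw2 the input would be `iptables-save -t nat` (or `ip6tables-save -t nat`), run against each provider interface in turn. The second sample is the rule shape one would expect after adding a line such as `MASQUERADE 172.16.0.0/12 enp9s0` (ACTION, SOURCE, DEST columns) to /etc/shorewall/snat; the exact chain names Shorewall generates may differ from the assumed `enp9s0_masq`, which is why the walker follows jumps generically instead of looking for a particular name.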
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
