On 07/05/2017 07:58 AM, Tom Eastep wrote:
> On 07/05/2017 01:57 AM, Vieri Di Paola via Shorewall-users wrote:
>>
>> ________________________________
>> From: Tom Eastep <[email protected]>
>>>
>>> Okay -- let's try this:
>>>
>>> a) set LOG_BACKEND=LOG in shorewall.conf
>>> b) shorewall reload
>>> c) shorewall iptrace -s 172.16.0.1 -p icmp
>>> d) Try the ping that fails from fw1
>>> e) shorewall noiptrace -s 172.16.0.1 -p icmp
>>> f) forward the part of the shorewall log that captures the time covered
>>> by this test
>>
>> Note that LOG_BACKEND was already set to LOG. I did not have to change that.
>>
>> # grep LOG_BACKEND /etc/shorewall/shorewall.conf
>> LOG_BACKEND=LOG
>>
>> I created the following script on "fw2" to do what you asked.
>>
>> # cat sw_trace.sh
>> #!/bin/bash
>> srcip=$1
>> [ ${#srcip} -eq 0 ] && srcip=172.16.0.1
>> locif=enp10s0
>> echo '' > /var/log/shorewall/info.log
>> shorewall reset
>> shorewall reload
>> shorewall iptrace -s $srcip -p icmp
>> echo "Now start pinging from $srcip to 8.8.8.8 and press ENTER"
>> read
>> tcpdump -n -c 30 -i $locif icmp and host $srcip > ./tcpdump_$srcip
>> sleep 2
>> shorewall noiptrace -s $srcip -p icmp
>> shorewall dump > ./swdump_$srcip
>> cp /var/log/shorewall/info.log ./swtrace_$srcip
>> gzip --best ./swtrace_$srcip
>>
>> I then realized that the trace dumps were incomplete, so I retrieved them
>> from /var/log/messages with:
>> grep "TRACE:" /var/log/messages
>> I thought LOGFILE=/var/log/shorewall/info.log was enough in shorewall.conf,
>> but this is the least of my problems right now. ;-)
>> So I hope you don't mind if I send 2 trace files. One was taken from
>> /var/log/shorewall/info.log, the other from /var/log/messages (according to
>> timestamps).
>>
>> I'm attaching all the results in this and later posts (due to message size
>> limits in the ML).
>> I also did new shorewall dumps because of a few minor changes.
>> Any *part* file name I attach should be rebuilt with:
>> cat FILE.PART1 FILE.PART2 ... > FILE.gz
>>
>> I did 2 tests. One was from "fw1" at 172.16.0.1, the other was from a host
>> in one of fw1's zones (IP addr. 10.215.144.7). Failing ping requests go to
>> 8.8.8.8.
>>
>> The tcpdump tests show that both the host at 10.215.144.7 and fw1 can ping
>> fw2 just fine. Trying to access the providers seems to be the issue here.
>>
>
> There are no SNAT/MASQUERADE rules being instantiated. Hence, reply
> packets from 8.8.8.8 cannot be routed back to fw2. What is the output
> of 'ls -l /etc/shorewall/snat'?
>
I am going to be away from home for the day so I need you to gather some
data while I'm away.

I see that you are using interface names as the SOURCE in your
masquerade/snat rules. That has been deprecated for years (and generates
warnings during compilation).

Please send me (privately), your /var/lib/shorewall/firewall file.

Also, please:

sh -x /var/lib/shorewall/firewall reload > trace 2>&1

and send me the 'trace' file.

Finally, include the output of 'ip route ls dev enp10s0'

Thanks,
-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
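Added example, not code from the thread or from Shorewall: a small checker that reads `iptables-save -t nat` style output (the same rules `shorewall dump` shows) and reports whether any POSTROUTING SNAT/MASQUERADE rule covers a client network leaving through the egress interface, which is the condition Tom found missing for fw2. Both sample tables are constructed; the interface and network values reuse the ones discussed in the thread.

```python
import ipaddress
import re

# Constructed samples in `iptables-save -t nat` format (not fw2's real dump): the first has
# no SNAT/MASQUERADE in POSTROUTING, as diagnosed above; the second masquerades 10.215.144.0/24 via enp10s0.
NAT_MISSING = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp10s0 -j LOG --log-prefix "TRACE:"
COMMIT
"""
NAT_OK = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.215.144.0/24 -o enp10s0 -j MASQUERADE
COMMIT
"""

def postrouting_snat_rules(dump):
    """Return (target, out_iface, source) for each nat/POSTROUTING SNAT or MASQUERADE rule."""
    rules, in_nat = [], False
    for line in dump.splitlines():
        if line.startswith("*"):                    # table header: *nat, *filter, ...
            in_nat = line.strip() == "*nat"
            continue
        if not in_nat or not line.startswith("-A POSTROUTING "):
            continue
        target = re.search(r"-j (SNAT|MASQUERADE)\b", line)
        if not target or " ! -s " in line:          # other targets / negated sources
            continue
        out = re.search(r"\s-o (\S+)", line)
        src = re.search(r"\s-s (\S+)", line)
        rules.append((target.group(1), out and out.group(1), src and src.group(1)))
    return rules

def iface_matches(pattern, iface):
    """iptables -o semantics: absent means any; a trailing '+' is a prefix wildcard."""
    if pattern is None:
        return True
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface

def snat_covers(dump, egress_iface, client):
    """True if a SNAT/MASQUERADE rule applies to `client` when it leaves via `egress_iface`."""
    net = ipaddress.ip_network(client)          # a bare host address becomes a /32
    for _target, out_iface, source in postrouting_snat_rules(dump):
        if not iface_matches(out_iface, egress_iface):
            continue
        if source is None or net.subnet_of(ipaddress.ip_network(source)):
            return True
    return False
```

With the real table, a False result for a zone that can reach fw2 but not the provider is the same symptom as the missing-SNAT diagnosis above: replies to the private source address have no route back.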
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
