Bill

  Made the changes you suggested but still not working.  I ran the ip command and attached a file of the output.

Thanks
Jim

These were trying to ping 205.171.3.65:

Dec 12 06:43:21 nub kernel: IPv4: martian source 192.168.1.2 from 192.168.1.1, on dev enp4s0
Dec 12 06:43:21 nub kernel: ll header: 00000000: 00 18 f8 0c 9e a6 b4 75 0e 39 a6 c4 08 06        .......u.9....
Dec 12 06:43:22 nub kernel: IPv4: martian source 192.168.1.2 from 192.168.1.1, on dev enp4s0
Dec 12 06:43:22 nub kernel: ll header: 00000000: 00 18 f8 0c 9e a6 b4 75 0e 39 a6 c4 08 06        .......u.9....
Dec 12 06:43:44 nub kernel: IPv4: martian source 192.168.1.2 from 192.168.1.1, on dev enp4s0
Dec 12 06:43:44 nub kernel: ll header: 00000000: ff ff ff ff ff ff b4 75 0e 39 a6 c4 08 06        .......u.9....
Dec 12 06:43:45 nub kernel: IPv4: martian source 192.168.1.2 from 192.168.1.1, on dev enp4s0
Dec 12 06:43:45 nub kernel: ll header: 00000000: ff ff ff ff ff ff b4 75 0e 39 a6 c4 08 06        .......u.9....
Dec 12 06:43:46 nub kernel: IPv4: martian source 192.168.1.2 from 192.168.1.1, on dev enp4s0
Dec 12 06:43:46 nub kernel: ll header: 00000000: ff ff ff ff ff ff b4 75 0e 39 a6 c4 08 06        .......u.9....
Dec 12 06:43:48 nub kernel: IPv4: martian source 192.168.1.2 from 192.168.1.1, on dev enp4s0
Dec 12 06:43:48 nub kernel: ll header: 00000000: ff ff ff ff ff ff b4 75 0e 39 a6 c4 08 06        .......u.9....
Dec 12 06:43:49 nub kernel: IPv4: martian source 192.168.1.2 from 192.168.1.1, on dev enp4s0
Dec 12 06:43:49 nub kernel: ll header: 00000000: ff ff ff ff ff ff b4 75 0e 39 a6 c4 08 06        .......u.9....
Dec 12 06:43:50 nub kernel: IPv4: martian source 192.168.1.2 from 192.168.1.1, on dev enp4s0
Dec 12 06:43:50 nub kernel: ll header: 00000000: ff ff ff ff ff ff b4 75 0e 39 a6 c4 08 06        .......u.9....
Dec 12 06:44:19 nub kernel: IPv4: martian source 192.168.1.2 from 192.168.1.1, on dev enp4s0
Dec 12 06:44:19 nub kernel: ll header: 00000000: 00 18 f8 0c 9e a6 b4 75 0e 39 a6 c4 08 00        .......u.9....

The firewall can ping that address but not the LAN.

ip -o -4 addr
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: enp3s0    inet 192.168.2.1/24 brd 192.168.2.255 scope global enp3s0\       valid_lft forever preferred_lft forever
3: enp4s0    inet 192.168.1.2/24 brd 192.168.1.255 scope global enp4s0\       valid_lft forever preferred_lft forever
4: virbr0    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0\       valid_lft forever preferred_lft forever


ip -o -4 route
default via 192.168.1.1 dev enp4s0 proto static metric 100 
default via 192.168.1.1 dev enp3s0 proto static metric 101 
192.168.1.0/24 dev enp4s0 proto kernel scope link src 192.168.1.2 metric 100 
192.168.1.1 dev enp3s0 proto static scope link metric 100 
192.168.2.0/24 dev enp3s0 proto kernel scope link src 192.168.2.1 metric 100 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1



Policy
###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

fw              all             ACCEPT
lan             fw              ACCEPT
lan             wan             ACCEPT
wan             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info


Snat
 USER    SWITCH  ORIGDEST        PROBABILITY
#
# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
#
#SNAT                   10.0.0.0/8,\
MASQUERADE              10.0.0.0/16,\
                        169.254.0.0/16,\
                        172.16.0.0/12,\
                        192.168.0.0/8           enp4s0



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users