On 1/30/2018 1:34 PM, Bernard Drozd wrote:
>> It refers here to your wan interface.
>> Is your wan interface configured by dhcp (does it get a dynamic IP)?
> No. My wan interface has static 192.168.15.145 address (which is seen
> from outside/internet as public 46.xxx.xxx.xxx address).
> So I've changed content of /etc/shorewall/snat to:
> SNAT(192.168.15.145) 10.10.10.0/24 enp1s0

Then SNAT is correct in that case.

> but still cannot connect to the Internet from LAN.
>
>> Clearly your two-interface setup is not working. So I will ignore the
>> wireless part of this question.
> Ok. I removed wifi configuration from /etc/shorewall files
>> What is the content of the following files?:
>> /etc/shorewall/zones
> fw firewall
> net ipv4
> loc ipv4
>> /etc/shorewall/interfaces
> ?FORMAT 1
> ###############################################################################
> #ZONE INTERFACE BROADCAST OPTIONS
> net enp1s0 detect tcpflags,logmartians,nosmurfs
> loc enp3s0f1 detect dhcp
>> /etc/shorewall/policy
> loc net ACCEPT
> $FW net ACCEPT
> net all DROP info
> # THE FOLLOWING POLICY MUST BE LAST
> all all REJECT info
>> /etc/shorewall/rules
> # PORT PORT(S) DEST LIMIT GROUP
>
> ?SECTION ALL
> ?SECTION ESTABLISHED
> ?SECTION RELATED
> ?SECTION INVALID
> ?SECTION UNTRACKED
> ?SECTION NEW
>
> # Don't allow connection pickup from the net
> #
> Invalid(DROP) net all tcp
> #
> # Accept DNS connections from the firewall to the network
> #
> DNS(ACCEPT) $FW net

This is superfluous given your policy '$FW net ACCEPT'.

> #
> # Accept SSH connections from the local network for administration
> #
> SSH(ACCEPT) loc $FW
> #
> # Allow Ping from the local network
> #
> Ping(ACCEPT) loc $FW
>
> #
> # Drop Ping from the "bad" net zone.. and prevent your log from being
> # flooded..
> #
>
> Ping(DROP) net $FW
>
> ACCEPT $FW loc icmp
> ACCEPT $FW net icmp
> #
> #
> ACCEPT net $FW tcp 6535
> ACCEPT net $FW udp 6534
> ACCEPT net $FW tcp 22

From: http://shorewall.org/manpages/shorewall-rules.html

"Warning
If you masquerade or use SNAT from a local system to the internet, you cannot use an ACCEPT rule to allow traffic from the internet to that system. You must use a DNAT rule instead."

EG:
DNAT net $FW tcp 22

>> /etc/shorewall/stoppedrules
> ACCEPT enp3s0f1 -
> ACCEPT - enp3s0f1

I assume that no other firewalls are started.

-Matt
--
Matt Darfeuille

Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
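The manpage warning quoted in the reply above is easy to violate when an ACCEPT rule points at a LAN host that the snat file already translates. Below is an added example, not code from the thread or from the Shorewall project, of a small lint that reads the contents of the snat and rules files and reports ACCEPT rules from the net zone whose destination is a host inside an SNAT/MASQUERADE source network; those are the rules the manpage says must be DNAT instead. The file contents embedded in it are constructed for the example (the snat line is modelled on the thread; 10.10.10.5 is a hypothetical LAN host), and it covers only the first five rule columns and IPv4 destinations written as zone:address.

```python
"""Lint Shorewall 'snat' + 'rules' contents for ACCEPT rules that need DNAT.

Added example for the manpage warning quoted in the thread; not Shorewall code.
Sample file contents below are constructed, not taken from the original post.
"""
import ipaddress
import re

# Constructed sample of /etc/shorewall/snat, modelled on the thread.
SAMPLE_SNAT = """\
#ACTION                 SOURCE          DEST
SNAT(192.168.15.145)    10.10.10.0/24   enp1s0
"""

# Constructed sample of /etc/shorewall/rules; 10.10.10.5 is a hypothetical LAN host.
SAMPLE_RULES = """\
?SECTION NEW
Invalid(DROP)   net     all             tcp
SSH(ACCEPT)     loc     $FW
Ping(DROP)      net     $FW
ACCEPT          net     $FW             tcp     22
ACCEPT          net     loc:10.10.10.5  tcp     22      # wrong: host is SNATed
DNAT            net     loc:10.10.10.5  tcp     22      # correct form
"""


def _entries(text):
    """Yield whitespace-split columns, skipping blanks, comments and ?-directives."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("?"):
            continue
        yield line.split()


def parse_snat_sources(text):
    """Return the SOURCE networks of SNAT/MASQUERADE lines as ip_network objects."""
    nets = []
    for cols in _entries(text):
        if len(cols) < 2:
            continue
        action = cols[0].split("(", 1)[0].upper()
        if action not in ("SNAT", "MASQUERADE"):
            continue
        for src in cols[1].split(","):
            nets.append(ipaddress.ip_network(src, strict=False))
    return nets


def parse_rules(text):
    """Return (action, source, dest, proto, dport) tuples, missing columns as '-'."""
    rules = []
    for cols in _entries(text):
        cols = cols + ["-"] * (5 - len(cols))
        rules.append(tuple(cols[:5]))
    return rules


# zone:address or zone:address/prefix, IPv4 only for this example
_ADDR = re.compile(r"^(\w+):([0-9.]+(?:/\d+)?)$")


def accept_rules_needing_dnat(snat_text, rules_text):
    """Rules that ACCEPT from net into a host covered by an SNAT source network."""
    nets = parse_snat_sources(snat_text)
    bad = []
    for action, src, dest, proto, dport in parse_rules(rules_text):
        # Macro form such as SSH(ACCEPT) carries the real action in parentheses.
        m = re.match(r"^\w+\((\w+)\)$", action)
        base = (m.group(1) if m else action).upper()
        if base != "ACCEPT" or src.split(":", 1)[0] != "net":
            continue
        dm = _ADDR.match(dest)
        if not dm:
            continue  # zone-only or $FW destination: not a SNATed LAN host
        host = ipaddress.ip_network(dm.group(2), strict=False)
        if any(host.subnet_of(n) for n in nets):
            bad.append((action, src, dest, proto, dport))
    return bad


if __name__ == "__main__":
    for rule in accept_rules_needing_dnat(SAMPLE_SNAT, SAMPLE_RULES):
        print("needs DNAT:", " ".join(rule))
```

On the constructed sample the only hit is the `ACCEPT net loc:10.10.10.5 tcp 22` line; the `ACCEPT net $FW tcp 22` entry is left alone because its destination is the firewall itself rather than an address in the SNAT source range, and the `DNAT` line is the form the manpage asks for. To run it against a real box, read `/etc/shorewall/snat` and `/etc/shorewall/rules` and pass their contents in place of the samples.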