On 1/30/2018 5:22 PM, Matt Darfeuille wrote:
> On 1/30/2018 1:34 PM, Bernard Drozd wrote:
>>> It refers here to your wan interface.
>>> Is your wan interface configured by dhcp (does it get a dynamic IP)?
>> No. My wan interface has static 192.168.15.145 address (which is seen
>> from outside/internet as public 46.xxx.xxx.xxx address).
>> So I've changed content of /etc/shorewall/snat to:
>> SNAT(192.168.15.145) 10.10.10.0/24 enp1s0
>
> Then SNAT is correct in that case.
>
>> but still cannot connect to the Internet from LAN.
>>
>>> Clearly your two-interface setup is not working. So I will ignore the
>>> wireless part of this question.
>> Ok. I removed wifi configuration from /etc/shorewall files
>>> What is the content of the following files?:
>>> /etc/shorewall/zones
>> fw firewall
>> net ipv4
>> loc ipv4
>>> /etc/shorewall/interfaces
>> ?FORMAT 1
>> ###############################################################################
>>
>> #ZONE INTERFACE BROADCAST OPTIONS
>> net enp1s0 detect tcpflags,logmartians,nosmurfs
>> loc enp3s0f1 detect dhcp
>>> /etc/shorewall/policy
>> loc net ACCEPT
>> $FW net ACCEPT
>> net all DROP info
>> # THE FOLLOWING POLICY MUST BE LAST
>> all all REJECT info
>>> /etc/shorewall/rules
>> # PORT PORT(S) DEST LIMIT GROUP
>>
>> ?SECTION ALL
>> ?SECTION ESTABLISHED
>> ?SECTION RELATED
>> ?SECTION INVALID
>> ?SECTION UNTRACKED
>> ?SECTION NEW
>>
>> # Don't allow connection pickup from the net
>> #
>> Invalid(DROP) net all tcp
>> #
>> # Accept DNS connections from the firewall to the network
>> #
>> DNS(ACCEPT) $FW net
>
> This is superfluous given your policy '$FW net ACCEPT'.
>
>> #
>> # Accept SSH connections from the local network for administration
>> #
>> SSH(ACCEPT) loc $FW
>> #
>> # Allow Ping from the local network
>> #
>> Ping(ACCEPT) loc $FW
>>
>> #
>> # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
>> #
>>
>> Ping(DROP) net $FW
>>
>> ACCEPT $FW loc icmp
>> ACCEPT $FW net icmp
>> #
>> #
>> ACCEPT net $FW tcp 6535
>> ACCEPT net $FW udp 6534
>> ACCEPT net $FW tcp 22
>
> From:
>
> http://shorewall.org/manpages/shorewall-rules.html
>
> "Warning
> If you masquerade or use SNAT from a local system to the internet, you
> cannot use an ACCEPT rule to allow traffic from the internet to that
> system. You must use a DNAT rule instead."
>
> EG:
>
> DNAT net $FW tcp 22
>

As Bill Shirley pointed out you can forget this.

>>> /etc/shorewall/stoppedrules
>> ACCEPT enp3s0f1 -
>> ACCEPT - enp3s0f1
>>
>
> I assume that no other firewalls are started.
> And that 'IP_FORWARDING' is set to 'Yes' in /etc/shorewall/shorewall.conf.

-Matt

-- 
Matt Darfeuille

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
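The thread's checklist for a LAN-to-Internet SNAT path (SNAT entry leaving on the net-zone interface, a loc-to-net ACCEPT policy, IP_FORWARDING=Yes) can be turned into a small consistency check. The script below is an added example, not code from the thread or from Shorewall; it re-parses the interfaces, policy and snat fragments quoted above (copied in as constructed strings) and a hypothetical shorewall.conf excerpt, and reports which condition is missing.

```python
import re

# Constructed samples copied from the thread's quoted files (interfaces uses ?FORMAT 1).
INTERFACES = """?FORMAT 1
#ZONE INTERFACE BROADCAST OPTIONS
net enp1s0 detect tcpflags,logmartians,nosmurfs
loc enp3s0f1 detect dhcp
"""
POLICY = """loc net ACCEPT
$FW net ACCEPT
net all DROP info
all all REJECT info
"""
SNAT = "SNAT(192.168.15.145) 10.10.10.0/24 enp1s0\n"
CONF_OK = "STARTUP_ENABLED=Yes\nIP_FORWARDING=Yes\n"  # hypothetical shorewall.conf excerpt

def rows(text):
    """Split a Shorewall column file into rows, dropping comments and ?directives."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("?"):
            out.append(line.split())
    return out

def first_policy(policy, src, dst):
    """Shorewall applies the first matching policy row; mimic that lookup."""
    for s, d, action, *_ in rows(policy):
        if s in (src, "all") and d in (dst, "all"):
            return action
    return None

def check_snat_path(interfaces, policy, snat, conf):
    """Return the list of problems blocking a loc -> net SNAT path (empty = consistent)."""
    problems = []
    zone_of = {iface: zone for zone, iface, *_ in rows(interfaces)}
    snat_rows = rows(snat)
    if not snat_rows:
        problems.append("snat file has no SNAT/MASQUERADE entry")
    for action, _source, dest, *_ in snat_rows:
        if not re.match(r"(SNAT\(|MASQUERADE)", action):
            problems.append(f"unexpected snat action {action}")
        if zone_of.get(dest) != "net":
            problems.append(f"SNAT out-interface {dest} is not in the net zone")
    if first_policy(policy, "loc", "net") != "ACCEPT":
        problems.append("no loc -> net ACCEPT policy (or an earlier policy shadows it)")
    m = re.search(r"^IP_FORWARDING=(\w+)", conf, re.M)
    if not m or m.group(1).lower() != "yes":
        problems.append("IP_FORWARDING is not Yes in shorewall.conf")
    return problems
```

With the thread's files and IP_FORWARDING=Yes, `check_snat_path(INTERFACES, POLICY, SNAT, CONF_OK)` returns an empty list; swapping the conf for `IP_FORWARDING=No` or pointing the SNAT entry at the loc interface produces the matching problem string.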