Try adding to policy:
fw    loc    ACCEPT
loc    fw    ACCEPT

So devices on loc can ping the gateway?  Ping www.google.com?

Bill

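Added example, not code from this thread or from Shorewall itself: a small Python model of how Shorewall reaches a verdict for a new connection between two zones, loaded with the 'rules' and 'policy' files quoted below and with the two fw/loc policy lines suggested above. It assumes rules are tried in order before the policy, that the first policy line whose SOURCE/DEST match ("all" as wildcard) decides, that the SSH and Ping macros expand to tcp/22 and icmp, and that $FW is the "fw" zone.

```python
# Added example (not from the thread): a simplified model of Shorewall's verdict
# for a NEW connection between zones, loaded with the quoted 'rules' and 'policy'
# files.  Rules are tried in order before the policy; the first policy line whose
# SOURCE/DEST match ("all" is a wildcard) decides.  Invalid(DROP) matches only the
# INVALID conntrack state, which this new-connection model ignores, so it is left out.
RULES = [  # (action, source, dest, proto, dport); macros already expanded
    ("ACCEPT", "loc", "fw",  "tcp",  22),    # SSH(ACCEPT)  loc $FW
    ("ACCEPT", "loc", "fw",  "icmp", None),  # Ping(ACCEPT) loc $FW
    ("DROP",   "net", "fw",  "icmp", None),  # Ping(DROP)   net $FW
    ("ACCEPT", "fw",  "loc", "icmp", None),
    ("ACCEPT", "fw",  "net", "icmp", None),
    ("ACCEPT", "net", "fw",  "tcp",  6535),
    ("ACCEPT", "net", "fw",  "udp",  6534),
    ("ACCEPT", "net", "fw",  "tcp",  1007),
    ("ACCEPT", "net", "fw",  "tcp",  22),
]
POLICY = [  # (source, dest, action) from the quoted 'policy' file, in order
    ("loc", "net", "ACCEPT"),
    ("fw",  "net", "ACCEPT"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),  # catches loc->fw: no line above names that pair
]
# Bill's suggestion; the two lines must precede all/all REJECT to take effect.
POLICY_WITH_FW_LOC = [("fw", "loc", "ACCEPT"), ("loc", "fw", "ACCEPT")] + POLICY

def zone_match(pattern, zone):
    return pattern == "all" or pattern == zone

def verdict(src, dst, proto, dport=None, rules=RULES, policy=POLICY):
    """Return (action, origin): origin tells whether a rule or a policy line decided."""
    for action, rs, rd, rp, rport in rules:
        if (zone_match(rs, src) and zone_match(rd, dst) and rp == proto
                and (rport is None or rport == dport)):
            return action, "rule"
    for ps, pd, action in policy:
        if zone_match(ps, src) and zone_match(pd, dst):
            return action, "policy"
    return "REJECT", "implicit"

def lan_dns_lookup(policy=POLICY):
    """dhcpd gives LAN hosts 10.10.10.1 (the firewall itself) as their DNS server,
    so every name lookup is a loc->fw udp/53 connection."""
    return verdict("loc", "fw", "udp", 53, policy=policy)

if __name__ == "__main__":
    print("ping gateway   :", verdict("loc", "fw", "icmp"))          # rule accepts
    print("DNS, as posted :", lan_dns_lookup())                        # policy rejects
    print("DNS, with fix  :", lan_dns_lookup(POLICY_WITH_FW_LOC))     # policy accepts
```

With the posted files, a LAN host can ping the gateway (a rule matches) but its DNS queries to 10.10.10.1 fall through to the all/all REJECT policy, which is consistent with "can't connect to the internet" even though loc to net is ACCEPT.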

On 2/1/2018 1:29 PM, Bernard Drozd wrote:
Hi,
>When you say that the LAN can't connect to the internet, are the LAN devices
>using 10.10.10.1 for their gateway?
Yes, see below:
ela@akacja:~$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
10.10.10.13              ether   f4:6d:04:63:aa:64   C                     enp3s0f1
10.10.11.10              ether   34:23:ba:c4:3c:78   C                     wlp4s0
10.10.10.12              ether   7c:2f:80:0f:b7:b9   C                     enp3s0f1
10.10.10.11              ether   6c:62:6d:2c:fc:9f   C                     enp3s0f1
192.168.15.1             ether   00:27:22:35:40:df   C                     enp1s0
10.10.11.12              ether   e0:b9:a5:34:57:83   C                     wlp4s0

See the fragment of the /etc/dhcp/dhcpd.conf file
.....
subnet 10.10.10.0 netmask 255.255.255.0 {
        range 10.10.10.10 10.10.10.50;
        option routers 10.10.10.1;
        option broadcast-address 10.10.10.255;
        option domain-name-servers 10.10.10.1;
        option ntp-servers 10.10.10.1;
        option netbios-name-servers 10.10.10.1;
        option netbios-node-type 2;
        default-lease-time 600;
        max-lease-time 7200;
        }
.....
and /etc/netplan/03-netcfg.yaml file
network:
   version: 2
   renderer: networkd
   ethernets:
     enp3s0f1:
       addresses:
        - 10.10.10.1/24
       dhcp4: no

>Since you've been through many revisions of your Shorewall configuration, it
>would be helpful to list the following files again:
>params
file empty

>rules
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

#       Don't allow connection pickup from the net
#
Invalid(DROP)   net             all             tcp
#
#       Accept DNS connections from the firewall to the network
#
#DNS(ACCEPT)    $FW             net
#
#       Accept SSH connections from the local network for administration
#
SSH(ACCEPT)     loc             $FW
#
#       Allow Ping from the local network
#
Ping(ACCEPT)    loc             $FW

#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#

Ping(DROP)      net             $FW

ACCEPT          $FW             loc             icmp
ACCEPT          $FW             net             icmp
#
#
ACCEPT          net             $FW             tcp             6535
ACCEPT          net             $FW             udp             6534
ACCEPT          net             $FW             tcp             1007
ACCEPT          net             $FW             tcp             22

>zones
fw      firewall
net     ipv4
loc     ipv4

>interfaces
net     enp1s0  detect  tcpflags,logmartians,nosmurfs
loc     enp3s0f1        detect  dhcp

>hosts
I don't use maclist option

>policy
loc             net             ACCEPT
$FW             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
>I noticed in your messages:
>Jan 31 14:43:23 ..End inline action /usr/share/shorewall/action.Invalid
>Jan 31 14:43:23     Rule "Invalid(DROP) net all tcp" Compiled
>Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.SSH...
>Jan 31 14:43:23     Rule "PARAM - - tcp 22" Compiled
>You're blocking all incoming TCP from the internet so your SSH ACCEPT rule
>will never be reached.
ACCEPT     net     $FW     tcp    22
is the last line of the 'rules' file and port 22 can be reached from outside
(I've checked this)

>I don't see anything wrong with your IP addresses or routes.
I know that it should work. It is probably my small configuration mistake...
Regards,
B

On 2018-01-31 at 15:38, Bill Shirley wrote:
When you say that the LAN can't connect to the internet, are the LAN devices
using 10.10.10.1 for their gateway?

Since you've been through many revisions of your Shorewall configuration, it
would be helpful to list the following files again:
params
rules
zones
interfaces
hosts
policy

I noticed in your messages:
Jan 31 14:43:23 ..End inline action /usr/share/shorewall/action.Invalid
Jan 31 14:43:23     Rule "Invalid(DROP) net all tcp" Compiled
Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.SSH...
Jan 31 14:43:23     Rule "PARAM - - tcp 22" Compiled
You're blocking all incoming TCP from the internet so your SSH ACCEPT rule will
never be reached.

Your policy:
Jan 31 14:43:23    Policy for net to fw is DROP using chain net-all
so you don't need the "Invalid(DROP)" rule.

I don't see anything wrong with your IP addresses or routes.

Bill



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

