On 12/12/2017 02:58 AM, Bill Shirley wrote:
> You should define policy for fw:
> fw all ACCEPT
> lan fw ACCEPT
> The order of these is important. They should be at the top. This is probably why
> 192.168.2.8 can't talk to the fw (192.168.2.1). Get traffic flowing and then narrow
> it down to what is allowed.
>
> In your snat file you're masquerading every private address. Only define what is valid.
> Use 'ip -o -4 addr' to get your addresses:
> 2: lan4 inet 192.168.4.1/24 brd 192.168.4.255 scope global lan4\ valid_lft forever preferred_lft forever
> 2: lan4 inet 192.168.4.254/24 brd 192.168.4.255 scope global secondary lan4\ valid_lft forever preferred_lft forever
> My LAN is 192.168.4.0/24. I don't know if it matters to iptables, but your 192.168.1.0
> is not the base of a /16. For that prefix you would define 192.168.0.0/16.
>
> It would be helpful to see the output of:
> ip -o -4 addr
> and:
> ip -o -4 route
>
> Bill
>
> On 12/12/2017 12:07 AM, jamby wrote:
>> Thanks Bill
>>
>> In the attached file are the zones, interfaces, hosts, masq (or snat), and policy files. + shorewall.conf
>>
>> Appreciate your time
Remove the default route out of your 'loc' interface. It's not correct and it is the cause of your martian and mis-routing issues.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA        \ A: Someone who makes you an offer you can't
http://shorewall.org   \    understand
\_______________________________________________
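Two of Bill's points above (masquerading every private range instead of only what is valid, and a SOURCE like 192.168.1.0/16 that is not the base of its prefix) can be checked mechanically. The script below is an added example, not code from the thread or from Shorewall; it assumes the Shorewall snat file layout of ACTION / SOURCE / DEST columns, and the sample snat file and 'ip -o -4 addr' output are constructed for the demonstration.

```python
import ipaddress

# Constructed snat file in the shape the thread describes: every RFC1918
# range masqueraded, one entry with host bits set, one correct entry.
SAMPLE_SNAT = """\
#ACTION          SOURCE                DEST
MASQUERADE       10.0.0.0/8            eth0
MASQUERADE       172.16.0.0/12         eth0
MASQUERADE       192.168.1.0/16        eth0
MASQUERADE       192.168.1.0/24        eth0
"""

# Constructed 'ip -o -4 addr' output: one WAN address, one LAN address.
SAMPLE_ADDRS = """\
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: lan     inet 192.168.1.1/24 brd 192.168.1.255 scope global lan\\       valid_lft forever preferred_lft forever
"""

def local_networks(ip_addr_output):
    """Networks the firewall actually holds an address in, from 'ip -o -4 addr'."""
    nets = []
    for line in ip_addr_output.splitlines():
        fields = line.split()
        if 'inet' in fields:
            cidr = fields[fields.index('inet') + 1]
            nets.append(ipaddress.ip_interface(cidr).network)
    return nets

def audit_snat(snat_text, ip_addr_output):
    """Return (line, problem) pairs for SOURCE entries that are not a
    canonical network base, or that overlap no locally attached network
    (a masquerade rule for traffic that cannot arrive on this box)."""
    local = local_networks(ip_addr_output)
    findings = []
    for line in snat_text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        source = fields[1]
        try:
            net = ipaddress.ip_network(source)  # strict: host bits set is an error
        except ValueError:
            base = ipaddress.ip_network(source, strict=False)
            findings.append((line, f'{source} is not a network base; the /{base.prefixlen} base is {base}'))
            continue
        if not any(n.subnet_of(net) or net.subnet_of(n) for n in local):
            findings.append((line, f'{net} overlaps no locally attached network'))
    return findings

if __name__ == '__main__':
    for line, problem in audit_snat(SAMPLE_SNAT, SAMPLE_ADDRS):
        print(f'{problem}\n    {line}')
```

Run it against the real files with `shorewall show` output or the files under /etc/shorewall substituted for the constructed samples; only the 192.168.1.0/24 entry passes here.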
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users