Hi, you have to set up source NAT (masquerading) for the interface associated with your net zone, otherwise the traffic will go out with the client's IP to the gateway. You can simply validate that with a tcpdump on your net interface.

> On 10.05.2018 at 22:07, David Ventura <davidventur...@gmail.com> wrote:
>
> Hi
> I am setting up shorewall as my router but currently I can't connect to
> anything on the `net` from machines on `loc`. I am running shorewall
> 5.0.15.6-1 on armbian, kernel 4.14.14, aarch64.
>
> Things I checked:
>
> * I can access stuff on the `net` just fine from the firewall
> * I set IP_FORWARDING=Yes in /etc/shorewall/shorewall.conf.
>
> I can connect from the `net` to the `fw`. I have dnsmasq on the firewall and
> I am currently getting proper DHCP and DNS. I can ping both the (fw) LAN
> address (192.168.2.1) and the WAN address (192.168.1.113) from the machines
> on `loc`.
>
> The firewall can access internet properly, but anything on `loc` just gets
> the packets (tcp, udp, icmp) dropped.
>
> I am missing `/etc/shorewall/masq` but it was not provided on
> `/usr/share/doc/shorewall/examples` by the debian package.
>
> My interfaces file
>
> net wan dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> loc lan0 dhcp,tcpflags,nosmurfs,routefilter,logmartians
>
> =====================
> On my rules I have
>
> ACCEPT loc net tcp
> ACCEPT loc net udp
> ACCEPT loc net icmp
>
> ACCEPT $FW loc all
>
> ======================
> Policy (default)
>
> loc net ACCEPT
> net all DROP info
> # THE FOLLOWING POLICY MUST BE LAST
> all all REJECT info
>
> What am I doing wrong?
> Also - I am not getting anything on /var/log/messages - no idea why, even
> tried to do `shorewall debug restart` but no dice.
>
> David
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
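
The tcpdump check suggested in the reply, as an added example that is not part of the original messages: a small filter that reads `tcpdump -n` output from the net interface and counts packets that still carry a `loc` source address versus ones rewritten to the firewall's WAN address. The `192.168.2.0/24` subnet, the masq entry form in the comment, the remote address `203.0.113.10` and the capture lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check tcpdump output from the net interface for un-NATed sources.
# Assumptions: loc is 192.168.2.0/24 (the page only gives 192.168.2.1), and the
# masquerade entry has the form "wan 192.168.2.0/24" in /etc/shorewall/masq.
LAN_PREFIX="192.168.2."      # assumed /24 around the firewall's LAN address
WAN_ADDR="192.168.1.113"     # firewall WAN address from the original post

# Reads `tcpdump -n` lines on stdin and prints "leaked=N natted=M":
# leaked = packets still carrying a loc source address, natted = rewritten ones.
count_sources() {
    awk -v lan="$LAN_PREFIX" -v wan="$WAN_ADDR" '
        $2 == "IP" {
            n = split($3, o, ".")          # a.b.c.d or a.b.c.d.port
            if (n < 4) next
            src = o[1] "." o[2] "." o[3] "." o[4]
            if (index(src, lan) == 1) leaked++
            else if (src == wan) natted++
        }
        END { printf "leaked=%d natted=%d\n", leaked, natted }'
}

# Constructed capture: no masquerading, client address reaches the gateway.
sample_before() {
    cat <<'EOF'
22:10:01.000001 IP 192.168.2.50.51514 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
22:10:02.000001 IP 192.168.2.50 > 203.0.113.10: ICMP echo request, id 7, seq 1, length 64
EOF
}

# Constructed capture: masquerading active, replies come back.
sample_after() {
    cat <<'EOF'
22:15:01.000001 IP 192.168.1.113.51514 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
22:15:01.020001 IP 203.0.113.10.443 > 192.168.1.113.51514: Flags [S.], seq 9, ack 2, win 65535, length 0
22:15:02.000001 IP 192.168.1.113 > 203.0.113.10: ICMP echo request, id 7, seq 1, length 64
EOF
}

sample_before | count_sources
sample_after | count_sources
# Live use on the firewall: tcpdump -n -i wan -c 50 | count_sources
```

A non-zero `leaked` count on the net interface means client addresses are reaching the gateway unchanged, which is the symptom the reply describes.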