Hi Tom,
Thanks, after following what you suggested it worked without adding an
optional parameter.
Since I have introduced the zone-based conntrack, I had to tie the
inet interface and the veth interface associated with inet in the same zone. After
adding the veth I am seeing packet drops from wan to lan; it's because of
the policy. Are there any better ways to define the policy?
I have created the conntrack rules like the below.
IPTABLES(CT --zone 5):O 0.0.0.0/0 eth3
IPTABLES(CT --zone 5) veth-e3-p -
IPTABLES(CT --zone 5):O 0.0.0.0/0 veth-e3-p
In the interfaces config file, I have to declare what the veth-e3-p interface
is; since it is an internal interface, I defined it as lan.
inet eth3 detect tcpflags,nosmurfs,logmartians
lan veth-e3-p detect tcpflags,nosmurfs,logmartians
Because of the policy my wan to lan traffic is getting dropped. Is there any way to
get around this issue?
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
lan all ACCEPT -
$FW all ACCEPT -
vpn lan ACCEPT -
vpn $FW ACCEPT -
*inet all DROP -*
all all ACCEPT -
I don't want the traffic to be dropped; I want the traffic to look up the route
table. Before making the recent change the inet traffic was doing a routing
lookup.
Is there a way to achieve this?
Thanks,
Naveen
On Wed, Jul 25, 2018 at 3:59 PM, Tom Eastep <teas...@shorewall.net> wrote:
> Naveen,
>
> You don't need 'optional' with the rules that I sent you.
>
> -Tom
>
> On 07/25/2018 11:42 AM, Naveen Neelakanta wrote:
> > Hi Tom,
> >
> > That helped, I made the optional interface configuration as default.
> >
> > #ZONE INTERFACE OPTIONS
> > inet eth5 detect tcpflags,nosmurfs,logmartians,optional
> > lan eth4 detect tcpflags,nosmurfs,logmartians,optional
> > lan eth0 detect tcpflags,nosmurfs,logmartians,optional
> > inet eth3 detect tcpflags,nosmurfs,logmartians,optional
> >
> >
> > cat /etc/shorewall/snat
> > MASQUERADE 0.0.0.0/0 eth3:0.0.0.0/0
> > MASQUERADE 0.0.0.0/0 eth5:0.0.0.0/0
> >
> > I believe adding optional will only disable handling the routing error
> > that I was seeing; is there any other downside to adding the optional
> > keyword in the interface configuration? I just wanted to know, if the interface
> > gets an IP address, do I have to restart Shorewall?
> >
> > Any pointer or link to understand Shorewall's design and how it works would
> > help.
> >
> > Thanks,
> > Naveen
> >
> > On Tue, Jul 24, 2018 at 9:54 AM, Tom Eastep <teas...@shorewall.net> wrote:
> >
> > On 07/23/2018 04:38 PM, Naveen Neelakanta wrote:
> > > Hi Tom,
> > >
> > > I have upgraded to the latest version of Shorewall, but I am running
> > > into an error which I did not see with the old version.
> > >
> > > #shorewall version
> > > 5.2.0.4
> > >
> > > #shorewall restart
> > >
> > > Optimizing Ruleset...
> > > Creating iptables-restore input...
> > > Shorewall configuration compiled to /var/lib/shorewall/.restart
> > > Stopping Shorewall....
> > > ERROR: Unable to determine the routes through interface "eth5":
> > > Firewall state not changed
> > > /usr/share/shorewall/lib.common: line 93: 15598 Terminated
> > > $SHOREWALL_SHELL $script $options $@
> > >
> > > Interface eth5 is configured for DHCP, but it does not have an IP.
> > >
> > > eth5 Link encap:Ethernet HWaddr 00:50:56:a6:72:24
> > > BROADCAST MULTICAST MTU:1500 Metric:1
> > > RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > > collisions:0 txqueuelen:1000
> > > RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> > >
> > > #cat /etc/shorewall/conntrack
> > > #
> > > # Shorewall version 4 - conntrack File
> > > #
> > > # For information about entries in this file, type man shorewall-conntrack
> > > #
> > > ##############################################################################################################
> > > ?FORMAT 3
> > > #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
> > > # PORT(S) PORT(S) GROUP
> > > IPTABLES(CT --zone 0) eth4 -
> > > IPTABLES(CT --zone 0):PO (0.0.0.0/0) eth4
> > > IPTABLES(CT --zone 0) eth0 -
> > > IPTABLES(CT --zone 0):PO (0.0.0.0/0) eth0
> > > IPTABLES(CT --zone 1) eth3 -
> > > IPTABLES(CT --zone 1):PO (0.0.0.0/0) eth3
> > > IPTABLES(CT --zone 2) eth5 -
> > > IPTABLES(CT --zone 2):PO (0.0.0.0/0) eth5
> > >
> > >
> > > # cat /etc/shorewall/interfaces
> > > #ZONE INTERFACE OPTIONS
> > > lan eth4 detect tcpflags,nosmurfs,logmartians
> > > lan eth0 detect tcpflags,nosmurfs,logmartians
> > > inet eth3 detect tcpflags,nosmurfs,logmartians
> > > inet eth5 detect tcpflags,nosmurfs,logmartians
> > >
> > >
> > > Trying to understand why the error is seen with the latest Shorewall and any
> > > configuration that can help me clear the error.
> > >
> >
> > Because you didn't do what I suggested. You want:
> >
> > IPTABLES(CT --zone 0) eth4
> > IPTABLES(CT --zone 0):O 0.0.0.0/0 eth4
> > IPTABLES(CT --zone 0) eth0
> > IPTABLES(CT --zone 0):O 0.0.0.0/0 eth0
> > IPTABLES(CT --zone 0) eth3
> > IPTABLES(CT --zone 0):O 0.0.0.0/0 eth5
> > IPTABLES(CT --zone 0) eth0
> > IPTABLES(CT --zone 0):O 0.0.0.0/0 eth5
> >
> >
> > -Tom
> > --
> > Tom Eastep \ Q: What do you get when you cross a mobster with
> > Shoreline, \ an international standard?
> > Washington, USA \ A: Someone who makes you an offer you can't
> > http://shorewall.org \ understand
> > \_______________________________________________
> >
> >
>
>
> --
> Tom Eastep \ Q: What do you get when you cross a mobster with
> Shoreline, \ an international standard?
> Washington, USA \ A: Someone who makes you an offer you can't
> http://shorewall.org \ understand
> \_______________________________________________
>
>
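The drop Naveen describes follows from how Shorewall evaluates /etc/shorewall/policy: entries are tried top to bottom and the first one whose SOURCE and DEST match the packet's zones wins, with "all" matching any zone and $FW standing for the firewall itself. The script below is an added illustration written for this thread, not Shorewall code or anything posted by Tom or Naveen. It models that first-match lookup over constructed copies of the interfaces and policy tables from the message at the top, so that a packet entering on eth3 (zone inet) and leaving on veth-e3-p (zone lan) can be traced to the "inet all DROP" entry, which sits above "all all ACCEPT" and therefore shadows it. Sub-zones and the rules file (which is consulted before the policy) are deliberately not modelled.

```python
"""Trace which /etc/shorewall/policy entry a packet hits, first-match style.

Added example for the thread above; it is not Shorewall's own code.
Assumptions: policy entries are evaluated in file order, the first
SOURCE/DEST match wins, 'all' matches any zone, and $FW is the firewall
zone.  Entries in /etc/shorewall/rules, which run before the policy, and
nested/sub-zones are not modelled.
"""

# Constructed copies of the two tables posted in the thread.
INTERFACES = """
#ZONE INTERFACE OPTIONS
inet eth3 detect tcpflags,nosmurfs,logmartians
lan veth-e3-p detect tcpflags,nosmurfs,logmartians
"""

POLICY = """
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
lan all ACCEPT -
$FW all ACCEPT -
vpn lan ACCEPT -
vpn $FW ACCEPT -
inet all DROP -
all all ACCEPT -
"""


def parse_table(text, columns):
    """Split a whitespace-separated Shorewall table into dicts, skipping
    comment and blank lines.  Missing trailing columns become '-'."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        rows.append({name: (fields[i] if i < len(fields) else "-")
                     for i, name in enumerate(columns)})
    return rows


def zone_of(interface, interfaces_text=INTERFACES):
    """Map an interface name to its zone via the interfaces table."""
    for row in parse_table(interfaces_text, ["zone", "interface", "options"]):
        if row["interface"] == interface:
            return row["zone"]
    raise KeyError(f"interface {interface!r} is not assigned to a zone")


def _zone_matches(entry_zone, packet_zone):
    # 'all' is the wildcard; everything else must match exactly (incl. $FW).
    return entry_zone == "all" or entry_zone == packet_zone


def resolve_policy(src_zone, dst_zone, policy_text=POLICY):
    """Return (POLICY, index of the matching entry) using first-match order."""
    entries = parse_table(policy_text, ["source", "dest", "policy", "log"])
    for idx, e in enumerate(entries):
        if _zone_matches(e["source"], src_zone) and _zone_matches(e["dest"], dst_zone):
            return e["policy"], idx
    raise LookupError(f"no policy entry matches {src_zone}->{dst_zone}")


def policy_for_interfaces(in_if, out_if):
    """Resolve zones from the ingress/egress interfaces, then the policy."""
    src, dst = zone_of(in_if), zone_of(out_if)
    pol, idx = resolve_policy(src, dst)
    return src, dst, pol, idx


if __name__ == "__main__":
    # Trace both directions between the inet interface and its veth peer.
    for in_if, out_if in (("eth3", "veth-e3-p"), ("veth-e3-p", "eth3")):
        src, dst, pol, idx = policy_for_interfaces(in_if, out_if)
        print(f"{in_if} -> {out_if}: zones {src}->{dst}, "
              f"policy entry #{idx} applies: {pol}")
```

Run as-is, the trace shows eth3 -> veth-e3-p resolving to inet->lan and stopping at entry #4 (DROP) before ever reaching the final "all all ACCEPT", while the reverse direction matches entry #0 (lan all ACCEPT). The same helper can be pointed at any other pair of interfaces in the posted tables to see which entry shadows which.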
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users