Hi Tom,

Thanks. After following what you suggested it worked without adding an
optional parameter.

Since I have introduced zone-based conntrack, I had to tie the inet
interface and the veth interface associated with inet into the same zone. After
adding the veth I am seeing packet drops from wan to lan; it's because of
the policy. Are there any better ways to define the policy?

I have created the conntrack rules like the below.

IPTABLES(CT --zone 5):O    0.0.0.0/0    eth3
IPTABLES(CT --zone 5)      veth-e3-p    -
IPTABLES(CT --zone 5):O    0.0.0.0/0    veth-e3-p


In the interfaces config file I have to declare what the veth-e3-p interface
is; since it's an internal interface, I defined it as lan.

inet     eth3            detect          tcpflags,nosmurfs,logmartians
lan     veth-e3-p            detect          tcpflags,nosmurfs,logmartians


Because of the policy my wan to lan traffic is getting dropped. Is there any way
to get around this issue?
#SOURCE     DEST        POLICY      LOG LEVEL   LIMIT:BURST
lan         all         ACCEPT      -
$FW         all         ACCEPT      -
vpn         lan         ACCEPT      -
vpn         $FW         ACCEPT      -
inet        all         DROP        -
all         all         ACCEPT      -

I don't want the traffic to be dropped; I want the traffic to look up the route
table. Before making the recent change the inet traffic was doing a routing
lookup.
Is there a way to achieve this?

Thanks,
Naveen
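
An added example, my own and not Shorewall's code or anything posted in this thread, of why the policy table above drops inet->lan: Shorewall reads the policy file top to bottom and the first entry whose SOURCE and DEST match the zone pair decides, so `inet all DROP` captures inet->lan before `all all ACCEPT` is ever reached. The script parses the posted table, reports which entry decides each zone pair, and shows the effect of a hypothetical narrower `inet lan ACCEPT` entry placed just ahead of the DROP (that entry is an assumption for illustration, not advice from anyone in the thread). The rules file, which Shorewall consults before falling back to the policy, is deliberately not modelled.

```python
"""First-match walk of a Shorewall-style policy table.

Added example (not Shorewall code): models only /etc/shorewall/policy,
read top to bottom, first matching SOURCE/DEST entry wins. The rules
file, which is consulted before the policy, is out of scope here.
"""
from typing import List, Optional, Tuple

Policy = Tuple[str, str, str]  # (SOURCE zone, DEST zone, POLICY action)

# Constructed input: the policy table from the message above, as pasted.
POLICY_TEXT = """
#SOURCE     DEST        POLICY      LOG LEVEL   LIMIT:BURST
lan         all         ACCEPT       -
$FW         all         ACCEPT       -
vpn         lan         ACCEPT       -
vpn         $FW         ACCEPT       -
inet        all         DROP         -
all         all         ACCEPT       -
"""


def parse_policy(text: str) -> List[Policy]:
    """Parse the first three columns of each non-comment line, in file order."""
    entries: List[Policy] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        entries.append((cols[0], cols[1], cols[2].upper()))
    return entries


def zone_matches(pattern: str, zone: str) -> bool:
    """'all' matches any zone; anything else must match the zone name exactly."""
    return pattern == "all" or pattern == zone


def lookup(policies: List[Policy], src: str, dst: str) -> Optional[Tuple[str, int]]:
    """Return (action, index) of the first entry matching src->dst, or None
    when no entry covers the pair."""
    for idx, (psrc, pdst, action) in enumerate(policies):
        if zone_matches(psrc, src) and zone_matches(pdst, dst):
            return action, idx
    return None


def with_exception(policies: List[Policy], src: str, dst: str, action: str) -> List[Policy]:
    """Return a copy with a specific (src, dst) entry inserted directly ahead
    of the entry that currently captures that pair. First-match then picks
    the new entry for src->dst while every other zone pair keeps its result."""
    current = lookup(policies, src, dst)
    insert_at = current[1] if current else len(policies)
    return policies[:insert_at] + [(src, dst, action)] + policies[insert_at:]


def explain(policies: List[Policy], pairs: List[Tuple[str, str]]) -> List[str]:
    """Trace of which entry decides each zone pair, one line per pair."""
    out = []
    for src, dst in pairs:
        hit = lookup(policies, src, dst)
        if hit is None:
            out.append(f"{src}->{dst}: no policy covers this pair")
        else:
            action, idx = hit
            psrc, pdst, _ = policies[idx]
            out.append(f"{src}->{dst}: {action} via entry {idx} ({psrc} {pdst})")
    return out


if __name__ == "__main__":
    posted = parse_policy(POLICY_TEXT)
    pairs = [("inet", "lan"), ("lan", "inet"), ("inet", "$FW"), ("vpn", "lan")]
    print("as posted:")
    print("\n".join(explain(posted, pairs)))
    # Hypothetical narrower exception: allow inet->lan only; inet->$FW stays DROP.
    amended = with_exception(posted, "inet", "lan", "ACCEPT")
    print("with an 'inet lan ACCEPT' entry ahead of 'inet all DROP':")
    print("\n".join(explain(amended, pairs)))
```

Running it shows inet->lan decided by entry 4 (`inet all DROP`) in the posted table, and by the inserted entry once a more specific line precedes it, while inet->$FW is still dropped. Whether a zone-to-zone ACCEPT is the right fix for a veth-based conntrack-zone setup is a separate question; the point here is only that ordering, not the later `all all ACCEPT`, decides the outcome.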



On Wed, Jul 25, 2018 at 3:59 PM, Tom Eastep <teas...@shorewall.net> wrote:

> Naveen,
>
> You don't need 'optional' with the rules that I sent you.
>
> -Tom
>
> On 07/25/2018 11:42 AM, Naveen Neelakanta wrote:
> > Hi Tom,
> >
> > That helped, I made the optional interface configuration as default.
> >
> > #ZONE     INTERFACE       OPTIONS
> > inet      eth5            detect          tcpflags,nosmurfs,logmartians,optional
> > lan       eth4            detect          tcpflags,nosmurfs,logmartians,optional
> > lan       eth0            detect          tcpflags,nosmurfs,logmartians,optional
> > inet      eth3            detect          tcpflags,nosmurfs,logmartians,optional
> >
> >
> > cat /etc/shorewall/snat
> > MASQUERADE    0.0.0.0/0    eth3:0.0.0.0/0
> > MASQUERADE    0.0.0.0/0    eth5:0.0.0.0/0
> >
> > I believe adding optional will only disable handling of the routing error
> > that I was seeing; is there any other downside to adding the optional
> > keyword in the interface configuration? I just wanted to know whether, if the
> > interface gets an IP address, I have to restart Shorewall.
> >
> > Any pointer or link to understand Shorewall design and its working will
> > help.
> >
> > Thanks,
> > Naveen
> >
> > On Tue, Jul 24, 2018 at 9:54 AM, Tom Eastep <teas...@shorewall.net> wrote:
> >
> >     On 07/23/2018 04:38 PM, Naveen Neelakanta wrote:
> >     > Hi Tom,
> >     >
> >     > I have upgraded to the latest version of Shorewall, but I am running
> >     > into an error which I did not see with the old version.
> >     >
> >     > #shorewall version
> >     > 5.2.0.4
> >     >
> >     > #shorewall restart
> >     >
> >     > Optimizing Ruleset...
> >     > Creating iptables-restore input...
> >     > Shorewall configuration compiled to /var/lib/shorewall/.restart
> >     > Stopping Shorewall....
> >     >    ERROR: Unable to determine the routes through interface "eth5":
> >     > Firewall state not changed
> >     > /usr/share/shorewall/lib.common: line 93: 15598 Terminated
> >     > $SHOREWALL_SHELL $script $options $@
> >     >
> >     > Interface eth5 is configured for DHCP, but it does not have an IP.
> >     >
> >     > eth5      Link encap:Ethernet  HWaddr 00:50:56:a6:72:24
> >     >           BROADCAST MULTICAST  MTU:1500  Metric:1
> >     >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >     >           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >     >           collisions:0 txqueuelen:1000
> >     >           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> >     >
> >     > #cat /etc/shorewall/conntrack
> >     > #
> >     > # Shorewall version 4 - conntrack File
> >     > #
> >     > # For information about entries in this file, type man shorewall-conntrack
> >     > #
> >     > ##############################################################################################################
> >     > ?FORMAT 3
> >     > #ACTION                    SOURCE          DESTINATION     PROTO   DEST    SOURCE  USER/   SWITCH
> >     > #                                                                  PORT(S) PORT(S) GROUP
> >     > IPTABLES(CT --zone 0)      eth4            -
> >     > IPTABLES(CT --zone 0):PO   (0.0.0.0/0)     eth4
> >     > IPTABLES(CT --zone 0)      eth0            -
> >     > IPTABLES(CT --zone 0):PO   (0.0.0.0/0)     eth0
> >     > IPTABLES(CT --zone 1)      eth3            -
> >     > IPTABLES(CT --zone 1):PO   (0.0.0.0/0)     eth3
> >     > IPTABLES(CT --zone 2)      eth5            -
> >     > IPTABLES(CT --zone 2):PO   (0.0.0.0/0)     eth5
> >     >
> >     >
> >     > # cat /etc/shorewall/interfaces
> >     > #ZONE     INTERFACE       OPTIONS
> >     > lan       eth4            detect          tcpflags,nosmurfs,logmartians
> >     > lan       eth0            detect          tcpflags,nosmurfs,logmartians
> >     > inet      eth3            detect          tcpflags,nosmurfs,logmartians
> >     > inet      eth5            detect          tcpflags,nosmurfs,logmartians
> >     >
> >     >
> >     > I am trying to understand why the error is seen with the latest Shorewall,
> >     > and whether any configuration can help me clear the error.
> >     >
> >
> >     Because you didn't do what I suggested. You want:
> >
> >     IPTABLES(CT --zone 0)   eth4
> >     IPTABLES(CT --zone 0):O 0.0.0.0/0       eth4
> >     IPTABLES(CT --zone 0)   eth0
> >     IPTABLES(CT --zone 0):O 0.0.0.0/0       eth0
> >     IPTABLES(CT --zone 0)   eth3
> >     IPTABLES(CT --zone 0):O 0.0.0.0/0       eth5
> >     IPTABLES(CT --zone 0)   eth0
> >     IPTABLES(CT --zone 0):O 0.0.0.0/0       eth5
> >
> >
> >     -Tom
> >     --
> >     Tom Eastep        \   Q: What do you get when you cross a mobster with
> >     Shoreline,         \     an international standard?
> >     Washington, USA     \ A: Someone who makes you an offer you can't
> >     http://shorewall.org \   understand
> >                           \_______________________________________________
> >
> >
>
>
> --
> Tom Eastep        \   Q: What do you get when you cross a mobster with
> Shoreline,         \     an international standard?
> Washington, USA     \ A: Someone who makes you an offer you can't
> http://shorewall.org \   understand
>                       \_______________________________________________
>
>
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
