From: Tom E. <te...@sh...> - 2008-10-09 00:55:08
Stacker Hush wrote:
> Here is my firewall configuration:
>
> Now the REDIRECT rule is activated in status.txt
>
> eth0: 192.168.0.254 (wan - connected to ADSL)
> eth1: 172.16.1.254 (lan)
> tap0: 192.168.99.1 openvpn
>
> zones:
> fw firewall
> net ipv4
> loc ipv4
> vpn ipv4
>
> interfaces:
> net eth0 detect
> loc eth1 detect
> vpn tap0
>
> masq:
> eth0 eth1
> eth1 eth0
>
> squid is running on port 8080.
>
> In messages I see:
> Oct 8 19:48:25 farroupilha kernel: Shorewall:FORWARD:REJECT:IN=eth0
> OUT=eth0 SRC=172.16.1.1 DST=65.77.157.50 LEN=48 TOS=0x00 PREC=0x00 TTL=127
> ID=20577 DF PROTO=TCP SPT=1232 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

That is a sign of a very sick configuration. Note that "IN=eth0 OUT=eth0". That means that the packets are arriving on eth0 and being routed back out of eth0.

More troubling from the dump are:

Table main:

192.168.99.0/24 dev tap0 proto kernel scope link src 192.168.99.1
172.16.1.0/24 dev eth1 proto kernel scope link src 172.16.1.254
------------- ----

ARP

? (172.16.1.200) at 00:1E:0B:79:56:C1 [ether] on eth1
? (192.168.99.3) at 00:FF:E4:C4:C3:DF [ether] on tap0
? (172.16.1.2) at 00:0E:2E:EC:64:17 [ether] on eth1
? (172.16.1.1) at 00:0F:EA:D2:10:DB [ether] on eth1
---------- ----

So 172.16.1.1 should be connected to eth1 yet traffic from that system is arriving on eth0!!!

You need to understand why that is happening -- my best guess is that eth0 and eth1 are connected to the same Ethernet segment.

-Tom
--
Tom Eastep            \ The ultimate result of shielding men from the
Shoreline,             \ effects of folly is to fill the world with fools.
Washington, USA         \ -Herbert Spencer
http://shorewall.net     \________________________________________________
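One way to mechanise the check Tom does by hand above (a forwarded packet logged with the same IN= and OUT= interface, and a source address arriving on an interface other than the one the ARP table has it on). This is an added example, not part of the original thread or of Shorewall itself; the log lines and ARP text are constructed from the values quoted in the message, and the second, accepted log line is invented for contrast.

```python
import re

# Constructed sample input (not taken from the poster's attachment): the REJECT line
# quoted in the thread plus one ordinary accepted forward for contrast.
LOG_LINES = [
    "Oct 8 19:48:25 farroupilha kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 "
    "SRC=172.16.1.1 DST=65.77.157.50 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=20577 DF "
    "PROTO=TCP SPT=1232 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Oct 8 19:50:01 farroupilha kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 "
    "SRC=172.16.1.2 DST=65.77.157.50 LEN=48 PROTO=TCP SPT=1300 DPT=80 SYN URGP=0",
]
# The ARP entries from the dump, in the `arp` output format shown in the thread.
ARP_TABLE = """\
? (172.16.1.200) at 00:1E:0B:79:56:C1 [ether] on eth1
? (192.168.99.3) at 00:FF:E4:C4:C3:DF [ether] on tap0
? (172.16.1.2) at 00:0E:2E:EC:64:17 [ether] on eth1
? (172.16.1.1) at 00:0F:EA:D2:10:DB [ether] on eth1
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
ARP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at \S+ \[\w+\] on (\S+)")

def parse_netfilter_line(line):
    """Return the KEY=value fields of a netfilter log line (IN= / OUT= may be empty)."""
    return dict(KV_RE.findall(line))

def parse_arp_table(text):
    """Map each IP in `arp` output to the interface its MAC address was learned on."""
    return dict(ARP_RE.findall(text))

def audit(log_lines, arp_by_ip):
    """Flag hairpin forwards (IN == OUT) and sources arriving on an interface ARP does not know them on."""
    findings = []
    for line in log_lines:
        f = parse_netfilter_line(line)
        src, inbound, outbound = f.get("SRC"), f.get("IN"), f.get("OUT")
        if not (src and inbound and outbound):
            continue  # INPUT/OUTPUT chain entries leave one side blank; only FORWARD matters here
        if inbound == outbound:
            findings.append(("hairpin", src, inbound, outbound))
        known = arp_by_ip.get(src)
        if known and known != inbound:
            findings.append(("wrong-interface", src, inbound, known))
    return findings

if __name__ == "__main__":
    for kind, src, seen_on, other in audit(LOG_LINES, parse_arp_table(ARP_TABLE)):
        print(f"{kind}: {src} arrived on {seen_on} (other interface: {other})")
```

On the constructed input the REJECT line produces both findings for 172.16.1.1, which is exactly the contradiction Tom points out; the accepted line produces none.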