From: Tom E. <te...@sh...> - 2017-07-05 15:23:14
On 07/05/2017 07:58 AM, Tom Eastep wrote:
> On 07/05/2017 01:57 AM, Vieri Di Paola via Shorewall-users wrote:
>>
>> From: Tom Eastep <te...@sh...>
>>>
>>> Okay -- let's try this:
>>>
>>> a) set LOG_BACKEND=LOG in shorewall.conf
>>> b) shorewall reload
>>> c) shorewall iptrace -s 172.16.0.1 -p icmp
>>> d) Try the ping that fails from fw1
>>> e) shorewall noiptrace -s 172.16.0.1 -p icmp
>>> f) forward the part of the shorewall log that captures the time covered
>>> by this test
>>
>> Note that LOG_BACKEND was already set to LOG. I did not have to change that.
>>
>> # grep LOG_BACKEND /etc/shorewall/shorewall.conf
>> LOG_BACKEND=LOG
>>
>> I created the following script on "fw2" to do what you asked.
>>
>> # cat sw_trace.sh
>> #!/bin/bash
>> # Trace ICMP from one source host through fw2: enable the Shorewall iptrace
>> # rules, capture with tcpdump while the ping runs, then save the dump and log.
>> srcip=$1
>> [ -z "$srcip" ] && srcip=172.16.0.1
>> locif=enp10s0
>> # start from an empty trace log
>> : > /var/log/shorewall/info.log
>> shorewall reset
>> shorewall reload
>> shorewall iptrace -s "$srcip" -p icmp
>> echo "Now start pinging from $srcip to 8.8.8.8 and press ENTER"
>> read -r _
>> tcpdump -n -c 30 -i "$locif" icmp and host "$srcip" > "./tcpdump_$srcip"
>> sleep 2
>> shorewall noiptrace -s "$srcip" -p icmp
>> shorewall dump > "./swdump_$srcip"
>> cp /var/log/shorewall/info.log "./swtrace_$srcip"
>> gzip --best "./swtrace_$srcip"
>>
>> I then realized that the trace dumps were incomplete, so I retrieved them from /var/log/messages with:
>> grep "TRACE:" /var/log/messages
>> I thought LOGFILE=/var/log/shorewall/info.log was enough in shorewall.conf, but this is the least of my problems right now. ;-)
>> So I hope you don't mind if I send 2 trace files. One was taken from /var/log/shorewall/info.log, the other from /var/log/messages (according to timestamps).
>>
>> I'm attaching all the results in this and later posts (due to message size limits in the ML).
>> I also did new shorewall dumps because of a few minor changes.
>> Any *part* file name I attach should be rebuilt with:
>> cat FILE.PART1 FILE.PART2 ... > FILE.gz
>>
>> I did 2 tests. One was from "fw1" at 172.16.0.1, the other was from a host in one of fw1's zones (IP addr. 10.215.144.7). Failing ping requests go to 8.8.8.8.
>>
>> The tcpdump tests show that both the host at 10.215.144.7 and fw1 can ping fw2 just fine. Trying to access the providers seems to be the issue here.
>>
>
> There are no SNAT/MASQUERADE rules being instantiated. Hence, reply
> packets from 8.8.8.8 cannot be routed back to your fw2. What is the output
> of 'ls -l /etc/shorewall/snat'?
>
I am going to be away from home for the day so I need you to gather some
data while I'm away.
I see that you are using interface names as the SOURCE in your
masquerade/snat rules. That has been deprecated for years (and generates
warnings during compilation).
Please send me (privately), your /var/lib/shorewall/firewall file.
Also, please:
sh -x /var/lib/shorewall/firewall reload > trace 2>&1
and send me the 'trace' file.
Finally, include the output of 'ip route ls dev enp10s0'
Thanks,
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
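The diagnosis above ("no SNAT/MASQUERADE rules instantiated, so replies from 8.8.8.8 cannot come back") and the request for the enp10s0 routes can be turned into one check. The script below is an added example, not from this thread or from Shorewall itself: it takes the outbound device for a destination from 'ip route get' and then looks for a SNAT/MASQUERADE rule reachable from POSTROUTING for that device in 'iptables -t nat -S' output, following jumps into the per-interface chains Shorewall generates. The interface names, addresses and rule lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: relate the route a destination takes to
# the SNAT/MASQUERADE rules actually instantiated in the nat table. This is the
# check behind "no SNAT rules, so replies from 8.8.8.8 cannot be routed back".
# Interface names and rule lines below are constructed sample data.

# Print the outbound device from 'ip route get DEST' output read on stdin.
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Read 'iptables -t nat -S' (whole table) on stdin; succeed if a path from
# POSTROUTING reaches SNAT/MASQUERADE for packets leaving the given device.
# Shorewall usually jumps from POSTROUTING into a per-interface chain, so
# jumps are followed; a rule with no -o match applies to every interface.
has_snat_for_iface() {
    awk -v dev="$1" '
    function opt(flag,   i) { for (i = 1; i < NF; i++) if ($i == flag) return $(i+1); return "" }
    function walk(chain,   i, o, t) {
        seen[chain] = 1
        for (i = 1; i <= n[chain]; i++) {
            $0 = rule[chain, i]; o = opt("-o"); t = opt("-j")
            if (o != "" && o != dev) continue
            if (t == "SNAT" || t == "MASQUERADE") return 1
            if ((t in n) && !(t in seen) && walk(t)) return 1
        }
        return 0
    }
    /^-A / { n[$2]++; rule[$2, n[$2]] = $0 }
    END { exit walk("POSTROUTING") ? 0 : 1 }'
}

# Constructed stand-ins for 'ip route get 8.8.8.8' and 'iptables -t nat -S':
# the route leaves via enp8s0, but masquerading is only set up on enp9s0.
SAMPLE_ROUTE='8.8.8.8 via 192.0.2.1 dev enp8s0 src 192.0.2.5 uid 0'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-N enp9s0_masq
-A POSTROUTING -o enp9s0 -j enp9s0_masq
-A enp9s0_masq -s 10.215.144.0/24 -j MASQUERADE'

# Usage: check_snat_for_dest ROUTE_OUTPUT NAT_OUTPUT; returns 0 if covered.
check_snat_for_dest() {
    dev=$(printf '%s\n' "$1" | route_dev)
    printf '%s\n' "$2" | has_snat_for_iface "$dev"
}
# Live: check_snat_for_dest "$(ip route get 8.8.8.8)" "$(iptables -t nat -S)" && echo covered
```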