Eddy Jacob
2004-Feb-08 20:11 UTC
[Shorewall-users] iptables changed after S10network script
Hi, I'm new on using shorewall.. after trying other iptables scripts, I find shorewall is the easiest/most flexible to configure. However, I have a problem. I have a box with RedHat 9 and Shorewall 1.4; this box serves as my firewall. This box has 2 NICs, one to the internet and another one to my LAN. My internet connection is using a cable modem with a DHCP IP.

The problem is, every time the cable modem loses connection and is available again, somehow my iptables get changed. And to fix this, I have to restart shorewall. I've tested this scenario by starting S25shorewall when all network is up. All iptables are correct. But then when I restart S10network after S25shorewall and check the iptables, all are changed. So how can I make S25shorewall be started/restarted automatically whenever my internet connection is down and up?

thank you

--
Eddy Jacob
hunter@fastmail.fm
On Sunday 08 February 2004 08:11 pm, Eddy Jacob wrote:

> Hi, I'm new on using shorewall.. after trying other iptables scripts, I
> find shorewall is the easiest/most flexible to configure. However, I have
> a problem. I have a box with RedHat 9 and Shorewall 1.4; this box serves
> as my firewall. This box has 2 NICs, one to the internet and another one
> to my LAN. My internet connection is using a cable modem with a DHCP IP.
>
> The problem is, every time the cable modem loses connection and is
> available again, somehow my iptables get changed. And to fix this, I have
> to restart shorewall. I've tested this scenario by starting S25shorewall
> when all network is up. All iptables are correct. But then when I restart
> S10network after S25shorewall and check the iptables, all are changed. So
> how can I make S25shorewall be started/restarted automatically whenever
> my internet connection is down and up?

Either:

a. Find the code that is restarting iptables and change it to restart Shorewall. If it is RedHat-supplied code, it is probably doing "service iptables restart"

OR

b.

    cd /etc/init.d
    mv iptables iptables.old
    ln -s shorewall iptables

That will make a start/restart/stop of iptables perform the operation on Shorewall rather than on the RedHat-provided iptables service.

Also, be sure that you have done "chkconfig --del iptables" so that the iptables script won't be invoked at startup.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Thank you for your reply Tom,

Since you mention the iptables script, I've found where the problem is. The problem is not in the iptables script; as a matter of fact, the iptables service has been turned off on all init levels. The problem is in the S10network script itself. I have not carefully gone through the code, but somehow it runs all necessary scripts under /etc/sysconfig/network-scripts/ and the cause of the problem is the /etc/sysconfig/network-scripts/ifup script.

Below is the excerpt from the ifup script:

    # Is there a firewall running, and does it look like one we configured?
    FWACTIVE=
    if iptables -L -n 2>/dev/null | grep -q RH-Lokkit-0-50-INPUT ; then
        FWACTIVE=1
    else
        modprobe -r iptable_filter >/dev/null 2>&1
    fi

and more...

    # DHCP clients need DNS to be available, and we don't know
    # what DNS server they're using until they are done.
    FWHACK=
    if [ -n "$FWACTIVE" -a "$FIREWALL_MODS" != "no" ]; then
        iptables -I RH-Lokkit-0-50-INPUT -m udp -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT
        FWHACK=1
    fi

Since I'm not an expert on this, before I start changing these lines, has anyone tried this? Or can you supply me the proper changes to these lines without damaging RedHat's logic in ifup?

thanks again

On Mon, 9 Feb 2004 07:39:23 -0800, "Tom Eastep" <teastep@shorewall.net> said:

> On Sunday 08 February 2004 08:11 pm, Eddy Jacob wrote:
> > Hi, I'm new on using shorewall.. after trying other iptables scripts, I
> > find shorewall is the easiest/most flexible to configure. However, I
> > have a problem. I have a box with RedHat 9 and Shorewall 1.4; this box
> > serves as my firewall. This box has 2 NICs, one to the internet and
> > another one to my LAN. My internet connection is using a cable modem
> > with a DHCP IP.
> >
> > The problem is, every time the cable modem loses connection and is
> > available again, somehow my iptables get changed. And to fix this, I
> > have to restart shorewall. I've tested this scenario by starting
> > S25shorewall when all network is up. All iptables are correct. But then
> > when I restart S10network after S25shorewall and check the iptables,
> > all are changed. So how can I make S25shorewall be started/restarted
> > automatically whenever my internet connection is down and up?
>
> Either:
>
> a. Find the code that is restarting iptables and change it to restart
> Shorewall. If it is RedHat-supplied code, it is probably doing "service
> iptables restart"
>
> OR
>
> b.
>
>     cd /etc/init.d
>     mv iptables iptables.old
>     ln -s shorewall iptables
>
> That will make a start/restart/stop of iptables perform the operation on
> Shorewall rather than on the RedHat-provided iptables service.
>
> Also, be sure that you have done "chkconfig --del iptables" so that the
> iptables script won't be invoked at startup.
Sorry, just noticed another file also that does something with iptables. The file is /etc/sysconfig/network-scripts/ifup-post and the lines are:

    if [ "$FIREWALL_MODS" != "no" -a -f /etc/sysconfig/iptables ] && \
       iptables -L -n 2>/dev/null | grep -q RH-Lokkit-0-50-INPUT ; then
        ns=`awk '/^nameserver / { print $2 }' /etc/resolv.conf`
        if [ -n "$ns" ]; then
            for nameserver in $ns ; do
                if ! iptables -L RH-Lokkit-0-50-INPUT -n | grep -q $nameserver ; then
                    iptables -I RH-Lokkit-0-50-INPUT -m udp -s $nameserver/32 --sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT
                    [ -x /usr/bin/logger ] && logger $"punching nameserver $nameserver through the firewall"
                fi
            done
        fi
    fi

cheers

On Mon, 09 Feb 2004 18:26:25 -0800, "Eddy Jacob" <mail@premiere.proinbox.com> said:

> Thank you for your reply Tom,
>
> Since you mention the iptables script, I've found where the problem is.
> The problem is not in the iptables script; as a matter of fact, the
> iptables service has been turned off on all init levels. The problem is
> in the S10network script itself. I have not carefully gone through the
> code, but somehow it runs all necessary scripts under
> /etc/sysconfig/network-scripts/ and the cause of the problem is the
> /etc/sysconfig/network-scripts/ifup script.
>
> Below is the excerpt from the ifup script:
>
>     # Is there a firewall running, and does it look like one we configured?
>     FWACTIVE=
>     if iptables -L -n 2>/dev/null | grep -q RH-Lokkit-0-50-INPUT ; then
>         FWACTIVE=1
>     else
>         modprobe -r iptable_filter >/dev/null 2>&1
>     fi
>
> and more...
>
>     # DHCP clients need DNS to be available, and we don't know
>     # what DNS server they're using until they are done.
>     FWHACK=
>     if [ -n "$FWACTIVE" -a "$FIREWALL_MODS" != "no" ]; then
>         iptables -I RH-Lokkit-0-50-INPUT -m udp -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT
>         FWHACK=1
>     fi
>
> Since I'm not an expert on this, before I start changing these lines, has
> anyone tried this? Or can you supply me the proper changes to these lines
> without damaging RedHat's logic in ifup?
>
> thanks again
>
> On Mon, 9 Feb 2004 07:39:23 -0800, "Tom Eastep" <teastep@shorewall.net>
> said:
> > On Sunday 08 February 2004 08:11 pm, Eddy Jacob wrote:
> > > Hi, I'm new on using shorewall.. after trying other iptables scripts,
> > > I find shorewall is the easiest/most flexible to configure. However,
> > > I have a problem. I have a box with RedHat 9 and Shorewall 1.4; this
> > > box serves as my firewall. This box has 2 NICs, one to the internet
> > > and another one to my LAN. My internet connection is using a cable
> > > modem with a DHCP IP.
> > >
> > > The problem is, every time the cable modem loses connection and is
> > > available again, somehow my iptables get changed. And to fix this, I
> > > have to restart shorewall. I've tested this scenario by starting
> > > S25shorewall when all network is up. All iptables are correct. But
> > > then when I restart S10network after S25shorewall and check the
> > > iptables, all are changed. So how can I make S25shorewall be
> > > started/restarted automatically whenever my internet connection is
> > > down and up?
> >
> > Either:
> >
> > a. Find the code that is restarting iptables and change it to restart
> > Shorewall. If it is RedHat-supplied code, it is probably doing "service
> > iptables restart"
> >
> > OR
> >
> > b.
> >
> >     cd /etc/init.d
> >     mv iptables iptables.old
> >     ln -s shorewall iptables
> >
> > That will make a start/restart/stop of iptables perform the operation
> > on Shorewall rather than on the RedHat-provided iptables service.
> >
> > Also, be sure that you have done "chkconfig --del iptables" so that the
> > iptables script won't be invoked at startup.
On Mon, 9 Feb 2004, Eddy Jacob wrote:

> Sorry, just noticed another file also that does something with iptables.
> The file is /etc/sysconfig/network-scripts/ifup-post and the lines are:
>
>     if [ "$FIREWALL_MODS" != "no" -a -f /etc/sysconfig/iptables ] && \
>        iptables -L -n 2>/dev/null | grep -q RH-Lokkit-0-50-INPUT ; then
>         ns=`awk '/^nameserver / { print $2 }' /etc/resolv.conf`
>         if [ -n "$ns" ]; then
>             for nameserver in $ns ; do
>                 if ! iptables -L RH-Lokkit-0-50-INPUT -n | grep -q $nameserver ; then
>                     iptables -I RH-Lokkit-0-50-INPUT -m udp -s $nameserver/32 --sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT
>                     [ -x /usr/bin/logger ] && logger $"punching nameserver $nameserver through the firewall"
>                 fi
>             done
>         fi
>     fi

I don't believe that what you have posted has any bearing on your problem. I would investigate whatever code you installed to accommodate your cable company. Until the last month or so, I ran RedHat on my firewalls and I've never seen a case where the RH init scripts interfered with Shorewall.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
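An added example, not from this thread or from the Shorewall project, of the restart-on-ifup hook Eddy asks for: it classifies the live ruleset from `iptables -L -n` output (Shorewall intact, RedHat's lokkit chain present, or nothing) and re-runs Shorewall only when its rules are no longer the active policy. It assumes that RedHat's ifup-post calls /sbin/ifup-local with the device name when that file is executable, and that Shorewall marks a loaded ruleset with a chain named `shorewall` (the chain `shorewall status` looks for); both are assumptions, not facts stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): a hook that
# re-applies Shorewall when an interface event has left a different ruleset
# in place, instead of restarting it by hand after every cable-modem flap.
# Assumptions: RedHat's ifup-post runs /sbin/ifup-local <device> when that
# file is executable; Shorewall marks a loaded ruleset with a chain named
# "shorewall" (the chain "shorewall status" checks). Both are assumptions.

MARKER_CHAIN=${MARKER_CHAIN:-shorewall}      # Shorewall's marker chain (assumed)
LOKKIT_CHAIN=RH-Lokkit-0-50-INPUT            # chain the RedHat ifup scripts edit

# classify_ruleset: read "iptables -L -n" output on stdin and print one word:
#   shorewall - Shorewall's marker chain is present, its ruleset is intact
#   lokkit    - only RedHat's lokkit chain is present; ifup/ifup-post will
#               keep inserting DNS "punch-through" rules into it
#   none      - neither chain exists (filter table empty or module unloaded)
classify_ruleset() {
    state=none
    while IFS= read -r line; do
        case $line in
            "Chain $MARKER_CHAIN "*) state=shorewall; break ;;
            "Chain $LOKKIT_CHAIN "*) state=lokkit ;;
        esac
    done
    printf '%s\n' "$state"
}

# needs_restart: succeed (exit 0) when the classification means Shorewall's
# rules are no longer the active policy and must be reloaded.
needs_restart() {
    [ "$1" != shorewall ]
}

# Hook entry point: ifup-local is invoked with the device name as $1.
# Nothing below runs when the file is sourced without arguments.
if [ $# -ge 1 ]; then
    state=$(iptables -L -n 2>/dev/null | classify_ruleset)
    if needs_restart "$state"; then
        logger -t ifup-local "ruleset is '$state' after $1 came up; restarting shorewall"
        /etc/init.d/shorewall restart
    fi
fi
```

Installed as an executable /sbin/ifup-local, it logs one line per restart, so a firewall that keeps being displaced shows up in syslog rather than as a silently open LAN.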