Tom,
So sorry for the next question, but I don't understand what you meant when
you said to trace "shorewall restart". I did it and I didn't see anything about
routestopped or routeback on an interface:
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: eth1:0.0.0.0/0
Local Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
Setting up Blacklisting...
Blacklisting enabled on eth1:0.0.0.0/0
Blacklisting enabled on eth0:0.0.0.0/0
192.168.0.0/16 tcp 1863,6881 added to Black List
192.168.20.50 added to Black List
192.168.20.68 added to Black List
192.168.20.100 added to Black List
192.168.20.162 added to Black List
192.168.30.7 added to Black List
192.168.30.72 added to Black List
66.21.161.8 tcp 3084 added to Black List
66.21.161.8 udp 3084 added to Black List
Adding rules for DHCP
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.DropSMB...
Pre-processing /usr/share/shorewall/action.RejectSMB...
Pre-processing /usr/share/shorewall/action.DropUPnP...
Pre-processing /usr/share/shorewall/action.RejectAuth...
Pre-processing /usr/share/shorewall/action.DropPing...
Pre-processing /usr/share/shorewall/action.DropDNSrep...
Pre-processing /usr/share/shorewall/action.AllowPing...
Pre-processing /usr/share/shorewall/action.AllowFTP...
Pre-processing /usr/share/shorewall/action.AllowDNS...
Pre-processing /usr/share/shorewall/action.AllowSSH...
Pre-processing /usr/share/shorewall/action.AllowWeb...
Pre-processing /usr/share/shorewall/action.AllowSMB...
Pre-processing /usr/share/shorewall/action.AllowAuth...
Pre-processing /usr/share/shorewall/action.AllowSMTP...
Pre-processing /usr/share/shorewall/action.AllowPOP3...
Pre-processing /usr/share/shorewall/action.AllowIMAP...
Pre-processing /usr/share/shorewall/action.AllowTelnet...
Pre-processing /usr/share/shorewall/action.AllowVNC...
Pre-processing /usr/share/shorewall/action.AllowVNCL...
Pre-processing /usr/share/shorewall/action.AllowNTP...
Pre-processing /usr/share/shorewall/action.AllowRdate...
Pre-processing /usr/share/shorewall/action.AllowNNTP...
Pre-processing /usr/share/shorewall/action.AllowTrcrt...
Pre-processing /usr/share/shorewall/action.AllowSNMP...
Pre-processing /usr/share/shorewall/action.AllowPCA...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Processing /etc/shorewall/rules...
Rule "ACCEPT fw net:66.21.161.0/27" added.
Rule "ACCEPT fw net tcp 80,21,20" added.
Rule "ACCEPT net fw tcp 80" added.
Rule "ACCEPT fw net icmp -" added.
Rule "ACCEPT fw net udp snmp" added.
Rule "ACCEPT fw loc tcp 143" added.
Rule "ACCEPT fw loc icmp" added.
Rule "REDIRECT loc 3128 tcp www - !66.21.161.68,66.21.161.20,66.21.161.41" added.
Processing Actions...
Processing /usr/share/shorewall/action.Drop...
Rule "RejectAuth" added.
Rule "dropBcast" added.
Rule "dropInvalid" added.
Rule "DropSMB" added.
Rule "DropUPnP" added.
Rule "dropNotSyn" added.
Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.Reject...
Rule "RejectAuth" added.
Rule "dropBcast" added.
Rule "dropInvalid" added.
Rule "RejectSMB" added.
Rule "DropUPnP" added.
Rule "dropNotSyn" added.
Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.RejectAuth...
Rule "REJECT - - tcp 113" added.
Processing /usr/share/shorewall/action.DropSMB...
Rule "DROP - - udp 135" added.
Rule "DROP - - udp 137:139" added.
Rule "DROP - - udp 445" added.
Rule "DROP - - tcp 135" added.
Rule "DROP - - tcp 139" added.
Rule "DROP - - tcp 445" added.
Processing /usr/share/shorewall/action.DropUPnP...
Rule "DROP - - udp 1900" added.
Processing /usr/share/shorewall/action.DropDNSrep...
Rule "DROP - - udp - 53" added.
Processing /usr/share/shorewall/action.RejectSMB...
Rule "REJECT - - udp 135" added.
Rule "REJECT - - udp 137:139" added.
Rule "REJECT - - udp 445" added.
Rule "REJECT - - tcp 135" added.
Rule "REJECT - - tcp 139" added.
Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
Policy REJECT for fw to net using chain all2all
Policy REJECT for fw to loc using chain all2all
Policy DROP for net to fw using chain net2all
Policy ACCEPT for loc to fw using chain loc2fw
Policy ACCEPT for loc to net using chain loc2net
Masqueraded Networks and Hosts:
To !10.200.0.0/24,192.168.14.0/24 (all) from 192.168.10.0/24 through eth1 using 66.21.161.68
To 0.0.0.0/0 (all) from 192.168.20.0/24 through eth1 using 66.21.161.68
To 0.0.0.0/0 (all) from 192.168.30.0/24 through eth1 using 66.21.161.68
To 0.0.0.0/0 (all) from 192.168.40.0/24 through eth1 using 66.21.161.68
To 0.0.0.0/0 (all) from 192.168.90.0/24 through eth1 using 66.21.161.68
To 0.0.0.0/0 (all) from 192.168.11.0/24 through eth1 using 66.21.161.68
To 0.0.0.0/0 (all) from 192.168.12.0/24 through eth1 using 66.21.161.68
To 0.0.0.0/0 (all) from 192.168.13.0/24 through eth1 using 66.21.161.68
To 0.0.0.0/0 (all) from 192.168.15.0/24 through eth1 using 66.21.161.68
To 0.0.0.0/0 (all) from 192.168.16.0/24 through eth1 using 66.21.161.68
To 0.0.0.0/0 (all) from 192.168.17.0/24 through eth1 using 66.21.161.68
To 0.0.0.0/0 (all) from 192.168.18.0/24 through eth1 using 66.21.161.68
To 0.0.0.0/0 (all) from 192.168.70.0/24 through eth1 using 66.21.161.68
To 0.0.0.0/0 (all) from 192.168.80.0/24 through eth1 using 66.21.161.68
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Restarted
I looked in the file /usr/share/shorewall/firewall and found:
hosts=
strip_file routestopped
while read interface host options; do
    expandv interface host options
    # An empty or "-" HOST column means any address
    [ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
    for h in $(separate_list $host); do
        hosts="$hosts $interface:$h"
    done
    routeback=
    # $options must be quoted: unquoted and empty it becomes '[ -n ]', which is always true
    if [ -n "$options" ]; then
        for option in $(separate_list $options); do
            case $option in
                routeback)
                    if [ -n "$routeback" ]; then
                        error_message "Warning: Duplicate option ignored: routeback"
                    else
                        routeback=Yes
                        # The rule routeback generates: accept forwarded traffic that
                        # enters and leaves on the same interface, once per listed host
                        for h in $(separate_list $host); do
                            iptables -A FORWARD -i $interface -s $h -o $interface -d $h -j ACCEPT
                        done
                    fi
                    ;;
                *)
                    error_message "Warning: Unknown option ignored: $option"
                    ;;
            esac
        done
    fi
done < $TMP_DIR/routestopped
I need the iptables command that enables routeback on an interface. Is it
this one?
iptables -A FORWARD -i $interface -s $h -o $interface -d $h -j ACCEPT
Regards
Mario
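The routestopped loop quoted in the message above, re-implemented as an added example so its effect can be inspected without root. This is not Shorewall's code: it prints, instead of executing, the iptables command each routeback entry expands to, it skips Shorewall's expandv variable expansion, it treats a "-" in the OPTIONS column as "no options" (an assumption about the column convention), and the sample routestopped lines at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Shorewall's code: mirrors the routestopped loop from
# /usr/share/shorewall/firewall but prints the generated iptables commands
# instead of running them, so it needs no root and can be diffed.

# Shorewall's separate_list: turn a comma-separated field into words.
separate_list() {
    printf '%s\n' "$1" | tr ',' ' '
}

# Read routestopped-format lines (INTERFACE HOST OPTIONS) on stdin and
# print one "iptables ..." line per host for every routeback option.
# Warnings go to stderr, as error_message does in the original.
routeback_rules() {
    hosts=""
    while read -r interface host options; do
        # Skip blank lines and comments (what strip_file does before the loop).
        case "$interface" in ''|\#*) continue ;; esac

        # Empty or "-" HOST means any address.
        if [ "x$host" = "x-" ] || [ -z "$host" ]; then
            host=0.0.0.0/0
        fi

        # The original collects interface:host pairs for use after the loop;
        # kept here for fidelity, though this example does nothing with them.
        for h in $(separate_list "$host"); do
            hosts="$hosts $interface:$h"
        done

        # Reset per line so the duplicate check only sees this line's options.
        routeback=""
        # Assumption of this example: "-" in the OPTIONS column means none.
        [ "$options" = "-" ] && options=""

        # Quoted "$options": unquoted and empty it would be '[ -n ]' (always true).
        if [ -n "$options" ]; then
            for option in $(separate_list "$options"); do
                case "$option" in
                    routeback)
                        if [ -n "$routeback" ]; then
                            echo "Warning: Duplicate option ignored: routeback" >&2
                        else
                            routeback=Yes
                            # The rule routeback generates: accept forwarded traffic
                            # that enters and leaves on the same interface, per host.
                            for h in $(separate_list "$host"); do
                                echo "iptables -A FORWARD -i $interface -s $h -o $interface -d $h -j ACCEPT"
                            done
                        fi
                        ;;
                    *)
                        echo "Warning: Unknown option ignored: $option" >&2
                        ;;
                esac
            done
        fi
    done
}

# Constructed sample input (not from any real routestopped file):
# eth0 hairpins two networks; eth1 has a host but no options.
printf '%s\n' \
    'eth0 192.168.20.0/24,192.168.30.0/24 routeback' \
    'eth1 66.21.161.8 -' \
    | routeback_rules
```

Running it prints two FORWARD rules for eth0 (one per network) and nothing for eth1, which is the point Tom's reply makes: the exact rules depend on what is in your routestopped file, and a line without the routeback option generates no same-interface ACCEPT at all.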
-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net
[mailto:shorewall-users-admin@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Thursday, August 25, 2005 3:28 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] A route-back question
mbeltran@americatel.com.sv wrote:
> I need to know what command shorewall runs (in iptables format)
> when I set the routeback attribute on an interface
The answer to your question is highly configuration-dependent. I suggest
that you trace "shorewall [re]start" then search the trace for
''routestopped''. Study the trace and the code
(/usr/share/shorewall/firewall) and see what rule(s) are generated in your
particular case.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key