Daniel Pielmeier
2007-Jan-23 15:17 UTC
Conflict between iptables and previous shorewall installation
Hi,

I have a problem concerning my previous shorewall installation.

I tried to use shorewall to configure my firewall, but I couldn't get NAT to work. So I decided to remove shorewall and tried it with plain iptables. This is now working for me, but every time I start my network connection it seems that my handmade iptables rules are overwritten. I have to manually run my iptables script, do "iptables save" and "iptables restart" to get it back working.

I have compared the INPUT, FORWARD and OUTPUT chains which are changed with my previous shorewall configuration and they are the same, so I think there are some things from shorewall remaining on my system which are restored when I start my internet connection. I have searched my system completely to find any remaining parts of shorewall but I couldn't find anything which could cause this problem.

I am using Gentoo Linux and I tried to solve this problem already with help of the gentoo mailing list. You can find the relevant thread here
http://thread.gmane.org/gmane.linux.gentoo.user/177640
and here
http://thread.gmane.org/gmane.linux.gentoo.user/177639
This thread shows my initial problem with shorewall and my actual problem.

I looked in your Shorewall Support Guide but my problem doesn't fit in the scheme, so I give the information I have, but when you need anything further feel free to ask for it!

The shorewall version which caused this trouble was 3.0.8.
Below you see my current iptables rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
block      all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
block      all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain block (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
DROP       all  --  anywhere             anywhere

These are the rules I have after I started my internet connection:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        udp  --  anywhere             anywhere            udp dpts:0:1023 LOG level warning
LOG        tcp  --  anywhere             anywhere            tcp dpts:0:1023 LOG level warning
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
DROP       icmp --  anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain block (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
DROP       all  --  anywhere             anywhere

Any assistance would be appreciated!

Thank you in advance,

Daniel Pielmeier

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
David Mohr
2007-Jan-23 15:47 UTC
Re: Conflict between iptables and previous shorewall installation
Hi Daniel,

On 1/23/07, Daniel Pielmeier <daniel.pielmeier@googlemail.com> wrote:
> Hi,
>
> I have a problem concerning my previous shorewall installation.
>
> I tried to use shorewall to configure my firewall, but I couldn't get
> NAT to work. So I decided to remove shorewall and tried it with plain
> iptables. This is now working for me but every time when I start my
> network connection it seems that my handmade iptables rules are
> overwritten. I have to manually run my iptables script, do "iptables
> save" and "iptables restart" to get it back working.

What IMHO you should be asking here is how to get the NAT working with Shorewall. That's really not very hard to set up, and then in the end you'd have a full scale firewall running on your router. That's what people here on the list can help you with.

The problem you have right now is off-topic, since it is purely Gentoo related. Maybe you are lucky and someone on the list can help you, but really the better place to ask would be some Gentoo mailing list or forum.

> I have compared the INPUT, FORWARD and OUTPUT chains which are changed with
> my previous shorewall configuration and they are the same, so I think
> there are some things from shorewall remaining on my system which are
> restored when I start my internet connection. I have searched my system
> completely to find any remaining parts of shorewall but I couldn't
> find anything which could cause this problem.
>
> I am using Gentoo Linux and I tried to solve this problem already with
> help of the gentoo mailing list. You can find the relevant thread here
> http://thread.gmane.org/gmane.linux.gentoo.user/177640
> and here
> http://thread.gmane.org/gmane.linux.gentoo.user/177639
> This thread shows my initial problem with shorewall and my actual problem.

That is a very long thread that at least initially just contains the messages about you trying to get NAT working - if you want someone to help you with completely deinstalling shorewall, then I think you should post links directly to the messages related to that. If you want us to help you fix Shorewall instead, then there's no need for these links anyways, just follow the Shorewall support page instructions.

> I looked in your Shorewall Support Guide but my problem doesn't fit in the
> scheme, so I give the information I have, but when you need anything
> further feel free to ask for it!
>
> The shorewall version which caused this trouble was 3.0.8.
>
> Below you see my current iptables rules:
>
[ cut iptables output ]

Your iptables rules don't matter for these problems in any case... :-)

~David
Daniel Pielmeier
2007-Jan-23 16:23 UTC
Re: Conflict between iptables and previous shorewall installation
> That is a very long thread that at least initially just contains the
> messages about you trying to get NAT working - if you want someone to
> help you with completely deinstalling shorewall, then I think you
> should post links directly to the messages related to that. If you
> want us to help you fix Shorewall instead, then there's no need for
> these links anyways, just follow the Shorewall support page
> instructions.

Unfortunately there are two topics in this thread: first setting up shorewall, second removing shorewall completely. I give you direct links for all posts concerning the removal of shorewall, as I want to remove it and just use iptables.

http://article.gmane.org/gmane.linux.gentoo.user/177739
http://article.gmane.org/gmane.linux.gentoo.user/177745
http://article.gmane.org/gmane.linux.gentoo.user/177765
http://article.gmane.org/gmane.linux.gentoo.user/177766
http://article.gmane.org/gmane.linux.gentoo.user/177767
http://article.gmane.org/gmane.linux.gentoo.user/177768
http://article.gmane.org/gmane.linux.gentoo.user/177793
http://article.gmane.org/gmane.linux.gentoo.user/177802
http://article.gmane.org/gmane.linux.gentoo.user/177811
http://article.gmane.org/gmane.linux.gentoo.user/177819
http://article.gmane.org/gmane.linux.gentoo.user/177820
http://article.gmane.org/gmane.linux.gentoo.user/177821
http://article.gmane.org/gmane.linux.gentoo.user/177822
http://article.gmane.org/gmane.linux.gentoo.user/177825
http://article.gmane.org/gmane.linux.gentoo.user/177895
http://article.gmane.org/gmane.linux.gentoo.user/177939
http://article.gmane.org/gmane.linux.gentoo.user/178001
http://article.gmane.org/gmane.linux.gentoo.user/178001
http://article.gmane.org/gmane.linux.gentoo.user/177816

>> Below you see my current iptables rules:
>>
>
> [ cut iptables output ]
>
> Your iptables rules don't matter for these problems in any case... :-)

I just want to show in which way my rules are overwritten!

Daniel
Tom Eastep
2007-Jan-23 22:09 UTC
Re: Conflict between iptables and previous shorewall installation
Daniel Pielmeier wrote:
> Hi,
>
> I have a problem concerning my previous shorewall installation.
>
> I tried to use shorewall to configure my firewall, but I couldn't get
> NAT to work. So I decided to remove shorewall and tried it with plain
> iptables. This is now working for me but every time when I start my
> network connection it seems that my handmade iptables rules are
> overwritten. I have to manually run my iptables script, do "iptables
> save" and "iptables restart" to get it back working

Shorewall has nothing to do with that. Even when it is installed, Shorewall doesn't do anything when a network connection is restarted. If anything involved with Shorewall is getting invoked then, it is code that you or the gentoo Shorewall package added.

Look at /etc/ppp/* and see if /sbin/shorewall is mentioned in one of the files.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Daniel Pielmeier
2007-Jan-23 22:20 UTC
Re: Conflict between iptables and previous shorewall installation
> Shorewall has nothing to do with that. Even when it is installed,
> Shorewall doesn't do anything when a network connection is restarted. If
> anything involved with Shorewall is getting invoked then, it is code
> that you or the gentoo Shorewall package added.
>
> Look at /etc/ppp/* and see if /sbin/shorewall is mentioned in one of the
> files.

Thank you very much, I have activated the FIREWALL=STANDALONE option in /etc/pppoe.conf. This causes the problem. It loads new rules when activating the internet connection.

Daniel
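Tom's advice to grep /etc/ppp/* for anything invoking /sbin/shorewall, and Daniel's finding that FIREWALL=STANDALONE in /etc/pppoe.conf was reloading rules on link-up, generalise to a quick audit of "what replaces my firewall rules when the link comes up". The POSIX sh script below is an added example, not from the thread, from Shorewall or from rp-pppoe: it scans a directory tree for hook scripts and pppoe.conf settings that would load firewall rules, and reports the FIREWALL= value. The directory layout, file names and file contents are constructed samples built by the script itself, and the function names are mine; on a real system you would point it at /etc/ppp and /etc/pppoe.conf instead.

```shell
#!/bin/sh
# Added example (not part of the thread): find PPP-related files that would
# load or replace firewall rules when a connection comes up.
# Assumptions: POSIX sh with grep -r, sed, sort, mktemp; the sample tree
# created by make_sample_tree is constructed for this example.

# Print every file under $1 that mentions shorewall, iptables-restore, or a
# FIREWALL= setting (rp-pppoe's pppoe.conf uses FIREWALL=STANDALONE or
# FIREWALL=MASQUERADE to install its own rules). Output is sorted in the C
# locale so callers get a stable order.
find_firewall_hooks() {
    dir="$1"
    grep -rlE 'shorewall|iptables-restore|^[[:space:]]*FIREWALL=' "$dir" 2>/dev/null \
        | LC_ALL=C sort
}

# Report the value of the last FIREWALL= line in a pppoe.conf-style file,
# or NONE when the file does not set it (rp-pppoe treats NONE as "leave my
# rules alone").
pppoe_firewall_setting() {
    f="$1"
    v=$(sed -n 's/^[[:space:]]*FIREWALL=\(.*\)$/\1/p' "$f" | tail -n 1)
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'NONE\n'
}

# Build a constructed sample tree (stands in for /etc) so the script runs
# offline. Prints the root directory; the caller removes it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/ppp/ip-up.d"
    # constructed pppoe.conf with the setting Daniel found
    cat > "$root/pppoe.conf" <<'EOF'
# constructed sample, modelled on rp-pppoe's pppoe.conf
ETH=eth0
FIREWALL=STANDALONE
EOF
    # constructed ip-up hook of the kind Tom suggested looking for
    cat > "$root/ppp/ip-up.d/10-firewall" <<'EOF'
#!/bin/sh
# constructed sample hook: restarts shorewall whenever the link comes up
/sbin/shorewall restart
EOF
    # constructed file with no firewall references, to show it is skipped
    cat > "$root/ppp/options" <<'EOF'
noauth
defaultroute
EOF
    printf '%s\n' "$root"
}

# Usage demo: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "files that touch firewall rules on link-up:"
    find_firewall_hooks "$root"
    echo "pppoe.conf FIREWALL setting: $(pppoe_firewall_setting "$root/pppoe.conf")"
    rm -rf "$root"
fi
```

Against a live system the two calls would be `find_firewall_hooks /etc/ppp` plus `find_firewall_hooks /etc/pppoe.conf`, and the fix for Daniel's case is the setting itself (FIREWALL=NONE in pppoe.conf, or removing the hook), after which the rules shown before the connection start should survive a reconnect.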