Hi Again,

There's nothing easy about learning a firewall without trial and error.... :(

I try to do 2 things:

1. To block any http connection with REJECT
2. Forward connection for my torrent port 64198 working at 10.1.1.5

These are my conf files, hope someone can correct my mistake

ZONES
    fw   firewall
    net  ipv4
    loc  ipv4

INTERFACES
    net  ppp0  -
    loc  eth1  10.1.1.255

POLICY
    all  all  ACCEPT

MASQ
    ppp0  10.1.1.0/8

RULES
    DNAT    net  loc:10.1.1.5  tcp  64198  64198
    REJECT  net  loc:10.1.1.1  tcp  http   http

I have tried to change a few options but nothing seems to be working.

For the http, the way I try it out is by typing my external ip (from my ISP) but it still opens my Apache page.

Cheers

------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. The future of the web can't happen without you. Join us at MIX09 to help pave the way to the Next Web now. Learn more and register at http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
On Sat, Dec 06, 2008 at 01:18:18AM -0800, Phillipus Gunawan wrote:
>
> RULES
> DNAT net loc:10.1.1.5 tcp 64198 64198
> REJECT net loc:10.1.1.1 tcp http http
>

Both of those rules will only affect traffic destined for port {64198,http} on the specified host in the local zone *only* if the source port for the connection at the remote end is originating from port {64198,http}. The solution is to eliminate the use of the source port column in your rules.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Thanks for your reply,

indeed, the rule:

    DNAT net loc:10.1.1.5 tcp 64198

works perfectly, but none of these do:

    REJECT net loc:10.1.1.1 tcp http
    REJECT net loc:10.1.1.1 tcp 80
    DROP net loc:10.1.1.1 tcp http
    DROP net loc:10.1.1.1 tcp 80

or combinations with 'loc' only.

I tried each of the rules above, one by one, but if I open my external ip address given by my ISP, the connection is still there, not blocking or rejecting it.

Please help?
On Sat, Dec 06, 2008 at 06:21:29AM -0800, Phillipus Gunawan wrote:
> Thanks for your reply,
>
> indeed, the rule:
>
> DNAT net loc:10.1.1.5 tcp 64198
>
> works perfectly, but either one of these are not
>
> REJECT net loc:10.1.1.1 tcp http
> REJECT net loc:10.1.1.1 tcp 80
> DROP net loc:10.1.1.1 tcp http
> DROP net loc:10.1.1.1 tcp 80
>
> or combination with 'loc' only
>
> i tried each of the rules above, one by one,
> but if I open my external ip address given by my isp,
> the connection still there, not blocking or rejecting it
>
> please help?
>

Please submit the output of 'shorewall dump' *after* trying to connect to the HTTP port from outside of your network.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
I attached a rar file.

Right after I restart shorewall, I try to connect to my external ip: 777.777.777.777:80 and bang.... still showing my web page... :(

Thanks for the reply
On Sat, Dec 06, 2008 at 06:40:50AM -0800, Phillipus Gunawan wrote:
> I attached rar file
> right after i restart shorewall, try to connect to my external ip:
> 777.777.777.777:80
> and bang.... still showing my web page... :(
>
> thanks for the reply

A few things:

1. Please don't mangle the output of 'shorewall dump'. IP addresses ARE NOT SECRET! All you do is make it more difficult to diagnose the problem and help you.

2. Please consider upgrading to Shorewall-perl (not specifically related to this problem, but a good idea nonetheless).

3. Please use a standard archive format (hint: RAR is not a standard archive format). Customarily, for a single file, it is posted as a .txt.gz, or .txt.bz, or even a .zip file.

4. Please fix your mail client, as it is completely destroying threading.

The only connections associated with your 777.777.777.777:80 connection look like this:

    tcp 6 431792 ESTABLISHED src=10.1.1.12 dst=203.26.28.162 sport=2701 dport=80 packets=8 bytes=3677 src=203.26.28.162 dst=777.777.777.777 sport=80 dport=2701 packets=8 bytes=4649 [ASSURED] mark=0 use=1

So, it looks like you are accessing from within your loc zone. If the rule is rejecting traffic from the net zone, that will not work. You need to attempt the connection from a machine completely outside your network (i.e., from a source address that is in your net zone).

That said, your IP configuration also looks broken:

    3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:e0:4c:50:16:70 brd ff:ff:ff:ff:ff:ff
        inet 10.1.1.1/8 brd 10.255.255.255 scope global eth1
    10: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1492 qdisc pfifo_fast qlen 3
        link/ppp
        inet 777.777.777.777 peer 10.20.20.125/32 scope global ppp0

    10.20.20.125 dev ppp0 proto kernel scope link src 777.777.777.777
    10.0.0.0/8 dev eth1 proto kernel scope link src 10.1.1.1
    default dev ppp0 scope link

The address of ppp0 is within the range assigned to eth1.

Also, this section of the dump is blank:

    Log (/var/log/messages)

So, unless you completely turned off logging in /etc/shorewall/policy (the default if you follow the documentation is to log DROP and REJECT at info level), then nothing is being blocked by your system. From the looks of the other parts of the dump, you have disabled logging for DROP and REJECT, which is making it difficult to get a complete picture.

I recommend:

- turn on info logging in your policy (perhaps even for *all* connections, at least for troubleshooting, then return to just info logging for REJECT and DROP connections)
- Fix your eth1's configuration (you almost certainly can get by with something smaller than an address from 10/8, perhaps a 192.168.x/24 address, or at least pick a smaller range from 10/8).
- Please follow the additional guidelines from above.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
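To make the zone point above concrete, here is an added example (not code from the thread or from the Shorewall project) that reads the conntrack line quoted in the reply, reports which zone the connection was opened from, and checks whether a WAN-side address such as the ppp0 peer falls inside the local subnet. It assumes eth1 carries the whole of 10.0.0.0/8, as the dump shows, and that any address outside it belongs to the net zone.

```python
import ipaddress
import re

# Added example, not from the thread. Interface table modelled on the poster's
# config: eth1 (loc) is 10.1.1.1/8, i.e. the whole of 10.0.0.0/8; anything
# not on a known local subnet is treated as the 'net' zone.
LOC_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Conntrack entries list the original direction first, then the reply direction.
CT_TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def zone_of(addr):
    """'loc' if the address falls in a local subnet, otherwise 'net'."""
    ip = ipaddress.ip_address(addr)
    return "loc" if any(ip in net for net in LOC_NETS) else "net"


def connection_origin(conntrack_line):
    """(source zone, source IP, destination port) of the side that opened the connection."""
    m = CT_TUPLE.search(conntrack_line)   # first tuple = original direction
    if m is None:
        raise ValueError("no src/dst tuple in line")
    src, _dst, _sport, dport = m.groups()
    return zone_of(src), src, int(dport)


def rule_applies(rule_source_zone, conntrack_line):
    """Would a rule whose SOURCE zone is rule_source_zone have been consulted at all?"""
    zone, _ip, _port = connection_origin(conntrack_line)
    return zone == rule_source_zone


def overlaps_local(addr_or_net):
    """True if a WAN-side address (e.g. the ppp0 peer) lands inside a local subnet."""
    target = ipaddress.ip_network(addr_or_net, strict=False)
    return any(target.overlaps(net) for net in LOC_NETS)


# The conntrack line quoted in the thread (the poster's own test connection).
DUMP_LINE = ("tcp 6 431792 ESTABLISHED src=10.1.1.12 dst=203.26.28.162 sport=2701 "
             "dport=80 packets=8 bytes=3677 src=203.26.28.162 dst=777.777.777.777 "
             "sport=80 dport=2701 packets=8 bytes=4649 [ASSURED] mark=0 use=1")

if __name__ == "__main__":
    print(connection_origin(DUMP_LINE))        # ('loc', '10.1.1.12', 80)
    print(rule_applies("net", DUMP_LINE))      # False: a net->loc rule never saw it
    print(overlaps_local("10.20.20.125/32"))   # True: the ppp0 peer sits inside 10/8
```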
Phillipus Gunawan wrote:
> Thanks for your reply,
>
> indeed, the rule:
>
> DNAT net loc:10.1.1.5 tcp 64198
>
> works perfectly, but either one of these are not
>
> REJECT net loc:10.1.1.1 tcp http
> REJECT net loc:10.1.1.1 tcp 80
> DROP net loc:10.1.1.1 tcp http
> DROP net loc:10.1.1.1 tcp 80
>
> or combination with 'loc' only
>
> i tried each of the rules above, one by one,
> but if I open my external ip address given by my isp,
> the connection still there, not blocking or rejecting it

Two things:

a) If you are trying to block 10.1.1.1 from accessing the WWW, then your rules are backward. You want:

    REJECT loc:10.1.1.1 net tcp http

b) Shorewall generates a *stateful* firewall. So rules are only consulted for *new connections*. So if there is an existing connection from 10.1.1.1 to a web server on the net, inserting the above rule will not break that connection; it rather prevents new connections from being established.
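As an added example (not code from the thread or from Shorewall), a small Python checker that reads rules-file lines the way the two replies describe: it flags a filled SOURCE PORT column, the problem Roberto pointed out earlier in the thread, and spells out the source-to-destination direction each rule matches for new connections, the point made just above. It assumes the column layout ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT and treats "-" as an empty column.

```python
# Added example, not from the thread: parse Shorewall 'rules' lines and
# report (a) a filled SOURCE PORT column and (b) the direction the rule
# actually matches, since rules apply to NEW connections from SOURCE to DEST.
COLUMNS = ["action", "source", "dest", "proto", "dport", "sport"]


def parse_rule(line):
    """Map the first six columns of a rules-file line to Shorewall column names."""
    fields = line.split()
    rule = {col: None for col in COLUMNS}
    for col, value in zip(COLUMNS, fields):
        rule[col] = None if value == "-" else value   # '-' is Shorewall's empty column
    return rule


def describe_rule(line):
    """Plain-English reading of which NEW connections the rule matches."""
    r = parse_rule(line)
    text = f"{r['action']} new {r['proto'] or 'any'} connections from {r['source']} to {r['dest']}"
    if r["dport"]:
        text += f" on destination port {r['dport']}"
    if r["sport"]:
        text += f" only when the client's source port is {r['sport']}"
    return text


def lint_rule(line):
    """Warnings for one rule line; an empty list means nothing suspicious."""
    r = parse_rule(line)
    warnings = []
    if r["sport"]:
        warnings.append(
            f"SOURCE PORT column is set to {r['sport']}: clients pick ephemeral "
            "source ports, so this rule will almost never match; leave it empty.")
    return warnings


def strip_source_port(line):
    """Rewrite the rule without the SOURCE PORT column (the fix suggested in the thread)."""
    r = parse_rule(line)
    return " ".join(r[col] or "-" for col in COLUMNS[:5])


if __name__ == "__main__":
    for rule in ("DNAT net loc:10.1.1.5 tcp 64198 64198",
                 "REJECT net loc:10.1.1.1 tcp http http",
                 "REJECT loc:10.1.1.1 net tcp http"):
        print(describe_rule(rule), lint_rule(rule), sep="\n  ")
```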