The original post was over 300,000kb so I didn't spam the list with it -TE.

| Thank you for your quick and helpful response.
|
| I didn't understand that the virtual interface eth0:1 doesn't count as a separate instance from eth0.
| I am sorry to ask for further assistance and would appreciate any help. The error message on starting shorewall is:
|
| "iptables v1.2.9: invalid TCP port/service `66.17.65.22' specified"
|
| (i recognize that it is difficult to read the rules file in this format and have attached a text
| file for your convenience; this is my first time using a list serv so please advise me if there is a better way to do this; my searches on this site and at google have returned no results for "invalid TCP port/service"; i suspect that my searches are not good and would appreciate any help in searching this list better and asking fewer questions):
|
| /etc/shorewall/rules
| #ACTION   SOURCE   DEST                PROTO   DEST    ORIGINAL
| #                                              PORT    DEST
| DNAT      net      dmz:192.168.202.7   tcp     smtp    66.17.65.22   #Mail FROM Internet

You can't just decide to delete one column (CLIENT PORT(S)) from the rules file!!!!!!!!!!!!!!!!!! If you don't want to specify a CLIENT PORT then you must enter "-" in that column.

From /etc/shorewall/rules under "CLIENT PORT(S)":

# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#

In the above rules (and in all of your rules for that matter), the ORIGINAL DEST IP address will be interpreted as the SOURCE PORT. I suggest that you take a bit more time reading the instructions before you dive into adding entries to the configuration files; this is the second instance where you have overlooked/ignored instructions that were right in front of you.
-Tom

Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Thanks for your quick and helpful responses to my questions. I am grateful when you take your time to help me with a problem. I have been able to load shorewall without any error messages.

I am attempting to test my DNS and MAIL servers that I just moved behind my shorewall router. My DNS server can Dig and get report correctly when I access it from the root prompt and from a pc on the local net. However, it does not respond to queries generated from www.dnsreport.com and http://us.mirror.menandmice.com/cgi-bin/DoDig?host=testy.substantis.com&domain=att.com&type=A&recur=on

The same is true for my MAIL server using DNS report.

I have attempted to follow the DNAT troubleshooting which shows that I have zero packets hitting my rules. I have the default shorewall.conf file except that i have set ADD_SNAT_ALIASES=Yes. My LOGRATE= LOGBURST= variables are cleared.

The only "error" message I can get when doing the troubleshooting steps is that I can't generate a log. When I run /sbin/shorewall show log? I get:

Shorewall-2.0.8 Chain log? at ns2.substantis.com - Fri Sep 17 09:07:19 EDT 2004
Counters reset Fri Sep 17 09:00:22 EDT 2004
iptables: Table does not exist (do you need to insmod?)

I also attempted to eliminate the arping issue using the suggested procedure but got no response (no error message) and after about a 10 minute interval i just terminated the command with CONTROL Z.

I have attached my shorewall status.txt and shorewall.conf file.
Mandatory Information as Per the Reporting Guidelines:

The complete, exact output of ip addr show is:

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
5: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0e:2e:0f:89:8c brd ff:ff:ff:ff:ff:ff
    inet 69.17.65.22/24 brd 69.17.65.255 scope global eth0
    inet 66.17.75.22/32 scope global eth0
    inet 66.17.65.161/32 scope global eth0:1
    inet 69.17.65.161/24 brd 69.17.65.255 scope global secondary eth0:1
    inet6 fe80::20e:2eff:fe0f:898c/64 scope link
       valid_lft forever preferred_lft forever
6: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:bd:2e:85:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.100/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::230:bdff:fe2e:8555/64 scope link
       valid_lft forever preferred_lft forever
7: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:c0:4f:8b:03:24 brd ff:ff:ff:ff:ff:ff
    inet 192.168.202.1/24 brd 192.168.202.255 scope global eth2
    inet6 fe80::2c0:4fff:fe8b:324/64 scope link
       valid_lft forever preferred_lft forever
8: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

The complete, exact output of ip route show is:

69.17.65.0/24 dev eth0  proto kernel  scope link  src 69.17.65.22
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.100
192.168.202.0/24 dev eth2  proto kernel  scope link  src 192.168.202.1
169.254.0.0/16 dev eth2  scope link
default via 69.17.65.1 dev eth0
please excuse the cut and paste error on my prior post. my complete post follows here:

Thanks for your quick and helpful responses to my questions. I am grateful when you take your time to help me with a problem. I have been able to load shorewall without any error messages.

I am attempting to test my DNS and MAIL servers that I just moved behind my shorewall router. My DNS server can Dig and get report correctly when I access it from the root prompt and from a pc on the local net. However, it does not respond to queries generated from www.dnsreport.com and http://us.mirror.menandmice.com/cgi-bin/DoDig?host=testy.substantis.com&domain=att.com&type=A&recur=on

The same is true for my MAIL server using DNS report.

I have attempted to follow the DNAT troubleshooting which shows that I have zero packets hitting my rules. I have the default shorewall.conf file except that i have set ADD_SNAT_ALIASES=Yes. My LOGRATE= LOGBURST= variables are cleared.

The only "error" message I can get when doing the troubleshooting steps is that I can't generate a log. When I run /sbin/shorewall show log? I get:

Shorewall-2.0.8 Chain log? at ns2.substantis.com - Fri Sep 17 09:07:19 EDT 2004
Counters reset Fri Sep 17 09:00:22 EDT 2004
iptables: Table does not exist (do you need to insmod?)

I also attempted to eliminate the arping issue using the suggested procedure but got no response (no error message) and after about a 10 minute interval i just terminated the command with CONTROL Z.

I have attached my shorewall status.txt and shorewall.conf file.
Mandatory Information as Per the Reporting Guidelines:

The complete, exact output of ip addr show is:

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
5: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0e:2e:0f:89:8c brd ff:ff:ff:ff:ff:ff
    inet 69.17.65.22/24 brd 69.17.65.255 scope global eth0
    inet 66.17.75.22/32 scope global eth0
    inet 66.17.65.161/32 scope global eth0:1
    inet 69.17.65.161/24 brd 69.17.65.255 scope global secondary eth0:1
    inet6 fe80::20e:2eff:fe0f:898c/64 scope link
       valid_lft forever preferred_lft forever
6: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:bd:2e:85:55 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.100/24 brd 192.168.0.255 scope global eth1
    inet6 fe80::230:bdff:fe2e:8555/64 scope link
       valid_lft forever preferred_lft forever
7: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:c0:4f:8b:03:24 brd ff:ff:ff:ff:ff:ff
    inet 192.168.202.1/24 brd 192.168.202.255 scope global eth2
    inet6 fe80::2c0:4fff:fe8b:324/64 scope link
       valid_lft forever preferred_lft forever
8: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

The complete, exact output of ip route show is:

69.17.65.0/24 dev eth0  proto kernel  scope link  src 69.17.65.22
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.100
192.168.202.0/24 dev eth2  proto kernel  scope link  src 192.168.202.1
169.254.0.0/16 dev eth2  scope link
default via 69.17.65.1 dev eth0

/etc/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
#
net     eth0        detect      norfc1918,routefilter
#
net     eth0:1      detect      rfc1918,routefilter
loc     eth1        detect                              # We want to
dmz     eth2        detect                              # substitute broadcast

/etc/masq
#INTERFACE   SUBNET              ADDRESS        PROTO   PORT(S)
eth0         192.168.202.7/32    66.17.75.22
eth0:1       192.168.202.8/32    66.17.65.161
eth0:1       192.168.0.0/29      66.17.65.161

/etc/policy
#SOURCE   DEST   POLICY   LOG      LIMIT:BURST
#                         LEVEL
loc       net    ACCEPT
loc       net    ACCEPT
loc       fw     ACCEPT
loc       dmz    ACCEPT
fw        net    ACCEPT
fw        loc    ACCEPT
fw        dmz    ACCEPT
dmz       fw     ACCEPT
dmz       loc    ACCEPT
dmz       net    ACCEPT
net       all    DROP     info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all       all    REJECT   info

/etc/shorewall/rules
# According to FAQ 30, "... if you masquerade or use SNAT from your
# local network to the internet then you will need to use DNAT rules to allow
# connections from the internet to your local network. In all other cases,
# you use ACCEPT unless you need to hijack connections as they go through
# your firewall and handle them on the firewall box itself; in that case,
# you use a REDIRECT rule."
#
#ACTION   SOURCE               DEST                PROTO   DEST      SOURCE    ORIGINAL       RATE    USER/
#                                                          PORT      PORT(S)   DEST           LIMIT   GROUP
ACCEPT    net                  dmz                 icmp    echo-request
ACCEPT    net                  loc                 icmp    echo-request
ACCEPT    dmz                  loc                 icmp    echo-request
ACCEPT    loc                  dmz                 icmp    echo-request
DNAT      net                  dmz:192.168.202.7   tcp     smtp      -         66.17.65.22    #Mail FROM Internet
DNAT      net                  dmz:192.168.202.7   tcp     imap      -         66.17.65.22    #IMAP FROM Internet
DNAT      loc                  dmz:192.168.202.7   tcp     smtp      -         66.17.65.22    #Mail FROM local Network
DNAT      loc                  dmz:192.168.202.7   tcp     imap      -         66.17.65.22    #IMAP FROM local Network
DNAT      fw                   dmz:192.168.202.7   tcp     smtp      -         66.17.65.22    #Mail FROM the Firewall
ACCEPT    dmz:192.168.202.7    net                 tcp     smtp                               #Mail to the Firewall
DNAT      net                  dmz:192.168.202.7   tcp     http      -         66.17.65.22    #WWW FROM Internet
DNAT      net                  dmz:192.168.202.7   tcp     https     -         66.17.65.22    #Secure WWW
DNAT      net                  dmz:192.168.202.7   tcp     https     -         66.17.65.22    #Secure WWW FROM Internet
DNAT      loc                  dmz:192.168.202.7   tcp     https     -         66.17.65.22    #Secure WWW FROM local Network
DNAT      net                  dmz:192.168.202.7   udp     domain    -         66.17.65.22    #UDP DNS FROM Internet
DNAT      net                  dmz:192.168.202.7   tcp     domain    -         66.17.65.22    #TCP DNS FROM Internet
DNAT      loc                  dmz:192.168.202.7   udp     domain    -         66.17.65.22    #UDP DNS FROM Local Network
DNAT      loc                  dmz:192.168.202.7   tcp     domain    -         66.17.65.22    #TCP DNS FROM Local Network
DNAT      fw                   dmz:192.168.202.7   udp     domain    -         66.17.65.22    #UDP DNS FROM the Firewall
DNAT      fw                   dmz:192.168.202.7   tcp     domain    -         66.17.65.22    #TCP DNS FROM the Firewall
ACCEPT    dmz:192.168.202.7    net                 udp     domain                             #UDP DNS to the Internet
ACCEPT    dmz:192.168.202.7    net                 tcp     domain                             #TCP DNS to the Internet
ACCEPT    loc                  dmz                 tcp     ssh                                #SSH to the DMZ
ACCEPT    net                  fw                  tcp     ssh                                #SSH to the Firewall
DNAT      net                  dmz:192.168.202.8   tcp     smtp      -         66.17.65.161   #Mail FROM Internet
DNAT      net                  dmz:192.168.202.8   tcp     imap      -         66.17.65.161   #IMAP FROM Internet
DNAT      loc                  dmz:192.168.202.8   tcp     smtp      -         66.17.65.161   #Mail FROM local Network
DNAT      loc                  dmz:192.168.202.8   tcp     imap      -         66.17.65.161   #IMAP FROM local Network
DNAT      fw                   dmz:192.168.202.8   tcp     smtp      -         66.17.65.161   #Mail FROM the Firewall
ACCEPT    dmz:192.168.202.8    net                 tcp     smtp      -                        #Mail to the Firewall
DNAT      net                  dmz:192.168.202.8   tcp     http      -         66.17.65.161   #WWW FROM Internet
DNAT      net                  dmz:192.168.202.8   tcp     https     -         66.17.65.161   #Secure WWW FROM Internet
DNAT      loc                  dmz:192.168.202.8   tcp     https     -         66.17.65.161   #Secure WWW FROM local Network
DNAT      net                  dmz:192.168.202.8   udp     domain    -         66.17.65.161   #UDP DNS FROM
DNAT      net                  dmz:192.168.202.8   tcp     domain    -         66.17.65.161   #TCP DNS FROM Internet
DNAT      loc                  dmz:192.168.202.8   udp     domain    -         66.17.65.161   #UDP DNS FROM Local Network
DNAT      loc                  dmz:192.168.202.8   tcp     domain    -         66.17.65.161   #TCP DNS FROM Local Network
DNAT      fw                   dmz:192.168.202.8   udp     domain    -         66.17.65.161   #UDP DNS FROM the Firewall
DNAT      fw                   dmz:192.168.202.8   tcp     domain    -         66.17.65.161   #TCP DNS FROM the Firewall
ACCEPT    dmz:192.168.202.8    net                 udp     domain                             #UDP DNS to the Internet
ACCEPT    dmz:192.168.202.8    net                 tcp     domain                             #TCP DNS to the Internet
On Fri, 17 Sep 2004 rioguia@speakeasy.net wrote:

> The only "error" message I can get when doing the troubleshooting steps
> is that I can't generate a log. When I /sbin/shorewall show log?
> Shorewall-2.0.8 Chain log? at ns2.substantis.com - Fri Sep 17 09:07:19
> EDT 2004 Counters reset Fri Sep 17 09:00:22 EDT 2004 iptables: Table
> does not exist (do you need to insmod?)
>

Boy, I wish you would post in plain text and configure your browser to fold long lines.

The command is:

shorewall show log

THERE IS NO QUESTION MARK ON THE END OF THE COMMAND!

I'll look at your config over the weekend -- usually however when moving systems behind a firewall, a stale upstream ARP cache is the usual problem and it can take HOURS to clear if the 'arping' trick doesn't work..

-Tom
rioguia@speakeasy.net wrote:

| The complete, exact output of ip addr show is:
| 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
|     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
|     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
|     inet6 ::1/128 scope host
|        valid_lft forever preferred_lft forever
| 5: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
|     link/ether 00:0e:2e:0f:89:8c brd ff:ff:ff:ff:ff:ff
|     inet 69.17.65.22/24 brd 69.17.65.255 scope global eth0
|     inet 66.17.75.22/32 scope global eth0

Is the above address really what you wanted (It is apparently in your /etc/shorewall/masq file and you have ADD_SNAT_ALIASES=Yes).

|     inet 66.17.65.161/32 scope global eth0:1
|     inet 69.17.65.161/24 brd 69.17.65.255 scope global secondary eth0:1
|     inet6 fe80::20e:2eff:fe0f:898c/64 scope link
|        valid_lft forever preferred_lft forever

-Tom
sorry about the posting format. i cut and paste from vi. my editor claims i am transmitting in text. i am trying forwarding this to my email server and sending from squirrelmail. i hope this will solve the format problem.

66.17.75.22 is an error. it should be 66.17.65.22. sorry for the stupid question. i've been up all night working on this. i am surprised that the DNS server was able to successfully process queries for external domains (like dexter1976.com, yahoo.com, etc.)
On Fri, 17 Sep 2004 rioguia@speakeasy.net wrote:

> sorry about the posting format. i cut and paste from vi. my editor
> claims i am transmitting in text. i am trying forwarding this to my
> email server and sending from squirrelmail. i hope this will solve the
> format problem.
>

It didn't -- each of your paragraphs is one long line.

> 66.17.75.22 is an error. it should be 66.17.65.22. sorry for the stupid
> question. i've been up all night working on this. i am
> surprised that the DNS server was able to successfully
> process queries for external domains (like
> dexter1976.com,yahoo.com, etc.)
>

If you correct that error, be sure to reset ADD_SNAT_ALIASES=Yes.

-Tom
Tom Eastep wrote:
| On Fri, 17 Sep 2004 rioguia@speakeasy.net wrote:
|
|> sorry about the posting format. i cut and paste from vi. my editor
|> claims i am transmitting in text. i am trying forwarding this to my
|> email server and sending from squirrelmail. i hope this will solve the
|> format problem.
|>
|
| It didn't -- each of your paragraphs is one long line.
|
|> 66.17.75.22 is an error. it should be 66.17.65.22. sorry for the stupid
|> question. i've been up all night working on this. i am
|> surprised that the DNS server was able to successfully
|> process queries for external domains (like
|> dexter1976.com,yahoo.com, etc.)
|>
|
| If you correct that error, be sure to reset ADD_SNAT_ALIASES=Yes

That is, you want ADD_SNAT_ALIASES=No -- otherwise, Shorewall will delete the primary IP address and then re-add it, thus removing your default route.

-Tom
Thank you for your prompt help. I repeated the dns troubleshooting steps with the same results and same results for arping. Should I repost with updated status and shorewall.conf file?

> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

-- Michael Worden
Michael Worden wrote:
| Thank you for your prompt help. I repeated the dns troubleshooting steps
| with the same results and same results for arping. Should I repost with
| updated status and shorewall.conf file?

There are very detailed instructions at http://shorewall.net/ProxyARP.htm that show how to determine if a stale ARP cache is the problem. Have you followed those instructions?

Also what do you mean by "...same results for arping"?

-Tom
i believe that i am having a problem with DNAT. None of my external services are available when testing from a shell account on a server at my ISP. all of my requests generated by external shell accounts are being rejected as "smurfs." according to the shorewall status command. (status file attached)

SAMPLE OUTPUT FROM STATUS FILE (my shell account is IP 69.17.110.70)

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain smurfs (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       69.17.65.255         0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       69.17.65.255         0.0.0.0/0
    0     0 LOG        all  --  *      *       192.168.0.255        0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       192.168.0.255        0.0.0.0/0
    0     0 LOG        all  --  *      *       192.168.202.255      0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       192.168.202.255      0.0.0.0/0
    0     0 LOG        all  --  *      *       255.255.255.255      0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 LOG        all  --  *      *       224.0.0.0/4          0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0

Sep 18 16:51:49 net2all:DROP:IN=eth0 OUT= SRC=216.254.0.218 DST=69.17.65.22 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=27246 DF PROTO=TCP SPT=52942 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 18 16:51:49 net2all:DROP:IN=eth0 OUT= SRC=216.254.0.208 DST=69.17.65.22 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=32098 DF PROTO=TCP SPT=42871 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 18 16:51:50 net2all:DROP:IN=eth0 OUT= SRC=69.17.110.70 DST=69.17.65.22 LEN=62 TOS=0x00 PREC=0x00 TTL=60 ID=43451 DF PROTO=UDP SPT=57620 DPT=53 LEN=42

i have reviewed my /shorewall/interfaces file and don't have that option selected. furthermore, to simplify i have commented out all options.

SHOREWALL/INTERFACE
net     eth0    detect    # norfc1918,routefilter
loc     eth1    detect
dmz     eth2    detect

OTHER TROUBLESHOOTING AS PER FAQ'S ON DNAT

i have successfully shown that I do not have an arp cache problem (with the following results from my firewall machine); the gateway has the correct hardware address for my firewall card.

[root@ns2 root]# tcpdump -nei eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:18:02.665168 00:0e:2e:0f:89:8c > 00:90:1a:40:90:1c, ethertype IPv4 (0x0800), length 98: IP 69.17.65.22 > 69.17.65.1: icmp 64: echo request seq 0
14:18:02.689883 00:90:1a:40:90:1c > 00:0e:2e:0f:89:8c, ethertype IPv4 (0x0800), length 98: IP 69.17.65.1 > 69.17.65.22: icmp 64: echo reply seq 0

I have followed the steps in (FAQ 1a) and have eliminated these issues.

1. I am not trying to test from inside your firewall. For example, using a shell account from my ISP, I have tested the mail server and DNS server as follows:

/home/r/rioguia % telnet testy.substantis.com 25
Trying 69.17.65.22...
telnet: Unable to connect to remote host: Connection timed out
/home/r/rioguia %
/home/r/rioguia % dig @testy.substantis.com yahoo.com

; <<>> DiG 9.2.4rc5 <<>> @testy.substantis.com yahoo.com
;; global options:  printcmd
;; connection timed out; no servers could be reached

2. I do not have any basic problem with my DMZ server. The DMZ's server has the correct address and is set to the default gateway (IP address of the firewall's internal interface 192.168.202.1). My ISP does not block any inbound ports because the server works fine when it is directly attached to the ISP's modem.

3. I am not running Mandrake Linux (Fedora Core 2).

I have run the troubleshooting suggested in (FAQ 1b) to further diagnose this problem:

1. I have run "iptables -t nat -Z" to clear the NetFilter counters in the nat table and attempted to connect to the redirected port from an external host (as shown above).

2. As root I typed "shorewall show nat | more" and located the appropriate DNAT rule and found the packet count is zero (see results)

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            66.17.65.22         tcp dpt:25 to:192.168.202.7
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            66.17.65.22         tcp dpt:143 to:192.168.202.7
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            66.17.65.22         tcp dpt:80 to:192.168.202.7
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            66.17.65.22         tcp dpt:443 to:192.168.202.7
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            66.17.65.22         udp dpt:53 to:192.168.202.7
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            66.17.65.22         tcp dpt:53 to:192.168.202.7

I am not trying to connect to a secondary IP address on my firewall although I have specified the secondary IP address in the "ORIG. DEST." column in my DNAT rule for my other server at 192.168.202.8.

I have installed Ethereal and output the two above attempts to connect to my server by the shell account into two text files port_capture_mail and port_capture_dig to aid in further troubleshooting. To ease your review of these files, you should know that my shell account is at 69.17.110.69

I would be grateful to know if there is a better way to capture this information or a resource to help me interpret the results.

> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Saturday, September 18, 2004 03:25 PM
> To: mworden@substantis.com, 'Mailing List for Shorewall Users'
> Subject: Re: [Shorewall-users] start error
rioguia@speakeasy.net wrote:
| i believe that i am having a problem with DNAT. None of my external services are available when testing from a shell account on a server at my ISP. all of my requests generated by external shell accounts are being rejected as "smurfs." according to the shorewall status command.

Nonsense -- all of the packet counts were zero and the smurfs chain has no references.

|
| Sep 18 16:51:49 net2all:DROP:IN=eth0 OUT= SRC=216.254.0.218 DST=69.17.65.22 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=27246 DF PROTO=TCP SPT=52942 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
| Sep 18 16:51:49 net2all:DROP:IN=eth0 OUT= SRC=216.254.0.208 DST=69.17.65.22 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=32098 DF PROTO=TCP SPT=42871 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
| Sep 18 16:51:50 net2all:DROP:IN=eth0 OUT= SRC=69.17.110.70 DST=69.17.65.22 LEN=62 TOS=0x00 PREC=0x00 TTL=60 ID=43451 DF PROTO=UDP SPT=57620 DPT=53 LEN=42
|
|
| Chain net_dnat (1 references)
|  pkts bytes target     prot opt in     out     source               destination
|     0     0 DNAT       tcp  --  *      *       0.0.0.0/0            66.17.65.22         tcp dpt:25 to:192.168.202.7
|     0     0 DNAT       tcp  --  *      *       0.0.0.0/0            66.17.65.22         tcp dpt:143 to:192.168.202.7
|     0     0 DNAT       tcp  --  *      *       0.0.0.0/0            66.17.65.22         tcp dpt:80 to:192.168.202.7
|     0     0 DNAT       tcp  --  *      *       0.0.0.0/0            66.17.65.22         tcp dpt:443 to:192.168.202.7
|     0     0 DNAT       udp  --  *      *       0.0.0.0/0            66.17.65.22         udp dpt:53 to:192.168.202.7
|     0     0 DNAT       tcp  --  *      *       0.0.0.0/0            66.17.65.22         tcp dpt:53 to:192.168.202.7

You are sending requests to 69.17.65.22 but your DNAT rules specify 66.17.65.22.

-Tom
Tom:

Thanks for your prompt reply. I must be misreading the status file. The below quoted data is the output of shorewall status > status.txt. I agree with you that the DNAT chains all read zero but I found the below quoted data just after the chain SMURFS and before the NAT table entry in the status file. Since the data came after the SMURFS report, I assumed it was associated with that chain. Is that incorrect?

The below quoted data suggests to me that the packets coming from 69.17.110.70 (my shell account) are coming in on eth0 using a UDP protocol with a destination IP of 69.17.65.22 port of 53. These packets match my DNAT rule but are being dropped. Can you help me to better interpret the status file or tell me where I can find a reference to better interpret the status file?

Sep 18 16:51:50 net2all:DROP:IN=eth0 OUT= SRC=69.17.110.70 DST=69.17.65.22 LEN=62 TOS=0x00 PREC=0x00 TTL=60 ID=43451 DF PROTO=UDP SPT=57620 DPT=53 LEN=42
On Saturday 18 September 2004 14:46, rioguia@speakeasy.net wrote:
> Sep 18 16:51:50 net2all:DROP:IN=eth0 OUT= SRC=69.17.110.70 DST=69.17.65.22 LEN=62 TOS=0x00 PREC=0x00 TTL=60 ID=43451 DF PROTO=UDP SPT=57620 DPT=53 LEN=42

READ WHAT I SAID!!!!!!!!!!!!!!!!! YOU HAVE THE WRONG IP ADDRESS IN YOUR RULES!!!!!!!!!!!!!!!!!!!!!!!!!!!!! YOU HAVE 66.17.65.22 BUT THE CORRECT ADDRESS IS 69.17.65.22.

-Tom
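The check Tom is making by eye, as an added example that is not part of the thread: parse the net2all:DROP lines from shorewall status and compare each dropped packet's DST against the ORIGINAL DEST column of the DNAT rules, so a rule that exists for the right protocol and port but the wrong address (66.17.65.22 where the traffic goes to 69.17.65.22) is reported as such. The rules and log lines below are constructed from the values quoted in the thread; the rules-file column order follows the layout discussed earlier (with "-" in CLIENT PORT(S)), and the SERVICES table is an assumed subset of /etc/services.

```python
import re
# Constructed sample built from the values in this thread: two DNAT rules in
# /etc/shorewall/rules column order (ACTION SOURCE DEST PROTO DEST-PORT
# CLIENT-PORT ORIGINAL-DEST, "-" = any client port) and two net2all:DROP lines.
RULES = """\
DNAT net dmz:192.168.202.7 tcp smtp - 66.17.65.22
DNAT net dmz:192.168.202.7 udp 53 - 66.17.65.22
"""
LOG = """\
Sep 18 16:51:49 net2all:DROP:IN=eth0 OUT= SRC=216.254.0.218 DST=69.17.65.22 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=27246 DF PROTO=TCP SPT=52942 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 18 16:51:50 net2all:DROP:IN=eth0 OUT= SRC=69.17.110.70 DST=69.17.65.22 LEN=62 TOS=0x00 PREC=0x00 TTL=60 ID=43451 DF PROTO=UDP SPT=57620 DPT=53 LEN=42
"""
SERVICES = {"smtp": 25, "domain": 53, "http": 80, "https": 443, "imap": 143}  # assumed subset of /etc/services

def parse_rules(text):
    """Return (proto, dport, original_dest) for every DNAT line in the rules file."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[0] != "DNAT":
            continue  # comment, other action, or a line missing the ORIGINAL DEST column
        dport = int(f[4]) if f[4].isdigit() else SERVICES[f[4]]
        rules.append((f[3].lower(), dport, f[6]))
    return rules

def parse_drop(line):
    """Return the KEY=value fields of a netfilter log line, or None if it is not a DROP."""
    if ":DROP:" not in line:
        return None
    # Flag-only tokens (DF, SYN) carry no "=" and are skipped; a repeated key (LEN) keeps its last value.
    return dict(re.findall(r"(\w+)=(\S*)", line))

def explain_drops(rules, log):
    """Classify each dropped packet: covered by a DNAT rule, mismatched only on ORIGINAL DEST, or no rule."""
    report = []
    for line in log.splitlines():
        p = parse_drop(line)
        if p is None:
            continue
        proto, dst, dport = p["PROTO"].lower(), p["DST"], int(p["DPT"])
        same_service = [r for r in rules if r[0] == proto and r[1] == dport]
        if any(r[2] == dst for r in same_service):
            verdict = "matches a DNAT rule; the drop comes from elsewhere"
        elif same_service:
            verdict = "DNAT rule for %s/%d has ORIGINAL DEST %s, not %s" % (proto, dport, same_service[0][2], dst)
        else:
            verdict = "no DNAT rule for %s/%d" % (proto, dport)
        report.append((p["SRC"], dst, proto, dport, verdict))
    return report
```

Running explain_drops(parse_rules(RULES), LOG) flags both dropped packets as hitting a rule whose ORIGINAL DEST is 66.17.65.22 rather than 69.17.65.22; with the address corrected in RULES, both report as matching.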
Thank you for your kind help. Your solution (for the incorrect IP addresses in my rules) allowed the firewall to load and to route most of my traffic correctly. I am having a difficult time resolving how to approach the final problems.

To briefly recap my prior posts, I am setting up a firewall with two IP addresses using the shorewall guide for more than one IP address and IP aliasing. My primary server in the DMZ gets DNAT / SNAT for public IP address 69.17.65.22 to local address 192.168.202.7/32. My secondary server in the DMZ and the PCs on the local network get DNAT / SNAT for 69.17.65.161 for local addresses 192.168.202.8/32 and 192.168.0.0/24.

I have two specific problems. First, I have a working mail server that can receive email from behind the firewall but cannot deliver mail outside the firewall. The mail log (attached) shows that the mail server resolves the correct external address but then indicates that the connection "timed out."

Second, none of my dmz or loc computers can use a browser to reach the internet (I can browse to the local IP address of the dmz servers, however).

I have tried changing the rules and masq to do one-to-one NAT for the server and have tried several DNS approaches to solve the problem (making the firewall a caching firewall for the local PCs and using my ISP's DNS servers for resolution) but I have had no success. Could someone take a look at my shorewall status file and give me some pointers?
rioguia@speakeasy.net wrote:
| Thank you for your kind help. Your solution (for the incorrect IP addresses
| in my rules) allowed the firewall to load and to route most of my traffic
| correctly. I am having a difficult time resolving how to approach the final
| problems.
|
| To briefly recap my prior posts, I am setting up a firewall with two IP
| addresses using the shorewall guide for more than one IP address and IP
| aliasing. My primary server in the DMZ gets DNAT / SNAT for
| public IP address 69.17.65.22 to local address 192.168.202.7/32. My
| secondary server in the DMZ and the PCs on the local network get DNAT /
| SNAT for 69.17.65.161 for local addresses 192.168.202.8/32 and
| 192.168.0.0/24.
|
| I have two specific problems. First, I have a working mail server that can
| receive email from behind the firewall but cannot deliver mail outside the
| firewall. The mail log (attached) shows that the mail server resolves the
| correct external address but then indicates that the connection "timed out."
|
| Second, none of my dmz or loc computers can use a browser to reach the
| internet (I can browse to the local IP address of the dmz servers,
| however).
|
| I have tried changing the rules and masq to do one-to-one NAT for the server
| and have tried several DNS approaches to solve the problem (making the
| firewall a caching firewall for the local PCs and using my ISP's DNS
| servers for resolution) but I have had no success. Could someone take a look
| at my shorewall status file and give me some pointers?

Carefully check each entry in your /etc/shorewall/masq file -- not one of the three is correct.
- -Tom