Bruce Lyon
2003-Feb-08 06:37 UTC
[Shorewall-users] shorewall 1.3.13 "firewall" script fails with ipsec
dear list

cannot find anything to answer this query. I am running redhat 7.3 (kernel 2.4.18 custom) with iptables 1.2.5 and shorewall 1.3.13. I am running 3 eth cards, one to adsl, one to dmz and one internal.

I have successfully got ipsec to allow a winxp roadwarrior to ping from external into shorewall and into lan, but cannot get the "shorewall add ipsec0:x.x.x.x vpn1" to work. script bombs out in the firewall script it calls.

I already uploaded the patched 'firewall' script for 1.3.13 from web and it fixed one problem but I still get a problem.

I turned on -x in firewall script and this is what I get ...

there is an index problem .. in the loop. anyone come across this ??

thanks for any help.

extract as below ... see >>>>>

++ output_rule_num
+++ iptables -L OUTPUT -n --line-numbers
+++ grep icmp
+++ cut '-d ' -f1
+++ head -n1
++ local num=2
++ '[' -n 2 ']'
++ echo 3
+ do_iptables -I OUTPUT 3 -o ipsec0 -d 144.138.57.44 -j fw2vpn1
+ iptables -I OUTPUT 3 -o ipsec0 -d 144.138.57.44 -j fw2vpn1
+ read z1 z2 chain
+ '[' vpn1 = vpn1 ']'
+ '[' fw = fw ']'
+ list_search ipsec0
+ local e=ipsec0
+ '[' 1 -gt 1 ']'
+ return 1
+ rulenum=2
+ list_search ipsec0
+ local e=ipsec0
+ '[' 1 -gt 1 ']'
+ return 1
+ rulenum=3
+ list_search ipsec0
+ local e=ipsec0
+ '[' 1 -gt 1 ']'
+ return 1
+ rulenum=4
+ list_search ipsec0
+ local e=ipsec0
+ '[' 1 -gt 1 ']'
+ return 1
+ rulenum=5
++ input_chain ipsec0
+++ chain_base ipsec0
+++ local c=ipsec0
+++ echo ipsec0
++ echo ipsec0_in
+ do_iptables -I ipsec0_in 5 -s 144.138.57.44 -j vpn12fw
>>>> + iptables -I ipsec0_in 5 -s 144.138.57.44 -j vpn12fw
>>>> iptables: Index of insertion too big
>>>> + startup_error 'Error: can'\''t add -I to zone ipsec0_in'
>>>> + echo ' Error: can'\''t add -I to zone ipsec0_in'
>>>> Error: can't add -I to zone ipsec0_in
+ my_mutex_off
+ '[' -n Yes ']'
+ mutex_off
+ rm -f /var/lib/shorewall/lock
+ have_mutex
+ '[' -n /tmp/shorewall-15537 ']'
+ rm -rf /tmp/shorewall-15537
+ kill 15537
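The trace above ends with iptables rejecting "-I ipsec0_in 5" because the chain holds fewer than four rules: iptables accepts an insertion index of at most (number of rules + 1). The following shell snippet is an added example, not part of this thread or of Shorewall's own firewall script; it checks a requested index against a chain listing before the insert is attempted. The listing is a constructed sample, and the hypothetical do_iptables_insert wrapper only prints the command as a dry run, so it runs without root.

```shell
#!/bin/sh
# Constructed sample of `iptables -L ipsec0_in -n --line-numbers` output
# (not taken from the thread): the chain holds three rules, so iptables
# accepts -I indexes 1..4 and rejects 5 with "Index of insertion too big".
SAMPLE_LISTING='Chain ipsec0_in (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    dynamic    all  --  0.0.0.0/0            0.0.0.0/0
3    net2fw     all  --  0.0.0.0/0            0.0.0.0/0'

# Number of rules in a listing: the numbered lines (the two header lines
# do not start with a digit). "|| true" keeps an empty chain from failing.
rule_count() {
    printf '%s\n' "$1" | grep -c '^[0-9]' || true
}

# Largest index iptables -I accepts for that listing: one past the last rule.
max_insert_index() {
    echo $(( $(rule_count "$1") + 1 ))
}

# Exit 0 when the index can be used with -I, exit 1 otherwise.
# Failing is deliberate: silently clamping the index would push the rule to
# the end of the chain and could reorder ACCEPT/DROP decisions.
check_insert_index() {
    _max=$(max_insert_index "$1")
    [ "$2" -ge 1 ] && [ "$2" -le "$_max" ]
}

# Hypothetical wrapper: validates, then prints the command (dry run). A real
# version would read the listing with `iptables -L "$chain" -n --line-numbers`
# and then run iptables -I instead of echoing it.
do_iptables_insert() {
    chain=$1; index=$2; shift 2
    if check_insert_index "$SAMPLE_LISTING" "$index"; then
        echo "iptables -I $chain $index $*"
    else
        echo "refusing -I $chain $index: chain has $(rule_count "$SAMPLE_LISTING") rules" >&2
        return 1
    fi
}
```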
Tom Eastep
2003-Feb-08 07:23 UTC
[Shorewall-users] shorewall 1.3.13 "firewall" script fails with ipsec
Bruce Lyon wrote:

> dear list
>
> cannot find anything to answer this query. I am running redhat 7.3 (kernel
> 2.4.18 custom) with iptables 1.2.5 and shorewall 1.3.13. I am running 3
> eth cards, one to adsl, one to dmz and one internal.
>
> I have successfully got ipsec to allow a winxp roadwarrior to ping from
> external into shorewall and into lan, but cannot get the
> "shorewall add ipsec0:x.x.x.x vpn1" to work. script bombs out in the
> firewall script it calls.
>
> I already uploaded the patched 'firewall' script for 1.3.13 from web and
> it fixed one problem but I still get a problem.
>
> I turned on -x in firewall script and this is what I get ...
>
> there is an index problem .. in the loop. anyone come across this ??
>
> thanks for any help.
>
> extract as below ... see >>>>>
>
> ++ output_rule_num
> +++ iptables -L OUTPUT -n --line-numbers
> +++ grep icmp
> +++ cut '-d ' -f1
> +++ head -n1
> ++ local num=2
> ++ '[' -n 2 ']'
> ++ echo 3
> + do_iptables -I OUTPUT 3 -o ipsec0 -d 144.138.57.44 -j fw2vpn1
> + iptables -I OUTPUT 3 -o ipsec0 -d 144.138.57.44 -j fw2vpn1
> + read z1 z2 chain
> + '[' vpn1 = vpn1 ']'
> + '[' fw = fw ']'
> + list_search ipsec0
> + local e=ipsec0
> + '[' 1 -gt 1 ']'
> + return 1
> + rulenum=2
> + list_search ipsec0
> + local e=ipsec0
> + '[' 1 -gt 1 ']'
> + return 1
> + rulenum=3

Try the firewall script at:

ftp://ftp1.shorewall.net/pub/shorewall/errata/1.3.13/firewall.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Bruce Lyon
2003-Feb-08 15:35 UTC
[Shorewall-users] shorewall 1.3.13 "firewall" script fails with ipsec
Well, this updated script certainly fixed that issue. Thanks!

Bruce

---------- Forwarded message ----------
Date: Sat, 08 Feb 2003 07:06:47 -0800
From: Tom Eastep <teastep@shorewall.net>
To: Bruce Lyon <brucel@soafy.desiin.com.au>
Subject: Re: [Shorewall-users] shorewall 1.3.13 "firewall" script fails with ipsec

Bruce Lyon wrote:

> dear list
>
> cannot find anything to answer this query. I am running redhat 7.3 (kernel
> 2.4.18 custom) with iptables 1.2.5 and shorewall 1.3.13. I am running 3
> eth cards, one to adsl, one to dmz and one internal.
>
> I have successfully got ipsec to allow a winxp roadwarrior to ping from
> external into shorewall and into lan, but cannot get the
> "shorewall add ipsec0:x.x.x.x vpn1" to work. script bombs out in the
> firewall script it calls.
>
> I already uploaded the patched 'firewall' script for 1.3.13 from web and
> it fixed one problem but I still get a problem.
>
> I turned on -x in firewall script and this is what I get ...
>
> there is an index problem .. in the loop. anyone come across this ??
>
> thanks for any help.
>
> extract as below ... see >>>>>
>
> ++ output_rule_num
> +++ iptables -L OUTPUT -n --line-numbers
> +++ grep icmp
> +++ cut '-d ' -f1
> +++ head -n1
> ++ local num=2
> ++ '[' -n 2 ']'
> ++ echo 3
> + do_iptables -I OUTPUT 3 -o ipsec0 -d 144.138.57.44 -j fw2vpn1
> + iptables -I OUTPUT 3 -o ipsec0 -d 144.138.57.44 -j fw2vpn1
> + read z1 z2 chain
> + '[' vpn1 = vpn1 ']'
> + '[' fw = fw ']'
> + list_search ipsec0
> + local e=ipsec0
> + '[' 1 -gt 1 ']'
> + return 1
> + rulenum=2
> + list_search ipsec0
> + local e=ipsec0
> + '[' 1 -gt 1 ']'
> + return 1
> + rulenum=3

Try the firewall script at:

ftp://ftp1.shorewall.net/pub/shorewall/errata/1.3.13/firewall.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net