Hi,

I've installed Emule (p2p program) on my client box but I can't access the servers due to the firewall. I'm getting these blocking errors:

Jan 22 01:26:07 servidor kernel: Shorewall:net2all:DROP:IN=eth1 OUT=eth0 SRC=213.22.49.86 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=50538 DF PROTO=TCP SPT=46408 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0

My rules file has:

ACCEPT net fw udp 53 -
ACCEPT net fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
ACCEPT masq fw udp 53 -
ACCEPT masq fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
ACCEPT loc fw udp 53 -
ACCEPT loc fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT fw masq tcp 631,137,138,139 -
ACCEPT fw masq udp 631,137,138,139 -
ACCEPT fw net tcp 4661,4662 -
ACCEPT fw net udp 3665,4665 -
DNAT net loc:192.168.0.3 udp 4665 -
DNAT net loc:192.168.0.3 tcp 4661,4662,4672 -

I've tried different configurations but none worked so far... Any idea what the problem is?

Thanks
Feijao
--On Wednesday, January 22, 2003 1:30 AM +0000 Feijao <feijao@feijao.net> wrote:

> Hi,
>
> I've installed Emule (p2p program) on my client box but I can't access
> the servers due to the firewall.
>
> I'm getting these blocking errors:
>
> Jan 22 01:26:07 servidor kernel: Shorewall:net2all:DROP:IN=eth1 OUT=eth0
> SRC=213.22.49.86 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=57
> ID=50538 DF PROTO=TCP SPT=46408 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0

Please see http://www.shorewall.net/support.htm -- we can't tell you ANYTHING about a log message without your /etc/shorewall/interfaces file!

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: teastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Sorry, ..

It shows

net eth1 detect
masq eth0 detect

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Wednesday, 22 January 2003 1:33
To: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Emule + Shorewall

--On Wednesday, January 22, 2003 1:30 AM +0000 Feijao <feijao@feijao.net> wrote:

> Hi,
>
> I've installed Emule (p2p program) on my client box but I can't access
> the servers due to the firewall.
>
> I'm getting these blocking errors:
>
> Jan 22 01:26:07 servidor kernel: Shorewall:net2all:DROP:IN=eth1
> OUT=eth0 SRC=213.22.49.86 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00
> TTL=57 ID=50538 DF PROTO=TCP SPT=46408 DPT=4662 WINDOW=5840 RES=0x00
> SYN URGP=0

Please see http://www.shorewall.net/support.htm -- we can't tell you ANYTHING about a log message without your /etc/shorewall/interfaces file!

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: teastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.shorewall.net
http://lists.shorewall.net/mailman/listinfo/shorewall-users
I did that, restarted shorewall and the problem persists:

Jan 22 02:04:36 servidor kernel: Shorewall:net2all:DROP:IN=eth1 OUT=eth0 SRC=213.22.49.86 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=42166 DF PROTO=TCP SPT=46498 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0

Now, my rules are:

ACCEPT net fw udp 53 -
ACCEPT net fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
ACCEPT masq fw udp 53 -
ACCEPT masq fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT fw masq tcp 631,137,138,139 -
ACCEPT fw masq udp 631,137,138,139 -
ACCEPT fw net tcp 4661,4662 -
ACCEPT fw net udp 3665,4665 -
DNAT net loc:192.168.0.3 udp 4665 -
DNAT net loc:192.168.0.3 tcp 4661,4662,4672 -

Any idea?

Thanks for the help.

>> Sorry, ..
>> It shows
>>
>> net eth1 detect
>> masq eth0 detect
>>
>
> Ok -- It looks like you have the incomprehensible Shorewall configuration that Mandrake 9.0 sets up when you enable "Internet Connection Sharing". My advice to you is either:
>
> a) Get rid of all references to the 'loc' zone in your configuration, changing 'loc' to 'masq' where necessary to retain rules; OR
> b) Toss out the Mandrake configuration, download the latest version of Shorewall and follow http://www.shorewall.net/two-interfaces.htm.
>
> The problem is that Mandrake sets up two local zones (loc and masq) that conflict with one another and it's very difficult to tell which is which.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: teastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
--On Wednesday, January 22, 2003 1:57 AM +0000 Feijao <feijao@feijao.net> wrote:

> I did that, restarted shorewall and the problem persists:

You did what?

I still see 'loc' and 'masq' in your rules below....

-Tom

> Jan 22 02:04:36 servidor kernel: Shorewall:net2all:DROP:IN=eth1 OUT=eth0
> SRC=213.22.49.86 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=57
> ID=42166 DF PROTO=TCP SPT=46498 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Now, my rules are:
>
> ACCEPT net fw udp 53 -
> ACCEPT net fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
> ACCEPT masq fw udp 53 -
> ACCEPT masq fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
> ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
> ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
> ACCEPT fw masq tcp 631,137,138,139 -
> ACCEPT fw masq udp 631,137,138,139 -
> ACCEPT fw net tcp 4661,4662 -
> ACCEPT fw net udp 3665,4665 -
> DNAT net loc:192.168.0.3 udp 4665 -
> DNAT net loc:192.168.0.3 tcp 4661,4662,4672 -
>
> Any idea?
>
> Thanks for the help.
>
>>> Sorry, ..
>>> It shows
>>>
>>> net eth1 detect
>>> masq eth0 detect
>>>
>>
>> Ok -- It looks like you have the incomprehensible Shorewall configuration
>> that Mandrake 9.0 sets up when you enable "Internet Connection Sharing". My
>> advice to you is either:
>>
>> a) Get rid of all references to the 'loc' zone in your configuration,
>> changing 'loc' to 'masq' where necessary to retain rules; OR
>> b) Toss out the Mandrake configuration, download the latest version of
>> Shorewall and follow http://www.shorewall.net/two-interfaces.htm.
>>
>> The problem is that Mandrake sets up two local zones (loc and masq) that
>> conflict with one another and it's very difficult to tell which is which.
>>
>> -Tom
>> --
>> Tom Eastep \ Shorewall - iptables made easy
>> AIM: teastep \ http://www.shorewall.net
>> ICQ: #60745924 \ teastep@shorewall.net

--
Tom Eastep \ Shorewall - iptables made easy
AIM: teastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
--On Tuesday, January 21, 2003 6:00 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> --On Wednesday, January 22, 2003 1:57 AM +0000 Feijao <feijao@feijao.net>
> wrote:
>
>> I did that, restarted shorewall and the problem persists:
>
> You did what?
>
> I still see 'loc' and 'masq' in your rules below....

If your /etc/shorewall/interfaces file is as you show and your /etc/shorewall/hosts file is empty, then when you start shorewall it is warning you that the 'loc' zone is empty. That means that ANY RULE, POLICY, or anything else that refers to 'loc' WON'T DO ANYTHING!!! So you need to remove and/or edit any entry IN YOUR ENTIRE CONFIGURATION that refers to 'loc' INCLUDING ALL OF THE RULES YOU HAVE FOR EMULE.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: teastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
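To make Tom's point concrete, here is an added Python example (not code from this thread or from the Shorewall project) that parses the poster's log line and the quoted interfaces, hosts and rules files, works out which zones actually have members, and flags the rules that name a zone with none. It assumes the simplified 1.3-era column layout quoted in the thread (ZONE INTERFACE BROADCAST; ACTION SOURCE DEST PROTO PORT) and an empty hosts file, which is what Tom assumes for this poster; the sample inputs are constructed from the thread's own figures. It is a diagnostic aid, not a reimplementation of Shorewall's rule compiler.

```python
import re

# Constructed sample input, copied from what the poster and Tom quote in this thread.
# The column order follows the Shorewall 1.3-era layout the thread uses (assumption).
INTERFACES = """\
net    eth1    detect
masq   eth0    detect
"""
HOSTS = ""  # empty, which is what Tom assumes for this poster

RULES = """\
ACCEPT  net   fw                udp  53
ACCEPT  fw    net               tcp  4661,4662
DNAT    net   loc:192.168.0.3   udp  4665
DNAT    net   loc:192.168.0.3   tcp  4661,4662,4672
"""

LOG_LINE = ("Jan 22 01:26:07 servidor kernel: Shorewall:net2all:DROP:IN=eth1 OUT=eth0 "
            "SRC=213.22.49.86 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=50538 DF "
            "PROTO=TCP SPT=46408 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0")

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[A-Z]+):(?P<rest>.*)")


def parse_log(line):
    """Split a Shorewall kernel log line into chain, disposition and packet fields."""
    m = LOG_RE.search(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO", "").lower(),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": [t for t in tokens if "=" not in t],   # bare tokens such as DF, SYN
        # IN and OUT both set means the packet was being forwarded, not delivered locally
        "forwarded": bool(fields.get("IN")) and bool(fields.get("OUT")),
    }


def _columns(text):
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            yield parts


def populated_zones(interfaces_text, hosts_text):
    """Zones with members: fw, every zone named in interfaces, every zone named in hosts."""
    zones = {"fw"}
    for parts in _columns(interfaces_text):
        if parts[0] != "-":          # '-' marks a multi-zone interface defined via hosts
            zones.add(parts[0])
    for parts in _columns(hosts_text):
        zones.add(parts[0])
    return zones


def zone_of_interface(interfaces_text, ifname):
    for parts in _columns(interfaces_text):
        if len(parts) > 1 and parts[1] == ifname and parts[0] != "-":
            return parts[0]
    return None


def parse_rules(text):
    rules = []
    for parts in _columns(text):
        proto = parts[3].lower() if len(parts) > 3 else "-"
        ports = parts[4] if len(parts) > 4 else "-"
        rules.append({"action": parts[0], "src": parts[1].split(":")[0],
                      "dst": parts[2].split(":")[0], "proto": proto,
                      "ports": set() if ports == "-" else set(ports.split(","))})
    return rules


def dead_rules(rules, zones):
    """Rules that name a zone with no members; per Tom, such rules do nothing."""
    return [r for r in rules if r["src"] not in zones or r["dst"] not in zones]


def diagnose(log_line, interfaces_text, hosts_text, rules_text):
    ev = parse_log(log_line)
    zones = populated_zones(interfaces_text, hosts_text)
    dead = dead_rules(parse_rules(rules_text), zones)
    src_zone = zone_of_interface(interfaces_text, ev["in"])
    # Dead rules that would have covered this packet had their zones been populated.
    meant_for_packet = [r for r in dead
                        if r["src"] == src_zone and r["proto"] == ev["proto"]
                        and (not r["ports"] or str(ev["dport"]) in r["ports"])]
    return {"event": ev, "source_zone": src_zone, "dead_rules": dead,
            "empty_zones": sorted({z for r in dead for z in (r["src"], r["dst"]) if z not in zones}),
            "meant_for_packet": meant_for_packet}


if __name__ == "__main__":
    result = diagnose(LOG_LINE, INTERFACES, HOSTS, RULES)
    ev = result["event"]
    print(f"{ev['disposition']} in chain {ev['chain']}: {ev['proto']}/{ev['dport']} "
          f"from {ev['src']} via {ev['in']} to {ev['dst']} via {ev['out']}")
    print("zones with no members referenced by rules:", result["empty_zones"])
    for r in result["meant_for_packet"]:
        print(f"rule {r['action']} {r['src']} -> {r['dst']} {r['proto']} {sorted(r['ports'])} "
              "names an empty zone, so it never took effect")
```

Run against the thread's inputs it reports that the drop happened in the net2all chain (the fallback for traffic from net that matched no zone-to-zone rule), that the only zone referenced without members is loc, and that the one dead rule covering tcp/4662 is the DNAT to loc:192.168.0.3, which is exactly the rule the poster was relying on.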
I've removed the loc lines, but you say I must change all those lines? What should I place there? I'm a newbie :)

The current one is:

ACCEPT net fw udp 53 -
ACCEPT net fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
ACCEPT masq fw udp 53 -
ACCEPT masq fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT fw masq tcp 631,137,138,139 -
ACCEPT fw masq udp 631,137,138,139 -
ACCEPT fw net tcp 4661,4662 -
ACCEPT fw net udp 3665,4665 -
DNAT net loc:192.168.0.3 udp 4665 -
DNAT net loc:192.168.0.3 tcp 4661,4662,4672 -

Should I change it to this?

ACCEPT net fw udp 53 -
ACCEPT net fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
ACCEPT fw net tcp 4661,4662 -
ACCEPT fw net udp 3665,4665 -

Will it work? Will nat work? And the services such as ssh, ftp, mail and http?

Thanks,
Feijao

--On Wednesday, January 22, 2003 1:57 AM +0000 Feijao <feijao@feijao.net> wrote:

> I did that, restarted shorewall and the problem persists:

You did what?

I still see 'loc' and 'masq' in your rules below....

-Tom

> Jan 22 02:04:36 servidor kernel: Shorewall:net2all:DROP:IN=eth1
> OUT=eth0 SRC=213.22.49.86 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00
> TTL=57 ID=42166 DF PROTO=TCP SPT=46498 DPT=4662 WINDOW=5840 RES=0x00
> SYN URGP=0
>
> Now, my rules are:
>
> ACCEPT net fw udp 53 -
> ACCEPT net fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
> ACCEPT masq fw udp 53 -
> ACCEPT masq fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
> ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
> ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
> ACCEPT fw masq tcp 631,137,138,139 -
> ACCEPT fw masq udp 631,137,138,139 -
> ACCEPT fw net tcp 4661,4662 -
> ACCEPT fw net udp 3665,4665 -
> DNAT net loc:192.168.0.3 udp 4665 -
> DNAT net loc:192.168.0.3 tcp 4661,4662,4672 -
>
> Any idea?
>
> Thanks for the help.
>
>>> Sorry, ..
>>> It shows
>>>
>>> net eth1 detect
>>> masq eth0 detect
>>>
>>
>> Ok -- It looks like you have the incomprehensible Shorewall
>> configuration that Mandrake 9.0 sets up when you enable "Internet
>> Connection Sharing". My advice to you is either:
>>
>> a) Get rid of all references to the 'loc' zone in your configuration,
>> changing 'loc' to 'masq' where necessary to retain rules; OR
>> b) Toss out the Mandrake configuration, download the latest version of
>> Shorewall and follow http://www.shorewall.net/two-interfaces.htm.
>>
>> The problem is that Mandrake sets up two local zones (loc and masq)
>> that conflict with one another and it's very difficult to tell which is
>> which.
>>
>> -Tom
>> --
>> Tom Eastep \ Shorewall - iptables made easy
>> AIM: teastep \ http://www.shorewall.net
>> ICQ: #60745924 \ teastep@shorewall.net

--
Tom Eastep \ Shorewall - iptables made easy
AIM: teastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
cheers();

As I am used to Mandrake 9.0, I too would strongly advise you to get a fresh shorewall:

- Download the latest version from shorewall.net (RPM) and get a copy of the 2 Interfaces QuickStart Guide.
- Get rid of that old one installed (as root)
  % urpme shorewall
- Install the latest shorewall (as root)
  % urpmi shorewall*.rpm
- Follow the really good instructions from the Guide.
- Take a look at all DNAT after you have done that.

> ACCEPT net fw udp 53 -
> ACCEPT net fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
> ACCEPT masq fw udp 53 -
> ACCEPT masq fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
> ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
> ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
> ACCEPT fw masq tcp 631,137,138,139 -
> ACCEPT fw masq udp 631,137,138,139 -
> ACCEPT fw net tcp 4661,4662 -
> ACCEPT fw net udp 3665,4665 -
> DNAT net loc:192.168.0.3 udp 4665 -
> DNAT net loc:192.168.0.3 tcp 4661,4662,4672 -

Sorry, I haven't done DNAT up to now -- but don't you have to ACCEPT traffic from the net to DNAT? (Tom, this one's for you... ;-)

ACCEPT net masq tcp <emule>
ACCEPT net masq udp <emule>

karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
--On Wednesday, January 22, 2003 3:48 AM +0100 kb <kb@bluehash.de> wrote:

> Sorry, I haven't done DNAT up to now -- but don't you have to ACCEPT traffic
> from the net to DNAT? (Tom, this one's for you... ;-)
>
> ACCEPT net masq tcp <emule>
> ACCEPT net masq udp <emule>

No -- DNAT does an automatic ACCEPT.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: teastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
cheers();

>> Sorry, I haven't done DNAT up to now -- but don't you have to ACCEPT traffic
>> from the net to DNAT? (Tom, this one's for you... ;-)
>
> No -- DNAT does an automatic ACCEPT.

Thanks -- that was new to me, but I will use it in the next weeks... :-)

karsten
--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
--On Wednesday, January 22, 2003 4:00 AM +0100 kb <kb@bluehash.de> wrote:

> cheers();
>
>>> Sorry, I haven't done DNAT up to now -- but don't you have to ACCEPT traffic
>>> from the net to DNAT? (Tom, this one's for you... ;-)
>>
>> No -- DNAT does an automatic ACCEPT.
>
> Thanks -- that was new to me, but I will use it in the next weeks... :-)

The new DNAT- action in 1.3.13 doesn't include the automatic ACCEPT and can be used when several DNAT rules would generate the same redundant ACCEPT rule.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: teastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Here is an example for emule and overnet:

example: box1=192.168.1.100

DNAT net loc:192.168.1.100 tcp 4662   # emule standard tcp to internal box1
DNAT net loc:192.168.1.100 udp 4672   # emule standard udp port to internal box1
DNAT net loc:192.168.1.100 tcp 4663   # overnet tcp port (modified from 4662) to box1
DNAT net loc:192.168.1.100 udp 6310   # overnet udp to box1

have fun - andy

----- Original Message -----
From: "Feijao" <feijao@feijao.net>
To: <shorewall-users@shorewall.net>
Sent: Wednesday, January 22, 2003 2:30 AM
Subject: [Shorewall-users] Emule + Shorewall

> Hi,
>
> I've installed Emule (p2p program) on my client box but I can't access
> the servers due to the firewall.
>
> I'm getting these blocking errors:
>
> Jan 22 01:26:07 servidor kernel: Shorewall:net2all:DROP:IN=eth1 OUT=eth0
> SRC=213.22.49.86 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=57
> ID=50538 DF PROTO=TCP SPT=46408 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0
>
> My rules file has:
> ACCEPT net fw udp 53 -
> ACCEPT net fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
> ACCEPT masq fw udp 53 -
> ACCEPT masq fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
> ACCEPT loc fw udp 53 -
> ACCEPT loc fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
> ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
> ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
> ACCEPT fw masq tcp 631,137,138,139 -
> ACCEPT fw masq udp 631,137,138,139 -
> ACCEPT fw net tcp 4661,4662 -
> ACCEPT fw net udp 3665,4665 -
> DNAT net loc:192.168.0.3 udp 4665 -
> DNAT net loc:192.168.0.3 tcp 4661,4662,4672 -
>
> I've tried different configurations but none worked so far...
> Any idea what the problem is?
>
> Thanks
> Feijao
Thanks for all the help. It works fine now.

My rules now are:

ACCEPT net fw udp 53 -
ACCEPT net fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
ACCEPT masq fw udp 53 -
ACCEPT masq fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT fw masq tcp 631,137,138,139 -
ACCEPT fw masq udp 631,137,138,139 -
ACCEPT fw net tcp 4661,4662 -
ACCEPT fw net udp 3665,4665 -
DNAT net masq:192.168.0.3 udp 4665 -
DNAT net masq:192.168.0.3 tcp 4661,4662,4672 -

And it works.

Thanks,
Paulo Cardoso
--On Wednesday, January 22, 2003 6:30 PM +0000 Feijao <feijao@feijao.net> wrote:

> Thanks for all the help. It works fine now.
>
> My rules now are:
>
> ACCEPT net fw udp 53 -
> ACCEPT net fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
> ACCEPT masq fw udp 53 -
> ACCEPT masq fw tcp 80,443,53,22,20,21,25,109,110,143,10000 -
> ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
> ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
> ACCEPT fw masq tcp 631,137,138,139 -
> ACCEPT fw masq udp 631,137,138,139 -
> ACCEPT fw net tcp 4661,4662 -
> ACCEPT fw net udp 3665,4665 -
> DNAT net masq:192.168.0.3 udp 4665 -
> DNAT net masq:192.168.0.3 tcp 4661,4662,4672 -
>
> And it works.

Great! As long as you posted them, I'll offer just a few comments on your rules:

a) You have a lot of duplication -- you are specifying the open ports both by port number AND by service name, with at least the following being duplicates (http, https, imap, pop3, smtp).

b) Rather than list bootps (which is ONLY udp BTW) in a rule, you should specify 'dhcp' on the local interface in /etc/shorewall/interfaces.

c) You are running a LOT of services on your firewall and open to the internet. That substantially weakens the firewall's strength since each open service has the potential to be exploited.

d) The UDP entries for http, https, imap, ipp, pop3, smtp and nntp are all superfluous since these services are TCP only.

f) Your NETBIOS rules from firewall->masq could be improved -- see http://www.shorewall.net/samba.htm.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: teastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
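The review points Tom lists can be checked mechanically. The following is an added Python example (mine, not Tom's and not part of Shorewall) that lints a rules file for the same four problems: a port opened twice for one zone pair under a number and under a service name (a), bootps listed in a rule instead of the interface's dhcp option (b), how many firewall ports are accepted from net (c), and entries for a protocol the service never speaks (d). The service table is a constructed subset of /etc/services embedded so the script runs offline; bootps and ipp are recorded with the protocols Tom states, and the rules text is the poster's final file with the trailing '-' columns dropped.

```python
from collections import defaultdict

# Constructed subset of /etc/services, embedded so the example runs offline.
# bootps and ipp are recorded with the protocols Tom states in the thread
# (UDP-only and TCP-only); ntp keeps both, as /etc/services lists it.
SERVICES = {
    "domain": (53, {"tcp", "udp"}),
    "bootps": (67, {"udp"}),
    "http":   (80, {"tcp"}),
    "https":  (443, {"tcp"}),
    "ipp":    (631, {"tcp"}),
    "imap":   (143, {"tcp"}),
    "pop3":   (110, {"tcp"}),
    "smtp":   (25, {"tcp"}),
    "nntp":   (119, {"tcp"}),
    "ntp":    (123, {"tcp", "udp"}),
}
PORT_TO_NAME = {num: name for name, (num, _) in SERVICES.items()}

# The poster's final rules file, as quoted in this thread (trailing '-' columns dropped).
RULES = """\
ACCEPT net  fw   udp 53
ACCEPT net  fw   tcp 80,443,53,22,20,21,25,109,110,143,10000
ACCEPT masq fw   udp 53
ACCEPT masq fw   tcp 80,443,53,22,20,21,25,109,110,143,10000
ACCEPT masq fw   tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp
ACCEPT masq fw   udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp
ACCEPT fw   masq tcp 631,137,138,139
ACCEPT fw   masq udp 631,137,138,139
ACCEPT fw   net  tcp 4661,4662
ACCEPT fw   net  udp 3665,4665
DNAT   net  masq:192.168.0.3 udp 4665
DNAT   net  masq:192.168.0.3 tcp 4661,4662,4672
"""


def resolve_port(token):
    """Map a PORT column token to (number, protocols the service uses, or None if unknown)."""
    if token.isdigit():
        num = int(token)
        name = PORT_TO_NAME.get(num)
        return num, (SERVICES[name][1] if name else None)
    if token in SERVICES:
        return SERVICES[token]
    raise ValueError(f"unknown service name: {token}")


def parse_rules(text):
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        ports = parts[4].split(",") if len(parts) > 4 and parts[4] != "-" else []
        rules.append({"line": lineno, "action": parts[0],
                      "src": parts[1].split(":")[0], "dst": parts[2].split(":")[0],
                      "proto": parts[3].lower(), "ports": ports})
    return rules


def lint(text):
    rules = parse_rules(text)
    findings = {"duplicate_ports": {}, "wrong_protocol": [],
                "bootps_in_rules": [], "exposed_from_net": 0}
    seen = defaultdict(list)   # (src, dst, proto, port number) -> rule line numbers
    for r in rules:
        for token in r["ports"]:
            num, protos = resolve_port(token)
            seen[(r["src"], r["dst"], r["proto"], num)].append(r["line"])
            # (d) an entry for a protocol the service never speaks
            if protos is not None and r["proto"] not in protos:
                findings["wrong_protocol"].append((r["line"], token, r["proto"]))
            # (b) bootps belongs on the interface's dhcp option, not in rules
            if num == 67:
                findings["bootps_in_rules"].append(r["line"])
            # (c) every port accepted from net to fw is an internet-facing service
            if r["action"] == "ACCEPT" and r["src"] == "net" and r["dst"] == "fw":
                findings["exposed_from_net"] += 1
    # (a) the same port opened twice for one zone pair, by number and by name
    for (src, dst, proto, num), lines in seen.items():
        if len(lines) > 1:
            findings["duplicate_ports"].setdefault((src, dst, proto), []).append(num)
    for nums in findings["duplicate_ports"].values():
        nums.sort()
    return findings


if __name__ == "__main__":
    f = lint(RULES)
    for (src, dst, proto), nums in f["duplicate_ports"].items():
        print(f"{src}->{dst} {proto}: ports opened twice: {nums}")
    for line, token, proto in f["wrong_protocol"]:
        print(f"line {line}: {token} listed for {proto}, which that service does not use")
    if f["bootps_in_rules"]:
        print("bootps in rules on lines", f["bootps_in_rules"], "- use the dhcp interface option instead")
    print("ports accepted from net to the firewall:", f["exposed_from_net"])
```

Because it resolves names to numbers before comparing, the lint also catches the domain/53 overlap Tom's "at least" leaves implicit, and it flags the udp 631 entry in the fw->masq rule on the same reasoning as his point (d). Ports it has no table entry for (22, 137-139, the emule ports) are left alone rather than guessed at.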
Thanks, I'll take a look at this.

Paulo

------------------------------------------------------------------------------

Great! As long as you posted them, I'll offer just a few comments on your rules:

a) You have a lot of duplication -- you are specifying the open ports both by port number AND by service name, with at least the following being duplicates (http, https, imap, pop3, smtp).

b) Rather than list bootps (which is ONLY udp BTW) in a rule, you should specify 'dhcp' on the local interface in /etc/shorewall/interfaces.

c) You are running a LOT of services on your firewall and open to the internet. That substantially weakens the firewall's strength since each open service has the potential to be exploited.

d) The UDP entries for http, https, imap, ipp, pop3, smtp and nntp are all superfluous since these services are TCP only.

f) Your NETBIOS rules from firewall->masq could be improved -- see http://www.shorewall.net/samba.htm.

-Tom