Hi,

I simply used the delivered script for masquerading hosts:

/etc/shorewall/start:

    #!/bin/sh
    EXTERNAL_INTERFACE="ppp0"
    IPTABLES="/sbin/iptables"
    INTERNAL_HOSTS="192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4 192.168.0.5"

    for HOST in $INTERNAL_HOSTS; do
        echo "Creating Chain for $HOST"
        $IPTABLES -N $HOST
        # incoming jump rule
        $IPTABLES -A FORWARD -o $EXTERNAL_INTERFACE -d $HOST -j $HOST
        # outgoing jump rule
        $IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -s $HOST -j $HOST
        # incoming accounting chain
        $IPTABLES -A $HOST -o $EXTERNAL_INTERFACE -d $HOST
        # outgoing accounting chain
        $IPTABLES -A $HOST -i $EXTERNAL_INTERFACE -s $HOST
    done;

I stopped shorewall and started it. Output (just the end):

    Activating Rules...
    Processing /etc/shorewall/start ...
    Creating Chain for 192.168.0.1
    Creating Chain for 192.168.0.2
    Creating Chain for 192.168.0.3
    Creating Chain for 192.168.0.4
    Creating Chain for 192.168.0.5
    Shorewall Started

Okay, iptables -nL -v -x shows the following:

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target       prot opt in    out   source       destination
    -- some more snipped---
    0    0     192.168.0.1  all  --  *     ppp0  0.0.0.0/0    192.168.0.1
    0    0     192.168.0.1  all  --  ppp0  *     192.168.0.1  0.0.0.0/0
    0    0     192.168.0.2  all  --  *     ppp0  0.0.0.0/0    192.168.0.2
    0    0     192.168.0.2  all  --  ppp0  *     192.168.0.2  0.0.0.0/0
    0    0     192.168.0.3  all  --  *     ppp0  0.0.0.0/0    192.168.0.3
    0    0     192.168.0.3  all  --  ppp0  *     192.168.0.3  0.0.0.0/0
    0    0     192.168.0.4  all  --  *     ppp0  0.0.0.0/0    192.168.0.4
    0    0     192.168.0.4  all  --  ppp0  *     192.168.0.4  0.0.0.0/0
    0    0     192.168.0.5  all  --  *     ppp0  0.0.0.0/0    192.168.0.5
    0    0     192.168.0.5  all  --  ppp0  *     192.168.0.5  0.0.0.0/0

    Chain 192.168.0.1 (2 references)
    pkts bytes target       prot opt in    out   source       destination
    0    0                  all  --  *     ppp0  0.0.0.0/0    192.168.0.1
    0    0                  all  --  ppp0  *     192.168.0.1  0.0.0.0/0

    Chain 192.168.0.2 (2 references)
    pkts bytes target       prot opt in    out   source       destination
    0    0                  all  --  *     ppp0  0.0.0.0/0    192.168.0.2
    0    0                  all  --  ppp0  *     192.168.0.2  0.0.0.0/0

    Chain 192.168.0.3 (2 references)
    pkts bytes target       prot opt in    out   source       destination
    0    0                  all  --  *     ppp0  0.0.0.0/0    192.168.0.3
    0    0                  all  --  ppp0  *     192.168.0.3  0.0.0.0/0

    Chain 192.168.0.4 (2 references)
    pkts bytes target       prot opt in    out   source       destination
    0    0                  all  --  *     ppp0  0.0.0.0/0    192.168.0.4
    0    0                  all  --  ppp0  *     192.168.0.4  0.0.0.0/0

    Chain 192.168.0.5 (2 references)
    pkts bytes target       prot opt in    out   source       destination
    0    0                  all  --  *     ppp0  0.0.0.0/0    192.168.0.5
    0    0                  all  --  ppp0  *     192.168.0.5  0.0.0.0/0

Okay, when I generate traffic on these hosts (over ppp0) and I reuse the last command (iptables -nL -v -x) it still looks the same. No pkts or bytes in all these chains...

I use shorewall version 1.2.12-1 on debian woody...

Questions:

Is it right to use /etc/shorewall/start for the first little script that sets up the chains?

Why do I have no traffic listed in all these chains?

Any more hints where to start the delivered firewall.iptables.acct.stop to write the traffic in the database before the chains are cleared?

Would be fine if someone can show me the right way ;)

Tia,
Jack
On Sunday, December 08, 2002 04:41:26 AM +0100 Ulf Kohlmorgen <ulf.kohlmorgen@gmx.de> wrote:

> Hi,
>
> I simply used the delivered script for masquerading hosts:
>
> /etc/shorewall/start:

If you are going to extend Shorewall using extension scripts then you are going to have to take the time to understand Shorewall's rule set so that you can extend it correctly. I'm not in the business of debugging people's extension scripts for them. However...

In general, using the -A command in /etc/shorewall/start doesn't work at all because it will add your rules after the unconditional policy rules generated by the contents of your /etc/shorewall/policy file.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://shorewall.sf.net
ICQ: #60745924   \ teastep@shorewall.net
On Sunday, December 08, 2002 04:41:26 AM +0100 Ulf Kohlmorgen <ulf.kohlmorgen@gmx.de> wrote:

> Okay, when I generate traffic on these hosts (over ppp0) and I reuse the
> last command (iptables -nL -v -x) it still looks the same. No pkts or
> bytes in all these chains...
>
> I use shorewall version 1.2.12-1 on debian woody...
>
> Questions:
>
> Is it right to use /etc/shorewall/start for the first little script that
> sets up the chains?

Yes.

> Why do I have no traffic listed in all these chains?

I covered that in my previous post. Also, rather than running iptables directly, you should use "run_iptables" as described in the Extension Script documentation.

> Any more hints where to start the delivered firewall.iptables.acct.stop
> to write the traffic in the database before the chains are cleared?

/etc/shorewall/init -- be sure to test to see if the chains exist or not since this script gets called on all commands, including start.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://shorewall.sf.net
ICQ: #60745924   \ teastep@shorewall.net
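Both of Tom's points (jump rules appended with -A land behind the policy rules and never match; the per-host counters have to be read out of the chains before they are cleared) can be checked from the `iptables -nL -v -x` listing itself. The Python below is an added example, not code from this thread or from Shorewall: it parses a constructed listing in the layout shown in the post, reports the byte counters of a host's accounting chain, and flags rule targets that sit behind a catch-all terminating rule in FORWARD; treating only ACCEPT/DROP/REJECT as terminating is an assumption of the example.

```python
import re
PROTOS = {"all", "tcp", "udp", "icmp"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # assumption: builtin terminating targets only
# Constructed `iptables -nL -v -x` listing: the 192.168.0.1 jump sits behind a catch-all DROP.
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42      61440 192.168.0.2  all  --  ppp0   *       192.168.0.2          0.0.0.0/0
      17       1020 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0          0 192.168.0.1  all  --  *      ppp0    0.0.0.0/0            192.168.0.1
Chain 192.168.0.2 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      10       5120            all  --  *      ppp0    0.0.0.0/0            192.168.0.2
      42      61440            all  --  ppp0   *       192.168.0.2          0.0.0.0/0
"""

def parse_listing(text):
    """Return {chain: [rule dicts]} from `iptables -nL -v -x` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) ", line)
        if m:                          # "Chain NAME (policy ...)" / "Chain NAME (N references)"
            current = m.group(1)
            chains[current] = []
            continue
        f = line.split()
        if not f or f[0] == "pkts" or current is None:
            continue                   # blank line or column header
        if f[2] in PROTOS:             # accounting rule with no target: only 8 columns
            f.insert(2, "")
        pkts, nbytes, target, proto, _opt, iin, iout, src, dst = f[:9]
        chains[current].append(dict(pkts=int(pkts), bytes=int(nbytes), target=target,
                                    proto=proto, iin=iin, iout=iout, src=src, dst=dst))
    return chains

def host_bytes(chains, host):
    # Bytes to and from `host`, read from its own accounting chain (zero if the chain is absent).
    rules = chains.get(host, [])
    return {"to_host": sum(r["bytes"] for r in rules if r["dst"] == host),
            "from_host": sum(r["bytes"] for r in rules if r["src"] == host)}

def shadowed_targets(chains, chain="FORWARD"):
    """Targets of rules that follow a catch-all terminating rule in `chain`: they never match."""
    out, catch_all_seen = [], False
    for r in chains.get(chain, []):
        if catch_all_seen and r["target"] and r["target"] not in out:
            out.append(r["target"])
        if (r["target"] in TERMINATING and r["proto"] == "all" and r["iin"] == "*"
                and r["iout"] == "*" and r["src"] == r["dst"] == "0.0.0.0/0"):
            catch_all_seen = True
    return out
```

On a live box, feed `shadowed_targets(parse_listing(subprocess.check_output(["iptables", "-nL", "-v", "-x"]).decode()))` the real listing; any accounting chain it names is one whose jump was appended behind the policy rules.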
Robin Mordasiewicz
2002-Dec-08 17:59 UTC
[Shorewall-users] /etc/init.d/shorewall clear is gone
The command /etc/init.d/shorewall clear is not available with the rpm install anymore. The init script still has the case, but the select is missing the option.
On Sunday, December 08, 2002 12:59:29 PM -0500 Robin Mordasiewicz <robin@primus.ca> wrote:

> the command
> /etc/init.d/shorewall clear
> is not available with the rpm install anymore
> the init script still has the case but the select is missing the option.

Use /sbin/shorewall clear

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://shorewall.sf.net
ICQ: #60745924   \ teastep@shorewall.net