Hello,
I am a newbie concerning firewalls and network stuff. Although I was
reading the docs, I didn't get along with shorewall's
configuration.
I have Mandrake 9.0 (IP 192.168.1.1) and shorewall installed on it.
I have some other computers within this LAN. Using shorewall
and masquerading, I can use Mandrake as internet router. This is
working well. But there are some things which do not work, although
they should (yep, I also was reading the manual...):
(1)
I have several mails in my queue, but "sendmail -q" is not able to
send them. (Possibly it is a postfix problem!?) /var/log/syslog says:
*****
Oct 10 15:28:53 thor postfix/master[3105]: warning: process
/usr/lib/postfix/smtp pid 21408 exit status 1
Oct 10 09:28:53 thor postfix/nqmgr[3118]: 1D6268B392:
to=<listmaster@somedomain.de>, relay=none, delay=255706,
status=deferred (unknown mail transport error)
*****
(2)
I can access neither my SMB nor my netatalk server on my Linux box.
/var/log/messages says:
*****
Oct 10 15:35:12 thor kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=
MAC=00:e0:7d:70:eb:83:00:03:93:a5:66:b8:08:00 SRC=192.168.1.252
DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13139 DF PROTO=TCP
SPT=49376 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
*****
(3)
I cannot connect to Mandrake using XDMCP (port 177) while shorewall is
running. /var/log/messages says:
*****
Oct 10 15:41:05 thor kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
SRC=192.168.1.1 DST=192.168.1.252 LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=5635 DF PROTO=TCP SPT=32929 DPT=6000 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 10 15:41:09 thor kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
SRC=192.168.1.1 DST=192.168.1.252 LEN=96 TOS=0x00 PREC=0xC0 TTL=64
ID=28605 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.252 DST=62.104.196.134
LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=13401 PROTO=UDP SPT=50379 DPT=53
LEN=48 ]
*****
(4)
Although my Mac shows the printer queues on Mandrake via Mandrake's
cups server, nothing happens when I print a document. Printing on
Mandrake itself works, but not from other computers within my LAN using my
Linux box as cups server (port 631).
Thanks for any hint!
Claus
Here are my shorewall entries in /etc/shorewall:
*** shorewall:
net Net Internet zone
masq Masquerade Masquerade Local
loc Local Local
*** tos
all all tcp - ssh 16
all all tcp ssh - 16
all all tcp - ftp 16
all all tcp ftp - 16
all all tcp ftp-data - 8
all all tcp - ftp-data 8
*** rules
ACCEPT net fw udp 631,177 -
ACCEPT net fw tcp 22,631,177 -
ACCEPT masq fw udp 631,177 -
ACCEPT masq fw tcp 22,631,177 -
ACCEPT loc fw udp 631,177 -
ACCEPT loc fw tcp 22,631,177 -
ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT fw masq tcp 631,137,138,139 -
ACCEPT fw masq udp 631,137,138,139 -
*** masq
ippp0 192.168.1.0/255.255.255.0
*** interfaces
net ippp0 -
masq eth0 detect
*** policy
masq net ACCEPT
loc net ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info
*** modules
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_irc
*** rfc1918
255.255.255.255 RETURN # We need to allow limited broadcast
169.254.0.0/16 DROP # DHCP autoconfig
172.16.0.0/12 logdrop # RFC 1918
192.0.2.0/24 logdrop # Example addresses
192.168.0.0/16 logdrop # RFC 1918
0.0.0.0/7 logdrop # Reserved
2.0.0.0/8 logdrop # Reserved
5.0.0.0/8 logdrop # Reserved
7.0.0.0/8 logdrop # Reserved
10.0.0.0/8 logdrop # Reserved
23.0.0.0/8 logdrop # Reserved
27.0.0.0/8 logdrop # Reserved
31.0.0.0/8 logdrop # Reserved
36.0.0.0/7 logdrop # Reserved
39.0.0.0/8 logdrop # Reserved
41.0.0.0/8 logdrop # Reserved
42.0.0.0/8 logdrop # Reserved
58.0.0.0/7 logdrop # Reserved
60.0.0.0/8 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved
82.0.0.0/7 logdrop # Reserved
84.0.0.0/6 logdrop # Reserved
88.0.0.0/5 logdrop # Reserved
96.0.0.0/3 logdrop # Reserved
127.0.0.0/8 logdrop # Loopback
197.0.0.0/8 logdrop # Reserved
222.0.0.0/7 logdrop # Reserved
240.0.0.0/4 logdrop # Reserved
*** common.def
run_iptables -A common -p icmp -j icmpdef
run_iptables -A common -m state -p tcp --state INVALID -j DROP
run_iptables -A common -p udp --dport 137:139 -j REJECT
run_iptables -A common -p udp --dport 445 -j REJECT
run_iptables -A common -p tcp --dport 135 -j reject
run_iptables -A common -p udp --dport 1900 -j DROP
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
run_iptables -A common -p tcp --dport 113 -j reject
*** shorewall.conf
FW=fw
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
ALLOWRELATED=yes
MODULESDIR=
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
LOGFILE=/var/log/messages
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
TC_ENABLED=No
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=
CLAMPMSS=yes
ROUTE_FILTER=No
NAT_BEFORE_RULES=Yes
MULTIPORT=No
DETECT_DNAT_IPADDRS=No
MERGE_HOSTS=Yes
MUTEX_TIMEOUT=60
LOGNEWNOTSYN=
FORWARDPING=Yes
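As an added illustration (not Shorewall's own matching engine and not part of the original post), the script below parses the "Shorewall:all2all:REJECT:" log lines quoted above and runs them through a simplified model of the interfaces, rules and policy files from the post, so it shows which rule or policy decides each logged packet: eth0 belongs to zone "masq", so the "loc" rules never match, and neither tcp/139 towards the box nor tcp/6000 from the box to the Mac has an ACCEPT rule, leaving both to the final "all all REJECT" policy. The model ignores the common chain, connection tracking and the tos file.

```python
import re

# Simplified model of the interfaces, rules and policy files quoted in the post.
ZONE_BY_IFACE = {"ippp0": "net", "eth0": "masq"}   # interfaces file; "loc" has no interface
SVC = {"domain": 53, "bootps": 67, "http": 80, "https": 443, "imap": 143,
       "pop3": 110, "smtp": 25, "nntp": 119, "ntp": 123}   # service names used in the rules file
RULES = [  # (action, source zone, dest zone, proto, dest ports) in file order
    ("ACCEPT", "net", "fw", "udp", {631, 177}), ("ACCEPT", "net", "fw", "tcp", {22, 631, 177}),
    ("ACCEPT", "masq", "fw", "udp", {631, 177}), ("ACCEPT", "masq", "fw", "tcp", {22, 631, 177}),
    ("ACCEPT", "loc", "fw", "udp", {631, 177}), ("ACCEPT", "loc", "fw", "tcp", {22, 631, 177}),
    ("ACCEPT", "masq", "fw", "tcp", {631, *SVC.values()}),
    ("ACCEPT", "masq", "fw", "udp", {631, *SVC.values()}),
    ("ACCEPT", "fw", "masq", "tcp", {631, 137, 138, 139}),
    ("ACCEPT", "fw", "masq", "udp", {631, 137, 138, 139}),
]
POLICIES = [("masq", "net", "ACCEPT"), ("loc", "net", "ACCEPT"), ("fw", "net", "ACCEPT"),
            ("net", "all", "DROP"), ("all", "all", "REJECT")]   # policy file, in order
FIELD = re.compile(r"(\w+)=(\S*)")

def explain(line):
    """Parse one 'Shorewall:<chain>:<disposition>:KEY=VAL ...' log line and report
    which rule or policy decides it under the quoted configuration."""
    _, chain, disposition, rest = line.split(":", 3)   # MAC= contains colons, hence maxsplit
    f = dict(FIELD.findall(rest.split("[")[0]))         # drop an embedded ICMP payload header
    src = ZONE_BY_IFACE.get(f.get("IN", ""), "fw")     # empty IN= means locally generated
    dst = ZONE_BY_IFACE.get(f.get("OUT", ""), "fw")    # empty OUT= means addressed to the box
    proto = f["PROTO"].lower()
    dport = int(f["DPT"]) if "DPT" in f else None
    out = {"chain": chain, "logged": disposition, "src": src, "dst": dst,
           "proto": proto, "dport": dport}
    for action, rs, rd, rp, ports in RULES:
        if rs in (src, "all") and rd in (dst, "all") and rp == proto and dport in ports:
            return {**out, "verdict": action, "by": f"rule {action} {rs} {rd} {rp} {dport}"}
    for ps, pd, action in POLICIES:                    # no rule matched: fall through to policy
        if ps in (src, "all") and pd in (dst, "all"):
            return {**out, "verdict": action, "by": f"policy {ps} {pd} {action}"}
    return {**out, "verdict": "REJECT", "by": "implicit"}

# Log lines copied from the post (syslog timestamp and "kernel:" prefix removed).
LOGS = [
    "Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:e0:7d:70:eb:83:00:03:93:a5:66:b8:08:00 "
    "SRC=192.168.1.252 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13139 DF "
    "PROTO=TCP SPT=49376 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.252 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=5635 DF PROTO=TCP SPT=32929 DPT=6000 WINDOW=5840 "
    "RES=0x00 SYN URGP=0",
]
if __name__ == "__main__":
    for r in (explain(l) for l in LOGS):
        print(f"{r['src']}->{r['dst']} {r['proto']}/{r['dport']}: {r['verdict']} by {r['by']}")
```

Replacing DPT=139 with DPT=22 in the first line makes the masq->fw tcp 22 rule match, which is the quickest way to confirm the model agrees with the rules file before trusting its verdicts on the rejected packets.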