I run a net box with Red Hat 7.3 for my home network. I've got Shorewall working, my internet works fine on all the computers. I can SSH from my home network to the box for admin, but I'm having trouble as I can't seem to set this up to work from the internet.

I copied the SSH for the local network and adapted it to the net, didn't work. My friend has his working so I copied his ruleset and that didn't work. I also tried substituting in ssh for port 22 on the incoming, to no avail, does anyone have any other ideas?

Thanks,
Nathan
> -----Original Message-----
> From: Nathan Jones
> Sent: Friday, October 18, 2002 12:24 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] SSH Problems
>
> I run a net box with Red Hat 7.3 for my home network. I've got
> Shorewall working, my internet works fine on all the computers.
> I can SSH from my home network to the box for admin, but I'm
> having trouble as I can't seem to set this up to work from the
> internet.
> I copied the SSH for the local network and adapted it to the
> net, didn't work. My friend has his working so I copied his
> ruleset and that didn't work. I also tried substituting in
> ssh for port 22 on the incoming, to no avail, does anyone have
> any other ideas?

Try and post the ssh related rule you added for net->fw.

Also, is sshd configured to answer on the external interface? As root, type:

netstat -nap | grep sshd

Is your ISP possibly blocking inbound ssh requests? Try running tcpdump or ethereal on your firewall to see if port 22 connections are making it to your firewall's external interface.

Steve Cowles
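The two checks Steve asks for (is there a net->fw rule for tcp/22, and does sshd actually listen on an address the external interface carries) can be scripted so they are repeatable. The script below is an added example, not code from this thread or from Shorewall. It runs over constructed netstat output and a constructed excerpt of /etc/shorewall/rules, and assumes the default zone names net, loc and fw from the Shorewall two-interface sample and the Shorewall 1.3 rules-file column order (ACTION SOURCE DEST PROTO DEST PORT); the external address 203.0.113.5 is a documentation address.

```sh
#!/bin/sh
# Added example (not from the thread): script the two checks Steve suggests.
# All input below is constructed; no real hosts are involved.

# Constructed output of `netstat -nap | grep sshd`.
# Case A: sshd bound to every address (0.0.0.0:22), so it can answer on the external NIC.
NETSTAT_ALL='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd'
# Case B: sshd bound only to the LAN address; no Shorewall rule can make it reachable from the net.
NETSTAT_LAN='tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN      612/sshd'

# Constructed excerpt of /etc/shorewall/rules (columns: ACTION SOURCE DEST PROTO DEST-PORT).
# Zone names net/loc/fw are the two-interface sample defaults (assumption).
RULES='#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   loc     fw    tcp    22
ACCEPT   net     fw    tcp    22'

# sshd_reachable_on NETSTAT_OUTPUT EXTERNAL_IP
# Succeeds if an sshd LISTEN socket covers EXTERNAL_IP: a wildcard bind (0.0.0.0 or :::)
# or an explicit bind to that address. Field 4 is Local Address, field 6 the state,
# field 7 PID/Program name.
sshd_reachable_on() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $6 == "LISTEN" && $7 ~ /\/sshd$/ {
            n = split($4, a, ":")
            addr = (n > 2) ? "" : a[1]          # ":::22" is the IPv6 wildcard bind
            if (addr == "" || addr == "0.0.0.0" || addr == ip) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# has_net_fw_ssh_rule RULES_TEXT
# Succeeds if the rules file accepts tcp/22 (or the service name "ssh") from zone net to zone fw.
has_net_fw_ssh_rule() {
    printf '%s\n' "$1" | awk '
        /^#/ { next }
        $1 == "ACCEPT" && $2 == "net" && $3 == "fw" && $4 == "tcp" &&
        ($5 == "22" || $5 == "ssh") { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Stand-alone run over the constructed cases.
if sshd_reachable_on "$NETSTAT_ALL" 203.0.113.5; then
    echo "case A: sshd can answer on the external address"
fi
if ! sshd_reachable_on "$NETSTAT_LAN" 203.0.113.5; then
    echo "case B: sshd is bound to the LAN address only; fix ListenAddress in sshd_config before touching the firewall"
fi
if has_net_fw_ssh_rule "$RULES"; then
    echo "rules: net->fw tcp/22 ACCEPT present"
fi
```

Running the listening check first saves time: if sshd is bound to the LAN address only (case B), the symptom is identical to a missing firewall rule, and no amount of editing /etc/shorewall/rules will change it. When both checks pass and the connection still fails, the remaining suspects are the ones Steve names, the ISP or the path to the external interface, which tcpdump on that interface will settle.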
Is it possible to generate a shell script that would create the neccessary rules for the firewall? The reason I am looking to do this is because I like the interface of shorewall to create my firewall, but at a server at work, we'd like to use a cd based distro for the firewall. This cd distro reads the firewall script from a read-only floppy in the drive. It would be great if I could install shorewall on my workstation, create all the neccessary rules, but then have shorewall create a shell script that contains all the neccessary iptables commands to create the firewall. That way this one script can be copied to the floppy. This would be much easier/faster than hacking my way through the cd-rom based distro to add all the shorewall support files.

Thanks,
Bryan
Once Shorewall is started, use the command iptables-save, e.g.:

iptables-save > my_script

It generates the complete listing of the rules/chains created. You'll have to edit the file to add the iptables command at the beginning, but this is trivial if you know vi.

This is an extract of what it gives to me:

...
-A logdrop -j DROP
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j newnotsyn
-A net2all -j common
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A net2dmz -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2dmz -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j newnotsyn
...

----- Original Message -----
From: "Bryan Ragon" <ragon@bellsouth.net>
To: <shorewall-users@shorewall.net>
Sent: Friday, October 18, 2002 9:37 AM
Subject: [Shorewall-users] output to shell script?

> Is it possible to generate a shell script that would create the
> neccessary rules for the firewall? The reason I am looking to do this
> is because I like the interface of shorewall to create my firewall, but
> at a server at work, we'd like to use a cd based distro for the
> firewall. This cd distro reads the firewall script from a read-only
> floppy in the drive. It would be great if I could install shorewall on
> my workstation, create all the neccessary rules, but then have shorewall
> create a shell script that contains all the neccessary iptables commands
> to create the firewall. That way this one script can be copied to the
> floppy. This would be much easier/faster than hacking my way through
> the cd-rom based distro to add all the shorewall support files.
>
> Thanks,
> Bryan
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
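The "add the iptables command at the beginning" step is mechanical and worth automating, because iptables-save output is more than a list of -A lines: the "*table" markers, the ":CHAIN POLICY" declarations and the COMMIT lines must each be turned into something a shell script can run, and user chains must be created before rules are appended to them. The function below is an added example, not from the thread or from Shorewall; it converts a constructed iptables-save sample into a stand-alone script that flushes each table, creates the user chains, sets the built-in policies and appends the rules. (On a system that has iptables-restore, feeding the saved file to it directly is the simpler route; this conversion is for the case in the thread, where only a plain shell script can be shipped.)

```sh
#!/bin/sh
# Added example (not from the thread or from Shorewall): turn iptables-save output into a
# self-contained script of iptables commands. "*table" lines select the table and flush it,
# ":CHAIN POLICY" lines become -N (user chain, policy "-") or -P (built-in chain), COMMIT and
# comment lines are dropped, and -A rule lines are passed through with the table prefix.
iptables_save_to_script() {
    awk '
        BEGIN     { print "#!/bin/sh" }
        /^#/      { next }                                # iptables-save comments/timestamps
        /^\*/     { table = substr($0, 2)                 # "*filter" -> current table
                    print "iptables -t " table " -F"      # start from an empty table
                    print "iptables -t " table " -X"
                    next }
        /^COMMIT/ { next }
        /^:/      { chain = substr($1, 2); policy = $2    # ":INPUT DROP [0:0]" or ":net2all - [0:0]"
                    if (policy == "-") print "iptables -t " table " -N " chain
                    else               print "iptables -t " table " -P " chain " " policy
                    next }
        /^-A /    { print "iptables -t " table " " $0 }   # rule lines pass through unchanged
    '
}

# Constructed sample in iptables-save format (shortened from the kind of extract Jérôme posted).
SAMPLE='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:net2all - [0:0]
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
COMMIT
# Completed'

# Stand-alone run: print the generated script.
printf '%s\n' "$SAMPLE" | iptables_save_to_script
```

Usage on a real box is `iptables-save | iptables_save_to_script > firewall.sh`. The flush at the start of each table matters for the read-only-floppy case: the script must produce the same ruleset whether it runs on a clean boot or after an earlier attempt, so it must not depend on what is already loaded.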
On Fri, 2002-10-18 at 04:02, Jérôme Tytgat wrote:
> Once Shorewall started,
>
> used the command iptables-save
>
> ex : iptables-save > my_script

That makes sense. However, will iptables/shorewall allow you to write rules for interfaces you don't have? Specifically the IP addresses of my machines are different. The machine I want to "transfer" my rules to has two NICs.... my work machine has one. Can I get iptables to accept rules for two different NICs and with eth0 being assigned a diff address than my rules would "indicate?" If so, then I'm home free. Just config shorewall on my work machine, save the rules, and then copy to my firewall.

Thanks for all the help guys,
Bryan
Hum, not to my knowledge. But you can simply issue a command like:

sed "s/your\.old\.ip\.number/your.new.ip.number/g" original_iptables_script > new_iptables_script

[notice the \., they are important as a "." (dot) can be badly interpreted]

And repeat this as many times as you want... Of course it's by no means a good implementation, but it's a fast procedure to solve your problem.

Jerome

----- Original Message -----
From: "Bryan Ragon" <ragon@bellsouth.net>
To: <shorewall-users@shorewall.net>
Sent: Saturday, October 19, 2002 8:26 AM
Subject: Re: [Shorewall-users] output to shell script?

> On Fri, 2002-10-18 at 04:02, Jérôme Tytgat wrote:
> > Once Shorewall started,
> >
> > used the command iptables-save
> >
> > ex : iptables-save > my_script
>
> That makes sense. However, will iptables/shorewall allow you to write
> rules for interfaces you don't have? Specifically the IP addresses of
> my machines are different. The machine I want to "transfer" my rules to
> has two NICs.... my work machine has one. Can I get iptables to accept
> rules for two different NICs and with eth0 being assigned a diff
> address than my rules would "indicate?" If so, then I'm home free.
> Just config shorewall on my work machine, save the rules, and then copy
> to my firewall.
>
> Thanks for all the help guys,
> Bryan
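Jérôme's warning about the dots is the first trap with this substitution; the second, which the thread does not mention, is that an address can be a prefix or suffix of another one (10.1.1.1 sits inside 10.1.1.10 and 110.1.1.1), so even the escaped sed will corrupt those neighbours. The script below is an added example, not from the thread; it keeps the unescaped sed beside an awk version that matches the address literally and only rewrites it when the characters on both sides are not part of a longer address. The addresses 10.1.1.1 and 172.16.0.1 and the sample rule lines are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): rewrite one IP address inside a saved iptables script.
# Usage: rewrite_ip OLD NEW   (reads stdin, writes stdout)

# The sed from the thread without the \. escaping, kept only to show what goes wrong:
# each "." matches any character, and nothing stops a match inside a longer address.
naive_sed_rewrite() {
    sed "s/$1/$2/g"
}

rewrite_ip() {
    awk -v old="$1" -v new="$2" '
    {
        line = $0; out = ""
        # index() matches the address literally, so dots are never treated as wildcards
        while ((pos = index(line, old)) > 0) {
            before = substr(line, 1, pos - 1)
            after  = substr(line, pos + length(old))
            lb = substr(before, length(before), 1)    # char before the match, "" at line start
            rb = substr(after, 1, 1)                  # char after the match, "" at line end
            if (lb ~ /[0-9.]/ || rb ~ /[0-9.]/)
                out = out before old                  # inside a longer address: leave it alone
            else
                out = out before new
            line = after
        }
        print out line
    }'
}

# Constructed lines in iptables-save format. The hypothetical old firewall address is
# 10.1.1.1 and the new one 172.16.0.1; the last line exists only to show the dot problem.
SAMPLE='-A INPUT -s 10.1.1.1 -j ACCEPT
-A INPUT -s 10.1.1.10 -j ACCEPT
-A FORWARD -d 10.1.1.1/32 -s 110.1.1.1 -j DROP
-A INPUT -s 10x1x1x1 -j ACCEPT'

# Stand-alone run: the naive sed damages lines 2, 3 and 4; rewrite_ip touches only the
# exact address on lines 1 and 3.
printf '%s\n' "$SAMPLE" | naive_sed_rewrite 10.1.1.1 172.16.0.1
echo ---
printf '%s\n' "$SAMPLE" | rewrite_ip 10.1.1.1 172.16.0.1
```

After the rewrite, diff the old and new scripts and read every changed line before the file goes onto the floppy: a substitution that silently turned a DROP rule for one host into a DROP for another is exactly the kind of mistake a firewall will not report.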