Displaying 10 results from an estimated 10 matches for "run_iptables2".

2002 Dec 19
0
Another Little Patch
...terface}_options=\"$options\" - for option in `separate_list $options`; do + for option in $options; do case $option in dhcp|noping|filterping|routestopped|norfc1918|multi|tcpflags) ;; @@ -2160,8 +2160,8 @@ if [ "$loglevel" = ULOG ]; then run_iptables2 -A $chain $proto $multiport \ $state $cli $sports $serv $dports -j ULOG $LOGPARMS \ - --ulog-prefix "Shorewall:$chain:$logtarget:" \ - else + --ulog-prefix "Shorewall:$chain:$logtarget:" + else run_iptables2 -A $chain $proto $multiport \ $state $cli $sports...
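Review bot: in the first hunk, `for option in $options` now depends on the shell's unquoted word splitting, so it only iterates correctly if `$options` is already whitespace-separated at this point and holds no glob characters. The visible lines do not show where that is guaranteed, so either keep the `separate_list` call or add a comment saying where the list is normalised. Removing the trailing backslash before `else` in the ULOG branch looks right, since the continuation would otherwise fold `else` into the `run_iptables2` command line.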
2004 Sep 25
0
Re: help with a W2K VPN client 619 error and PPTPserver
...off of the mailing list, feel free to put it back on there if you want. Hmmm -- the tunnels file has never accepted "!" in the GATEWAY column regardless of the tunnel type :-( Change the 'addrule()' function (line 293 in /usr/share/shorewall/firewall) to use 'run_iptables2' rather than 'run_iptables'. ~ addrule() # $1 = chain name, remainder of arguments specify the rule ~ { ~ ensurechain $1 ~ run_iptables2 -A $@ ~ } I've tested that change with this tunnels file entry: pptpserver net !64.139.97.4...
2004 Sep 02
3
Traffic shapping Bug ?
...as simple as : #MARK SOURCE DEST PROTO PORT(S) CLIENT USER 2 eth1 0.0.0.0/0 tcp 80 As a result, I tried to get more information using the shorewall start debug 2 > file command. Here's what I got : + run_iptables2 -t mangle -A tcfor -p -j MARK --set-mark 'PORT(S)' + '[' 'x-t mangle -A tcfor -p -j MARK --set-mark PORT(S)' = 'x-t mangle -A tcfor -p -j MARK --set-mark PORT(S)' ']' + run_iptables -t mangle -A tcfor -p -j MA...
2005 Mar 27
2
Can't get shorewall to start...
...ROR: Command "/sbin/iptables -A' OUTPUT -o eth0 -d '!192.168.0.0/24' -j 'fw2net" Failed' ERROR: Command "/sbin/iptables -A OUTPUT -o eth0 -d !192.168.0.0/24 -j fw2net" Failed It looks like there are places that should be calling run_iptables2, not run_iptables. Shorewall version is 2.2.2 I don't think you need the rest of the stuff since this isn't a problem with the iptables running, but with getting the iptables generated in the first place. Dick Munroe
2005 Feb 23
9
shorewall friendly way of limiting ssh brute force attacks?
I was wondering if anyone had implemented rules like this in shorewall: http://blog.andrew.net.au/tech I see tons of brute force attempts on the machines I administer, and I like the idea of limiting them without the need for extra daemons scanning for attacks. Thanks, Dale -- Dale E. Martin - dale@the-martins.org http://the-martins.org/~dmartin
2003 Aug 25
2
Mandrake Connection Sharing facility problem.
...in eth0_masq + havenatchain eth0_masq + eval test '"$eth0_masq_nat_exists"' = Yes ++ test '' = Yes + createnatchain eth0_masq + run_iptables -t nat -N eth0_masq + iptables -t nat -N eth0_masq + eval eth0_masq_nat_exists=Yes ++ eth0_masq_nat_exists=Yes + run_iptables2 -t nat -A eth0_masq -s 192.168.200.0/255.255.255.0 -d 0.0.0.0/0 -j MASQUERADE + '[' 'x-t nat -A eth0_masq -s 192.168.200.0/255.255.255.0 -d 0.0.0.0/0 -j MASQUERADE' = 'x-t nat -A eth0_masq -s 192.168.200.0/255.255.255.0 -d 0.0.0.0/0 -j MASQUERADE'...
2004 Jan 21
3
FW: DNAT and masq problem with kernel 2.4.23
...0/0268.html http://lists.netfilter.org/pipermail/netfilter/2003-September/046962.html Here is tail from debug message. How can I force shorewall to use POSTROUTING chain for masq and DNAT instead of user defined chains? # tail /tmp/trace + eval exists_nat_net_dnat=Yes + exists_nat_net_dnat=Yes + run_iptables2 -t nat -A net_dnat -p tcp -d 212.24.147.254 --dport http -j DNAT --to-destination 192.168.140.2 + [ x-t nat -A net_dnat -p tcp -d 212.24.147.254 --dport http -j DNAT --to-destination 192.168.140.2 = x-t nat -A net_dnat -p tcp -d 212.24.147.254 --dport http -j DNAT --to-destination 192.168.140.2...
2005 Feb 01
4
Shorewall problem
I am getting the following message when Shorewall stops. Can anybody shed any light on this message and where I should be looking? Thanks root@bobshost:~# shorewall stop Loading /usr/share/shorewall/functions... Processing /etc/shorewall/params ... Processing /etc/shorewall/shorewall.conf... Loading Modules... Stopping Shorewall...Processing /etc/shorewall/stop ... IP Forwarding Enabled
2004 Aug 19
4
MASQUERADE problem again...
...sts_nat_eth0_masq"' = Yes ++ test '' = Yes + createnatchain eth0_masq + run_iptables -t nat -N eth0_masq + '[' -n '' ']' + iptables -t nat -N eth0_masq + eval exists_nat_eth0_masq=Yes ++ exists_nat_eth0_masq=Yes + run_iptables2 -t nat -A eth0_masq -s 192.168.4.0/24 -d 0.0.0.0/0 -j MASQUERADE + '[' 'x-t nat -A eth0_masq -s 192.168.4.0/24 -d 0.0.0.0/0 -j MASQUERADE' = 'x-t nat -A eth0_masq -s 192.168.4.0/24 -d 0.0.0.0/0 -j MASQUERADE' ']' + run_iptab...
2003 Mar 23
12
Shorewall 1.4.1
This is a minor release of Shorewall. WARNING: This release introduces incompatibilities with prior releases. See http://www.shorewall.net/upgrade_issues.htm. Changes are: a) There is now a new NONE policy specifiable in /etc/shorewall/policy. This policy will cause Shorewall to assume that there will never be any traffic between the source and destination zones. b) Shorewall no longer