Frédéric BOITEUX
2002-May-13 14:59 UTC
[Shorewall-users] [Newbie] Pb starting shorewall...
Hello,

I'm trying to set up a simple firewall on a gateway host (2 interfaces), but the script fails:

# shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth1:0.0.0.0/0
Local Zone: eth0:0.0.0.0/0
Deleting user chains...
iptables: No chain/target/match by that name
Terminated

* My system is a Debian GNU/Linux, Woody version, using shorewall 1.2.13-1 (the same problem arises with the 1.2.12-1 version).
* My gateway is connected to the local network through eth0, and to the internet (via a proxy) through eth1.
* I don't know if the « Net Zone: eth1:0.0.0.0/0 » line and the following line are correct??

I've tried to run in debug mode (shorewall debug start), but I get a 19 KB log file! The line causing the error is:

iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT

in the « deleteallchains » function...

If you have any ideas, thanks for helping me!

bye,
Fred.
On Mon, 13 May 2002, Frédéric BOITEUX wrote:

> Hello,
>
> I'm trying to set up a simple firewall on a gateway host (2 interfaces), but the script fails:
>
> # shorewall start
> Processing /etc/shorewall/shorewall.conf ...
> Processing /etc/shorewall/params ...
> Starting Shorewall...
> Loading Modules...
> Initializing...
> Determining Zones...
> Zones: net loc
> Validating interfaces file...
> Validating hosts file...
> Determining Hosts in Zones...
> Net Zone: eth1:0.0.0.0/0
> Local Zone: eth0:0.0.0.0/0
> Deleting user chains...
> iptables: No chain/target/match by that name
> Terminated
>
> * My system is a Debian GNU/Linux, Woody version, using shorewall 1.2.13-1 (the same problem arises with the 1.2.12-1 version).
> * My gateway is connected to the local network through eth0, and to the internet (via a proxy) through eth1.
> * I don't know if the « Net Zone: eth1:0.0.0.0/0 » line and the following line are correct??

They look ok.

> I've tried to run in debug mode (shorewall debug start), but I get a 19 KB log file! The line causing the error is:
>
> iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
>
> in the « deleteallchains » function...
>
> If you have any ideas, thanks for helping me!

Please forward the trace file to me and I'll take a look.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Mon, 13 May 2002, Frédéric BOITEUX wrote:

> Hello,
>
> I'm trying to set up a simple firewall on a gateway host (2 interfaces), but the script fails:
>
> # shorewall start
> Processing /etc/shorewall/shorewall.conf ...
> Processing /etc/shorewall/params ...
> Starting Shorewall...
> Loading Modules...
> Initializing...
> Determining Zones...
> Zones: net loc
> Validating interfaces file...
> Validating hosts file...
> Determining Hosts in Zones...
> Net Zone: eth1:0.0.0.0/0
> Local Zone: eth0:0.0.0.0/0
> Deleting user chains...
> iptables: No chain/target/match by that name
> Terminated
>
> * My system is a Debian GNU/Linux, Woody version, using shorewall 1.2.13-1 (the same problem arises with the 1.2.12-1 version).
> * My gateway is connected to the local network through eth0, and to the internet (via a proxy) through eth1.
> * I don't know if the « Net Zone: eth1:0.0.0.0/0 » line and the following line are correct??
>
> I've tried to run in debug mode (shorewall debug start), but I get a 19 KB log file! The line causing the error is:
>
> iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT

Two things:

1) Your shorewall installation seems hosed. /etc/shorewall/version shows version 1.1.1, yet the 'firewall' script that is running is later than that.

2) The rule that is causing the problem is

ACCEPT local fw::8089 tcp 80 - all

That rule looks ok.

I can't tell you any more given that I can't tell what version you are really running. It does not appear to be 1.2.13, though, from comparing your trace with a trace of a similar rule running through 1.2.13.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net