Dario Lesca
2002-Oct-07 19:10 UTC
[Shorewall-users] Access internal to external blocked, but not ping!
Hi!
I want to allow only some hosts (livex zone) from the local net to access
external hosts directly, so I have configured shorewall with the following files...
But from a host that is not allowed (e.g. 10.1.65.46, note the comment in the hosts
file) I correctly can't access any external services (e.g.: links
www.shorewall.net ... Connection refused), but ping to external hosts is
allowed!
I don't want this, I want ping not to work! What is
wrong?
Thanks and ... sorry for my bad English
-------
Dario Lesca (d.lesca@ivrea.osra.it)
My Config.......
#[/etc/shorewall/zones]--------------------------------------------
net Net Internet
liv LocIv PC locali
livex LocIvExit PC Locali che possono Uscire
dmz DMZ Demilitarized zone
#[/etc/shorewall/interfaces]---------------------------------------
net eth0 detect noping,norfc1918,routefilter,logunclean
- eth1 detect multi,filterping
dmz eth2 detect
#[/etc/shorewall/hosts]--------------------------------------------
liv eth1:10.1.65.0/24
# livex eth1:10.1.65.46
livex eth1:10.1.65.80
livex eth1:10.1.65.81
#[/etc/shorewall/policy]-------------------------------------------
fw net ACCEPT
fw liv ACCEPT
liv fw ACCEPT
livex net ACCEPT
net all DROP info
all all REJECT info
#[/etc/shorewall/rules]--------------------------------------------
ACCEPT net fw tcp ssh
#[/etc/shorewall/shorewall.conf]-----------------------------------
FW=fw
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
ALLOWRELATED=yes
MODULESDIR=
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
LOGFILE=/var/log/messages
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
IP_FORWARDING=On
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
TC_ENABLED=No
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=
CLAMPMSS=Yes
ROUTE_FILTER=No
NAT_BEFORE_RULES=Yes
MULTIPORT=No
DETECT_DNAT_IPADDRS=No
MERGE_HOSTS=Yes
MUTEX_TIMEOUT=60
LOGNEWNOTSYN=
FORWARDPING=Yes
NEWNOTSYN=No
#[/etc/shorewall/common]-------------------------------------------
. /etc/shorewall/common.def
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
#[/etc/shorewall/masq]---------------------------------------------
eth0 10.0.0.0/8
eth0 172.16.0.0/20
#[/etc/shorewall/modules]------------------------------------------
loadmodule ip_tables
loadmodule iptable_filter
loadmodule iptable_nat
loadmodule ip_conntrack
loadmodule ip_nat_irc
loadmodule ip_conntrack_irc
loadmodule ip_nat_ftp ports=21,4559
loadmodule ip_conntrack_ftp ports=21,4559
Tom Eastep
2002-Oct-07 19:33 UTC
[Shorewall-users] Access internal to external blocked, but not ping!
Dario Lesca wrote:
> Hi!
> FORWARDPING=Yes

Change this to FORWARDPING=No

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Dario Lesca
2002-Oct-08 08:59 UTC
[Shorewall-users] Access internal to external blocked, but not ping!
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
> > > FORWARDPING=Yes
> >
> > Change this to FORWARDPING=No

Thanks Tom. Now it works fine, but I have inserted into the policy file:

liv net CONTINUE

(liv is the zone which contains the livex zone) before the rule:

livex net ACCEPT

(livex is the subzone allowed to access the net). Now if I comment (or uncomment) in the hosts file

livex eth1:10.1.65.46

the host 10.1.65.46 can't (or can) access external hosts with ping, links or other services.

Question: Is this approach correct?

... still thanks
-------
Dario Lesca (d.lesca@ivrea.osra.it)
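To make the effect of the two settings discussed in this thread visible side by side, here is a small added model (not Shorewall code, and not part of the original thread) that evaluates a packet from a local host against the hosts and policy entries quoted above. It assumes, for illustration only, that FORWARDPING=Yes accepts ICMP echo requests before any policy is consulted, that policies are matched first to last, that CONTINUE falls through to the next matching policy, and that a packet matching no policy is dropped. The hosts and policy tables are copied from the thread; the 10.1.65.46 livex entry stays commented out as in the original.

```python
"""Simplified model of first-match policy evaluation with nested zones and a
FORWARDPING override. Added illustration; the semantics below are assumptions
made for this example, not a description of Shorewall's generated chains."""
import ipaddress

# /etc/shorewall/hosts from the thread; the livex entry for 10.1.65.46 is commented out.
HOSTS = [
    ("liv", "10.1.65.0/24"),
    # ("livex", "10.1.65.46/32"),
    ("livex", "10.1.65.80/32"),
    ("livex", "10.1.65.81/32"),
]

# /etc/shorewall/policy as first posted (no CONTINUE entry).
ORIGINAL_POLICY = [
    ("fw", "net", "ACCEPT"),
    ("fw", "liv", "ACCEPT"),
    ("liv", "fw", "ACCEPT"),
    ("livex", "net", "ACCEPT"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]

# The policy file after the follow-up post: liv net CONTINUE before livex net ACCEPT.
FIXED_POLICY = ORIGINAL_POLICY[:3] + [("liv", "net", "CONTINUE")] + ORIGINAL_POLICY[3:]


def zones_for(ip):
    """Return every zone (in hosts-file order) whose network contains ip."""
    addr = ipaddress.ip_address(ip)
    zones = []
    for zone, net in HOSTS:
        if addr in ipaddress.ip_network(net) and zone not in zones:
            zones.append(zone)
    return zones


def evaluate(policies, src_ip, dst_zone, proto, forwardping):
    """Decide the fate of one packet from src_ip towards dst_zone.

    forwardping models FORWARDPING=Yes: ICMP echo is accepted before policies
    are consulted (assumption). Otherwise policies are scanned top to bottom;
    CONTINUE skips to the next match; no match means DROP (assumption).
    """
    if forwardping and proto == "icmp-echo":
        return "ACCEPT"
    src_zones = zones_for(src_ip)
    for src, dst, action in policies:
        src_match = src == "all" or src in src_zones
        dst_match = dst == "all" or dst == dst_zone
        if src_match and dst_match:
            if action == "CONTINUE":
                continue
            return action
    return "DROP"


def compare_configs():
    """Outcomes for the blocked host (10.1.65.46) and an allowed host (10.1.65.80)."""
    results = {}
    for label, policy, fwdping in (("original", ORIGINAL_POLICY, True),
                                   ("fixed", FIXED_POLICY, False)):
        for host in ("10.1.65.46", "10.1.65.80"):
            for proto in ("tcp", "icmp-echo"):
                results[(label, host, proto)] = evaluate(policy, host, "net", proto, fwdping)
    return results


if __name__ == "__main__":
    for key, verdict in sorted(compare_configs().items()):
        print(key, "->", verdict)
```

Running it reproduces the symptom from the first post (TCP from 10.1.65.46 is REJECTed while its ping is ACCEPTed because of the FORWARDPING override) and shows that with FORWARDPING=No the ping from 10.1.65.46 falls through to the `all all REJECT` policy while 10.1.65.80 still reaches the `livex net ACCEPT` entry after the CONTINUE.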