pctas.com
2003-Jan-12 09:26 UTC
[Shorewall-users] Shorewall on a file/webserver/router Help
Hi,
I have an install of Shorewall. I have 2 interfaces (I think):
ppp0 [connection device] and eth0 [LAN device].
I want to allow all traffic from the internet in, or at least port 80 and
CVS and webmin and mail and everything normal, to the main machine with
Shorewall on it.

I changed the policy file but it just gave me errors about double
interfaces. I also still want to allow connection sharing coming from
eth0, which is working now over NAT I think.
Is there some way to fully expose the internet interface?
Is there a way to fully expose eth0 from the LAN side?

I'm stuck as I can't even get into the machine from eth0 to edit the
system etc.
Mike Noyes
2003-Jan-12 09:45 UTC
[Shorewall-users] Shorewall on a file/webserver/router Help
On Sun, 2003-01-12 at 09:25, pctas.com wrote:
> I have an install of shorewall I have 2 interfaces (I think)
> ppp0 [connection device] and eth0 [LAN device],
> I want to allow all traffic from the internet in or at least port 80 and
> CVS and webmin and mail and everything normal to the main machine with
> shorewall on it.

pctas,
Please read the support page. You haven't provided enough information for us
to assist you. A small ASCII art diagram of your LAN would be useful also.

Support
http://shorewall.sourceforge.net/support.htm

ASCII Art Examples
http://leaf-project.org/pub/doc/network_diagrams/

> I changed the policy file but it just gave me errors as to double interfaces.

If you want help with your policy file, you'll need to include it in your post.

> I also still want to allow connection sharing coming from eth0 which is
> working now over NAT I think
> Is there some way to fully expose the internet interface?
> Is there a way to fully expose eth0 from the LAN side?

Why are you using a firewall? Full exposure of an interface is what a firewall
is designed to prevent. Sorry, but we need more information to help you.

> I'm stuck as I can't even get into the machine from eth0 to edit the system
> etc.

Using ssh or telnet? Is the proper daemon running on the machine you're trying
to connect to?

--
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/
http://sitedocs.sf.net/
http://ffl.sf.net/
Tom Eastep
2003-Jan-12 09:48 UTC
[Shorewall-users] Shorewall on a file/webserver/router Help
--On Monday, January 13, 2003 04:25:52 AM +1100 "pctas.com"
<coldascold@dodo.com.au> wrote:

> Hi,
> I have an install of shorewall I have 2 interfaces (I think)
> ppp0 [connection device] and eth0 [LAN device],
> I want to allow all traffic from the internet in or at least port 80 and
> CVS and webmin and mail and everything normal to the main machine with
> shorewall on it.
>
> I changed the policy file but it just gave me errors as to double
> interfaces. I also still want to allow connection sharing coming from
> eth0 which is working now over NAT I think
> Is there some way to fully expose the internet interface?
> Is there a way to fully expose eth0 from the LAN side?
>
>
> I'm stuck as I can't even get into the machine from eth0 to edit the
> system etc.
>

Based on the questions that you are asking, it doesn't sound like you have
read http://shorewall.sf.net/two-interface.htm -- have you?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
pctas.com
2003-Jan-12 13:08 UTC
[Shorewall-users] Shorewall on a file/webserver/router Help
Status.txt included

For illustration purposes see an average basic 2 interface LAN as in the
documentation: http://www.pcaus.com/mazda/BasicLan.png (40kb) [disregard the
wireless access point].

Yes, I very well read the documentation pages located at sourceforge.
Therefore my request on this list that maybe someone knew exactly how to
disable the firewall while still leaving the NAT translation for connection
sharing intact.

The firewall is working very good, too good for my liking.
I simply wanted to allow all traffic in from the internet on ppp0 for a
webserver and let all traffic out to the internet from the LAN on eth0 to
ppp0 [NAT] (already does this) and also let the LAN be open to filesharing,
what have you, maybe video (dream on) too.

From the documentation I see around 4 or 5 files that may need editing. I
have observed that it is very possible to allow only one service access here
and there, but I wanted to know if there was a quick and simple way to let
NAT translation take place on all interfaces without editing tons of services
and ports into the service files and shorewall files.

Thanks again.

Oh, I'm not paranoid or worried about access to my machines/machine.

Jesse

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@shorewall.net>
Sent: Monday, January 13, 2003 4:47 AM
Subject: Re: [Shorewall-users] Shorewall on a file/webserver/router Help

> --On Monday, January 13, 2003 04:25:52 AM +1100 "pctas.com"
> <coldascold@dodo.com.au> wrote:
>
> > Hi,
> > I have an install of shorewall I have 2 interfaces (I think)
> > ppp0 [connection device] and eth0 [LAN device],
> > I want to allow all traffic from the internet in or at least port 80
> > and CVS and webmin and mail and everything normal to the main machine
> > with shorewall on it.
> >
> > I changed the policy file but it just gave me errors as to double
> > interfaces.
> > I also still want to allow connection sharing coming from
> > eth0 which is working now over NAT I think
> > Is there some way to fully expose the internet interface?
> > Is there a way to fully expose eth0 from the LAN side?
> >
> >
> > I'm stuck as I can't even get into the machine from eth0 to edit the
> > system etc.
> >
>
> Based on the questions that you are asking, it doesn't sound like you have
> read http://shorewall.sf.net/two-interface.htm -- have you?
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.sf.net
> Washington USA  \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://mail.shorewall.net/mailman/listinfo/shorewall-users
>

-------------- next part --------------
Shorewall-1.3.7c Status at localhost.localdomain - Mon Jan 13 18:14:57 EST 2003

Counters reset Sun Jan 12 20:35:27 EST 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out    source          destination
   38  3292 ACCEPT     all  --  lo     *      0.0.0.0/0       0.0.0.0/0
 1670  222K ppp0_in    all  --  ppp0   *      0.0.0.0/0       0.0.0.0/0
 1517  177K eth0_in    all  --  eth0   *      0.0.0.0/0       0.0.0.0/0
    0     0 common     all  --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 LOG        all  --  *      *      0.0.0.0/0       0.0.0.0/0       LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *      0.0.0.0/0       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out    source          destination
38843   15M ppp0_fwd   all  --  ppp0   *      0.0.0.0/0       0.0.0.0/0
41645   28M eth0_fwd   all  --  eth0   *      0.0.0.0/0       0.0.0.0/0
    0     0 common     all  --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 LOG        all  --  *      *      0.0.0.0/0       0.0.0.0/0       LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *      0.0.0.0/0       0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out    source          destination
   38  3292 ACCEPT     all  --  *      lo     0.0.0.0/0       0.0.0.0/0
  260 26588 ACCEPT     icmp --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW,RELATED,ESTABLISHED
 1520  123K fw2net     all  --  *      ppp0   0.0.0.0/0       0.0.0.0/0
 1285  210K fw2masq    all  --  *      eth0   0.0.0.0/0       0.0.0.0/0
    0     0 common     all  --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 LOG        all  --  *      *      0.0.0.0/0       0.0.0.0/0       LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     all  --  *      *      0.0.0.0/0       0.0.0.0/0

Chain all2all (2 references)
 pkts bytes target     prot opt in     out    source          destination
    0     0 ACCEPT     all  --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
 1256  167K common     all  --  *      *      0.0.0.0/0       0.0.0.0/0
  510 42195 LOG        all  --  *      *      0.0.0.0/0       0.0.0.0/0       LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
  510 42195 reject     all  --  *      *      0.0.0.0/0       0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out    source          destination
    0     0 ACCEPT     icmp --  *      *      0.0.0.0/0       0.0.0.0/0       icmp type 8
  481 40463 icmpdef    icmp --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 DROP       tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state INVALID
  976  143K REJECT     udp  --  *      *      0.0.0.0/0       0.0.0.0/0       udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *      0.0.0.0/0       0.0.0.0/0       udp dpt:445 reject-with icmp-port-unreachable
    0     0 reject     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       tcp dpt:135
    0     0 DROP       udp  --  *      *      0.0.0.0/0       0.0.0.0/0       udp dpt:1900
    0     0 DROP       all  --  *      *      0.0.0.0/0       255.255.255.255
    0     0 DROP       all  --  *      *      0.0.0.0/0       224.0.0.0/4
   66  3960 reject     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       tcp dpt:113
    0     0 DROP       all  --  *      *      0.0.0.0/0       192.168.1.255

Chain dynamic (4 references)
 pkts bytes target     prot opt in     out    source          destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out    source          destination
41645   28M dynamic    all  --  *      *      0.0.0.0/0       0.0.0.0/0
41645   28M masq2net   all  --  *      ppp0   0.0.0.0/0       0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out    source          destination
 1517  177K dynamic    all  --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *      0.0.0.0/0       0.0.0.0/0       icmp type 8
 1517  177K masq2fw    all  --  *      *      0.0.0.0/0       0.0.0.0/0

Chain fw2masq (1 references)
 pkts bytes target     prot opt in     out    source          destination
  566  115K ACCEPT     all  --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:631
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:137
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:138
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:139
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:631
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:137
  218 53301 ACCEPT     udp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:138
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:139
  501 41763 all2all    all  --  *      *      0.0.0.0/0       0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out    source          destination
  403 24888 ACCEPT     all  --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
 1117 97757 ACCEPT     all  --  *      *      0.0.0.0/0       0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out    source          destination

Chain loc2net (0 references)
 pkts bytes target     prot opt in     out    source          destination
    0     0 ACCEPT     all  --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *      0.0.0.0/0       0.0.0.0/0

Chain masq2fw (1 references)
 pkts bytes target     prot opt in     out    source          destination
  225 15029 ACCEPT     all  --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:67
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:80
    6   288 ACCEPT     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:631
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:143
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:119
    0     0 ACCEPT     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:123
  521 33348 ACCEPT     udp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:53
   10  3288 ACCEPT     udp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:67
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:80
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:443
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:631
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:143
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:110
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:25
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:119
    0     0 ACCEPT     udp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:123
  755  125K all2all    all  --  *      *      0.0.0.0/0       0.0.0.0/0

Chain masq2net (1 references)
 pkts bytes target     prot opt in     out    source          destination
38893   28M ACCEPT     all  --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
   42 13069 newnotsyn  tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
 2710  181K ACCEPT     all  --  *      *      0.0.0.0/0       0.0.0.0/0

Chain net2all (2 references)
 pkts bytes target     prot opt in     out    source          destination
40113   15M ACCEPT     all  --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
   19   928 newnotsyn  tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
  351 24652 common     all  --  *      *      0.0.0.0/0       0.0.0.0/0
   55  2752 LOG        all  --  *      *      0.0.0.0/0       0.0.0.0/0       LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
   55  2752 DROP       all  --  *      *      0.0.0.0/0       0.0.0.0/0

Chain newnotsyn (7 references)
 pkts bytes target     prot opt in     out    source          destination
   61 13997 DROP       all  --  *      *      0.0.0.0/0       0.0.0.0/0

Chain ppp0_fwd (1 references)
 pkts bytes target     prot opt in     out    source          destination
38843   15M dynamic    all  --  *      *      0.0.0.0/0       0.0.0.0/0
38843   15M net2all    all  --  *      eth0   0.0.0.0/0       0.0.0.0/0

Chain ppp0_in (1 references)
 pkts bytes target     prot opt in     out    source          destination
 1670  222K dynamic    all  --  *      *      0.0.0.0/0       0.0.0.0/0
   30  2208 ACCEPT     icmp --  *      *      0.0.0.0/0       0.0.0.0/0       icmp type 8
 1640  220K net2all    all  --  *      *      0.0.0.0/0       0.0.0.0/0

Chain reject (6 references)
 pkts bytes target     prot opt in     out    source          destination
   75  4392 REJECT     tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       reject-with tcp-reset
  501 41763 REJECT     all  --  *      *      0.0.0.0/0       0.0.0.0/0       reject-with icmp-port-unreachable

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out    source          destination

Jan 13 13:36:35 all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.253 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=12174 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.253 DST=68.7.200.39 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=11663 DF PROTO=TCP SPT=3221 DPT=3829 WINDOW=64240 RES=0x00 SYN URGP=0 ]
Jan 13 13:36:41 all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.253 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=12175 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.253 DST=68.7.200.39 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=11664 DF PROTO=TCP SPT=3221 DPT=3829 WINDOW=64240 RES=0x00 SYN URGP=0 ]
Jan 13 13:36:42 all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.253 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=12176 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.253 DST=210.49.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=11665 DF PROTO=TCP SPT=3222 DPT=3580 WINDOW=64240 RES=0x00 SYN URGP=0 ]
Jan 13 15:37:37 net2all:DROP:IN=ppp0 OUT= SRC=64.144.25.246 DST=203.220.204.161 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=37238 DF PROTO=TCP SPT=4095 DPT=3128 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 15:37:40 net2all:DROP:IN=ppp0 OUT= SRC=64.144.25.246 DST=203.220.204.161 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=38527 DF PROTO=TCP SPT=4095 DPT=3128 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 15:37:46 net2all:DROP:IN=ppp0 OUT= SRC=64.144.25.246 DST=203.220.204.161 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=41342 DF PROTO=TCP SPT=4095 DPT=3128 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 15:37:58 net2all:DROP:IN=ppp0 OUT= SRC=64.144.25.246 DST=203.220.204.161 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=47197 DF PROTO=TCP SPT=3773 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 15:38:01 net2all:DROP:IN=ppp0 OUT= SRC=64.144.25.246 DST=203.220.204.161 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=48610 DF PROTO=TCP SPT=3773 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 15:38:07 net2all:DROP:IN=ppp0 OUT= SRC=64.144.25.246 DST=203.220.204.161 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=51462 DF PROTO=TCP SPT=3773 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 15:38:19 net2all:DROP:IN=ppp0 OUT= SRC=64.144.25.246 DST=203.220.204.161 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=57462 DF PROTO=TCP SPT=4459 DPT=6588 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 15:38:22 net2all:DROP:IN=ppp0 OUT= SRC=64.144.25.246 DST=203.220.204.161 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=58898 DF PROTO=TCP SPT=4459 DPT=6588 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 15:38:28 net2all:DROP:IN=ppp0 OUT= SRC=64.144.25.246 DST=203.220.204.161 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=61860 DF PROTO=TCP SPT=4459 DPT=6588 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 15:38:40 net2all:DROP:IN=ppp0 OUT= SRC=64.144.25.246 DST=203.220.204.161 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=2268 DF PROTO=TCP SPT=4837 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 15:38:49 net2all:DROP:IN=ppp0 OUT= SRC=64.144.25.246 DST=203.220.204.161 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=6549 DF PROTO=TCP SPT=4837 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 17:36:45 all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.253 LEN=576 TOS=0x00 PREC=0xC0 TTL=64 ID=21113 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.253 DST=172.168.64.4 LEN=1288 TOS=0x00 PREC=0x00 TTL=128 ID=21419 DF PROTO=TCP SPT=3552 DPT=1797 WINDOW=64378 RES=0x00 ACK URGP=0 ]
Jan 13 17:36:49 all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.253 LEN=576 TOS=0x00 PREC=0xC0 TTL=64 ID=21114 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.253 DST=172.168.64.4 LEN=1362 TOS=0x00 PREC=0x00 TTL=128 ID=21420 DF PROTO=TCP SPT=3552 DPT=1797 WINDOW=64378 RES=0x00 ACK URGP=0 ]
Jan 13 17:37:08 all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.253 LEN=576 TOS=0x00 PREC=0xC0 TTL=64 ID=21115 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.253 DST=172.168.64.4 LEN=1362 TOS=0x00 PREC=0x00 TTL=128 ID=21421 DF PROTO=TCP SPT=3552 DPT=1797 WINDOW=64378 RES=0x00 ACK URGP=0 ]
Jan 13 17:37:14 all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.253 LEN=85 TOS=0x00 PREC=0xC0 TTL=64 ID=21116 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.253 DST=68.9.195.2 LEN=57 TOS=0x00 PREC=0x00 TTL=128 ID=21425 DF PROTO=TCP SPT=3277 DPT=2548 WINDOW=62859 RES=0x00 ACK PSH URGP=0 ]
Jan 13 17:37:20 all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.253 LEN=85 TOS=0x00 PREC=0xC0 TTL=64 ID=21117 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.253 DST=68.9.195.2 LEN=57 TOS=0x00 PREC=0x00 TTL=128 ID=21426 DF PROTO=TCP SPT=3277 DPT=2548 WINDOW=62859 RES=0x00 ACK PSH URGP=0 ]
Jan 13 17:37:25 all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.253 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=21118 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.253 DST=216.136.224.142 LEN=92 TOS=0x00 PREC=0x00 TTL=64 ID=21429 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=7424 ]

Chain PREROUTING (policy ACCEPT 34564 packets, 1785K bytes)
 pkts bytes target     prot opt in     out    source          destination

Chain POSTROUTING (policy ACCEPT 30034 packets, 1285K bytes)
 pkts bytes target     prot opt in     out    source          destination
 3385  227K ppp0_masq  all  --  *      ppp0   0.0.0.0/0       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1353 packets, 140K bytes)
 pkts bytes target     prot opt in     out    source          destination

Chain ppp0_masq (1 references)
 pkts bytes target     prot opt in     out    source          destination
 2350  138K MASQUERADE all  --  *      *      192.168.1.0/24  0.0.0.0/0

Chain PREROUTING (policy ACCEPT 125K packets, 48M bytes)
 pkts bytes target     prot opt in     out    source          destination
84896   43M pretos     all  --  *      *      0.0.0.0/0       0.0.0.0/0

Chain INPUT (policy ACCEPT 34256 packets, 2025K bytes)
 pkts bytes target     prot opt in     out    source          destination

Chain FORWARD (policy ACCEPT 89327 packets, 46M bytes)
 pkts bytes target     prot opt in     out    source          destination

Chain OUTPUT (policy ACCEPT 33890 packets, 2059K bytes)
 pkts bytes target     prot opt in     out    source          destination
 3104  363K outtos     all  --  *      *      0.0.0.0/0       0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 123K packets, 48M bytes)
 pkts bytes target     prot opt in     out    source          destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out    source          destination
    0     0 TOS        tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out    source          destination
    0     0 TOS        tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       tcp spt:22 TOS set 0x10
   48  2172 TOS        tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       tcp dpt:21 TOS set 0x10
   57  4421 TOS        tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *      0.0.0.0/0       0.0.0.0/0       tcp dpt:20 TOS set 0x08

tcp      6 431958 ESTABLISHED src=192.168.1.253 dst=216.136.233.152 sport=3564 dport=5050 src=216.136.233.152 dst=203.221.15.117 sport=5050 dport=3564 [ASSURED] use=1
tcp      6 431965 ESTABLISHED src=192.168.1.253 dst=68.9.198.203 sport=3559 dport=3299 src=68.9.198.203 dst=203.221.15.117 sport=3299 dport=3559 [ASSURED] use=1
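The log section of the status attachment above is worth reading before the counters: the `net2all:DROP` lines come from a single external address hitting destination ports 3128, 8080, 6588 and 80 in turn within about a minute, which is what the default `net all DROP` policy is there to absorb, and the `all2all:REJECT` lines show the firewall's own ICMP type 3 replies towards the LAN host being rejected on eth0, so that host never learns why its connections fail. The parser below is an added example and is not code from this thread or from Shorewall. It assumes log lines in exactly the form they appear in that attachment (the `chain:ACTION:` prefix followed by netfilter `KEY=value` fields, with an ICMP error's quoted inner header in square brackets), keeps the outer and inner headers apart, and groups dropped inbound TCP SYNs by source so that one host probing several ports stands out. The sample lines are copied from the attachment; the function names and the three-port threshold are my own choices.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Lines copied from the Shorewall status attachment in this thread; four of the
# net2all:DROP probes from one source and one all2all:REJECT ICMP error.
SAMPLE_LOG = """\
Jan 13 15:37:37 net2all:DROP:IN=ppp0 OUT= SRC=64.144.25.246 DST=203.220.204.161 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=37238 DF PROTO=TCP SPT=4095 DPT=3128 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 15:37:58 net2all:DROP:IN=ppp0 OUT= SRC=64.144.25.246 DST=203.220.204.161 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=47197 DF PROTO=TCP SPT=3773 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 15:38:19 net2all:DROP:IN=ppp0 OUT= SRC=64.144.25.246 DST=203.220.204.161 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=57462 DF PROTO=TCP SPT=4459 DPT=6588 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 15:38:40 net2all:DROP:IN=ppp0 OUT= SRC=64.144.25.246 DST=203.220.204.161 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=2268 DF PROTO=TCP SPT=4837 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 13 13:36:35 all2all:REJECT:IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.253 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=12174 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.253 DST=68.7.200.39 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=11663 DF PROTO=TCP SPT=3221 DPT=3829 WINDOW=64240 RES=0x00 SYN URGP=0 ]
"""

# "Mon DD HH:MM:SS chain:ACTION:<netfilter fields>" as printed in the attachment
# (a syslog copy would carry a hostname and "Shorewall:" before the chain name).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<chain>\w+):(?P<action>\w+):(?P<rest>.*)$"
)
# KEY=value pairs; the value may be empty, as in "OUT=" for locally delivered packets.
KV_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class LogEvent:
    timestamp: str
    chain: str
    action: str
    fields: Dict[str, str]            # header of the packet the rule matched
    inner: Optional[Dict[str, str]]   # header quoted inside an ICMP error, if any
    flags: Set[str]                   # bare tokens such as DF, SYN, ACK


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one status-style log line; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    inner = None
    if "[" in rest:
        # ICMP errors quote the offending packet's header in brackets; keep it
        # separate so its SRC/DST/DPT never overwrite the outer packet's fields.
        rest, _, inner_text = rest.partition("[")
        inner = dict(KV_RE.findall(inner_text.rstrip(" ]")))
    fields = dict(KV_RE.findall(rest))
    flags = {tok for tok in rest.split() if "=" not in tok}
    return LogEvent(m.group("ts"), m.group("chain"), m.group("action"), fields, inner, flags)


def summarize(text: str) -> Dict[tuple, Set[int]]:
    """Map (chain, action, source address) to the set of TCP ports that source tried.

    Only fresh connection attempts (SYN without ACK) count, and ICMP errors that
    merely quote another packet are skipped so they do not inflate the tally.
    """
    ports: Dict[tuple, Set[int]] = defaultdict(set)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.inner is not None:
            continue
        if ev.fields.get("PROTO") == "TCP" and "SYN" in ev.flags and "ACK" not in ev.flags:
            ports[(ev.chain, ev.action, ev.fields["SRC"])].add(int(ev.fields["DPT"]))
    return ports


def sweeps(ports: Dict[tuple, Set[int]], threshold: int = 3) -> Dict[str, list]:
    """Sources whose blocked attempts span at least `threshold` distinct ports."""
    return {src: sorted(p) for (_chain, _action, src), p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    tally = summarize(SAMPLE_LOG)
    for (chain, action, src), p in sorted(tally.items()):
        print(f"{chain}:{action} {src} -> ports {sorted(p)}")
    for src, p in sweeps(tally).items():
        print(f"port sweep from {src}: {len(p)} ports {p}")
```

Run as a script it prints one tally line for the external source and flags it as a sweep; the ICMP error line is parsed (its quoted header is available as `inner`) but contributes nothing to the tally. Feeding it the full log section of the attachment gives the same single sweep, since every `net2all:DROP` line there comes from the one address.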
Mike Noyes
2003-Jan-13 07:43 UTC
[Shorewall-users] Shorewall on a file/webserver/router Help
On Sun, 2003-01-12 at 13:07, pctas.com wrote:
> Status.txt included
>
> For illustration purposes see an average basic 2 interface LAN as in the
> documentation
> http://www.pcaus.com/mazda/BasicLan.png (40kb) [disregard the wireless
> access point]
>
> Yes I very well read the documentation pages located at sourceforge
> Therefore my request on this List that maybe someone knew exactly how to
> disable the firewall still leaving the NAT translation for connection
> sharing intact

Jesse,
What you're asking for is a router with NAT. Shorewall is a firewall. I
suggest you remove Shorewall, and read the following documentation. It
describes NAT configuration.

http://tldp.org/HOWTO/IP-Masquerade-HOWTO/index.html
http://tldp.org/HOWTO/Masquerading-Simple-HOWTO/index.html

I have a feeling you may need these instructions. Follow them after you
discover your network has been compromised.

* Remain calm; don't hurry.
* Notify your organization's management.
* Provide a game plan (with options if possible).
* Apply need-to-know.
* Use out-of-band communications; avoid email and other network-based
  communications channels.
* Take good notes, good enough to serve as evidence in a court of law.
* Contain the problem; pull the network cable.
* Back up the system(s), and collect evidence.
* Eradicate the problem and get back in business.
* Lessons learned, apply what you have learned.

http://www.sans.org/resources/idfaq/incident_handling_steps.php

> The firewall is working very good, too good for my liking
> I simply wanted to allow all traffic in from the internet on ppp0 for a
> webserver and let all traffic out to the internet from the LAN on eth0 to
> ppp0 [NAT] (already does this) and also let the lan be open to filesharing
> what have you maybe video (dream on) too.
>
> from the documentation I see around 4 or 5 files that may need editing,
> I have observed that it is very possible to allow only one service access
> here and there, but, I wanted to know if there was a quick and simple way to
> let NAT translation take place on all interfaces without editing tons of
> services and ports into the service files and shorewall files

Bridging/Proxy-ARP, a DMZ, and ez-ipupdate is what you should look into.

> Oh I'm not paranoid or worried about access to my
> machines/machine

You should be.

--
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/
http://sitedocs.sf.net/
http://ffl.sf.net/
Barry, Christopher
2003-Jan-13 13:35 UTC
[Shorewall-users] Shorewall on a file/webserver/router Help
You're right - the line below is in error. It should read:
"Shorewall Masquerading not made for simpletons"

> Quote "Shorewall Masquerading made simple ?"
Tom Eastep
2003-Jan-13 13:37 UTC
[Shorewall-users] Shorewall on a file/webserver/router Help
--On Monday, January 13, 2003 04:35:16 PM -0500 "Barry, Christopher"
<cbarry@infiniconsys.com> wrote:

> You're right - the line below is in error. It should read: "Shorewall
> Masquerading not made for simpletons"
>

Sigh -- I see that things are going well on the list in my absence...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
Barry, Christopher
2003-Jan-13 13:44 UTC
[Shorewall-users] Shorewall on a file/webserver/router Help
Absence! What, did you take a catnap?

;^)

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, January 13, 2003 4:37 PM
To: pctas.com; shorewall-users@shorewall.net
Subject: RE: [Shorewall-users] Shorewall on a file/webserver/router Help

--On Monday, January 13, 2003 04:35:16 PM -0500 "Barry, Christopher"
<cbarry@infiniconsys.com> wrote:

> You're right - the line below is in error. It should read: "Shorewall
> Masquerading not made for simpletons"
>

Sigh -- I see that things are going well on the list in my absence...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Jan-13 13:50 UTC
[Shorewall-users] Shorewall on a file/webserver/router Help
--On Monday, January 13, 2003 04:44:22 PM -0500 "Barry, Christopher"
<cbarry@infiniconsys.com> wrote:

> Absence! What, did you take a catnap?
>
> ;^)
>

I announced a week ago that until further notice, I wouldn't be involved in
Shorewall support or development. And I have been maintaining a low profile
since then.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
Barry, Christopher
2003-Jan-13 13:53 UTC
[Shorewall-users] Shorewall on a file/webserver/router Help
I knew that Tom - I was just kidding because it seems like you only took a
few hours off!

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, January 13, 2003 4:50 PM
To: Barry, Christopher; shorewall-users@shorewall.net
Subject: RE: [Shorewall-users] Shorewall on a file/webserver/router Help

--On Monday, January 13, 2003 04:44:22 PM -0500 "Barry, Christopher"
<cbarry@infiniconsys.com> wrote:

> Absence! What, did you take a catnap?
>
> ;^)
>

I announced a week ago that until further notice, I wouldn't be involved in
Shorewall support or development. And I have been maintaining a low profile
since then.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
Martinez, Mike (MHS-ACS)
2003-Jan-13 14:00 UTC
[Shorewall-users] Shorewall on a file/webserver/router Help
Tom's been lurking.... He needs to go do some salmon fishing or do some
hiking\skiing up in the high country and take a good break.....

I subscribe to several lists and you will always see someone once in a while
pop up with a bad attitude, and he\she usually will not get any help from
anyone after they do that. This has been a great list thanks to Tom's hard
work and dedication, and I believe that it will continue to be a great list.

Tom, you need the time off to be with your family and loved ones, and
hopefully some of the people who have been helping out on the list will
continue to do so and we will all continue to learn from each other.

Cheers,
Mike

-----Original Message-----
From: Barry, Christopher [mailto:cbarry@infiniconsys.com]
Sent: Monday, January 13, 2003 3:44 PM
To: Tom Eastep; pctas.com; shorewall-users@shorewall.net
Subject: RE: [Shorewall-users] Shorewall on a file/webserver/router Help

Absence! What, did you take a catnap?

;^)

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, January 13, 2003 4:37 PM
To: pctas.com; shorewall-users@shorewall.net
Subject: RE: [Shorewall-users] Shorewall on a file/webserver/router Help

--On Monday, January 13, 2003 04:35:16 PM -0500 "Barry, Christopher"
<cbarry@infiniconsys.com> wrote:

> You're right - the line below is in error. It should read: "Shorewall
> Masquerading not made for simpletons"
>

Sigh -- I see that things are going well on the list in my absence...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net