Ernest Beinrohr
2003-Apr-02 08:48 UTC
[Shorewall-users] After upgrading to 1.3.14 REDIRECT in rules and masq doesn't work

shorewall:1.3.14
kernel: 2.4.19
iptables: v1.2.7a
iproute: 2.4.7
using VLAN: 8021q module
Mandrake: positive ;)

After upgrading from 1.3.[7|9]? to 1.3.14 shorewall cannot start because of these line in rules:

REDIRECT loc 8080 tcp www - !127.0.0.1

which redirected web traffic to a transparent proxy server, located on the firewall. After commenting out three lines with REDIRECT, shorewall stopped again, on file masq. I had to comment out all the lines, to be able to start shorewall.

eth1 200.200.200.0/24 62.176.29.1
eth1 192.168.11.100/32 62.176.29.1
eth1 192.168.12.19/32
eth1 192.168.12.20/32
eth4 192.168.11.100/32 62.176.29.5

_______

PS: I also upgraded iptables recently :) so maybe the problem is related to this also

PS2: "shorewall check" works ok, but shorewall start issues the "Terminated" errors. Could a check be made, that really checks the rules ?

PS3: I use tab not spaces. Is that ok?

PS4: thx for a great sw.

--
Ernest Beinrohr, OERNii
eAdmin @ AxonPro.sk, http://www.AxonPro.sk
+421-2-62410360, +421-903-482603 <== NEW PHONE NUMBER
HomePage: http://www.oernii.sk

Tom Eastep
2003-Apr-02 09:34 UTC
[Shorewall-users] After upgrading to 1.3.14 REDIRECT in rules and masq doesn't work

On Wed, 2 Apr 2003, Ernest Beinrohr wrote:

> shorewall:1.3.14
> kernel: 2.4.19
> iptables: v1.2.7a
> iproute: 2.4.7
> using VLAN: 8021q module
> Mandrake: positive ;)
>
> After upgrading from 1.3.[7|9]? to 1.3.14 shorewall cannot start because
> of these line in rules:
> REDIRECT loc 8080 tcp www - !127.0.0.1

That's a nonsensical rule -- how could traffic from loc have a destination IP address of 127.0.0.1 in the first place?

> which redirected web traffic to a transparent proxy server, located on
> the firewall. After commenting out three lines with REDIRECT, shorewall
> stopped again, on file masq. I had to comment out all the lines, to be
> able to start shorewall.
> eth1 200.200.200.0/24 62.176.29.1
> eth1 192.168.11.100/32 62.176.29.1
> eth1 192.168.12.19/32
> eth1 192.168.12.20/32
> eth4 192.168.11.100/32 62.176.29.5
>
> _______
>
> PS: I also upgraded iptables recently :) so maybe the problem is related
> to this also

I think that's likely -- have you followed the instructions in the Troubleshooting guide under the heading "If the firewall fails to start"?

> PS2: "shorewall check" works ok, but shorewall start issues the
> "Terminated" errors. Could a check be made, that really checks the rules ?
>

Including checking for broken iptables?

> PS3: I use tab not spaces. Is that ok

Of course.

>
> PS4: thx for a great sw.
>

You're welcome.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

Tom Eastep
2003-Apr-02 09:38 UTC
[Shorewall-users] After upgrading to 1.3.14 REDIRECT in rules and masq doesn't work

On Wed, 2 Apr 2003, Tom Eastep wrote:

> > After upgrading from 1.3.[7|9]? to 1.3.14 shorewall cannot start because
> > of these line in rules:
> > REDIRECT loc 8080 tcp www - !127.0.0.1
>
> That's a nonsensical rule -- how could traffic from loc have a destination
> IP address of 127.0.0.1 in the first place?
>

Nevertheless, Shorewall starts fine for me with that rule in place.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

Tom Eastep
2003-Apr-02 09:49 UTC
[Shorewall-users] After upgrading to 1.3.14 REDIRECT in rules and masq doesn't work

On Wed, 2 Apr 2003, Tom Eastep wrote:

> On Wed, 2 Apr 2003, Tom Eastep wrote:
>
> > > After upgrading from 1.3.[7|9]? to 1.3.14 shorewall cannot start because
> > > of these line in rules:
> > > REDIRECT loc 8080 tcp www - !127.0.0.1
> >
> > That's a nonsensical rule -- how could traffic from loc have a destination
> > IP address of 127.0.0.1 in the first place?
> >
>
> Nevertheless, Shorewall starts fine for me with that rule in place.
>

Did you also rebuild your kernel? Sounds to me like you didn't include NAT support.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

Ernest Beinrohr
2003-Apr-03 00:31 UTC
SOLVED: Re: [Shorewall-users] After upgrading to 1.3.14 REDIRECT in rules and masq doesn't work

Tom Eastep wrote:

>On Wed, 2 Apr 2003, Tom Eastep wrote:
>
>>On Wed, 2 Apr 2003, Tom Eastep wrote:
>>
>>>>After upgrading from 1.3.[7|9]? to 1.3.14 shorewall cannot start because
>>>>of these line in rules:
>>>>REDIRECT loc 8080 tcp www - !127.0.0.1
>>>>
>>>That's a nonsensical rule -- how could traffic from loc have a destination
>>>IP address of 127.0.0.1 in the first place?
>>>
>>Nevertheless, Shorewall starts fine for me with that rule in place.
>>
>
>Did you also rebuild your kernel? Sounds to me like you didn't include NAT
>support.
>

After DOWNgrading iptables to 1.2.6.a [mandrake] all is working as it should. Sorry for bothering the shorewall list ;)

--
Ernest Beinrohr, OERNii
eAdmin @ AxonPro.sk, http://www.AxonPro.sk
+421-2-62410360, +421-903-482603 <== NEW PHONE NUMBER
HomePage: http://www.oernii.sk

Tom Eastep
2003-Apr-06 18:51 UTC
SOLVED: Re: [Shorewall-users] After upgrading to 1.3.14 REDIRECT in rules and masq doesn't work

On Thu, 3 Apr 2003, Ernest Beinrohr wrote:

>
> After DOWNgrading iptables to 1.2.6.a [mandrake] all is working as it
> should. Sorry for bothering the shorewall list ;)

You need to look at the upgrade issues page then -- you can't just upgrade from 1.2.x to 1.3.y and expect your configuration to work without any changes.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net