Arnar Þórarinsson
2003-May-15 11:50 UTC
[Shorewall-users] web on firewall not accessible from internet why?
Hello,

I'm trying to open access so that people can view my web site, which will be located on my firewall, but all I get is a timeout. My ISP says it's not blocking port 80 to me and I'm pretty sure that I have the ports open. I have a static IP.

I get no drop messages from Shorewall for port 80, but when I try to connect with FTP I get the following message:

  May 15 17:41:42 web kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= MAC=00:50:04:2b:3c:52:00:80:37:c3:4b:f0:08:00 SRC=192.168.254.254 DST=192.168.254.10 LEN=56 TOS=0x00 PREC=0x00 TTL=30 ID=4724 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.254.10 DST=213.213.136.38 LEN=48 TOS=0x10 PREC=0x00 TTL=127 ID=7375 DF PROTO=TCP INCOMPLETE [8 bytes] ]

Anybody see what I'm doing wrong? Running Red Hat 8 and Shorewall 1.4.2 on a two-interface system.

My rules:

  # Accept DNS connections from the firewall to the network
  ACCEPT fw net tcp 53
  ACCEPT fw net udp 53
  # Accept DNS connections from the local network to the network
  ACCEPT loc net tcp domain
  ACCEPT loc net udp domain
  ACCEPT net fw tcp domain
  ACCEPT net fw udp domain
  # Accept NTP protocol to the firewall
  ACCEPT net fw udp ntp
  ACCEPT net fw tcp ntp
  # Accept SSH connections from the local network for administration
  ACCEPT loc fw tcp 22
  # Accept SSH connections from internet to fw
  ACCEPT net fw tcp 22
  # Allow Ping to and from Firewall
  ACCEPT loc fw icmp 8
  ACCEPT net fw icmp 8
  ACCEPT fw loc icmp 8
  ACCEPT fw net icmp 8
  ACCEPT loc net icmp 8
  # Allow www requests
  ACCEPT loc net tcp www
  ACCEPT loc net tcp 8080
  ACCEPT loc net tcp https
  ACCEPT net fw tcp www,smtp,443
  ACCEPT net fw tcp 8080
  # Allow ftp request from local net to internet
  ACCEPT loc net tcp 20,21
  # Allow ftp requests from internet to firewall
  ACCEPT net fw tcp 20,21
  # Allow mail smtp and pop to and from the fw and local network to the internet
  ACCEPT loc net tcp pop3
  ACCEPT net fw tcp pop3
  ACCEPT loc net tcp 25
  # Allow MSN messenger to connect from local to network
  ACCEPT loc net tcp 1863
  ACCEPT loc net udp 7001
  ACCEPT fw loc udp 7001
  # For file transfers range 6891 - 6900
  ACCEPT loc net tcp 6891
  # TCP application and whiteboard sharing
  ACCEPT loc net tcp 1503
  # TCP remote assist
  #ACCEPT loc net tcp 3389
  # UDP incoming A/V real-time streams
  #ACCEPT loc net udp 5004:65535
  # Allow BF1942 traffic
  ACCEPT loc net tcp 14690
  ACCEPT loc net tcp 24690
  ACCEPT loc net udp 14690
  ACCEPT loc net udp 24690
  ACCEPT loc net tcp 14567
  ACCEPT loc net udp 14567
  # Allow AllSeeingEye traffic
  DNAT net loc:192.168.0.2 tcp 27243:27246 27243:27246
  DNAT net loc:192.168.0.2 udp 27243:27246 27243:27246
  ACCEPT loc net tcp 27243:27246
  ACCEPT loc net udp 27243:27246
  # Allow DC++
  ACCEPT loc net tcp 411 -
  ACCEPT loc net tcp 1412 -
  ACCEPT loc net tcp 14666 -
  ACCEPT loc net tcp 22688 -
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

My policy:

  loc net REJECT info
  #loc net ACCEPT
  fw net ACCEPT
  loc fw ACCEPT
  net all DROP info
  net fw ACCEPT info
  all all DROP info
  #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Tom Eastep
2003-May-15 12:03 UTC
[Shorewall-users] web on firewall not accessible from internet why?
On Thu, 15 May 2003 18:49:27 -0000, Arnar Þórarinsson <art@strik.is> wrote:

> I get no drop messages from shorewall for port 80 but when I try to
> connect with ftp I get the following message:
> May 15 17:41:42 web kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT=
> MAC=00:50:04:2b:3c:52:00:80:37:c3:4b:f0:08:00 SRC=192.168.254.254
> DST=192.168.254.10 LEN=56 TOS=0x00 PREC=0x00 TTL=30 ID=4724 PROTO=ICMP
> TYPE=3 CODE=3 [SRC=192.168.254.10 DST=213.213.136.38 LEN=48 TOS=0x10
> PREC=0x00 TTL=127 ID=7375 DF PROTO=TCP INCOMPLETE [8 bytes] ]

From http://www.shorewall.net/support.htm:

"Do you see any "Shorewall" messages ("/sbin/shorewall show log") when you exercise the function that is giving you problems? If so, include the message(s) in your post along with a copy of your /etc/shorewall/interfaces file."

I don't see a copy of your /etc/shorewall/interfaces file so I have no way to interpret the above message.

> My Rules :

> # Allow ftp request from local net to internet
> ACCEPT loc net tcp 20,21

Port 20 is unnecessary.

> # Allow ftp requests from internet to firewall
> ACCEPT net fw tcp 20,21

Ditto.

> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> My Policy:
> loc net REJECT info
> #loc net ACCEPT
> fw net ACCEPT
> loc fw ACCEPT
> net all DROP info
> net fw ACCEPT info
> all all DROP info
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

There is nothing obvious that I see -- if eth0 is your internet interface, I'd like to hear more about your network setup (especially IP addresses of your local systems and internal firewall interface). Also, what IP address were you trying to FTP from?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Arnar Þórarinsson
2003-May-15 16:26 UTC
[Shorewall-users] web on firewall not accessible from internet why?
> "Do you see any "Shorewall" messages ("/sbin/shorewall show log") when you
> exercise the function that is giving you problems? If so, include the
> message(s) in your post along with a copy of your /etc/shorewall/interfaces
> file."
>
> I don't see a copy of your /etc/shorewall/interfaces file so I have no way
> to interpret the above message.

Ok, here's my interfaces file:

  net eth0 detect dhcp,routefilter,norfc1918,dropunclean
  loc eth1 detect

and if you need my kernel version:

  Linux web 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002 i686 i686 i386 GNU/Linux

> There is nothing obvious that I see -- If eth0 is your internet interface,
> I'd like to hear more about your network setup (especially IP addresses of
> your local systems and internal firewall interface). Also, what IP address
> were you trying to FTP from?

Actually I tried to connect from a computer on the LAN using my internet IP, which probably wasn't a good idea ;( but if I try to connect from an external address I get a connect failure and nothing is reported in /var/log/messages or shorewall show log. I'm wondering if my router is responsible; could it be that it isn't forwarding these connections to the firewall? (My router is an Ericsson HM220dp.)

Anyways, my network setup is as follows:

             192.168.254.254
                    |
  [ISP] <--> [router] <--> [ firewall ] <--> [ LAN ]
                           eth0         eth1
                      192.168.254.10   192.168.0.1

  [root@web shorewall]# ip addr show
  1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
  2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
      link/ether 00:50:04:2b:3c:52 brd ff:ff:ff:ff:ff:ff
      inet 192.168.254.10/24 brd 192.168.254.255 scope global eth0
  3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
      link/ether 00:a0:24:7e:f4:80 brd ff:ff:ff:ff:ff:ff
      inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1

  [root@web shorewall]# ip route show
  192.168.0.0/24 dev eth1  scope link
  192.168.254.0/24 dev eth0  scope link
  127.0.0.0/8 dev lo  scope link
  default via 192.168.254.254 dev eth0
Tom Eastep
2003-May-15 17:21 UTC
[Shorewall-users] web on firewall not accessible from internet why?
On Thu, 15 May 2003 23:25:41 -0000, Arnar Þórarinsson <art@strik.is> wrote:

> Ok, here's my interfaces file:
> net eth0 detect dhcp,routefilter,norfc1918,dropunclean
> loc eth1 detect
>
> Anyways, my network setup is as follows:
>
>              192.168.254.254
>                     |
>   [ISP] <--> [router] <--> [ firewall ] <--> [ LAN ]
>                            eth0         eth1
>                       192.168.254.10   192.168.0.1

Have you modified your /etc/shorewall/rfc1918 file to account for the fact that your external IP address is reserved by RFC 1918?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-May-16 06:58 UTC
[Shorewall-users] web on firewall not accessible from internet why?
On Fri, 16 May 2003 10:11:46 GMT, <art@strik.is> wrote:

> When you say external IP address do you mean eth0 (eth0 connects router
> to firewall, IP 192.168.254.10) or from router to ISP (IP 213.213.136.*)?
>
> If the former: No, I'll change the IP for eth0 to something better.
> If the latter: why? Shorewall doesn't see that IP.

Hopefully you used the Two-interface QuickStart Guide while configuring your firewall. If so, you missed the part under "Addresses" where it talks about RFC 1918 addresses and what to do if the IP ADDRESS OF YOUR FIREWALL'S EXTERNAL INTERFACE (192.168.254.10) is reserved by RFC 1918 (which yours is).

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
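As an added illustration (not code from the thread or from Shorewall), here is a small Python parser for the kind of kernel log line Arnar posted: it splits the Shorewall chain and disposition from the netfilter fields, pulls the embedded header out of the ICMP type 3 code 3 (port unreachable) message, and flags the two points Tom raises: an RFC 1918 source address arriving on the net zone while norfc1918 is set, and what the ICMP error actually reports about the TCP attempt to 213.213.136.38. The sample log line is constructed from the one quoted in the thread; the diagnosis wording is my own.

```python
import ipaddress
import re

# Constructed sample: the net2fw log line quoted in the thread, re-joined on one line.
SAMPLE_LOG = (
    "May 15 17:41:42 web kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= "
    "MAC=00:50:04:2b:3c:52:00:80:37:c3:4b:f0:08:00 SRC=192.168.254.254 "
    "DST=192.168.254.10 LEN=56 TOS=0x00 PREC=0x00 TTL=30 ID=4724 PROTO=ICMP "
    "TYPE=3 CODE=3 [SRC=192.168.254.10 DST=213.213.136.38 LEN=48 TOS=0x10 "
    "PREC=0x00 TTL=127 ID=7375 DF PROTO=TCP INCOMPLETE [8 bytes] ]"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_kv(text):
    """Split netfilter 'KEY=value' tokens into a dict; bare flags such as DF map to True."""
    fields = {}
    for token in text.split():
        key, has_eq, value = token.partition("=")
        fields[key] = value if has_eq else True
    return fields

def parse_shorewall_log(line):
    """Return chain, disposition, header fields and (for ICMP errors) the embedded [...] header."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$", line)
    if not m:
        return None
    rest, embedded = m.group("rest"), None
    inner = re.search(r"\[(SRC=.*)\]\s*$", rest)
    if inner:
        rest = rest[: inner.start()]
        # drop the nested "[8 bytes]" truncation note before splitting the inner fields
        embedded = parse_kv(re.sub(r"\[[^\]]*\]", "", inner.group(1)))
    record = {"chain": m.group("chain"), "disposition": m.group("disp"), **parse_kv(rest)}
    record["embedded"] = embedded
    return record

def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def diagnose(record):
    notes = []
    src_zone = re.match(r"(\w+?)2\w+$", record["chain"]).group(1)  # 'net' from 'net2fw'
    if src_zone == "net" and is_rfc1918(record["SRC"]):
        notes.append(f"RFC 1918 source {record['SRC']} on the net zone: with norfc1918 set on "
                     "the interface, /etc/shorewall/rfc1918 must account for this range")
    emb = record["embedded"]
    if record.get("PROTO") == "ICMP" and (record.get("TYPE"), record.get("CODE")) == ("3", "3") and emb:
        notes.append(f"ICMP port unreachable sent by {record['SRC']} about the {emb['PROTO']} "
                     f"attempt {emb['SRC']} -> {emb['DST']}")
    return notes
```

Running `diagnose(parse_shorewall_log(SAMPLE_LOG))` yields both findings for the posted line: the router's RFC 1918 address on the net zone and the port-unreachable report about the firewall's own TCP attempt to 213.213.136.38.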