I'm having problems getting shorewall working again to allow another computer to connect through my linux box. My machine can connect to the internet fine through eth0, the other pc is getting an ip and can ping 192.168.0.1, but not past. I've tracked it down to a problem in /etc/shorewall/masq but I have no idea why shorewall is barfing on the file when it was working 72 hours ago and I have since reinstalled and reconfigured everything to a very simple setup. I am running mandrake but I have a fresh non-mandrake 2.4.21 kernel, the only patch is the patch-o-matic for netfilter/iptables. I am not running the Mandrake release of Shorewall.

# shorewall version
1.4.6b

# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:e0:29:55:81:fb brd ff:ff:ff:ff:ff:ff
    inet 24.47.23.33/20 brd 255.255.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:cc:e0:be:41 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1

# ip route show
255.255.255.255 dev eth1  scope link
192.168.0.0/24 dev eth1  scope link
24.47.16.0/20 dev eth0  proto kernel  scope link  src 24.47.23.33
127.0.0.0/8 dev lo  scope link
default via 24.47.16.1 dev eth0

---
# shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Restarting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Not available
Determining Zones...
   Zones: net masq
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Maquerade Zone: eth1:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
   Rule "ACCEPT fw net tcp 53" added.
   Rule "ACCEPT fw net udp 53" added.
   Rule "ACCEPT masq fw tcp 22" added.
   Rule "ACCEPT net fw tcp 22" added.
   Rule "ACCEPT masq fw icmp 8" added.
   Rule "DROP net fw icmp 8" added.
   Rule "ACCEPT fw masq icmp 8" added.
   Rule "ACCEPT fw net icmp 8" added.
   Rule "ACCEPT net fw tcp 113" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Policy REJECT for fw to masq using chain all2all
   Policy DROP for net to fw using chain net2all
   Policy REJECT for masq to fw using chain all2all
   Policy ACCEPT for masq to net using chain masq2net
Masqueraded Subnets and Hosts:
iptables: Invalid argument
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/stopped ...
Terminated

-------
/etc/shorewall/zone
#ZONE   DISPLAY     COMMENTS
net     Net         Internet
masq    Maquerade   Masqueraded Local Networks

--------------
/etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp
masq    eth1        detect

-------------
/etc/shorewall/masq
#INTERFACE   SUBNET   ADDRESS
eth0         eth1

(if I comment out that line in the masq file I am able to load shorewall and get onto the net from my linux box, otherwise nothing works)

I basically have the standard two-interfaces example install, which was working until the blackout, and now it doesn't work. Any help you can give would be great.

Thanks.
_dan
On Sat, 2003-08-16 at 15:45, Pab wrote:
>
> I am running mandrake but I have a fresh non-mandrake 2.4.21 kernel, the
> only patch is the patch-o-matic for netfilter/iptables. I am not running
> the Mandrake release of Shorewall.

> Policy REJECT for masq to fw using chain all2all
> Policy ACCEPT for masq to net using chain masq2net
> Masqueraded Subnets and Hosts:
> iptables: Invalid argument
> Processing /etc/shorewall/stop ...

Looks like you neglected to include MASQ support in your new kernel.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> On Sat, 2003-08-16 at 15:45, Pab wrote:
>
>> I am running mandrake but I have a fresh non-mandrake 2.4.21 kernel, the
>> only patch is the patch-o-matic for netfilter/iptables. I am not running
>> the Mandrake release of Shorewall.
>
>> Policy REJECT for masq to fw using chain all2all
>> Policy ACCEPT for masq to net using chain masq2net
>> Masqueraded Subnets and Hosts:
>> iptables: Invalid argument
>> Processing /etc/shorewall/stop ...
>
> Looks like you neglected to include MASQ support in your new kernel.
>
> -Tom

I thought of that and I actually have just about EVERYTHING built as a module and loaded. ipt_MASQUERADE is loaded.

# lsmod
Module                  Size  Used by    Tainted: P
ipt_unclean             7288   0 (unused)
ipt_ULOG                4136   0 (unused)
ipt_tos                  472   0 (unused)
ipt_random               728   0 (unused)
ipt_quota                632   0 (unused)
ipt_pool                 600   0 (unused)
ipt_owner               1432   0 (unused)
ipt_mport                760   0 (unused)
ipt_ipv4options         1016   0 (unused)
ipt_TTL                 1112   0 (unused)
ipt_ttl                  568   0 (unused)
ipt_time                1400   0 (unused)
ipt_TCPMSS              2360   0 (unused)
ipt_tcpmss               792   0 (unused)
ipt_SAME                1016   0 (unused)
ipt_REDIRECT             792   0 (unused)
ipt_psd                42884   0 (unused)
ipt_POOL                 696   0 (unused)
ip_pool                 3248   0 [ipt_pool ipt_POOL]
ipt_pkttype              472   0 (unused)
ipt_nth                 1216   0 (unused)
ipt_NETMAP               792   0 (unused)
ipt_NETLINK             1436   0 (unused)
ipt_MIRROR              1496   0 (unused)
ipt_MARK                 760   0 (unused)
ipt_mark                 472   0 (unused)
ipt_mac                  632   0 (unused)
ipt_limit                888   0 (unused)
ipt_length               504   0 (unused)
ipt_IPV4OPTSSTRIP       1080   0 (unused)
ipt_iplimit             1752   0 (unused)
ipt_helper               696   0 (unused)
ipt_fuzzy               1144   0 (unused)
ipt_esp                  600   0 (unused)
ipt_ECN                 1784   0 (unused)
ipt_ecn                  824   0 (unused)
ipt_DSCP                1048   0 (unused)
ipt_dscp                 472   0 (unused)
ipt_ah                   600   0 (unused)
ip_queue                5868   0 (unused)
ip_conntrack_tftp       1904   1 (autoclean)
ip_nat_tftp             1904   0 (unused)
ip_nat_snmp_basic       9212   0 (unused)
ip_nat_amanda           1820   0 (unused)
ip_conntrack_amanda     2176   1 [ip_nat_amanda]
arptable_filter         1456   0 (unused)
arp_tables             10924   1 [arptable_filter]
ipt_MASQUERADE          1912   0 (autoclean)
tdfx                   34016  13
agpgart                18384   0 (autoclean) (unused)
lp                      7040   0
parport_pc             16004   1
parport                26592   1 [lp parport_pc]
ipt_TOS                 1016  12 (autoclean)
ipt_LOG                 3384   5 (autoclean)
ipt_REJECT              3224   4 (autoclean)
ipt_state                568  23 (autoclean)
ip_nat_irc              2864   0 (unused)
ip_nat_ftp              3856   0 (unused)
ip_conntrack_irc        3248   1 [ip_nat_irc]
ip_conntrack_ftp        4496   1 [ip_nat_ftp]
ipt_multiport            664   0 (autoclean)
ipt_conntrack           1176   0 (autoclean)
iptable_filter          1740   1 (autoclean)
iptable_mangle          2136   1 (autoclean)
iptable_nat            23704   6 (autoclean) [ipt_SAME ipt_REDIRECT ipt_NETMAP ip_nat_tftp ip_nat_snmp_basic ip_nat_amanda ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack           29608   9 (autoclean) [ipt_SAME ipt_REDIRECT ipt_NETMAP ipt_iplimit ipt_helper ip_conntrack_tftp ip_nat_tftp ip_nat_amanda ip_conntrack_amanda ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]
ip_tables              14840  50 [ipt_unclean ipt_ULOG ipt_tos ipt_random ipt_quota ipt_pool ipt_owner ipt_mport ipt_ipv4options ipt_TTL ipt_ttl ipt_time ipt_TCPMSS ipt_tcpmss ipt_SAME ipt_REDIRECT ipt_psd ipt_POOL ipt_pkttype ipt_nth ipt_NETMAP ipt_NETLINK ipt_MIRROR ipt_MARK ipt_mark ipt_mac ipt_limit ipt_length ipt_IPV4OPTSSTRIP ipt_iplimit ipt_helper ipt_fuzzy ipt_esp ipt_ECN ipt_ecn ipt_DSCP ipt_dscp ipt_ah ipt_MASQUERADE ipt_TOS ipt_LOG ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]
af_packet              13608   3 (autoclean)
sr_mod                 14392   0 (autoclean)
natsemi                16480   1 (autoclean)
8139too                14952   1 (autoclean)
mii                     2560   0 (autoclean) [8139too]
vfat                   10860   0 (autoclean)
fat                    32696   0 (autoclean) [vfat]
ide-scsi               10512   0
scsi_mod               87444   2 [sr_mod ide-scsi]
sb                      7764   0
sb_lib                 38030   0 [sb]
uart401                 6820   0 [sb_lib]
sound                  59348   0 [sb_lib uart401]
rtc                     6844   0 (autoclean)
Tom Eastep wrote:
> On Sat, 16 Aug 2003 20:38:00 -0400, Pab <pab@albanysux.com> wrote:
>
>>>
>>> Looks like you neglected to include MASQ support in your new kernel.
>>>
>>> -Tom
>>
>> I thought of that and I actually have just about EVERYTHING built as a
>> module and loaded. ipt_MASQUERADE is loaded.
>
> Then please follow the instructions at
> http://shorewall.net/troubleshoot.htm under the heading "If the firewall
> fails to start".
>
> -Tom

Here is part of the trace if that helps.

+ read first rest
+ '[' x#INTERFACE = xINCLUDE ']'
+ echo '#INTERFACE SUBNET ADDRESS'
+ read first rest
+ '[' xeth0 = xINCLUDE ']'
+ echo 'eth0 eth1'
+ read first rest
+ '[' x#LAST = xINCLUDE ']'
+ echo '#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE'
+ read first rest
+ '[' -n Yes ']'
+ echo 'Masqueraded Subnets and Hosts:'
+ read fullinterface subnet address
+ expandv fullinterface subnet address
+ local varval
+ '[' 3 -gt 0 ']'
+ eval 'varval=$fullinterface'
++ varval=eth0
+ eval 'fullinterface="eth0"'
++ fullinterface=eth0
+ shift
+ '[' 2 -gt 0 ']'
+ eval 'varval=$subnet'
++ varval=eth1
+ eval 'subnet="eth1"'
++ subnet=eth1
+ shift
+ '[' 1 -gt 0 ']'
+ eval 'varval=$address'
++ varval=
+ eval 'address=""'
++ address=
+ shift
+ '[' 0 -gt 0 ']'
+ '[' -n Yes ']'
+ setup_one
+ local using
+ destnet=0.0.0.0/0
+ interface=eth0
+ list_search eth0 eth0 eth1
+ local e=eth0
+ '[' 3 -gt 1 ']'
+ shift
+ '[' xeth0 = xeth0 ']'
+ return 0
+ '[' eth1 = eth1 ']'
+ nomasq=
++ masq_chain eth0
+++ chain_base eth0
+++ local c=eth0
+++ echo eth0
++ echo eth0_masq
+ chain=eth0_masq
+ iface=
+ source=eth1
++ get_routed_subnets eth1
++ local address
++ local rest
++ ip route show dev eth1
++ read address rest
++ '[' x255.255.255.255 = xdefault ']'
++ '[' 255.255.255.255 = 255.255.255.255 ']'
++ address=255.255.255.255/32
++ echo 255.255.255.255/32
++ read address rest
++ '[' x192.168.0.0/24 = xdefault ']'
++ '[' 192.168.0.0/24 = 192.168.0.0 ']'
++ echo 192.168.0.0/24
++ read address rest
+ subnets=255.255.255.255/32 192.168.0.0/24
+ '[' -z '255.255.255.255/32 192.168.0.0/24' ']'
+ subnet=255.255.255.255/32 192.168.0.0/24
+ '[' -n '' -a -n '' ']'
+ destination=0.0.0.0/0
+ '[' -n '' ']'
+ destnet=-d 0.0.0.0/0
+ '[' -n '255.255.255.255/32 192.168.0.0/24' ']'
+ '[' -n '' ']'
+ addnatrule eth0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j MASQUERADE
+ ensurenatchain eth0_masq
+ havenatchain eth0_masq
+ eval test '"$eth0_masq_nat_exists"' = Yes
++ test '' = Yes
+ createnatchain eth0_masq
+ run_iptables -t nat -N eth0_masq
+ iptables -t nat -N eth0_masq
+ eval eth0_masq_nat_exists=Yes
++ eth0_masq_nat_exists=Yes
+ run_iptables2 -t nat -A eth0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j MASQUERADE
+ '[' 'x-t nat -A eth0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j MASQUERADE' = 'x-t nat -A eth0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j MASQUERADE' ']'
+ run_iptables -t nat -A eth0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j MASQUERADE
+ iptables -t nat -A eth0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j MASQUERADE
iptables: Invalid argument
+ '[' -z '' ']'
+ stop_firewall
+ set +x
On Sun, 17 Aug 2003, Pab wrote:
> Here is part of the trace if that helps.
>
> MASQUERADE
> + iptables -t nat -A eth0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j
> MASQUERADE
> iptables: Invalid argument
> + '[' -z '' ']'
> + stop_firewall
> + set +x
>

Ok -- the above is the first MASQ rule being added and it is valid:

[root@gateway root]# iptables -t nat -A eth0_masq -s 255.255.255.255 -d 0.0.0.0/0 -j MASQUERADE
[root@gateway root]#

If you used a recent P-O-M snapshot, you must also rebuild your iptables utility using the updated kernel source. Otherwise, all commands associated with NAT fail.

-Tom

Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> On Sun, 17 Aug 2003, Pab wrote:
>
>> Here is part of the trace if that helps.
>>
>> MASQUERADE
>> + iptables -t nat -A eth0_masq -s 255.255.255.255/32 -d 0.0.0.0/0 -j
>> MASQUERADE
>> iptables: Invalid argument
>> + '[' -z '' ']'
>> + stop_firewall
>> + set +x
>>
>
> Ok -- the above is the first MASQ rule being added and it is valid:
>
> [root@gateway root]# iptables -t nat -A eth0_masq -s 255.255.255.255 -d
> 0.0.0.0/0 -j MASQUERADE
> [root@gateway root]#
>
> If you used a recent P-O-M snapshot, you must also rebuild your iptables
> utility using the updated kernel source. Otherwise, all commands
> associated with NAT fail.
>
> -Tom
>
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
>

That was it. I made a rookie mistake and the new iptables I had built was being installed into /usr/local/sbin and not overwriting the older version in /sbin. Everything is working now and thanks for the help!
On Sun, 17 Aug 2003 12:44:40 -0400, Pab <pab@albanysux.com> wrote:
>
> That was it. I made a rookie mistake and the new iptables I had built was
> being installed into /usr/local/sbin and not overwriting the older version
> in /sbin.

You're not the first person to cut yourself on that sharp edge :-)

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
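The thread ends on a mismatch between userland and kernel: the P-O-M kernel needed a rebuilt iptables utility, the rebuilt one landed in /usr/local/sbin, and the shell kept running the older copy in /sbin, so every NAT command came back with "Invalid argument". The POSIX shell check below is an added example, not code from this thread or from the Shorewall project. It lists every copy of a command on PATH in the order the shell searches, says which one will actually run and which ones are shadowed, and prints what each copy answers to -V so a stale build can be told from a fresh one. The function names and the sample PATH are this example's own; nothing here touches the firewall.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: find every copy of a
# command on PATH and show which one the shell actually runs. This is the
# "sharp edge" at the end of the thread: a rebuilt iptables installed into
# /usr/local/sbin while the shell kept finding the older one in /sbin.

# Usage: list_copies NAME [PATH_STRING]
# Prints every executable NAME found on PATH_STRING (default: $PATH), one
# per line, in the order the shell searches. Empty PATH entries are skipped.
list_copies() {
    printf '%s\n' "${2:-$PATH}" | tr ':' '\n' | while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
        fi
    done
}

# Usage: shadow_check NAME [PATH_STRING]
# Exit status: 0 = exactly one copy, 1 = several copies (only the first is
# ever run; the rest are shadowed), 2 = no copy at all.
shadow_check() {
    copies=$(list_copies "$1" "$2")
    if [ -z "$copies" ]; then
        echo "$1: not found on PATH"
        return 2
    fi
    count=$(printf '%s\n' "$copies" | wc -l | tr -d ' ')
    first=$(printf '%s\n' "$copies" | head -n 1)
    if [ "$count" -eq 1 ]; then
        echo "$1: single copy at $first"
        return 0
    fi
    echo "$1: $count copies; the shell runs $first and never these:"
    printf '%s\n' "$copies" | tail -n +2 | sed 's/^/    /'
    return 1
}

# Usage: report_versions NAME [PATH_STRING]
# Runs each copy with -V (the flag iptables uses to print its version) so a
# stale build and a fresh one can be told apart without guessing.
report_versions() {
    list_copies "$1" "$2" | while IFS= read -r copy; do
        printf '%s: %s\n' "$copy" "$("$copy" -V 2>&1 | head -n 1)"
    done
}

# Stand-alone use:  sh shadow_check.sh iptables
if [ $# -gt 0 ]; then
    shadow_check "$1"
    report_versions "$1"
fi
```

Run it as root with the same PATH the firewall script sees (for example through the init script's environment rather than an interactive login shell), since the two PATHs often differ and that difference is exactly how the wrong binary gets picked.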