I am going crazy, I have read the shorewall 1.3 three-interface HOWTO
and I need help.
What I CAN do:
ping box on DMZ from FW
ping box on LAN from FW
ssh from LAN to FW
ssh from FW to box on DMZ
What I CANNOT do:
ping fw interface from LAN
ssh from lan to box on DMZ
Thanks in advance, and I am sorry if I have posted inappropriately.
TR Yelton
mnemonic76
version:
Linux version 2.4.18-8.1mdksecure (qateam@updates.mandrakesoft.com) (gcc version 2.96 20000731 (Mandrake Linux 8.2 2.96-0.76mdk)) #1 SMP Mon Jun 24 11:39:25 MDT 2002
Shorewall 1.3.11
##############################################################################
# Shorewall 1.3 /etc/shorewall/icmp.def
#
# This file is obsolete and is included for compatibility with existing
# icmpdef extension scripts that source it.
#
run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT
# grep -v ^# /etc/shorewall/{zones,interfaces,masq,policy,rules} | grep -v ^$ > /root/output.txt
output.txt:
/etc/shorewall/zones:
/etc/shorewall/zones:
/etc/shorewall/zones:lan LAN local_area_network
/etc/shorewall/zones:dmz DMZ demilitarized_zone
/etc/shorewall/zones:wan NET internet
/etc/shorewall/interfaces:
/etc/shorewall/interfaces:
/etc/shorewall/interfaces:lan eth0 detect routestopped
/etc/shorewall/interfaces:wan eth1 detect dhcp,norfc1918
/etc/shorewall/interfaces:dmz eth2 detect routestopped
/etc/shorewall/masq:
/etc/shorewall/masq:
/etc/shorewall/masq:eth1:0.0.0.0/0 eth0
/etc/shorewall/masq:eth1:0.0.0.0/0 eth2
/etc/shorewall/policy:
/etc/shorewall/policy:
/etc/shorewall/policy:lan all ACCEPT debug
/etc/shorewall/policy:dmz wan ACCEPT info
/etc/shorewall/policy:fw all ACCEPT info
/etc/shorewall/policy:wan all DROP info
/etc/shorewall/policy:all all REJECT info
/etc/shorewall/rules:
/etc/shorewall/rules:
/etc/shorewall/rules:ACCEPT fw wan tcp 53 -
/etc/shorewall/rules:ACCEPT fw wan udp 53 -
/etc/shorewall/rules:ACCEPT dmz wan udp 53 -
/etc/shorewall/rules:ACCEPT lan wan udp 53 -
/etc/shorewall/rules:REJECT wan fw tcp 113 -
/etc/shorewall/rules:ACCEPT lan fw tcp 22 -
/etc/shorewall/rules:ACCEPT lan fw tcp 8443 -
/etc/shorewall/rules:ACCEPT fw lan icmp 8 -
/etc/shorewall/rules:ACCEPT lan fw icmp 8 -
/etc/shorewall/rules:ACCEPT lan dmz icmp 8 -
/etc/shorewall/rules:ACCEPT dmz lan icmp 8 -
/etc/shorewall/rules:ACCEPT dmz fw icmp 8 -
/etc/shorewall/rules:ACCEPT fw dmz icmp 8 -
/etc/shorewall/rules:ACCEPT lan wan tcp pop3 -
/etc/shorewall/rules:ACCEPT lan wan tcp smtp -
/etc/shorewall/rules:ACCEPT lan wan tcp http -
/etc/shorewall/rules:ACCEPT lan wan tcp https -
/etc/shorewall/rules:ACCEPT lan wan tcp ssh -
/etc/shorewall/rules:ACCEPT lan wan tcp ftp -
/etc/shorewall/rules:ACCEPT lan wan tcp nntp -
/etc/shorewall/rules:ACCEPT fw wan udp ntp -
/etc/shorewall/rules:ACCEPT lan wan tcp imap -
/etc/shorewall/rules:ACCEPT fw wan:20022 tcp ftp -
[root@firewall admin]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 eth0
68.58.154.0     0.0.0.0         255.255.254.0   U        40 0          0 eth1
192.168.0.0     0.0.0.0         255.255.0.0     U        40 0          0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         68.58.154.1     0.0.0.0         UG       40 0          0 eth1
##############################################################################
# /etc/shorewall/shorewall.conf V1.2 - Change the following variables to
# match your setup
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
##############################################################################
#
# Name of the firewall zone -- if not set or if set to an empty string, "fw"
# is assumed.
#
FW=fw
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
#
SUBSYSLOCK=/var/lock/subsys/shorewall
# This is the directory where the firewall maintains state information while
# it is running
#
STATEDIR=/var/lib/shorewall
#
# Set this to "yes" or "Yes" if you want to accept all connection requests
# that are related to already established connections. For example, you want
# to accept FTP data connections. If you say "no" here, then to accept
# these connections between particular zones or hosts, you must include
# explicit "related" rules in /etc/shorewall/rules.
#
ALLOWRELATED="yes"
#
# If your netfilter kernel modules are in a directory other than
# /lib/modules/`uname -r`/kernel/net/ipv4/netfilter then specify that
# directory in this variable. Example: MODULESDIR=/etc/modules.
MODULESDIR=""
#
# The next two variables can be used to control the amount of log output
# generated. LOGRATE is expressed as a number followed by an optional
# `/second', `/minute', `/hour', or `/day' suffix and specifies the maximum
# rate at which a particular message will occur. LOGBURST determines the
# maximum initial burst size that will be logged. If set empty, the default
# value of 5 will be used.
#
# If BOTH variables are set empty then logging will not be rate-limited.
#
LOGRATE=""
LOGBURST=""
#
# This variable determines the level at which Mangled/Invalid packets are logged
# under the 'dropunclean' interface option. If you set this variable to an
# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
# silently.
#
LOGUNCLEAN=info
# This variable tells the /sbin/shorewall program where to look for Shorewall
# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
# /var/log/messages is assumed.
#
# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
# look for Shorewall messages. It does NOT control the destination for
# these messages. For information about how to do that, see
#
# http://www.shorewall.net/FAQ.htm#faq6
LOGFILE="/var/log/messages"
#
# Enable nat support.
#
# You probably want yes here. Only gateways not doing NAT in any form, like
# SNAT, DNAT, masquerading, port forwarding etc. should say "no" here.
#
NAT_ENABLED="Yes"
#
# Enable mangle support.
#
# If you say "no" here, Shorewall will ignore the /etc/shorewall/tos file
# and will not initialize the mangle table when starting or stopping
# your firewall. You must enable mangling if you want Traffic Shaping
# (see TC_ENABLED below).
#
MANGLE_ENABLED="Yes"
#
# Enable IP Forwarding
#
# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
# say "Off" or "off", packet forwarding will be disabled. You would only want
# to disable packet forwarding if you are installing Shorewall on a
# standalone system or if you want all traffic through the Shorewall system
# to be handled by proxies.
#
# If you set this variable to "Keep" or "keep", Shorewall will neither
# enable nor disable packet forwarding.
#
IP_FORWARDING="On"
#
# Automatically add IP Aliases
#
# If you say "Yes" or "yes" here, Shorewall will automatically add IP aliases
# for each NAT external address that you give in /etc/shorewall/nat. If you say
# "No" or "no", you must add these aliases yourself.
#
ADD_IP_ALIASES="Yes"
#
# Enable Traffic Shaping
#
# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
# you must enable packet mangling above.
#
TC_ENABLED="No"
#
# Blacklisting
#
# Set this variable to the action that you want to perform on packets from
# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
# DROP is assumed.
#
BLACKLIST_DISPOSITION=DROP
#
# Blacklist Logging
#
# Set this variable to the syslogd level that you want blacklist packets logged
# (beware of DOS attacks resulting from such logging). If not set, no logging
# of blacklist packets occurs.
#
BLACKLIST_LOGLEVEL=
#
# MSS Clamping
#
# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
# option. This option is most commonly required when your internet
# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
CLAMPMSS="Yes"
# I think this will make ping work...
FORWARDPING="Yes"
#LAST LINE -- DO NOT REMOVE
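An added example, not code from the original post: the firewall's `netstat -nr` table shows 192.168.1.0/24 on eth0 and 192.168.0.0/16 on eth2, and the first network lies inside the second. This script parses a constructed copy of that output and flags directly connected routes on different interfaces whose networks overlap, a check worth running before reading the Shorewall zone and rule files, since Shorewall assigns zones per interface while any DMZ host carrying the same /16 mask would treat 192.168.1.x addresses as on-link instead of routing them through the firewall.

```python
import ipaddress
from typing import List, Tuple

# Constructed copy of the "netstat -nr" output quoted in the post above.
NETSTAT_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 eth0
68.58.154.0     0.0.0.0         255.255.254.0   U        40 0          0 eth1
192.168.0.0     0.0.0.0         255.255.0.0     U        40 0          0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         68.58.154.1     0.0.0.0         UG       40 0          0 eth1
"""

Route = Tuple[ipaddress.IPv4Network, str, str]  # (network, gateway, iface)


def parse_routes(text: str) -> List[Route]:
    """Parse netstat -nr output into (network, gateway, iface) tuples.

    The title and column-header lines are skipped; Destination + Genmask
    are combined into a network object so prefix arithmetic is exact.
    """
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue
        dest, gateway, mask, iface = fields[0], fields[1], fields[2], fields[-1]
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((network, gateway, iface))
    return routes


def find_overlaps(routes: List[Route]) -> List[Tuple[str, str, str, str]]:
    """Return (net_a, iface_a, net_b, iface_b) for every pair of directly
    connected, non-loopback networks on different interfaces that overlap.

    The default route (prefix 0) and indirect routes are ignored: only
    on-link networks decide which hosts a machine will ARP for directly.
    """
    connected = [(n, i) for n, gw, i in routes
                 if gw == "0.0.0.0" and i != "lo" and n.prefixlen > 0]
    return [(str(a), ia, str(b), ib)
            for a, ia in connected for b, ib in connected
            if ia < ib and a.overlaps(b)]


if __name__ == "__main__":
    for net_a, if_a, net_b, if_b in find_overlaps(parse_routes(NETSTAT_OUTPUT)):
        print(f"overlap: {net_a} on {if_a} and {net_b} on {if_b}")
```

Run against the table from the post this reports `192.168.1.0/24 on eth0` overlapping `192.168.0.0/16 on eth2`; the firewall itself still reaches LAN hosts via eth0 by longest-prefix match, which is why the route problem does not show up in firewall-originated tests.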