Jimi Frechette
2003-Dec-01 14:17 UTC
[Shorewall-users] Problem with my simple local+ net shorewall configuration
Hi!

I've just installed the new Mandrake 9.2 on my Linux box. I've also installed Shorewall in order to make my Linux box a firewall. But it doesn't seem to work. I've tried to apply the HOWTO config but it still doesn't work. Can anybody help me out?

Here is my network:

    Windows                    Linux
    |192.168.0.2| <--------> eth0: 192.168.0.1   eth1: ADSL DHCP <------> Internet

My Windows box has its gateway configured as 192.168.0.1.

Quite a simple network! I can ping everything from my Linux box, but I can't ping my Linux box from my Windows PC, although my policy permits it! I now think it may be a kernel problem?

Here are my config files:

ZONES:

    # Shorewall 1.4 /etc/shorewall/zones
    #
    # This file determines your network zones. Columns are:
    #
    #       ZONE            Short name of the zone (5 Characters or less in length).
    #       DISPLAY         Display name of the zone
    #       COMMENTS        Comments about the zone
    #
    #ZONE   DISPLAY         COMMENTS
    net     Net             Internet zone
    loc     Local           Local
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

No RULES.

POLICY:

    #SOURCE DEST    POLICY  LOG LEVEL       LIMIT:BURST
    loc     net     ACCEPT
    fw      net     ACCEPT
    net     all     DROP    info
    fw      loc     ACCEPT
    loc     fw      ACCEPT
    #all    all     ACCEPT  info
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

MASQ:

    #INTERFACE      SUBNET          ADDRESS
    eth1            eth0
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

INTERFACES:

    #ZONE   INTERFACE       BROADCAST       OPTIONS
    net     eth1            detect          dhcp
    loc     eth0            detect
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

EXPORT OF VERSION, IP ADDR, IP ROUTE AND OTHER STUFF:

    1.4.6c

    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 52:54:00:e7:35:8e brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
    3: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:0d:88:19:bd:5c brd ff:ff:ff:ff:ff:ff
        inet 127.255.255.255/8 brd 127.255.255.255 scope host eth1:9
        inet 81.57.22.44/24 brd 81.57.22.255 scope global eth1

    81.57.22.0/24 dev eth1 proto kernel scope link src 81.57.22.44
    192.168.0.0/24 dev eth0 scope link
    127.0.0.0/8 dev lo scope link
    default via 81.57.22.254 dev eth1

STATUS (SORRY FOR THE LENGTH):

    Shorewall-1.4.6c Status at gate - Sun Nov 30 18:37:05 CET 2003

    Counters reset Sun Nov 30 18:22:48 CET 2003

    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        2   168 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
      285 98190 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
       51  5670 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:DROP:'
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
        0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
        0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
        0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:DROP:'
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        2   168 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
        0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
        0     0 ACCEPT     udp  --  *      eth1    0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
      301 37335 fw2net     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
       59  3213 fw2loc     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
        0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:OUTPUT:DROP:'
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain common (4 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135
        0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
        0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445
        0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
        0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445
        7   336 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900
        0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
        0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
        0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
        1    65 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 state NEW
        0     0 DROP       all  --  *      *       0.0.0.0/0            127.255.255.255
        0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.0.255

    Chain dynamic (4 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain eth0_fwd (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 loc2net    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

    Chain eth0_in (1 references)
     pkts bytes target     prot opt in     out     source               destination
       51  5670 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
       51  5670 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain eth1_fwd (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 net2all    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

    Chain eth1_in (1 references)
     pkts bytes target     prot opt in     out     source               destination
      285 98190 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
      285 98190 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fw2loc (1 references)
     pkts bytes target     prot opt in     out     source               destination
       52  2697 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
        7   516 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain fw2net (1 references)
     pkts bytes target     prot opt in     out     source               destination
      238 33433 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
       63  3902 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain icmpdef (0 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain loc2fw (1 references)
     pkts bytes target     prot opt in     out     source               destination
       37  5014 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
       14   656 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain loc2net (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain net2all (2 references)
     pkts bytes target     prot opt in     out     source               destination
      264 96957 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        7   280 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
       14   953 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
        6   552 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
        6   552 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain newnotsyn (5 references)
     pkts bytes target     prot opt in     out     source               destination
        7   280 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:newnotsyn:DROP:'
        7   280 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain reject (7 references)
     pkts bytes target     prot opt in     out     source               destination
        7   336 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-unreachable
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

    Chain shorewall (0 references)
     pkts bytes target     prot opt in     out     source               destination

    Nov 29 13:57:41 marcadet-1-81-57-22-44 Shorewall:newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.213.81 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=61841 PROTO=TCP SPT=1463 DPT=1786 WINDOW=0 RES=0x00 ACK RST URGP=0
    Nov 29 13:59:47 marcadet-1-81-57-22-44 Shorewall:newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.135.15 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=34004 PROTO=TCP SPT=2620 DPT=1419 WINDOW=0 RES=0x00 ACK RST URGP=0
    Nov 29 14:00:04 marcadet-1-81-57-22-44 Shorewall:newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.75.95 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=45722 PROTO=TCP SPT=2782 DPT=1014 WINDOW=0 RES=0x00 ACK RST URGP=0
    Nov 29 14:00:40 marcadet-1-81-57-22-44 Shorewall:newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.115.58 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=63212 PROTO=TCP SPT=1025 DPT=1379 WINDOW=0 RES=0x00 ACK RST URGP=0
    Nov 29 14:00:44 marcadet-1-81-57-22-44 Shorewall:newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.132.123 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=15000 PROTO=TCP SPT=1025 DPT=1969 WINDOW=0 RES=0x00 ACK RST URGP=0
    Nov 29 14:00:59 marcadet-1-81-57-22-44 Shorewall:newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.219.169 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=25826 PROTO=TCP SPT=2724 DPT=1656 WINDOW=0 RES=0x00 ACK RST URGP=0
    Nov 29 14:01:35 marcadet-1-81-57-22-44 Shorewall:net2all:DROP:IN=eth1 OUT= SRC=81.57.2.149 DST=81.57.22.44 LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=17383 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=1573
    Nov 30 18:28:27 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.128.99 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=60768 PROTO=TCP SPT=2447 DPT=1497 WINDOW=0 RES=0x00 ACK RST URGP=0
    Nov 30 18:28:44 net2all:DROP:IN=eth1 OUT= SRC=81.57.2.31 DST=81.57.22.44 LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=49651 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=45802
    Nov 30 18:29:13 net2all:DROP:IN=eth1 OUT= SRC=81.57.117.152 DST=81.57.22.44 LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=52071 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=60679
    Nov 30 18:29:13 net2all:DROP:IN=eth1 OUT= SRC=81.57.70.83 DST=81.57.22.44 LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=18645 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=2085
    Nov 30 18:29:25 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.191.90 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=34710 PROTO=TCP SPT=2169 DPT=1078 WINDOW=0 RES=0x00 ACK RST URGP=0
    Nov 30 18:29:25 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.191.90 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=34711 PROTO=TCP SPT=2169 DPT=1078 WINDOW=0 RES=0x00 ACK RST URGP=0
    Nov 30 18:30:30 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.219.169 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=60547 PROTO=TCP SPT=1311 DPT=1031 WINDOW=0 RES=0x00 ACK RST URGP=0
    Nov 30 18:31:59 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.48.41 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=34276 PROTO=TCP SPT=2506 DPT=1208 WINDOW=0 RES=0x00 ACK RST URGP=0
    Nov 30 18:33:39 net2all:DROP:IN=eth1 OUT= SRC=81.57.92.117 DST=81.57.22.44 LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=26347 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3621
    Nov 30 18:34:30 net2all:DROP:IN=eth1 OUT= SRC=81.56.192.142 DST=81.57.22.44 LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=62023 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1827
    Nov 30 18:35:14 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.222.31 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=3887 PROTO=TCP SPT=1025 DPT=1693 WINDOW=0 RES=0x00 ACK RST URGP=0
    Nov 30 18:35:36 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.188.75 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=8587 PROTO=TCP SPT=1025 DPT=1799 WINDOW=0 RES=0x00 ACK RST URGP=0
    Nov 30 18:35:37 net2all:DROP:IN=eth1 OUT= SRC=81.59.124.140 DST=81.57.22.44 LEN=92 TOS=0x00 PREC=0x00 TTL=111 ID=56291 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=45613

    NAT Table

    Chain PREROUTING (policy ACCEPT 124 packets, 6071 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 93 packets, 5769 bytes)
     pkts bytes target     prot opt in     out     source               destination
       70  4182 eth1_masq  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 86 packets, 5489 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain eth1_masq (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MASQUERADE all  --  *      *       192.168.0.0/24       0.0.0.0/0

    Mangle Table

    Chain PREROUTING (policy ACCEPT 587 packets, 241K bytes)
     pkts bytes target     prot opt in     out     source               destination
      375  106K pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain INPUT (policy ACCEPT 521 packets, 238K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 540 packets, 56294 bytes)
     pkts bytes target     prot opt in     out     source               destination
      362 40716 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain POSTROUTING (policy ACCEPT 540 packets, 56294 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain outtos (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 TOS set 0x10
        0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 TOS set 0x10
       42  2349 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 TOS set 0x10
        0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:21 TOS set 0x10
        0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20 TOS set 0x08
        4   168 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 TOS set 0x08

    Chain pretos (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 TOS set 0x10
        0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 TOS set 0x10
        0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 TOS set 0x10
       28  2048 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:21 TOS set 0x10
        6  2678 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20 TOS set 0x08
        0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 TOS set 0x08
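A way to check the question in the post above against the configuration it contains, as an added example (not part of the thread and not Shorewall's own code): it reproduces the first-match lookup of /etc/shorewall/policy for a zone pair, then parses the Shorewall log lines from the status output, counting drops and comparing each line logged by a policy chain with the policy the zone pair resolves to. It assumes Shorewall 1.4's kernel log prefix `Shorewall:<chain>:<disposition>:`, that an empty IN= or OUT= denotes the firewall host itself, and that policy chains are named `<src>2<dst>`; the function names are this example's own.

```python
"""Check the poster's zone policy and log lines (added example, not Shorewall code).

Assumptions: /etc/shorewall/policy is matched top-down and the first entry whose
SOURCE and DEST fit (literally or via 'all') wins; a kernel log line carries the
prefix 'Shorewall:<chain>:<disposition>:' and an empty IN= or OUT= means the
firewall host itself. Function names are this example's own.
"""
import re
from collections import Counter

# /etc/shorewall/interfaces from the post: interface -> zone
INTERFACES = {"eth1": "net", "eth0": "loc"}

# /etc/shorewall/policy from the post, in file order: (SOURCE, DEST, POLICY, LOG LEVEL)
POLICY = [
    ("loc", "net", "ACCEPT", None),
    ("fw", "net", "ACCEPT", None),
    ("net", "all", "DROP", "info"),
    ("fw", "loc", "ACCEPT", None),
    ("loc", "fw", "ACCEPT", None),
]

# Log lines copied from the status output in the post; the 'shorewall status'
# excerpt drops the hostname and the 'Shorewall:' prefix on the later lines.
SAMPLE_LOG = [
    "Nov 29 13:57:41 marcadet-1-81-57-22-44 Shorewall:newnotsyn:DROP:IN=eth1 OUT= "
    "SRC=81.57.213.81 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=61841 "
    "PROTO=TCP SPT=1463 DPT=1786 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "Nov 30 18:28:44 net2all:DROP:IN=eth1 OUT= SRC=81.57.2.31 DST=81.57.22.44 "
    "LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=49651 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=45802",
    "Nov 30 18:29:25 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.191.90 DST=81.57.22.44 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=34710 PROTO=TCP SPT=2169 DPT=1078 "
    "WINDOW=0 RES=0x00 ACK RST URGP=0",
    "Nov 30 18:33:39 net2all:DROP:IN=eth1 OUT= SRC=81.57.92.117 DST=81.57.22.44 "
    "LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=26347 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3621",
]


def zone_for(iface):
    """Zone an interface belongs to; no interface means the firewall host ('fw')."""
    if not iface:
        return "fw"
    return INTERFACES.get(iface, "unknown")


def resolve_policy(src_zone, dst_zone, policy=POLICY):
    """Walk the policy file top-down and return (POLICY, LOG LEVEL) of the first
    entry matching the zone pair, or (None, None) if no entry covers it."""
    for src, dst, action, log_level in policy:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action, log_level
    return None, None


LOG_RE = re.compile(
    r"(?:Shorewall:)?(?P<chain>\w+):(?P<disp>[A-Z]+):"
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)"
    r".*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
    r"(?: TYPE=(?P<type>\d+) CODE=(?P<code>\d+))?"
)
# Policy chains are named <src>2<dst> (net2all, loc2fw); newnotsyn, common are not.
POLICY_CHAIN_RE = re.compile(r"^[a-z]+2[a-z]+$")


def parse_log_line(line):
    """Fields of one Shorewall log line plus the zones and the policy the
    zone pair resolves to; None if the line is not a Shorewall log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["src_zone"] = zone_for(entry["in"])
    entry["dst_zone"] = zone_for(entry["out"])
    entry["policy"], entry["log_level"] = resolve_policy(entry["src_zone"], entry["dst_zone"])
    return entry


def summarize(lines):
    """Count drops per (chain, protocol, TCP port or ICMP type) and collect lines
    logged by a policy chain whose disposition differs from the policy file."""
    counts = Counter()
    mismatches = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        target = entry["dpt"] if entry["proto"] == "TCP" else "type " + (entry["type"] or "?")
        counts[(entry["chain"], entry["proto"], target)] += 1
        if POLICY_CHAIN_RE.match(entry["chain"]) and entry["disp"] != entry["policy"]:
            mismatches.append(line)
    return counts, mismatches


if __name__ == "__main__":
    # The poster's complaint: the Windows box (loc, eth0) cannot ping the firewall (fw).
    print("loc -> fw:", resolve_policy("loc", "fw"))  # ('ACCEPT', None): the policy permits it
    print("net -> fw:", resolve_policy("net", "fw"))  # ('DROP', 'info'): the net2all:DROP lines
    counts, bad = summarize(SAMPLE_LOG)
    for key, n in sorted(counts.items()):
        print(n, *key)
    print("policy/log mismatches:", len(bad))
```

Run stand-alone, it reports that loc to fw resolves to ACCEPT, so the ping from the Windows box to the firewall is permitted by the policy file (consistent with the non-zero ACCEPT counter in the loc2fw chain above), while net to fw resolves to DROP logged at level info, which is exactly what the net2all:DROP lines record. The newnotsyn drops come from the connection-state check (TCP packets without SYN that match no tracked connection, the `state NEW tcp flags:!0x16/0x02` rule), which runs before the policy is consulted, so they are counted but not compared against the policy.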
troy@troyandtina.com
2003-Dec-01 14:24 UTC
[Shorewall-users] Problem with my simple local+ net shorewall configuration
Jim,

Are you using 1 NIC and sitting behind a Linksys/D-Link type of gateway connected to the DSL modem?

Quoting Jimi Frechette <djimix@free.fr>:

> Hi!
> I've just installed the new Mandrake 9.2 on my Linux box. I've also
> installed Shorewall in order to make my Linux box a firewall. But it doesn't
> seem to work.
> I've tried to apply the HOWTO config but still doesn't work. Can anybody
> help me out?
> Here is my network
>
> Windows                    Linux
> |192.168.0.2| <--------> eth0:192.168.0.1 eth1 : adsl dhcp <------> Internet
>
> My Windows has gateway configured at 192.168.0.1
>
> Quite simple network! I can ping everything from my Linux box but I can't
> ping my Linux from my Windows PC although my policy permits it!
> I now think it may be a kernel problem?
>
> Here are my config files:
>
> [...]
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Tom Eastep
2003-Dec-01 14:34 UTC
[Shorewall-users] Problem with my simple local+ net shorewall configuration
On Mon, 2003-12-01 at 13:51, Jimi Frechette wrote:

> Hi!
> I've just installed the new Mandrake 9.2 on my Linux box. I've also
> installed Shorewall in order to make my Linux box a firewall. But it doesn't
> seem to work.

The output you provided looks ok, so unless you can tell us exactly what doesn't work, I don't know how we can help you.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net