I've written a how-to for Shorewall on standalone web hosting servers, since I've been using it on my own cPanel servers for a while now without problem:

HOW-TO: Shoreline Firewall (Shorewall) 2.0.2f
http://unofficial-support.com/node/view/46

Any feedback would be kindly received :) (I am not a member of the mailing list by the way)

As a separate issue, does anyone use Shorewall in a VPS? I've just got a VPS from ServInt.com who use SWsoft's Virtuozzo - after installing, I got the following messages when starting Shorewall:

    root@vps01 [/usr/src]# shorewall start
    Loading /usr/share/shorewall/functions...
    Processing /etc/shorewall/params ...
    Processing /etc/shorewall/shorewall.conf...
    Starting Shorewall...
    Initializing...
    Shorewall has detected the following iptables/netfilter capabilities:
       NAT: Not available
       Packet Mangling: Not available
       Multi-port Match: Available
       Connection Tracking Match: Not available
    Determining Zones...
       Zones: net
    Validating interfaces file...
    Validating hosts file...
    Validating Policy file...
    Determining Hosts in Zones...
       Net Zone: venet0:0.0.0.0/0
    Processing /etc/shorewall/init ...
    Deleting user chains...
    iptables: No chain/target/match by that name
    Processing /etc/shorewall/stop ...
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    IP Forwarding Disabled!
    Processing /etc/shorewall/stopped ...
    Terminated

Any thoughts?

Thanks!

--
Andrew Allen
e:: mail@projectandrew.com // t:: +44 (0) 7958 540 596
w:: www.projectandrew.com \\ f:: +44 (0) 8704 601 527
yahoo! messenger: aa_projectandrew
skype: aa_projectandrew
Andrew Allen wrote:
> I've written a how-to for Shorewall on standalone web hosting servers, since
> I've been using it on my own cPanel servers for a while now without problem:
>
> HOW-TO: Shoreline Firewall (Shorewall) 2.0.2f
> http://unofficial-support.com/node/view/46

Thanks!

> As a separate issue, does anyone use Shorewall in a VPS? I've just got a VPS
> from ServInt.com who use SWsoft's Virtuozzo - after installing, I got the
> following messages when starting Shorewall:

<useless "shorewall start" output snipped>

> Any thoughts?

Any trace? (see http://shorewall.net/troubleshoot.htm, subject "shorewall start and shorewall restart errors").

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
>
> Any trace? (see http://shorewall.net/troubleshoot.htm, subject
> "shorewall start and shorewall restart errors").

You might just see what this command does:

    iptables -L -n

-Tom
Andrew Allen wrote:
> I've written a how-to for Shorewall on standalone web hosting servers, since
> I've been using it on my own cPanel servers for a while now without problem:
>
> HOW-TO: Shoreline Firewall (Shorewall) 2.0.2f
> http://unofficial-support.com/node/view/46
>

I've added a link to this site from the QuickStart Guide page.

-Tom
I've tried what you've suggested, and the trace file shows the errors, right at the end:

    + run_iptables -F
    + '[' -n '' ']'
    + iptables -F
    + run_iptables -X
    + '[' -n '' ']'
    + iptables -X
    + setcontinue FORWARD
    + run_iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    + '[' -n '' ']'
    + iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables: No chain/target/match by that name
    + '[' -z '' ']'
    + stop_firewall
    + rm -f /var/lib/shorewall/restore-17728
    + set +x
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name

After running shorewall start, iptables -L -n shows:

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            80.229.154.84
    ACCEPT     all  --  0.0.0.0/0            217.112.90.179

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

I've set /etc/shorewall/routestopped as:

    venet0    -

Thanks! (PS. not a member of the list)

--
Andrew Allen

> ----- Message from teastep@shorewall.net ---------
> Date: Sat, 19 Jun 2004 17:09:01 -0700
> From: Tom Eastep <teastep@shorewall.net>
> Reply-To: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-users] Shorewall HOW-TO & VPS Question
> To: Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>, mail@projectandrew.com
>
> Tom Eastep wrote:
> >
> > Any trace? (see http://shorewall.net/troubleshoot.htm, subject
> > "shorewall start and shorewall restart errors").
>
> You might just see what this command does:
>
> iptables -L -n
>
> -Tom
>
> ----- End message from teastep@shorewall.net -----
Andrew Allen wrote:
> I've tried what you've suggested, and the trace file shows the errors, right at
> the end:
>
> + run_iptables -F
> + '[' -n '' ']'
> + iptables -F
> + run_iptables -X
> + '[' -n '' ']'
> + iptables -X
> + setcontinue FORWARD
> + run_iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> + '[' -n '' ']'
> + iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables: No chain/target/match by that name
>

Looks like there is no state match support in the kernel -- Shorewall won't run without it.

-Tom
Tom Eastep wrote:
>> + iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables: No chain/target/match by that name
>>
>
> Looks like there is no state match support in the kernel -- Shorewall
> won't run without it.

It may be that module autoloading is disabled in the kernel -- try "modprobe ipt_state"; if that works, you can add:

    loadmodule ipt_state

to /etc/shorewall/modules (you will probably have to add more as you go along).

-Tom
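Added example, not from the thread and not Shorewall's own code: a small POSIX shell probe that reports the same four capability lines as the "shorewall start" output above, using the same idea Shorewall relies on (try to load a rule with the match into a scratch chain and see whether iptables accepts it). A kernel without state match fails with exactly the "No chain/target/match by that name" message seen in the trace. The IPTABLES variable and the function names are assumptions; against the real iptables it must run as root.

```shell
#!/bin/sh
# Probe the netfilter capabilities that "shorewall start" reports.
# IPTABLES is a hypothetical override so the probe can be aimed at a wrapper.
IPTABLES="${IPTABLES:-iptables}"

# probe_table TABLE: "Available" if the table (nat, mangle) can be listed.
probe_table() {
    if "$IPTABLES" -t "$1" -L -n >/dev/null 2>&1; then
        echo "Available"
    else
        echo "Not available"; return 1
    fi
}

# probe_match MATCH_ARGS...: "Available" if a rule using MATCH_ARGS loads
# into a scratch chain; the chain is removed again afterwards.
# A missing module fails as in the trace:
# "iptables: No chain/target/match by that name".
probe_match() {
    chain="swprobe$$"
    "$IPTABLES" -N "$chain" 2>/dev/null || { echo "Not available"; return 1; }
    if "$IPTABLES" -A "$chain" "$@" -j RETURN 2>/dev/null; then
        status="Available"; rc=0
    else
        status="Not available"; rc=1
    fi
    "$IPTABLES" -F "$chain" 2>/dev/null || true
    "$IPTABLES" -X "$chain" 2>/dev/null || true
    echo "$status"
    return $rc
}

# report_capabilities: the four lines in the order Shorewall prints them.
# If the last one is "Not available", try "modprobe ipt_state" as suggested
# above before concluding the kernel lacks connection tracking.
report_capabilities() {
    printf 'NAT: %s\n' "$(probe_table nat)"
    printf 'Packet Mangling: %s\n' "$(probe_table mangle)"
    printf 'Multi-port Match: %s\n' "$(probe_match -p tcp -m multiport --dports 22,80)"
    printf 'Connection Tracking Match: %s\n' "$(probe_match -m state --state ESTABLISHED,RELATED)"
}

# Usage (as root): report_capabilities
```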
I've tried your suggestion, but that does not work either. I did find the following post on SWsoft's forums:

"In Virtuozzo prior 2.6 (which is scheduled for general availability at the end of May) we do not compile in connection tracking modules and that's why you cannot use state module as well, it depends on connection tracking. However, you can achieve the same result by using --syn flag, i.e. by blocking incoming packets with SYN flag set and allowing them in otherwise. Moreover, i would suggest to use --syn method even in Virtuozzo 2.6, since keeping the state of all connections is kernel resource wastage and with SYN flag you do the same on by packet basis."

Does what's said hold true? Can shorewall support this rather than state matching, or is it not recommended?

Thanks!

Andrew Allen

Quoting Tom Eastep <teastep@shorewall.net>:
> Copy of post sent to the mailing list.
>
> Tom Eastep wrote:
>
>>> + iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> iptables: No chain/target/match by that name
>>>
>>
>> Looks like there is no state match support in the kernel --
>> Shorewall won't run without it.
>
> It may be that module autoloading is disabled in the kernel -- try
> "modprobe ipt_state"; if that works, you can add:
>
> loadmodule ipt_state
>
> to /etc/shorewall/modules (you will probably have to add more as you go
> along).
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Andrew Allen wrote:
>
> by packet basis."
>
> Does what's said hold true? Can shorewall support this rather than state
> matching, or is it not recommended?
>
>>> Looks like there is no state match support in the kernel -- Shorewall
>>> won't run without it.

Shorewall hasn't changed since my previous post -- Shorewall still won't run without state match (and never will). See http://shorewall.net/kernel.htm for Shorewall's kernel requirements.

-Tom
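Added example, not from the thread and not a Shorewall configuration (Shorewall, as stated above, needs state match): the --syn approach quoted from the SWsoft forum written out as plain iptables INPUT rules for a kernel without ip_conntrack/ipt_state, with comments on what such a stateless filter cannot do. The function name stateless_input and the IPTABLES override are assumptions.

```shell
#!/bin/sh
# Stateless inbound filter: drop new TCP connections (SYN set, ACK clear)
# unless they target a listed service, and let non-SYN TCP through, since
# replies to connections this host opened always carry ACK.
# IPTABLES is a hypothetical override so the rules can be sent to a wrapper.
IPTABLES="${IPTABLES:-iptables}"

# stateless_input IFACE PORT [PORT...]: rebuild the INPUT chain.
stateless_input() {
    iface="$1"; shift
    "$IPTABLES" -F INPUT
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    # Caveat: this admits ANY packet without SYN, so ACK/FIN probes reach
    # closed ports (answered with RST); conntrack would have dropped them.
    "$IPTABLES" -A INPUT -i "$iface" -p tcp ! --syn -j ACCEPT
    for port in "$@"; do
        "$IPTABLES" -A INPUT -i "$iface" -p tcp --syn --dport "$port" -j ACCEPT
    done
    # Caveat: without conntrack there is no ESTABLISHED/RELATED for UDP or
    # ICMP, so replies must be opened by port/type, and a source-port match
    # trusts anything sent from that port.
    "$IPTABLES" -A INPUT -i "$iface" -p udp --sport 53 -j ACCEPT
    "$IPTABLES" -A INPUT -i "$iface" -p icmp --icmp-type echo-reply -j ACCEPT
    "$IPTABLES" -A INPUT -i "$iface" -p icmp --icmp-type echo-request -j ACCEPT
    # Everything else falls through to the DROP policy.
}

# Usage (as root), for the venet0 interface in the thread: stateless_input venet0 22 80
```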