Hi !,

I have this problem. On a Mandrake 10.0 server with all the updates (Kernel
2.6.3-15mdk, iptables-1.2.9-7mdk and shorewall-2.0.3a-1mdk), one of our
internal users has to FTP some files to our external web server. I think we
have the correct configuration and rules in shorewall, and have read the
http://www.shorewall.net/FTP.html document. Still, our users can't FTP to
the Internet.

I'm not subscribed to the shorewall-users list (pending approval ??)
This is the information of our system:
shorewall version 2.0.3a (shorewall-2.0.3a-1mdk)
-----------------
ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
inet6 ff02::1/128 scope global
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:03:ce:89:2d:22 brd ff:ff:ff:ff:ff:ff
inet 200.71.42.100/24 brd 200.71.42.255 scope global eth0
inet6 fe80::203:ceff:fe89:2d22/64 scope link
valid_lft forever preferred_lft forever
inet6 ff02::1:ff89:2d22/128 scope global
valid_lft forever preferred_lft forever
inet6 ff02::1/128 scope global
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:c0:9f:23:a8:44 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.1/24 brd 192.168.100.255 scope global eth1
inet6 fe80::2c0:9fff:fe23:a844/64 scope link
valid_lft forever preferred_lft forever
inet6 ff02::1:ff23:a844/128 scope global
valid_lft forever preferred_lft forever
inet6 ff02::1/128 scope global
valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1255 qdisc pfifo_fast qlen 10
link/ppp
inet 192.168.99.1 peer 192.168.99.2/32 scope global tun0
----------------
ip route show
192.168.99.2 dev tun0 proto kernel scope link src 192.168.99.1
192.168.100.0/24 dev eth1 scope link
192.168.101.0/24 via 192.168.99.1 dev tun0 scope link
200.71.42.0/24 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 200.71.42.100 dev eth0
----------------
Our policy file:
fw loc ACCEPT
loc fw DROP info
#fw net DROP info
fw net ACCEPT
loc net DROP info
loc vpn ACCEPT
vpn loc ACCEPT
fw vpn ACCEPT
vpn fw ACCEPT
net all DROP info
all all REJECT info
-----------------
Our rules file:
ACCEPT loc fw tcp 22
ACCEPT loc fw udp 22
ACCEPT loc fw tcp 21
ACCEPT loc fw udp 21
ACCEPT loc fw tcp 80
ACCEPT loc fw tcp 3128
ACCEPT loc fw tcp 25
ACCEPT loc fw udp 25
ACCEPT loc fw tcp 110
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 10000
ACCEPT loc fw udp 10000
#LOCAL A INTERNET
ACCEPT loc net tcp 21
ACCEPT loc net udp 21
#ACCEPT loc net tcp 110
#
#INTERNET AL FIREWALL
ACCEPT net fw tcp 10000
ACCEPT net fw udp 10000
ACCEPT net fw tcp 22
ACCEPT net fw udp 22
ACCEPT net fw tcp 80
ACCEPT net fw tcp 21
ACCEPT net fw udp 21
ACCEPT net fw tcp 110
ACCEPT net fw udp 110
ACCEPT net fw tcp 5800
ACCEPT net fw tcp 5900
DNAT net loc:192.168.100.9 tcp 5800
DNAT net loc:192.168.100.9 tcp 5900
DNAT net loc:192.168.100.9 udp 5800
DNAT net loc:192.168.100.9 udp 5900
ACCEPT fw loc tcp 21
ACCEPT fw loc udp 21
ACCEPT fw loc tcp 53
ACCEPT fw loc udp 53
#
#FIREWALL A INTERNET
ACCEPT fw net tcp 80 -
ACCEPT fw net tcp 81
ACCEPT fw net tcp 21
ACCEPT fw net udp 21
ACCEPT fw net tcp 25
ACCEPT fw net udp 25
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT fw net tcp 110
ACCEPT fw net tcp 123
ACCEPT fw net udp 123
ACCEPT fw net tcp 443
ACCEPT fw net udp 443
ACCEPT loc net tcp 8080 -
ACCEPT fw net tcp 500
ACCEPT fw net udp 500
Has anyone had this kind of problem ???; why isn't it working if it has all
the modules and rules ??

Thank you !
-----------------------------------------------
SBG
expanbog wrote:
> Hi !,
>
> I have this problem. On a Mandrake 10.0 server with all the updates (Kernel
> 2.6.3-15mdk, iptables-1.2.9-7mdk and shorewall-2.0.3a-1mdk), one of our
> internal users have to FTP some files to our external web server. I think we
> have the correct configuration and rules in shorewall, and have read the
> http://www.shorewall.net/FTP.html document. Still, our users can't FTP to
> the Internet.
>
> I'm not subscribed to the shorewall-users list (pending approval ??)

Please post the output of "lsmod"

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
expanbog wrote:
> Hi !,
>
> I have this problem. On a Mandrake 10.0 server with all the updates (Kernel
> 2.6.3-15mdk, iptables-1.2.9-7mdk and shorewall-2.0.3a-1mdk), one of our
> internal users have to FTP some files to our external web server. I think we
> have the correct configuration and rules in shorewall, and have read the
> http://www.shorewall.net/FTP.html document. Still, our users can't FTP to
> the Internet.

I don't see how your users could access *anything* on the internet unless
they use a proxy. From the status you showed us, your /etc/shorewall/masq
entry must look something like:

eth1 200.71.42.0/24

But eth1 is your *internal* interface and 200.71.42.0/24 is your *external*
network.

From this connection tracking entry:

tcp 6 21 SYN_SENT src=192.168.100.9 dst=216.241.15.67 sport=3551 dport=21 [UNREPLIED] src=216.241.15.67 dst=192.168.100.9 sport=21 dport=3551 use=1 mark=0

it is clear that the initial TCP port 21 connection isn't even being made;
that's because you have your masquerading set up backwards and
216.241.15.67 has no clue how to route correctly to 192.168.100.9.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
> I don't see how your users could access *anything* on the internet
> unless they use a proxy. From the status you showed us, your
> /etc/shorewall/masq entry must look something like:
>
> eth1 200.71.42.0/24

It is also possible that your /etc/shorewall/masq entry is:

eth1 eth0

and Shorewall is issuing a warning at "shorewall [re]start" that Shorewall
is ignoring the default route when setting up masquerading:

Warning: default route ignored on interface eth1

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Hi All,

Evidently, I had a bad configuration. We upgraded the servers from Mandrake
9.0 to Mandrake 10.0, and the order of the eth interfaces changed (eth0 was
eth1 in the new configuration), and I forgot to change the
/etc/shorewall/masq file. When I changed the masq file, all was back to
normal.

Thank you for your help !!!

SBG

> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Tuesday, 3 August 2004 02:30 p.m.
> To: expanbog@myrealbox.com; Mailing List for Shorewall Users
> Subject: Re: [Shorewall-users] Mandrake 10 - Shorewall 2.0.3a problem
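A check for the two symptoms this thread turns on, added here as an example and not part of the original posts or of Shorewall itself: it compares the INTERFACE column of a masq file against the interface that carries the default route (the reversed-interface mistake SBG confirms), and scans conntrack output for UNREPLIED entries whose reply side still points at a private address, which is what Tom read off the quoted entry. The masq lines, route table and conntrack entry are constructed from the values quoted in the thread; the function names are my own.

```shell
#!/bin/sh
# Constructed sample data, not copied from a live box: the reversed masq
# entry Tom suspects, the corrected one, the "ip route show" lines from
# the post, and the conntrack entry Tom quoted.
MASQ_BAD='eth1 192.168.100.0/24'
MASQ_GOOD='eth0 192.168.100.0/24'
ROUTES='192.168.100.0/24 dev eth1 scope link
200.71.42.0/24 dev eth0 scope link
default via 200.71.42.100 dev eth0'
CONNTRACK='tcp 6 21 SYN_SENT src=192.168.100.9 dst=216.241.15.67 sport=3551 dport=21 [UNREPLIED] src=216.241.15.67 dst=192.168.100.9 sport=21 dport=3551 use=1 mark=0'

# default_iface ROUTES: print the interface that carries the default route.
default_iface() {
    printf '%s\n' "$1" |
        awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# check_masq MASQ ROUTES: succeed only if every non-comment masq line names
# the default-route interface in its INTERFACE (first) column.
check_masq() {
    def=$(default_iface "$2")
    printf '%s\n' "$1" | awk -v def="$def" '
        /^#/ || NF == 0 { next }
        $1 != def { printf "WARNING: masq on %s but default route leaves via %s\n", $1, def; bad = 1 }
        END { exit bad + 0 }'
}

# unmasq_flows CONNTRACK: print the reply-side dst of every UNREPLIED entry
# whose reply still targets an RFC 1918 address, i.e. a flow that left the
# box without SNAT and so can never be answered from the Internet.
unmasq_flows() {
    printf '%s\n' "$1" | awk '
        /\[UNREPLIED\]/ {
            n = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dst=/ && ++n == 2) rdst = substr($i, 5)
            if (rdst ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) print rdst
        }'
}

# On a real firewall: check_masq "$(cat /etc/shorewall/masq)" "$(ip route show)"
check_masq "$MASQ_BAD" "$ROUTES" || echo "fix: put the external interface (eth0) in column 1"
check_masq "$MASQ_GOOD" "$ROUTES" && echo "masq entry consistent with routing"
unmasq_flows "$CONNTRACK"
```

The conntrack scan works on the 2.4/2.6 /proc/net/ip_conntrack line format shown in the thread; a masqueraded flow would carry the firewall's external address (200.71.42.100) in the second dst= field instead.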