rioguia@speakeasy.net
2004-Sep-14 09:09 UTC
start error "invalid interface" on shorewall 2.08
I have a dsl modem and two static IP addresses: 66.17.65.22
and 66.17.65.161. I am using the standard configuration from
the Shorewall Setup Guide for multiple IP addresses and
modifications suggested by the Aliased Interfaces Guide.
I want to set up a shorewall 2.08 router for my home (Fedora
Core 2 / kernel 2.6.8-1.521). I want to share an internet connection with some
pc's on a local protected network and host two servers in a DMZ
providing http / imap / snmp / dns services. The router's eth0 will be
assigned the public address of 66.17.65.22 and an alias eth0:0 with address of
66.17.65.161.
Conceptually SERVER #1 will have a local address:
192.168.202.7 and receive DNAT for public address 66.17.65.22
and SERVER #2 will have local address: 192.168.202.8 and
receive DNAT for public address 66.17.65.161. The local pc's
on the local interface will receive SNAT sharing the public
address 66.17.65.161 (I didn't use proxy-arp because I only have
two addresses). I used the RedHat network gui tool (NEAT)
to assign an alias to the eth0 for the shorewall router.
Mandatory Information as Per the Reporting Guidelines:
The complete, exact output of ip addr show is:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
5: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0e:2e:0f:89:8c brd ff:ff:ff:ff:ff:ff
inet 69.17.65.22/24 brd 69.17.65.255 scope global eth0
inet 69.17.65.161/24 brd 69.17.65.255 scope global secondary eth0:1
inet6 fe80::20e:2eff:fe0f:898c/64 scope link
valid_lft forever preferred_lft forever
6: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:30:bd:2e:85:55 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.100/24 brd 192.168.0.255 scope global eth1
inet6 fe80::230:bdff:fe2e:8555/64 scope link
valid_lft forever preferred_lft forever
7: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:c0:4f:8b:03:24 brd ff:ff:ff:ff:ff:ff
inet 192.168.202.1/24 brd 192.168.202.255 scope global eth2
inet6 fe80::2c0:4fff:fe8b:324/64 scope link
valid_lft forever preferred_lft forever
8: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
The complete, exact output of ip route show is:
69.17.65.0/24 dev eth0 proto kernel scope link src 69.17.65.22
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.100
192.168.202.0/24 dev eth2 proto kernel scope link src 192.168.202.1
169.254.0.0/16 dev eth2 scope link
default via 69.17.65.1 dev eth0
Shorewall isn't starting. The exact error message is:
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Determining Zones...
Zones: net loc dmz
Validating interfaces file...
Warning: Invalid option (rfc1918) in record "net eth0 detect
rfc1918,routefilter"
Error: Invalid Interface Name: eth0:1
Terminated
The status.txt file is attached.
The output of /sbin/shorewall show log is:
Shorewall-2.0.8 Log at ns2.substantis.com -
The error message from the trace file (attached) is:
+ validate_zone net
+ list_search net net loc dmz fw
+ local e=net
+ '[' 5 -gt 1 ']'
+ shift
+ '[' xnet = xnet ']'
+ return 0
+ list_search eth0:1 eth0
+ local e=eth0:1
+ '[' 2 -gt 1 ']'
+ shift
+ '[' xeth0:1 = xeth0 ']'
+ '[' 1 -gt 1 ']'
+ return 1
+ wildcard+ startup_error 'Invalid Interface Name: eth0:1'
+ echo ' Error: Invalid Interface Name: eth0:1'
Error: Invalid Interface Name: eth0:1
+ my_mutex_off
+ '[' -n Yes ']'
+ mutex_off
+ rm -f /var/lib/shorewall/lock
+ have_mutex+ '[' -n /tmp/shorewall.pS4135 ']'
+ rm -rf /tmp/shorewall.pS4135
+ '[' -n /var/lib/shorewall/shorewall.mX4232 ']'
+ rm -f /var/lib/shorewall/shorewall.mX4232
+ kill 4125
I modified the shorewall files as follows:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect rfc1918,routefilter
net eth0:0 detect rfc1918,routefilter
loc eth1 detect
dmz eth2 detect
# We have to remember to:
# change the Broadcast "detect" settings to 69.17.65.255,
# 69.17.65.255, 192.168.0.255, and 192.168.202.7 respectively
# "detect" to avoid bringing up interfaces without protection.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
/etc/shorewall/masq - Local Subnet
#INTERFACE SUBNET ADDRESS
eth0 192.168.0.0/29 66.17.65.161
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
/etc/shorewall/nat SERVER PROVIDING HTTP / IMAP/ SMTP / DNS
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
66.17.65.22 eth0 192.168.202.7 No No
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
/etc/policies
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc net ACCEPT
net all DROP info
dmz net ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST ORIGINAL
# PORT DEST
DNAT net dmz:192.168.202.7 tcp smtp 66.17.65.22
#Mail FROM
#Internet
DNAT net dmz:192.168.202.7 tcp IMAP 66.17.65.22
#IMAP FROM
#Internet
ACCEPT loc dmz:192.168.202.7 tcp smtp 66.17.65.22
#Mail FROM local
#Network
ACCEPT loc dmz:192.168.202.7 tcp IMAP 66.17.65.22
#IMAP FROM local
#Network
DNAT fw dmz:192.168.202.7 tcp smtp 66.17.65.22
#Mail FROM the
#Firewall
DNAT dmz:192.168.202.7 net tcp smtp
#Mail to the
#Firewall
DNAT net dmz:192.168.202.7 tcp http 66.17.65.22
#WWW FROM
#Internet
DNAT net dmz:192.168.202.7 tcp https 66.17.65.22
#Secure WWW
#FROM Internet
ACCEPT loc dmz:192.168.202.7 tcp https 66.17.65.22
#Secure WWW
#FROM local
#Network
DNAT net dmz:192.168.202.7 udp domain 66.17.65.22
#UDP DNS FROM
#Internet
DNAT net dmz:192.168.202.7 tcp domain 66.17.65.22
#TCP DNS FROM
#Internet
DNAT loc dmz:192.168.202.7 udp domain 66.17.65.22
#UDP DNS FROM
#Local Network
DNAT loc dmz:192.168.202.7 tcp domain 66.17.65.22
#TCP DNS FROM
#Local Network
DNAT fw dmz:192.168.202.7 udp domain 66.17.65.22
#UDP DNS FROM
#the Firewall
DNAT fw dmz:192.168.202.7 tcp domain 66.17.65.22
#TCP DNS FROM
#the Firewall
DNAT dmz:192.168.202.7 net udp domain
#UDP DNS to
#the Internet
DNAT dmz:192.168.202.7 net tcp domain
#TCP DNS to
#the Internet
ACCEPT loc dmz tcp ssh
#SSH to the DMZ
ACCEPT net fw tcp ssh
#SSH to the
#Firewall
#SERVER #2
DNAT net dmz:192.168.202.8 tcp smtp 66.17.65.161
#Mail FROM
#Internet
DNAT net dmz:192.168.202.8 tcp IMAP 66.17.65.161
#IMAP FROM
#Internet
ACCEPT loc dmz:192.168.202.8 tcp smtp 66.17.65.161
#Mail FROM local
#Network
ACCEPT loc dmz:192.168.202.8 tcp IMAP 66.17.65.161
#IMAP FROM local
#Network
DNAT fw dmz:192.168.202.8 tcp smtp 66.17.65.161
#Mail FROM the
#Firewall
DNAT dmz:192.168.202.8 net tcp smtp 66.17.65.161
#Mail to the
#Firewall
DNAT net dmz:192.168.202.8 tcp http 66.17.65.161
#WWW FROM
#Internet
DNAT net dmz:192.168.202.8 tcp https 66.17.65.161
#Secure WWW
#FROM Internet
ACCEPT loc dmz:192.168.202.8 tcp https 66.17.65.161
#Secure WWW
#FROM local
#Network
DNAT net dmz:192.168.202.8 udp domain 66.17.65.161
#UDP DNS FROM
#Internet
DNAT net dmz:192.168.202.8 tcp domain 66.17.65.161
#TCP DNS FROM
#Internet
ACCEPT loc dmz:192.168.202.8 udp domain 66.17.65.161
#UDP DNS FROM
#Local Network
ACCEPT loc dmz:192.168.202.8 tcp domain 66.17.65.161
#TCP DNS FROM
#Local Network
DNAT fw dmz:192.168.202.8 udp domain 66.17.65.161
#UDP DNS FROM
#the Firewall
DNAT fw dmz:192.168.202.8 tcp domain 66.17.65.161
#TCP DNS FROM
#Network
ACCEPT loc dmz:192.168.202.8 tcp IMAP 66.17.65.161
#IMAP FROM local
#Network
DNAT fw dmz:192.168.202.8 tcp smtp 66.17.65.161
#Mail FROM the
#Firewall
DNAT dmz:192.168.202.8 net tcp smtp 66.17.65.161
#Mail to the
#Firewall
DNAT net dmz:192.168.202.8 tcp http 66.17.65.161
#WWW FROM
#Internet
DNAT net dmz:192.168.202.8 tcp https 66.17.65.161
#Secure WWW
#FROM Internet
ACCEPT loc dmz:192.168.202.8 tcp https 66.17.65.161
#Secure WWW
#FROM local
#Network
DNAT net dmz:192.168.202.8 udp domain 66.17.65.161
#UDP DNS FROM
#Internet
DNAT net dmz:192.168.202.8 tcp domain 66.17.65.161
#TCP DNS FROM
#Internet
ACCEPT loc dmz:192.168.202.8 udp domain 66.17.65.161
#UDP DNS FROM
#Local Network
ACCEPT loc dmz:192.168.202.8 tcp domain 66.17.65.161
#TCP DNS FROM
#Local Network
DNAT fw dmz:192.168.202.8 udp domain 66.17.65.161
#UDP DNS FROM
#the Firewall
DNAT fw dmz:192.168.202.8 tcp domain 66.17.65.161
#TCP DNS FROM
#the Firewall
DNAT dmz:192.168.202.8 net udp domain
#UDP DNS to
#the Internet
DNAT dmz:192.168.202.8 net tcp domain
#TCP DNS to
#the Internet
Quoting rioguia@speakeasy.net:
> I modified the shorewall files as follows:
> # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
> /etc/shorewall/interfaces
>
> #ZONE INTERFACE BROADCAST OPTIONS
> net eth0 detect rfc1918,routefilter
> net eth0:0 detect rfc1918,routefilter
> loc eth1 detect
> dmz eth2 detect

From the interfaces file:

# INTERFACE Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18

And I think you want the 'norfc1918' option rather than rfc1918.
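The two problems the reply points out (an alias name in the INTERFACE column and the misspelled rfc1918 option) are the kind of thing a pre-flight lint can catch before `shorewall start` aborts. The checker below is an added example, not part of the thread or of Shorewall itself; its list of accepted option keywords is a constructed subset of Shorewall 2.0's options, and the sample file mirrors the poster's interfaces file.

```python
# Lint a Shorewall 2.x interfaces file for the mistakes seen in this thread.
# KNOWN_OPTIONS is an assumed subset of the 2.0 option keywords; "rfc1918"
# is intentionally absent because the valid spelling is "norfc1918".
KNOWN_OPTIONS = {
    "norfc1918", "routefilter", "dhcp", "routeback", "tcpflags",
    "blacklist", "maclist", "proxyarp", "nosmurfs", "detectnets",
    "logmartians", "arp_filter", "-",
}
SUGGESTIONS = {"rfc1918": "norfc1918"}


def check_interfaces(text):
    """Return a list of (line_no, message) findings for an interfaces file."""
    findings = []
    seen = set()  # base device names already listed
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            findings.append((n, "record needs at least ZONE and INTERFACE"))
            continue
        iface = fields[1]
        base = iface.split(":", 1)[0]
        if ":" in iface:
            findings.append((n, f"{iface} is an alias name; only base device "
                                f"names such as {base} are allowed"))
        if base in seen:
            findings.append((n, f"{base} may be listed only once"))
        seen.add(base)
        if len(fields) >= 4:  # fourth column is the OPTIONS list
            for opt in fields[3].split(","):
                if opt not in KNOWN_OPTIONS:
                    hint = SUGGESTIONS.get(opt)
                    msg = f"invalid option {opt}"
                    if hint:
                        msg += f" (did you mean {hint}?)"
                    findings.append((n, msg))
    return findings


# Constructed sample mirroring the poster's /etc/shorewall/interfaces
SAMPLE = """\
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect rfc1918,routefilter
net eth0:0 detect rfc1918,routefilter
loc eth1 detect
dmz eth2 detect
"""

if __name__ == "__main__":
    for n, msg in check_interfaces(SAMPLE):
        print(f"line {n}: {msg}")
```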