thr3ads.net - Shorewall users - Shorewall problem, perhaps with PPPoE [Jan 2005]

If this information is useful, please help other people find it:
Share via:

Timothy Murphy

2005-Jan-08 04:31 UTC

Shorewall problem, perhaps with PPPoE

I have what strikes me as an odd problem with shorewall.

Let me describe my setup.
My desktop (alfred) is connected to the network
through an ADSL modem.
I am running rp-pppoe, and this works perfectly.

I have a small home network, with two LANs;
an Ethernet LAN (including a machine running Windows XP),
and a WiFi LAN, including the laptop (william) I am using now.

All the computers except for the Windows machine
are running linux-2.6.10 under Fedora-3.

When running shorewall, I am able to connect to the internet
(for mail, news and browsing) from all computers _except_ the desktop.
When I am on the desktop, all connection to the internet is refused.

There is one other failure;
I am running httpd on my desktop,
and I cannot access this from the other computers.

As soon as I stop shorewall (with "service shorewall stop" as
superuser)
all these problems disappear.

Now for the information which it was suggested should accompany any query
-----------------------------------------------
[root@alfred tim]# shorewall version
1.4.8
[root@alfred tim]# ip addr show
1: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:18:98:f7:2b brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/8 brd 10.255.255.255 scope global eth0
2: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:f4:6e:07:a1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:2d:4a:52:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global eth2
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 83.70.163.56 peer 159.134.155.26/32 scope global ppp0
[root@alfred tim]# ip route show
159.134.155.26 dev ppp0  proto kernel  scope link  src 83.70.163.56
192.168.3.0/24 dev eth2  proto kernel  scope link  src 192.168.3.1
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1
169.254.0.0/16 dev eth2  scope link
10.0.0.0/8 dev eth0  proto kernel  scope link  src 10.0.0.1
default via 83.70.163.56 dev ppp0  scope link
default via 159.134.155.26 dev ppp0
[root@alfred tim]# /sbin/shorewall reset
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Shorewall Counters Reset
[root@alfred tim]# uucico -S tcdmath
[root@alfred tim]# /sbin/shorewall status > /tmp/status.txt

I am using two-interfaces.tgz with slight modifications for rp-pppoe.
-----------------------------------------------

Finally, here is /tmp/status.txt after trying to collect my UUCP mail
with uucico (above).
I''ve used this, even though it is rather an unusual application,
because it may be easier to determine what goes wrong.
(The uucp command is effectively equivalent to "telnet salmon uucp",
which works from my laptop 
======================[tim@william ~]$ telnet salmon uucp
Trying 134.226.81.11...
Connected to salmon.
Escape character is ''^]''.
login: ^]
telnet> quit
Connection closed.
======================but not from the desktop, where I get
======================[tim@alfred ~]$ telnet salmon uucp
Trying 134.226.81.11...
telnet: connect to address 134.226.81.11: Connection refused
======================I get the same result if I try "ssh salmon".)

----------- /tmp/status.txt ----------------
[H[2JShorewall-1.4.8 Status at alfred.murphy.ie - Sat Jan  8 03:05:57 GMT 
2005

Counters reset Sat Jan  8 03:04:58 GMT 2005

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               
destination         
   29  3189 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0
state INVALID 
   27  1831 ppp0_in    all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    1   236 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
  137 10528 eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               
destination         
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0
state INVALID 
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
   26  1688 ppp0_fwd   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    4   170 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
   24  1592 eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               
destination         
   29  3189 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0
state INVALID 
   29  1896 fw2net     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    2   356 fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
   75  8198 fw2loc     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
    2   340 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2   340 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'' 
    2   340 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (3 references)
 pkts bytes target     prot opt in     out     source               
destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
state NEW tcp flags:!0x16/0x02 
   10  1774 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    5   836 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'' 
    5   836 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               
destination         
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
udp dpt:135 
    1   236 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
udp dpts:137:139 
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
udp dpt:445 
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp dpt:139 
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp dpt:445 
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp dpt:135 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0
udp dpt:1900 
    0     0 DROP       all  --  *      *       0.0.0.0/0            
255.255.255.255     
    0     0 DROP       all  --  *      *       0.0.0.0/0            
224.0.0.0/4         
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp dpt:113 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0
udp spt:53 state NEW 
    2   356 DROP       all  --  *      *       0.0.0.0/0            
192.168.1.255       
    2   346 DROP       all  --  *      *       0.0.0.0/0            
192.168.3.255       

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               
destination         

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               
destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
state NEW 
    4   170 loc2net    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               
destination         
    1   236 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
state NEW 
    1   236 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth2_fwd (1 references)
 pkts bytes target     prot opt in     out     source               
destination         
    2   126 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
state NEW 
   24  1592 loc2net    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth2_in (1 references)
 pkts bytes target     prot opt in     out     source               
destination         
    2   388 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
state NEW 
  137 10528 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2loc (2 references)
 pkts bytes target     prot opt in     out     source               
destination         
   72  7524 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
icmp type 8 
    5  1030 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               
destination         
   26  1714 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
state NEW tcp dpt:53 
    1    62 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
state NEW udp dpt:53 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
icmp type 8 
    2   120 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               
destination         

Chain loc2fw (2 references)
 pkts bytes target     prot opt in     out     source               
destination         
  135 10140 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
state NEW tcp dpt:22 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
icmp type 8 
    3   624 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (2 references)
 pkts bytes target     prot opt in     out     source               
destination         
   26  1636 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
state NEW tcp flags:!0x16/0x02 
    2   126 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (3 references)
 pkts bytes target     prot opt in     out     source               
destination         
   26  1688 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
state NEW tcp flags:!0x16/0x02 
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               
destination         
   27  1831 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
icmp type 8 
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain newnotsyn (7 references)
 pkts bytes target     prot opt in     out     source               
destination         
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0
tcp flags:0x10/0x10 
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0
tcp flags:0x04/0x04 
    0     0 ACCEPT     tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0
tcp flags:0x01/0x01 
    0     0 RETURN     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:newnotsyn:DROP:'' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ppp0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               
destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
state NEW 
    2    96 net2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
   24  1592 net2all    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain ppp0_in (1 references)
 pkts bytes target     prot opt in     out     source               
destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
state NEW 
   27  1831 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (11 references)
 pkts bytes target     prot opt in     out     source               
destination         
    3   180 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
reject-with tcp-reset 
    5  1232 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
reject-with icmp-port-unreachable 
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
reject-with icmp-host-unreachable 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
reject-with icmp-host-prohibited 

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               
destination         

Jan  8 03:02:45 OUTPUT:REJECT:IN= OUT=eth0 SRC=10.0.0.1 DST=10.255.255.255 
LEN=170 TOS=0x00 PREC=0x00 TTL=64 ID=21592 DF PROTO=UDP SPT=631 DPT=631 
LEN=150 
Jan  8 03:03:16 OUTPUT:REJECT:IN= OUT=eth0 SRC=10.0.0.1 DST=10.255.255.255 
LEN=170 TOS=0x00 PREC=0x00 TTL=64 ID=21595 DF PROTO=UDP SPT=631 DPT=631 
LEN=150 
Jan  8 03:03:48 OUTPUT:REJECT:IN= OUT=eth0 SRC=10.0.0.1 DST=10.255.255.255 
LEN=170 TOS=0x00 PREC=0x00 TTL=64 ID=21598 DF PROTO=UDP SPT=631 DPT=631 
LEN=150 
Jan  8 03:03:54 all2all:REJECT:IN=eth2 OUT= SRC=192.168.3.5 DST=192.168.3.1 
LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308 
Jan  8 03:03:54 all2all:REJECT:IN= OUT=eth2 SRC=192.168.3.1 DST=192.168.3.5 
LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=89 DF PROTO=UDP SPT=67 DPT=68 LEN=308 
Jan  8 03:03:57 all2all:REJECT:IN=eth2 OUT= SRC=192.168.3.5 DST=192.168.3.1 
LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=68 DPT=67 LEN=308 
Jan  8 03:03:57 all2all:REJECT:IN= OUT=eth2 SRC=192.168.3.1 DST=192.168.3.5 
LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=90 DF PROTO=UDP SPT=67 DPT=68 LEN=308 
Jan  8 03:04:04 all2all:REJECT:IN=eth2 OUT= SRC=192.168.3.5 DST=192.168.3.1 
LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=68 DPT=67 LEN=308 
Jan  8 03:04:04 all2all:REJECT:IN= OUT=eth2 SRC=192.168.3.1 DST=192.168.3.5 
LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=91 DF PROTO=UDP SPT=67 DPT=68 LEN=308 
Jan  8 03:04:18 OUTPUT:REJECT:IN= OUT=eth0 SRC=10.0.0.1 DST=10.255.255.255 
LEN=170 TOS=0x00 PREC=0x00 TTL=64 ID=21601 DF PROTO=UDP SPT=631 DPT=631 
LEN=150 
Jan  8 03:04:20 all2all:REJECT:IN=eth2 OUT= SRC=192.168.3.5 DST=192.168.3.1 
LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=68 DPT=67 LEN=308 
Jan  8 03:04:20 all2all:REJECT:IN= OUT=eth2 SRC=192.168.3.1 DST=192.168.3.5 
LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=92 DF PROTO=UDP SPT=67 DPT=68 LEN=308 
Jan  8 03:04:49 OUTPUT:REJECT:IN= OUT=eth0 SRC=10.0.0.1 DST=10.255.255.255 
LEN=170 TOS=0x00 PREC=0x00 TTL=64 ID=21604 DF PROTO=UDP SPT=631 DPT=631 
LEN=150 
Jan  8 03:05:00 all2all:REJECT:IN=eth2 OUT= SRC=192.168.3.5 DST=192.168.1.1 
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41635 DF PROTO=TCP SPT=32938 DPT=143 
WINDOW=5840 RES=0x00 SYN URGP=0 
Jan  8 03:05:11 all2all:REJECT:IN=eth2 OUT= SRC=192.168.3.5 DST=192.168.3.1 
LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=68 DPT=67 LEN=308 
Jan  8 03:05:11 all2all:REJECT:IN= OUT=eth2 SRC=192.168.3.1 DST=192.168.3.5 
LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=93 DF PROTO=UDP SPT=67 DPT=68 LEN=308 
Jan  8 03:05:12 all2all:REJECT:IN= OUT=ppp0 SRC=83.70.163.56 DST=134.226.81.11 
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51512 DF PROTO=TCP SPT=4758 DPT=540 
WINDOW=5808 RES=0x00 SYN URGP=0 
Jan  8 03:05:12 all2all:REJECT:IN= OUT=ppp0 SRC=83.70.163.56 DST=134.226.81.11 
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8427 DF PROTO=TCP SPT=4759 DPT=540 
WINDOW=5808 RES=0x00 SYN URGP=0 
Jan  8 03:05:20 OUTPUT:REJECT:IN= OUT=eth0 SRC=10.0.0.1 DST=10.255.255.255 
LEN=170 TOS=0x00 PREC=0x00 TTL=64 ID=21607 DF PROTO=UDP SPT=631 DPT=631 
LEN=150 
Jan  8 03:05:51 OUTPUT:REJECT:IN= OUT=eth0 SRC=10.0.0.1 DST=10.255.255.255 
LEN=170 TOS=0x00 PREC=0x00 TTL=64 ID=21610 DF PROTO=UDP SPT=631 DPT=631 
LEN=150 

NAT Table

Chain PREROUTING (policy ACCEPT 5 packets, 750 bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Chain POSTROUTING (policy ACCEPT 6 packets, 294 bytes)
 pkts bytes target     prot opt in     out     source               
destination         
    3   188 ppp0_masq  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 12 packets, 1664 bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Chain ppp0_masq (1 references)
 pkts bytes target     prot opt in     out     source               
destination         
    0     0 MASQUERADE  all  --  *      *       192.168.1.0/24       0.0.0.0/0
    2   126 MASQUERADE  all  --  *      *       192.168.3.0/24       0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       169.254.0.0/16       0.0.0.0/0

Mangle Table

Chain PREROUTING (policy ACCEPT 248 packets, 19234 bytes)
 pkts bytes target     prot opt in     out     source               
destination         
  248 19234 pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 194 packets, 15784 bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Chain FORWARD (policy ACCEPT 54 packets, 3450 bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Chain OUTPUT (policy ACCEPT 137 packets, 13979 bytes)
 pkts bytes target     prot opt in     out     source               
destination         
  137 13979 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 182 packets, 15939 bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               
destination         
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp dpt:22 TOS set 0x10 
   70  7128 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp spt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp dpt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp spt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp spt:20 TOS set 0x08 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp dpt:20 TOS set 0x08 

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               
destination         
  135 10140 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp dpt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp spt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp dpt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp spt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp spt:20 TOS set 0x08 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
tcp dpt:20 TOS set 0x08 

udp      17 173 src=83.70.163.56 dst=159.134.237.6 sport=3197 dport=53 
src=159.134.237.6 dst=83.70.163.56 sport=53 dport=3197 [ASSURED] use=1
tcp      6 212001 ESTABLISHED src=192.168.3.5 dst=217.173.101.246 sport=33131 
dport=80 src=217.173.101.246 dst=83.70.163.56 sport=80 dport=33131 [ASSURED] 
use=1
tcp      6 311449 ESTABLISHED src=83.70.163.56 dst=213.200.95.126 sport=2888 
dport=80 src=213.200.95.126 dst=83.70.163.56 sport=80 dport=2888 [ASSURED] 
use=1
tcp      6 176287 ESTABLISHED src=192.168.1.7 dst=64.4.23.188 sport=1140 
dport=443 src=64.4.23.188 dst=83.70.163.56 sport=443 dport=1140 [ASSURED] 
use=1
tcp      6 245863 ESTABLISHED src=192.168.1.7 dst=207.46.253.92 sport=1321 
dport=443 src=207.46.253.92 dst=83.70.163.56 sport=443 dport=1321 [ASSURED] 
use=1
tcp      6 430456 ESTABLISHED src=192.168.3.5 dst=69.59.167.109 sport=32896 
dport=80 src=69.59.167.109 dst=83.70.163.56 sport=80 dport=32896 [ASSURED] 
use=1
tcp      6 311449 ESTABLISHED src=83.70.163.56 dst=213.200.95.126 sport=2889 
dport=80 src=213.200.95.126 dst=83.70.163.56 sport=80 dport=2889 [ASSURED] 
use=1
tcp      6 391076 ESTABLISHED src=192.168.1.7 dst=207.46.157.93 sport=1324 
dport=443 src=207.46.157.93 dst=83.70.163.56 sport=443 dport=1324 [ASSURED] 
use=1
udp      17 129 src=192.168.3.5 dst=159.134.237.6 sport=32813 dport=53 
src=159.134.237.6 dst=83.70.163.56 sport=53 dport=32813 [ASSURED] use=1
tcp      6 306325 ESTABLISHED src=83.70.241.204 dst=83.70.163.56 sport=3072 
dport=445 [UNREPLIED] src=83.70.163.56 dst=83.70.241.204 sport=445 dport=3072 
use=1
tcp      6 390710 ESTABLISHED src=192.168.1.7 dst=159.134.196.104 sport=1322 
dport=80 src=159.134.196.104 dst=83.70.163.56 sport=80 dport=1322 [ASSURED] 
use=1
tcp      6 314078 ESTABLISHED src=192.168.1.7 dst=207.46.157.60 sport=1152 
dport=443 src=207.46.157.60 dst=83.70.163.56 sport=443 dport=1152 [ASSURED] 
use=1
tcp      6 219687 ESTABLISHED src=83.70.124.36 dst=83.70.163.56 sport=4136 
dport=445 src=83.70.163.56 dst=83.70.124.36 sport=445 dport=4136 [ASSURED] 
use=1
tcp      6 84718 ESTABLISHED src=192.168.3.5 dst=66.129.67.103 sport=33748 
dport=80 src=66.129.67.103 dst=83.70.163.56 sport=80 dport=33748 [ASSURED] 
use=1
udp      17 133 src=83.70.163.56 dst=159.134.248.17 sport=3197 dport=53 
src=159.134.248.17 dst=83.70.163.56 sport=53 dport=3197 [ASSURED] use=1
tcp      6 236924 ESTABLISHED src=83.70.224.152 dst=83.70.163.56 sport=3081 
dport=445 [UNREPLIED] src=83.70.163.56 dst=83.70.224.152 sport=445 dport=3081 
use=1
tcp      6 243993 ESTABLISHED src=192.168.1.7 dst=207.46.110.100 sport=1270 
dport=80 src=207.46.110.100 dst=83.70.163.56 sport=80 dport=1270 [ASSURED] 
use=1
tcp      6 327577 ESTABLISHED src=83.70.120.186 dst=83.70.163.56 sport=1459 
dport=445 src=83.70.163.56 dst=83.70.120.186 sport=445 dport=1459 [ASSURED] 
use=1
tcp      6 87960 ESTABLISHED src=192.168.3.5 dst=213.115.162.82 sport=33847 
dport=80 src=213.115.162.82 dst=83.70.163.56 sport=80 dport=33847 [ASSURED] 
use=1
tcp      6 87935 ESTABLISHED src=192.168.3.5 dst=213.115.162.82 sport=33844 
dport=80 src=213.115.162.82 dst=83.70.163.56 sport=80 dport=33844 [ASSURED] 
use=1
tcp      6 73 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=4757 dport=25 
src=127.0.0.1 dst=127.0.0.1 sport=25 dport=4757 [ASSURED] use=1
tcp      6 403256 ESTABLISHED src=83.70.163.56 dst=203.31.48.5 sport=4414 
dport=80 src=203.31.48.5 dst=83.70.163.56 sport=80 dport=4414 [ASSURED] use=1
tcp      6 386874 ESTABLISHED src=83.70.126.16 dst=83.70.163.56 sport=4402 
dport=445 src=83.70.163.56 dst=83.70.126.16 sport=445 dport=4402 [ASSURED] 
use=1
tcp      6 233725 ESTABLISHED src=83.70.65.217 dst=83.70.163.56 sport=2907 
dport=445 src=83.70.163.56 dst=83.70.65.217 sport=445 dport=2907 [ASSURED] 
use=1
tcp      6 431988 ESTABLISHED src=192.168.1.7 dst=207.46.107.1 sport=1355 
dport=1863 src=207.46.107.1 dst=83.70.163.56 sport=1863 dport=1355 [ASSURED] 
use=1
tcp      6 241378 ESTABLISHED src=216.230.132.182 dst=83.70.163.56 sport=37754 
dport=21 src=83.70.163.56 dst=216.230.132.182 sport=21 dport=37754 [ASSURED] 
use=1
tcp      6 337293 ESTABLISHED src=83.70.125.27 dst=83.70.163.56 sport=3985 
dport=445 src=83.70.163.56 dst=83.70.125.27 sport=445 dport=3985 [ASSURED] 
use=1
tcp      6 426610 ESTABLISHED src=192.168.3.5 dst=192.168.1.1 sport=32776 
dport=22 src=192.168.1.1 dst=192.168.3.5 sport=22 dport=32776 [ASSURED] use=1
tcp      6 131931 ESTABLISHED src=192.168.3.5 dst=199.239.136.245 sport=32827 
dport=80 src=199.239.136.245 dst=83.70.163.56 sport=80 dport=32827 [ASSURED] 
use=1
tcp      6 390720 ESTABLISHED src=192.168.1.7 dst=64.4.23.188 sport=1323 
dport=80 src=64.4.23.188 dst=83.70.163.56 sport=80 dport=1323 [ASSURED] use=1
tcp      6 219690 ESTABLISHED src=83.70.124.36 dst=83.70.163.56 sport=4175 
dport=445 src=83.70.163.56 dst=83.70.124.36 sport=445 dport=4175 [ASSURED] 
use=1
tcp      6 393378 ESTABLISHED src=83.70.163.56 dst=213.200.95.126 sport=3770 
dport=80 src=213.200.95.126 dst=83.70.163.56 sport=80 dport=3770 [ASSURED] 
use=1
udp      17 130 src=192.168.3.5 dst=159.134.248.17 sport=32813 dport=53 
src=159.134.248.17 dst=83.70.163.56 sport=53 dport=32813 [ASSURED] use=1
tcp      6 313408 ESTABLISHED src=83.70.46.76 dst=83.70.163.56 sport=2351 
dport=445 [UNREPLIED] src=83.70.163.56 dst=83.70.46.76 sport=445 dport=2351 
use=1
tcp      6 312906 ESTABLISHED src=83.70.16.53 dst=83.70.163.56 sport=1488 
dport=445 src=83.70.163.56 dst=83.70.16.53 sport=445 dport=1488 [ASSURED] 
use=1
tcp      6 393378 ESTABLISHED src=83.70.163.56 dst=213.200.95.126 sport=3771 
dport=80 src=213.200.95.126 dst=83.70.163.56 sport=80 dport=3771 [ASSURED] 
use=1
tcp      6 67014 ESTABLISHED src=192.168.1.7 dst=213.199.154.46 sport=1060 
dport=80 src=213.199.154.46 dst=83.70.163.56 sport=80 dport=1060 [ASSURED] 
use=1
unknown  2 503 src=159.134.155.26 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1 
dst=159.134.155.26 use=1
tcp      6 88717 ESTABLISHED src=192.168.3.5 dst=66.179.234.15 sport=33874 
dport=80 src=66.179.234.15 dst=83.70.163.56 sport=80 dport=33874 [ASSURED] 
use=1
tcp      6 344506 ESTABLISHED src=83.70.126.26 dst=83.70.163.56 sport=3928 
dport=445 src=83.70.163.56 dst=83.70.126.26 sport=445 dport=3928 [ASSURED] 
use=1
tcp      6 398900 ESTABLISHED src=83.70.127.43 dst=83.70.163.56 sport=4973 
dport=445 [UNREPLIED] src=83.70.163.56 dst=83.70.127.43 sport=445 dport=4973 
use=1
tcp      6 211923 ESTABLISHED src=192.168.3.5 dst=217.173.101.246 sport=33127 
dport=80 src=217.173.101.246 dst=83.70.163.56 sport=80 dport=33127 [ASSURED] 
use=1
tcp      6 431999 ESTABLISHED src=192.168.3.5 dst=192.168.1.1 sport=32775 
dport=22 src=192.168.1.1 dst=192.168.3.5 sport=22 dport=32775 [ASSURED] use=1
-----------------------------------------------

Apologies for the rather diffuse question;
if anyone can cast light on my problme I shall be very grateful.

-- 
Timothy Murphy  
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland

John Andersen

2005-Jan-08 05:48 UTC

head link

Re: Shorewall problem, perhaps with PPPoE

On Friday 07 January 2005 07:31 pm, Timothy Murphy
wrote:> Apologies for the rather diffuse question;
> if anyone can cast light on my problme I shall be very grateful.
What about your shorewall policy file?

-- 
John Andersen - NORCOM
http://www.norcomsoftware.com/

Timothy Murphy

2005-Jan-08 13:22 UTC

head link

Re: Shorewall problem, perhaps with PPPoE

On Saturday 08 January 2005 05:48, John Andersen wrote:
> What about your shorewall policy file?
Apologies.
Your hint showed me my error -
I had not "commented in" the line in "policy"
allowing "open access to the Internet from your Firewall".
(I misunderstood this comment.)
Now I have done that I am able to access the internet
from the desktop running shorewall.

That leaves me with only one small problem.
I am running httpd on my desktop (where shorewall is also running)
but cannot access www files on this machine from my other machines
when shorewall is running, eg
===========  shorewall not running ================[tim@william ~]$ wget
http://alfred/Welcome.html
--13:07:26--  http://alfred/Welcome.html
           => `Welcome.html''
Resolving alfred... 192.168.1.1
Connecting to alfred[192.168.1.1]:80... connected.
...
13:07:27 (277.53 KB/s) - `Welcome.html'' saved [694/694]
=============== shorewall running ===============[tim@william ~]$ wget
http://alfred/Welcome.html
--13:08:57--  http://alfred/Welcome.html
           => `Welcome.html.1''
Resolving alfred... 192.168.1.1
Connecting to alfred[192.168.1.1]:80... failed: Connection refused.
==============================================
To explain my setup:
I took two-interfaces as my starting-point,
and the only changes I made were to the files below

============= interfaces ==============#ZONE   INTERFACE       BROADCAST      
OPTIONS
net     ppp0            -               routefilter
loc     eth1            detect
loc     eth2            detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============== policy =================#SOURCE         DEST            POLICY   
LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
============== zones =================#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local Networks
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
========== shorewall.conf ============LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGRATELOGBURSTLOGUNCLEAN=info
BLACKLIST_LOGLEVELLOGNEWNOTSYN=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIRFW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
TC_ENABLED=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS="yes"
ROUTE_FILTER=No
NAT_BEFORE_RULES=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
NEWNOTSYN=No
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
======================================
Any suggestions gratefully received.

Thanks for shorewall, which seems to provide
a very solid firewall.

-- 
Timothy Murphy  
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland

Tom Eastep

2005-Jan-08 15:31 UTC

head link

Re: Shorewall problem, perhaps with PPPoE

Timothy Murphy wrote:>
> 
> Any suggestions gratefully received.
>
Add the necessary rules to /etc/shorewall/rules as explained in the
Two-Interface Quickstart Guide (http://shorewall.net/two-interface.htm)
under "Other connections".

Any connections which are contrary to your policies that you want to
accept must have the appropriate ACCEPT rule.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

John Andersen

2005-Jan-08 21:44 UTC

head link

Re: Shorewall problem, perhaps with PPPoE

On Saturday 08 January 2005 04:22 am, Timothy Murphy
wrote:> On Saturday 08 January 2005 05:48, John Andersen wrote:
> > What about your shorewall policy file?
>
> Apologies.
> Your hint showed me my error -
I thought it might...

 > That leaves me with only one small problem.
> I am running httpd on my desktop (where shorewall is also running)
> but cannot access www files on this machine from my other machines
> when shorewall is running, eg
Similar sort of problem.  Rule needed.  Perhaps something
like:
ACCEPT          loc     fw              tcp     www,ftp,time


-- 
John Andersen - NORCOM
http://www.norcomsoftware.com/

Timothy Murphy

2005-Jan-08 22:17 UTC

head link

Re: Shorewall problem, perhaps with PPPoE

On Saturday 08 January 2005 15:31, Tom Eastep wrote:
> Add the necessary rules to /etc/shorewall/rules as explained in the
> Two-Interface Quickstart Guide (http://shorewall.net/two-interface.htm)
> under "Other connections".
Unfortunately, this document states
"Prior to Shorewall version 1.4.9, 
rules in /etc/shorewall/rules were limited to those defined by Netfilter 
(ACCEPT, DROP, REJECT, etc.). 
Beginning with Shorewall version 1.4.9, 
users may use sequences of these elementary operations 
to define more complex actions."

As I explained,  I am using version 1.4.8,
which is the most recent version availabe in standard Fedora-3.
So the advice in this document does not appear to be applicable.

However, I got everything I want working as far (as I can see)
with 3 additions to /etc/shorewall/rules:
==========================ACCEPT          fw              loc             tcp   
22
ACCEPT          loc             fw      tcp     http
ACCEPT          loc             fw      tcp     imap
==========================
I''d sort of expected that all internal traffic would be allowed.

Thanks for the help, and for shorewall,
which seems like a great firewall.

-- 
Timothy Murphy  
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland

Brad

2005-Jan-09 01:19 UTC

head link

Re: Shorewall problem, perhaps with PPPoE

Timothy Murphy wrote:
> I''d sort of expected that all internal traffic would be allowed.
If you''d like all internal traffic to be allowed you can add a line to 
/etc/shorewall/policy like:

loc	fw	ACCEPT

Timothy Murphy

2005-Jan-09 04:08 UTC

head link

Re: Shorewall problem, perhaps with PPPoE

On Sunday 09 January 2005 01:19, Brad wrote:
> > I''d sort of expected that all internal traffic would be
allowed.
>
> If you''d like all internal traffic to be allowed you can add a
line to
> /etc/shorewall/policy like:
>
> loc fw ACCEPT
Thanks, that simplifies things.
I have added
loc             fw              ACCEPT
fw              loc             ACCEPT
to /etc/shorewall/policy , and all seems fine..
The only additional lines I have now in /etc/shorewall/rules are
ACCEPT          fw              net             tcp     uucp
ACCEPT          fw              net             tcp     ssh


-- 
Timothy Murphy  
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland

Tom Eastep

2005-Jan-09 04:17 UTC

head link

Re: Shorewall problem, perhaps with PPPoE

Timothy Murphy wrote:> On Sunday 09 January 2005 01:19, Brad wrote:
> 
> 
>>>I''d sort of expected that all internal traffic would be
allowed.
>>
>>If you''d like all internal traffic to be allowed you can add a
line to
>>/etc/shorewall/policy like:
>>
>>loc fw ACCEPT
> 
> 
> Thanks, that simplifies things.
> I have added
> loc             fw              ACCEPT
> fw              loc             ACCEPT
> to /etc/shorewall/policy , and all seems fine..
> The only additional lines I have now in /etc/shorewall/rules are
> ACCEPT          fw              net             tcp     uucp
> ACCEPT          fw              net             tcp     ssh
> 
> 
I thought you said that you had uncommented the fw->net ACCEPT policy --
if that is the case then fw->net ACCEPT rules are superfluous.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Seemingly Similar Threads

Search for more seemingly similar threads

Shorewall users - Jan 2005 - Shorewall problem, perhaps with PPPoE

Shorewall problem, perhaps with PPPoE

Re: Shorewall problem, perhaps with PPPoE

Re: Shorewall problem, perhaps with PPPoE

Re: Shorewall problem, perhaps with PPPoE

Re: Shorewall problem, perhaps with PPPoE

Re: Shorewall problem, perhaps with PPPoE

Re: Shorewall problem, perhaps with PPPoE

Re: Shorewall problem, perhaps with PPPoE

Re: Shorewall problem, perhaps with PPPoE

Seemingly Similar Threads