Hi,

I'm trying to enable ssh (when that works, want to add: pop3s, smtp, web) from the internet to the firewall but it does not work.
I managed to DNAT ftp to a host in the loc network (192.168.0.50) successfully but I don't know why SSH:

Does not work for me:
ACCEPT net fw tcp 22

Works from the loc network:
ACCEPT loc fw tcp 22

I have tried also with (no success):
AllowSSH net fw

I have set up the "two interface example" with modifications:
Eth1 is the interface connected to adsl (ppp0) and eth0 the interface connected to LAN.

(I tried the connections from the internet (job) + I used web services that check a firewall for open ports
http://probe.hackerwatch.org/probe/probe.asp or https://grc.com/x/ne.dll?bh0bkyd2)

Please help me I'm desperate!

My shorewall config files (I posted only the files that have something set):

INTERFACES:
----------------------------------------------------------------------------
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           dhcp,norfc1918,tcpflags
loc     eth0        detect      tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

MASQ:
----------------------------------------------------------------------------
#INTERFACE   SUBNET   ADDRESS
eth1         eth0     213.155.200.43
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

MODULES:
----------------------------------------------------------------------------
#
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc

NAT:
----------------------------------------------------------------------------
#EXTERNAL         INTERFACE   INTERNAL       ALL          LOCAL
#                                            INTERFACES
#213.155.200.43   ppp0        192.168.0.50   yes          yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

POLICY:
----------------------------------------------------------------------------
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw        net    ACCEPT
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

ROUTESTOPPED:
----------------------------------------------------------------------------
#INTERFACE   HOST(S)
eth0         -
#eth1        IP POINTERCOM
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

RULES:
----------------------------------------------------------------------------
ACCEPT     fw    net                tcp    53
ACCEPT     fw    net                udp    53
AllowDNS   loc   fw
AllowDNS   fw    net
# Allow Ping To And From Firewall
#
ACCEPT     loc   fw                 icmp   8
ACCEPT     net   fw                 icmp   8
ACCEPT     fw    loc                icmp
ACCEPT     fw    net                icmp
#
# Accept SSH connections from the local + internet network for administration
#
ACCEPT     loc   fw                 tcp    22
ACCEPT     net   fw                 tcp    22
#
#
# Accept WEBMIN connections from the local to firewall
#
ACCEPT     loc   fw                 tcp    10000
#
# ACCEPT FTP TO loc LAN PC
DNAT       net   loc:192.168.0.50   tcp    21     21
#
# INCOMING
#AllowPing   net fw
#AllowSSH    net fw
#AllowSSH    loc fw
#AllowDNS    net fw
#AllowFTP    net fw
#AllowWeb    net fw
#AllowSMTP   net fw
#AllowPOP3   net fw
#AllowIMAP   net fw
#REDIRECT    net 22 tcp 22
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

SHOREWALL.CONF:
----------------------------------------------------------------------------
LOGFILE=/var/log/firewall
LOGFORMAT="Shorewall:%s:%s:"
LOGRATE=
LOGBURST=
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
TC_ENABLED=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=yes
ROUTE_FILTER=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
MODULE_SUFFIX=
DISABLE_IPV6=No
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE

START:
----------------------------------------------------------------------------
run_iptables -I INPUT   -i eth0 -j LOG --log-prefix BANDWIDTH_IN:  --log-level debug
run_iptables -I FORWARD -i eth0 -j LOG --log-prefix BANDWIDTH_IN:  --log-level debug
run_iptables -I FORWARD -o eth0 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug
run_iptables -I OUTPUT  -o eth0 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug
run_iptables -I INPUT   -i ppp0 -j LOG --log-prefix BANDWIDTH_IN:  --log-level debug
run_iptables -I FORWARD -i ppp0 -j LOG --log-prefix BANDWIDTH_IN:  --log-level debug
run_iptables -I FORWARD -o ppp0 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug
run_iptables -I OUTPUT  -o ppp0 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug

TOS:
----------------------------------------------------------------------------
#SOURCE   DEST   PROTOCOL   SOURCE PORTS   DEST PORTS   TOS
all       all    tcp        -              ssh          16
all       all    tcp        ssh            -            16
all       all    tcp        -              ftp          16
all       all    tcp        ftp            -            16
all       all    tcp        ftp-data       -            8
all       all    tcp        -              ftp-data     8
#LAST LINE -- Add your entries above -- DO NOT REMOVE

ZONES:
----------------------------------------------------------------------------
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local Networks
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Thanks for any help,
Marc
s/fw/$FW

On 4/19/05, Marc Schillinger <m.schillinger@pointercom.it> wrote:
> Hi,
>
> I'm trying to enable ssh (when that works, want to add: pop3s, smtp, web) from
> the internet to the firewall but it does not work.
> I managed to DNAT ftp to a host in the loc network (192.168.0.50) successfully
> but I don't know why SSH:
>
> Does not work for me:
> ACCEPT net fw tcp 22
>
> Works from the loc network:
> ACCEPT loc fw tcp 22
>
> I have tried also with (no success):
> AllowSSH net fw
>
> I have set up the "two interface example" with modifications:
> Eth1 is the interface connected to adsl (ppp0) and eth0 the interface
> connected to LAN.
<snip>
> Thanks for any help,
> Marc

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
What do you mean? Maybe: substitute fw with $FW???

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Gary Buckmaster
Sent: Tuesday 19 April 2005 15.26
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] allow ssh access from net to fw?

s/fw/$FW

On 4/19/05, Marc Schillinger <m.schillinger@pointercom.it> wrote:
> Hi,
>
> I'm trying to enable ssh (when that works, want to add: pop3s, smtp, web)
> from the internet to the firewall but it does not work.
> I managed to DNAT ftp to a host in the loc network (192.168.0.50)
> successfully but I don't know why SSH:
>
> Does not work for me:
> ACCEPT net fw tcp 22
>
> Works from the loc network:
> ACCEPT loc fw tcp 22
>
> I have tried also with (no success):
> AllowSSH net fw
<snip>
Marc Schillinger wrote:
> Hi,
>
> I'm trying to enable ssh (when that works, want to add: pop3s, smtp, web) from
> the internet to the firewall but it does not work.
> I managed to DNAT ftp to a host in the loc network (192.168.0.50) successfully
> but I don't know why SSH:
>
> Does not work for me:
> ACCEPT net fw tcp 22
>
> Works from the loc network:
> ACCEPT loc fw tcp 22
>
> I have tried also with (no success):
> AllowSSH net fw
>
> I have set up the "two interface example" with modifications:
> Eth1 is the interface connected to adsl (ppp0) and eth0 the interface
> connected to LAN.
>
> (I tried the connections from the internet (job) + I used web services that
> check a firewall for open ports
> http://probe.hackerwatch.org/probe/probe.asp or
> https://grc.com/x/ne.dll?bh0bkyd2)
>
> Please help me I'm desperate!

NOT ALL CONNECTION PROBLEMS ARE SHOREWALL CONFIGURATION PROBLEMS!!

Try this:

a) shorewall clear
b) Try to connect to your firewall from the net.
c) Does it work?

   Yes -- Problem is a Shorewall problem (which I doubt since your
   rules look fine).

   No -- Your problem has nothing to do with Shorewall.

d) shorewall start

I'm betting that your problem is not Shorewall-related. If it IS
Shorewall related then please follow the instructions at
http://shorewall.net/support.htm#Guidelines when you submit your next
problem report.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
You might want to make sure that:

1. TCP Wrappers isn't blocking the connection (make sure /etc/hosts.allow says sshd: ALL or ALL: ALL)
2. Your ISP isn't filtering that port
3. sshd is actually running

Go to grc, probe *just port 22*, then as root, go to a command prompt and type:

tail -n 70 /var/log/messages

Do you see an entry for the scan? If you don't, your ISP may be dropping port 22 traffic.

This workaround (substitute 192.168.1.1 for your LAN IP) is what I use:

DNAT net fw:192.168.1.1:22 tcp 5190

**5190 is the AOL instant messenger port - it's unlikely any residential ISP would block it, you may also want to try 8080.

On Tue, 2005-04-19 at 06:51 -0700, Tom Eastep wrote:
> Marc Schillinger wrote:
> > Hi,
> >
> > I'm trying to enable ssh (when that works, want to add: pop3s, smtp, web) from
> > the internet to the firewall but it does not work.
<snip>
> > Please help me I'm desperate!
>
> NOT ALL CONNECTION PROBLEMS ARE SHOREWALL CONFIGURATION PROBLEMS!!
>
> Try this:
>
> a) shorewall clear
> b) Try to connect to your firewall from the net.
> c) Does it work?
>
>    Yes -- Problem is a Shorewall problem (which I doubt since your
>    rules look fine).
>
>    No -- Your problem has nothing to do with Shorewall.
>
> d) shorewall start
>
> I'm betting that your problem is not Shorewall-related. If it IS
> Shorewall related then please follow the instructions at
> http://shorewall.net/support.htm#Guidelines when you submit your next
> problem report.
>
> -Tom
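Tom's clear/test/start procedure and ryan's "probe port 22, then read the log" check both reduce to one question: did the probe's packet reach the firewall, and if so which Shorewall chain and disposition handled it? The following is an added example, not code from anyone on this thread or from the Shorewall project. It is a POSIX shell/awk function that tallies log entries for inbound traffic to one port by chain and disposition. It assumes LOGFORMAT="Shorewall:%s:%s:" as set in Marc's shorewall.conf, which produces kernel log prefixes of the form Shorewall:net2all:DROP:; the log lines below are constructed for the demonstration and are not from Marc's machine.

```shell
#!/bin/sh
# Added example (not from the thread): tally firewall log entries for inbound
# traffic to one port, grouped by Shorewall chain and disposition.
# Assumes LOGFORMAT="Shorewall:%s:%s:" (Marc's setting), which yields prefixes
# such as "Shorewall:net2all:DROP:IN=ppp0 OUT= ... DPT=22 ...".

# Usage: triage_port LOGFILE IFACE DPORT
# Prints one "chain disposition count" line per distinct pair seen for packets
# that arrived on IFACE with destination port DPORT. Returns 1 when nothing
# matched: the probe either never reached the kernel (upstream filtering,
# wrong public IP) or was ACCEPTed by a rule, which Shorewall does not log.
triage_port() {
    out=$(awk -v iface="$2" -v dport="$3" '
        match($0, /Shorewall:[^:]+:[^:]+:/) {
            # "Shorewall:" is 10 characters and the prefix ends with ":"
            split(substr($0, RSTART + 10, RLENGTH - 11), p, ":")   # p[1]=chain p[2]=disposition
            rest = substr($0, RSTART + RLENGTH)                    # "IN=ppp0 OUT= ... DPT=22 ..."
            n = split(rest, f, " ")
            in_if = ""; dpt = ""
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^IN=/)  in_if = substr(f[i], 4)
                if (f[i] ~ /^DPT=/) dpt   = substr(f[i], 5)
            }
            if (in_if == iface && dpt == dport) seen[p[1] " " p[2]]++
        }
        END {
            for (k in seen) { print k, seen[k]; cnt++ }
            exit (cnt == 0)
        }' "$1")
    st=$?
    [ -n "$out" ] && printf '%s\n' "$out" | sort
    return $st
}

# Constructed sample log (not real traffic): two probes to TCP/22 dropped by
# the net->all policy, one to TCP/10000, one LAN-side REJECT, and one line from
# the BANDWIDTH_IN rule in Marc's start file, which carries no chain/disposition.
log=$(mktemp)
trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
Apr 19 15:26:01 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=213.155.200.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=12345 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 19 15:26:03 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=213.155.200.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=12346 DF PROTO=TCP SPT=41235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 19 15:26:05 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=213.155.200.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=12347 DF PROTO=TCP SPT=41236 DPT=10000 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 19 15:26:07 fw kernel: Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.50 DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=5 DF PROTO=TCP SPT=1055 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 19 15:26:09 fw kernel: BANDWIDTH_IN:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=213.155.200.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=12348 DF PROTO=TCP SPT=41237 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
EOF

echo "--- inbound TCP/22 on ppp0:"
triage_port "$log" ppp0 22 || echo "no logged verdict for this port"
echo "--- inbound TCP/25 on ppp0:"
triage_port "$log" ppp0 25 || echo "no logged verdict for this port"
```

On a real box, point it at whichever file syslog writes kernel messages to (ryan's /var/log/messages, or /var/log/firewall, which is what Marc's LOGFILE setting tells Shorewall to read). A net2all:DROP line for DPT=22 means the packet arrived and Shorewall's policy dropped it, so the ACCEPT rule is not being hit; no line at all means either an accepted connection (check sshd and TCP Wrappers next) or a packet that never arrived. Marc's start file also inserts LOG rules at the head of INPUT for ppp0 at level debug, so if his syslog keeps kern.debug those BANDWIDTH_IN lines record every inbound packet before any Shorewall rule, independent of disposition.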
----- Original Message -----
From: "Marc Schillinger" <m.schillinger@pointercom.it>
To: <shorewall-users@lists.shorewall.net>
Sent: Tuesday, April 19, 2005 08:16
Subject: [Shorewall-users] allow ssh access from net to fw?

<snip>
> I have set up the "two interface example" with modifications:
> Eth1 is the interface connected to adsl (ppp0) and eth0 the interface
> connected to LAN.

> INTERFACES:
> ----------------------------------------------------------------------------
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     ppp0        -           dhcp,norfc1918,tcpflags
> loc     eth0        detect      tcpflags
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> MASQ:
> ----------------------------------------------------------------------------
> #INTERFACE   SUBNET   ADDRESS
> eth1         eth0     213.155.200.43
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Think your MASQ file is wrong, if you're using pppoe then eth1 s/b ppp0

Jerry Vonau
Why? The example in the masq file says:

# Example 1:
#
#      You have a simple masquerading setup where eth0 connects to
#      a DSL or cable modem and eth1 connects to your local network
#      with subnet 192.168.0.0/24.
#
#      Your entry in the file can be either:
#
#      #INTERFACE   SUBNET   ADDRESS
#      eth0         eth1
#
#      or
#
#      #INTERFACE   SUBNET   ADDRESS
#      eth0         192.168.0.0/24

With the difference that my interfaces are inverted: (eth1 -> adsl and eth0 -> lan).
Am I misunderstanding the example?

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jerry Vonau
Sent: Tuesday 19 April 2005 16.37
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] allow ssh access from net to fw?

<snip>
> MASQ:
> ----------------------------------------------------------------------------
> #INTERFACE   SUBNET   ADDRESS
> eth1         eth0     213.155.200.43
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Think your MASQ file is wrong, if you're using pppoe then eth1 s/b ppp0

Jerry Vonau
Marc Schillinger wrote:
> Why? The example in the masq file says:
>
> # Example 1:
> #
> #      You have a simple masquerading setup where eth0 connects to
> #      a DSL or cable modem and eth1 connects to your local network
> #      with subnet 192.168.0.0/24.
> #
> #      Your entry in the file can be either:
> #
> #      #INTERFACE   SUBNET   ADDRESS
> #      eth0         eth1
> #
> #      or
> #
> #      #INTERFACE   SUBNET   ADDRESS
> #      eth0         192.168.0.0/24
>
> With the difference that my interfaces are inverted: (eth1 -> adsl and eth0 -> lan).
> Am I misunderstanding the example?

The interface named in the #INTERFACE column should be the same as your 'net' interface in /etc/shorewall/interfaces:

/etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           dhcp,norfc1918,tcpflags
loc     eth0        detect      tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/masq:

#INTERFACE   SUBNET   ADDRESS
eth1         eth0     213.155.200.43
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

One of the two files must be wrong...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
There is no problem with my ISP blocking ports. All works fine with windows server (mail server, web server, ftp server, ....)
I'll check my "/etc/hosts.allow" as soon as I get back home ;-)

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of ryan
Sent: Tuesday 19 April 2005 16.32
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] allow ssh access from net to fw?

You might want to make sure that:

1. TCP Wrappers isn't blocking the connection (make sure /etc/hosts.allow says sshd: ALL or ALL: ALL)
2. Your ISP isn't filtering that port
3. sshd is actually running

Go to grc, probe *just port 22*, then as root, go to a command prompt and type:

tail -n 70 /var/log/messages

Do you see an entry for the scan? If you don't, your ISP may be dropping port 22 traffic.

This workaround (substitute 192.168.1.1 for your LAN IP) is what I use:

DNAT net fw:192.168.1.1:22 tcp 5190

**5190 is the AOL instant messenger port - it's unlikely any residential ISP would block it, you may also want to try 8080.
<snip>
Ok that sounds logical ;-).
I'll change:
/etc/shorewall/masq:

#INTERFACE   SUBNET   ADDRESS
eth1         eth0     213.155.200.43
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

To:
/etc/shorewall/masq:

#INTERFACE   SUBNET   ADDRESS
eth1         ppp0     213.155.200.43
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

In about 2 hours (when I'm back home)

thanks

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Tuesday 19 April 2005 17.00
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] allow ssh access from net to fw?

Marc Schillinger wrote:
> Why? The example in the masq file says:
<snip>
> With the difference that my interfaces are inverted: (eth1 -> adsl and
> eth0 -> lan).
> Am I misunderstanding the example?

The interface named in the #INTERFACE column should be the same as your 'net' interface in /etc/shorewall/interfaces:

/etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           dhcp,norfc1918,tcpflags
loc     eth0        detect      tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/masq:

#INTERFACE   SUBNET   ADDRESS
eth1         eth0     213.155.200.43
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

One of the two files must be wrong...

-Tom
Marc Schillinger wrote:
> Ok that sounds logical ;-).
> I'll change:
> /etc/shorewall/masq:
>
> #INTERFACE SUBNET ADDRESS
> eth1 eth0 213.155.200.43
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> To:
> /etc/shorewall/masq:
>
> #INTERFACE SUBNET ADDRESS
> eth1 ppp0 213.155.200.43
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> In about 2 hours (when I'm back home)

No,no,no,no...

/etc/shorewall/masq:

#INTERFACE SUBNET ADDRESS
ppp0 eth0 213.155.200.43
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

-Tom

--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
when you have /etc/shorewall/interfaces

#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 - dhcp,norfc1918,tcpflags
..

then you should use ppp0 as the interface to the Internet for other
shorewall files.

Also you may want to double check how you start SSH (stand-alone or TCP
wrapper) and if you need to allow SSH in /etc/hosts.allow or not.

----- Original Message -----
From: "Marc Schillinger" <m.schillinger@pointercom.it>
To: "'Mailing List for Shorewall Users'" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, April 19, 2005 10:52 AM
Subject: RE: [Shorewall-users] allow ssh access from net to fw?

Why? The example in the masq file says:

# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
#
# Your entry in the file can be either:
#
# #INTERFACE SUBNET ADDRESS
# eth0 eth1
#
# or
#
# #INTERFACE SUBNET ADDRESS
# eth0 192.168.0.0/24

With the difference that my interfaces are inverted: (eth1 ->adsl and
eth0 ->lan).
Am I misunderstanding the example?

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net
[mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jerry Vonau
Sent: Tuesday, 19 April 2005 16.37
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] allow ssh access from net to fw?

----- Original Message -----
From: "Marc Schillinger" <m.schillinger@pointercom.it>
To: <shorewall-users@lists.shorewall.net>
Sent: Tuesday, April 19, 2005 08:16
Subject: [Shorewall-users] allow ssh access from net to fw?

<snip>
>
> I have setup the "two interface example" with modifications:
> Eth1 is the interface connected to adsl (ppp0) and eth0 the interface
> connected to LAN.
>
> INTERFACES:
> ----------------------------------------------------------------------------
> #ZONE INTERFACE BROADCAST OPTIONS
> net ppp0 - dhcp,norfc1918,tcpflags
> loc eth0 detect tcpflags
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>
> MASQ:
> ----------------------------------------------------------------------------
> #INTERFACE SUBNET ADDRESS
> eth1 eth0 213.155.200.43
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>

Think your MASQ file is wrong, if you're using pppoe then eth1 s/b ppp0

Jerry Vonau
Why? The example in the masq file says:

# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
#
# Your entry in the file can be either:
#
# #INTERFACE SUBNET ADDRESS
# eth0 eth1
#
# or
#
# #INTERFACE SUBNET ADDRESS
# eth0 192.168.0.0/24

With the difference that my interfaces are inverted: (eth1 ->adsl and
eth0 ->lan).
Am I misunderstanding the example?

Yes....

INTERFACE = net interface
SUBNET = local subnet

You're not really using the NAT file, are you? Looks like you were when
you had the DNAT ftp working. This would prevent anything connecting to
the firewall itself, from the outside, as all connections would be headed
for 192.168.0.50, if the rules allow it.

Jerry
No I'm not using the nat file.

NAT:
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
#213.155.200.43 ppp0 192.168.0.50 yes yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

As you can see the line is commented.

But I do use:

RULES:
# ACCEPT FTP TO ZEUS
DNAT net loc:192.168.0.50 tcp 21 21

to forward ftp to my internal server and it is working.

So my nat file is 'empty' and the rules file has the DNAT rule => my ftp
server is accessible from internet.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net
[mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jerry Vonau
Sent: Tuesday, 19 April 2005 17.46
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] allow ssh access from net to fw?

Why? The example in the masq file says:

# Example 1:
#
# You have a simple masquerading setup where eth0 connects to
# a DSL or cable modem and eth1 connects to your local network
# with subnet 192.168.0.0/24.
#
# Your entry in the file can be either:
#
# #INTERFACE SUBNET ADDRESS
# eth0 eth1
#
# or
#
# #INTERFACE SUBNET ADDRESS
# eth0 192.168.0.0/24

With the difference that my interfaces are inverted: (eth1 ->adsl and
eth0 ->lan).
Am I misunderstanding the example?

Yes....

INTERFACE = net interface
SUBNET = local subnet

You're not really using the NAT file, are you? Looks like you were when
you had the DNAT ftp working. This would prevent anything connecting to
the firewall itself, from the outside, as all connections would be headed
for 192.168.0.50, if the rules allow it.

Jerry
OK got it working!!

The solution is:

/etc/shorewall/masq:

#INTERFACE SUBNET ADDRESS
ppp0 eth0 213.155.200.43
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

I replaced eth1 with ppp0 (see setting above).

Thank you all for your help, it's always nice to have people who help out ;-)

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net
[mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Tuesday, 19 April 2005 17.15
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] allow ssh access from net to fw?

Marc Schillinger wrote:
> Ok that sounds logical ;-).
> I'll change:
> /etc/shorewall/masq:
>
> #INTERFACE SUBNET ADDRESS
> eth1 eth0 213.155.200.43
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> To:
> /etc/shorewall/masq:
>
> #INTERFACE SUBNET ADDRESS
> eth1 ppp0 213.155.200.43
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> In about 2 hours (when I'm back home)

No,no,no,no...

/etc/shorewall/masq:

#INTERFACE SUBNET ADDRESS
ppp0 eth0 213.155.200.43
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

-Tom

--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
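The rule Tom and Jerry state above (the INTERFACE column of /etc/shorewall/masq must name the interface that /etc/shorewall/interfaces assigns to the "net" zone, here ppp0 rather than the physical eth1) as a small consistency check; this is an added example, not code from the thread or from Shorewall, and the interfaces and masq files it reads are constructed copies of Marc's written to a temporary directory, not the live /etc/shorewall.

```shell
#!/bin/sh
# Added example: cross-check a Shorewall masq file against the interfaces file.
# Rule from the thread: the masq INTERFACE column must be the interface that
# the interfaces file assigns to the "net" zone (ppp0 here, not eth1).

# check_masq_iface INTERFACES_FILE MASQ_FILE
# Returns 0 when every masq entry names the net-zone interface, 1 otherwise.
check_masq_iface() {
    # Column 2 of the first non-comment line whose ZONE column is "net"
    net_if=$(awk '$1 !~ /^#/ && $1 == "net" { print $2; exit }' "$1")
    if [ -z "$net_if" ]; then
        echo "no 'net' zone found in $1" >&2
        return 1
    fi
    rc=0
    # Column 1 of every non-blank, non-comment masq line
    for masq_if in $(awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$2"); do
        if [ "$masq_if" != "$net_if" ]; then
            echo "masq INTERFACE '$masq_if' is not the net interface '$net_if'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files mirroring the thread's configuration (not /etc/shorewall)
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           dhcp,norfc1918,tcpflags
loc     eth0        detect      tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF
# Marc's original entry: eth1 is the physical port, not the net-zone interface
cat > "$WORKDIR/masq.broken" <<'EOF'
#INTERFACE  SUBNET  ADDRESS
eth1        eth0    213.155.200.43
EOF
# Tom's corrected entry: ppp0 is the net interface, eth0 the local subnet
cat > "$WORKDIR/masq.fixed" <<'EOF'
#INTERFACE  SUBNET  ADDRESS
ppp0        eth0    213.155.200.43
EOF

check_masq_iface "$WORKDIR/interfaces" "$WORKDIR/masq.broken" || echo "broken masq flagged"
check_masq_iface "$WORKDIR/interfaces" "$WORKDIR/masq.fixed" && echo "fixed masq OK"
```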