Hi all

Firewall is Linux SLES8 kernel 2.4.21-278-default with 2 interfaces, fixed IP addresses on LAN and Internet (INT, WAN), NAT from LAN to INT (Masquerading-SNAT). Shorewall is v2.2.2.

I am trying to allow access from LAN to Internet for all workstations EXCEPT for some of them. Default policy is REJECT LAN to INT traffic, so the rule created in /etc/shorewall/rules is:

ACCEPT LAN:!192.168.100.101,192.168.100.115 INT all

... like it is written in the documentation: "!" before a list of comma separated values with no blanks.

It DOES NOT work. The first address really can't go to the Internet, the second and subsequent ones can.

Shorewall status shows the following IPTABLES rules:

Chain LAN2INT (1 references)
    2    96 ACCEPT     all  --  *      *       !192.168.100.151     0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.100.115      0.0.0.0/0

Please note no "!" in front of the address in the second row.

So I created a different shorewall rule (opposite from what the documentation says):

ACCEPT LAN:!192.168.100.151,!192.168.100.115 INT all

Shorewall status shows the following IPTABLES rules:

Chain LAN2INT (1 references)
    0     0 ACCEPT     all  --  *      *       !192.168.100.151     0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       !192.168.100.115     0.0.0.0/0

"!" is now there in front of both addresses but still it does not work. Actually, I think Shorewall should create only ONE rule, not two or more in this case. Bug?

I am using Webmin 1.200 to edit Shorewall rules because the user likes a GUI :) (I prefer the shell) but the same thing happens with rules created in Webmin by him or in the shell by me - Webmin seems to do the job OK, the rules are identical.

So, how can I make it work??

Thanks, regards

Ivica Glavocic
2005/5/10, Ivica Glavocic <ivica.glavocic@laserline.hr>:
> Hi all
>
> Firewall is Linux SLES8 kernel 2.4.21-278-default with 2 interfaces, fixed
> IP addresses on LAN and Internet (INT, WAN), NAT from LAN to INT
> (Masquerading-SNAT). Shorewall is v2.2.2.
>
> I am trying to allow access from LAN to Internet for all workstations EXCEPT
> for some of them. Default policy is REJECT LAN to INT traffic, so the rule
> created in /etc/shorewall/rules is:
>
> ACCEPT LAN:!192.168.100.101,192.168.100.115 INT all
>
> ... like it is written in the documentation: "!" before a list of comma separated
> values with no blanks.
>
> It DOES NOT work. The first address really can't go to the Internet, the second and
> subsequent ones can.
>
> Shorewall status shows the following IPTABLES rules:
>
> Chain LAN2INT (1 references)
>     2    96 ACCEPT     all  --  *      *       !192.168.100.151     0.0.0.0/0
>     0     0 ACCEPT     all  --  *      *       192.168.100.115      0.0.0.0/0
>
> Please note no "!" in front of the address in the second row.
>
> So I created a different shorewall rule (opposite from what the documentation
> says):
>
> ACCEPT LAN:!192.168.100.151,!192.168.100.115 INT all
>
> Shorewall status shows the following IPTABLES rules:
>
> Chain LAN2INT (1 references)
>     0     0 ACCEPT     all  --  *      *       !192.168.100.151     0.0.0.0/0
>     0     0 ACCEPT     all  --  *      *       !192.168.100.115     0.0.0.0/0
>
> "!" is now there in front of both addresses but still it does not work.
> Actually, I think Shorewall should create only ONE rule, not two or more in
> this case. Bug? I am using Webmin 1.200 to edit Shorewall rules because the user
> likes a GUI :) (I prefer the shell) but the same thing happens with rules created in Webmin
> by him or in the shell by me - Webmin seems to do the job OK, the rules are
> identical.
>
> So, how can I make it work??
>
> Thanks, regards
>
> Ivica Glavocic

please attach the output of "shorewall show capabilities" and "shorewall status" (compressed)
2005/5/10, Cristian Rodriguez <judas.iscariote@gmail.com>:
>
> please attach the output of "shorewall show capabilities" and
> "shorewall status" (compressed)
>

sorry, "shorewall show capabilities" has been added only to shorewall 2.2.4

#rpm -Fvh http://slovakia.shorewall.net/pub/shorewall/2.2/shorewall-2.2.4/shorewall-2.2.4-1.noarch.rpm

;)
Cristian Rodriguez wrote on 10/05/2005 14:26:22:

> 2005/5/10, Ivica Glavocic <ivica.glavocic@laserline.hr>:
> > Hi all
> >
> > I am trying to allow access from LAN to Internet for all workstations EXCEPT
> > for some of them. Default policy is REJECT LAN to INT traffic, so the rule
> > created in /etc/shorewall/rules is:
> >
[... snip ...]
> >
> > So I created a different shorewall rule (opposite from what the documentation
> > says):
> >
> > ACCEPT LAN:!192.168.100.151,!192.168.100.115 INT all
> >
> > Shorewall status shows the following IPTABLES rules:
> >
> > Chain LAN2INT (1 references)
> >     0     0 ACCEPT     all  --  *      *       !192.168.100.151     0.0.0.0/0
> >     0     0 ACCEPT     all  --  *      *       !192.168.100.115     0.0.0.0/0
> >
> > So, how can I make it work??

Ivica:

the problem here is: if machine 192.168.100.115 tries to go from LAN to INT, it will be accepted by the first rule. If machine 192.168.100.151 tries to go from LAN to INT, it will be accepted by the second rule.

maybe you should create a separate action that states:

action.AllowLan2Int:
RETURN  LAN:192.168.100.151,192.168.100.115  -  -  -
ACCEPT  -  -

and call that action from your rules...

HIH,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
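To make the point in the reply above concrete, here is an added example that is not code from this thread, from Shorewall, or from iptables: a small first-match simulation of a netfilter chain. It evaluates the two-negated-ACCEPT layout that the poster's `shorewall status` output shows, and then the RETURN-then-ACCEPT sub-chain that the reply proposes. The chain names `LAN2INT` and `AllowLan2Int` come from the thread; the exact rule layout, the `any` source keyword, and the single-address negation syntax are assumptions made for illustration, not what Shorewall generates.

```python
# Added example (not from the thread, not Shorewall's generated rules):
# simulate first-match evaluation of a netfilter chain so the effect of
# negated sources and of a RETURN sub-chain can be checked offline.
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# chain name -> list of (target, source_spec)
# source_spec is "any", "a.b.c.d[/len]" or "!a.b.c.d[/len]" (assumed syntax).
Chains = Dict[str, List[Tuple[str, str]]]


def source_matches(spec: str, src: str) -> bool:
    """Match a packet's source address against one optionally negated spec."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ip_network(spec.lstrip("!"), strict=False)
    hit = ip_address(src) in net
    return not hit if negate else hit


def walk(chains: Chains, chain: str, src: str) -> Optional[str]:
    """Evaluate a chain top to bottom; first matching rule decides.

    Returns a terminal verdict (ACCEPT/DROP/REJECT), or None when the chain
    RETURNs or runs off its end, which hands control back to the caller.
    """
    for target, spec in chains[chain]:
        if not source_matches(spec, src):
            continue
        if target in chains:                # jump into a user-defined chain
            sub = walk(chains, target, src)
            if sub is not None:             # sub-chain reached a terminal verdict
                return sub
            continue                        # sub-chain returned: keep going here
        if target == "RETURN":
            return None
        return target                       # ACCEPT / DROP / REJECT
    return None


def verdict(chains: Chains, src: str, policy: str = "REJECT") -> str:
    """Packet from LAN to INT: chain result, else the zone policy (REJECT)."""
    result = walk(chains, "LAN2INT", src)
    return result if result is not None else policy


# What the poster's "shorewall status" showed: two ACCEPTs, each negating
# one host. Either host matches the rule that negates the *other* host.
TWO_NEGATED_ACCEPTS: Chains = {
    "LAN2INT": [
        ("ACCEPT", "!192.168.100.151"),
        ("ACCEPT", "!192.168.100.115"),
    ],
}

# The sub-chain approach from the reply: RETURN the excluded hosts first,
# so they fall back to the REJECT policy, then ACCEPT whatever is left.
RETURN_THEN_ACCEPT: Chains = {
    "LAN2INT": [("AllowLan2Int", "any")],
    "AllowLan2Int": [
        ("RETURN", "192.168.100.151"),
        ("RETURN", "192.168.100.115"),
        ("ACCEPT", "any"),
    ],
}

if __name__ == "__main__":
    # 192.168.100.20 is a constructed "ordinary" workstation address.
    for label, chains in (("two negated ACCEPTs", TWO_NEGATED_ACCEPTS),
                          ("RETURN then ACCEPT", RETURN_THEN_ACCEPT)):
        print(label)
        for host in ("192.168.100.151", "192.168.100.115", "192.168.100.20"):
            print(f"  {host:16} -> {verdict(chains, host)}")
```

Running it shows both excluded hosts getting ACCEPT under the first layout and REJECT (the policy) under the second, while an ordinary workstation is accepted in both. The underlying rule is simply that a chain of ACCEPTs is an OR: "not A" OR "not B" is true for every host, so the exclusion only works if all excluded hosts are diverted before a single unconditional ACCEPT.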