thr3ads.net - Shorewall users - trouble with shorewall on Mandriva 2006 (2nd) [Dec 2005]

If this information is useful, please help other people find it:
Share via:

Gary E. Terry

2005-Dec-08 19:31 UTC

trouble with shorewall on Mandriva 2006 (2nd)

(Sorry, my previous post was sent in HTML format)

I am having a hell of a time with shorewall...

I have a Dlink DCM202 Cable modem with the Ethernet connected directly to 
eth0 on the linux box. Then I have a second nic on the linux box connected 
to a hub for
the internal network.

I am trying to allow traffic from the internet connect to my FTP and WEB 
servers on my Winbloze box on the lan. The address of the FTP and WEB 
servers is
192.168.1.2

When I try using the Webmin interface or by adding the line:

DNAT         net        loc:192.168.1.2 tcp       21

to /usr/share/shorewall/action.AllowFTP

I get the following error when restarting shorewall:

Error: Invalid TARGET in rule "DNAT net loc:192.168.1.2 tcp 21"

I thought this might mean that I need a line in /etc/shorewall/hosts, so I 
added

loc    eth1:192.168.1.0/24

and get this error message when shorewall restarts:

Error: Invalid zone definition for zone loc

from /etc/shorewall/zones:

#ZONE   DISPLAY  COMMENTS
net Net Internet zone
loc Local Local
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


Does anyone have any advice? This is a clean install, I have made no other 
modifications to any of the shorewall files, except what is noted above.

Thanks In Advance.


It''s installed on the new version of Mandriva Linux. Here are the
outputs of
#uname -a; #shorewall version; #shorewall status; #ip addr show; #ip route 
show

uname:
Linux pcp08479598pcs.spedwy01.in.comcast.net 2.6.12-12mdk #1 Fri Sep 9 
18:15:22 CEST 2005 i686 AMD Duron(tm)  unknown GNU/Linux

shorewall version output:

2.4.1

shorewall status:

Shorewall-2.4.1 Status at pcp08479598pcs.spedwy01.in.comcast.net - Thu Dec 
8 06:04:45 EST 2005

Counters reset Wed Dec  7 08:10:49 EST 2005

Chain AllowICMPs (2 references)
 pkts bytes target     prot opt in     out     source 
destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 
0.0.0.0/0           icmp type 3 code 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 
0.0.0.0/0           icmp type 11

Chain Drop (1 references)
 pkts bytes target     prot opt in     out     source 
destination
20731 6964K RejectAuth  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
20710 6963K dropBcast  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
  318 26103 AllowICMPs  icmp --  *      *       0.0.0.0/0 
0.0.0.0/0
 2320  694K dropInvalid  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
 2107  676K DropSMB    all  --  *      *       0.0.0.0/0 
0.0.0.0/0
 1842  616K DropUPnP   all  --  *      *       0.0.0.0/0 
0.0.0.0/0
  109 32193 dropNotSyn  tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0
 1797  588K DropDNSrep  all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain DropDNSrep (2 references)
 pkts bytes target     prot opt in     out     source 
destination
    1   200 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp spt:53

Chain DropSMB (1 references)
 pkts bytes target     prot opt in     out     source 
destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:135
  265 59248 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpts:137:139
    0     0 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:445
    0     0 DROP       tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:135
    0     0 DROP       tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:139
    0     0 DROP       tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:445

Chain DropUPnP (2 references)
 pkts bytes target     prot opt in     out     source 
destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:1900

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source 
destination
26470 7783K LOG        all  --  eth0   *       0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_IN:''
 2738  156K ACCEPT     all  --  lo     *       0.0.0.0/0 
0.0.0.0/0
26470 7783K eth0_in    all  --  eth0   *       0.0.0.0/0 
0.0.0.0/0
    0     0 ath0_in    all  --  ath0   *       0.0.0.0/0 
0.0.0.0/0
48209 3248K eth1_in    all  --  eth1   *       0.0.0.0/0 
0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:INPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source 
destination
1061K  240M LOG        all  --  *      eth0    0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_OUT:''
1384K 1325M LOG        all  --  eth0   *       0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_IN:''
1384K 1325M eth0_fwd   all  --  eth0   *       0.0.0.0/0 
0.0.0.0/0
    0     0 ath0_fwd   all  --  ath0   *       0.0.0.0/0 
0.0.0.0/0
1061K  240M eth1_fwd   all  --  eth1   *       0.0.0.0/0 
0.0.0.0/0
   10  2639 Reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:FORWARD:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source 
destination
 6049  486K LOG        all  --  *      eth0    0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 7 prefix `BANDWIDTH_OUT:''
 2738  156K ACCEPT     all  --  *      lo      0.0.0.0/0 
0.0.0.0/0
 6049  486K fw2net     all  --  *      eth0    0.0.0.0/0 
0.0.0.0/0
    0     0 fw2loc     all  --  *      ath0    0.0.0.0/0 
0.0.0.0/0
 139K  195M fw2loc     all  --  *      eth1    0.0.0.0/0 
0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:OUTPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain Reject (4 references)
 pkts bytes target     prot opt in     out     source 
destination
   10  2639 RejectAuth  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
   10  2639 dropBcast  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
    0     0 AllowICMPs  icmp --  *      *       0.0.0.0/0 
0.0.0.0/0
   10  2639 dropInvalid  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
   10  2639 RejectSMB  all  --  *      *       0.0.0.0/0 
0.0.0.0/0
   10  2639 DropUPnP   all  --  *      *       0.0.0.0/0 
0.0.0.0/0
   10  2639 dropNotSyn  tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0
    0     0 DropDNSrep  all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain RejectAuth (2 references)
 pkts bytes target     prot opt in     out     source 
destination
   21  1260 reject     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:113

Chain RejectSMB (1 references)
 pkts bytes target     prot opt in     out     source 
destination
    0     0 reject     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:135
    0     0 reject     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:135
    0     0 reject     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:445

Chain all2all (0 references)
 pkts bytes target     prot opt in     out     source 
destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:all2all:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain ath0_fwd (1 references)
 pkts bytes target     prot opt in     out     source 
destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID,NEW
    0     0 loc2net    all  --  *      eth0    0.0.0.0/0 
0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0 
0.0.0.0/0

Chain ath0_in (1 references)
 pkts bytes target     prot opt in     out     source 
destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID,NEW
    0     0 loc2fw     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source 
destination
18390 6269K DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0           PKTTYPE = broadcast
    0     0 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0           PKTTYPE = multicast

Chain dropInvalid (2 references)
 pkts bytes target     prot opt in     out     source 
destination
  213 18395 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID

Chain dropNotSyn (2 references)
 pkts bytes target     prot opt in     out     source 
destination
   55 31388 DROP       tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp flags:!0x17/0x02

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source 
destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source 
destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID,NEW
    0     0 net2all    all  --  *      ath0    0.0.0.0/0 
0.0.0.0/0
1384K 1325M net2all    all  --  *      eth1    0.0.0.0/0 
0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source 
destination
20731 6964K dynamic    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID,NEW
26470 7783K net2all    all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source 
destination
 7471  553K dynamic    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID,NEW
1061K  240M loc2net    all  --  *      eth0    0.0.0.0/0 
0.0.0.0/0
    0     0 ACCEPT     all  --  *      ath0    0.0.0.0/0 
0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source 
destination
  663 87699 dynamic    all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state INVALID,NEW
48209 3248K loc2fw     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain fw2loc (2 references)
 pkts bytes target     prot opt in     out     source 
destination
 138K  195M ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
  369 70518 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source 
destination
 3461  255K ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
 2588  231K ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain loc2fw (2 references)
 pkts bytes target     prot opt in     out     source 
destination
47546 3160K ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
  663 87699 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain loc2net (2 references)
 pkts bytes target     prot opt in     out     source 
destination
1053K  240M ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
 7471  553K ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain net2all (3 references)
 pkts bytes target     prot opt in     out     source 
destination
1389K 1325M ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           state RELATED,ESTABLISHED
20731 6964K Drop       all  --  *      *       0.0.0.0/0 
0.0.0.0/0
 1796  587K LOG        all  --  *      *       0.0.0.0/0 
0.0.0.0/0           LOG flags 0 level 6 prefix
`Shorewall:net2all:DROP:''
 1796  587K DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain reject (11 references)
 pkts bytes target     prot opt in     out     source 
destination
    0     0 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0           PKTTYPE = broadcast
    0     0 DROP       all  --  *      *       0.0.0.0/0 
0.0.0.0/0           PKTTYPE = multicast
    0     0 DROP       all  --  *      *       255.255.255.255 
0.0.0.0/0
    0     0 DROP       all  --  *      *       192.168.1.255 
0.0.0.0/0
    0     0 DROP       all  --  *      *       255.255.255.255 
0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4 
0.0.0.0/0
   21  1260 REJECT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0 
0.0.0.0/0           reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0           reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source 
destination

Chain smurfs (0 references)
 pkts bytes target     prot opt in     out     source 
destination
    0     0 LOG        all  --  *      *       255.255.255.255 
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
    0     0 DROP       all  --  *      *       255.255.255.255 
0.0.0.0/0
    0     0 LOG        all  --  *      *       192.168.1.255 
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
    0     0 DROP       all  --  *      *       192.168.1.255 
0.0.0.0/0
    0     0 LOG        all  --  *      *       255.255.255.255 
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
    0     0 DROP       all  --  *      *       255.255.255.255 
0.0.0.0/0
    0     0 LOG        all  --  *      *       224.0.0.0/4 
0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
    0     0 DROP       all  --  *      *       224.0.0.0/4 
0.0.0.0/0

Dec  8 05:54:15 net2all:DROP:IN=eth0 OUT= SRC=220.163.76.35 DST=68.57.216.61 
LEN=90 TOS=0x00 PREC=0x00 TTL=40 ID=2813 PROTO=UDP SPT=14607 DPT=62777 
LEN=70
Dec  8 05:54:34 net2all:DROP:IN=eth0 OUT= SRC=221.10.229.30 DST=68.57.216.61 
LEN=376 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=49962 DPT=1028 
LEN=356
Dec  8 05:54:34 net2all:DROP:IN=eth0 OUT= SRC=221.10.229.30 DST=68.57.216.61 
LEN=376 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=49962 DPT=1029 
LEN=356
Dec  8 05:54:34 net2all:DROP:IN=eth0 OUT= SRC=221.10.229.30 DST=68.57.216.61 
LEN=376 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=49962 DPT=1030 
LEN=356
Dec  8 05:54:34 net2all:DROP:IN=eth0 OUT= SRC=221.10.229.30 DST=68.57.216.61 
LEN=376 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=49962 DPT=1031 
LEN=356
Dec  8 05:54:34 net2all:DROP:IN=eth0 OUT= SRC=221.10.229.30 DST=68.57.216.61 
LEN=376 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=49962 DPT=1032 
LEN=356
Dec  8 05:54:34 net2all:DROP:IN=eth0 OUT= SRC=221.10.229.30 DST=68.57.216.61 
LEN=376 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=49962 DPT=1033 
LEN=356
Dec  8 05:54:34 net2all:DROP:IN=eth0 OUT= SRC=221.10.229.30 DST=68.57.216.61 
LEN=376 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=49962 DPT=4081 
LEN=356
Dec  8 05:54:34 net2all:DROP:IN=eth0 OUT= SRC=221.10.229.30 DST=68.57.216.61 
LEN=376 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=49962 DPT=2 LEN=356
Dec  8 05:56:10 net2all:DROP:IN=eth0 OUT= SRC=66.122.5.12 DST=68.57.216.61 
LEN=677 TOS=0x00 PREC=0x00 TTL=114 ID=6943 PROTO=UDP SPT=10304 DPT=1026 
LEN=657
Dec  8 06:01:03 net2all:DROP:IN=eth0 OUT= SRC=221.10.254.97 DST=68.57.216.61 
LEN=501 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=32775 DPT=1027 
LEN=481
Dec  8 06:01:46 net2all:DROP:IN=eth0 OUT= SRC=213.84.99.76 DST=68.57.216.61 
LEN=90 TOS=0x00 PREC=0x00 TTL=43 ID=61437 PROTO=UDP SPT=9800 DPT=63072 
LEN=70
Dec  8 06:02:22 net2all:DROP:IN=eth0 OUT= SRC=222.136.130.87 
DST=68.57.216.61 LEN=293 TOS=0x00 PREC=0x00 TTL=110 ID=64872 PROTO=UDP 
SPT=21842 DPT=64026 LEN=273
Dec  8 06:02:29 net2all:DROP:IN=eth0 OUT= SRC=221.211.255.11 
DST=68.57.216.61 LEN=485 TOS=0x00 PREC=0x00 TTL=46 ID=0 DF PROTO=UDP 
SPT=56474 DPT=1027 LEN=465
Dec  8 06:03:25 net2all:DROP:IN=eth0 OUT= SRC=202.103.86.66 DST=68.57.216.61 
LEN=384 TOS=0x00 PREC=0x00 TTL=39 ID=0 DF PROTO=UDP SPT=37936 DPT=1026 
LEN=364
Dec  8 06:03:25 net2all:DROP:IN=eth0 OUT= SRC=202.103.86.66 DST=68.57.216.61 
LEN=384 TOS=0x00 PREC=0x00 TTL=39 ID=0 DF PROTO=UDP SPT=37936 DPT=1030 
LEN=364
Dec  8 06:03:25 net2all:DROP:IN=eth0 OUT= SRC=202.103.86.66 DST=68.57.216.61 
LEN=384 TOS=0x00 PREC=0x00 TTL=39 ID=0 DF PROTO=UDP SPT=37936 DPT=1031 
LEN=364
Dec  8 06:03:25 net2all:DROP:IN=eth0 OUT= SRC=202.103.86.66 DST=68.57.216.61 
LEN=384 TOS=0x00 PREC=0x00 TTL=39 ID=0 DF PROTO=UDP SPT=37936 DPT=1032 
LEN=364
Dec  8 06:03:25 net2all:DROP:IN=eth0 OUT= SRC=202.103.86.66 DST=68.57.216.61 
LEN=384 TOS=0x00 PREC=0x00 TTL=39 ID=0 DF PROTO=UDP SPT=37936 DPT=4081 
LEN=364
Dec  8 06:03:37 net2all:DROP:IN=eth0 OUT= SRC=61.230.73.185 DST=68.57.216.61 
LEN=293 TOS=0x00 PREC=0x00 TTL=110 ID=50414 PROTO=UDP SPT=19355 DPT=64029 
LEN=273

NAT Table

Chain PREROUTING (policy ACCEPT 27459 packets, 7410K bytes)
 pkts bytes target     prot opt in     out     source 
destination

Chain POSTROUTING (policy ACCEPT 2728 packets, 232K bytes)
 pkts bytes target     prot opt in     out     source 
destination
 8728  662K eth0_masq  all  --  *      eth0    0.0.0.0/0 
0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2707 packets, 231K bytes)
 pkts bytes target     prot opt in     out     source 
destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source 
destination
 6919  507K MASQUERADE  all  --  *      *       192.168.1.0/24 
0.0.0.0/0

Mangle Table

Chain PREROUTING (policy ACCEPT 2522K packets, 1576M bytes)
 pkts bytes target     prot opt in     out     source 
destination
2522K 1576M tcpre      all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain INPUT (policy ACCEPT 77417 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source 
destination

Chain FORWARD (policy ACCEPT 2444K packets, 1565M bytes)
 pkts bytes target     prot opt in     out     source 
destination
2444K 1565M tcfor      all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain OUTPUT (policy ACCEPT 147K packets, 195M bytes)
 pkts bytes target     prot opt in     out     source 
destination
 147K  195M tcout      all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 2592K packets, 1760M bytes)
 pkts bytes target     prot opt in     out     source 
destination
2592K 1760M tcpost     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source 
destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source 
destination

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source 
destination

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source 
destination

tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=217.155.75.100 sport=61215 
dport=6881 packets=67934 bytes=31455663 src=217.155.75.100 dst=68.57.216.61 
sport=6881 dport=61215 packets=43839 bytes=6859620 [ASSURED] mark=0 use=2 
rate=30
tcp      6 74 TIME_WAIT src=192.168.1.2 dst=65.54.161.253 sport=64046 
dport=80 packets=9 bytes=2546 src=65.54.161.253 dst=68.57.216.61 sport=80 
dport=64046 packets=6 bytes=670 [ASSURED] mark=0 use=1 rate=950
tcp      6 431982 ESTABLISHED src=192.168.1.2 dst=205.188.248.112 
sport=60784 dport=5190 packets=415 bytes=19505 src=205.188.248.112 
dst=68.57.216.61 sport=5190 dport=60784 packets=415 bytes=17211 [ASSURED] 
mark=0 use=1 rate=10
tcp      6 431936 ESTABLISHED src=192.168.1.2 dst=207.46.6.193 sport=63828 
dport=1863 packets=156 bytes=15068 src=207.46.6.193 dst=68.57.216.61 
sport=1863 dport=63828 packets=154 bytes=15042 [ASSURED] mark=0 use=1 
rate=70
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=66.17.144.1 sport=61206 
dport=6883 packets=88801 bytes=3766553 src=66.17.144.1 dst=68.57.216.61 
sport=6883 dport=61206 packets=160923 bytes=126804585 [ASSURED] mark=0 use=3 
rate=11760
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=80.14.198.128 sport=63477 
dport=6881 packets=13338 bytes=5632523 src=80.14.198.128 dst=68.57.216.61 
sport=6881 dport=63477 packets=10076 bytes=807274 [ASSURED] mark=0 use=1 
rate=70
tcp      6 429881 ESTABLISHED src=192.168.1.2 dst=81.56.91.16 sport=63556 
dport=6881 packets=1 bytes=576 [UNREPLIED] src=81.56.91.16 dst=68.57.216.61 
sport=6881 dport=63556 packets=0 bytes=0 mark=0 use=1 rate=0
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=195.75.219.114 sport=61209 
dport=6881 packets=13452 bytes=566856 src=195.75.219.114 dst=68.57.216.61 
sport=6881 dport=61209 packets=17416 bytes=11135904 [ASSURED] mark=0 use=1 
rate=890
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=213.251.136.104 
sport=61207 dport=10002 packets=27002 bytes=1135740 src=213.251.136.104 
dst=68.57.216.61 sport=10002 dport=61207 packets=29708 bytes=35848507 
[ASSURED] mark=0 use=2 rate=3590
tcp      6 431982 ESTABLISHED src=192.168.1.2 dst=205.188.8.200 sport=60782 
dport=5190 packets=454 bytes=22500 src=205.188.8.200 dst=68.57.216.61 
sport=5190 dport=60782 packets=460 bytes=26027 [ASSURED] mark=0 use=1 
rate=10
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=201.34.38.98 sport=61202 
dport=6203 packets=7676 bytes=2148066 src=201.34.38.98 dst=68.57.216.61 
sport=6203 dport=61202 packets=6907 bytes=2132583 [ASSURED] mark=0 use=1 
rate=30
tcp      6 92 TIME_WAIT src=192.168.1.2 dst=212.85.150.182 sport=64049 
dport=8080 packets=6 bytes=613 src=212.85.150.182 dst=68.57.216.61 
sport=8080 dport=64049 packets=5 bytes=427 [ASSURED] mark=0 use=1 rate=260
tcp      6 100 SYN_SENT src=192.168.1.2 dst=81.56.91.16 sport=64050 
dport=6881 packets=3 bytes=156 [UNREPLIED] src=81.56.91.16 dst=68.57.216.61 
sport=6881 dport=64050 packets=0 bytes=0 mark=0 use=1 rate=0
tcp      6 75 TIME_WAIT src=192.168.1.2 dst=65.19.179.10 sport=64048 
dport=110 packets=8 bytes=385 src=65.19.179.10 dst=68.57.216.61 sport=110 
dport=64048 packets=8 bytes=405 [ASSURED] mark=0 use=1 rate=160
tcp      6 75 TIME_WAIT src=192.168.1.2 dst=65.54.161.253 sport=64047 
dport=80 packets=9 bytes=2555 src=65.54.161.253 dst=68.57.216.61 sport=80 
dport=64047 packets=6 bytes=670 [ASSURED] mark=0 use=1 rate=950
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=65.5.211.24 sport=61210 
dport=6881 packets=17095 bytes=739595 src=65.5.211.24 dst=68.57.216.61 
sport=6881 dport=61210 packets=26505 bytes=34627846 [ASSURED] mark=0 use=1 
rate=7630
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=168.75.98.100 sport=61212 
dport=6887 packets=31481 bytes=1354074 src=168.75.98.100 dst=68.57.216.61 
sport=6887 dport=61212 packets=54232 bytes=37862904 [ASSURED] mark=0 use=1 
rate=3460
tcp      6 429071 ESTABLISHED src=192.168.1.2 dst=87.249.40.80 sport=61259 
dport=6884 packets=10196 bytes=423251 src=87.249.40.80 dst=68.57.216.61 
sport=6884 dport=61259 packets=10351 bytes=500271 [ASSURED] mark=0 use=1 
rate=0
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=65.67.155.153 sport=63760 
dport=6881 packets=1930 bytes=524785 src=65.67.155.153 dst=68.57.216.61 
sport=6881 dport=63760 packets=1557 bytes=254382 [ASSURED] mark=0 use=1 
rate=90
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=212.85.147.179 sport=61204 
dport=6882 packets=68154 bytes=2936471 src=212.85.147.179 dst=68.57.216.61 
sport=6882 dport=61204 packets=131258 bytes=181384830 [ASSURED] mark=0 use=2 
rate=31110
tcp      6 429521 ESTABLISHED src=192.168.1.2 dst=81.56.91.16 sport=63481 
dport=6881 packets=1 bytes=576 [UNREPLIED] src=81.56.91.16 dst=68.57.216.61 
sport=6881 dport=63481 packets=0 bytes=0 mark=0 use=1 rate=0
tcp      6 421840 ESTABLISHED src=192.168.1.2 dst=81.56.91.16 sport=62099 
dport=6881 packets=1 bytes=576 [UNREPLIED] src=81.56.91.16 dst=68.57.216.61 
sport=6881 dport=62099 packets=0 bytes=0 mark=0 use=1 rate=0
tcp      6 431981 ESTABLISHED src=192.168.1.2 dst=216.155.193.174 
sport=60780 dport=5050 packets=435 bytes=26435 src=216.155.193.174 
dst=68.57.216.61 sport=5050 dport=60780 packets=427 bytes=18239 [ASSURED] 
mark=0 use=1 rate=10
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=87.249.40.80 sport=63555 
dport=6884 packets=35435 bytes=17148246 src=87.249.40.80 dst=68.57.216.61 
sport=6884 dport=63555 packets=24923 bytes=1460573 [ASSURED] mark=0 use=4 
rate=8330
tcp      6 429044 ESTABLISHED src=192.168.1.2 dst=81.56.91.16 sport=63402 
dport=6881 packets=2 bytes=1152 [UNREPLIED] src=81.56.91.16 dst=68.57.216.61 
sport=6881 dport=63402 packets=0 bytes=0 mark=0 use=1 rate=0
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=61.211.241.52 sport=62810 
dport=12000 packets=1411 bytes=70412 src=61.211.241.52 dst=68.57.216.61 
sport=12000 dport=62810 packets=1409 bytes=58942 [ASSURED] mark=0 use=1 
rate=30
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=71.131.33.109 sport=61205 
dport=6881 packets=62086 bytes=26783943 src=71.131.33.109 dst=68.57.216.61 
sport=6881 dport=61205 packets=51123 bytes=24227253 [ASSURED] mark=0 use=1 
rate=5950
tcp      6 421720 ESTABLISHED src=192.168.1.2 dst=81.56.91.16 sport=62097 
dport=6881 packets=1 bytes=576 [UNREPLIED] src=81.56.91.16 dst=68.57.216.61 
sport=6881 dport=62097 packets=0 bytes=0 mark=0 use=1 rate=0
tcp      6 426040 ESTABLISHED src=192.168.1.2 dst=81.56.91.16 sport=63221 
dport=6881 packets=1 bytes=576 [UNREPLIED] src=81.56.91.16 dst=68.57.216.61 
sport=6881 dport=63221 packets=0 bytes=0 mark=0 use=1 rate=0
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=82.116.73.110 sport=61211 
dport=6881 packets=248666 bytes=119727374 src=82.116.73.110 dst=68.57.216.61 
sport=6881 dport=61211 packets=176141 bytes=35296560 [ASSURED] mark=0 use=1 
rate=17750
tcp      6 431940 ESTABLISHED src=192.168.1.2 dst=71.113.230.31 sport=61203 
dport=65535 packets=16123 bytes=701697 src=71.113.230.31 dst=68.57.216.61 
sport=65535 dport=61203 packets=27804 bytes=37013336 [ASSURED] mark=0 use=1 
rate=0
tcp      6 431980 ESTABLISHED src=192.168.1.2 dst=207.46.6.22 sport=60781 
dport=1863 packets=900 bytes=39288 src=207.46.6.22 dst=68.57.216.61 
sport=1863 dport=60781 packets=526 bytes=44038 [ASSURED] mark=0 use=1 
rate=20

IP Configuration

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast
qlen
1000
    link/ether 00:0b:6a:3f:e6:72 brd ff:ff:ff:ff:ff:ff
    inet 68.57.216.61/25 brd 255.255.255.255 scope global eth0
    inet6 fe80::20b:6aff:fe3f:e672/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0f:3d:f4:5e:9d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
    inet6 fe80::20f:3dff:fef4:5e9d/64 scope link
       valid_lft forever preferred_lft forever
4: ath0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 200
    link/ether 00:0f:3d:ad:c7:7a brd ff:ff:ff:ff:ff:ff
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

IP Stats

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    156264     2738     0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    156264     2738     0       0       0       0
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast
qlen
1000
    link/ether 00:0b:6a:3f:e6:72 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    1588142415 5313955  0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    255620899  1068259  0       0       0       0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0f:3d:f4:5e:9d brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    264986522  1110232  0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    1547925215 1521816  0       0       0       0
4: ath0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 200
    link/ether 00:0f:3d:ad:c7:7a brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0

/proc

   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 0
   /proc/sys/net/ipv4/conf/all/log_martians = 0
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 1
   /proc/sys/net/ipv4/conf/default/log_martians = 0
   /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/rp_filter = 1
   /proc/sys/net/ipv4/conf/eth0/log_martians = 0
   /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/rp_filter = 1
   /proc/sys/net/ipv4/conf/eth1/log_martians = 0
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 0
   /proc/sys/net/ipv4/conf/lo/log_martians = 0

Routing Rules

0: from all lookup local
32766: from all lookup main
32767: from all lookup default

Table default:


Table local:

local 192.168.1.1 dev eth1  proto kernel  scope host  src 192.168.1.1
broadcast 192.168.1.0 dev eth1  proto kernel  scope link  src 192.168.1.1
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
broadcast 68.57.216.0 dev eth0  proto kernel  scope link  src 68.57.216.61
broadcast 192.168.1.255 dev eth1  proto kernel  scope link  src 192.168.1.1
broadcast 68.57.216.127 dev eth0  proto kernel  scope link  src 68.57.216.61
local 68.57.216.61 dev eth0  proto kernel  scope host  src 68.57.216.61
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1

Table main:

68.57.216.0/25 dev eth0  proto kernel  scope link  src 68.57.216.61  metric 
10
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1  metric 
10
default via 68.57.216.1 dev eth0  metric 10

ARP

? (68.57.216.1) at 00:01:5C:22:92:42 [ether] on eth0
? (192.168.1.2) at 00:11:95:07:7A:F9 [ether] on eth1

Modules

ipt_MASQUERADE          2816  1
ipt_REJECT              4256  4
ipt_LOG                 6272  13
ipt_state               1312  13
ipt_pkttype             1184  4
ipt_CONNMARK            1696  0
ipt_MARK                1984  0
ipt_ROUTE               4260  0
ipt_connmark            1216  0
ipt_owner               2432  0
ipt_recent              9292  0
ipt_iprange             1312  0
ipt_physdev             1744  0
ipt_multiport           2112  0
ipt_conntrack           1792  0
ip_set_portmap          3840  0
ip_set_macipmap         3780  0
ip_set_ipmap            3872  0
ip_set_iphash           5924  0
ip_set                 18876  8 
ip_set_portmap,ip_set_macipmap,ip_set_ipmap,ip_set_iphash
ip_nat_irc              1824  0
ip_nat_tftp             1216  0
ip_nat_ftp              2560  0
ip_conntrack_irc       70352  1 ip_nat_irc
ip_conntrack_tftp       3088  1 ip_nat_tftp
ip_conntrack_ftp       71408  1 ip_nat_ftp
ip_conntrack           40824  10 
ipt_MASQUERADE,ipt_state,ipt_conntrack,ip_nat_irc,ip_nat_tftp,ip_nat_ftp,iptable_nat,ip_conntrack_irc,ip_conntrack_tftp,ip_conntrack_ftp
ip_tables              20416  18 
ipt_MASQUERADE,ipt_REJECT,ipt_LOG,ipt_state,ipt_pkttype,ipt_CONNMARK,ipt_MARK,ipt_ROUTE,ipt_connmark,ipt_owner,ipt_recent,ipt_iprange,ipt_physdev,ipt_multiport,ipt_conntrack,iptable_mangle,iptable_nat,iptable_filter

ip addr show:

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast
qlen
1000
    link/ether 00:0b:6a:3f:e6:72 brd ff:ff:ff:ff:ff:ff
    inet 68.57.216.61/25 brd 255.255.255.255 scope global eth0
    inet6 fe80::20b:6aff:fe3f:e672/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0f:3d:f4:5e:9d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
    inet6 fe80::20f:3dff:fef4:5e9d/64 scope link
       valid_lft forever preferred_lft forever
4: ath0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 200
    link/ether 00:0f:3d:ad:c7:7a brd ff:ff:ff:ff:ff:ff
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

ip route show:

68.57.216.0/25 dev eth0  proto kernel  scope link  src 68.57.216.61  metric 
10
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1  metric 
10
default via 68.57.216.1 dev eth0  metric 10



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click

Tom Eastep

2005-Dec-08 20:17 UTC

head link

Re: trouble with shorewall on Mandriva 2006 (2nd)

On Thursday 08 December 2005 11:31, Gary E. Terry wrote:> (Sorry, my previous post was sent in HTML format)
>
> I am having a hell of a time with shorewall...
>
> I have a Dlink DCM202 Cable modem with the Ethernet connected directly to
> eth0 on the linux box. Then I have a second nic on the linux box connected
> to a hub for
> the internal network.
>
> I am trying to allow traffic from the internet connect to my FTP and WEB
> servers on my Winbloze box on the lan. The address of the FTP and WEB
> servers is
> 192.168.1.2
>
> When I try using the Webmin interface or by adding the line:
>
> DNAT         net        loc:192.168.1.2 tcp       21
>
> to /usr/share/shorewall/action.AllowFTP
>
I don''t know where you got the idea to do that but it''s wrong.
If you want
that rule, you need to add it to /etc/shorewall/rules.

NEVER MODIFY ANY OF THE FILES IN /usr/share/shorewall. If you have a *valid* 
reason to modify one of these files, you must copy it to /etc/shorewall and 
modify the copy.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Gary E. Terry

2005-Dec-08 21:30 UTC

head link

Re: trouble with shorewall on Mandriva 2006 (2nd)

Thanks for the tip.. Don''t know where I got that from...

But, I did add:

DNAT net loc:192.168.1.2 tcp 21
DNAT net loc:192.168.1.2 tcp 80

to the /etc/shorewall/rules

I get no errors when I restart shorewall, this is good...

I see this in the output of shorewall check:

Validating rules file...
   Rule "DNAT net loc:192.168.1.2 tcp 21    " checked.
   Rule "DNAT net loc:192.168.1.2 tcp 80    " checked.
Validating Actions...
...
Masqueraded Networks and Hosts:
   To 0.0.0.0/0 (all) from 192.168.1.0/255.255.255.0 through eth0
   To 0.0.0.0/0 (all) from 192.168.0.0/255.255.255.0 through eth0
Validating /etc/shorewall/tcdevices...

Looks good!!!

However, nothing gets past the firewall and to the host 192.168.1.2

And I don''t see any mention of it in the logs. Almost as if there
isn''t a
rule.

Any ideas?

also, why is it when I add:

loc    eth1:192.168.1.0/24

to /etc/shorewall/hosts I get this error message:

Error: Invalid zone definition for zone loc

Thanks again for your help!!

----- Original Message ----- 
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Cc: "Gary E. Terry" <terry@quickinet.net>
Sent: Thursday, December 08, 2005 3:17 PM
Subject: Re: [Shorewall-users] trouble with shorewall on Mandriva 2006 (2nd)




-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click

Tom Eastep

2005-Dec-08 21:35 UTC

head link

Re: trouble with shorewall on Mandriva 2006 (2nd)

On Thursday 08 December 2005 13:30, Gary E. Terry wrote:> Thanks for the tip.. Don''t know where I got that from...
>
> But, I did add:
>
> DNAT net loc:192.168.1.2 tcp 21
> DNAT net loc:192.168.1.2 tcp 80
>
> to the /etc/shorewall/rules
>
> I get no errors when I restart shorewall, this is good...
>
> I see this in the output of shorewall check:
>
> Validating rules file...
>    Rule "DNAT net loc:192.168.1.2 tcp 21    " checked.
>    Rule "DNAT net loc:192.168.1.2 tcp 80    " checked.
> Validating Actions...
> ...
> Masqueraded Networks and Hosts:
>    To 0.0.0.0/0 (all) from 192.168.1.0/255.255.255.0 through eth0
>    To 0.0.0.0/0 (all) from 192.168.0.0/255.255.255.0 through eth0
> Validating /etc/shorewall/tcdevices...
>
> Looks good!!!
>
> However, nothing gets past the firewall and to the host 192.168.1.2
>
> And I don''t see any mention of it in the logs. Almost as if there
isn''t a
> rule.
>
> Any ideas?
Please follow the DNAT troubleshooting tips in Shorewall FAQs 1a and 1b.
>
> also, why is it when I add:
>
> loc    eth1:192.168.1.0/24
>
> to /etc/shorewall/hosts I get this error message:
>
> Error: Invalid zone definition for zone loc
>
Because you have an entry in /etc/shorewall/interfaces as follows:

loc	eth1	...

That is equivalent to having an entry in /etc/shorewall/hosts like:

loc	eth1:0.0.0.0/0	...

So the entry that you added is totally redundant and Shorewall is telling you 
so.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Seemingly Similar Threads

Search for more maybe matching threads

Shorewall users - Dec 2005 - trouble with shorewall on Mandriva 2006 (2nd)

trouble with shorewall on Mandriva 2006 (2nd)

Re: trouble with shorewall on Mandriva 2006 (2nd)

Re: trouble with shorewall on Mandriva 2006 (2nd)

Re: trouble with shorewall on Mandriva 2006 (2nd)

Seemingly Similar Threads