I changed the version of iptables to 1.3.4 and now I get this error:

Processing /etc/shorewall/providers...
Provider ISP1 1 1 main ppp0 detect track,balance none Added
Default route nexthop via 200.38.193.226 dev ppp0 weight 1 Added.
iptables: No chain/target/match by that name
ERROR: Command "/sbin/iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark" Failed

This is my last attempt, thanks for your help.

Fernando Rodriguez V.

On Sunday 05 February 2006 14:19, Fernando Rodriguez wrote:
> I changed the version of iptables to 1.3.4 and now I get this error
>
>
> Processing /etc/shorewall/providers...
> Provider ISP1 1 1 main ppp0 detect track,balance none Added
> Default route nexthop via 200.38.193.226 dev ppp0 weight 1 Added.
> iptables: No chain/target/match by that name
> ERROR: Command "/sbin/iptables -t mangle -A PREROUTING -m connmark !
> --mark 0 -j CONNMARK --restore-mark" Failed
>

Looks like your kernel and/or iptables doesn't include CONNMARK target support or connmark match support. What does "shorewall show capabilities" show about those features?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

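The failing rule above uses both the connmark match and the CONNMARK target, so the error alone does not say which one is missing. The following added example (not part of the original thread and not Shorewall's own code) tests each half in a scratch chain that no traffic traverses; the chain name `connmark_probe` and the `--probe` argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): probe the connmark match and the
# CONNMARK target separately, so a "No chain/target/match by that name"
# error can be pinned on one of them. Needs root on a real firewall.
# PROBE_CHAIN is a hypothetical scratch chain name; nothing jumps to it.
IPTABLES=${IPTABLES:-/sbin/iptables}
PROBE_CHAIN=${PROBE_CHAIN:-connmark_probe}

# Append one rule to the scratch chain in the mangle table; succeeds only
# if both the kernel and the iptables binary accept it.
try_rule() {
    $IPTABLES -t mangle -A "$PROBE_CHAIN" "$@" >/dev/null 2>&1
}

# Remove the scratch chain; errors are ignored because it may not exist.
drop_probe_chain() {
    $IPTABLES -t mangle -F "$PROBE_CHAIN" >/dev/null 2>&1 || :
    $IPTABLES -t mangle -X "$PROBE_CHAIN" >/dev/null 2>&1 || :
}

# Print one line per feature. Returns 0 if both work, 1 if either is
# missing, 2 if the mangle table itself cannot be used.
probe_connmark() {
    probe_rc=0
    drop_probe_chain
    if ! $IPTABLES -t mangle -N "$PROBE_CHAIN" >/dev/null 2>&1; then
        echo "mangle table: unavailable"
        return 2
    fi
    # Match half of the failing rule: -m connmark ! --mark 0
    if try_rule -m connmark ! --mark 0 -j ACCEPT; then
        echo "connmark match: available"
    else
        echo "connmark match: missing"; probe_rc=1
    fi
    # Target half of the failing rule: -j CONNMARK --restore-mark
    if try_rule -j CONNMARK --restore-mark; then
        echo "CONNMARK target: available"
    else
        echo "CONNMARK target: missing"; probe_rc=1
    fi
    drop_probe_chain
    return $probe_rc
}

# Run the probe only when asked, e.g.:  sh probe.sh --probe
if [ "${1:-}" = "--probe" ]; then
    probe_connmark
    exit $?
fi
```
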
I have been trying to make shorewall work with dual pppoe (DSL) for almost one month but for some reason it seems impossible for me. I really need some help. I read and applied everything on the shorewall page without getting it to work.

Does anyone have this working on dual DSL??

Or maybe I'm not doing something right??

Does someone have a working configuration on this setup and will be able to share his files?

Fernando Rodriguez V.

Fernando Rodriguez wrote:
> I have been trying to make shorewall work with dual pppoe (DSL) for almost one
> month but for some reason it seems impossible for me. I really need some help.
> I read and applied everything on the shorewall page without getting it to
> work.
>
> Does anyone have this working on dual DSL??
>
> Or maybe I'm not doing something right??
>
> Does someone have a working configuration on this setup and will be able to
> share his files?

We don't know, Fernando, as you haven't shown us the facts of your configuration... however, the error message looks like you are running a kernel which doesn't support the CONNMARK target...

hint: SUSE 10 supports it out-of-the-box, no need to recompile.

Cristian,

I'm running Redhat 8 kernel 2.4.20-28 out of the box, using iptables version 1.3.4 recompiled from source, shorewall the latest version, and lots of other modifications. This machine has been running for 2+ years.

My question is: do I have to patch the kernel then, or do I have to use another version of the kernel? Which version do you recommend? I know I have to stick with the 2.4.x.

Thanks for your support

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Cristian Rodriguez
Sent: Monday, 06 February 2006 12:12 p.m.
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Dual DSL

Fernando Rodriguez wrote:
> I have been trying to make shorewall work with dual pppoe (DSL) for almost one
> month but for some reason it seems impossible for me. I really need some help.
> I read and applied everything on the shorewall page without getting it to
> work.
>
> Does anyone have this working on dual DSL??
>
> Or maybe I'm not doing something right??
>
> Does someone have a working configuration on this setup and will be able to
> share his files?

We don't know, Fernando, as you haven't shown us the facts of your configuration... however, the error message looks like you are running a kernel which doesn't support the CONNMARK target...

hint: SUSE 10 supports it out-of-the-box, no need to recompile.

Fernando Rodriguez wrote:
> Cristian,
>
> I'm running Redhat 8 kernel 2.4.20-28 out of the box, using iptables version
> 1.3.4 recompiled from source, shorewall the latest version, and lots of other
> modifications. This machine has been running for 2+ years.

How do you expect such an old, unsupported, buggy distribution to be suited for **firewall** usage? Your firewall is quite insecure at this time... how do you really think it will protect your network?? Running 3000+ vulnerable packages????

>
> My question is: do I have to patch the kernel then, or do I have to use
> another version of the kernel? Which version do you recommend? I know I have to
> stick with the 2.4.x.

What you need is to upgrade your firewall to a current distribution. But if you want to waste your time, you need to get a recent 2.4 or 2.6 kernel. Your firewall will be insecure anyway.

Cristian,

Will you recommend CentOS 4, Fedora C 4 or what version??

Thanks..

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Cristian Rodriguez
Sent: Monday, 06 February 2006 06:46 p.m.
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Dual DSL

Fernando Rodriguez wrote:
> Cristian,
>
> I'm running Redhat 8 kernel 2.4.20-28 out of the box, using iptables version
> 1.3.4 recompiled from source, shorewall the latest version, and lots of other
> modifications. This machine has been running for 2+ years.

How do you expect such an old, unsupported, buggy distribution to be suited for **firewall** usage? Your firewall is quite insecure at this time... how do you really think it will protect your network?? Running 3000+ vulnerable packages????

>
> My question is: do I have to patch the kernel then, or do I have to use
> another version of the kernel? Which version do you recommend? I know I have to
> stick with the 2.4.x.

What you need is to upgrade your firewall to a current distribution. But if you want to waste your time, you need to get a recent 2.4 or 2.6 kernel. Your firewall will be insecure anyway.

Fernando Rodriguez wrote:
> Cristian,
>
> Will you recommend CentOS 4, Fedora C 4 or what version??
>
> Thanks..
>

The distribution to choose depends on your own skills or preferences. If you like something similar to RH8 (I say similar because RH8 is quite old, and things change over time) maybe Fedora Core 4 will be ok for your needs.

We actually test and use SUSE 10 or later, since it works for us, but your mileage may vary.

I have no idea if the Fedora Core 4 kernel supports the CONNMARK target (I think it should). I haven't used FC since release 1.

I'm sure other people on this list can confirm if the feature exists or not in current Fedora versions.

Tom,

I was reading the example on Multiple Internet connections and I wonder what this is:

Regardless of whether you have masqueraded hosts or not, YOU MUST ADD THESE TWO ENTRIES TO /etc/shorewall/masq:

#INTERFACE   SUBNET            ADDRESS
eth0         130.252.99.27     206.124.146.176
eth1         206.124.146.176   130.252.99.27

I want to work with 2 DSL that I don't know their IP address.

Could this be

Ppp0 ppp1 ppp0
Ppp1 ppp0 ppp1

Or is there another way?

Thanks

Fernando Rodriguez V.

Fernando Rodriguez wrote:
> Tom,
>
> I was reading the example on Multiple Internet connections
>
> and I wonder what this is:
>
> Regardless of whether you have masqueraded hosts or not, YOU MUST ADD THESE
> TWO ENTRIES TO /etc/shorewall/masq:
> #INTERFACE   SUBNET            ADDRESS
> eth0         130.252.99.27     206.124.146.176
> eth1         206.124.146.176   130.252.99.27
>
>
> I want to work with 2 DSL that I don't know their IP address.
>
> Could this be
>
> Ppp0 ppp1 ppp0
> Ppp1 ppp0 ppp1
>
> Or is there another way?
>
> Thanks
>
>
>
> Fernando Rodriguez V.
>
>
>

Check out: http://www.shorewall.net/FAQ.html

In faq 1d there is an example on how to grab the external IP address....

---quote--
If your external IP address is dynamic, then you must do the following:

In /etc/shorewall/params:

<snip>
ETH0_IP=`find_first_interface_address eth0`
---/quote---

To apply that to your setup, in params:

PPP0_IP=`find_first_interface_address ppp0`
PPP1_IP=`find_first_interface_address ppp1`

In masq:

ppp0 $PPP1_IP $PPP0_IP
ppp1 $PPP0_IP $PPP1_IP

Note, you only need these entries if you're using tcrules to force outbound traffic to a preferred provider from the firewall itself.

Jerry