German Jimenez Leal
2006-May-14 14:04 UTC
ERROR: Command "/sbin/iptables -A OUTPUT -o vdpf0 -d eth0 -j all2all" Failed
Hello!
My problem is an iptables command error in Shorewall:
Help me please!
[root@localhost shorewall]# service shorewall restart
Restarting shorewall: [FALLÓ]
May 8 15:50:58 localhost shorewall: Validating /etc/shorewall/tcclasses...
May 8 15:50:58 localhost shorewall: Activating Rules...
May 8 15:50:58 localhost shorewall: iptables v1.2.11: host/network `eth0' not found
May 8 15:50:58 localhost shorewall: Try `iptables -h' or 'iptables --help' for more information.
May 8 15:50:58 localhost shorewall: ERROR: Command "/sbin/iptables -A OUTPUT -o vdpf0 -d eth0 -j all2all" Failed
May 8 15:50:58 localhost shorewall: Processing /etc/shorewall/stop ...
May 8 15:50:58 localhost shorewall: IP Forwarding Enabled
May 8 15:50:58 localhost shorewall: Processing /etc/shorewall/stopped ...
May 8 15:50:58 localhost root: Shorewall Stopped
May 8 15:50:58 localhost shorewall: Iniciación de shorewall failed
[root@localhost shorewall]# shorewall check
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Not available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Not available
Physdev Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Not available
Connmark Match: Not available
Raw Table: Available
CLASSIFY Target: Available
Verifying Configuration...
Determining Zones...
IPv4_Zones: net loc
Firewall Zone: fw
Setting up IPSEC...
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
net Zone: vdpf0:eth0
loc Zone: vdpf0:eth1
Validating policy file...
Policy for loc to net is ACCEPT using chain loc2net
Policy for net to loc is DROP using chain net2all
Policy for net to fw is DROP using chain net2all
Policy for loc to fw is REJECT using chain all2all
Policy for fw to net is REJECT using chain all2all
Policy for fw to loc is REJECT using chain all2all
Checking Black List...
Validating Proxy ARP
Validating NAT...
Pre-validating Actions...
Pre-processing /usr/share/shorewall/action.Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.SMB...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
..End Macro
Pre-processing /usr/share/shorewall/action.Reject...
Pre-processing /usr/share/shorewall/action.Limit...
Validating rules file...
Rule "ACCEPT net fw TCP 20,21,22,25,80,110,143,443,995,465 " checked.
Rule "ACCEPT loc net TCP 20,21,22,25,80,110,143,443,995,465 " checked.
Rule "ACCEPT loc net UDP 20,21,22,25,80,110,143,443,995,465 " checked.
Validating Actions...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Drop for Chain Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "REJECT - - tcp 113 - -" checked.
..End Macro
Rule "dropBcast " checked.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed - -" checked.
Rule "ACCEPT - - icmp time-exceeded - -" checked.
..End Macro
Rule "dropInvalid " checked.
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "DROP - - udp 135,445 - -" checked.
Rule "DROP - - udp 137:139 - -" checked.
Rule "DROP - - udp 1024: 137 -" checked.
Rule "DROP - - tcp 135,139,445 - -" checked.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "DROP - - udp 1900 - -" checked.
..End Macro
Rule "dropNotSyn - - tcp " checked.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "DROP - - udp - 53 -" checked.
..End Macro
Processing /usr/share/shorewall/action.Reject for Chain Reject...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "REJECT - - tcp 113 - -" checked.
..End Macro
Rule "dropBcast " checked.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "ACCEPT - - icmp fragmentation-needed - -" checked.
Rule "ACCEPT - - icmp time-exceeded - -" checked.
..End Macro
Rule "dropInvalid " checked.
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "REJECT - - udp 135,445 - -" checked.
Rule "REJECT - - udp 137:139 - -" checked.
Rule "REJECT - - udp 1024: 137 -" checked.
Rule "REJECT - - tcp 135,139,445 - -" checked.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "DROP - - udp 1900 - -" checked.
..End Macro
Rule "dropNotSyn - - tcp " checked.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "DROP - - udp - 53 -" checked.
..End Macro
Masqueraded Networks and Hosts:
To 0.0.0.0/0 (all) from 0.0.0.0/0 through vdpf0
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Configuration Validated
Notice: The 'check' command is provided to catch
obvious errors in a Shorewall configuration.
It is not designed to catch all possible errors
so please don't submit problem reports about
error conditions that 'check' doesn't find
My scripts Network interfaces:
Ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
BRIDGE=vdpf0
ONBOOT=yes
BOOTPROTO=static
Ifcfg-eth1
DEVICE=eth1
TYPE=ETHER
BRIDGE=vdpf0
ONBOOT=yes
BOOTPROTO=static
Ifcfg-vdpf0
DEVICE=vdpf0
TYPE=Bridge
IPADDR=192.168.64.253
NETMASK=255.255.255.0
GATEWAY=192.168.64.250
ONBOOT=yes
STP=no
My scripts Shorewall:
HOSTS:
#ZONE HOST(S) OPTIONS
net vdpf0:eth0
loc vdpf0:eth1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
INTERFACES:
#ZONE INTERFACE BROADCAST OPTIONS
- vdpf0 192.168.64.255
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
MASQ
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
IPSEC
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
eth0 vdpf0
MACLIST
#INTERFACE MAC IP ADDRESSES (Optional)
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
vdpf0:eth0 00:0F:20:2C:7D:46
ROUTESTOPED
#INTERFACE HOST(S) OPTIONS
vdpf0 - routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
ZONES
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
RULES
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER//etc/shorewall/zones
#                         PORT PORT(S) DEST    LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION NEW
#ACTION SOURCE DEST PROTO DEST
#                         PORT
ACCEPT net fw TCP 20,21,22,25,80,110,143,443,995,465
ACCEPT loc net TCP 20,21,22,25,80,110,143,443,995,465
ACCEPT loc net UDP 20,21,22,25,80,110,143,443,995,465
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Tom Eastep
2006-May-14 14:19 UTC
Re: ERROR: Command "/sbin/iptables -A OUTPUT -o vdpf0 -d eth0 -j all2all" Failed
German Jimenez Leal wrote:
> Hello!
> My problem is an iptables command error in Shorewall:
> Help me please!
>
> [root@localhost shorewall]# service shorewall restart
> Restarting shorewall: [FALLÓ]
>
> May 8 15:50:58 localhost shorewall: Validating /etc/shorewall/tcclasses...
> May 8 15:50:58 localhost shorewall: Activating Rules...
> May 8 15:50:58 localhost shorewall: iptables v1.2.11: host/network `eth0' not found
> May 8 15:50:58 localhost shorewall: Try `iptables -h' or 'iptables --help' for more information.
> May 8 15:50:58 localhost shorewall: ERROR: Command "/sbin/iptables -A OUTPUT -o vdpf0 -d eth0 -j all2all" Failed

a) You apparently haven't set BRIDGING=Yes in shorewall.conf.

b) You will need the 'routeback' option on vdpf0 in /etc/shorewall/interfaces.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2006-May-14 14:25 UTC
Re: ERROR: Command "/sbin/iptables -A OUTPUT -o vdpf0 -d eth0 -j all2all" Failed
German Jimenez Leal wrote:
> MASQ
> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> eth0 vdpf0

Also:

a) The above entry is absurd -- you can't masquerade out of a bridge port.

b) Even though the comment clearly says (in capital letters) that you should add your entry ABOVE that line, you have added yours after the line.

c) You apparently didn't terminate the entry with a new-line character, so Shorewall ignored it (which is why all of the config files have the '#LAST LINE' entry in the first place).

Please refer to http://www.shorewall.net/bridge.html for instructions about configuring Shorewall with a bridge.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2006-May-14 15:57 UTC
Re: ERROR: Command "/sbin/iptables -A OUTPUT -o vdpf0 -d eth0 -j all2all" Failed
Tom Eastep wrote:
> Please refer to http://www.shorewall.net/bridge.html for instructions
> about configuring Shorewall with a bridge.

And if, after following all of the advice, "shorewall start" still fails, then please forward a trace as described at http://www.shorewall.net/support.htm.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Ray Booysen
2006-May-15 08:14 UTC
Re: ERROR: Command "/sbin/iptables -A OUTPUT -o vdpf0 -d eth0 -j all2all" Failed
iptables is telling shorewall that eth0 cannot be found. Are you sure the interface is up and working correctly?

Regards
Ray

German Jimenez Leal wrote:
> Hello!
> My problem is an iptables command error in Shorewall:
> Help me please!
>
> [root@localhost shorewall]# service shorewall restart
> Restarting shorewall: [FALLÓ]
>
> May 8 15:50:58 localhost shorewall: Validating /etc/shorewall/tcclasses...
> May 8 15:50:58 localhost shorewall: Activating Rules...
> May 8 15:50:58 localhost shorewall: iptables v1.2.11: host/network `eth0' not found
> May 8 15:50:58 localhost shorewall: Try `iptables -h' or 'iptables --help' for more information.
> May 8 15:50:58 localhost shorewall: ERROR: Command "/sbin/iptables -A OUTPUT -o vdpf0 -d eth0 -j all2all" Failed
> [...]

--
Ray Booysen
rj_booysen@rjb.za.net
Tom Eastep
2006-May-15 16:09 UTC
Re: ERROR: Command "/sbin/iptables -A OUTPUT -o vdpf0 -d eth0 -j all2all" Failed
Ray Booysen wrote:
> iptables is telling shorewall that eth0 cannot be found. Are you sure
> the interface is up and working correctly?

See my earlier response to the OP. "-d eth0" is illegal iptables syntax since the argument to "-d" is expected to be an IP address rather than an interface name. It indicates that BRIDGING is not set to Yes in /etc/shorewall/shorewall.conf.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
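As an added example (not code from this thread or from Shorewall), a small POSIX shell lint for the three configuration mistakes Tom identifies: an entry placed after the '#LAST LINE' marker, a final entry with no terminating newline, and bridge-port syntax in the hosts file while shorewall.conf lacks BRIDGING=Yes. The sample files are constructed to mirror the poster's MASQ and hosts files; the BRIDGING heuristic follows Tom's diagnosis rather than Shorewall's own parser.

```shell
#!/bin/sh
# Lint for the Shorewall 3.x configuration mistakes called out in this thread.
# Added example, not a Shorewall tool; file contents below are constructed samples.

# 1. Entries after the "#LAST LINE" marker are ignored by Shorewall.
#    Prints each offending line; returns 1 if any exist, 0 otherwise.
entries_after_last_line() {
    awk '
        /^#LAST LINE/ { seen = 1; next }
        seen && $0 !~ /^[ \t]*(#|$)/ {
            print FILENAME ": ignored entry after #LAST LINE: " $0; bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# 2. A final entry with no terminating newline is also dropped.
#    $(...) strips one trailing newline, so an empty result means it was there.
has_trailing_newline() {
    [ ! -s "$1" ] || [ -z "$(tail -c 1 "$1")" ]
}

# 3. Per Tom's diagnosis: bridge-port syntax in hosts ("net vdpf0:eth0") needs
#    BRIDGING=Yes in shorewall.conf, or the generated rule carries "-d eth0",
#    which iptables rejects because -d expects an address. Heuristic: a port
#    name starts with a letter, an address or network with a digit. Returns 1
#    when port syntax is used but BRIDGING=Yes is missing.
bridging_consistent() {
    grep -Eq '^[^#[:space:]]+[[:space:]]+[^[:space:]:]+:[A-Za-z]' "$1" || return 0
    grep -Eq '^[[:space:]]*BRIDGING=[Yy]es' "$2"
}

# Checks 1 and 2 on a single file; returns 1 if either fails.
lint_file() {
    rc=0
    entries_after_last_line "$1" || rc=1
    has_trailing_newline "$1" || { echo "$1: missing final newline"; rc=1; }
    return $rc
}

# Constructed reproduction: the poster's MASQ file (entry after the marker, no
# final newline) and hosts file with bridge ports, with BRIDGING left at No.
masq=$(mktemp) hosts=$(mktemp) conf=$(mktemp)
printf '#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC\n#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE\neth0 vdpf0' > "$masq"
printf '#ZONE HOST(S) OPTIONS\nnet vdpf0:eth0\nloc vdpf0:eth1\n#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE\n' > "$hosts"
printf 'BRIDGING=No\n' > "$conf"

if lint_file "$masq" && bridging_consistent "$hosts" "$conf"; then
    echo "no problems found"
else
    echo "fix the reported problems, then rerun 'shorewall check'"
fi
rm -f "$masq" "$hosts" "$conf"
```

Run it against the real files (/etc/shorewall/masq, hosts, shorewall.conf) before 'shorewall check', which as the notice above says does not catch every error.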