I'm using Shorewall 3.0.7 on Mandriva 2005LE and replaced the firewall from errata.

My config /etc/shorewall/providers:

ISP1    8    8    main    eth0    10.70.19.1    track
ISP2    9    9    main    tun0    10.6.0.9      track

When starting Shorewall I have some problem, and the trace:

/sbin/shorewall trace start 2> /tmp/trace

[root@kafilah shorewall]# tail -30 /tmp/trace
+ iface=tun0
+ eval 'mark_value=$tun0_routemark'
++ mark_value=9
+ run_iptables -t mangle -A PREROUTING -i tun0 -m mark --mark 0 -j routemark
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ '[' -f /tmp/shorewall.k28674/iprange ']'
+ /sbin/iptables -t mangle -A PREROUTING -i tun0 -m mark --mark 0 -j routemark
+ run_iptables -t mangle -A routemark -i tun0 -j MARK --set-mark 9
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ '[' -f /tmp/shorewall.k28674/iprange ']'
+ /sbin/iptables -t mangle -A routemark -i tun0 -j MARK --set-mark 9
+ run_iptables -t mangle -A routemark -m mark '!' --mark 0 -j CONNMARK --save-mark --mask 255
+ '[' -n '' ']'
+ '[' -n Yes ']'
+ '[' -f /tmp/shorewall.k28674/iprange ']'
+ /sbin/iptables -t mangle -A routemark -m mark '!' --mark 0 -j CONNMARK --save-mark --mask 255
iptables v1.2.9: Unknown arg `--mask'
Try `iptables -h' or 'iptables --help' for more information.
+ '[' -z '' ']'
+ error_message 'ERROR: Command "/sbin/iptables -t' mangle -A routemark -m mark '!' --mark 0 -j CONNMARK --save-mark --mask '255" Failed'
+ echo ' ERROR: Command "/sbin/iptables -t' mangle -A routemark -m mark '!' --mark 0 -j CONNMARK --save-mark --mask '255" Failed'
ERROR: Command "/sbin/iptables -t mangle -A routemark -m mark ! --mark 0 -j CONNMARK --save-mark --mask 255" Failed
+ stop_firewall
+ '[' -n /var/lib/shorewall/shorewall.h29024 ']'
+ rm -f /var/lib/shorewall/shorewall.h29024
+ case $COMMAND in
+ set +x
WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables

Henry

-- 
Online Dictionary from YM, Yahoo ID = kamusbot
http://linux.or.id/wiki/index.php?pagename=TopReply
http://linux.or.id/wiki/index.php?pagename=TataTertibMilis
Henry Suhatman wrote:
> im using shorewall 3.0.7 n mandriva 2005LE
> and replace firewall from errata
> my config /etc/shorewall/providers
> ISP1 8 8 main eth0 10.70.19.1 track
> ISP2 9 9 main tun0 10.6.0.9 track
>
> when starting shorewall i have some problem
> n trace
>
> /sbin/shorewall trace start 2> /tmp/trace
>
>
> [root@kafilah shorewall]# tail -30 /tmp/trace
> + iface=tun0
> + eval 'mark_value=$tun0_routemark'
> ++ mark_value=9
> + run_iptables -t mangle -A PREROUTING -i tun0 -m mark --mark 0 -j routemark
> + '[' -n '' ']'
> + '[' -n Yes ']'
> + '[' -f /tmp/shorewall.k28674/iprange ']'
> + /sbin/iptables -t mangle -A PREROUTING -i tun0 -m mark --mark 0 -j routemark
> + run_iptables -t mangle -A routemark -i tun0 -j MARK --set-mark 9
> + '[' -n '' ']'
> + '[' -n Yes ']'
> + '[' -f /tmp/shorewall.k28674/iprange ']'
> + /sbin/iptables -t mangle -A routemark -i tun0 -j MARK --set-mark 9
> + run_iptables -t mangle -A routemark -m mark '!' --mark 0 -j CONNMARK --save-mark --mask 255
> + '[' -n '' ']'
> + '[' -n Yes ']'
> + '[' -f /tmp/shorewall.k28674/iprange ']'
> + /sbin/iptables -t mangle -A routemark -m mark '!' --mark 0 -j CONNMARK --save-mark --mask 255
> iptables v1.2.9: Unknown arg `--mask'
> Try `iptables -h' or 'iptables --help' for more information.
> + '[' -z '' ']'
> + error_message 'ERROR: Command "/sbin/iptables -t' mangle -A routemark -m mark '!' --mark 0 -j CONNMARK --save-mark --mask '255" Failed'
> + echo ' ERROR: Command "/sbin/iptables -t' mangle -A routemark -m mark '!' --mark 0 -j CONNMARK --save-mark --mask '255" Failed'
> ERROR: Command "/sbin/iptables -t mangle -A routemark -m mark ! --mark 0 -j CONNMARK --save-mark --mask 255" Failed

Your iptables doesn't support the extended CONNMARK syntax. You can see that by issuing these two commands:

    iptables -t mangle -N foo
    iptables -t mangle -A foo -m mark ! --mark 0 -j CONNMARK --save-mark --mask 255

Those two commands succeed on a system that has the required support for multiple providers.

Also, the output of "shorewall show capabilities" will give:

    Extended CONNMARK Target: Available

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
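The two-command check Tom describes, wrapped into a reusable probe. This is an added example, not code from Shorewall or from Tom's reply: it creates a temporary chain in the mangle table, tries the extended CONNMARK rule against it, cleans the chain up again whatever happens, and reports the outcome in the style of the "shorewall show capabilities" line. The chain name shorewall_probe, the IPTABLES and PROBE_CHAIN overrides, and the three return codes are this example's own assumptions; the probe needs root and a kernel with the mangle table, exactly like the commands it runs.

```sh
#!/bin/sh
# Added example (not Shorewall's own code): probe whether the local iptables
# accepts the extended CONNMARK target syntax (--save-mark --mask) that
# Shorewall's multi-provider support relies on.
#
# Assumptions of this example: IPTABLES and PROBE_CHAIN may be overridden
# from the environment; the probe chain is ours and is always removed again.

IPTABLES="${IPTABLES:-/sbin/iptables}"
PROBE_CHAIN="${PROBE_CHAIN:-shorewall_probe}"

# Return 0 when the extended syntax is accepted, 1 when iptables rejects it
# (iptables 1.2.9 in the trace above fails with "Unknown arg `--mask'"), and
# 2 when the probe chain cannot even be created (no mangle table, not root,
# iptables binary missing), so that "unknown" is never mistaken for "broken".
check_extended_connmark() {
    if ! "$IPTABLES" -t mangle -N "$PROBE_CHAIN" 2>/dev/null; then
        return 2
    fi
    _probe_rc=0
    "$IPTABLES" -t mangle -A "$PROBE_CHAIN" -m mark ! --mark 0 \
        -j CONNMARK --save-mark --mask 255 2>/dev/null || _probe_rc=1
    # Always clean up: flush the rule (if any) and delete the temporary chain.
    "$IPTABLES" -t mangle -F "$PROBE_CHAIN" 2>/dev/null || true
    "$IPTABLES" -t mangle -X "$PROBE_CHAIN" 2>/dev/null || true
    return $_probe_rc
}

# Human-readable verdict, modelled on the capabilities line quoted above.
report_extended_connmark() {
    check_extended_connmark
    case $? in
        0) echo "Extended CONNMARK Target: Available" ;;
        1) echo "Extended CONNMARK Target: Not available (iptables rejects --mask; upgrade iptables and kernel before using multiple providers)" ;;
        *) echo "Extended CONNMARK Target: could not probe (needs root, an iptables binary and the mangle table)" ;;
    esac
}

report_extended_connmark
```

Run it as root on the box in question; a "Not available" verdict reproduces the failure from the trace without starting the whole firewall, and a "could not probe" verdict tells you the test itself could not run rather than that the capability is missing.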
On 6/13/06, Tom Eastep <teastep@shorewall.net> wrote:
> Henry Suhatman wrote:
> > im using shorewall 3.0.7 n mandriva 2005LE
> > [snip]
> Your iptables doesn't support the extended CONNMARK syntax.
> [snip]

If you upgrade to Mandriva 2006, it has CONNMARK support out of the box. In 2005LE, you'll need to replace both iptables and the kernel (either new versions or old ones patched for CONNMARK).

Rune
Hello,

Sorry if I'm sending the same message again, but I believe my previous post didn't make it to this list (got a "Message body is too big: 84203 bytes with a limit of 40 KB").

I am trying to set up my first bridge just like in:
http://www.shorewall.net/bridge.html

/etc/init.d/shorewall start (or /sbin/shorewall start):

ERROR: Unknown interface eth0
/etc/init.d/shorewall: line 14: 18343 Terminated /sbin/shorewall start >/dev/null

http://www.shorewall.net/ErrorMessages.html:

ERROR: Unknown interface <interface>
The interface appears in a configuration file but is not defined in /etc/shorewall/interfaces.

eth0 appears in the hosts file as described in the documentation.

Shorewall 3.0.7

/sbin/shorewall trace start 2> /tmp/trace (not attached because of size limit)

Help appreciated.

Vieri

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Vieri Di Paola wrote:
>
> /sbin/shorewall trace start 2> /tmp/trace (not
> attached because of size limit)

a) You can compress it and attach the compressed file to a post.
b) You can post the file somewhere on the net where we can download it.
c) You can post your /etc/shorewall configuration and we can try to see what is wrong from that.

We need SOMETHING to go on other than "it doesn't work"

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
--- Tom Eastep <teastep@shorewall.net> wrote:
> Vieri Di Paola wrote:
> >
> > /sbin/shorewall trace start 2> /tmp/trace (not
> > attached because of size limit)
>
> a) You can compress it and attach the compressed file to a post.
> b) You can post the file somewhere on the net where we can download it.
> c) You can post your /etc/shorewall configuration and we can try to see what is wrong from that.
>
> We need SOMETHING to go on other than "it doesn't work"

I appreciate your suggestions. I already tried a) and compressed a 500K+ trace to 80K via gzip --best. The post was rejected due to size.

So I put the file on the net and would be grateful if someone could take a look at it:
http://vieri.homelinux.com/trace.gz
Vieri Di Paola wrote:
> --- Tom Eastep <teastep@shorewall.net> wrote:
>> Vieri Di Paola wrote:
>>
>>> /sbin/shorewall trace start 2> /tmp/trace (not
>>> attached because of size limit)
>> a) You can compress it and attach the compressed file to a post.
>> b) You can post the file somewhere on the net where we can download it.
>> c) You can post your /etc/shorewall configuration and we can try to see what is wrong from that.
>>
>> We need SOMETHING to go on other than "it doesn't work"
>
> I appreciate your suggestions. I already tried a) and compressed a 500K+ trace to 80K via gzip --best. The post was rejected due to size.
>
> So I put the file on the net and would be grateful if someone could take a look at it:
> http://vieri.homelinux.com/trace.gz

If this is a bridge, why do you have an entry in /etc/shorewall/masq?

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
--- Tom Eastep <teastep@shorewall.net> wrote:
> Vieri Di Paola wrote:
> > So I put the file on the net and would be grateful if
> > someone could take a look at it:
> > http://vieri.homelinux.com/trace.gz
>
> If this is a bridge, why do you have an entry in
> /etc/shorewall/masq?

I was convinced I had commented that line out. The system was previously a router.

Sorry for wasting your time.

Thank you.
On 6/14/06, Rune Kock <rune.kock@gmail.com> wrote:
> On 6/13/06, Tom Eastep <teastep@shorewall.net> wrote:
> > Henry Suhatman wrote:
> > > im using shorewall 3.0.7 n mandriva 2005LE
> > > [snip]
> > Your iptables doesn't support the extended CONNMARK syntax.
> > [snip]
>
> If you upgrade to Mandriva 2006, it has CONNMARK support out of the
> box. In 2005LE, you'll need to replace both iptables and the kernel
> (either new versions or old ones patched for CONNMARK).

OK, solved: I just upgraded iptables 1.2.9 to iptables 1.3.3.

henry

> Rune
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

-- 
Online Dictionary from YM, Yahoo ID = kamusbot
http://linux.or.id/wiki/index.php?pagename=TopReply
http://linux.or.id/wiki/index.php?pagename=TataTertibMilis