Kinnaert
2006-Aug-15 20:11 UTC
Trouble with VPN PPTP/Shorewall, certain LAN Ports not working properly.
My problem is that when a remote client is connected to the poptop server running on the firewall we can't reach certain ports on the LAN servers, certain ports like 80, 443, HTTP port 10000 on the LAN->Remote Host etc. aren't working right. It seems like the server is getting the request. On the remote client the browser just hangs forever, no error responses etc. from the HTTP server. From studying the packet sniffer a little bit it looks like the GET requests are received properly but then the response is broken, or none at all from the LAN server? I checked one of the LAN server's httpd log files and can see the remote host hitting it.

192.168.2.100 - - [15/Aug/2006:16:05:00 -0400] "GET / HTTP/1.1" 403 3931

but nothing is being returned to the remote host though? The strange thing is that other services work fine like
SSH 22
ICMP
DNS 53

XXXXXXXXXXXXXXXX Here's my setup below XXXXXXXXXXXXXXXXXXXXX

SERVER
CentOS 4.2
Shorewall version 3.0.6
PoPToP version 1.3.2
kernel_ppp_mppe 1.0.2-3dkms
ppp 2.4.3-5.rhel4

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
CLIENT
Windows XP SP2 media edition
Windows firewall on
PPTP CHAPv2 only 128 bit

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ZONES
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
wlan    ipv4
rem     ipv4

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
INTERFACES
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,filterping,norfc1918,routefilter,tcpflags,logmartians,nosmurfs
loc     eth2        detect      tcpflags,nosmurfs,detectnets
dmz     eth1        detect      routeback
wlan    dev26407    detect      routeback
rem     ppp+

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
POLICY
#SOURCE   DEST   POLICY   LOG    LIMIT:BURST
# WiFi Network, Similar to DMZ
wlan      net    ACCEPT   info
#Outbound from LAN
loc       net    ACCEPT   info
loc       $FW    ACCEPT   info
loc       dmz    ACCEPT   info
#VPN
rem       loc    ACCEPT   info
loc       rem    ACCEPT   info
rem       $FW    ACCEPT   info
$FW       rem    ACCEPT   info
#DMZ, this is where the public DNS server is.
dmz       net    ACCEPT   info
dmz       $FW    ACCEPT   info
#From this host the actual firewall out, which could be internal or external
$FW       net    ACCEPT   info
$FW       dmz    ACCEPT   info
$FW       loc    ACCEPT   info
#Inbound from internet
net       all    DROP     info
#The following line must be last
all       all    REJECT   info

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RULES
#ACTION        SOURCE   DEST               PROTO   DEST                                      SOURCE    ORIGINAL
#                                                  PORT                                      PORT(S)   DEST
# Allow IAX2, SIP and RTP To Firewall
#ACCEPT:info   net      $FW                udp     69,4569,5060,5061,5062,5063,10000:20000
#Inbound email
#DNAT:info     net      dmz:192.168.1.42   tcp     25,110,366,465,993,20001,444
#Inbound DNS queries & zone transfers
DNAT:info      net      dmz:192.168.1.42   udp     53
DNAT:info      net      dmz:192.168.1.42   tcp     53
#Inbound SSH
DNAT:info      net      loc:192.168.2.43   tcp     22
#LAN access to public HTTP no proxy from LAN
#DNAT          loc      dmz:192.168.1.43   tcp     80                                        -         216.15.64.119
#Outbound this host to internet for DNS on port UDP 53
ACCEPT:info    $FW      net                udp     53
# Outbound Allow LAN to reach this host for squid proxy on port 8181
#ACCEPT:info   loc      $FW                tcp     8181
#Allow VPN in
ACCEPT:info    net      $FW                tcp     1723
ACCEPT:info    $FW      net                47
ACCEPT:info    net      $FW                47

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
TUNNELS
#pptpserver   net   0.0.0.0/0
pptpserver    net

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Masquerading
#INTERFACE          SUBNET     ADDRESS       PROTO   PORT(S)   IPSEC
eth0                eth1
eth0                eth2
eth0                dev26407
eth1:192.168.1.42   eth1       192.168.1.1   tcp     25

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
I studied the articles below but I couldn't find anything in there about port level issues.
http://www.shorewall.net/VPNBasics.html
http://www.shorewall.net/PPTP.htm

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Tom Eastep
2006-Aug-15 20:53 UTC
Re: Trouble with VPN PPTP/Shorewall, certain LAN Ports not working properly.
Kinnaert wrote:
> The strange thing is that other services work fine like
> SSH 22
> ICMP
> DNS 53
>
> XXXXXXXXXXXXXXXX Here's my setup below XXXXXXXXXXXXXXXXXXXXX

I prefer to see the output of "shorewall dump" as explained at http://www.shorewall.net/support.htm. I suggest though that you try setting CLAMPMSS=Yes in shorewall.conf.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
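Tom's CLAMPMSS suggestion targets the classic tunnel symptom described in the first post: small exchanges (SSH, DNS, ICMP) work, but full-size HTTP responses hang, because a PPTP path carries PPP inside GRE inside IP and so has a smaller MTU than the Ethernet links around it; when the ICMP fragmentation-needed messages do not get back to the sender, large segments are silently lost. CLAMPMSS=Yes makes Shorewall install an iptables TCPMSS rule that lowers the MSS option on every forwarded SYN so the peer never sends a segment larger than the tunnel can carry. The Python below is an added example, not code from this thread or from Shorewall: it performs the same rewrite on a constructed IPv4/TCP SYN and recomputes the TCP checksum, so the mechanism can be inspected offline. The tunnel MTU of 1400 and the addresses in the sample packet are assumptions for illustration.

```python
"""Clamp the TCP MSS option on a SYN, the rewrite Shorewall's CLAMPMSS=Yes
installs via the iptables TCPMSS target (added example, not Shorewall code)."""
import struct

IP_HDR_LEN = 20
TCP_HDR_LEN = 20
# Assumed usable MTU of the PPTP (PPP-over-GRE) tunnel for this example.
TUNNEL_MTU = 1400


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one unfragmented IPv4 packet on this link."""
    return mtu - IP_HDR_LEN - TCP_HDR_LEN


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus segment; 0 for a good segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_syn(src: bytes, dst: bytes, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4/TCP SYN carrying one MSS option (test input, not a capture)."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01" * 4   # MSS option + NOP padding
    data_offset = (TCP_HDR_LEN + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      data_offset << 4, 0x02, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp),
                     0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def clamp_mss(packet: bytes, mtu: int = TUNNEL_MTU):
    """Lower the MSS option of a TCP SYN to what `mtu` allows.

    Returns (packet, old_mss, new_mss). Non-TCP, non-SYN or option-less
    packets are returned untouched as (packet, None, None)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                        # not TCP
        return packet, None, None
    tcp = ihl
    if not packet[tcp + 13] & 0x02:           # MSS is only legal on SYN
        return packet, None, None
    opts_end = tcp + (packet[tcp + 12] >> 4) * 4
    buf = bytearray(packet)
    limit = mss_for_mtu(mtu)
    i, old, new = tcp + TCP_HDR_LEN, None, None
    while i < opts_end:
        kind = buf[i]
        if kind == 0:                         # end of option list
            break
        if kind == 1:                         # NOP
            i += 1
            continue
        if i + 1 >= opts_end:                 # truncated option, stop parsing
            break
        length = buf[i + 1]
        if length < 2:                        # malformed length, stop parsing
            break
        if kind == 2 and length == 4:         # MSS option
            old = struct.unpack_from("!H", buf, i + 2)[0]
            new = min(old, limit)
            struct.pack_into("!H", buf, i + 2, new)
            break
        i += length
    if old is None:
        return packet, None, None
    # Only the TCP checksum changes; lengths and the IP header are untouched.
    buf[tcp + 16:tcp + 18] = b"\x00\x00"
    csum = tcp_checksum(bytes(buf[12:16]), bytes(buf[16:20]), bytes(buf[tcp:]))
    struct.pack_into("!H", buf, tcp + 16, csum)
    return bytes(buf), old, new


def tcp_checksum_ok(packet: bytes) -> bool:
    """Verify the TCP checksum of a raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


if __name__ == "__main__":
    syn = build_syn(bytes([192, 168, 2, 100]), bytes([192, 168, 2, 32]), 40000, 80, 1460)
    clamped, old, new = clamp_mss(syn)
    print(f"MSS {old} -> {new}, checksum ok: {tcp_checksum_ok(clamped)}")
```

With the assumed 1400-byte tunnel the 1460 the Windows client would normally advertise is rewritten to 1360; a peer that already offers something smaller is left alone, and anything that is not a SYN passes through unchanged, which is exactly the scope of the `--tcp-flags SYN,RST SYN` match the kernel rule uses.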
Kinnaert
2006-Aug-16 18:40 UTC
Re: Trouble with VPN PPTP/Shorewall, certain LAN Ports not working properly.
HTTP URLs are working now, a server reboot seems to have fixed that
problem, but netbios doesn't seem to be working.
I'm trying to reach my LAN shares from my VPN remote client. There is
no log activity on the firewall server, and the VPN client doesn't
seem to be, so I assume that netbios traffic isn't reaching even the
PPTPD server which I have setup as instructed with SAMBA and WINS as
per http://www.shorewall.net/PPTP.htm#Samba instructions.
Here is my shorewall dump. I tried sending it once as a zip attachment but it
just bounced back saying zip attachments are not allowed.
----------------------------------------
Shorewall-3.0.6 Dump at gateway.localhost - Wed Aug 16 13:54:00 EDT 2006
Counters reset Wed Aug 16 01:53:18 EDT 2006
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
1416 381K ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0
53085 35M eth0_in all -- eth0 * 0.0.0.0/0
0.0.0.0/0
28501 4575K eth2_in all -- eth2 * 0.0.0.0/0
0.0.0.0/0
1823 203K eth1_in all -- eth1 * 0.0.0.0/0
0.0.0.0/0
175 9136 dev26407_in all -- dev26407 * 0.0.0.0/0
0.0.0.0/0
12637 2046K ppp_in all -- ppp+ * 0.0.0.0/0
0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
14795 3833K eth0_fwd all -- eth0 * 0.0.0.0/0
0.0.0.0/0
7241 2772K eth2_fwd all -- eth2 * 0.0.0.0/0
0.0.0.0/0
5823 609K eth1_fwd all -- eth1 * 0.0.0.0/0
0.0.0.0/0
3798 989K dev26407_fwd all -- dev26407 * 0.0.0.0/0
0.0.0.0/0
1590 153K ppp_fwd all -- ppp+ * 0.0.0.0/0
0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
1416 381K ACCEPT all -- * lo 0.0.0.0/0
0.0.0.0/0
168 55104 ACCEPT udp -- * eth0 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
49137 18M fw2net all -- * eth0 0.0.0.0/0
0.0.0.0/0
37693 29M fw2loc all -- * eth2 0.0.0.0/0
192.168.2.0/24
0 0 fw2loc all -- * eth2 0.0.0.0/0
169.254.0.0/16
0 0 fw2loc all -- * eth2 0.0.0.0/0
255.255.255.255
0 0 fw2loc all -- * eth2 0.0.0.0/0
224.0.0.0/4
1106 118K fw2dmz all -- * eth1 0.0.0.0/0
0.0.0.0/0
419 30967 all2all all -- * dev26407 0.0.0.0/0
0.0.0.0/0
13607 12M fw2rem all -- * ppp+ 0.0.0.0/0
0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:OUTPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain Drop (1 references)
pkts bytes target prot opt in out source
destination
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:113
1934 404K dropBcast all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 3 code 4
1 56 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 11
1933 404K dropInvalid all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,445
1004 102K DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:137 dpts:1024:65535
27 1332 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1900
42 5516 dropNotSyn tcp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:53
Chain Reject (4 references)
pkts bytes target prot opt in out source
destination
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:113
510 37559 dropBcast all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 11
510 37559 dropInvalid all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,445
247 23823 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:137 dpts:1024:65535
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1900
253 13156 dropNotSyn tcp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:53
Chain all2all (14 references)
pkts bytes target prot opt in out source
destination
172 7144 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
510 37559 Reject all -- * * 0.0.0.0/0
0.0.0.0/0
263 13736 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:all2all:REJECT:'
263 13736 reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain dev26407_fwd (1 references)
pkts bytes target prot opt in out source
destination
369 19627 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
3798 989K wlan2net all -- * eth0 0.0.0.0/0
0.0.0.0/0
0 0 all2all all -- * eth2 0.0.0.0/0
192.168.2.0/24
0 0 all2all all -- * eth2 0.0.0.0/0
169.254.0.0/16
0 0 all2all all -- * eth1 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT all -- * dev26407 0.0.0.0/0
0.0.0.0/0
0 0 all2all all -- * ppp+ 0.0.0.0/0
0.0.0.0/0
Chain dev26407_in (1 references)
pkts bytes target prot opt in out source
destination
175 9136 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
175 9136 all2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain dmz2fw (1 references)
pkts bytes target prot opt in out source
destination
90 11414 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
1733 192K LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:dmz2fw:ACCEPT:'
1733 192K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain dmz2net (1 references)
pkts bytes target prot opt in out source
destination
5822 609K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
1 48 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:dmz2net:ACCEPT:'
1 48 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain dropBcast (2 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source
destination
260 27062 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source
destination
9 3924 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:!0x16/0x02
Chain dynamic (10 references)
pkts bytes target prot opt in out source
destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source
destination
2277 154K dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
2277 154K smurfs all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
2277 154K norfc1918 all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
6784 3219K tcpflags tcp -- * * 0.0.0.0/0
0.0.0.0/0
4382 393K net2loc all -- * eth2 0.0.0.0/0
192.168.2.0/24
0 0 net2loc all -- * eth2 0.0.0.0/0
169.254.0.0/16
6102 391K net2dmz all -- * eth1 0.0.0.0/0
0.0.0.0/0
4292 3048K net2all all -- * dev26407 0.0.0.0/0
0.0.0.0/0
0 0 net2all all -- * ppp+ 0.0.0.0/0
0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source
destination
5382 1749K dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
5382 1749K smurfs all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
3457 1349K ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
1676 377K norfc1918 all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
32227 30M tcpflags tcp -- * * 0.0.0.0/0
0.0.0.0/0
49628 33M net2fw all -- * * 0.0.0.0/0
0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source
destination
1 48 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
5823 609K dmz2net all -- * eth0 0.0.0.0/0
0.0.0.0/0
0 0 all2all all -- * eth2 0.0.0.0/0
192.168.2.0/24
0 0 all2all all -- * eth2 0.0.0.0/0
169.254.0.0/16
0 0 ACCEPT all -- * eth1 0.0.0.0/0
0.0.0.0/0
0 0 all2all all -- * dev26407 0.0.0.0/0
0.0.0.0/0
0 0 all2all all -- * ppp+ 0.0.0.0/0
0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source
destination
1733 192K dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
1823 203K dmz2fw all -- * * 0.0.0.0/0
0.0.0.0/0
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source
destination
1901 208K dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
1901 208K smurfs all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
4728 2516K tcpflags tcp -- * * 0.0.0.0/0
0.0.0.0/0
7241 2772K loc_frwd all -- * * 192.168.2.0/24
0.0.0.0/0
0 0 loc_frwd all -- * * 169.254.0.0/16
0.0.0.0/0
Chain eth2_in (1 references)
pkts bytes target prot opt in out source
destination
6161 1334K dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
6161 1334K smurfs all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
23202 3281K tcpflags tcp -- * * 0.0.0.0/0
0.0.0.0/0
28501 4575K loc2fw all -- * * 192.168.2.0/24
0.0.0.0/0
0 0 loc2fw all -- * * 169.254.0.0/16
0.0.0.0/0
Chain fw2dmz (1 references)
pkts bytes target prot opt in out source
destination
85 11487 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
1021 107K LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:fw2dmz:ACCEPT:'
1021 107K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2loc (4 references)
pkts bytes target prot opt in out source
destination
36241 29M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
1452 157K LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:fw2loc:ACCEPT:'
1452 157K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source
destination
45990 18M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
139 8967 LOG udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:53 LOG flags 0 level 6 prefix
`Shorewall:fw2net:ACCEPT:'
139 8967 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:53
2 138 LOG 47 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:fw2net:ACCEPT:'
2 138 ACCEPT 47 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT 47 -- * * 0.0.0.0/0
0.0.0.0/0
3006 229K LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:fw2net:ACCEPT:'
3006 229K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2rem (1 references)
pkts bytes target prot opt in out source
destination
13581 12M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
26 5460 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:fw2rem:ACCEPT:'
26 5460 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2dmz (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
3 160 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:loc2dmz:ACCEPT:'
3 160 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2fw (2 references)
pkts bytes target prot opt in out source
destination
22340 3241K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
356 17088 LOG tcp -- * * 192.168.2.32
0.0.0.0/0 tcp dpt:9999 LOG flags 0 level 6 prefix
`Shorewall:loc2fw:ACCEPT:'
356 17088 ACCEPT tcp -- * * 192.168.2.32
0.0.0.0/0 tcp dpt:9999
5805 1317K LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:loc2fw:ACCEPT:'
5805 1317K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source
destination
3147 240K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG tcp -- * * 192.168.2.32
0.0.0.0/0 multiport dports
20,21,22,23,1433,3389,25,465,143,993 LOG flags 0 level 6 prefix
`Shorewall:loc2net:ACCEPT:'
0 0 ACCEPT tcp -- * * 192.168.2.32
0.0.0.0/0 multiport dports
20,21,22,23,1433,3389,25,465,143,993
0 0 LOG tcp -- * * 192.168.2.44
0.0.0.0/0 multiport dports 53,80,443 LOG flags 0 level 6
prefix `Shorewall:loc2net:ACCEPT:'
0 0 ACCEPT tcp -- * * 192.168.2.44
0.0.0.0/0 multiport dports 53,80,443
0 0 LOG udp -- * * 192.168.2.44
0.0.0.0/0 multiport dports 43,53 LOG flags 0 level 6 prefix
`Shorewall:loc2net:ACCEPT:'
0 0 ACCEPT udp -- * * 192.168.2.44
0.0.0.0/0 multiport dports 43,53
0 0 LOG tcp -- * * 192.168.2.66
0.0.0.0/0 multiport dports 25,53,80,443 LOG flags 0 level 6
prefix `Shorewall:loc2net:ACCEPT:'
0 0 ACCEPT tcp -- * * 192.168.2.66
0.0.0.0/0 multiport dports 25,53,80,443
0 0 LOG udp -- * * 192.168.2.66
0.0.0.0/0 multiport dports 43,53 LOG flags 0 level 6 prefix
`Shorewall:loc2net:ACCEPT:'
0 0 ACCEPT udp -- * * 192.168.2.66
0.0.0.0/0 multiport dports 43,53
0 0 LOG tcp -- * * 192.168.2.43
0.0.0.0/0 tcp dpt:873 LOG flags 0 level 6 prefix
`Shorewall:loc2net:ACCEPT:'
0 0 ACCEPT tcp -- * * 192.168.2.43
0.0.0.0/0 tcp dpt:873
1898 208K LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:loc2net:ACCEPT:'
1898 208K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2rem (1 references)
pkts bytes target prot opt in out source
destination
2193 2325K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:loc2rem:ACCEPT:'
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc_frwd (2 references)
pkts bytes target prot opt in out source
destination
5045 448K loc2net all -- * eth0 0.0.0.0/0
0.0.0.0/0
3 160 loc2dmz all -- * eth1 0.0.0.0/0
0.0.0.0/0
0 0 all2all all -- * dev26407 0.0.0.0/0
0.0.0.0/0
2193 2325K loc2rem all -- * ppp+ 0.0.0.0/0
0.0.0.0/0
Chain logflags (5 references)
pkts bytes target prot opt in out source
destination
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 4 level 6 prefix
`Shorewall:logflags:DROP:'
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2all (5 references)
pkts bytes target prot opt in out source
destination
4292 3048K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
1934 404K Drop all -- * * 0.0.0.0/0
0.0.0.0/0
633 269K LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:net2all:DROP:'
633 269K DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2dmz (1 references)
pkts bytes target prot opt in out source
destination
3849 239K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
2253 152K ACCEPT udp -- * * 0.0.0.0/0
192.168.1.42 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.42 tcp dpt:53
0 0 net2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source
destination
47691 33M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
3 156 LOG tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1723 LOG flags 0 level 6 prefix
`Shorewall:net2fw:ACCEPT:'
3 156 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1723
0 0 LOG 47 -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:net2fw:ACCEPT:'
0 0 ACCEPT 47 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT 47 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1723
1934 404K net2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2loc (2 references)
pkts bytes target prot opt in out source
destination
4377 392K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
5 300 ACCEPT tcp -- * * 0.0.0.0/0
192.168.2.43 tcp dpt:22
0 0 net2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain norfc1918 (2 references)
pkts bytes target prot opt in out source
destination
0 0 rfc1918 all -- * * 172.16.0.0/12
0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 172.16.0.0/12
0 0 rfc1918 all -- * * 192.168.0.0/16
0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 192.168.0.0/16
19 1261 rfc1918 all -- * * 10.0.0.0/8
0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 10.0.0.0/8
Chain ppp_fwd (1 references)
pkts bytes target prot opt in out source
destination
206 10768 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
88 4600 all2all all -- * eth0 0.0.0.0/0
0.0.0.0/0
1502 148K rem2loc all -- * eth2 0.0.0.0/0
192.168.2.0/24
0 0 rem2loc all -- * eth2 0.0.0.0/0
169.254.0.0/16
0 0 all2all all -- * eth1 0.0.0.0/0
0.0.0.0/0
0 0 all2all all -- * dev26407 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT all -- * ppp+ 0.0.0.0/0
0.0.0.0/0
Chain ppp_in (1 references)
pkts bytes target prot opt in out source
destination
3379 317K dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
12637 2046K rem2fw all -- * * 0.0.0.0/0
0.0.0.0/0
Chain reject (10 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 PKTTYPE = multicast
0 0 DROP all -- * * 255.255.255.255
0.0.0.0/0
0 0 DROP all -- * * 192.168.2.255
0.0.0.0/0
0 0 DROP all -- * * 192.168.1.255
0.0.0.0/0
0 0 DROP all -- * * 192.168.4.255
0.0.0.0/0
0 0 DROP all -- * * 255.255.255.255
0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4
0.0.0.0/0
253 13156 REJECT tcp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with tcp-reset
257 24403 REJECT udp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-prohibited
Chain rem2fw (1 references)
pkts bytes target prot opt in out source
destination
9258 1729K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
3379 317K LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:rem2fw:ACCEPT:'
3379 317K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain rem2loc (2 references)
pkts bytes target prot opt in out source
destination
1384 142K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
118 6168 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:rem2loc:ACCEPT:'
118 6168 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain rfc1918 (6 references)
pkts bytes target prot opt in out source
destination
19 1261 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:rfc1918:DROP:'
19 1261 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source
destination
Chain smurfs (4 references)
pkts bytes target prot opt in out source
destination
0 0 LOG all -- * * 255.255.255.255
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 255.255.255.255
0.0.0.0/0
0 0 LOG all -- * * 192.168.2.255
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 192.168.2.255
0.0.0.0/0
0 0 LOG all -- * * 192.168.1.255
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 192.168.1.255
0.0.0.0/0
0 0 LOG all -- * * 192.168.4.255
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 192.168.4.255
0.0.0.0/0
0 0 LOG all -- * * 255.255.255.255
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 255.255.255.255
0.0.0.0/0
0 0 LOG all -- * * 224.0.0.0/4
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 224.0.0.0/4
0.0.0.0/0
Chain tcpflags (4 references)
pkts bytes target prot opt in out source
destination
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:0 flags:0x16/0x02
Chain wlan2net (1 references)
pkts bytes target prot opt in out source
destination
3429 970K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
369 19627 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:wlan2net:ACCEPT:'
369 19627 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
On 8/15/06, Tom Eastep <teastep@shorewall.net> wrote:
> Kinnaert wrote:
> >
> >
> > The strange thing is that other services work fine like
> > SSH 22
> > ICMP
> > DNS 53
> >
> >
> > XXXXXXXXXXXXXXXX Here's my setup below XXXXXXXXXXXXXXXXXXXXX
> >
>
> I prefer to see the output of "shorewall dump" as explained at
> http://www.shorewall.net/support.htm. I suggest though that you try
> setting CLAMPMSS=Yes in shorewall.conf.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
>
>
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tom Eastep
2006-Aug-16 20:08 UTC
Re: Trouble with VPN PPTP/Shorewall, certain LAN Ports not working properly.
On Wed, 2006-08-16 at 14:40 -0400, Kinnaert wrote:
> HTTP URLs are working now, a server reboot seems to have fixed that
> problem, but netbios doesn't seem to be working.
>
> I'm trying to reach my LAN shares from my VPN remote client. There is
> no log activity on the firewall server, and the VPN client doesn't
> seem to be, so I assume that netbios traffic isn't reaching even the
> PPTPD server which I have setup as instructed with SAMBA and WINS as
> per. http://www.shorewall.net/PPTP.htm#Samba instructions.
>
> Here is my shorewall dump. I tried send once as zip attachment but it
> just bounced back saying zip attachments are not allowed.

From what I can see in what you sent, your problem doesn't have anything to do with Shorewall. Shorewall has not dropped/rejected a single packet from rem->loc or rem2loc.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
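Tom reads the answer straight off the per-chain packet counters: in the dump above, the rem2loc chain shows every packet accepted, while the only DROP/REJECT hits sit in all2all and net2all. The Python below is an added example, not code from this thread or from Shorewall, that automates that reading. It parses `iptables -nvL`-style output as `shorewall dump` prints it and totals, per chain, the packets that reached a terminal ACCEPT, DROP or REJECT target. The sample input is constructed from three chains of the dump above, with each rule re-joined onto one line as the listing looked before mail wrapping. Shorewall's lower-case `reject` is its own chain whose rules all end in REJECT, so it is counted as a rejection; the `Drop` and `Reject` action chains are not terminal in themselves, and their disposals are attributed to the rules inside them when a full dump is parsed.

```python
"""Total per-chain accept/drop/reject packet counters from an iptables -nvL
listing (the body of `shorewall dump`). Added example, not Shorewall code."""
import re

# Constructed sample: three chains copied from the dump in this thread, each
# rule re-joined onto a single line as iptables prints it.
SAMPLE_DUMP = """\
Chain all2all (14 references)
 pkts bytes target prot opt in out source destination
 172 7144 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 510 37559 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
 263 13736 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
 263 13736 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain rem2loc (2 references)
 pkts bytes target prot opt in out source destination
 1384 142K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 118 6168 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:rem2loc:ACCEPT:'
 118 6168 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (5 references)
 pkts bytes target prot opt in out source destination
 4292 3048K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 1934 404K Drop all -- * * 0.0.0.0/0 0.0.0.0/0
 633 269K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
 633 269K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""

# Both header styles match: "Chain INPUT (policy DROP ...)" and "Chain rem2loc (2 references)".
CHAIN_RE = re.compile(r"^Chain (?P<name>\S+) \(")
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)(?P<rest>.*)$"
)
# iptables -v abbreviates counters above 99999 with decimal K/M/G suffixes.
SCALE = {"": 1, "K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9}
# Targets that end a packet's journey. Lower-case `reject` is Shorewall's own
# chain whose rules all end in REJECT; `Drop`/`Reject` are action chains whose
# disposals are counted where they happen, inside those chains.
VERDICTS = {"ACCEPT": "accepted", "DROP": "dropped", "REJECT": "rejected", "reject": "rejected"}


def parse_counter(text: str) -> int:
    """Turn '633', '404K' or '3M' into an integer packet or byte count."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    return int(m.group(1)) * SCALE[m.group(2)]


def parse_dump(dump: str) -> dict:
    """Map chain name -> list of rule dicts with integer pkts/bytes counters."""
    chains, current = {}, None
    for line in dump.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group("name")
            chains[current] = []
            continue
        if current is None or line.strip().startswith("pkts"):
            continue                          # column header or text before any chain
        m = RULE_RE.match(line)
        if m:
            rule = m.groupdict()
            rule["pkts"] = parse_counter(rule["pkts"])
            rule["bytes"] = parse_counter(rule["bytes"])
            chains[current].append(rule)
    return chains


def disposals(chains: dict) -> dict:
    """Per chain, packets accepted / dropped / rejected by terminal targets."""
    result = {}
    for name, rules in chains.items():
        totals = {"accepted": 0, "dropped": 0, "rejected": 0}
        for rule in rules:
            verdict = VERDICTS.get(rule["target"])
            if verdict:
                totals[verdict] += rule["pkts"]
        result[name] = totals
    return result


def pair_is_clean(chains: dict, chain_name: str) -> bool:
    """True when the zone-pair chain exists and has dropped or rejected nothing."""
    totals = disposals(chains).get(chain_name)
    return totals is not None and totals["dropped"] == 0 and totals["rejected"] == 0


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for chain, totals in disposals(parsed).items():
        print(f"{chain:10s} {totals}")
    print("rem2loc clean:", pair_is_clean(parsed, "rem2loc"))
```

Run against the full dump, the same function gives a per-chain view of where packets actually died, which is the question to settle before suspecting the firewall: a zone pair whose chain shows only ACCEPT hits, as rem2loc does here, points the investigation at the endpoints (in this thread, NetBIOS name resolution) rather than at the ruleset.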
Kinnaert
2006-Aug-17 00:08 UTC
Re: Trouble with VPN PPTP/Shorewall, certain LAN Ports not working properly.
You are correct Tom as always! I just discovered that I'm actually able to connect to LAN shares from the VPN client by using the numerical IP format instead of the name, i.e. \\192.168.2.32\C$ for example.

Something must be wrong with my firewall's WINS samba/wins server because the remote VPN client is not registering with the WINS server, that's why the LAN can't see the remote client and why the remote client can't see the LAN. I try net lookup RemoteClientName from the firewall or any workstations in the LAN and they don't see the Remote client as being part of the workgroup? Any ideas where to look and check this? I have samba running as master browser and wins server for the workgroup. After connecting to the firewall my ipconfig has the WINS server and DNS server IP set correctly by PPTPD, so I don't know what's wrong, but samba running on the firewall doesn't seem to recognize the remote client?

By the way Tom is there any documentation on the shorewall dump command and how to interpret the output?

Thanks so much!

On 8/16/06, Tom Eastep <teastep@shorewall.net> wrote:
> From what I can see in what you sent, your problem doesn't have anything
> to do with Shorewall. Shorewall has not dropped/rejected a single packet
> from rem->loc or rem2loc.
Tom Eastep
2006-Aug-17 02:38 UTC
Re: Trouble with VPN PPTP/Shorewall, certain LAN Ports not working properly.
Kinnaert wrote:
> Something must be wrong with my firewall's WINS samba/wins server
> because the remote VPN client is not registering with the WINS server,
> that's why the LAN can't see the remote client and why the remote
> client can't see the LAN. I try
> net lookup RemoteClientName from the firewall or any workstations in
> the LAN and they don't see the Remote client as being part of the
> workgroup? Any ideas where to look and check this?

The local Windows systems must also be configured to use the WINS server -- have you done that?

> By the way Tom is there any documentation on the shorewall dump command
> and how to interpret the output?

Yes, but it is not Shorewall documentation. The "dump" command itself produces only headings -- the rest of the output from that command is produced by standard Linux utilities (iptables, ip, cat, lsmod, ...).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Kinnaert
2006-Aug-18 18:48 UTC
Re: Trouble with VPN PPTP/Shorewall, certain LAN Ports not working properly.
Here's my remote client's IP config below. By the way, isn't my default
gateway supposed to be 192.168.2.1, which is the firewall? Why does
poptop set it to the client IP it gives me of 192.168.2.100? I can't
reach the WAN either from VPN, could this be why? How do you change
the default gateway in poptop?

Also wondering why, when I'm connected in the wlan zone of our network
and try to reach the VPN at the net eth0 external IP, it rejects it? It
works if I allow a policy of wlan -> $FW, but then anyone on the wlan can
mess with the firewall box. What rules etc. would I need to set up to
routeback with VPN PPTP to another zone like this?
------------------------------------------------------------------------
Windows IP Configuration
Host Name . . . . . . . . . . . . : acer
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
Physical Address. . . . . . . . . : XX XX XX XX XX
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.168.1.1
DHCP Server . . . . . . . . . . . : 10.168.1.1
DNS Servers . . . . . . . . . . . : 207.172.3.9
207.172.3.8
Lease Obtained. . . . . . . . . . : Friday, August 18, 2006 8:55:33 AM
Lease Expires . . . . . . . . . . : Sunday, August 20, 2006 8:55:33 AM
PPP adapter tonal:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : XX XX XX XX XX
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.2.100
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.2.100
DNS Servers . . . . . . . . . . . : 192.168.2.1
192.168.2.1
Primary WINS Server . . . . . . . : 192.168.2.1
Secondary WINS Server . . . . . . : 192.168.2.1
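The wlan-to-VPN question above (reaching the PPTP server on the firewall from the wlan zone without an open wlan -> $FW policy) comes down to two rules: the PPTP control channel on TCP 1723 and the GRE tunnel (IP protocol 47) that carries the PPP session. The fragment below is an added example for this thread, not configuration posted by Kinnaert or shipped by Shorewall; it is written for the Shorewall 3.x /etc/shorewall/rules format and uses the zone names from the zones file earlier in the thread (wlan, $FW). It assumes the wlan -> $FW policy is left at a non-ACCEPT default (e.g. REJECT) so that only these two rules expose the firewall to wireless clients.

```text
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)
# PPTP control channel: the client first opens TCP 1723 to the firewall.
ACCEPT    wlan     $FW    tcp     1723
# GRE (IP protocol 47) carries the tunnelled PPP session; it has no ports,
# so the PROTO column alone selects it.
ACCEPT    wlan     $FW    47
```

With these in place and the wlan -> $FW policy still rejecting everything else, a wireless client can connect to the PPTP service on the firewall's eth0 address while the rest of the firewall stays closed to the wlan zone. Once the tunnel is up, the client's traffic arrives on ppp+ and is governed by the rem zone policies already in the thread, not by wlan rules.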