Eddy Geez
2009-Jan-21 21:03 UTC
REDIRECT rule causing failure of shorewall (iptables-restore)
Greetings. I've recently moved a server (which was running Shorewall 3.0.4) to new hardware with a new OS release (which included moving to the latest stable shorewall-perl release, 4.2.4). Everything was going smoothly until I actually tried to start the firewall. "shorewall check" said everything was OK:

Shorewall configuration verified

but when I tried to run "shorewall start", it failed. Here is the relevant output:

...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /usr/sbin/iptables-restore...
iptables-restore v1.4.2-rc1: conntrack: Bad value for "--ctorigdstport" option: "1025:65535"
Error occurred at line: 191
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Restoring Shorewall...
...

The referenced line 191 is:

-A net2fw -p 6 --dport 1111 -m conntrack --ctorigdstport 1025:65535 -s 192.168.1.1 -j ACCEPT

which was generated as a result of this entry in my shorewall 'rules' file:

REDIRECT loc:192.168.1.1 1111 tcp 1025:65535

(Note that this REDIRECT worked fine under 3.0.4, and commenting out the REDIRECT from the 'rules' file lets shorewall start up correctly.)

Looking at the iptables man page, it appears 'ctorigdstport' only accepts a single port and not a port range.

Is there a recommended course of action in this situation?

aTdHvAaNnKcSe!

------------------------------------------------------------------------------
This SF.net email is sponsored by: SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
Shorewall Guy
2009-Jan-21 23:06 UTC
Re: REDIRECT rule causing failure of shorewall (iptables-restore)
Eddy Geez wrote:
> Looking at the iptables man page, it appears 'ctorigdstport' only
> accepts a single port and not a port range.
>
> Is there a recommended course of action in this situation?

As a workaround:

a) shorewall show -f capabilities /etc/shorewall/capabilities

b) Edit /etc/shorewall/capabilities and change:

   NEW_CONNTRACK_MATCH=Yes

   to

   NEW_CONNTRACK_MATCH
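The failure in the first post only surfaces once iptables-restore is already running, and the reply's workaround is a hand edit of the capabilities file. The following is an added example, not code from either poster or from the Shorewall project: a shell pre-flight check that scans an iptables-restore input file for --ctorigdstport/--ctorigsrcport arguments written as a port range (the thing iptables-restore rejected above) before the file is handed to iptables-restore, plus a function that applies the reply's capabilities-file edit. The restore input and capabilities file below are constructed stand-ins, not captured from a real host; treating the reply's target line as the empty setting NEW_CONNTRACK_MATCH= is an assumption about what the reply means, and --ctorigsrcport is included on the assumption that it shares the single-port restriction.

```shell
#!/bin/sh
# Added example (not from the thread): a pre-flight check for the failure
# described above, plus the capabilities-file workaround from the reply.
# All files below are constructed stand-ins, not captured from a real host.

# Constructed stand-in for /var/lib/shorewall/.iptables-restore-input.
# Line 4 carries the kind of rule that iptables-restore rejected.
SAMPLE_RESTORE=$(mktemp)
cat >"$SAMPLE_RESTORE" <<'EOF'
*filter
:net2fw - [0:0]
-A net2fw -p 6 --dport 22 -m conntrack --ctorigdstport 22 -s 192.168.1.1 -j ACCEPT
-A net2fw -p 6 --dport 1111 -m conntrack --ctorigdstport 1025:65535 -s 192.168.1.1 -j ACCEPT
COMMIT
EOF

# Constructed stand-in for /etc/shorewall/capabilities (shell-style settings).
SAMPLE_CAPS=$(mktemp)
printf 'CONNTRACK_MATCH=Yes\nNEW_CONNTRACK_MATCH=Yes\n' >"$SAMPLE_CAPS"

# lint_ctorig_ranges FILE
# Prints "LINE:VALUE" for every --ctorigdstport/--ctorigsrcport argument
# written as a range (low:high), which the conntrack match rejects.
# Exit status 1 if any were found, 0 if the file is clean.
lint_ctorig_ranges() {
    awk '
        {
            for (i = 1; i < NF; i++)
                if (($i == "--ctorigdstport" || $i == "--ctorigsrcport") &&
                    $(i + 1) ~ /^[0-9]+:[0-9]+$/) {
                    print NR ":" $(i + 1)
                    bad = 1
                }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# disable_new_conntrack_match FILE
# Rewrites NEW_CONNTRACK_MATCH=Yes to an empty setting (assumed here to be
# the form the reply intends) so the compiler stops emitting --ctorigdstport.
# Edits through a temp file rather than sed -i for portability.
disable_new_conntrack_match() {
    tmp=$(mktemp) || return 1
    sed 's/^NEW_CONNTRACK_MATCH=Yes$/NEW_CONNTRACK_MATCH=/' "$1" >"$tmp" && mv "$tmp" "$1"
}

# Run the check before handing the file to iptables-restore.
if findings=$(lint_ctorig_ranges "$SAMPLE_RESTORE"); then
    echo "no conntrack port ranges found; safe to run iptables-restore"
else
    echo "iptables-restore will reject these conntrack port ranges (line:value):"
    echo "$findings"
    disable_new_conntrack_match "$SAMPLE_CAPS"
    echo "capabilities file now contains:"
    cat "$SAMPLE_CAPS"
fi
```

Run it against a real /var/lib/shorewall/.iptables-restore-input by passing that path to lint_ctorig_ranges; a non-zero exit with a line:value listing means the restore would fail the same way the first post shows, and the line number points straight at the offending rule.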