Hi all,
I've been using Shorewall to generate iptables scripts all this while, and today I came across a newly purchased server that got me stumped. Basically Shorewall refused to compile and start, and I get the following error.
Enabling Loopback and DNS Lookups
iptables: Unknown error 4294967295
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 449: 25975 Terminated ${VARDIR}/.start $debugging start
I then decided to try to get around this problem by going to the actual
server and saving the iptable rules into a file and then uploading onto my
new server to do a iptables-restore to see if that would work however I get:
# iptables-restore < firewall.txt
iptables-restore: line 182 failed
So then here is my entire firewall file; it seems like line 182 is the COMMIT statement. I'm stumped. I'm no firewall expert, but since it had been working for 6 other servers I'm not sure why this one refuses to accept the rules.
# Generated by iptables-save v1.3.5 on Wed Apr 22 00:42:01 2009
*mangle
:PREROUTING ACCEPT [684274:153931454]
:INPUT ACCEPT [684274:153931454]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [854430:194015047]
:POSTROUTING ACCEPT [825162:190692935]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Wed Apr 22 00:42:01 2009
# Generated by iptables-save v1.3.5 on Wed Apr 22 00:42:01 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:fire2fire - [0:0]
:fire2net - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2all - [0:0]
:net2fire - [0:0]
:norfc1918 - [0:0]
:reject - [0:0]
:rfc1918 - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
:venet0_fwd - [0:0]
:venet0_in - [0:0]
:venet0_out - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i venet0 -j venet0_in
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j Drop
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:DROP:" --log-level 6
-A INPUT -j DROP
-A FORWARD -i venet0 -j venet0_fwd
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j Drop
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:DROP:" --log-level 6
-A FORWARD -j DROP
-A OUTPUT -o venet0 -j venet0_out
-A OUTPUT -o lo -j fire2fire
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j Drop
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:DROP:" --log-level 6
-A OUTPUT -j DROP
-A Drop -p tcp -m tcp --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -j DROP
-A Drop -p udp -m udp --dport 137:139 -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A Drop -p udp -m udp --dport 1900 -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -j DROP
-A Reject -p tcp -m tcp --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -j reject
-A Reject -p udp -m udp --dport 137:139 -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -j reject
-A Reject -p udp -m udp --dport 1900 -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -j DROP
-A dropBcast -d 213.175.192.69 -j DROP
-A dropBcast -d 213.175.192.70 -j DROP
-A dropBcast -d 255.255.255.255 -j DROP
-A dropBcast -d 224.0.0.0/240.0.0.0 -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A fire2fire -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fire2fire -p esp -j ACCEPT
-A fire2fire -p esp -j ACCEPT
-A fire2fire -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
-A fire2fire -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
-A fire2fire -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
-A fire2fire -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
-A fire2fire -j ACCEPT
-A fire2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fire2net -p icmp -j ACCEPT
-A fire2net -d 80.239.186.21 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.148.125 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.148.126 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.148.127 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.148.128 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.148.129 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.148.130 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.148.131 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.148.132 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.178.126 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.178.127 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.178.128 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.178.129 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.178.130 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.178.131 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.178.132 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 72.14.178.86 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 72.14.178.86 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -p tcp -m multiport --dports 3724,1119 -j ACCEPT
-A fire2net -d 4.2.2.1 -j ACCEPT
-A fire2net -d 4.2.2.2 -j ACCEPT
-A fire2net -d 77.235.33.160 -j ACCEPT
-A fire2net -d 77.235.35.160 -j ACCEPT
-A fire2net -d 77.235.33.38 -j ACCEPT
-A fire2net -j Reject
-A fire2net -j reject
-A logdrop -j LOG --log-prefix "Shorewall:logdrop:DROP:" --log-level 6
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6
-A logflags -j DROP
-A logreject -j LOG --log-prefix "Shorewall:logreject:REJECT:" --log-level 6
-A logreject -j reject
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j Drop
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A net2fire -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fire -p icmp -j ACCEPT
-A net2fire -p tcp -m multiport --dports 22,11683,80,443,441,5190 -j ACCEPT
-A net2fire -p udp -j DROP
-A net2fire -j net2all
-A norfc1918 -s 172.16.0.0/255.240.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 172.16.0.0/12 -j rfc1918
-A norfc1918 -s 192.168.0.0/255.255.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 192.168.0.0/16 -j rfc1918
-A norfc1918 -s 10.0.0.0/255.0.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 10.0.0.0/8 -j rfc1918
-A reject -d 213.175.192.69 -j DROP
-A reject -d 213.175.192.70 -j DROP
-A reject -d 255.255.255.255 -j DROP
-A reject -d 224.0.0.0/240.0.0.0 -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A rfc1918 -j LOG --log-prefix "Shorewall:rfc1918:DROP:" --log-level 6
-A rfc1918 -j DROP
-A smurfs -s 213.175.192.69 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 213.175.192.69 -j DROP
-A smurfs -s 213.175.192.70 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 213.175.192.70 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j logflags
-A venet0_fwd -m state --state INVALID,NEW -j dynamic
-A venet0_fwd -m state --state NEW -j norfc1918
-A venet0_fwd -p tcp -j tcpflags
-A venet0_in -m state --state INVALID,NEW -j dynamic
-A venet0_in -m state --state NEW -j norfc1918
-A venet0_in -p tcp -j tcpflags
-A venet0_in -j net2fire
-A venet0_out -j fire2net
COMMIT *<---- Line 182*
# Completed on Wed Apr 22 00:42:01 2009
# Generated by iptables-save v1.3.5 on Wed Apr 22 00:42:01 2009
*nat
:PREROUTING ACCEPT [9675:626016]
:POSTROUTING ACCEPT [195:12598]
:OUTPUT ACCEPT [195:12878]
COMMIT
# Completed on Wed Apr 22 00:42:01 2009
Any help will be most appreciated!
Best regards,
Eugene
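A diagnostic helper for the situation described in the post above, added here as an example and not part of the original message or of Shorewall. iptables-restore hands a whole table to the kernel at its COMMIT line, so a failure reported at COMMIT usually means one rule inside that table was refused by the kernel; a common reason is a match (-m) or target (-j) extension the running kernel does not provide, which is worth checking first on a virtualised guest (venet0 is the interface name OpenVZ containers use). The script parses an iptables-save dump, lists the extensions each table needs, and, when the kernel's own lists in /proc/net/ip_tables_matches and /proc/net/ip_tables_targets are readable, reports what is missing. The embedded dump is a constructed sample in the same format, not the dump from the post; the function names are this example's own.

```python
"""Inventory the match and target extensions an iptables-save dump needs.

A COMMIT that fails under iptables-restore usually means the kernel rejected
one of the rules in that table, often because the match (-m) or target (-j)
extension it needs is not available on that host. This example script lists
what each table needs so it can be compared with the kernel's own lists in
/proc/net/ip_tables_matches and /proc/net/ip_tables_targets.
"""
import shlex
import sys
from pathlib import Path

# Targets implemented by the iptables core rather than by a loadable extension.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "RETURN", "QUEUE"}

# Constructed sample dump in iptables-save format (not the mailing-list post's dump).
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:net2fire - [0:0]
:reject - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j net2fire
-A net2fire -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A net2fire -m conntrack --ctorigdst 10.0.0.0/8 -j DROP
-A net2fire -j LOG --log-prefix "sample:DROP:" --log-level 6
-A net2fire -j reject
-A reject -p tcp -j REJECT --reject-with tcp-reset
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
"""


def parse_dump(text):
    """Return {table: {"chains": set, "matches": set, "targets": set, "rules": int}}."""
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):  # "*filter" opens a table block
            table = tables.setdefault(
                line[1:], {"chains": set(), "matches": set(), "targets": set(), "rules": 0})
            continue
        if line == "COMMIT":  # the whole block is handed to the kernel here
            table = None
            continue
        if table is None:
            continue  # a rule outside any table block; iptables-restore rejects those too
        if line.startswith(":"):  # ":name policy [pkts:bytes]" declares a chain
            table["chains"].add(line[1:].split()[0])
            continue
        args = shlex.split(line)  # keeps quoted --log-prefix strings as one token
        table["rules"] += 1
        for i, tok in enumerate(args[:-1]):
            if tok == "-m":
                table["matches"].add(args[i + 1])
            elif tok == "-j":
                table["targets"].add(args[i + 1])
    return tables


def kernel_extensions(table):
    """Target extensions a table needs: -j names that are neither builtins nor its own chains."""
    return table["targets"] - BUILTIN_TARGETS - table["chains"]


def find_missing(tables, available_matches, available_targets):
    """Return {table: {"matches": set, "targets": set}} only for tables that lack something."""
    missing = {}
    for name, table in tables.items():
        m = table["matches"] - available_matches
        t = kernel_extensions(table) - available_targets
        if m or t:
            missing[name] = {"matches": m, "targets": t}
    return missing


def read_proc_list(path):
    """Read one extension name per line from a /proc list; None if it is not readable here."""
    p = Path(path)
    if not p.is_file():
        return None
    return {l.strip() for l in p.read_text().splitlines() if l.strip()}


if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_DUMP
    tables = parse_dump(text)
    for name, table in tables.items():
        print(f"*{name}: {table['rules']} rules, matches={sorted(table['matches'])}, "
              f"targets={sorted(kernel_extensions(table))}")
    have_m = read_proc_list("/proc/net/ip_tables_matches")
    have_t = read_proc_list("/proc/net/ip_tables_targets")
    if have_m is None or have_t is None:
        print("kernel extension lists not readable here; compare the lists above by hand")
    else:
        for name, miss in find_missing(tables, have_m, have_t).items():
            print(f"*{name} needs extensions this kernel lacks: "
                  f"matches={sorted(miss['matches'])} targets={sorted(miss['targets'])}")
```

Run it on the failing host as `python3 inventory.py firewall.txt`; every name it reports as missing is a rule the kernel cannot load, and the conntrack match, the multiport match and the REJECT target are the usual suspects on a container kernel. Only `-m` names are collected because iptables-save always writes the explicit `-m tcp` or `-m udp` alongside protocol-specific options, so the implicit protocol match never needs separate handling.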