I''m trying to configure shorewall 4.2.7 on my WRT54GS-TM router running
X-WRT Kamikaze (r17821)
I''ve compiled a bash script: "shorewall compile firewall"
but when I run "./firewall -v start"
I get an error:
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Clearing Traffic Control/QOS
Deleting user chains...
Processing /etc/shorewall/continue ...
Enabling Loopback and DNS Lookups
Creating Interface Chains...
Setting up SMURF control...
Processing /etc/shorewall/initdone ...
Setting up Black List...
Adding Anti-smurf Jumps...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up SYN Flood Protection...
Setting up Rules...
Setting up Actions...
Creating action chain Drop
Creating action chain Reject
Creating action chain dropBcast
Creating action chain dropInvalid
Creating action chain dropNotSyn
Applying Policies...
Setting up Masquerading/SNAT...
Activating Rules...
iptables: Bad rule (does a matching rule exist in that chain?).
ERROR: Command "/usr/sbin/iptables -D INPUT -m state --state
ESTABLISHED,RELATED -j ACCEPT" Failed
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated
I have the default FASTACCEPT=No
My rules allow pings and ssh connection from my local network (loc) to the
router ($FW)
and forward connections from the internet (net) to local servers listening on
various ports:
# grep -v ''^#'' rules|grep -v ''^$''
SSH/ACCEPT loc $FW
DNAT net $WWW_IP tcp 22
Ping/ACCEPT loc $FW
Ping/REJECT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
DNS/ACCEPT loc $FW
DNAT net $WWW_IP tcp 443
DNAT net $WWW_IP:8080 tcp 8080
DNAT net $MAIL_IP tcp 143
DNAT net $MAIL_IP tcp 993
DNAT net $PBX_IP udp 4569
DNAT net $PBX_IP tcp 5060:5061
DNAT net $PBX_IP udp 8000:20000
DNAT net $PBX_IP tcp 9001
DNAT net $PBX_IP tcp 9030
DNAT net $AXP_IP tcp 6881:6889
And this is what my firewall script looks like (from the Progress Message
"Activating Rules")
progress_message2 "Activating Rules..."
run_iptables -A br_lan_out -d 0.0.0.0/0 -j fw2loc
run_iptables -A br_lan_in -s 0.0.0.0/0 -j loc2fw
run_iptables -A br_lan_fwd -s 0.0.0.0/0 -o eth0.1 -d 0.0.0.0/0 -j loc2net
run_iptables -A eth0_1_out -d 0.0.0.0/0 -j fw2net
run_iptables -t nat -I PREROUTING 1 -i eth0.1 -s 0.0.0.0/0 -j net_dnat
run_iptables -A eth0_1_in -s 0.0.0.0/0 -j net2fw
run_iptables -A eth0_1_fwd -s 0.0.0.0/0 -o br-lan -d 0.0.0.0/0 -j net2loc
run_iptables -A FORWARD -i br-lan -j br_lan_fwd
run_iptables -A INPUT -i br-lan -j br_lan_in
run_iptables -A OUTPUT -o br-lan -j br_lan_out
run_iptables -A FORWARD -i eth0.1 -j eth0_1_fwd
run_iptables -A INPUT -i eth0.1 -j eth0_1_in
run_iptables -A OUTPUT -o eth0.1 -j eth0_1_out
run_iptables -t nat -A POSTROUTING -o eth0.1 -j eth0_1_masq
run_iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
run_iptables -A INPUT -j Reject
do_log_rule_limit "info" "INPUT" "INPUT"
"REJECT" "" "" "-A"
run_iptables -A INPUT -j reject
run_iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
run_iptables -A OUTPUT -j Reject
do_log_rule_limit "info" "OUTPUT" "OUTPUT"
"REJECT" "" "" "-A"
run_iptables -A OUTPUT -j reject
run_iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
run_iptables -A FORWARD -j Reject
do_log_rule_limit "info" "FORWARD" "FORWARD"
"REJECT" "" "" "-A"
run_iptables -A FORWARD -j reject
run_iptables -D INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
run_iptables -D INPUT -p udp --dport 53 -j ACCEPT
run_iptables -D OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
run_iptables -D OUTPUT -p udp --dport 53 -j ACCEPT
run_iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
run_iptables -D FORWARD -p udp --dport 53 -j ACCEPT
run_iptables -D INPUT -i br-lan -s 0.0.0.0/0 -j ACCEPT
THANKS.
------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
Jeremy wrote:> I''m trying to configure shorewall 4.2.7 on my WRT54GS-TM router running X-WRT Kamikaze (r17821) > > > I''ve compiled a bash script: "shorewall compile firewall" > but when I run "./firewall -v start" > I get an error: > > Starting Shorewall.... > Initializing... > Processing /etc/shorewall/init ... > Clearing Traffic Control/QOS > Deleting user chains... > Processing /etc/shorewall/continue ... > Enabling Loopback and DNS Lookups > Creating Interface Chains... > Setting up SMURF control... > Processing /etc/shorewall/initdone ... > Setting up Black List... > Adding Anti-smurf Jumps... > Setting up ARP filtering... > Setting up Route Filtering... > Setting up Martian Logging... > Setting up Accept Source Routing... > Setting up SYN Flood Protection... > Setting up Rules... > Setting up Actions... > Creating action chain Drop > Creating action chain Reject > Creating action chain dropBcast > Creating action chain dropInvalid > Creating action chain dropNotSyn > Applying Policies... > Setting up Masquerading/SNAT... > Activating Rules... > iptables: Bad rule (does a matching rule exist in that chain?). > ERROR: Command "/usr/sbin/iptables -D INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" FailedPlease follow the guidelines for reporting start failures: http://www.shorewall.net/4.0/support.htm#Guidelines. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now! http://p.sf.net/sfu/devconference
On Friday 09 October 2009, Tom Eastep wrote:> Please follow the guidelines for reporting start failures: > http://www.shorewall.net/4.0/support.htm#Guidelines. > > -Tom >Turns out the Broadcom wifi driver wasn''t working in the X-WRT kamikaze snapshot, so I had to downgrade to Kamikaze 8.09 running shorewall-3.4.8 (doesn''t seem to be any prepackaged shorewall-4 nor shorewall6, so I may have to build my own packages) I then made your suggested shorewall trace which reported: + startup_error Invalid zone (lan) in record "lan br-lan detect " + echo ERROR: Invalid zone (lan) in record "lan br-lan detect " ERROR: Invalid zone (lan) in record "lan br-lan detect " So I had mistakenly used "lan" (from kamikaze /etc/config/network) instead of "loc" in /etc/shorewall/interfaces file. Shorewall (ipv4) is now starting properly. Thanks for the help. ------------------------------------------------------------------------------ Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now! http://p.sf.net/sfu/devconference