Hi,
yesterday I got a very strange error on our productive firewall when I 
tried a "shorewall restart".
Following the output:
....
Processing /etc/shorewall/init ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Adding Providers...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
iptables-restore v1.4.2: Can't use -A with -A
Error occurred at line: 182
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Processing /etc/shorewall/stop ...
Running /sbin/iptables-restore...
IPv4 Forwarding Enabled
Processing /etc/shorewall/stopped ...
...
When looking at /var/lib/shorewall/.iptables-restore-input, I saw lines 
with a double -A :
-A setsticky -A -p 6 -m multiport --dports 22,5000:10000 -s 10.1.0.49 -d 212.202.229.26 -m mark --mark 0x2/0xFF -m recent --name sticky001 --set
instead of:
-A setsticky -p 6 -m multiport --dports 22,5000:10000 -s 10.1.0.49 -d 212.202.229.26 -m mark --mark 0x2/0xFF -m recent --name sticky001 --set
I tried shorewall restore, shorewall safe-restart, all without luck. 
Finally I decided to install an older version of shorewall, and that did 
the trick - by installing the deb file, shorewall started up with 
correct ruleset.
Today the same event happened. What the heck is going on on my firewall?
This time I solved the problem with installing the newer deb file again. 
Very strange.
System is Debian Lenny with Kernel 2.6.26-2-686. Shorewall debian 
package was 4.4.11.4-1 and then 4.4.10.3-1.  iptables is version 1.4.2-6.
What further info do you need to examine this problem? Would a shorewall 
dump help?
What steps can I take to prevent not getting the firewall up again?
Thank you very much for your help,
Christian
# shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
    NAT: Available
    Packet Mangling: Available
    Multi-port Match: Available
    Extended Multi-port Match: Available
    Connection Tracking Match: Available
    Extended Connection Tracking Match Support: Available
    Packet Type Match: Available
    Policy Match: Available
    Physdev Match: Available
    Physdev-is-bridged Support: Available
    Packet length Match: Available
    IP range Match: Available
    Recent Match: Available
    Owner Match: Available
    Ipset Match: Not available
    CONNMARK Target: Available
    Extended CONNMARK Target: Available
    Connmark Match: Available
    Extended Connmark Match: Available
    Raw Table: Available
    IPP2P Match: Not available
    CLASSIFY Target: Available
    Extended REJECT: Available
    Repeat match: Available
    MARK Target: Available
    Extended MARK Target: Available
    Extended MARK Target 2: Available
    Mangle FORWARD Chain: Available
    Comments: Available
    Address Type Match: Available
    TCPMSS Match: Available
    Hashlimit Match: Available
    NFQUEUE Target: Available
    Realm Match: Available
    Helper Match: Available
    Connlimit Match: Available
    Time Match: Available
    Goto Support: Available
    LOGMARK Target: Not available
    IPMARK Target: Not available
    LOG Target: Available
    Persistent SNAT: Not available
    TPROXY Target: Not available
    FLOW Classifier: Available
    fwmark route mask: Available
------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb
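A pre-flight check for the situation described above, added here as an example and not part of the thread or of Shorewall itself: it scans an iptables-restore input file (such as /var/lib/shorewall/.iptables-restore-input) for rule lines that repeat the chain option, the exact "Can't use -A with -A" case, and for rules that reference a user chain the table never declared, reporting the 1-based line number the way iptables-restore does. The SAMPLE text is constructed for the demonstration.

```python
import shlex
import sys

# Constructed sample of iptables-restore input (not the thread's real file):
# line 5 repeats the broken "-A setsticky -A ..." rule from the thread.
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:setsticky - [0:0]
-A PREROUTING -j setsticky
-A setsticky -A -p 6 -m multiport --dports 22,5000:10000 -s 10.1.0.49 -m recent --name sticky001 --set
-A setsticky -p 6 -m multiport --dports 22,5000:10000 -s 10.1.0.49 -m recent --name sticky001 --set
-A nosuchchain -j ACCEPT
COMMIT
"""

CHAIN_OPTS = {"-A", "--append", "-I", "--insert", "-D", "--delete"}
# Built-in chains exist in the kernel without a ':NAME' declaration line.
BUILTIN = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}

def lint_restore_input(text):
    """Return (lineno, message) pairs for rule lines iptables-restore would
    reject: a chain option given twice (the 'Can't use -A with -A' case) or a
    user chain the current table never declared. Line numbers are 1-based,
    matching the 'Error occurred at line:' diagnostic."""
    problems, chains = [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):           # '*table': fresh chain namespace
            chains = set()
        elif line.startswith(":"):         # ':NAME POLICY [pkts:bytes]'
            chains.add(line[1:].split()[0])
        else:
            toks = shlex.split(line)
            opts = [t for t in toks if t in CHAIN_OPTS]
            if len(opts) != 1:
                problems.append((lineno, "chain option repeated or missing: %r" % opts))
                continue
            pos = toks.index(opts[0])
            chain = toks[pos + 1] if pos + 1 < len(toks) else ""
            if chain not in chains and chain not in BUILTIN:
                problems.append((lineno, "undeclared chain %r" % chain))
    return problems

if __name__ == "__main__":
    # Usage: python lint.py /var/lib/shorewall/.iptables-restore-input
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for lineno, msg in lint_restore_input(text):
        print("line %d: %s" % (lineno, msg))
```

Running it over the restore input before a restart turns a firewall that comes up with no ruleset into a diagnostic you can act on first; an empty result means none of these two defects is present, not that the file is fully valid.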
I wrote:
> What steps can I take to prevent not getting the firewall up again?

Of course I remembered in the meantime the save and restore command of shorewall. :-) I took a look at the produced restore script, there is the correct iptables syntax used.

Interesting question: what's the difference between shorewall (re)start and the start procedure in the Debian package? First method produces the wrong iptables syntax, second not.

Thanks for any help,
Christian
On 10/12/10 12:54 AM, Christian Vieser wrote:
> Hi,
>
> yesterday I got a very strange error on our productive firewall when I
> tried a "shorewall restart".
> Following the output:
>
> ....
> Processing /etc/shorewall/init ...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Proxy ARP...
> Adding Providers...
> Setting up Traffic Control...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore...
> iptables-restore v1.4.2: Can't use -A with -A
>
> Error occurred at line: 182
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> ERROR: iptables-restore Failed. Input is in
> /var/lib/shorewall/.iptables-restore-input
> Processing /etc/shorewall/stop ...
> Running /sbin/iptables-restore...
> IPv4 Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> ...
>
> When looking at /var/lib/shorewall/.iptables-restore-input, I saw lines
> with a double -A :
> -A setsticky -A -p 6 -m multiport --dports 22,5000:10000 -s 10.1.0.49 -d
> 212.202.229.26 -m mark --mark 0x2/0xFF -m recent --name sticky001 --set

From the current Known 4.4.11 Problems linked from the Shorewall home page:

18) The SAME target in tcrules generates invalid iptables-restore (ip6tables-restore) input. Corrected in Shorewall 4.4.11.5.

I don't believe that Roberto has received authorization to upload 4.4.11.6 yet but you can install the tarball over the .deb and everything will work out fine when 4.4.11.6 is finally uploaded to testing.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Tue, Oct 12, 2010 at 12:16:36PM -0700, Tom Eastep wrote:
>
> I don't believe that Roberto has received authorization to upload
> 4.4.11.6 yet but you can install the tarball over the .deb and
> everything will work out fine when 4.4.11.6 is finally uploaded to testing.
>

Approval came from the release team today, so I have just uploaded the 4.4.11.6-1 packages to Sid and I am preparing the packages for my personal repository for Lenny users tracking that one. Those should be up shortly.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
On 10/12/10 12:16 PM, vieser@opti-serv.de wrote:
> Interesting question: what's the difference between shorewall (re)start
> and the start procedure in the Debian package? First method produces the
> wrong iptables syntax, second not.

There is no difference between start and restart.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________