Dillius (Tux's lil' helper)
Joined: 12 Mar 2005, Posts: 119
Posted: Thu Apr 21, 2005 11:04 pm
Post subject: Assortment of troubles with shorewall
Having a vast assortment of troubles trying to get iptables working with shorewall.
First of all, whenever I enable it, I can't do anything at all. No outgoing or incoming packets. My policy file is as follows:
```
#SOURCE   DEST   POLICY   LOG      LIMIT:BURST
#                         LEVEL
fw        net    ACCEPT
net       all    DROP     info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all       all    REJECT   info
#LAST LINE -- DO NOT REMOVE
```
It seems like it's something to do with the final part that has a reject all, but I followed a guide for setting this up that mentioned doing that. Also my rules file is as follows:
```
#ACTION  SOURCE  DEST  PROTO  DEST    SOURCE   ORIGINAL  RATE   USER/
#                             PORT    PORT(S)  DEST      LIMIT  GROUP
ACCEPT   fw      net   tcp    80      #http
ACCEPT   fw      net   udp    80      #http
ACCEPT   fw      net   tcp    443     #https
ACCEPT   fw      net   udp    443     #https
ACCEPT   fw      net   tcp    21      #ftp
ACCEPT   fw      net   tcp    22      #ssh
ACCEPT   fw      net   tcp    110     #unsecure Pop3
ACCEPT   fw      net   tcp    995     #Secure Pop3
ACCEPT   fw      net   tcp    873     #rsync
ACCEPT   fw      net   tcp    25      #unsecure SMTP
ACCEPT   fw      net   tcp    465     #SMTP over SSL
ACCEPT   fw      net   tcp    5190    #AIM/ICQ
ACCEPT   fw      net   tcp    143     #Unsecure IMAP
ACCEPT   fw      net   tcp    993     #Secure IMAP
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```
I had truly believed what I put in here to be of no use, because of the way in which I had my policies set up.
Also whenever I start up shorewall, I get the following error. Again, this is quite possibly the problem:
```
bash-2.05b# /etc/init.d/shorewall start
 * Please make sure that /etc/conf.d/net has $ifconfig_eth1 set
 * (or $iface_eth1 for old-style configuration)
 * Starting firewall...
iptables: No chain/target/match by that name
   ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
/sbin/runscript.sh: line 532: 12162 Terminated              /sbin/shorewall start >/dev/null    [ !! ]
```
No forwarding? Ouch... yea that may be it.
My IPTables chain list is as follows with shorewall cleared:
```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
With shorewall first started up (though this is a point to note the above error regarding the FORWARD chain):
```
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
Anyone know what best to do about this?
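To see how the posted policy and rules files interact, here is a small lookup that applies Shorewall's documented evaluation order: the rules file is checked first (first match wins), and only if no rule matches is the policy file scanned top to bottom, with `all` acting as a wildcard for either zone. This is an added example, not code from the thread or from Shorewall; the two file bodies are constructed copies of the poster's files, trimmed to a few entries, and the zone name `loc` used in the demo is an assumption (the poster's setup only has `fw` and `net`).

```python
"""Shorewall rule/policy lookup for one zone pair (added example, not Shorewall code).

Models the evaluation order Shorewall documents: entries in the rules file are
checked first (first match wins); if none matches, the policy file is scanned
top to bottom and the first entry whose SOURCE/DEST match applies, with "all"
as a wildcard. The two file bodies below are constructed copies of the
poster's files.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple

POLICY_FILE = """\
#SOURCE  DEST  POLICY  LOG
fw       net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""

RULES_FILE = """\
#ACTION  SOURCE  DEST  PROTO  DEST-PORT
ACCEPT   fw      net   tcp    80     #http
ACCEPT   fw      net   tcp    443    #https
ACCEPT   fw      net   tcp    22     #ssh
"""


@dataclass
class Policy:
    source: str
    dest: str
    action: str
    log_level: Optional[str] = None


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dport: str


def _entries(text: str):
    """Yield the whitespace-separated fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if body:
            yield body.split()


def parse_policies(text: str) -> List[Policy]:
    return [Policy(f[0], f[1], f[2], f[3] if len(f) > 3 else None)
            for f in _entries(text)]


def parse_rules(text: str) -> List[Rule]:
    return [Rule(f[0], f[1], f[2], f[3], f[4]) for f in _entries(text)]


def zone_matches(pattern: str, zone: str) -> bool:
    """'all' matches any zone; otherwise the zone name must match exactly."""
    return pattern == "all" or pattern == zone


def resolve(src: str, dst: str, proto: str, dport: int,
            rules: List[Rule], policies: List[Policy]) -> Tuple[str, str, Optional[str]]:
    """Return (action, origin, log_level) for a new connection src -> dst.

    origin is "rules" when an explicit rule matched, "policy" otherwise.
    """
    for r in rules:
        if (zone_matches(r.source, src) and zone_matches(r.dest, dst)
                and r.proto == proto and r.dport == str(dport)):
            return r.action, "rules", None
    for p in policies:
        if zone_matches(p.source, src) and zone_matches(p.dest, dst):
            return p.action, "policy", p.log_level
    # Shorewall itself refuses to start without a catch-all policy; this
    # fallback only keeps the function total for the demo.
    return "DROP", "default", None


def lookup(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str, Optional[str]]:
    """Resolve one connection attempt against the constructed files above."""
    return resolve(src, dst, proto, dport,
                   parse_rules(RULES_FILE), parse_policies(POLICY_FILE))


if __name__ == "__main__":
    for case in [("fw", "net", "tcp", 80), ("fw", "net", "tcp", 6881),
                 ("net", "fw", "tcp", 6881), ("loc", "net", "tcp", 80)]:
        print(case, "->", lookup(*case))
```

Running it shows that outbound `fw` to `net` traffic on a port that appears nowhere in the rules file (6881 here) is still accepted by the `fw net ACCEPT` policy, so for this zone pair the rules entries change nothing, which matches the poster's own suspicion. Inbound `net` to `fw` attempts match no rule and fall through to `net all DROP info`, which is why they get dropped and logged rather than silently discarded; the trailing `all all REJECT` only catches pairs nothing above it covers.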
Petyr (Guru)
Joined: 08 Jan 2003, Posts: 471, Location: San Diego, CA, USA
Posted: Fri Apr 22, 2005 4:06 pm
Check your kernel config. Usually when shorewall gives errors like that it has to do with not having all the modules needed for iptables. Basically go through the iptables section of the kernel and make just about everything in there a module. Ignore things like SCTP (unless you enabled that elsewhere), but you can pretty much just make the rest modules and call it good.
hth,
Petyr
Dillius (Tux's lil' helper)
Joined: 12 Mar 2005, Posts: 119
Posted: Sun Apr 24, 2005 11:03 pm
Alright... sorry that took a while but I've been insanely busy. And thanks for your help.
It's now starting up without blocking absolutely everything, so it's pretty much working. However, there are still a few little errors being thrown.
Upon startup it shows:
```
 * Starting firewall...
FATAL: Error inserting iptable_nat (/lib/modules/2.6.11-gentoo-r3/kernel/net/ipv4/netfilter/iptable_nat.ko): Unknown symbol in module, or unknown parameter (see dmesg)
WARNING: Error inserting iptable_nat (/lib/modules/2.6.11-gentoo-r3/kernel/net/ipv4/netfilter/iptable_nat.ko): Unknown symbol in module, or unknown parameter (see dmesg)
FATAL: Error inserting ip_nat_ftp (/lib/modules/2.6.11-gentoo-r3/kernel/net/ipv4/netfilter/ip_nat_ftp.ko): Unknown symbol in module, or unknown parameter (see dmesg)
WARNING: Error inserting iptable_nat (/lib/modules/2.6.11-gentoo-r3/kernel/net/ipv4/netfilter/iptable_nat.ko): Unknown symbol in module, or unknown parameter (see dmesg)
FATAL: Error inserting ip_nat_tftp (/lib/modules/2.6.11-gentoo-r3/kernel/net/ipv4/netfilter/ip_nat_tftp.ko): Unknown symbol in module, or unknown parameter (see dmesg)
WARNING: Error inserting iptable_nat (/lib/modules/2.6.11-gentoo-r3/kernel/net/ipv4/netfilter/iptable_nat.ko): Unknown symbol in module, or unknown parameter (see dmesg)
FATAL: Error inserting ip_nat_irc (/lib/modules/2.6.11-gentoo-r3/kernel/net/ipv4/netfilter/ip_nat_irc.ko): Unknown symbol in module, or unknown parameter (see dmesg)
```
dmesg shows:
```
iptable_nat: Unknown symbol ip_conntrack_tcp_update
iptable_nat: Unknown symbol ip_conntrack_tcp_update
ip_nat_ftp: Unknown symbol ip_nat_mangle_tcp_packet
ip_nat_ftp: Unknown symbol ip_nat_follow_master
iptable_nat: Unknown symbol ip_conntrack_tcp_update
ip_nat_tftp: Unknown symbol ip_nat_follow_master
iptable_nat: Unknown symbol ip_conntrack_tcp_update
ip_nat_irc: Unknown symbol ip_nat_mangle_tcp_packet
ip_nat_irc: Unknown symbol ip_nat_follow_master
iptable_nat: Unknown symbol ip_conntrack_tcp_update
iptable_nat: Unknown symbol ip_conntrack_tcp_update
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=213.25.238.94 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=62707 DF PROTO=TCP SPT=2190 DPT=6881 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=68.0.227.241 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=51051 DF PROTO=TCP SPT=60264 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=60.240.9.149 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=15263 DF PROTO=TCP SPT=3386 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=213.25.238.94 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=62776 DF PROTO=TCP SPT=2190 DPT=6881 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=68.163.133.252 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=3590 DF PROTO=TCP SPT=4765 DPT=6881 WINDOW=37592 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=68.0.227.241 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=51256 DF PROTO=TCP SPT=60264 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=81.231.227.214 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=30476 DF PROTO=TCP SPT=4036 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=68.163.133.252 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=3715 DF PROTO=TCP SPT=4765 DPT=6881 WINDOW=37592 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=65.4.255.184 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=27546 DF PROTO=TCP SPT=50567 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=60.240.9.149 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=15505 DF PROTO=TCP SPT=3386 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=81.231.227.214 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=30780 DF PROTO=TCP SPT=4036 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=219.128.138.64 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=44911 DF PROTO=TCP SPT=2752 DPT=6881 WINDOW=64800 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=24.6.214.133 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=41287 DF PROTO=TCP SPT=4730 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=82.25.11.29 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=25520 DF PROTO=TCP SPT=3661 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=213.84.149.69 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=22738 DF PROTO=TCP SPT=3683 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=213.25.238.94 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=62940 DF PROTO=TCP SPT=2190 DPT=6881 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=68.0.227.241 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=51698 DF PROTO=TCP SPT=60270 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=65.4.255.184 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=27942 DF PROTO=TCP SPT=50567 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=219.128.138.64 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=45149 DF PROTO=TCP SPT=2752 DPT=6881 WINDOW=64800 RES=0x00 SYN URGP=0
```
Anything I should be concerned about?
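The dmesg paste above mixes two unrelated things, which is why the "should I be concerned" question is hard to answer by eye. The following triage script, an added example that is not part of the thread, separates the kernel module failures ("Unknown symbol" lines, grouped by module and the symbol it could not resolve) from the Shorewall log entries (counted by chain and action, destination protocol/port, and source address, plus a check that every dropped packet was an unsolicited SYN). The `DMESG` text is a constructed subset of the poster's lines; the field names it reads (`SRC`, `DPT`, `PROTO`, the bare `SYN` flag) are the standard netfilter LOG format.

```python
"""Triage of the dmesg output quoted above (added example, not from the thread).

Two kinds of lines are recognised:
  <module>: Unknown symbol <symbol>           -> module load failure
  Shorewall:<chain>:<action>:<K=V ... flags>  -> netfilter LOG entry
The sample text is a constructed subset of the poster's dmesg.
"""

import re
from collections import Counter, defaultdict
from typing import Dict, List

DMESG = """\
iptable_nat: Unknown symbol ip_conntrack_tcp_update
ip_nat_ftp: Unknown symbol ip_nat_mangle_tcp_packet
ip_nat_ftp: Unknown symbol ip_nat_follow_master
ip_nat_tftp: Unknown symbol ip_nat_follow_master
ip_nat_irc: Unknown symbol ip_nat_mangle_tcp_packet
ip_nat_irc: Unknown symbol ip_nat_follow_master
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=213.25.238.94 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=62707 DF PROTO=TCP SPT=2190 DPT=6881 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=68.0.227.241 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=51051 DF PROTO=TCP SPT=60264 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=60.240.9.149 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=15263 DF PROTO=TCP SPT=3386 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:09:66:02:b4:00:0f:b5:10:39:8c:08:00 SRC=213.25.238.94 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=62776 DF PROTO=TCP SPT=2190 DPT=6881 WINDOW=16384 RES=0x00 SYN URGP=0
"""

UNKNOWN_SYMBOL = re.compile(r"^(?P<module>\S+): Unknown symbol (?P<symbol>\S+)$")
SHOREWALL = re.compile(r"^Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")


def missing_symbols(text: str) -> Dict[str, List[str]]:
    """Map each module that failed to load to the symbols it could not resolve."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = UNKNOWN_SYMBOL.match(line)
        if m:
            found[m["module"]].add(m["symbol"])
    return {mod: sorted(syms) for mod, syms in found.items()}


def _kv(rest: str):
    """Split 'K=V' tokens into a dict; bare tokens (DF, SYN, ACK, ...) become flags."""
    fields, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        else:
            flags.add(tok)
    return fields, flags


def firewall_summary(text: str) -> Dict[str, object]:
    """Count Shorewall LOG lines by chain/action, destination port and source."""
    by_rule, by_port, by_src = Counter(), Counter(), Counter()
    unsolicited = 0   # SYN set and ACK clear: a brand-new inbound connection attempt
    total = 0
    for line in text.splitlines():
        m = SHOREWALL.match(line)
        if not m:
            continue
        fields, flags = _kv(m["rest"])
        total += 1
        by_rule[f"{m['chain']}:{m['action']}"] += 1
        by_port[f"{fields.get('PROTO')}/{fields.get('DPT')}"] += 1
        by_src[fields.get("SRC")] += 1
        if "SYN" in flags and "ACK" not in flags:
            unsolicited += 1
    return {
        "total": total,
        "by_rule": dict(by_rule),
        "by_port": dict(by_port),
        "by_src": dict(by_src),
        "all_unsolicited_syn": total > 0 and unsolicited == total,
    }


if __name__ == "__main__":
    print("module load failures:", missing_symbols(DMESG))
    print("firewall log summary:", firewall_summary(DMESG))
```

Read against the full paste, the two findings point in different directions. The module lines show `iptable_nat` failing on `ip_conntrack_tcp_update`, which on a 2.6.11 kernel is exported by the connection-tracking module, and the FTP/TFTP/IRC NAT helpers then failing on symbols the NAT core exports, so they cannot load until `iptable_nat` does; that is the connection-tracking question the next reply raises. The firewall lines are all unsolicited SYNs from the `net` zone to TCP/6881 with no matching service, dropped and logged exactly as `net all DROP info` asks, so they are the policy working rather than something to act on.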
Petyr (Guru)
Joined: 08 Jan 2003, Posts: 471, Location: San Diego, CA, USA
Posted: Mon Apr 25, 2005 4:33 pm
Did you forget to enable the connection tracking part in the kernel config?
Petyr

_________________
If someone solves a problem for you put [SOLVED] in the title