thecooptoo Veteran
Joined: 27 Apr 2003 Posts: 1353 Location: UK
Posted: Wed Nov 21, 2007 1:59 pm Post subject: shorewall NAT query.
I can't see where to sort this. I've followed the two-interface config for Shorewall and now get this:
Code:
gravity paul # /etc/init.d/shorewall start
* Starting firewall ...
WARNING: NAT disabled; masq rule ignored
iptables: No chain/target/match by that name
ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
/sbin/shorewall: line 375: 9373 Terminated ${VARDIR}/.start $debugging start [ !! ]
Code:
gravity linux # lsmod
Module Size Used by
xt_tcpmss 1920 0
xt_tcpudp 2816 0
xt_pkttype 1664 0
iptable_raw 1920 0
xt_CLASSIFY 1664 0
xt_MARK 2048 0
xt_comment 1664 0
xt_length 1792 0
xt_policy 3200 0
xt_multiport 2816 0
iptable_mangle 2176 0
ipt_ULOG 6148 0
ipt_TTL 1920 0
ipt_ttl 1664 0
ipt_TOS 1792 0
ipt_tos 1408 0
ipt_REJECT 3200 0
ipt_recent 7064 0
ipt_owner 1792 0
ipt_LOG 5248 0
ipt_iprange 1664 0
ipt_ECN 2432 0
ipt_ecn 1920 0
ipt_ah 1664 0
ipt_addrtype 1664 0
iptable_filter 2304 1
ip_tables 9032 3 iptable_raw,iptable_mangle,iptable_filter
x_tables 10244 24 xt_tcpmss,xt_tcpudp,xt_pkttype,xt_CLASSIFY,xt_MARK,xt_comment,xt_length,xt_policy,xt_multiport,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_REJECT,ipt_recent,ipt_owner,ipt_LOG,ipt_iprange,ipt_ECN,ipt_ecn,ipt_ah,ipt_addrtype,ip_tables
i915 19840 2
michael_mic 2304 6
ieee80211_crypt_tkip 8960 3
8139cp 16256 0
pcmcia 32936 0
8139too 19072 0
ipw2100 58800 0
yenta_socket 21132 2
rsrc_nonstatic 9728 1 yenta_socket
pcmcia_core 31508 3 pcmcia,yenta_socket,rsrc_nonstatic
gravity linux #
gravity linux # cat .config |grep -i IP_NF
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
Code:
gravity linux # shorewall show ( a bit of it )
Shorewall 3.4.6 filter Table at gravity - Wed Nov 21 14:25:18 GMT 2007
Counters reset Fri Jan 12 08:51:25 UTC 2007
Chain INPUT (policy DROP 1 packets, 330 bytes)
pkts bytes target prot opt in out source destination
140 17256 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
gravity linux # shorewall dump
Shorewall 3.4.6 Dump at gravity - Wed Nov 21 14:25:24 GMT 2007
Counters reset Fri Jan 12 08:51:25 UTC 2007
Chain INPUT (policy DROP 1 packets, 330 bytes)
pkts bytes target prot opt in out source destination
153 18664 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Log (/var/log/messages)
NAT Table
iptables v1.3.8: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
So where is NAT disabled?
man shorewall-nat doesn't really provide any information.
_________________ join the optout - http://nhsconfidentiality.org
Last edited by thecooptoo on Wed Nov 21, 2007 2:27 pm; edited 2 times in total
steveb Advocate
Joined: 18 Sep 2002 Posts: 4564
Posted: Wed Nov 21, 2007 2:04 pm Post subject:
Have you compiled the NAT modules for your kernel?
// SteveB
thecooptoo Veteran
Joined: 27 Apr 2003 Posts: 1353 Location: UK
Posted: Wed Nov 21, 2007 2:20 pm Post subject:
Just added the kernel config and the output of lsmod.
_________________ join the optout - http://nhsconfidentiality.org
steveb Advocate
Joined: 18 Sep 2002 Posts: 4564
Posted: Wed Nov 21, 2007 2:23 pm Post subject:
Can you post your rules and your policy?
// SteveB
thecooptoo Veteran
Joined: 27 Apr 2003 Posts: 1353 Location: UK
Posted: Wed Nov 21, 2007 2:29 pm Post subject:
Code:
gravity linux # grep ^[A-Za-z] /etc/shorewall/policy
loc net ACCEPT
loc $FW REJECT info
loc all REJECT info
net $FW DROP info
net loc DROP info
net all DROP info
all all REJECT info
gravity linux # grep ^[A-Za-z] /etc/shorewall/rules
DNS/ACCEPT $FW net
SSH/ACCEPT loc $FW
Ping/ACCEPT loc $FW
Ping/REJECT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
gravity linux # grep ^[A-Za-z] /etc/shorewall/interfaces
net eth1 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc eth0 detect tcpflags,detectnets,nosmurfs
gravity linux # grep ^[A-Za-z] /etc/shorewall/zones
fw firewall
net ipv4
loc ipv4
gravity linux #
_________________ join the optout - http://nhsconfidentiality.org
steveb Advocate
Joined: 18 Sep 2002 Posts: 4564
Posted: Wed Nov 21, 2007 2:48 pm Post subject:
Your rule file appears to be missing one of those:
Code:
SECTION ESTABLISHED
SECTION RELATED
SECTION NEW
// SteveB
thecooptoo Veteran
Joined: 27 Apr 2003 Posts: 1353 Location: UK
Posted: Wed Nov 21, 2007 3:11 pm Post subject:
I copied it from /usr/share/docs/shorewall-3..4.6/Samples/
So is something missing from there?
_________________ join the optout - http://nhsconfidentiality.org
thecooptoo Veteran
Joined: 27 Apr 2003 Posts: 1353 Location: UK
Posted: Wed Nov 21, 2007 3:20 pm Post subject:
Code:
gravity two-interfaces # grep ^[A-Za-z] /etc/shorewall/shorewall.conf
STARTUP_ENABLED=Yes
VERBOSITY=1
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=1
EXPORTPARAMS=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
gravity two-interfaces #
_________________ join the optout - http://nhsconfidentiality.org
steveb Advocate
Joined: 18 Sep 2002 Posts: 4564
Posted: Wed Nov 21, 2007 3:26 pm Post subject:
Please post your rules file WITHOUT using grep. Just the full file. With everything you have in it.
// SteveB
thecooptoo Veteran
Joined: 27 Apr 2003 Posts: 1353 Location: UK
Posted: Wed Nov 21, 2007 3:32 pm Post subject:
Code:
gravity linux # cat /etc/shorewall/rules
#
# Shorewall version 3.4 - Sample Rules File for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-rules"
#
# For more information, see http://www.shorewall.net/Documentation.htm#Rules
#
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
DNS/ACCEPT $FW net
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT loc $FW
#
# Allow Ping from the local network
#
Ping/ACCEPT loc $FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping/REJECT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
gravity linux #
Code:
gravity linux # cat /etc/shorewall/policy
#
# Shorewall version 3.4 - Sample Policy File for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-policy"
#
# See http://shorewall.net/Documentation.htm#Policy for additional information.
#
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
#
# Note about policies and logging:
# This file contains an explicit policy for every combination of
# zones defined in this sample. This is solely for the purpose of
# providing more specific messages in the logs. This is not
# necessary for correct operation of the firewall, but greatly
# assists in diagnosing problems.
#
#
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc net ACCEPT
loc $FW REJECT info
loc all REJECT info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW net ACCEPT info
$FW loc REJECT info
$FW all REJECT info
#
# Policies for traffic originating from the Internet zone (net)
#
net $FW DROP info
net loc DROP info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
gravity linux #
_________________ join the optout - http://nhsconfidentiality.org
Last edited by thecooptoo on Wed Nov 21, 2007 4:05 pm; edited 1 time in total
steveb Advocate
Joined: 18 Sep 2002 Posts: 4564
Posted: Wed Nov 21, 2007 3:54 pm Post subject:
In your rule file add after "#ACTION SOURCE " or before the first rule the following lines:
Code:
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
Does that fix the issue?
// SteveB
thecooptoo Veteran
Joined: 27 Apr 2003 Posts: 1353 Location: UK
Posted: Wed Nov 21, 2007 4:04 pm Post subject:
Code:
gravity paul # /etc/init.d/shorewall restart
* Restarting firewall ...
WARNING: NAT disabled; masq rule ignored
Shorewall is not running
iptables: No chain/target/match by that name
ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
/sbin/shorewall: line 665: 21834 Terminated $SHOREWALL_SHELL ${VARDIR}/.restart $debugging r [ !! ]
gravity paul # cat etc/shorewall/rules
cat: etc/shorewall/rules: No such file or directory
gravity paul # cat /etc/shorewall/rules
#
# Shorewall version 3.4 - Sample Rules File for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-rules"
#
# For more information, see http://www.shorewall.net/Documentation.htm#Rules
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
DNS/ACCEPT $FW net
#
# Accept SSH connections from the local network for administration
#
SSH/ACCEPT loc $FW
#
# Allow Ping from the local network
#
Ping/ACCEPT loc $FW
#
# Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping/REJECT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
gravity paul #
_________________ join the optout - http://nhsconfidentiality.org
thecooptoo Veteran
Joined: 27 Apr 2003 Posts: 1353 Location: UK
Posted: Wed Nov 21, 2007 4:57 pm Post subject:
I've also put it to the Shorewall mailing list and they said
"Looks like you haven't configured either connection tracking or state
matching in your kernel. You need both."
So I've recompiled the kernel and now have
Code:
gravity paul # lsmod
Module Size Used by
xt_state 2048 0
xt_tcpmss 1920 0
xt_tcpudp 2816 0
xt_pkttype 1664 0
iptable_raw 1920 0
xt_CLASSIFY 1664 0
xt_CONNMARK 2304 0
xt_MARK 2048 0
xt_comment 1664 0
xt_length 1792 0
xt_connmark 1920 0
xt_policy 3200 0
xt_multiport 2816 0
xt_conntrack 2304 0
nf_conntrack 45912 4 xt_state,xt_CONNMARK,xt_connmark,xt_conntrack
iptable_mangle 2176 0
ipt_ULOG 6148 0
ipt_TTL 1920 0
ipt_ttl 1664 0
ipt_TOS 1792 0
ipt_tos 1408 0
ipt_REJECT 3328 0
ipt_recent 7064 0
ipt_owner 1792 0
ipt_LOG 5248 0
ipt_iprange 1664 0
ipt_ECN 2432 0
ipt_ecn 1920 0
ipt_ah 1664 0
ipt_addrtype 1664 0
iptable_filter 2304 1
ip_tables 9032 3 iptable_raw,iptable_mangle,iptable_filter
x_tables 10244 28 xt_state,xt_tcpmss,xt_tcpudp,xt_pkttype,xt_CLASSIFY,xt_CONNMARK,xt_MARK,xt_comment,xt_length,xt_connmark,xt_policy,xt_multiport,xt_conntrack,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_REJECT,ipt_recent,ipt_owner,ipt_LOG,ipt_iprange,ipt_ECN,ipt_ecn,ipt_ah,ipt_addrtype,ip_tables
i915 19840 2
michael_mic 2304 4
ieee80211_crypt_tkip 8960 2
pcmcia 32936 0
yenta_socket 21132 2
rsrc_nonstatic 9728 1 yenta_socket
pcmcia_core 31508 3 pcmcia,yenta_socket,rsrc_nonstatic
ipw2100 58800 0
8139cp 16256 0
8139too 19072 0
Anything wrong with this?
_________________ join the optout - http://nhsconfidentiality.org
steveb Advocate
Joined: 18 Sep 2002 Posts: 4564
Posted: Wed Nov 21, 2007 5:14 pm Post subject:
On my setup, where ShoreWall and NAT are working, I have this:
Code:
mail ~ # lsmod|grep "^\(ipt\|xt\)"
iptable_raw 1792 0
xt_comment 1536 0
xt_policy 3136 0
xt_multiport 3008 13
ipt_ULOG 6308 0
ipt_TTL 1792 0
ipt_ttl 1536 0
ipt_TOS 1792 0
ipt_tos 1344 0
ipt_SAME 2048 0
ipt_REJECT 3264 4
ipt_REDIRECT 1920 0
ipt_recent 7344 0
ipt_owner 1664 0
ipt_NETMAP 1856 0
ipt_MASQUERADE 2880 1
ipt_LOG 5184 13
ipt_iprange 1472 0
ipt_ECN 2304 0
ipt_ecn 1792 0
ipt_CLUSTERIP 6340 0
ipt_ah 1536 0
ipt_addrtype 1536 0
xt_tcpmss 1856 0
xt_pkttype 1600 4
xt_NFQUEUE 1664 0
xt_NFLOG 1728 0
xt_MARK 1920 0
xt_mark 1600 0
xt_mac 1600 0
xt_limit 2048 0
xt_length 1664 0
xt_helper 2048 0
xt_hashlimit 7628 0
xt_dccp 2692 0
xt_conntrack 2176 3
xt_CONNMARK 2048 0
xt_connmark 1856 0
xt_CLASSIFY 1536 0
xt_tcpudp 2944 101
xt_state 1920 23
iptable_nat 6340 1
iptable_mangle 2176 1
iptable_filter 2244 1
mail ~ #
In your setup I miss: iptable_nat and ipt_MASQUERADE
// SteveB
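The thread's diagnosis boils down to a checklist: the first lsmod had no connection tracking or state match at all (hence the failing "-m state" rule), the rebuilt kernel had nf_conntrack and xt_state but still no iptable_nat or ipt_MASQUERADE (hence "NAT disabled" and the missing nat table), and the original "grep -i IP_NF" of .config could not reveal this because the conntrack, state and NAT options live under CONFIG_NF_* and CONFIG_NETFILTER_XT_*, not CONFIG_IP_NF_*. The script below is an added example written for this page, not code from the thread or from the Shorewall project. It runs that checklist offline over lsmod and .config text; the sample inputs are constructed from the excerpts posted above and trimmed to the relevant lines. The module list and the config symbol names are assumptions based on 2.6.2x-era kernels (later kernels renamed some symbols), so adjust them for the kernel at hand.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): an offline
# check of the netfilter pieces a Shorewall two-interface (masquerading)
# setup needs, run over lsmod and .config text. The sample inputs below are
# constructed from the excerpts in the thread, trimmed to the relevant lines.

# Module names as loaded on 2.6.2x kernels (assumption: later kernels keep
# these names but build them from partly renamed config symbols).
# nf_conntrack and xt_state are the "connection tracking" and "state matching"
# the mailing-list reply refers to; iptable_nat provides the 'nat' table whose
# absence produces "can't initialize iptables table `nat'"; ipt_MASQUERADE is
# the target behind the masq file.
REQUIRED_MODULES="nf_conntrack xt_state iptable_nat ipt_MASQUERADE iptable_filter"

# Config symbols behind those modules (assumption: 2.6.2x names). Only the
# IP_NF_* one would match a 'grep -i IP_NF' of .config; the conntrack, state
# and NAT symbols live under NF_ and NETFILTER_XT_, which is why the grep in
# the thread looked complete while the kernel still lacked them.
REQUIRED_CONFIG="NF_CONNTRACK NF_CONNTRACK_IPV4 NETFILTER_XT_MATCH_STATE NF_NAT IP_NF_TARGET_MASQUERADE"

# missing_modules "<lsmod output>" -> space-separated required modules not listed
missing_modules() {
    lsmod_text=$1
    missing=""
    for m in $REQUIRED_MODULES; do
        # first column of lsmod is the module name; match it exactly
        if ! printf '%s\n' "$lsmod_text" | awk -v m="$m" '$1 == m { found = 1 } END { exit !found }'; then
            missing="$missing $m"
        fi
    done
    printf '%s\n' "${missing# }"
}

# missing_config "<.config text>" -> required symbols not set to y or m
missing_config() {
    config_text=$1
    missing=""
    for c in $REQUIRED_CONFIG; do
        # "# CONFIG_X is not set" and absent lines both count as missing
        if ! printf '%s\n' "$config_text" | grep -q "^CONFIG_$c=[ym]\$"; then
            missing="$missing $c"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Constructed samples: the first lsmod in the thread (no conntrack at all),
# the one after the recompile (conntrack and state but no NAT), and a working
# box in the style of the last reply.
LSMOD_FIRST='Module                  Size  Used by
xt_tcpmss               1920  0
iptable_filter          2304  1
ip_tables               9032  3 iptable_raw,iptable_mangle,iptable_filter
x_tables               10244  24 xt_tcpmss,ip_tables'

LSMOD_RECOMPILED='Module                  Size  Used by
xt_state                2048  0
nf_conntrack           45912  4 xt_state,xt_CONNMARK,xt_connmark,xt_conntrack
iptable_filter          2304  1
ip_tables               9032  3 iptable_raw,iptable_mangle,iptable_filter'

LSMOD_WORKING='Module                  Size  Used by
ipt_MASQUERADE          2880  1
xt_state                1920  23
nf_conntrack           45912  4 xt_state,xt_conntrack
iptable_nat             6340  1
iptable_filter          2244  1'

CONFIG_FIRST='CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_NF_CONNTRACK is not set
CONFIG_IP_NF_ARPTABLES=m'

CONFIG_WORKING='CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NF_NAT=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_MASQUERADE=m'

echo "missing modules, first lsmod:   $(missing_modules "$LSMOD_FIRST")"
echo "missing modules, after rebuild: $(missing_modules "$LSMOD_RECOMPILED")"
echo "missing modules, working box:   $(missing_modules "$LSMOD_WORKING")"
echo "missing config, first .config:  $(missing_config "$CONFIG_FIRST")"
echo "missing config, working box:    $(missing_config "$CONFIG_WORKING")"
```

On a live machine the same functions take real input: missing_modules "$(lsmod)" and, where the kernel exposes its config, missing_config "$(zcat /proc/config.gz)" or the .config of the source tree. An empty result from both is the state steveb's working box is in; a non-empty module list with an empty config list usually just means the module has not been loaded yet, whereas a non-empty config list means a rebuild is needed, which is the case the thread ends on.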