Can't ping/ssh my box, Shorewall seems to block all traffic except http / ftp
I'm running Mandrake 9.1 on security level Higher which seems to bring with it a whole bunch of config headaches. Never had to deal with this cos my previous setup was with Mandrake 8.1.
I can access webpages served off my box, as well as FTP in. But I can't SSH in or even get a reply when I ping it! Turning shorewall off doesn't seem to make a difference (maybe I'm missing a step there). I'm very new to this and after spending many days unsuccessfully Googling for any related info, I would really appreciate it if someone would give me a step-by-step guide on how I should work out what's wrong. /etc/shorewall/rules currently contains: ACCEPT net fw tcp for 80, 22, 21. I don't understand why SSH wouldn't work if HTTP and FTP work fine. What other config files should I be looking at?
If it helps, I am having the same problem. Everything seems to work except ssh and ping. I am hoping to spend some time playing with it this evening. I will let you know what I find out.
One thing to note, I uninstalled the mdk9.1 rpms and installed shorewall from their tar ball. I did this so I could use their documentation to set up a two interface firewall/router. If you find the solution before I do please post it. Thanks, PhilD
Maybe try another iptables frontend, like Guarddog :)
okay tiduck,
I figured out the ssh problem. It is because of the higher security setting. By default, the /etc/hosts.deny includes everyone but the local host. To allow ssh into the box do the following. Add to /etc/hosts.allow:
sshd : all : allow
This should allow you to ssh into the box. If you want, you can allow only a given IP the ability to ssh. For me this is all I needed to do. I found this by tail -f the /var/log/messages file and noticing that shorewall was accepting the ssh, but sshd was rejecting the connection. As far as the ping goes, I have had no luck. I can ping local from the firewall, and I can ping the net from local, but I can not ping the firewall from local. I will have to work on that some more. Also, if there are those more knowledgeable on the subject, if I have the policy file as such:
loc net ACCEPT
loc fw ACCEPT
Is there any reason for me to have rules for loc2net or loc2fw? Shouldn't everything be accepted as it is? Or would it be better to deny everything and add rules for every connection I want to allow? Just looking for ideas from those more knowledgeable than I. Thanks, PhilD
PhilD: Awesome!!! Although I actually had to add "sshd:all allow". Did you add an extra colon by mistake?
Thanks for your help!
I may have. I thought I double checked it but that doesn't mean much. Either way, I assume it worked for you too. Now if we could just get the ping to work. Granted, I don't really need it, but it would be nice as a way to do a quick "are you alive" to the firewall.
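The hosts.allow fix above, and the two spellings tried in the replies, replayed as an added example (not code from the thread): a small POSIX sh/awk simulation of the libwrap check that sshd performs after Shorewall has already accepted the packet, run on constructed hosts.allow/hosts.deny contents rather than real files. It implements only the ALL wildcard, exact names and EXCEPT, so it is a teaching model, not a substitute for tcpdmatch.

```shell
#!/bin/sh
# Added example, not from the thread: simulate the TCP-wrappers check that
# sshd (built with libwrap) applies after Shorewall has already accepted the
# packet, to reproduce "shorewall accepts, sshd rejects" offline.
# Evaluation order is libwrap's: hosts.allow first, then hosts.deny, and a
# client matching neither file is allowed. Only ALL, exact names and the
# EXCEPT operator are implemented; all contents below are constructed.

HOSTS_DENY='ALL: ALL EXCEPT localhost'      # mirrors "everyone but local host"
HOSTS_ALLOW_BEFORE='# nothing allowed yet'
HOSTS_ALLOW_AFTER='sshd : ALL : allow'     # the fix posted above
HOSTS_ALLOW_VARIANT='sshd:all allow'       # the spelling that also worked

# wrapper_matches CONTENT DAEMON CLIENT -> exit 0 if any line matches both
wrapper_matches() {
  printf '%s\n' "$1" | awk -F':' -v d="$2" -v c="$3" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # list matching: "A EXCEPT B" matches when A matches and B does not
    function matches(list, item,   parts, n, i, m, a) {
      n = split(list, parts, / EXCEPT /)
      if (n > 1) return matches(parts[1], item) && !matches(parts[2], item)
      m = split(trim(list), a, /[ \t,]+/)
      for (i = 1; i <= m; i++)
        if (toupper(a[i]) == "ALL" || toupper(a[i]) == toupper(item)) return 1
      return 0
    }
    /^[ \t]*(#|$)/ { next }
    matches($1, d) && matches($2, c) { found = 1; exit }
    END { if (found) exit 0; exit 1 }'
}

# sshd_decision ALLOW_CONTENT DENY_CONTENT CLIENT -> prints allow or deny
sshd_decision() {
  if wrapper_matches "$1" sshd "$3"; then echo allow
  elif wrapper_matches "$2" sshd "$3"; then echo deny
  else echo allow
  fi
}

sshd_decision "$HOSTS_ALLOW_BEFORE"  "$HOSTS_DENY" 192.168.1.5   # deny
sshd_decision "$HOSTS_ALLOW_AFTER"   "$HOSTS_DENY" 192.168.1.5   # allow
sshd_decision "$HOSTS_ALLOW_VARIANT" "$HOSTS_DENY" 192.168.1.5   # allow
sshd_decision "$HOSTS_ALLOW_BEFORE"  "$HOSTS_DENY" localhost     # allow
```

The first call reproduces the symptom in the thread (firewall accepts, sshd refuses); the last shows why the box could still reach itself.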
I noticed that shorewall/rules doesn't include any entries for ICMP. Wouldn't that block all pings? I'll have to check it out later.
So far, this is my history with the PING!
I have tried all variations with no success. These being:
ACCEPT loc fw icmp 8
ACCEPT loc fw icmp echo-request
I have tried each one alone and both together. The behavior I have seen is as follows. With neither rule, I see the message rejected - icmp - 8 (summary) by tail -f 'ing the /var/log/messages file. If I add either or both this message is not generated. The client side correctly identifies the fw and its IP and sits there. When I ^c it shows 100% failure. As I mentioned before, I can ping from the fw to loc and from loc to net with the following rules.
ACCEPT loc net icmp 8
ACCEPT fw loc icmp 8
Actually, the loc2net may be an echo-request. I am still looking for the correct way to set this up. Let me know what you find. Thanks, PhilD
Proud,
Thanks for the pointer to Guarddog. It looks like a very useful firewall configuration tool. The only problem is I don't have KDE on this box, and I doubt I have room for it. One of the joys of linux is setting up minimal hardware for network tasks. Thanks for the hint. I may very well try it if/when I upgrade this box. PhilD
Well I see your problem, but if it helps, you should only need Qt and a few other things, not all of KDE. Guarddog does make creating a detailed firewall much easier for beginners :)
tiduck,
I found the Ping culprit, :D well, I found it on another non related post and thought I should check it out. Here is what I did: in file /etc/sysctl.conf change line:
net.ipv4.icmp_echo_ignore_all=1
to:
net.ipv4.icmp_echo_ignore_all=0
Then restart the network and shorewall. This, with the icmp 8 rules in shorewall, worked. Now to complete the rule set for the firewall. I still have the question about the rules vs. policies. Why do I need a rule to accept www from loc to net if the policy for loc2net is accept? I know this shouldn't be that difficult, but.... I am sure I will get it sometime. Thanks for the help! PhilD
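An added example (not from the thread) for the rules-versus-policy question PhilD raises here and in the earlier ssh post, plus the sysctl fix just found: Shorewall consults the rules file first and applies the policy only to connections no rule matched, so a rule that repeats an ACCEPT policy changes nothing. The script replays that order on constructed copies of the thread's rules, policy and sysctl.conf lines (nothing is read from /etc) and lists the rules that only restate a policy.

```shell
#!/bin/sh
# Added example, not from the thread: replay Shorewall's order of evaluation
# (rules file first; the policy file decides only connections no rule matched,
# so a rule repeating an ACCEPT policy adds nothing) and check the sysctl that
# drops echo requests even after Shorewall has accepted them.
# All file contents below are constructed to mirror the thread.
RULES='ACCEPT loc fw icmp 8
ACCEPT loc net icmp 8
ACCEPT net fw tcp 80,22,21
ACCEPT loc net tcp 80'
POLICY='loc net ACCEPT
loc fw ACCEPT
net all DROP'
SYSCTL_BAD='net.ipv4.icmp_echo_ignore_all=1'    # the setting that broke ping
SYSCTL_OK='net.ipv4.icmp_echo_ignore_all = 0'   # the fix found in the thread

# decide RULES POLICY SRC DST PROTO PORT -> "<ACTION> via rule|policy"
# (for icmp, PORT is the ICMP type; the thread uses 8 for echo-request)
decide() {
  r=$(printf '%s\n' "$1" | awk -v s="$3" -v d="$4" -v p="$5" -v port="$6" '
    /^[ \t]*(#|$)/ { next }
    $2 == s && $3 == d && $4 == p {
      n = split($5, ports, ",")
      for (i = 1; i <= n; i++)
        if (ports[i] == port) { print $1 " via rule"; exit }
    }')
  if [ -n "$r" ]; then echo "$r"; return 0; fi
  printf '%s\n' "$2" | awk -v s="$3" -v d="$4" '
    /^[ \t]*(#|$)/ { next }
    ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3 " via policy"; exit }'
}

# redundant RULES POLICY -> rules whose action merely repeats the matching policy
redundant() {
  printf '%s\n' "$1" | while read -r act src dst proto port; do
    case "$act" in ''|'#'*) continue ;; esac
    pol=$(printf '%s\n' "$2" | awk -v s="$src" -v d="$dst" '
      ($1 == s || $1 == "all") && ($2 == d || $2 == "all") { print $3; exit }')
    if [ "$pol" = "$act" ]; then echo "$act $src $dst $proto $port"; fi
  done
}

# echo_ignored SYSCTL_CONTENT -> exit 0 when the kernel would ignore all pings
echo_ignored() {
  printf '%s\n' "$1" | awk -F'=' '
    $1 ~ /^[ \t]*net\.ipv4\.icmp_echo_ignore_all[ \t]*$/ { v = $2; gsub(/[ \t]/, "", v) }
    END { if (v == "1") exit 0; exit 1 }'
}

decide "$RULES" "$POLICY" net fw tcp 22     # ACCEPT via rule
decide "$RULES" "$POLICY" net fw tcp 23     # DROP via policy
if echo_ignored "$SYSCTL_BAD"; then echo "kernel ignores echo-request: set icmp_echo_ignore_all=0"; fi
redundant "$RULES" "$POLICY"                # the three loc rules repeat ACCEPT policies
```

With a DROP policy for net->fw, the rule for 80, 22 and 21 is the only thing letting those services in, which is the "deny everything, then add rules" layout asked about earlier.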