shorewall = frustration

renato167 · 05-17-2003, 02:45 AM

need help please!

newbie here.

trying to build my first linux firewall w/ shorewall

redhat 8.0

latest version of shorewall firewall

eth0 connected to cable modem (dhcp)

eth1 masquerade 192.168.1.254

two-interface sample downloaded from shorewall and files
copied to /etc/shorewall directory

/sbin/shorewall start

i get

"connection refused when accessing www.google.com"

or something to that effect.

definitely "connection refused'

i have to /sbin/shorewall clear to get access to the Internet.

any assistance from the board would be appreciated.

Robert0380 · 05-17-2003, 02:57 PM

i always suggest using iptables for firewalling:

#!/bin/bash
IPTABLES="/sbin/iptables"
NETIFACE="eth0"
LANIFACE="eth1"
LAN_IP="192.168.1.254" ##### FOR YOU ITS 192.168.1.254
www="80" ### http port
XPORT="6000" ### X11 open port
SSH="22" #### ssh port

### FLUSH TABLES ###
$IPTABLES -F
$IPTABLES -t nat -F

### SET POLICIES ###
echo Setting Firewall Policies
$IPTABLES -P INPUT DROP #### PUT SYSTEM ON LOCK DOWN ###
$IPTABLES -P FORWARD DROP #### ROUTING LOCK DOWN
$IPTABLES -P OUTPUT ACCEPT #### ALLOW ALL OUTGOING

### ALLOW established INTERNET CONNECTIONS ###
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ALLOW CONNECTIONS ON PORT 22(SSH) ###
$IPTABLES -A INPUT -p tcp --dport $SSH -j ACCEPT

### ALLOW http CONNECTIONS ###
$IPTABLES -A INPUT -p tcp --dport $www -j ACCEPT

### ALLOW PING ###
$IPTABLES -A INPUT -p icmp -j ACCEPT

### TRUST THE LAN COMPUTER ###
$IPTABLES -A INPUT -s LAN_IP -j ACCEPT

### MASQUERADING ###
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP -o $NETIFACE -j MASQUERADE

echo Done

As you can see by the comments, my box only allows incomming connections on port 80, 22 and any icmp requests ( i wanted the box to be pingable). You can take this, copy it to a file called firewall.sh, and run it:

# sh firewall.sh

if you decided to try this and you get errors, post again and i'll help you fix em, i just went through this and edited it about 4 or 5 times in this post so it might have some errors. You can check your firewall rules by typing the following:

#iptables -L
and
#iptables -t nat -L

and you can delete all the rules (if something isnt working and u just want the firewall down)

#iptables -F
#iptables -t nat -F

if just typing iptables doesnt work try /sbin/iptables

renato167 · 05-18-2003, 11:01 PM

thanks

everything is working just fine.

again, many thanks.

renato

Robert0380 · 05-19-2003, 12:25 AM

did you actually use iptables or did you get shorewall working?