LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 10-29-2004, 11:35 AM   #1
xilace
LQ Newbie
 
Registered: Oct 2003
Posts: 27

Rep: Reputation: 15
shorewall iptables, ftp


Here is what Shorewall set up for iptables on my Squid server. Even though it looks like FTP should be going through, it doesn't. When I connect to an FTP server where you have to log in, it lets me log in, and then when it tries to read the directory it hangs and finally just times out. Any ideas?
Keep in mind I'm new to iptables and don't have a clue what most of those switches are doing.

Code:
# Generated by iptables-save v1.2.11 on Fri Oct 29 09:21:44 2004
*mangle
:PREROUTING ACCEPT [1318792:910891079]
:INPUT ACCEPT [43171:6816862]
:FORWARD ACCEPT [1275591:904071325]
:OUTPUT ACCEPT [25279:4430217]
:POSTROUTING ACCEPT [1301485:908490701]
:outtos - [0:0]
:pretos - [0:0]
-A PREROUTING -j pretos
-A OUTPUT -j outtos
-A outtos -p tcp -j TOS --set-tos 0x10
-A outtos -p udp -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --sport 20 --dport 20 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --sport 21 --dport 21 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --sport 20 --dport 21 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --sport 21 --dport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -j TOS --set-tos 0x10
-A pretos -p udp -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --sport 20 --dport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --sport 21 --dport 21 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --sport 20 --dport 21 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --sport 21 --dport 20 -j TOS --set-tos 0x08
COMMIT
# Completed on Fri Oct 29 09:21:44 2004
# Generated by iptables-save v1.2.11 on Fri Oct 29 09:21:44 2004
*nat
:PREROUTING ACCEPT [11801:1869274]
:POSTROUTING ACCEPT [36:2320]
:OUTPUT ACCEPT [602:44675]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Oct 29 09:21:44 2004
# Generated by iptables-save v1.2.11 on Fri Oct 29 09:21:44 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:icmpdef - [0:0]
:loc2net - [0:0]
:net2loc - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ! icmp -m state --state INVALID -j DROP
-A INPUT -i eth1 -j eth1_in
-A INPUT -i eth0 -j eth0_in
-A INPUT -j ACCEPT
-A FORWARD -p ! icmp -m state --state INVALID -j DROP
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p ! icmp -m state --state INVALID -j DROP
-A OUTPUT -o eth0 -j all2all
-A OUTPUT -o eth1 -j all2all
-A OUTPUT -j ACCEPT
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j ACCEPT
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -o eth0 -j ACCEPT
-A eth0_fwd -o eth1 -j net2loc
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -j all2all
-A eth1_fwd -m state --state INVALID,NEW -j dynamic
-A eth1_fwd -o eth0 -j loc2net
-A eth1_fwd -o eth1 -j ACCEPT
-A eth1_in -m state --state INVALID,NEW -j dynamic
-A eth1_in -j all2all
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -p tcp -j ACCEPT
-A loc2net -p udp -j ACCEPT
-A loc2net -j all2all
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -p tcp -j ACCEPT
-A net2loc -p udp -j ACCEPT
-A net2loc -j all2all
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 192.168.1.255 -j DROP
-A reject -s 192.168.7.255 -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 192.168.1.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.1.255 -j DROP
-A smurfs -s 192.168.7.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.7.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
COMMIT
# Completed on Fri Oct 29 09:21:44 2004

Last edited by xilace; 10-29-2004 at 11:37 AM.
 
Old 10-29-2004, 11:56 AM   #2
ToniT
Senior Member
 
Registered: Oct 2003
Location: Zurich, Switzerland
Distribution: Debian/unstable
Posts: 1,357

Rep: Reputation: 47
Try modprobing the modules:
ip_nat_ftp
ip_conntrack_ftp

You can also try using passive mode for FTP transfers.
 
Old 10-29-2004, 12:36 PM   #3
xilace
LQ Newbie
 
Registered: Oct 2003
Posts: 27

Original Poster
Rep: Reputation: 15
This is how my modules look:

Code:
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc
It was already set up in there. Or do you mean to switch the loading sequence of ip_conntrack_ftp and ip_nat_ftp?

Last edited by xilace; 10-29-2004 at 12:37 PM.
 
Old 10-29-2004, 06:08 PM   #4
ToniT
Senior Member
 
Registered: Oct 2003
Location: Zurich, Switzerland
Distribution: Debian/unstable
Posts: 1,357

Rep: Reputation: 47
OK, the modules are there; the order shouldn't matter (though you might want to check that they got loaded, e.g. that they appear in the "lsmod" listing).

Also, is there the same problem when you try to use FTP directly from the server?
Does passive mode work?
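The check ToniT asks for in the two posts above (are ip_conntrack_ftp and ip_nat_ftp really loaded, and is ip_nat_ftp actually using ip_conntrack_ftp?) as a small script. This is an added example, not code from the thread or from Shorewall: it reads the same data lsmod prints, either /proc/modules or a saved lsmod listing, changes nothing, and only suggests a modprobe line for whatever is missing. The sample listing inside it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check that the FTP conntrack/NAT helper
# modules ToniT mentions really are loaded, using the same data "lsmod" prints.
# Works on /proc/modules (name size refcount deps ...) or on saved lsmod output
# like the listing posted above; no root needed, nothing is modified.

# The helpers Shorewall's modules file loads for FTP (names taken from the thread).
FTP_HELPERS="ip_conntrack ip_conntrack_ftp iptable_nat ip_nat_ftp"

# missing_modules LISTING NAME...
# Prints, one per line, each NAME that is not a loaded module in LISTING.
missing_modules() {
    listing=$1; shift
    for name in "$@"; do
        # column 1 is the exact module name; the "Module Size Used by" header never matches
        awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$listing" \
            || printf '%s\n' "$name"
    done
    return 0
}

# module_users LISTING NAME
# Prints the modules that depend on NAME (column 4, comma separated); once both
# helpers are loaded, ip_conntrack_ftp should list ip_nat_ftp here.
module_users() {
    awk -v n="$2" '$1 == n {
        deps = ($4 == "-") ? "" : $4   # /proc/modules prints "-" when nothing uses it
        sub(/,$/, "", deps)            # /proc/modules leaves a trailing comma, lsmod does not
        print deps
    }' "$1"
}

# Constructed sample in lsmod format: ip_nat_ftp is present but iptable_nat is not.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Module                  Size  Used by
ip_nat_ftp              4785  0
ip_conntrack_ftp       71153  1 ip_nat_ftp
ip_conntrack           33017  2 ip_nat_ftp,ip_conntrack_ftp
EOF
echo "constructed sample, missing helpers:"
missing_modules "$sample" $FTP_HELPERS | sed 's/^/  /'
rm -f "$sample"

# On a real box, report against the live module list and suggest the fix.
if [ -r /proc/modules ]; then
    missing=$(missing_modules /proc/modules $FTP_HELPERS)
    if [ -n "$missing" ]; then
        echo "not loaded:" $missing
        echo "try: modprobe" $missing
    else
        echo "all FTP helpers loaded; ip_conntrack_ftp used by: $(module_users /proc/modules ip_conntrack_ftp)"
    fi
fi
```

Passive mode is a useful isolation test alongside this: in passive mode the client opens the data connection outbound, which the loc2net chain in the iptables-save above already accepts for any TCP, so if passive listings work and active ones hang, the problem is confined to the helper handling the server's inbound data connection.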
 
Old 11-01-2004, 10:11 AM   #5
xilace
LQ Newbie
 
Registered: Oct 2003
Posts: 27

Original Poster
Rep: Reputation: 15
Code:
Module                  Size  Used by
parport_pc             21633  1
lp                      9645  0
parport                35721  2 parport_pc,lp
autofs4                20677  0
ipt_MASQUERADE          2625  1
ipt_TOS                 1857  24
ipt_REJECT              4801  4
ipt_pkttype             1345  2
ipt_LOG                 5569  4
ipt_state               1473  14
ipt_multiport           1601  0
ipt_conntrack           1985  0
iptable_mangle          2113  1
ip_nat_irc              4017  0
ip_nat_tftp             2865  0
ip_nat_ftp              4785  0
iptable_nat            17769  5 ipt_MASQUERADE,ip_nat_irc,ip_nat_tftp,ip_nat_ftp
ip_conntrack_irc       70641  1 ip_nat_irc
ip_conntrack_tftp       2929  0
ip_conntrack_ftp       71153  1 ip_nat_ftp
ip_conntrack           33017  10 ipt_MASQUERADE,ipt_state,ipt_conntrack,ip_nat_irc,ip_nat_tftp,ip_nat_ftp,iptable_nat,ip_conntrack_irc,ip_conntrack_tftp,ip_conntrack_ftp
sunrpc                140837  1
iptable_filter          2113  1
ip_tables              14529  11 ipt_MASQUERADE,ipt_TOS,ipt_REJECT,ipt_pkttype,ipt_LOG,ipt_state,ipt_multiport,ipt_conntrack,iptable_mangle,iptable_nat,iptable_filter
md5                     3649  1
ipv6                  209505  16
ne2k_pci                7201  0
8390                   10177  1 ne2k_pci
natsemi                28193  0
floppy                 54513  0
ext3                  104105  2
jbd                    66137  1 ext3
dm_mod                 46933  3
Yep... appears they are loading just fine.
 
Old 11-01-2004, 02:05 PM   #6
xilace
LQ Newbie
 
Registered: Oct 2003
Posts: 27

Original Poster
Rep: Reputation: 15
Still nothing. I can connect and log in, but I'm not able to retrieve the content listing.
Here is what my files all look like:

/etc/shorewall/rules
Code:
ACCEPT  loc             net             tcp     -       -       -
ACCEPT  net             loc             tcp     -       -       -
ACCEPT  loc             net             udp     -       -       -
ACCEPT  net             loc             udp     -       -       -
ACCEPT  loc             fw              tcp
ACCEPT  fw              loc             tcp
ACCEPT  loc             fw              udp
ACCEPT  fw              loc             udp
ACCEPT  net             fw              tcp
ACCEPT  fw              net             tcp
ACCEPT  net             fw              udp
ACCEPT  fw              net             udp
AllowFTP loc            net
AllowFTP net            loc
AllowFTP fw             loc
AllowFTP loc            fw
AllowFTP fw             net
AllowFTP net            fw
/etc/shorewall/policy
Code:
all             all             ACCEPT
/etc/shorewall/interfaces
Code:
loc     eth1            detect          routeback,dhcp
net     eth0            detect          routeback,dhcp
/etc/shorewall/start
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -s 192.168.1.0/24 --dport 80 -j REDIRECT --to-port 3128
iptables -A FORWARD -m state --state ESTABILISHED,RELATED -j ACCEPT
/etc/shorewall/init (taken from Shorewall's site)
Code:
if [ -z "`ip rule list | grep www.out`" ] ; then
        ip rule add fwmark CA table www.out # Note 0xCA = 202
        ip route add default via 192.168.1.1 dev eth1 table www.out
        ip route flush cache
        echo 0 /proc/sys/net/ipv4/conf/eth1/send_redirects
fi
And when it is started/restarted:
Code:
[root@squid shorewall]# service shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net loc dmz
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0
   Warning: Zone dmz is empty
Processing /etc/shorewall/init ...
Error: argument "CA" is wrong: fwmark value is invalid

RTNETLINK answers: File exists
0 /proc/sys/net/ipv4/conf/eth1/send_redirects
Deleting user chains...
   WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
Adding rules for DHCP
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.DropSMB...
   Pre-processing /usr/share/shorewall/action.RejectSMB...
   Pre-processing /usr/share/shorewall/action.DropUPnP...
   Pre-processing /usr/share/shorewall/action.RejectAuth...
   Pre-processing /usr/share/shorewall/action.DropPing...
   Pre-processing /usr/share/shorewall/action.DropDNSrep...
   Pre-processing /usr/share/shorewall/action.AllowPing...
   Pre-processing /etc/shorewall/action.AllowFTP...
   Pre-processing /usr/share/shorewall/action.AllowDNS...
   Pre-processing /usr/share/shorewall/action.AllowSSH...
   Pre-processing /usr/share/shorewall/action.AllowWeb...
   Pre-processing /usr/share/shorewall/action.AllowSMB...
   Pre-processing /usr/share/shorewall/action.AllowAuth...
   Pre-processing /usr/share/shorewall/action.AllowSMTP...
   Pre-processing /usr/share/shorewall/action.AllowPOP3...
   Pre-processing /usr/share/shorewall/action.AllowIMAP...
   Pre-processing /usr/share/shorewall/action.AllowTelnet...
   Pre-processing /usr/share/shorewall/action.AllowVNC...
   Pre-processing /usr/share/shorewall/action.AllowVNCL...
   Pre-processing /usr/share/shorewall/action.AllowNTP...
   Pre-processing /usr/share/shorewall/action.AllowRdate...
   Pre-processing /usr/share/shorewall/action.AllowNNTP...
   Pre-processing /usr/share/shorewall/action.AllowTrcrt...
   Pre-processing /usr/share/shorewall/action.AllowSNMP...
   Pre-processing /usr/share/shorewall/action.AllowPCA...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Processing /etc/shorewall/rules...
   Rule "ACCEPT loc net tcp - - -" added.
   Rule "ACCEPT net loc tcp - - -" added.
   Rule "ACCEPT loc net udp - - -" added.
   Rule "ACCEPT net loc udp - - -" added.
   Rule "ACCEPT loc fw tcp" added.
   Rule "ACCEPT fw loc tcp" added.
   Rule "ACCEPT loc fw udp" added.
   Rule "ACCEPT fw loc udp" added.
   Rule "ACCEPT net fw tcp" added.
   Rule "ACCEPT fw net tcp" added.
   Rule "ACCEPT net fw udp" added.
   Rule "ACCEPT fw net udp" added.
   Rule "AllowFTP loc net" added.
   Rule "AllowFTP net loc" added.
   Rule "AllowFTP fw loc" added.
   Rule "AllowFTP loc fw" added.
   Rule "AllowFTP fw net" added.
   Rule "AllowFTP net fw" added.
Processing Actions...
Processing /usr/share/shorewall/action.Drop...
Processing /usr/share/shorewall/action.Reject...
Processing /etc/shorewall/action.AllowFTP...
   Rule "ACCEPT - - tcp - -" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain all2all
   Policy ACCEPT for fw to loc using chain all2all
   Policy ACCEPT for net to fw using chain all2all
   Policy ACCEPT for net to loc using chain all2all
   Policy ACCEPT for loc to fw using chain all2all
   Policy ACCEPT for loc to net using chain all2all
Masqueraded Networks and Hosts:
Processing /etc/shorewall/tos...
   Rule "all all tcp - - 16" added.
   Rule "all all udp - - 16" added.
   Rule "all all tcp - ssh 16" added.
   Rule "all all tcp ssh - 16" added.
   Rule "all all tcp - ftp 8" added.
   Rule "all all tcp ftp - 8" added.
   Rule "all all tcp ftp-data - 8" added.
   Rule "all all tcp - ftp-data 8" added.
   Rule "all all tcp 20 20 8" added.
   Rule "all all tcp 21 21 8" added.
   Rule "all all tcp 20 21 8" added.
   Rule "all all tcp 21 20 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...
iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Bad state `ESTABILISHED,RELATED'
Try `iptables -h' or 'iptables --help' for more information.
Shorewall Restarted
[root@squid shorewall]#
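The restart output above reports three errors that nobody in the thread picks up, all from the hand-written lines in /etc/shorewall/start and /etc/shorewall/init: `--dport` is rejected because the REDIRECT line has no `-p tcp` (the port match belongs to the tcp/udp match, which iptables only loads after `-p`), `ESTABILISHED` is a typo for `ESTABLISHED`, and `fwmark CA` fails because ip wants a number (`0xCA`). The `0 /proc/sys/net/ipv4/conf/eth1/send_redirects` line is the `echo` printing its arguments because the `>` is missing. The following is an added example, not code from the thread or from Shorewall: a text-only lint that catches exactly those mistakes before a restart, run over the posted lines (constructed copies) and over corrected versions of them.

```shell
#!/bin/sh
# Added example, not part of the thread: a text-only lint for the hand-written
# iptables/ip lines in /etc/shorewall/start and /etc/shorewall/init. It covers
# the errors the restart output reports ("Unknown arg `--dport'",
# "Bad state `ESTABILISHED,RELATED'", "fwmark value is invalid") and the echo
# that printed "0 /proc/sys/..." instead of writing to the file. Nothing is
# executed; run it before "service shorewall restart".

VALID_STATES="NEW ESTABLISHED RELATED INVALID"   # states the ipt_state match understands

# lint_line LINE: prints one message per problem, returns 1 if any were found
lint_line() {
    line=$1; status=0
    case $line in
        *iptables*)
            # --dport/--sport come from the tcp/udp (or multiport) match, which
            # iptables only loads after "-p tcp", "-p udp" or an explicit "-m"
            case $line in
                *--dport*|*--sport*)
                    case " $line " in
                        *" -p tcp "*|*" -p udp "*|*" -m tcp "*|*" -m udp "*|*" -m multiport "*) ;;
                        *) echo "port match without -p tcp/udp: $line"; status=1 ;;
                    esac ;;
            esac
            # each name in "--state A,B" must be a state the state match knows
            states=$(printf '%s\n' "$line" | sed -n 's/.*--state \([^ ]*\).*/\1/p' | tr ',' ' ')
            for s in $states; do
                case " $VALID_STATES " in
                    *" $s "*) ;;
                    *) echo "unknown conntrack state '$s' (typo?): $line"; status=1 ;;
                esac
            done ;;
        *"ip rule "*fwmark*)
            # "ip" parses the mark as a number: decimal, or hex with a 0x prefix
            mark=$(printf '%s\n' "$line" | sed -n 's/.*fwmark \([^ ]*\).*/\1/p')
            case $mark in
                0[xX]*|[0-9]*) ;;
                *) echo "fwmark '$mark' is not a number, hex needs 0x: $line"; status=1 ;;
            esac ;;
        *echo*/proc/sys/*)
            # without ">" the value and the path are just printed to the terminal
            case $line in
                *">"*) ;;
                *) echo "echo to /proc without redirection: $line"; status=1 ;;
            esac ;;
    esac
    return $status
}

# lint_file FILE: lint every non-blank, non-comment line; returns 1 on any problem
lint_file() {
    rc=0
    while IFS= read -r l; do
        case $l in ''|'#'*) continue ;; esac
        lint_line "$l" || rc=1
    done < "$1"
    return $rc
}

# Constructed demo: the start/init lines as posted, then corrected versions.
posted=$(mktemp); fixed=$(mktemp)
cat > "$posted" <<'EOF'
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -s 192.168.1.0/24 --dport 80 -j REDIRECT --to-port 3128
iptables -A FORWARD -m state --state ESTABILISHED,RELATED -j ACCEPT
ip rule add fwmark CA table www.out # Note 0xCA = 202
echo 0 /proc/sys/net/ipv4/conf/eth1/send_redirects
EOF
cat > "$fixed" <<'EOF'
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip rule add fwmark 0xCA table www.out
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
EOF
echo "== as posted ==";  lint_file "$posted" || echo "(problems found)"
echo "== corrected ==";  lint_file "$fixed" && echo "(clean)"
rm -f "$posted" "$fixed"
```

Two consequences are visible in the output itself: because the `ip rule add` never succeeds, the `grep www.out` guard in init is always empty, so the `ip route add` runs on every restart and reports "RTNETLINK answers: File exists"; and the failed FORWARD line costs nothing, since Shorewall's own loc2net and net2loc chains in the iptables-save already accept RELATED,ESTABLISHED. Neither error explains the hanging directory listing, but until the REDIRECT line loads, port 80 traffic is not being sent to Squid either.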
 
Old 11-01-2004, 06:36 PM   #7
xilace
LQ Newbie
 
Registered: Oct 2003
Posts: 27

Original Poster
Rep: Reputation: 15
Anybody got any ideas? I'm still lost on this.
 
Old 11-02-2004, 09:55 AM   #8
xilace
LQ Newbie
 
Registered: Oct 2003
Posts: 27

Original Poster
Rep: Reputation: 15
*bump*
Still need some help =/
 
Old 11-16-2006, 10:52 AM   #9
tellef
LQ Newbie
 
Registered: Aug 2005
Location: Norway
Distribution: Slackware & Debian.
Posts: 23

Rep: Reputation: 15
Shorewall

Hi.

It appears from your command-line output that you've got things a bit messed up. If you read it closely you will see that you have zones defined that do not have a NIC or IP range, and you are allowing scary things in the policy file, for example:

-Policy ACCEPT for net to fw using chain all2all
-Policy ACCEPT for net to loc using chain all2all

These lines are like blowing a hole in the wall with a shotgun.
What they say is "everyone is welcome in".

You need to DROP packets from net to $fw and net to loc.
Then in /etc/shorewall/rules you need to DNAT incoming connections from net to "ip-addr-given" on loc (or preferably a DMZ zone if you can spare a NIC) for the FTP connection, and also ALLOW with the same specs. Sample from my own firewall:

DNAT net dmz:x.x.x.x:21 tcp 21
FTP/ACCEPT:info net dmz:x.x.x.x

The documentation section at www.shorewall.net has several excellent howtos for many applications.
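A quick audit for the hole tellef describes, as an added example (not code from the thread or from Shorewall): it flags any policy line that ACCEPTs from net or all, and lists what the rules file opens from net, so that inbound exposure is stated explicitly by rules rather than implied by a catch-all policy. Both sample files are constructed; the weak pair copies the thread's `all all ACCEPT` policy and `ACCEPT net loc tcp` rule, the hardened pair is a default-deny policy with a single DNAT for FTP to a placeholder loc host (192.168.1.10, chosen from the 192.168.1.0/24 range in the thread, not a real address from it).

```shell
#!/bin/sh
# Added example, not from the thread: audit a Shorewall policy file for an
# ACCEPT policy whose source is net (or all), and list what the rules file
# opens from net. Plain Shorewall 2.x column format is assumed:
#   policy: SOURCE DEST POLICY [LOG LEVEL]
#   rules:  ACTION SOURCE DEST PROTO DEST_PORT [SOURCE_PORT] [ORIGINAL_DEST]

# net_accept_policies FILE: prints "SOURCE DEST" for every ACCEPT policy that
# lets the untrusted zone in (source net or all, any destination).
net_accept_policies() {
    awk '/^[[:space:]]*#/ || NF < 3 { next }
         ($1 == "net" || $1 == "all") && $3 == "ACCEPT" { print $1, $2 }' "$1"
}

# net_exposure FILE: prints "ACTION DEST PROTO PORT" for each rule whose source
# is the net zone (optionally qualified, e.g. net:203.0.113.5), i.e. the
# services a default-deny policy still exposes on purpose. "-" means any.
net_exposure() {
    awk '/^[[:space:]]*#/ || NF < 3 { next }
         $2 ~ /^net(:|$)/ { print $1, $3, ($4 == "" ? "-" : $4), ($5 == "" ? "-" : $5) }' "$1"
}

# audit POLICY_FILE RULES_FILE: human-readable summary of both checks
audit() {
    open=$(net_accept_policies "$1")
    if [ -n "$open" ]; then
        echo "  policy ACCEPTs from the net zone (everything not matched by a rule gets in):"
        printf '%s\n' "$open" | sed 's/^/    /'
    else
        echo "  policy: no ACCEPT from net; only explicit rules reach loc/fw"
    fi
    echo "  rules reaching in from net (ACTION DEST PROTO PORT):"
    net_exposure "$2" | sed 's/^/    /'
}

# Constructed samples: the thread's wide-open configuration, then a default-deny one.
wp=$(mktemp); wr=$(mktemp); hp=$(mktemp); hr=$(mktemp)
printf 'all\tall\tACCEPT\n' > "$wp"
printf 'ACCEPT\tloc\tnet\ttcp\t-\t-\t-\nACCEPT\tnet\tloc\ttcp\t-\t-\t-\n' > "$wr"
cat > "$hp" <<'EOF'
# SOURCE  DEST  POLICY  LOG
loc       net   ACCEPT
fw        all   ACCEPT
net       all   DROP    info
all       all   REJECT  info
EOF
cat > "$hr" <<'EOF'
# ACTION  SOURCE  DEST                 PROTO  DEST_PORT   (192.168.1.10 is a placeholder host)
DNAT      net     loc:192.168.1.10:21  tcp    21
ACCEPT    net     loc:192.168.1.10     tcp    21
EOF
echo "== as posted in the thread =="; audit "$wp" "$wr"
echo "== default deny + DNAT for FTP =="; audit "$hp" "$hr"
rm -f "$wp" "$wr" "$hp" "$hr"
```

With ip_conntrack_ftp loaded (the modules file earlier in the thread has it), the FTP data connection is tracked as RELATED to the control connection, and Shorewall's generated net2loc chain already accepts RELATED,ESTABLISHED, so only port 21 needs to appear in the rules; the blanket `ACCEPT net loc tcp` and the net-to-loc AllowFTP line become unnecessary once the policy is default deny.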
 
  

