LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-23-2005, 10:38 PM   #1
di11rod
Member
Registered: Jan 2004
Location: Austin, TEXAS
Distribution: CentOS 6.5
Posts: 211
Shorewall blocking SSH on Mandriva 2006


Been scratching my head a few days on this one. Would appreciate any suggestions that would head me in a direction towards resolving this issue.

Fresh install. I can SSH from the server to itself. Can't from any box on my LAN. Services such as Webmin (port 10000, SSL), HTTP (port 80), and SMB work. Mail (Postfix) doesn't seem to be accepting stuff, though.

When I did the install, I selected 'Higher' in the security settings. This seems to have automatically enabled Shorewall with a bunch of reject policies, but also a bunch of accept policies. Some are in conflict, such as the accept port 22 and 25 connections, but they aren't accepting. I also see reject SMB, but that does work. I wish I could just lower the security setting to 'high', but I can't find any control panel in the X GUI for making that sweeping adjustment.

Below is the Shorewall config file. Any tips appreciated. I'm pretty familiar with all the other linux conventions, so I don't need much handholding. Just a clue!

Appreciatively,

di11rod

/etc/shorewall/policy

###############################################################################
#SOURCE    DEST    POLICY    LOG LEVEL    LIMIT:BURST
fw         net     ACCEPT
net        all     DROP      info
all        all     REJECT    info
#LAST LINE -- DO NOT REMOVE

/etc/shorewall/rules

####################################################################################################
#ACTION    SOURCE    DEST    PROTO    DEST PORT(S)                                           SOURCE PORT(S)    ORIGINAL DEST    RATE LIMIT    USER/GROUP
ACCEPT     net       $FW     tcp      10000
ACCEPT     net       fw      udp      137,138,139,445,1024:1100                              -
ACCEPT     net       $FW     tcp      80,443,22,25,109,110,143,137,138,139,445,1024:1100
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


Oh, I found this in the 'Linux Firewall' Webmin module:

# Generated by iptables-save v1.3.3 on Wed Nov 23 21:24:37 2005
*mangle
:PREROUTING ACCEPT [313359:58225233]
:INPUT ACCEPT [313325:58223872]
:FORWARD ACCEPT [9:641]
:OUTPUT ACCEPT [456441:536798511]
:POSTROUTING ACCEPT [456788:536860688]
COMMIT
# Completed on Wed Nov 23 21:24:37 2005
# Generated by iptables-save v1.3.3 on Wed Nov 23 21:24:37 2005
*nat
:PREROUTING ACCEPT [7269:436329]
:POSTROUTING ACCEPT [5761:237663]
:OUTPUT ACCEPT [5761:237663]
COMMIT
# Completed on Wed Nov 23 21:24:37 2005
# Generated by iptables-save v1.3.3 on Wed Nov 23 21:24:37 2005
*filter
:AllowICMPs - [0:0]
:Drop - [0:0]
:DropDNSrep - [0:0]
:DropSMB - [0:0]
:DropUPnP - [0:0]
:INPUT DROP [1:60]
:FORWARD DROP [0:0]
:Ifw - [0:0]
:OUTPUT DROP [0:0]
:Reject - [0:0]
:RejectAuth - [0:0]
:RejectSMB - [0:0]
:all2all - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:fw2net - [0:0]
:net2all - [0:0]
:net2fw - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
-A AllowICMPs -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A AllowICMPs -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j RejectAuth
-A Drop -j dropBcast
-A Drop -p icmp -j AllowICMPs
-A Drop -j dropInvalid
-A Drop -j DropSMB
-A Drop -j DropUPnP
-A Drop -p tcp -j dropNotSyn
-A Drop -j DropDNSrep
-A DropDNSrep -p udp -m udp --sport 53 -j DROP
-A DropSMB -p udp -m udp --dport 135 -j DROP
-A DropSMB -p udp -m udp --dport 137:139 -j DROP
-A DropSMB -p udp -m udp --dport 445 -j DROP
-A DropSMB -p tcp -m tcp --dport 135 -j DROP
-A DropSMB -p tcp -m tcp --dport 139 -j DROP
-A DropSMB -p tcp -m tcp --dport 445 -j DROP
-A DropUPnP -p udp -m udp --dport 1900 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j Ifw
-A INPUT -i eth0 -j eth0_in
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -j reject
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A Ifw -m set --set ifw_wl src -j RETURN
-A Ifw -m set --set ifw_bl src -j DROP
-A Ifw -m state --state INVALID,NEW -m psd --psd-weight-threshold 10 --psd-delay-threshold 10000 --psd-lo-ports-weight 1 --psd-hi-ports-weight 2 -j IFWLOG --log-prefix "SCAN"
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j fw2net
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -j reject
-A Reject -j RejectAuth
-A Reject -j dropBcast
-A Reject -p icmp -j AllowICMPs
-A Reject -j dropInvalid
-A Reject -j RejectSMB
-A Reject -j DropUPnP
-A Reject -p tcp -j dropNotSyn
-A Reject -j DropDNSrep
-A RejectAuth -p tcp -m tcp --dport 113 -j reject
-A RejectSMB -p udp -m udp --dport 135 -j reject
-A RejectSMB -p udp -m udp --dport 137:139 -j reject
-A RejectSMB -p udp -m udp --dport 445 -j reject
-A RejectSMB -p tcp -m tcp --dport 135 -j reject
-A RejectSMB -p tcp -m tcp --dport 139 -j reject
-A RejectSMB -p tcp -m tcp --dport 445 -j reject
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j Reject
-A all2all -j LOG --log-prefix "Shorewall:all2all:REJECT:" --log-level 6
-A all2all -j reject
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -j net2fw
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -j ACCEPT
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j Drop
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp -m tcp --dport 10000 -j ACCEPT
-A net2fw -p udp -m multiport --dports 137,138,139,445,1024:1100 -j ACCEPT
-A net2fw -p tcp -m multiport --dports 80,443,22,25,109,110,143,137,138,139,445,1024:1100 -j ACCEPT
-A net2fw -j net2all
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 192.168.1.255 -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 192.168.1.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.1.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
COMMIT
# Completed on Wed Nov 23 21:24:37 2005

Last edited by di11rod; 11-23-2005 at 10:41 PM.
 
Old 11-24-2005, 04:06 AM   #2
pingu
Senior Member
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350
It doesn't look like the firewall is blocking.
Check your /etc/sshd_config
Also, what message do you get trying to login?

(If it actually is Shorewall, you can track it by manually deleting the rules one by one. Shorewall adds a lot of rules, so it will take time...)
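
An offline way to do what pingu suggests, without deleting rules one by one on the live box: replay a single packet through the iptables-save dump posted in #1 and see which rule decides it. The example below is added here and is not code from the thread or from Shorewall. It carries a constructed excerpt of di11rod's filter table (the chains a new inbound packet traverses: INPUT, Ifw, eth0_in, net2fw, net2all) and understands only the matches that appear in that dump (-i, -p, --dport/--dports, -m state, -m set). The Drop/Reject action chains, the empty dynamic chain and the psd scan-detector rule are left out on the assumption that none of them matches a unicast, conntrack-NEW SYN before net2fw has already decided; the `Packet` type and `verdict_for` function are this example's own names.

```python
import shlex
from dataclasses import dataclass
from types import SimpleNamespace

# Added example, not Shorewall's code.  Constructed excerpt of di11rod's
# iptables-save output; Drop/Reject action chains, the empty 'dynamic' chain
# and the psd rule are omitted (assumption: none matches a unicast NEW SYN).
RULESET = """\
*filter
:INPUT DROP [1:60]
:Ifw - [0:0]
:eth0_in - [0:0]
:net2all - [0:0]
:net2fw - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j Ifw
-A INPUT -i eth0 -j eth0_in
-A Ifw -m set --set ifw_wl src -j RETURN
-A Ifw -m set --set ifw_bl src -j DROP
-A eth0_in -j net2fw
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp -m multiport --dports 80,443,22,25,109,110,143,137,138,139,445,1024:1100 -j ACCEPT
-A net2fw -j net2all
COMMIT
"""

@dataclass
class Packet:
    iface: str
    proto: str
    dport: int
    state: str = "NEW"              # what conntrack reports for a fresh SYN
    sets: frozenset = frozenset()   # ipset names that contain the source address

def parse_ports(spec):  # '22,1024:1100' -> [(22, 22), (1024, 1100)]
    parts = [item.partition(":") for item in spec.split(",")]
    return [(int(lo), int(hi or lo)) for lo, _, hi in parts]

def parse_ruleset(text):
    """Return ({chain: [rule, ...]}, {chain: policy}) from iptables-save text."""
    chains, policies = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                      # ':NAME POLICY [pkts:bytes]'
            name, policy, _counters = line[1:].split()
            chains[name], policies[name] = [], policy  # policy is '-' for user chains
        elif line.startswith("-A "):
            argv = shlex.split(line)
            jump = argv.index("-j")                   # match options precede -j, target options follow
            rule = SimpleNamespace(chain=argv[1], text=line, target=argv[jump + 1],
                                   iface=None, proto=None, ports=[], states=set(), ipset=None)
            i = 2
            while i < jump:
                opt, arg = argv[i], argv[i + 1]
                if opt in ("-i", "-p"):
                    setattr(rule, {"-i": "iface", "-p": "proto"}[opt], arg)
                elif opt in ("--dport", "--dports"):
                    rule.ports = parse_ports(arg)
                elif opt == "--state":
                    rule.states = set(arg.split(","))
                elif opt == "--set":                  # '--set NAME src' takes two arguments
                    rule.ipset, i = arg, i + 1
                elif opt != "-m":                     # '-m foo' only loads a match module
                    raise ValueError(f"unsupported match {opt!r} in: {line}")
                i += 2
            chains[rule.chain].append(rule)
    return chains, policies

def matches(rule, pkt):
    return ((rule.iface in (None, pkt.iface)) and (rule.proto in (None, pkt.proto))
            and (not rule.ports or any(lo <= pkt.dport <= hi for lo, hi in rule.ports))
            and (not rule.states or pkt.state in rule.states)
            and (rule.ipset is None or rule.ipset in pkt.sets))

def walk(chains, chain, pkt, trace):
    """First terminal match wins; RETURN or falling off a user chain resumes after the jump."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        trace.append(rule.text)
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target
        if rule.target == "RETURN":
            return None
        if rule.target in chains:                     # LOG etc. are non-terminal: keep walking
            verdict = walk(chains, rule.target, pkt, trace)
            if verdict:
                return verdict
    return None

def verdict_for(pkt, ruleset=RULESET, hook="INPUT"):
    """Return (verdict, [rules matched in order]) for pkt entering at hook."""
    chains, policies = parse_ruleset(ruleset)
    trace = []
    verdict = walk(chains, hook, pkt, trace)
    if verdict is None:                               # nothing terminal: chain policy applies
        verdict = policies[hook]
        trace.append(f"policy {hook} {verdict}")
    return verdict, trace
```

`verdict_for(Packet("eth0", "tcp", 22))` ends at the net2fw multiport ACCEPT, so the posted ruleset does let a new SSH connection from the LAN through; `Packet("lo", "tcp", 22)` is accepted by `-A INPUT -i lo -j ACCEPT` before any zone chain runs, which is why "SSH to itself works" says nothing about the eth0 path. The one firewall-side trap the walk does expose is the Ifw chain: a source address in the `ifw_bl` set is dropped before net2fw is ever consulted (`ipset -L ifw_bl` lists its members). On the live box the equivalent of the trace is to watch `iptables -L net2fw -v -n` counters while a LAN host retries; if the ACCEPT counter climbs but there is no session, the problem is past the firewall: check that sshd listens on the LAN address (`netstat -tlnp`, `ListenAddress` in sshd_config) and, if sshd is built with tcp_wrappers, /etc/hosts.allow and /etc/hosts.deny.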
 