LinuxQuestions.org
Old 03-04-2006, 10:09 AM   #1
cccc
SHOREWALL Firewall Routing Problem


hi

I have set up sarge stable as a router now, with shorewall and bind9, works fantastic!
Except one little thing..
I can't seem to access my outside IP from the local network.
In my case I can't access the internet like http://www.google.com from the LAN clients,
but I can access the local IP addresses (http://192.168.115.X).
Is there anyone that knows how to set up shorewall in a way I can access the outside IP?

I've done the following:
1.) ip forwarding in /etc/shorewall.conf is on:

2.) policy:
Code:
loc	all	ACCEPT
fw	net	ACCEPT
fw	loc	ACCEPT
net	all	DROP	info
all	all	REJECT	info
3.) rules:
Code:
ACCEPT	net	$FW	tcp	ssh,www,https,ftp
ACCEPT	net	fw	udp	https,domain
ACCEPT	fw	net	udp	domain
If anyone could help out, I'd really appreciate it.

greetings
cc
 
Old 03-04-2006, 08:56 PM   #2
win32sux
I am not familiar with shorewall, but does it have an option where you activate SNAT/Masquerading? cuz that might be what you are missing...

what do your iptables look like?
Code:
iptables -L -v

iptables -L -v -t nat
 
Old 03-04-2006, 10:42 PM   #3
cccc
Code:
# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
 8986  842K ACCEPT     all  --  lo     any     anywhere             anywhere 
47301 4544K eth0_in    all  --  eth0   any     anywhere             anywhere 
 2888  401K eth1_in    all  --  eth1   any     anywhere             anywhere 
    0     0 Reject     all  --  any    any     anywhere             anywhere 
    0     0 LOG        all  --  any    any     anywhere             anywhere         LOG level info prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  any    any     anywhere             anywhere 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 eth0_fwd   all  --  eth0   any     anywhere             anywhere 
  801 81459 eth1_fwd   all  --  eth1   any     anywhere             anywhere 
    0     0 Reject     all  --  any    any     anywhere             anywhere 
    0     0 LOG        all  --  any    any     anywhere             anywhere         LOG level info prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  any    any     anywhere             anywhere 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
 8986  842K ACCEPT     all  --  any    lo      anywhere             anywhere 
50255 8945K fw2net     all  --  any    eth0    anywhere             anywhere 
  378  124K fw2loc     all  --  any    eth1    anywhere             anywhere 
    0     0 Reject     all  --  any    any     anywhere             anywhere 
    0     0 LOG        all  --  any    any     anywhere             anywhere         LOG level info prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     all  --  any    any     anywhere             anywhere 

Chain AllowICMPs (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere         icmp fragmentation-needed
    1    56 ACCEPT     icmp --  any    any     anywhere             anywhere         icmp time-exceeded

Chain Drop (1 references)
 pkts bytes target     prot opt in     out     source               destination 
  965  137K RejectAuth  all  --  any    any     anywhere             anywhere 
  965  137K dropBcast  all  --  any    any     anywhere             anywhere 
   87  7688 AllowICMPs  icmp --  any    any     anywhere             anywhere 
  964  137K dropInvalid  all  --  any    any     anywhere             anywhere 
  961  136K DropSMB    all  --  any    any     anywhere             anywhere 
  324  105K DropUPnP   all  --  any    any     anywhere             anywhere 
   70  3396 dropNotSyn  tcp  --  any    any     anywhere             anywhere 
  322  104K DropDNSrep  all  --  any    any     anywhere             anywhere 

Chain DropDNSrep (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 DROP       udp  --  any    any     anywhere             anywhere         udp spt:domain

Chain DropSMB (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 DROP       udp  --  any    any     anywhere             anywhere         udp dpt:loc-srv
   11   858 DROP       udp  --  any    any     anywhere             anywhere         udp dpts:netbios-ns:netbios-ssn
    0     0 DROP       udp  --  any    any     anywhere             anywhere         udp dpt:microsoft-ds
  102  4976 DROP       tcp  --  any    any     anywhere             anywhere         tcp dpt:loc-srv
  178  8584 DROP       tcp  --  any    any     anywhere             anywhere         tcp dpt:netbios-ssn
  346 17104 DROP       tcp  --  any    any     anywhere             anywhere         tcp dpt:microsoft-ds

Chain DropUPnP (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 DROP       udp  --  any    any     anywhere             anywhere         udp dpt:1900

Chain Reject (4 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 RejectAuth  all  --  any    any     anywhere             anywhere 
    0     0 dropBcast  all  --  any    any     anywhere             anywhere 
    0     0 AllowICMPs  icmp --  any    any     anywhere             anywhere 
    0     0 dropInvalid  all  --  any    any     anywhere             anywhere 
    0     0 RejectSMB  all  --  any    any     anywhere             anywhere 
    0     0 DropUPnP   all  --  any    any     anywhere             anywhere 
    0     0 dropNotSyn  tcp  --  any    any     anywhere             anywhere 
    0     0 DropDNSrep  all  --  any    any     anywhere             anywhere 

Chain RejectAuth (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 reject     tcp  --  any    any     anywhere             anywhere         tcp dpt:auth

Chain RejectSMB (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 reject     udp  --  any    any     anywhere             anywhere         udp dpt:loc-srv
    0     0 reject     udp  --  any    any     anywhere             anywhere         udp dpts:netbios-ns:netbios-ssn
    0     0 reject     udp  --  any    any     anywhere             anywhere         udp dpt:microsoft-ds
    0     0 reject     tcp  --  any    any     anywhere             anywhere         tcp dpt:loc-srv
    0     0 reject     tcp  --  any    any     anywhere             anywhere         tcp dpt:netbios-ssn
    0     0 reject     tcp  --  any    any     anywhere             anywhere         tcp dpt:microsoft-ds

Chain all2all (0 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere         state RELATED,ESTABLISHED
    0     0 Reject     all  --  any    any     anywhere             anywhere 
    0     0 LOG        all  --  any    any     anywhere             anywhere         LOG level info prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  any    any     anywhere             anywhere 

Chain blacklst (2 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 DROP       all  --  any    any     anywhere             anywhere         PKTTYPE = broadcast
    0     0 DROP       all  --  any    any     anywhere             anywhere         PKTTYPE = multicast

Chain dropInvalid (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    3   688 DROP       all  --  any    any     anywhere             anywhere         state INVALID

Chain dropNotSyn (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    2    80 DROP       tcp  --  any    any     anywhere             anywhere         tcp flags:!SYN,RST,ACK/SYN

Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 dynamic    all  --  any    any     anywhere             anywhere         state INVALID,NEW
    0     0 blacklst   all  --  any    any     anywhere             anywhere         state INVALID,NEW
    0     0 smurfs     all  --  any    any     anywhere             anywhere         state INVALID,NEW
    0     0 norfc1918  all  --  any    any     anywhere             anywhere         state NEW
    0     0 tcpflags   tcp  --  any    any     anywhere             anywhere 
    0     0 net2all    all  --  any    eth1    anywhere             anywhere 

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination 
 4561  353K dynamic    all  --  any    any     anywhere             anywhere         state INVALID,NEW
 4561  353K blacklst   all  --  any    any     anywhere             anywhere         state INVALID,NEW
 4561  353K smurfs     all  --  any    any     anywhere             anywhere         state INVALID,NEW
 4557  353K norfc1918  all  --  any    any     anywhere             anywhere         state NEW
44927 4286K tcpflags   tcp  --  any    any     anywhere             anywhere 
47301 4544K net2fw     all  --  any    any     anywhere             anywhere 

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination 
  801 81459 dynamic    all  --  any    any     anywhere             anywhere         state INVALID,NEW
    0     0 tcpflags   tcp  --  any    any     anywhere             anywhere 
  801 81459 loc2all    all  --  any    eth0    anywhere             anywhere 

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination 
 2888  401K dynamic    all  --  any    any     anywhere             anywhere         state INVALID,NEW
    0     0 tcpflags   tcp  --  any    any     anywhere             anywhere 
 2888  401K loc2all    all  --  any    any     anywhere             anywhere 

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination 
  378  124K ACCEPT     all  --  any    any     anywhere             anywhere         state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere 

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination 
47909 8684K ACCEPT     all  --  any    any     anywhere             anywhere         state RELATED,ESTABLISHED
   20  1562 ACCEPT     udp  --  any    any     anywhere             anywhere         udp dpt:domain
 2326  259K ACCEPT     all  --  any    any     anywhere             anywhere 

Chain icmpdef (0 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain loc2all (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere         state RELATED,ESTABLISHED
 3689  482K ACCEPT     all  --  any    any     anywhere             anywhere 

Chain logflags (5 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 LOG        all  --  any    any     anywhere             anywhere         LOG level info ip-options prefix `Shorewall:logflags:DROP:'
    0     0 DROP       all  --  any    any     anywhere             anywhere 

Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere         state RELATED,ESTABLISHED
  965  137K Drop       all  --  any    any     anywhere             anywhere 
  322  104K LOG        all  --  any    any     anywhere             anywhere         LOG level info prefix `Shorewall:net2all:DROP:'
  322  104K DROP       all  --  any    any     anywhere             anywhere 

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination 
42740 4191K ACCEPT     all  --  any    any     anywhere             anywhere         state RELATED,ESTABLISHED
 3283  197K ACCEPT     tcp  --  any    any     anywhere             anywhere         multiport dports ssh,www,https,ftp
   25  1543 ACCEPT     udp  --  any    any     anywhere             anywhere         multiport dports https,domain
    0     0 ACCEPT     tcp  --  any    any     202.X.X.2         anywhere 
    0     0 ACCEPT     udp  --  any    any     202.X.X.2         anywhere 
  288 18324 ACCEPT     tcp  --  any    any     81-X-X-231.dclient.net  anywhere
  965  137K net2all    all  --  any    any     anywhere             anywhere 

Chain norfc1918 (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 rfc1918    all  --  any    any     172.16.0.0/12        anywhere 
    0     0 rfc1918    all  --  any    any     anywhere             anywhere         ctorigdst 172.16.0.0/12
    0     0 rfc1918    all  --  any    any     192.168.0.0/16       anywhere 
    0     0 rfc1918    all  --  any    any     anywhere             anywhere         ctorigdst 192.168.0.0/16
    0     0 rfc1918    all  --  any    any     10.0.0.0/8           anywhere 
    0     0 rfc1918    all  --  any    any     anywhere             anywhere         ctorigdst 10.0.0.0/8

Chain reject (11 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 DROP       all  --  any    any     anywhere             anywhere         PKTTYPE = broadcast
    0     0 DROP       all  --  any    any     anywhere             anywhere         PKTTYPE = multicast
    0     0 DROP       all  --  any    any     202.X.X.15        anywhere 
    0     0 DROP       all  --  any    any     192.168.115.255      anywhere 
    0     0 DROP       all  --  any    any     255.255.255.255      anywhere 
    0     0 DROP       all  --  any    any     BASE-ADDRESS.MCAST.NET/4  anywhere
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere         reject-with tcp-reset
    0     0 REJECT     udp  --  any    any     anywhere             anywhere         reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  any    any     anywhere             anywhere         reject-with icmp-host-unreachable
    0     0 REJECT     all  --  any    any     anywhere             anywhere         reject-with icmp-host-prohibited

Chain rfc1918 (6 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 LOG        all  --  any    any     anywhere             anywhere         LOG level info prefix `Shorewall:rfc1918:DROP:'
    0     0 DROP       all  --  any    any     anywhere             anywhere 

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination 

Chain smurfs (2 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 LOG        all  --  any    any     202.X.X.15        anywhere         LOG level info prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  any    any     202.X.X.15        anywhere 
    0     0 LOG        all  --  any    any     192.168.115.255      anywhere         LOG level info prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  any    any     192.168.115.255      anywhere 
    0     0 LOG        all  --  any    any     255.255.255.255      anywhere         LOG level info prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  any    any     255.255.255.255      anywhere 
    0     0 LOG        all  --  any    any     BASE-ADDRESS.MCAST.NET/4  anywhere             LOG level info prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       all  --  any    any     BASE-ADDRESS.MCAST.NET/4  anywhere

Chain tcpflags (4 references)
 pkts bytes target     prot opt in     out     source               destination 
    0     0 logflags   tcp  --  any    any     anywhere             anywhere         tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0     0 logflags   tcp  --  any    any     anywhere             anywhere         tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 logflags   tcp  --  any    any     anywhere             anywhere         tcp flags:SYN,RST/SYN,RST
    0     0 logflags   tcp  --  any    any     anywhere             anywhere         tcp flags:FIN,SYN/FIN,SYN
    0     0 logflags   tcp  --  any    any     anywhere             anywhere         tcp spt:0 flags:SYN,RST,ACK/SYN
 
Old 03-04-2006, 10:43 PM   #4
cccc
Code:
# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 5610 packets, 575K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1064 packets, 101K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 856 packets, 79830 bytes)
 pkts bytes target     prot opt in     out     source               destination
 
Old 03-04-2006, 10:47 PM   #5
win32sux
Quote:
Originally Posted by cccc
Code:
# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 5610 packets, 575K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1064 packets, 101K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 856 packets, 79830 bytes)
 pkts bytes target     prot opt in     out     source               destination
okay, as you can see there's nothing happening in your POSTROUTING chain... this means you aren't doing any SNAT/Masquerading... you need to check the shorewall documentation to find out how to activate SNAT/Masquerading...
 
Old 03-04-2006, 10:53 PM   #6
win32sux
here, I went ahead and did your homework for you...

http://www.shorewall.net/2.0/two-int....htm#id2507853

(i assume you are using shorewall 2.x instead of 3.x since you're on Sarge)

just my ... good luck!!!
 
Old 03-07-2006, 11:14 AM   #7
cccc
this problem is solved now!

it needs the following entry in /etc/shorewall/masq:
Code:
eth0	eth1
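A small shell check for the diagnosis win32sux made from the empty nat table and for the masq entry cccc ended up with, added here as an example; it is not code from the thread or from Shorewall. It parses a saved `iptables -L -v -t nat` listing, counts the rules in a chain and reports whether any rule uses a MASQUERADE or SNAT target. The "before" listing is the one posted; the "after" listing is constructed, and its chain name eth0_masq, its counters and the LAN subnet 192.168.115.0/24 are assumptions. The raw iptables rule printed at the end is what a two-column masq line amounts to for this two-interface layout, which is also an assumption rather than Shorewall's own compiled output.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall itself: check a
# saved `iptables -L -v -t nat` listing for masquerading, the way win32sux
# checked the empty POSTROUTING chain by eye, and show the fix.

# Constructed sample: the nat table exactly as posted (empty POSTROUTING).
NAT_BEFORE='Chain PREROUTING (policy ACCEPT 5610 packets, 575K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1064 packets, 101K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 856 packets, 79830 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed sample of the same table after a masq entry. The chain name
# eth0_masq and the counters are assumed; 192.168.115.0/24 is inferred from
# the addresses in the thread.
NAT_AFTER='Chain PREROUTING (policy ACCEPT 12 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 3 packets, 200 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 eth0_masq  all  --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 1 packets, 80 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 MASQUERADE  all  --  any    any     192.168.115.0/24     anywhere'

# Print only the rule lines of one chain: $1 = listing, $2 = chain name.
# The "Chain ..." header and the "pkts bytes target ..." column line are skipped.
chain_rules() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && /^ *pkts +bytes/ { next }
        inchain && NF > 0 { print }
    '
}

# Number of rules in a chain (0 when the chain is empty or absent).
rule_count() {
    chain_rules "$1" "$2" | wc -l | tr -d ' '
}

# Exit 0 if any rule anywhere in the nat listing has a MASQUERADE or SNAT
# target; the target is the third column of `iptables -L -v` output.
has_snat() {
    printf '%s\n' "$1" | awk '
        $3 == "MASQUERADE" || $3 == "SNAT" { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# One-word verdict for a listing: "ok" or "missing".
snat_status() {
    if has_snat "$1"; then echo ok; else echo missing; fi
}

# The /etc/shorewall/masq line from the thread: $1 = interface facing the
# Internet, $2 = interface (or subnet) whose traffic is to be masqueraded.
masq_line() {
    printf '%s\t%s\n' "$1" "$2"
}

# Raw iptables rule a masq entry amounts to (assumed equivalent for this
# two-interface layout): $1 = external interface, $2 = LAN subnet.
iptables_equivalent() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' "$1" "$2"
}

# Usage: run the check on both samples, then show the fix.
printf 'before: POSTROUTING rules=%s snat=%s\n' \
    "$(rule_count "$NAT_BEFORE" POSTROUTING)" "$(snat_status "$NAT_BEFORE")"
printf 'after:  POSTROUTING rules=%s snat=%s\n' \
    "$(rule_count "$NAT_AFTER" POSTROUTING)" "$(snat_status "$NAT_AFTER")"
printf 'masq entry:  '; masq_line eth0 eth1
printf 'equivalent:  '; iptables_equivalent eth0 192.168.115.0/24
```

On a live router the same functions can be fed `"$(iptables -L -v -t nat)"` instead of the embedded samples; a "missing" verdict with a non-empty FORWARD chain is the symptom in this thread, where packets are forwarded but leave with private source addresses that the ISP side cannot route back.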
 
Old 03-07-2006, 12:41 PM   #8
win32sux
Quote:
Originally Posted by cccc
this problem is solved now!

it needs the following entry in /etc/shorewall/masq:
Code:
eth0	eth1
ummm, yes, that's exactly what it says in the shorewall documentation linked above...

BTW, (Nick Burns voice) you're welcome!!!
 
Old 03-07-2006, 02:50 PM   #9
cccc
yep,

thanks!
 
  

