#1, 03-04-2006, 10:09 AM
Senior Member
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,623
SHOREWALL Firewall Routing Problem
Hi,
I have set up Sarge stable as a router now, with Shorewall and bind9; it works fantastically!
Except for one little thing...
I can't seem to access my outside IP from the local network.
In my case I can't access the internet, e.g. http://www.google.com, from the LAN clients,
but I can access the local IP addresses (http://192.168.115.X).
Does anyone know how to set up Shorewall in a way that lets me access the outside IP?
I've done the following:
1.) IP forwarding in /etc/shorewall.conf is on.
2.) policy:
Code:
loc all ACCEPT
fw net ACCEPT
fw loc ACCEPT
net all DROP info
all all REJECT info
3.) rules:
Code:
ACCEPT net $FW tcp ssh,www,https,ftp
ACCEPT net fw udp https,domain
ACCEPT fw net udp domain
If anyone could help out, I'd really appreciate it.
greetings
cc
#2, 03-04-2006, 08:56 PM
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
I am not familiar with Shorewall, but does it have an option where you activate SNAT/masquerading? Because that might be what you are missing...
What do your iptables look like?
Code:
iptables -L -v
iptables -L -v -t nat
#3, 03-04-2006, 10:42 PM
Senior Member
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,623
Original Poster
Code:
# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8986 842K ACCEPT all -- lo any anywhere anywhere
47301 4544K eth0_in all -- eth0 any anywhere anywhere
2888 401K eth1_in all -- eth1 any anywhere anywhere
0 0 Reject all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 eth0_fwd all -- eth0 any anywhere anywhere
801 81459 eth1_fwd all -- eth1 any anywhere anywhere
0 0 Reject all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- any any anywhere anywhere
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8986 842K ACCEPT all -- any lo anywhere anywhere
50255 8945K fw2net all -- any eth0 anywhere anywhere
378 124K fw2loc all -- any eth1 anywhere anywhere
0 0 Reject all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all -- any any anywhere anywhere
Chain AllowICMPs (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed
1 56 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
Chain Drop (1 references)
pkts bytes target prot opt in out source destination
965 137K RejectAuth all -- any any anywhere anywhere
965 137K dropBcast all -- any any anywhere anywhere
87 7688 AllowICMPs icmp -- any any anywhere anywhere
964 137K dropInvalid all -- any any anywhere anywhere
961 136K DropSMB all -- any any anywhere anywhere
324 105K DropUPnP all -- any any anywhere anywhere
70 3396 dropNotSyn tcp -- any any anywhere anywhere
322 104K DropDNSrep all -- any any anywhere anywhere
Chain DropDNSrep (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- any any anywhere anywhere udp spt:domain
Chain DropSMB (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- any any anywhere anywhere udp dpt:loc-srv
11 858 DROP udp -- any any anywhere anywhere udp dpts:netbios-ns:netbios-ssn
0 0 DROP udp -- any any anywhere anywhere udp dpt:microsoft-ds
102 4976 DROP tcp -- any any anywhere anywhere tcp dpt:loc-srv
178 8584 DROP tcp -- any any anywhere anywhere tcp dpt:netbios-ssn
346 17104 DROP tcp -- any any anywhere anywhere tcp dpt:microsoft-ds
Chain DropUPnP (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- any any anywhere anywhere udp dpt:1900
Chain Reject (4 references)
pkts bytes target prot opt in out source destination
0 0 RejectAuth all -- any any anywhere anywhere
0 0 dropBcast all -- any any anywhere anywhere
0 0 AllowICMPs icmp -- any any anywhere anywhere
0 0 dropInvalid all -- any any anywhere anywhere
0 0 RejectSMB all -- any any anywhere anywhere
0 0 DropUPnP all -- any any anywhere anywhere
0 0 dropNotSyn tcp -- any any anywhere anywhere
0 0 DropDNSrep all -- any any anywhere anywhere
Chain RejectAuth (2 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- any any anywhere anywhere tcp dpt:auth
Chain RejectSMB (1 references)
pkts bytes target prot opt in out source destination
0 0 reject udp -- any any anywhere anywhere udp dpt:loc-srv
0 0 reject udp -- any any anywhere anywhere udp dpts:netbios-ns:netbios-ssn
0 0 reject udp -- any any anywhere anywhere udp dpt:microsoft-ds
0 0 reject tcp -- any any anywhere anywhere tcp dpt:loc-srv
0 0 reject tcp -- any any anywhere anywhere tcp dpt:netbios-ssn
0 0 reject tcp -- any any anywhere anywhere tcp dpt:microsoft-ds
Chain all2all (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 Reject all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
0 0 reject all -- any any anywhere anywhere
Chain blacklst (2 references)
pkts bytes target prot opt in out source destination
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere PKTTYPE = broadcast
0 0 DROP all -- any any anywhere anywhere PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
3 688 DROP all -- any any anywhere anywhere state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
2 80 DROP tcp -- any any anywhere anywhere tcp flags:!SYN,RST,ACK/SYN
Chain dynamic (4 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- any any anywhere anywhere state INVALID,NEW
0 0 blacklst all -- any any anywhere anywhere state INVALID,NEW
0 0 smurfs all -- any any anywhere anywhere state INVALID,NEW
0 0 norfc1918 all -- any any anywhere anywhere state NEW
0 0 tcpflags tcp -- any any anywhere anywhere
0 0 net2all all -- any eth1 anywhere anywhere
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
4561 353K dynamic all -- any any anywhere anywhere state INVALID,NEW
4561 353K blacklst all -- any any anywhere anywhere state INVALID,NEW
4561 353K smurfs all -- any any anywhere anywhere state INVALID,NEW
4557 353K norfc1918 all -- any any anywhere anywhere state NEW
44927 4286K tcpflags tcp -- any any anywhere anywhere
47301 4544K net2fw all -- any any anywhere anywhere
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
801 81459 dynamic all -- any any anywhere anywhere state INVALID,NEW
0 0 tcpflags tcp -- any any anywhere anywhere
801 81459 loc2all all -- any eth0 anywhere anywhere
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
2888 401K dynamic all -- any any anywhere anywhere state INVALID,NEW
0 0 tcpflags tcp -- any any anywhere anywhere
2888 401K loc2all all -- any any anywhere anywhere
Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
378 124K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any any anywhere anywhere
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
47909 8684K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
20 1562 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
2326 259K ACCEPT all -- any any anywhere anywhere
Chain icmpdef (0 references)
pkts bytes target prot opt in out source destination
Chain loc2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3689 482K ACCEPT all -- any any anywhere anywhere
Chain logflags (5 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere LOG level info ip-options prefix `Shorewall:logflags:DROP:'
0 0 DROP all -- any any anywhere anywhere
Chain net2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
965 137K Drop all -- any any anywhere anywhere
322 104K LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
322 104K DROP all -- any any anywhere anywhere
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
42740 4191K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3283 197K ACCEPT tcp -- any any anywhere anywhere multiport dports ssh,www,https,ftp
25 1543 ACCEPT udp -- any any anywhere anywhere multiport dports https,domain
0 0 ACCEPT tcp -- any any 202.X.X.2 anywhere
0 0 ACCEPT udp -- any any 202.X.X.2 anywhere
288 18324 ACCEPT tcp -- any any 81-X-X-231.dclient.net anywhere
965 137K net2all all -- any any anywhere anywhere
Chain norfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 rfc1918 all -- any any 172.16.0.0/12 anywhere
0 0 rfc1918 all -- any any anywhere anywhere ctorigdst 172.16.0.0/12
0 0 rfc1918 all -- any any 192.168.0.0/16 anywhere
0 0 rfc1918 all -- any any anywhere anywhere ctorigdst 192.168.0.0/16
0 0 rfc1918 all -- any any 10.0.0.0/8 anywhere
0 0 rfc1918 all -- any any anywhere anywhere ctorigdst 10.0.0.0/8
Chain reject (11 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere PKTTYPE = broadcast
0 0 DROP all -- any any anywhere anywhere PKTTYPE = multicast
0 0 DROP all -- any any 202.X.X.15 anywhere
0 0 DROP all -- any any 192.168.115.255 anywhere
0 0 DROP all -- any any 255.255.255.255 anywhere
0 0 DROP all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere
0 0 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
0 0 REJECT udp -- any any anywhere anywhere reject-with icmp-port-unreachable
0 0 REJECT icmp -- any any anywhere anywhere reject-with icmp-host-unreachable
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain rfc1918 (6 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere LOG level info prefix `Shorewall:rfc1918:DROP:'
0 0 DROP all -- any any anywhere anywhere
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any 202.X.X.15 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- any any 202.X.X.15 anywhere
0 0 LOG all -- any any 192.168.115.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- any any 192.168.115.255 anywhere
0 0 LOG all -- any any 255.255.255.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- any any 255.255.255.255 anywhere
0 0 LOG all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere
Chain tcpflags (4 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
0 0 logflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 logflags tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST
0 0 logflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
0 0 logflags tcp -- any any anywhere anywhere tcp spt:0 flags:SYN,RST,ACK/SYN
#4, 03-04-2006, 10:43 PM
Senior Member
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,623
Original Poster
Code:
# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 5610 packets, 575K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1064 packets, 101K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 856 packets, 79830 bytes)
pkts bytes target prot opt in out source destination
#5, 03-04-2006, 10:47 PM
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by cccc
Code:
# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 5610 packets, 575K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1064 packets, 101K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 856 packets, 79830 bytes)
pkts bytes target prot opt in out source destination

Okay, as you can see there's nothing happening in your POSTROUTING chain... This means you aren't doing any SNAT/masquerading... You need to check the Shorewall documentation to find out how to activate SNAT/masquerading...
#6, 03-04-2006, 10:53 PM
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Here, I went ahead and did your homework for you...
http://www.shorewall.net/2.0/two-int....htm#id2507853
(I assume you are using Shorewall 2.x instead of 3.x since you're on Sarge.)
Just my ... good luck!!!
#7, 03-07-2006, 11:14 AM
Senior Member
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,623
Original Poster
This problem is solved now!
It needs the following entry in /etc/shorewall/masq:
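The diagnosis in #5 (an empty nat POSTROUTING chain means no masquerading) and the fix in #7 (an entry in /etc/shorewall/masq), as an added check that is not from the thread: a POSIX shell function that parses `iptables -t nat -L POSTROUTING -v` output and counts MASQUERADE/SNAT rules leaving the external interface. Both sample chains are constructed, and the masq entry quoted in the comment assumes eth0 is the net interface and eth1 the 192.168.115.0/24 LAN, as the posted iptables output suggests.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `iptables -t nat -L POSTROUTING -v`
# output on stdin, prints how many MASQUERADE/SNAT rules leave interface $1,
# and exits 0 only when at least one such rule exists.
has_masq() {
    ext_if="$1"
    # Line 1 is "Chain POSTROUTING (...)", line 2 the column header; from
    # line 3 on the -v columns are:
    #   pkts bytes target prot opt in out source destination
    awk -v ifc="$ext_if" '
        NR > 2 && ($3 == "MASQUERADE" || $3 == "SNAT") &&
                  ($7 == ifc || $7 == "any") { c++ }
        END { print c + 0; if (c > 0) exit 0; exit 1 }'
}

# Constructed sample: the empty chain the original poster showed, i.e. no
# source NAT at all, so LAN packets leave eth0 with their 192.168.115.x source.
NAT_BEFORE='Chain POSTROUTING (policy ACCEPT 1064 packets, 101K bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed sample: the same chain after /etc/shorewall/masq gets an entry
# such as "eth0 192.168.115.0/24" (assumed Shorewall 2.x format: INTERFACE
# SUBNET), masquerading the LAN behind the net interface eth0.
NAT_AFTER='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  900 MASQUERADE  all  --  any    eth0    192.168.115.0/24     anywhere'

masq_count_before() { printf '%s\n' "$NAT_BEFORE" | has_masq eth0; }
masq_count_after()  { printf '%s\n' "$NAT_AFTER"  | has_masq eth0; }

echo "before fix: $(masq_count_before) masquerade rule(s) out eth0"   # 0
echo "after fix:  $(masq_count_after) masquerade rule(s) out eth0"    # 1
```

On the live router the same check is `iptables -t nat -L POSTROUTING -v | has_masq eth0`; a count of 0 reproduces the symptom in #1 even when the FORWARD rules accept the traffic.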
#8, 03-07-2006, 12:41 PM
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by cccc
This problem is solved now!
It needs the following entry in /etc/shorewall/masq:

Ummm, yes, that's exactly what it says in the Shorewall documentation linked above...
BTW, (Nick Burns voice) you're welcome!!!
#9, 03-07-2006, 02:50 PM
Senior Member
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,623
Original Poster
Yep,
thanks!