Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am having some weirdness with Shorewall on my RHEL 4 Server. I installed the latest version and it runs fine. Then I set it up with its own public IP, setting the local zone to my internal network, which accesses the server just fine. The net zone is obviously 0.0.0.0 and fw is the server itself. I set the rules to allow POP3, SSH, SMTP, and Webmin from net to fw. Then I set the policy for net to fw to reject. Now it won't allow any inbound connections on ANY ports. The local connects just fine. For testing I set the net to fw policy to accept and it works, but leaving it that way is obviously dumb. Why is Shorewall blocking all inbound connections from net if the rules for pop3, ssh, smtp, and Webmin are set to accept?
well, it would seem something's not right with the rules... for some reason they aren't matching the packets you want them to match, and hence the packets run into the policy... we should be able to determine what the problem is if you post the output of this command:
Code:
iptables -nvL
NOTE: please use [code] tags when you post the output, or else it will be a pain to read... =)
if you could also post what your relevant shorewall config files look like, that would be cool too...
Here is the result of the iptables command you requested.
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 160 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
625 48864 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 160 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
44 7807 fw2all all -- * eth0 0.0.0.0/0 *IP_DELETED*/29
428 66843 fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Drop (3 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
27 1424 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
27 1424 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
25 1344 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain Reject (0 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
0 0 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain blacklst (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 211.0.0.0 0.0.0.0/0
0 0 DROP all -- * * 210.0.0.0 0.0.0.0/0
0 0 DROP all -- * * 60.0.0.0 0.0.0.0/0
0 0 DROP all -- * * 86.0.0.0 0.0.0.0/0
0 0 DROP all -- * * 85.94.160.0/19 0.0.0.0/0
0 0 DROP all -- * * 210.0.0.0/19 0.0.0.0/0
0 0 DROP all -- * * 210.0.64.0/18 0.0.0.0/0
0 0 DROP all -- * * 210.1.192.0/19 0.0.0.0/0
0 0 DROP all -- * * 210.4.80.0/21 0.0.0.0/0
0 0 DROP all -- * * 210.4.224.0/20 0.0.0.0/0
0 0 DROP all -- * * 210.5.32.0/21 0.0.0.0/0
0 0 DROP all -- * * 210.8.0.0/14 0.0.0.0/0
0 0 DROP all -- * * 210.14.96.0/20 0.0.0.0/0
0 0 DROP all -- * * 210.15.192.0/18 0.0.0.0/0
0 0 DROP all -- * * 210.18.192.0/18 0.0.0.0/0
0 0 DROP all -- * * 210.48.208.0/21 0.0.0.0/0
0 0 DROP all -- * * 210.49.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 210.50.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 210.56.64.0/19 0.0.0.0/0
0 0 DROP all -- * * 210.56.152.0/21 0.0.0.0/0
0 0 DROP all -- * * 210.56.224.0/19 0.0.0.0/0
0 0 DROP all -- * * 210.79.16.0/20 0.0.0.0/0
0 0 DROP all -- * * 210.80.128.0/18 0.0.0.0/0
0 0 DROP all -- * * 210.84.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 210.87.0.0/18 0.0.0.0/0
0 0 DROP all -- * * 210.89.128.0/19 0.0.0.0/0
0 0 DROP all -- * * 210.185.64.0/18 0.0.0.0/0
0 0 DROP all -- * * 210.193.128.0/17 0.0.0.0/0
0 0 DROP all -- * * 210.211.64.0/18 0.0.0.0/0
0 0 DROP all -- * * 210.215.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 210.247.128.0/18 0.0.0.0/0
0 0 DROP all -- * * 211.26.0.0/15 0.0.0.0/0
0 0 DROP all -- * * 211.28.0.0/14 0.0.0.0/0
0 0 DROP all -- * * 216.14.192.0/20 0.0.0.0/0
0 0 DROP all -- * * 218.100.0.0/24 0.0.0.0/0
0 0 DROP all -- * * 218.100.2.0/23 0.0.0.0/0
0 0 DROP all -- * * 218.100.12.0/23 0.0.0.0/0
0 0 DROP all -- * * 218.100.19.0/24 0.0.0.0/0
0 0 DROP all -- * * 218.100.36.0/23 0.0.0.0/0
0 0 DROP all -- * * 218.100.39.0/24 0.0.0.0/0
0 0 DROP all -- * * 218.100.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 218.100.43.0/24 0.0.0.0/0
0 0 DROP all -- * * 218.185.0.0/17 0.0.0.0/0
0 0 DROP all -- * * 218.214.0.0/15 0.0.0.0/0
0 0 DROP all -- * * 219.90.128.0/17 0.0.0.0/0
0 0 DROP all -- * * 220.101.0.0/17 0.0.0.0/0
0 0 DROP all -- * * 220.101.128.0/18 0.0.0.0/0
0 0 DROP all -- * * 220.152.112.0/21 0.0.0.0/0
0 0 DROP all -- * * 220.157.64.0/19 0.0.0.0/0
0 0 DROP all -- * * 220.233.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 220.235.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 220.236.0.0/14 0.0.0.0/0
0 0 DROP all -- * * 220.240.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 220.244.0.0/15 0.0.0.0/0
0 0 DROP all -- * * 220.247.176.0/21 0.0.0.0/0
0 0 DROP all -- * * 220.253.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 221.120.128.0/19 0.0.0.0/0
0 0 DROP all -- * * 221.121.64.0/19 0.0.0.0/0
0 0 DROP all -- * * 221.133.192.0/19 0.0.0.0/0
0 0 DROP all -- * * 221.199.208.0/20 0.0.0.0/0
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
2 80 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02
Chain dynamic (2 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 local2net all -- * eth0 *IP_DELETED*/29 0.0.0.0/0
0 0 net2local all -- * eth0 0.0.0.0/0 *IP_DELETED*/29
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
31 1629 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
31 1629 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
37 1671 local2fw all -- * * *IP_DELETED*/29 0.0.0.0/0
588 47193 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2all (2 references)
pkts bytes target prot opt in out source destination
44 7807 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
22 1527 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
406 65316 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 reject icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
22 1527 fw2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain local2fw (1 references)
pkts bytes target prot opt in out source destination
34 1527 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:10000 dpt:10000
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:10000 dpt:10000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:22 dpt:22
3 144 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain local2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:logreject:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
27 1424 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
25 1344 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
560 45708 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:110 dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:10000 dpt:10000
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:10000 dpt:10000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:22 dpt:22
1 61 reject icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
27 1424 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2local (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:110 dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25 dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:10000 dpt:10000
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:10000 dpt:10000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:22 dpt:22
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (9 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
1 61 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * IP_DELETED 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * IP_DELETED 0.0.0.0/0
0 0 LOG all -- * * 255.255.255.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 LOG all -- * * 224.0.0.0/4 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
Here is the text of the rules file:
Code:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT(S) PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT net fw tcp pop3 pop3
ACCEPT net fw tcp smtp smtp
ACCEPT net fw tcp 10000 10000
ACCEPT net fw udp 10000 10000
ACCEPT net local tcp pop3 pop3
ACCEPT net local tcp smtp smtp
ACCEPT net local tcp 10000 10000
ACCEPT net local udp 10000 10000
ACCEPT local fw tcp 10000 10000
ACCEPT local fw udp 10000 10000
ACCEPT net fw tcp http http
ACCEPT net local tcp http http
ACCEPT local fw tcp http http
ACCEPT net fw tcp 22 22
ACCEPT net fw udp 22 22
ACCEPT net local tcp 22 22
ACCEPT net local udp 22 22
ACCEPT local fw tcp 22 22
ACCEPT local fw udp 22 22
REJECT net fw icmp echo-request echo-request
REJECT fw net icmp echo-request echo-request
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Here is the policy file:
Code:
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
local fw ACCEPT
fw all ACCEPT
local net ACCEPT
net all DROP
#LAST LINE -- DO NOT REMOVE
All connections from the outside are blocked with the above config for some reason. By changing the DROP in the policy file to ACCEPT, everything connects but of course it leaves me wide open. What am I missing?
Last edited by DeusExMichael; 03-06-2007 at 02:26 PM.
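The posted rules file and the counters in the `iptables -nvL` output can be checked mechanically rather than by eye. Every tcp/udp line in the rules file repeats the service port in the SOURCE PORT(S) column (`ACCEPT net fw tcp pop3 pop3`), which Shorewall compiles to `tcp spt:110 dpt:110`; those rules show 0 packets in the `net2fw` chain while the fall-through `net2all` line shows 27. A client connects from an ephemeral source port, so a rule that also pins the source port to the service port does not match a normal connection, and the packet runs into the `net all DROP` policy. The script below is an added example for this thread, not code from Shorewall or from the poster: it parses a Shorewall rules file and flags tcp/udp rules with a pinned source port, prints the line with `-` (any port) in that column, and parses `iptables -nvL` output to list port rules in a chain that have never matched. The sample rules and counter lines embedded in it are constructed from the configuration and output posted above, trimmed to the relevant rows; the function names are this example's own.

```python
"""Checker for a Shorewall rules-file mistake: pinning the client's SOURCE PORT.

Added example for this thread, not code from Shorewall or from the poster.
The sample rules file and iptables counters below are constructed from the
configuration and output posted above, trimmed to the relevant lines.
"""
from dataclasses import dataclass
from typing import List, Tuple

# --- constructed sample input (subset of the posted rules file) -------------
SAMPLE_RULES = """\
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE
#                               PORT(S) PORT(S)
SECTION NEW
ACCEPT  net     fw      tcp     pop3    pop3
ACCEPT  net     fw      tcp     smtp    smtp
ACCEPT  net     fw      tcp     10000   10000
ACCEPT  net     fw      udp     10000   10000
ACCEPT  net     fw      tcp     22      22
REJECT  net     fw      icmp    echo-request    echo-request
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# --- constructed sample input (subset of the posted `iptables -nvL`) ---------
SAMPLE_IPTABLES = """\
Chain net2fw (1 references)
 pkts bytes target  prot opt in  out source     destination
  560 45708 ACCEPT  all  --  *   *   0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 ACCEPT  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  tcp spt:110 dpt:110
    0     0 ACCEPT  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  tcp spt:22 dpt:22
    1    61 reject  icmp --  *   *   0.0.0.0/0  0.0.0.0/0  icmp type 8
   27  1424 net2all all  --  *   *   0.0.0.0/0  0.0.0.0/0
"""


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dport: str   # DEST PORT(S) column
    sport: str   # SOURCE PORT(S) column; '-' means any port
    lineno: int


def parse_rules(text: str) -> List[Rule]:
    """Parse the whitespace-separated Shorewall rules format. Comments, blank
    lines and SECTION markers are skipped; missing trailing columns mean any."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.upper().startswith("SECTION "):
            continue
        cols = line.split()
        cols += ["-"] * (6 - len(cols))
        rules.append(Rule(cols[0], cols[1], cols[2], cols[3], cols[4], cols[5], lineno))
    return rules


def pinned_source_port_rules(rules: List[Rule]) -> List[Rule]:
    """tcp/udp rules whose SOURCE PORT(S) column is set. Clients pick an
    ephemeral source port, so such a rule matches real traffic only by
    accident and the connection falls through to the zone policy."""
    return [r for r in rules
            if r.proto.lower() in ("tcp", "udp") and r.sport not in ("-", "")]


def corrected_line(r: Rule) -> str:
    """The same rule with the SOURCE PORT(S) column set to '-' (any port)."""
    return "\t".join([r.action, r.source, r.dest, r.proto, r.dport, "-"])


def parse_chain_counters(text: str, chain: str) -> List[Tuple[int, str, str]]:
    """(pkts, target, match text) for every rule of `chain` in `iptables -nvL` output."""
    rows, in_chain = [], False
    for line in text.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        if not in_chain or not line.strip() or line.split()[0] == "pkts":
            continue
        cols = line.split()
        # columns: pkts bytes target prot opt in out source destination [match...]
        rows.append((int(cols[0]), cols[2], " ".join(cols[9:])))
    return rows


def never_matched_port_rules(text: str, chain: str) -> List[Tuple[str, str]]:
    """Port rules in `chain` that pin both spt and dpt and have a zero counter."""
    return [(target, match) for pkts, target, match in parse_chain_counters(text, chain)
            if pkts == 0 and "spt:" in match and "dpt:" in match]


if __name__ == "__main__":
    for r in pinned_source_port_rules(parse_rules(SAMPLE_RULES)):
        print(f"rules line {r.lineno}: source port pinned to {r.sport}; "
              f"use: {corrected_line(r)}")
    for target, match in never_matched_port_rules(SAMPLE_IPTABLES, "net2fw"):
        print(f"net2fw: '{target} {match}' has matched 0 packets")
```

Run it against your own `/etc/shorewall/rules` and a saved `iptables -nvL` by reading those files into the two strings; a rule that is reported by both functions (pinned source port in the file, zero hits in the chain) is the one to fix by putting `-` in the SOURCE PORT(S) column and restarting Shorewall. The icmp lines are left alone on purpose, since for icmp the port columns carry the ICMP type and the compiled output shows only `icmp type 8`.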