LinuxQuestions.org
Mandriva This Forum is for the discussion of Mandriva (Mandrake) Linux.

Old 09-02-2004, 10:10 PM   #1
scuzzman
Senior Member
 
Registered: May 2004
Location: Hilliard, Ohio, USA
Distribution: Slackware, Kubuntu
Posts: 1,851

Rep: Reputation: 47
shorewall/iptables stopping all network traffic


I'm having a little bit of trouble configuring shorewall/iptables (I assume they're one and the same(?)). I installed it yesterday, and since have been having trouble. The main things I do online is check web sites and IRC. This is where the fun starts. As you've probably guessed, when I have shorewall/iptables running I can't do anything online. Can't ping, traceroute, or open IRC servers/web sites. Funny thing is, if I stop shorewall and open a connection to an IRC server, then restart shorewall, IRC works fine but still cannot access the internet. I tried searching this site, a lot of problems with shorewall, but no solutions listed. So, I figured I'd try again. A little help in configuring iptables is what I'm really asking as I don't know much about TCP/IP yet. It also might be helpful to know I connect thru dial-up and kppp and have never had a problem.
 
Old 09-02-2004, 11:38 PM   #2
amfoster
Member
 
Registered: Aug 2004
Distribution: debian, SuSE
Posts: 365

Rep: Reputation: 36
I only use iptables firewall from the command line so may not be a lot of help.
iptables -L displays the filter tables
iptables -F flushes them
If you see them listed, they are very easy to read. Writing them is another story.
 
Old 09-03-2004, 10:18 AM   #3
scuzzman
Senior Member
 
Registered: May 2004
Location: Hilliard, Ohio, USA
Distribution: Slackware, Kubuntu
Posts: 1,851

Original Poster
Rep: Reputation: 47
Well, shorewall is a GUI frontend for iptables, albeit not a very good one. Not very descriptive at all.
Maybe this information will help though, this is my output from:
Code:
[root@localhost /home/scuzzy]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP      !icmp --  anywhere             anywhere            state INVALID 
eth0_in    all  --  anywhere             anywhere            
Reject     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:INPUT:REJECT:' 
reject     all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP      !icmp --  anywhere             anywhere            state INVALID 
eth0_fwd   all  --  anywhere             anywhere            
Reject     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:FORWARD:REJECT:' 
reject     all  --  anywhere             anywhere            

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP      !icmp --  anywhere             anywhere            state INVALID 
fw2net     all  --  anywhere             anywhere            
Reject     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:OUTPUT:REJECT:' 
reject     all  --  anywhere             anywhere            

Chain Drop (1 references)
target     prot opt source               destination         
RejectAuth  all  --  anywhere             anywhere            
dropBcast  all  --  anywhere             anywhere            
DropSMB    all  --  anywhere             anywhere            
DropUPnP   all  --  anywhere             anywhere            
dropNonSyn  all  --  anywhere             anywhere            
DropDNSrep  all  --  anywhere             anywhere            

Chain DropDNSrep (2 references)
target     prot opt source               destination         
DROP       udp  --  anywhere             anywhere            udp spt:domain 

Chain DropSMB (1 references)
target     prot opt source               destination         
DROP       udp  --  anywhere             anywhere            udp dpt:135 
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn 
DROP       udp  --  anywhere             anywhere            udp dpt:microsoft-ds 
DROP       tcp  --  anywhere             anywhere            tcp dpt:135 
DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn 
DROP       tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds 

Chain DropUPnP (2 references)
target     prot opt source               destination         
DROP       udp  --  anywhere             anywhere            udp dpt:1900 

Chain Reject (4 references)
target     prot opt source               destination         
RejectAuth  all  --  anywhere             anywhere            
dropBcast  all  --  anywhere             anywhere            
RejectSMB  all  --  anywhere             anywhere            
DropUPnP   all  --  anywhere             anywhere            
dropNonSyn  all  --  anywhere             anywhere            
DropDNSrep  all  --  anywhere             anywhere            

Chain RejectAuth (2 references)
target     prot opt source               destination         
reject     tcp  --  anywhere             anywhere            tcp dpt:auth 

Chain RejectSMB (1 references)
target     prot opt source               destination         
reject     udp  --  anywhere             anywhere            udp dpt:135 
reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn 
reject     udp  --  anywhere             anywhere            udp dpt:microsoft-ds 
reject     tcp  --  anywhere             anywhere            tcp dpt:135 
reject     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn 
reject     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds 

Chain all2all (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
Reject     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:all2all:REJECT:' 
reject     all  --  anywhere             anywhere            

Chain dropBcast (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast 
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast 

Chain dropNonSyn (2 references)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN 

Chain dynamic (2 references)
target     prot opt source               destination         

Chain eth0_fwd (1 references)
target     prot opt source               destination         
dynamic    all  --  anywhere             anywhere            state NEW 

Chain eth0_in (1 references)
target     prot opt source               destination         
dynamic    all  --  anywhere             anywhere            state NEW 
net2fw     all  --  anywhere             anywhere            

Chain fw2net (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            

Chain icmpdef (0 references)
target     prot opt source               destination         

Chain net2all (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
Drop       all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:net2all:DROP:' 
DROP       all  --  anywhere             anywhere            

Chain net2fw (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
net2all    all  --  anywhere             anywhere            

Chain reject (11 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast 
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast 
DROP       all  --  255.255.255.255      anywhere            
DROP       all  --  224.0.0.0/4          anywhere            
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable 
REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain shorewall (0 references)
target     prot opt source               destination         

Chain smurfs (0 references)
target     prot opt source               destination         
LOG        all  --  255.255.255.255      anywhere            LOG level info prefix `Shorewall:smurfs:DROP:' 
DROP       all  --  255.255.255.255      anywhere            
LOG        all  --  224.0.0.0/4          anywhere            LOG level info prefix `Shorewall:smurfs:DROP:' 
DROP       all  --  224.0.0.0/4          anywhere            
[root@localhost /home/scuzzy]#
<EDIT> I tried "iptables --flush" (That's what it says in the mans). It just returned me to a prompt, but didn't resolve the issue. </EDIT>

Last edited by scuzzman; 09-03-2004 at 10:20 AM.
 
Old 09-04-2004, 11:51 AM   #4
scuzzman
Senior Member
 
Registered: May 2004
Location: Hilliard, Ohio, USA
Distribution: Slackware, Kubuntu
Posts: 1,851

Original Poster
Rep: Reputation: 47
BUMP
 
Old 09-06-2004, 10:28 AM   #5
scuzzman
Senior Member
 
Registered: May 2004
Location: Hilliard, Ohio, USA
Distribution: Slackware, Kubuntu
Posts: 1,851

Original Poster
Rep: Reputation: 47
I take it there's nothing wrong with that output?
C'mon guys/gals
 
Old 09-06-2004, 04:18 PM   #6
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 928
Moved: This thread is more suitable in <Insert Forum Name Here> and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 09-07-2004, 04:10 PM   #7
amf57
LQ Newbie
 
Registered: Feb 2003
Posts: 22

Rep: Reputation: 15
Strange,
The default is to drop everything, then there is the exception to accept everything, then line 4 of the input tables turns around and rejects everything again. Right there on that line, you aren't accepting any packets from anywhere using any protocol.

There shouldn't be a surprise that you can't get any internet traffic.
The problem with tools like shorewall, etc. is that they can certainly jumble up the logical flow. iptables is a huge flowchart. If you reject everything on line 4 you can't turn around and say "Oh yeah, let this in".
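
Reading the posted listing as the ordered flowchart described in post #7, as an added example (not code from any poster in this thread): the Python below parses non-verbose `iptables -L` output and reports the first terminating rule in a chain that is printed with no condition, together with the rules listed after it. `iptables -L` without `-v` does not print the in/out interface columns, so a rule that looks unconditional may be bound to a single interface; the function names are assumptions of this example.

```python
import re

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Excerpt of the listing posted above (INPUT and net2fw chains, whitespace trimmed).
LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP      !icmp --  anywhere             anywhere            state INVALID
eth0_in    all  --  anywhere             anywhere
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:INPUT:REJECT:'
reject     all  --  anywhere             anywhere

Chain net2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
net2all    all  --  anywhere             anywhere
"""

def parse_listing(text):
    """Parse non-verbose `iptables -L` output into {chain: [rule, ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        f = line.split(None, 5)  # target prot opt source destination [match]
        if m:
            current = chains.setdefault(m.group(1), [])
        elif current is not None and len(f) >= 5 and f[0] != "target":
            current.append({"target": f[0], "prot": f[1], "src": f[3], "dst": f[4],
                            "match": f[5].strip() if len(f) > 5 else ""})
    return chains

def looks_unconditional(rule):
    """No condition is printed. Without -v the interface columns are not
    shown, so the rule may still be limited to one interface (e.g. lo)."""
    return (rule["prot"], rule["src"], rule["dst"], rule["match"]) == (
        "all", "anywhere", "anywhere", "")

def first_catch_all(chains, chain):
    """Return (position, target, later_targets) for the first terminating rule
    that looks unconditional as listed, or None if the chain has none."""
    rules = chains[chain]
    for i, rule in enumerate(rules):
        if rule["target"] in TERMINAL and looks_unconditional(rule):
            return i + 1, rule["target"], [r["target"] for r in rules[i + 1:]]
    return None
print(first_catch_all(parse_listing(LISTING), "INPUT"))
```

A hit at position 1 means the listing cannot be taken at face value, since every later rule would be unreachable; `iptables -L -n -v` prints the interface columns and per-rule packet counters needed to see which rules traffic actually hits.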
 
  

