[Shorewall-newbies] shorewall and bridge...

Personaje personaje at bigfoot.com
Tue Feb 24 20:12:31 PST 2004


Hello,
    I'm new to shorewall but not so new to linux (although I do not 
claim that I am not a noob :) ). I've experimented with linux as a 
router in my house since I found that windoze couldn't handle as many 
connections as eDonkey was willing to open. So I got myself Gentoo, 
emerged a coupla things and got it running piece by piece... I'm using a 
box with 3 NICs: one for the inet connection (eth0) and the other two are 
bridged together (eth1 + eth2 = br0). Bridging works, but then I got my 
hands on shorewall, did the 2 NICs install (thought it was the right one 
as I have eth0 and br0 with assigned IPs), so when I start shorewall I 
lose connectivity between computers on opposite sides of the bridge. 
NAT and everything works, but I can't ping from one side to the other.

    I'm attaching all configuration files as well as the output of 
iptables -L after shorewall starts, hope that can help.

Thanks.
-------------- next part --------------
FILE = accounting

FILE = blacklist



FILE = common.def

run_iptables -A common -p icmp -j icmpdef
run_iptables -A common -p udp --dport 135	  -j reject
run_iptables -A common -p udp --dport 137:139     -j reject
run_iptables -A common -p udp --dport 445         -j reject
run_iptables -A common -p tcp --dport 139         -j reject
run_iptables -A common -p tcp --dport 445         -j reject
run_iptables -A common -p tcp --dport 135	  -j reject
run_iptables -A common -p udp --dport 1900	  -j DROP
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4     -j DROP
run_iptables -A common -p tcp --dport 113 -j reject
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP



FILE = ecn

FILE = hosts

FILE = init

FILE = interfaces

net	eth0		detect		dhcp
loc	zbr0		detect
FILE = maclist

FILE = masq

eth0			zbr0	
FILE = modules


    loadmodule ip_tables
    loadmodule iptable_filter
    loadmodule ip_conntrack
    loadmodule ip_conntrack_ftp
    loadmodule ip_conntrack_tftp
    loadmodule ip_conntrack_irc
    loadmodule iptable_nat
    loadmodule ip_nat_ftp
    loadmodule ip_nat_tftp
    loadmodule ip_nat_irc

FILE = nat

FILE = params

FILE = policy

loc		net		ACCEPT
fw		net		ACCEPT
net		all		DROP

loc		loc		ACCEPT
loc		fw		ACCEPT




all		all		REJECT
FILE = proxyarp

FILE = rfc1918

FILE = routestopped

eth1		-
FILE = rules

ACCEPT		fw		net		tcp	53
ACCEPT		fw		net		udp	53
ACCEPT		loc		fw		tcp	22
ACCEPT		loc		fw		icmp	8
ACCEPT		net		fw		icmp	8
ACCEPT		fw		loc		icmp	8
ACCEPT		fw		net		icmp	8
ACCEPT		loc		loc		icmp	8

ACCEPT		net		fw		tcp	22
ACCEPT		net		fw		tcp	21
ACCEPT		net		fw		tcp	143
ACCEPT		net		fw		tcp	993
ACCEPT		net		fw		tcp	www
ACCEPT		net		fw		tcp	443

DNAT		net		loc:10.0.0.2	tcp	5662
DNAT		net		loc:10.0.0.2	udp	3343

FILE = shorewall.conf


LOGFILE=/var/log/messages


LOGFORMAT="Shorewall:%s:%s:"


LOGRATE=10/hour
LOGBURST=5


LOGUNCLEAN=info

BLACKLIST_LOGLEVEL=



LOGNEWNOTSYN=info


MACLIST_LOG_LEVEL=info


TCP_FLAGS_LOG_LEVEL=info


RFC1918_LOG_LEVEL=info

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin


SHOREWALL_SHELL=/bin/sh


SUBSYSLOCK=/var/lock/subsys/shorewall


STATEDIR=/var/lib/shorewall


MODULESDIR=


FW=fw

IP_FORWARDING=On

ADD_IP_ALIASES=Yes

ADD_SNAT_ALIASES=No

TC_ENABLED=No


CLEAR_TC=No


MARK_IN_FORWARD_CHAIN=No

CLAMPMSS=No


ROUTE_FILTER=No


NAT_BEFORE_RULES=Yes


DETECT_DNAT_IPADDRS=Yes


MUTEX_TIMEOUT=60


NEWNOTSYN=No

ADMINISABSENTMINDED=Yes

BLACKLIST_DISPOSITION=DROP


MACLIST_DISPOSITION=REJECT


TCP_FLAGS_DISPOSITION=DROP

FILE = start

FILE = stop

FILE = stopped

FILE = tcrules

FILE = tos

all	all		tcp		-		ssh		16
all	all		tcp		ssh		-		16
all	all		tcp		-		ftp		16
all	all		tcp		ftp		-		16
all	all		tcp		ftp-data	-		8
all	all		tcp		-		ftp-data	8
FILE = tunnels

FILE = users


FILE = usersets

FILE = zones

net	Net		Internet
loc	Local		Local Networks
-------------- next part --------------
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP      !icmp --  anywhere             anywhere            state INVALID 
eth0_in    all  --  anywhere             anywhere            
zbr0_in    all  --  anywhere             anywhere            
common     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP      !icmp --  anywhere             anywhere            state INVALID 
eth0_fwd   all  --  anywhere             anywhere            
zbr0_fwd   all  --  anywhere             anywhere            
common     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP      !icmp --  anywhere             anywhere            state INVALID 
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc 
fw2net     all  --  anywhere             anywhere            
fw2loc     all  --  anywhere             anywhere            
common     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain all2all (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
common     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain common (5 references)
target     prot opt source               destination         
icmpdef    icmp --  anywhere             anywhere            
reject     udp  --  anywhere             anywhere            udp dpt:epmap 
reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn 
reject     udp  --  anywhere             anywhere            udp dpt:microsoft-ds 
reject     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn 
reject     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds 
reject     tcp  --  anywhere             anywhere            tcp dpt:epmap 
DROP       udp  --  anywhere             anywhere            udp dpt:1900 
DROP       all  --  anywhere             255.255.255.255     
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/4 
reject     tcp  --  anywhere             anywhere            tcp dpt:auth 
DROP       udp  --  anywhere             anywhere            udp spt:domain state NEW 
DROP       all  --  anywhere             255.255.255.255     
DROP       all  --  anywhere             10.0.0.255          

Chain dynamic (4 references)
target     prot opt source               destination         

Chain eth0_fwd (1 references)
target     prot opt source               destination         
dynamic    all  --  anywhere             anywhere            
net2loc    all  --  anywhere             anywhere            

Chain eth0_in (1 references)
target     prot opt source               destination         
dynamic    all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc 
net2fw     all  --  anywhere             anywhere            

Chain fw2loc (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
all2all    all  --  anywhere             anywhere            

Chain fw2net (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     all  --  anywhere             anywhere            

Chain icmpdef (1 references)
target     prot opt source               destination         

Chain loc2fw (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     all  --  anywhere             anywhere            

Chain loc2loc (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     all  --  anywhere             anywhere            

Chain loc2net (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
ACCEPT     all  --  anywhere             anywhere            

Chain net2all (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
common     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain net2fw (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap2 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imaps 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:www 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
net2all    all  --  anywhere             anywhere            

Chain net2loc (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
ACCEPT     tcp  --  anywhere             10.0.0.2            state NEW tcp dpt:5662 ctorigdst OL23-121.fibertel.com.ar 
ACCEPT     udp  --  anywhere             10.0.0.2            state NEW udp dpt:3343 ctorigdst OL23-121.fibertel.com.ar 
net2all    all  --  anywhere             anywhere            

Chain newnotsyn (9 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            limit: avg 10/hour burst 5 LOG level info prefix `Shorewall:newnotsyn:DROP:' 
DROP       all  --  anywhere             anywhere            

Chain reject (11 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable 
REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain shorewall (0 references)
target     prot opt source               destination         

Chain zbr0_fwd (1 references)
target     prot opt source               destination         
dynamic    all  --  anywhere             anywhere            
loc2net    all  --  anywhere             anywhere            

Chain zbr0_in (1 references)
target     prot opt source               destination         
dynamic    all  --  anywhere             anywhere            
loc2fw     all  --  anywhere             anywhere            

