[Shorewall-users] Problem with my simple local+ net shorewall configuration

Jimi Frechette djimix at free.fr
Mon Dec 1 22:51:52 PST 2003


Hi!
I've just installed the new Mandrake 9.2 on my Linux box. I've also
installed Shorewall in order to make my Linux box a firewall. But it doesn't
seem to work.
I've tried to apply the HOWTO config but it still doesn't work. Can anybody
help me out?
Here is my network:

Windows                       Linux
|192.168.0.2| <--------> eth0:192.168.0.1    eth1: adsl dhcp <------> Internet

My Windows box has its gateway configured as 192.168.0.1.

Quite a simple network! I can ping everything from my Linux box, but I can't
ping my Linux box from my Windows PC although my policy permits it!
I now think it may be a kernel problem?

Here are my config files:

ZONES:
# Shorewall 1.4 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#     ZONE        Short name of the zone (5 Characters or less in length).
#     DISPLAY           Display name of the zone
#     COMMENTS    Comments about the zone
#
#ZONE DISPLAY           COMMENTS
net   Net   Internet zone
loc   Local Local
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


No RULES

POLICY:
#SOURCE           DEST        POLICY            LOG LEVEL   LIMIT:BURST
loc   net   ACCEPT
fw    net   ACCEPT
net   all   DROP  info
fw    loc   ACCEPT
loc   fw    ACCEPT
#all  all   ACCEPT      info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


MASQ:

#INTERFACE          SUBNET          ADDRESS

eth1  eth0


#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


INTERFACES:

#ZONE INTERFACE  BROADCAST   OPTIONS
net   eth1  detect      dhcp
loc   eth0  detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE




EXPORT OF VERSION, IP ADDR, IP ROUTE AND OTHER STUFF:

1.4.6c

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 52:54:00:e7:35:8e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0d:88:19:bd:5c brd ff:ff:ff:ff:ff:ff
    inet 127.255.255.255/8 brd 127.255.255.255 scope host eth1:9
    inet 81.57.22.44/24 brd 81.57.22.255 scope global eth1


81.57.22.0/24 dev eth1  proto kernel  scope link  src 81.57.22.44
192.168.0.0/24 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 81.57.22.254 dev eth1


STATUS (SORRY FOR THE LENGTH)

Shorewall-1.4.6c Status at gate - dim nov 30 18:37:05 CET 2003

Counters reset Sun Nov 30 18:22:48 CET 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
    2   168 ACCEPT     all  --  lo     *       0.0.0.0/0
0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0
0.0.0.0/0          state INVALID
  285 98190 eth1_in    all  --  eth1   *       0.0.0.0/0
0.0.0.0/0
   51  5670 eth0_in    all  --  eth0   *       0.0.0.0/0
0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0
0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:INPUT:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0
0.0.0.0/0          state INVALID
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0
0.0.0.0/0
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0
0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0
0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:FORWARD:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
    2   168 ACCEPT     all  --  *      lo      0.0.0.0/0
0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0
0.0.0.0/0          state INVALID
    0     0 ACCEPT     udp  --  *      eth1    0.0.0.0/0
0.0.0.0/0          udp dpts:67:68
  301 37335 fw2net     all  --  *      eth1    0.0.0.0/0
0.0.0.0/0
   59  3213 fw2loc     all  --  *      eth0    0.0.0.0/0
0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0
0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:OUTPUT:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain common (4 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 reject     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:135
    0     0 reject     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:445
    7   336 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0
255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0
224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:113
    1    65 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp spt:53 state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0
127.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0
192.168.0.255

Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source
destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0
    0     0 loc2net    all  --  *      eth1    0.0.0.0/0
0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source
destination
   51  5670 dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0
   51  5670 loc2fw     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0
    0     0 net2all    all  --  *      eth0    0.0.0.0/0
0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source
destination
  285 98190 dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpts:67:68
  285 98190 net2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source
destination
   52  2697 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    7   516 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source
destination
  238 33433 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02
   63  3902 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain icmpdef (0 references)
 pkts bytes target     prot opt in     out     source
destination

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source
destination
   37  5014 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02
   14   656 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source
destination
  264 96957 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED
    7   280 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02
   14   953 common     all  --  *      *       0.0.0.0/0
0.0.0.0/0
    6   552 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
    6   552 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain newnotsyn (5 references)
 pkts bytes target     prot opt in     out     source
destination
    7   280 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:newnotsyn:DROP:'
    7   280 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain reject (7 references)
 pkts bytes target     prot opt in     out     source
destination
    7   336 REJECT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source
destination

Nov 29 13:57:41 marcadet-1-81-57-22-44 Shorewall:newnotsyn:DROP:IN=eth1 OUT=
SRC=81.57.213.81 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=61841
PROTO=TCP SPT=1463 DPT=1786 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 29 13:59:47 marcadet-1-81-57-22-44 Shorewall:newnotsyn:DROP:IN=eth1 OUT=
SRC=81.57.135.15 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=34004
PROTO=TCP SPT=2620 DPT=1419 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 29 14:00:04 marcadet-1-81-57-22-44 Shorewall:newnotsyn:DROP:IN=eth1 OUT=
SRC=81.57.75.95 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=45722
PROTO=TCP SPT=2782 DPT=1014 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 29 14:00:40 marcadet-1-81-57-22-44 Shorewall:newnotsyn:DROP:IN=eth1 OUT=
SRC=81.57.115.58 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=63212
PROTO=TCP SPT=1025 DPT=1379 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 29 14:00:44 marcadet-1-81-57-22-44 Shorewall:newnotsyn:DROP:IN=eth1 OUT=
SRC=81.57.132.123 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=15000
PROTO=TCP SPT=1025 DPT=1969 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 29 14:00:59 marcadet-1-81-57-22-44 Shorewall:newnotsyn:DROP:IN=eth1 OUT=
SRC=81.57.219.169 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=25826
PROTO=TCP SPT=2724 DPT=1656 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 29 14:01:35 marcadet-1-81-57-22-44 Shorewall:net2all:DROP:IN=eth1 OUT=
SRC=81.57.2.149 DST=81.57.22.44 LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=17383
PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=1573
Nov 30 18:28:27 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.128.99 DST=81.57.22.44
LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=60768 PROTO=TCP SPT=2447 DPT=1497
WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 30 18:28:44 net2all:DROP:IN=eth1 OUT= SRC=81.57.2.31 DST=81.57.22.44
LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=49651 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=45802
Nov 30 18:29:13 net2all:DROP:IN=eth1 OUT= SRC=81.57.117.152 DST=81.57.22.44
LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=52071 PROTO=ICMP TYPE=8 CODE=0 ID=768
SEQ=60679
Nov 30 18:29:13 net2all:DROP:IN=eth1 OUT= SRC=81.57.70.83 DST=81.57.22.44
LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=18645 PROTO=ICMP TYPE=8 CODE=0 ID=768
SEQ=2085
Nov 30 18:29:25 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.191.90 DST=81.57.22.44
LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=34710 PROTO=TCP SPT=2169 DPT=1078
WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 30 18:29:25 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.191.90 DST=81.57.22.44
LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=34711 PROTO=TCP SPT=2169 DPT=1078
WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 30 18:30:30 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.219.169
DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=60547 PROTO=TCP
SPT=1311 DPT=1031 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 30 18:31:59 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.48.41 DST=81.57.22.44
LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=34276 PROTO=TCP SPT=2506 DPT=1208
WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 30 18:33:39 net2all:DROP:IN=eth1 OUT= SRC=81.57.92.117 DST=81.57.22.44
LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=26347 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=3621
Nov 30 18:34:30 net2all:DROP:IN=eth1 OUT= SRC=81.56.192.142 DST=81.57.22.44
LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=62023 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=1827
Nov 30 18:35:14 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.222.31 DST=81.57.22.44
LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=3887 PROTO=TCP SPT=1025 DPT=1693
WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 30 18:35:36 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.188.75 DST=81.57.22.44
LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=8587 PROTO=TCP SPT=1025 DPT=1799
WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 30 18:35:37 net2all:DROP:IN=eth1 OUT= SRC=81.59.124.140 DST=81.57.22.44
LEN=92 TOS=0x00 PREC=0x00 TTL=111 ID=56291 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=45613

NAT Table

Chain PREROUTING (policy ACCEPT 124 packets, 6071 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain POSTROUTING (policy ACCEPT 93 packets, 5769 bytes)
 pkts bytes target     prot opt in     out     source
destination
   70  4182 eth1_masq  all  --  *      eth1    0.0.0.0/0
0.0.0.0/0

Chain OUTPUT (policy ACCEPT 86 packets, 5489 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain eth1_masq (1 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 MASQUERADE  all  --  *      *       192.168.0.0/24
0.0.0.0/0

Mangle Table

Chain PREROUTING (policy ACCEPT 587 packets, 241K bytes)
 pkts bytes target     prot opt in     out     source
destination
  375  106K pretos     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain INPUT (policy ACCEPT 521 packets, 238K bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain OUTPUT (policy ACCEPT 540 packets, 56294 bytes)
 pkts bytes target     prot opt in     out     source
destination
  362 40716 outtos     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 540 packets, 56294 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:22 TOS set 0x10
   42  2349 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:20 TOS set 0x08
    4   168 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source
destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:21 TOS set 0x10
   28  2048 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:21 TOS set 0x10
    6  2678 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:20 TOS set 0x08
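The zones, policy and interfaces files posted above decide, for every packet, which zone pair it belongs to and which policy row wins. The following is an added example (not code from the original post or from the Shorewall project) that parses copies of those three files and applies the Shorewall 1.4 semantics: policy rows are tried in file order, the first whose SOURCE and DEST match wins, `all` matches any zone, and `fw` names the firewall itself. It also runs the consistency checks worth doing before asking why a packet is dropped. All function names are this example's own.

```python
"""Which Shorewall 1.4 policy governs a given zone pair?

Added example, not code from the original post or from Shorewall.  Rows of
the policy file are tried in file order; the first match wins; `all` is a
wildcard; `fw` is the firewall zone.
"""

# Constructed copies of the poster's files (comments kept so the parser has
# to skip them the way the real tool does).
ZONES_FILE = """\
#ZONE DISPLAY           COMMENTS
net   Net   Internet zone
loc   Local Local
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"""

POLICY_FILE = """\
#SOURCE           DEST        POLICY            LOG LEVEL   LIMIT:BURST
loc   net   ACCEPT
fw    net   ACCEPT
net   all   DROP  info
fw    loc   ACCEPT
loc   fw    ACCEPT
#all  all   ACCEPT      info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

INTERFACES_FILE = """\
#ZONE INTERFACE  BROADCAST   OPTIONS
net   eth1  detect      dhcp
loc   eth0  detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

FW_ZONE = "fw"  # Shorewall 1.4's default name for the firewall zone


def rows(text):
    """Whitespace-split columns of every line that is not blank or a comment."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_zones(text):
    return [r[0] for r in rows(text)]


def parse_interfaces(text):
    """Map interface name -> zone name."""
    return {r[1]: r[0] for r in rows(text)}


def parse_policy(text):
    """(SOURCE, DEST, POLICY, LOG LEVEL or None) tuples in file order."""
    return [(r[0], r[1], r[2].upper(), r[3] if len(r) > 3 else None)
            for r in rows(text)]


def lookup_policy(policy, src_zone, dst_zone):
    """First matching row; `all` is a wildcard on either side."""
    for src, dst, action, level in policy:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action, level
    return None


def classify(interfaces, policy, in_if, out_if):
    """Zones and policy for a packet entering on in_if and leaving on out_if.

    in_if None: generated by the firewall.  out_if None: addressed to the
    firewall (the iptables INPUT path).
    """
    src_zone = FW_ZONE if in_if is None else interfaces[in_if]
    dst_zone = FW_ZONE if out_if is None else interfaces[out_if]
    found = lookup_policy(policy, src_zone, dst_zone)
    if found is None:
        return src_zone, dst_zone, None, None
    return (src_zone, dst_zone) + found


def check_config(zones, interfaces, policy):
    """Sanity checks: undefined zones, zones without an interface, uncovered pairs."""
    problems = []
    known = set(zones) | {FW_ZONE, "all"}
    for src, dst, _, _ in policy:
        for z in (src, dst):
            if z not in known:
                problems.append(f"policy references undefined zone {z!r}")
    for z in zones:
        if z not in interfaces.values():
            problems.append(f"zone {z!r} has no interface")
    everything = zones + [FW_ZONE]
    for a in everything:
        for b in everything:
            if a != b and lookup_policy(policy, a, b) is None:
                problems.append(f"no policy covers {a} -> {b}")
    return problems


ZONES = parse_zones(ZONES_FILE)
INTERFACES = parse_interfaces(INTERFACES_FILE)
POLICY = parse_policy(POLICY_FILE)

if __name__ == "__main__":
    print("config problems:", check_config(ZONES, INTERFACES, POLICY) or "none")
    # The cases from the post: a ping from the Windows box to the firewall,
    # the firewall's reply, and an Internet host trying to reach the LAN.
    for in_if, out_if in (("eth0", None), (None, "eth0"), ("eth1", "eth0")):
        print(in_if, "->", out_if, classify(INTERFACES, POLICY, in_if, out_if))
```

For the posted files the checks come back clean and a ping from eth0 to the firewall resolves to loc -> fw ACCEPT, which matches the `loc2fw` chain in the status output; when the policy says ACCEPT but the packet never shows up in that chain's counters, the place to look is routing and the interface addresses rather than the Shorewall files.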

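The status output ends with the `Shorewall:<chain>:DROP:` log lines, and the post shows them in two shapes (with and without the hostname and `Shorewall:` tag). Below is an added example, not code from the original post or from Shorewall, that parses such lines by anchoring on the `chain:action:IN=` part rather than a fixed column layout, then counts what was dropped per chain, protocol and source. The sample input is a few of the poster's lines re-joined onto one line each; the function names are this example's own.

```python
"""Summarise Shorewall DROP log lines by chain, protocol and source.

Added example, not code from the original post or from Shorewall.
"""
import ipaddress
import re
from collections import Counter

# Lines copied from the status output above, re-joined (the mail wrapped them).
SAMPLE_LOG = """\
Nov 29 13:57:41 marcadet-1-81-57-22-44 Shorewall:newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.213.81 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=124 ID=61841 PROTO=TCP SPT=1463 DPT=1786 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 29 14:01:35 marcadet-1-81-57-22-44 Shorewall:net2all:DROP:IN=eth1 OUT= SRC=81.57.2.149 DST=81.57.22.44 LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=17383 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=1573
Nov 30 18:28:27 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.128.99 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=60768 PROTO=TCP SPT=2447 DPT=1497 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 30 18:28:44 net2all:DROP:IN=eth1 OUT= SRC=81.57.2.31 DST=81.57.22.44 LEN=92 TOS=0x00 PREC=0x00 TTL=123 ID=49651 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=45802
Nov 30 18:29:25 newnotsyn:DROP:IN=eth1 OUT= SRC=81.57.191.90 DST=81.57.22.44 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=34710 PROTO=TCP SPT=2169 DPT=1078 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

# Works with or without a hostname / "Shorewall:" prefix before the chain name.
HEADER = re.compile(r"(?:Shorewall:)?(?P<chain>\w+):(?P<action>\w+):(?P<rest>IN=.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Dict of the netfilter key=value fields, or None if this is not a Shorewall line."""
    m = HEADER.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # ICMP lines carry ID twice (IP header id, then ICMP id); keep the first.
            rec.setdefault(key, value)
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec


def kind_of(rec):
    """Label for what was dropped: chain, protocol, and TCP flags or ICMP type."""
    proto = rec.get("PROTO", "?")
    if proto == "TCP":
        detail = "+".join(sorted(rec["flags"])) or "noflags"
    elif proto == "ICMP":
        detail = "type" + rec.get("TYPE", "?")
    else:
        detail = ""
    return rec["chain"], proto, detail


def summarize(text):
    """Counters of dropped packets per kind and per source address."""
    by_kind, by_src = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP":
            continue
        by_kind[kind_of(rec)] += 1
        by_src[rec["SRC"]] += 1
    return by_kind, by_src


def sources_in(by_src, network):
    """Dropped packets whose source lies inside the given network (e.g. the ISP's block)."""
    net = ipaddress.ip_network(network)
    return sum(n for ip, n in by_src.items() if ipaddress.ip_address(ip) in net)


if __name__ == "__main__":
    kinds, srcs = summarize(SAMPLE_LOG)
    for kind, n in kinds.most_common():
        print(f"{n:4d}  {' '.join(kind)}")
    print("from 81.57.0.0/16:", sources_in(srcs, "81.57.0.0/16"), "of", sum(srcs.values()))
```

On the sample the two buckets are `newnotsyn TCP ACK+RST` (bare RST packets that do not belong to any tracked connection, which Shorewall's `newnotsyn` chain drops by design) and `net2all ICMP type8` (echo requests from other hosts on the provider's network, dropped by the `net all DROP` policy). Neither touches the LAN-to-firewall path the poster is asking about, so these lines show the external policy working rather than explaining the failed ping from 192.168.0.2.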




