* [gentoo-user] Looking for help with Shorewall
From: Jerry @ 2006-05-18 16:38 UTC
To: gentoo-user
I am setting up gentoo on another computer and cannot get shorewall to
start properly. I had used another version of shorewall previously but
cannot get 3.0.4 to work. I have read and tried to follow the
instructions in /usr/share/doc/shorewall-3.0.4/Samples/one-interface but
no success. I have a dialup modem and one other computer connected via eth0.
If root runs 'which ip' the response is '/sbin/ip'.
/etc/shorewall/zones:
#ZONE   TYPE    OPTIONS         IN                      OUT
#                               OPTIONS                 OPTIONS
net ipv4 -
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/policy:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/rules: has all rules commented out to try to make the
startup as simple as possible.
When I run shorewall start:
root@backup:/etc/shorewall # shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Not available
Packet Mangling: Available
Multi-port Match: Not available
Connection Tracking Match: Not available
Packet Type Match: Not available
Policy Match: Not available
Physdev Match: Not available
IP range Match: Not available
Recent Match: Not available
Owner Match: Not available
Ipset Match: Not available
CONNMARK Target: Not available
Connmark Match: Not available
Raw Table: Available
CLASSIFY Target: Not available
Determining Zones...
IPv4 Zones: net
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
net Zone: ppp0:0.0.0.0/0
Processing /etc/shorewall/init ...
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.SMB...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
..End Macro
Pre-processing /usr/share/shorewall/action.Reject...
Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
iptables: No chain/target/match by that name
ERROR: Command "/sbin/iptables -A FORWARD -m state --state
ESTABLISHED,RELATED -j ACCEPT" Failed
Processing /etc/shorewall/stop ...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated
root@backup:/etc/shorewall # shorewall status
Shorewall-3.0.4 Status at backup - Thu May 18 16:30:45 UTC 2006
Shorewall is stopped
State:Stopped (Thu May 18 16:28:59 UTC 2006)
Now I cannot connect to the internet through the modem nor ssh to the
other computer. I was able to do both before running shorewall start.
root@backup:/etc/shorewall # /etc/init.d/iptables stop
* Saving iptables state
... [ ok ]
* Stopping firewall
... [ ok ]
root@backup:/etc/shorewall # ssh main
Password:
Now I can ssh and connect to the internet.
What am I doing wrong? Any advice appreciated.
Jerry
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Looking for help with Shorewall
From: John Jolet @ 2006-05-19 0:24 UTC
To: gentoo-user
Jerry wrote:
> I am setting up gentoo on another computer and cannot get shorewall
> to start properly. I had used another version of shorewall previously
> but cannot get 3.0.4 to work. I have read and tried to follow the
> instruction in /usr/share/doc/shorewall-3.0.4/Samples/one-interface
> but no success. I have dialup modem, one other computer connected via
> eth0. If root runs 'which ip' the response is '/sbin/ip'.
>
> /etc/shorewall/zones:
> #ZONE TYPE OPTIONS IN
> OUT OPTIONS
> OPTIONS
> net ipv4 -
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
>
> /etc/shorewall/interfaces:
> #ZONE INTERFACE BROADCAST OPTIONS
> net ppp0 -
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> /etc/shorewall/policy:
> #SOURCE DEST POLICY LOG LEVEL
> LIMIT:BURST
> $FW net ACCEPT
> net all DROP info
> # The FOLLOWING POLICY MUST BE LAST
> all all REJECT info
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> /etc/shorewall/rules: has all rules commented out to try to make the
> startup as simple as possible.
>
> When I run shorewall start:
>
> root@backup:/etc/shorewall # shorewall start
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Starting Shorewall...
> Initializing...
> Shorewall has detected the following iptables/netfilter capabilities:
> NAT: Not available
> Packet Mangling: Available
> Multi-port Match: Not available
> Connection Tracking Match: Not available
> Packet Type Match: Not available
> Policy Match: Not available
> Physdev Match: Not available
> IP range Match: Not available
> Recent Match: Not available
> Owner Match: Not available
> Ipset Match: Not available
> CONNMARK Target: Not available
> Connmark Match: Not available
> Raw Table: Available
> CLASSIFY Target: Not available
> Determining Zones...
> IPv4 Zones: net
> Firewall Zone: fw
> Validating interfaces file...
> Validating hosts file...
> Validating Policy file...
> Determining Hosts in Zones...
> net Zone: ppp0:0.0.0.0/0
> Processing /etc/shorewall/init ...
> Pre-processing Actions...
> Pre-processing /usr/share/shorewall/action.Drop...
> ..Expanding Macro /usr/share/shorewall/macro.Auth...
> ..End Macro
> ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
> ..End Macro
> ..Expanding Macro /usr/share/shorewall/macro.SMB...
> ..End Macro
> ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
> ..End Macro
> ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
> ..End Macro
> Pre-processing /usr/share/shorewall/action.Reject...
> Pre-processing /usr/share/shorewall/action.Limit...
> Deleting user chains...
> iptables: No chain/target/match by that name
> ERROR: Command "/sbin/iptables -A FORWARD -m state --state
> ESTABLISHED,RELATED -j ACCEPT" Failed
> Processing /etc/shorewall/stop ...
> iptables: No chain/target/match by that name
> iptables: No chain/target/match by that name
> IP Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> Terminated
>
> root@backup:/etc/shorewall # shorewall status
> Shorewall-3.0.4 Status at backup - Thu May 18 16:30:45 UTC 2006
>
> Shorewall is stopped
> State:Stopped (Thu May 18 16:28:59 UTC 2006)
>
> Now I cannot connect to the internet through the modem nor ssh to the
> other computer. I was able to do both before running shorewall start.
>
> root@backup:/etc/shorewall # /etc/init.d/iptables stop
> * Saving iptables state
> ... [ ok ]
> * Stopping firewall
> ... [ ok ]
> root@backup:/etc/shorewall # ssh main
> Password:
>
> Now I can ssh and connect to the internet.
>
> What am I doing wrong? Any advice appreciated.
>
> Jerry
>
To get your access back, issue "shorewall clear".
The problem on start is that you don't have those capabilities listed
activated in your kernel....
* Re: [gentoo-user] Looking for help with Shorewall
From: Ryan Tandy @ 2006-05-19 5:01 UTC
To: gentoo-user
Jerry wrote:
> root@backup:/etc/shorewall # shorewall start
Any particular reason why you're running that instead of
/etc/init.d/shorewall start?
> Shorewall has detected the following iptables/netfilter capabilities:
> NAT: Not available
> Packet Mangling: Available
> Multi-port Match: Not available
> Connection Tracking Match: Not available
> Packet Type Match: Not available
> Policy Match: Not available
> Physdev Match: Not available
> IP range Match: Not available
> Recent Match: Not available
> Owner Match: Not available
> Ipset Match: Not available
> CONNMARK Target: Not available
> Connmark Match: Not available
> Raw Table: Available
> CLASSIFY Target: Not available
Hmmm... looks like you're missing a few fairly necessary components.
Might want to add a bit more to your iptables configuration in your
kernel config, or have some fun with modprobe.
> iptables: No chain/target/match by that name
> ERROR: Command "/sbin/iptables -A FORWARD -m state --state
> ESTABLISHED,RELATED -j ACCEPT" Failed
This is caused by the line "Connection Tracking Match: Not available" -
you need to build in to your kernel or modprobe the conntrack module.
> Now I cannot connect to the internet through the modem nor ssh to the
> other computer. I was able to do both before running shorewall start.
shorewall clear or /etc/init.d/shorewall clear
>
> root@backup:/etc/shorewall # /etc/init.d/iptables stop
> * Saving iptables state
> ... [ ok ]
> * Stopping firewall
> ... [ ok ]
You don't need to have iptables running for shorewall to work (I know I
don't).
delta ~ # /etc/init.d/shorewall status
* status: started
delta ~ # /etc/init.d/iptables status
* status: stopped
HTH.
Ryan
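The replies above all point at the same root cause: the capability report Shorewall prints on start lists what the kernel's netfilter stack can do, and a rule such as `-m state --state ESTABLISHED,RELATED` cannot be loaded when conntrack is missing. The following script is an added example, not code from the thread or from Shorewall itself. It reads that capability report, lists every entry marked "Not available", and maps each one to the kernel config symbol(s) that provide it. The mapping in `kernel_option_for` is my own assumption for current kernels (a 2.6.16-era kernel spelled conntrack `CONFIG_IP_NF_CONNTRACK` and loaded `ip_conntrack`, so check your own tree's Kconfig); the embedded `SAMPLE` is constructed from the report in Jerry's post.

```shell
#!/bin/sh
# Added example (not from the thread or Shorewall): turn Shorewall's
# capability report into a list of kernel options to enable. The config
# symbol names are an assumption for current kernels; verify against
# the Kconfig of the kernel you actually build.

# Print the capability names Shorewall reported as "Not available",
# one per line. Reads Shorewall's start output on stdin.
missing_capabilities() {
    sed -n 's/^[[:space:]]*\(.*\): Not available[[:space:]]*$/\1/p'
}

# Count the missing capabilities in the report read on stdin.
count_missing() {
    missing_capabilities | wc -l | tr -d ' '
}

# Map a Shorewall capability name to the kernel config symbol(s) that
# provide it (assumed names; =y builds it in, =m builds a module).
kernel_option_for() {
    case "$1" in
        "NAT")                       echo "CONFIG_NF_NAT CONFIG_IP_NF_NAT" ;;
        "Connection Tracking Match") echo "CONFIG_NF_CONNTRACK CONFIG_NETFILTER_XT_MATCH_STATE" ;;
        "Multi-port Match")          echo "CONFIG_NETFILTER_XT_MATCH_MULTIPORT" ;;
        "Packet Type Match")         echo "CONFIG_NETFILTER_XT_MATCH_PKTTYPE" ;;
        "Policy Match")              echo "CONFIG_NETFILTER_XT_MATCH_POLICY" ;;
        "Physdev Match")             echo "CONFIG_NETFILTER_XT_MATCH_PHYSDEV" ;;
        "IP range Match")            echo "CONFIG_NETFILTER_XT_MATCH_IPRANGE" ;;
        "Recent Match")              echo "CONFIG_NETFILTER_XT_MATCH_RECENT" ;;
        "Owner Match")               echo "CONFIG_NETFILTER_XT_MATCH_OWNER" ;;
        "Ipset Match")               echo "CONFIG_IP_SET" ;;
        "CONNMARK Target")           echo "CONFIG_NETFILTER_XT_TARGET_CONNMARK" ;;
        "Connmark Match")            echo "CONFIG_NETFILTER_XT_MATCH_CONNMARK" ;;
        "CLASSIFY Target")           echo "CONFIG_NETFILTER_XT_TARGET_CLASSIFY" ;;
        "Packet Mangling")           echo "CONFIG_IP_NF_MANGLE" ;;
        "Raw Table")                 echo "CONFIG_IP_NF_RAW" ;;
        *)                           echo "unknown (check your kernel's Kconfig)" ;;
    esac
}

# Print "capability -> kernel option(s)" for each missing capability.
report_missing() {
    missing_capabilities | while IFS= read -r cap; do
        printf '%s -> %s\n' "$cap" "$(kernel_option_for "$cap")"
    done
}

# Ask the running kernel whether a config symbol is set (=y or =m).
# Needs CONFIG_IKCONFIG_PROC (/proc/config.gz) or a /boot/config-* file;
# returns 2 when neither is readable, so the answer is "cannot tell".
kernel_has() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q "^$1=[ym]"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        grep -q "^$1=[ym]" "/boot/config-$(uname -r)"
    else
        return 2
    fi
}

# Constructed sample: the capability block from the "shorewall start" output
# in the original post (two entries available, thirteen missing).
SAMPLE='Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Not available
   Packet Mangling: Available
   Multi-port Match: Not available
   Connection Tracking Match: Not available
   Packet Type Match: Not available
   Policy Match: Not available
   Physdev Match: Not available
   IP range Match: Not available
   Recent Match: Not available
   Owner Match: Not available
   Ipset Match: Not available
   CONNMARK Target: Not available
   Connmark Match: Not available
   Raw Table: Available
   CLASSIFY Target: Not available'

# Usage: pipe real output in with `shorewall start 2>&1 | sh thisscript.sh`
# style redirection into report_missing; here the constructed sample is used.
printf '%s\n' "$SAMPLE" | report_missing
```

`missing_capabilities` does the parsing, so on a live box you can feed it the real report (`shorewall start 2>&1 | ...`) and then loop over `kernel_option_for` with `kernel_has` to see which symbols the running kernel already has before rebuilding. The "Connection Tracking Match" entry is the one that explains the failed `-m state` rule in the post: without `CONFIG_NF_CONNTRACK` and the state match, iptables cannot find the match and Shorewall aborts, which is why `shorewall clear` is the quickest way to get access back while the kernel is being fixed.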
* Re: [gentoo-user] Looking for help with Shorewall
From: Uwe Thiem @ 2006-05-19 6:57 UTC
To: gentoo-user
On 18 May 2006 17:38, Jerry wrote:
> Shorewall has detected the following iptables/netfilter capabilities:
> NAT: Not available
> Packet Mangling: Available
> Multi-port Match: Not available
> Connection Tracking Match: Not available
> Packet Type Match: Not available
> Policy Match: Not available
> Physdev Match: Not available
> IP range Match: Not available
> Recent Match: Not available
> Owner Match: Not available
> Ipset Match: Not available
> CONNMARK Target: Not available
> Connmark Match: Not available
> Raw Table: Available
> CLASSIFY Target: Not available
> What am I doing wrong? Any advice appreciated.
You haven't configured your kernel for firewalling.
Uwe
--
Mark Twain: I rather decline two drinks than a German adjective.
* Re: [gentoo-user] Looking for help with Shorewall
From: Jerry Turba @ 2006-05-21 13:34 UTC
To: gentoo-user
John Jolet wrote:
> Jerry wrote:
>
>> I am setting up gentoo on another computer and cannot get shorewall
>> to start properly. I had used another version of shorewall previously
>> but cannot get 3.0.4 to work. I have read and tried to follow the
>> instruction in /usr/share/doc/shorewall-3.0.4/Samples/one-interface
>> but no success. I have dialup modem, one other computer connected
>> via eth0. If root runs 'which ip' the response is '/sbin/ip'.
>>
>> /etc/shorewall/zones:
>> #ZONE TYPE OPTIONS IN
>> OUT OPTIONS
>> OPTIONS
>> net ipv4 -
>> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
>>
>> /etc/shorewall/interfaces:
>> #ZONE INTERFACE BROADCAST OPTIONS
>> net ppp0 -
>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>>
>> /etc/shorewall/policy:
>> #SOURCE DEST POLICY LOG LEVEL
>> LIMIT:BURST
>> $FW net ACCEPT
>> net all DROP info
>> # The FOLLOWING POLICY MUST BE LAST
>> all all REJECT info
>> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>>
>> /etc/shorewall/rules: has all rules commented out to try to make the
>> startup as simple as possible.
>>
>> When I run shorewall start:
>>
>> root@backup:/etc/shorewall # shorewall start
>> Loading /usr/share/shorewall/functions...
>> Processing /etc/shorewall/params ...
>> Processing /etc/shorewall/shorewall.conf...
>> Loading Modules...
>> Starting Shorewall...
>> Initializing...
>> Shorewall has detected the following iptables/netfilter capabilities:
>> NAT: Not available
>> Packet Mangling: Available
>> Multi-port Match: Not available
>> Connection Tracking Match: Not available
>> Packet Type Match: Not available
>> Policy Match: Not available
>> Physdev Match: Not available
>> IP range Match: Not available
>> Recent Match: Not available
>> Owner Match: Not available
>> Ipset Match: Not available
>> CONNMARK Target: Not available
>> Connmark Match: Not available
>> Raw Table: Available
>> CLASSIFY Target: Not available
>> Determining Zones...
>> IPv4 Zones: net
>> Firewall Zone: fw
>> Validating interfaces file...
>> Validating hosts file...
>> Validating Policy file...
>> Determining Hosts in Zones...
>> net Zone: ppp0:0.0.0.0/0
>> Processing /etc/shorewall/init ...
>> Pre-processing Actions...
>> Pre-processing /usr/share/shorewall/action.Drop...
>> ..Expanding Macro /usr/share/shorewall/macro.Auth...
>> ..End Macro
>> ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
>> ..End Macro
>> ..Expanding Macro /usr/share/shorewall/macro.SMB...
>> ..End Macro
>> ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
>> ..End Macro
>> ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
>> ..End Macro
>> Pre-processing /usr/share/shorewall/action.Reject...
>> Pre-processing /usr/share/shorewall/action.Limit...
>> Deleting user chains...
>> iptables: No chain/target/match by that name
>> ERROR: Command "/sbin/iptables -A FORWARD -m state --state
>> ESTABLISHED,RELATED -j ACCEPT" Failed
>> Processing /etc/shorewall/stop ...
>> iptables: No chain/target/match by that name
>> iptables: No chain/target/match by that name
>> IP Forwarding Enabled
>> Processing /etc/shorewall/stopped ...
>> Terminated
>>
>> root@backup:/etc/shorewall # shorewall status
>> Shorewall-3.0.4 Status at backup - Thu May 18 16:30:45 UTC 2006
>>
>> Shorewall is stopped
>> State:Stopped (Thu May 18 16:28:59 UTC 2006)
>>
>> Now I cannot connect to the internet through the modem nor ssh to the
>> other computer. I was able to do both before running shorewall start.
>>
>> root@backup:/etc/shorewall # /etc/init.d/iptables stop
>> * Saving iptables state
>> ... [ ok ]
>> * Stopping firewall
>> ... [ ok ]
>> root@backup:/etc/shorewall # ssh main
>> Password:
>>
>> Now I can ssh and connect to the internet.
>>
>> What am I doing wrong? Any advice appreciated.
>>
>> Jerry
>>
> to get your access back, issue "shorewall clear"
> the problem on start is that you don't have those capabilities listed
> activated in your kernel....
I figured out which capabilities I needed in the kernel and now shorewall
starts without complaining.
Thanks, John.
Jerry
* Re: [gentoo-user] Looking for help with Shorewall
From: Jerry Turba @ 2006-05-21 13:37 UTC
To: gentoo-user
Ryan Tandy wrote:
> Jerry wrote:
>
>> root@backup:/etc/shorewall # shorewall start
>
> Any particular reason why you're running that instead of
> /etc/init.d/shorewall start?
>
That's what the docs suggested as the start command.
>> Shorewall has detected the following iptables/netfilter capabilities:
>> NAT: Not available
>> Packet Mangling: Available
>> Multi-port Match: Not available
>> Connection Tracking Match: Not available
>> Packet Type Match: Not available
>> Policy Match: Not available
>> Physdev Match: Not available
>> IP range Match: Not available
>> Recent Match: Not available
>> Owner Match: Not available
>> Ipset Match: Not available
>> CONNMARK Target: Not available
>> Connmark Match: Not available
>> Raw Table: Available
>> CLASSIFY Target: Not available
>
> Hmmm... looks like you're missing a few fairly necessary components.
> Might want to add a bit more to your iptables configuration in your
> kernel config, or have some fun with modprobe.
>
I rebuilt the kernel with more iptables modules and shorewall works fine.
>> iptables: No chain/target/match by that name
>> ERROR: Command "/sbin/iptables -A FORWARD -m state --state
>> ESTABLISHED,RELATED -j ACCEPT" Failed
>
> This is caused by the line "Connection Tracking Match: Not available"
> - you need to build in to your kernel or modprobe the conntrack module.
>
>> Now I cannot connect to the internet through the modem nor ssh to the
>> other computer. I was able to do both before running shorewall start.
>
> shorewall clear or /etc/init.d/shorewall clear
>
>>
>> root@backup:/etc/shorewall # /etc/init.d/iptables stop
>> * Saving iptables state
>> ... [ ok ]
>> * Stopping firewall
>> ... [ ok ]
>
> You don't need to have iptables running for shorewall to work (I know
> I don't).
>
> delta ~ # /etc/init.d/shorewall status
> * status: started
> delta ~ # /etc/init.d/iptables status
> * status: stopped
>
> HTH.
>
> Ryan
Thanks for the help, Ryan.
Jerry
* Re: [gentoo-user] Looking for help with Shorewall
From: Jerry Turba @ 2006-05-21 13:38 UTC
To: gentoo-user
Uwe Thiem wrote:
> On 18 May 2006 17:38, Jerry wrote:
>
>> Shorewall has detected the following iptables/netfilter capabilities:
>> NAT: Not available
>> Packet Mangling: Available
>> Multi-port Match: Not available
>> Connection Tracking Match: Not available
>> Packet Type Match: Not available
>> Policy Match: Not available
>> Physdev Match: Not available
>> IP range Match: Not available
>> Recent Match: Not available
>> Owner Match: Not available
>> Ipset Match: Not available
>> CONNMARK Target: Not available
>> Connmark Match: Not available
>> Raw Table: Available
>> CLASSIFY Target: Not available
>>
>> What am I doing wrong? Any advice appreciated.
>
> You haven't configured your kernel for firewalling.
>
> Uwe
Reconfigured the kernel and all is fine.
Thanks, Uwe.
Jerry