**SUPPORT** Personal Firewall with Shorewall Tutorial

RlC · Guru Joined: 30 Jul 2005 Posts: 358 Location: austria

thank you

StarDragon · Guru Joined: 19 Jun 2005 Posts: 390 Location: tEXas

Ever since I installed shorewall I see these weird rejections in my dmesg file:

Specialized · Apprentice Joined: 11 Jan 2005 Posts: 264

I got it working. For ntp-clients and ntpd you need to open the udp-Port 123.

piraeus · n00b Joined: 18 Oct 2003 Posts: 41

Got gxine working w/ bbc radio streams etc. (RTSP), just wanted to add it here in case someone's looking for it. I'd assume it'd be the same for mplayer etc. See http://www.cs.columbia.edu/~hgs/rtsp/

/etc/shorewall/rules:

slackthumbz · Posted: Fri Sep 23, 2005 1:29 pm Post subject:

How would I set up shorewall to allow me to run traceroutes? my current rules file looks like this:

Matteo Azzali · Retired Dev Joined: 23 Sep 2004 Posts: 1133

I've read the tutorial and I have just a question:
rules seems pretty easy, how do shorewall "resists" to:
SYN Flooding,
Ping of death ,
invalid state flag combinations (scans),
etc.etc.?
there are rules "behind the userspace" doin this, or there aren't at all?
(just to know if I'm protected with this setup...)
_________________
Every day a new distro comes to birth. Every day a distro "eats" another.
If you're born distro, no matter what, start to run.
---- http://www.linuxprinting.org/ ---- http://tuxmobil.org/

winston_nolan · Posted: Mon Sep 26, 2005 7:06 pm Post subject:

good day guys, please xcuse this long post by i got my ass in a sling here that i cant seem to get out of.

#some info relating to my setup

i have a gentoo gateway with 3 interfaces

eth0=internel interface[10.1.30.252]
eth1=isp1externel interface[10.1.30.252]--->initial gateway (isp1) 10.1.30.254
eth2=isp2 wireless interface[192.168.1.22]--->second gateway (isp2) 196.*.*.*

my lan computers have a gateway of 10.1.30.252 and they get this via dhcp. the gateway have a gateway of 10.1.30.254 (my first isp's router).
i have also in /etc/sysctl.conf --> net.ipv4.ip_forward = 1
i have shorewall and squid(3128, transparent proxy) setup on the gateway and it's working fine, the workstations can surf and all is sweet.

#what i want to do - here is where it gets dodgy %-/

i want to drop(leave) isp1 and push all my traffic through isp2 (over my wireless line)
now i figure i can do this with two ways.

1.use shorewall and its routing capabilities (http://www.shorewall.net/Shorewall_and_Routing.html)
2.i can set the gateway of my gateway to the ip of a box on the otherside of the wireless.

#this is what i have done on my "to be gateway" (box on the otherside of the wireless
i have set /etc/sysctl.conf --> net.ipv4.ip_forward = 1
installed shorewall and iptables and used the two-interface example (http://www.shorewall.net/two-interface.htm)
shorewall starts fine i will include the status at the end of this post.

added the ip of this machine as the gateway of my gateway to my lan pc's
i also checked the route and all seems fine but i cannot ping anything except the internel ip of this machine(the new gateway)

i am not sure if i am correct here, please feel free to add advice

guys, i have been hitting my head against a brick wall for the past week

i seriously would appreciate it if the gurus out there could not tell me if there is a gentoo specific way of doing this, or, has anyone done this with shorewall?

#shorewall status

root@elcubano ~ # shorewall status
Shorewall-2.4.2 Status at elcubano - Mon Sep 26 21:01:41 SAST 2005

Counters reset Mon Sep 26 20:26:34 SAST 2005

Chain INPUT (policy DROP 139 packets, 9204 bytes)
pkts bytes target prot opt in out source destination
177 13015 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 1506 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 192.168.1.0/24 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 192.168.1.0/24
0 0 ACCEPT all -- eth0 eth1 192.168.1.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 132 packets, 14853 bytes)
pkts bytes target prot opt in out source destination

NAT Table

Chain PREROUTING (policy ACCEPT 5899 packets, 436K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 37 packets, 2793 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 37 packets, 2793 bytes)
pkts bytes target prot opt in out source destination

Mangle Table

Chain PREROUTING (policy ACCEPT 9229 packets, 677K bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 8531 packets, 510K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 7175 packets, 887K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 7175 packets, 887K bytes)
pkts bytes target prot opt in out source destination

tcp 6 431652 ESTABLISHED src=192.168.1.10 dst=192.168.1.22 sport=57733 dport=445 packets=19435 bytes=11072913 src=192.168.1.22 dst=192.168.1.10 sport=445 dport=57733 packets=19938 bytes=11663290 [ASSURED] mark=0 use=1
tcp 6 425153 ESTABLISHED src=192.168.1.22 dst=192.168.1.255 sport=41164 dport=80 packets=1 bytes=40 [UNREPLIED] src=192.168.1.255 dst=192.168.1.22 sport=80 dport=41164 packets=0 bytes=0 mark=0 use=1
tcp 6 431999 ESTABLISHED src=192.168.1.22 dst=192.168.1.10 sport=58179 dport=22 packets=22017 bytes=1341560 src=192.168.1.10 dst=192.168.1.22 sport=22 dport=58179 packets=19619 bytes=3373022 [ASSURED] mark=0 use=1
tcp 6 425146 ESTABLISHED src=192.168.1.22 dst=192.168.1.0 sport=41165 dport=80 packets=1 bytes=40 [UNREPLIED] src=192.168.1.0 dst=192.168.1.22 sport=80 dport=41165 packets=0 bytes=0 mark=0 use=1
tcp 6 425146 ESTABLISHED src=192.168.1.22 dst=192.168.1.0 sport=41164 dport=80 packets=1 bytes=40 [UNREPLIED] src=192.168.1.0 dst=192.168.1.22 sport=80 dport=41164 packets=0 bytes=0 mark=0 use=1

IP Configuration

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:08:a1:7a:b5:44 brd ff:ff:ff:ff:ff:ff
inet 196.36.166.122/25 brd 196.36.166.129 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:08:a1:45:54:bf brd ff:ff:ff:ff:ff:ff
inet 192.168.1.10/24 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0d:61:40:dc:09 brd ff:ff:ff:ff:ff:ff

IP Stats

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
3584 8 0 0 0 0
TX: bytes packets errors dropped carrier collsns
3584 8 0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:08:a1:7a:b5:44 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
20302710 74499 0 0 0 0
TX: bytes packets errors dropped carrier collsns
42324779 40717 0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:08:a1:45:54:bf brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
33650191 85698 0 0 0 0
TX: bytes packets errors dropped carrier collsns
27614176 74105 0 0 0 1
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:0d:61:40:dc:09 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0

/proc

/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/all/log_martians = 1
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/default/log_martians = 1
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/log_martians = 1
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 1
/proc/sys/net/ipv4/conf/eth1/log_martians = 0
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 0

Routing Rules

0: from all lookup local
32766: from all lookup main
32767: from all lookup default

Table default:

Table local:

broadcast 192.168.1.0 dev eth1 proto kernel scope link src 192.168.1.10
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 196.36.166.0 dev eth0 proto kernel scope link src 196.36.166.122
broadcast 196.36.166.129 dev eth0 proto kernel scope link src 196.36.166.122
broadcast 192.168.1.255 dev eth1 proto kernel scope link src 192.168.1.10
local 196.36.166.122 dev eth0 proto kernel scope host src 196.36.166.122
local 192.168.1.10 dev eth1 proto kernel scope host src 192.168.1.10
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 196.36.166.127 dev eth0 proto kernel scope link src 196.36.166.122
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

Table main:

196.36.166.0/25 dev eth0 proto kernel scope link src 196.36.166.122
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.10
127.0.0.0/8 via 127.0.0.1 dev lo scope link
default via 196.36.166.1 dev eth0

ARP

? (192.168.1.22) at 00:02:6F:35:60:67 [ether] on eth1

Modules

ipt_REJECT 4544 0
ipt_pkttype 1856 0
ipt_CONNMARK 2368 0
ipt_connmark 1920 0
ipt_owner 3584 0
ipt_recent 9996 0
ipt_iprange 1984 0
ipt_multiport 2624 0
ipt_conntrack 2496 0
ip_nat_irc 2560 0
ip_nat_tftp 1984 0
ip_nat_ftp 3200 0
ip_conntrack_irc 71184 1 ip_nat_irc
ip_conntrack_tftp 3664 1 ip_nat_tftp
ip_conntrack_ftp 71952 1 ip_nat_ftp
ipt_REDIRECT 2176 0
ipt_LOG 6848 0
ipt_limit 2432 0
ipt_state 1984 2
ipt_MASQUERADE 3136 0
root@elcubano ~ #

thanks to all,

Matteo Azzali · Retired Dev Joined: 23 Sep 2004 Posts: 1133

Ok, I had to admit, I choosed kmyfirewall since it allows me
to define sourceports and destports for any connection.

But I'm using your method to log to a separate file with syslog-ng,
and I have a question: is it safe to use chmod to lower the permissions
on the firewall logfile? (read permissions to all users...)
_________________
Every day a new distro comes to birth. Every day a distro "eats" another.
If you're born distro, no matter what, start to run.
---- http://www.linuxprinting.org/ ---- http://tuxmobil.org/

Bob P · Posted: Wed Sep 28, 2005 8:04 am Post subject:

cpu · Posted: Fri Sep 30, 2005 1:18 pm Post subject:

Bob P · Posted: Thu Oct 13, 2005 5:09 am Post subject:

slyyls · ACCEPT net:192.168.0.0/24 fw - -

Hey,

Quick question, I have a loptop that connects via router to the internet. I want to install shorewall on the laptop in case i visit someone or i case i want to put myselft in the Routers DMZ. The same network card (could be eth0 --wired or eth1 --wireless) will be used to access the internet and the local network. If i want to allow total access to my laptop from the local network (samba, ssh, etc), but not the internet, how do i build this rule. I think it's something along the lines:

Stormkings · Guru Joined: 27 Sep 2002 Posts: 352 Location: Europe

Hi everyone,
I would like to enable multicast streaming through my firewall. Any suggestions how to do that? There is only very few information available.
Thanks in advance, dk

krolden · ACCEPT net:192.168.0.0/24 fw - -

Dr_Stein · Posted: Tue Nov 08, 2005 12:18 am Post subject:

Whoops.. I made a new thread here: http://forums.gentoo.org/viewtopic-p-2860121.html

If anyone could take a look at that one and help me solve it, I'd be a happy human. :-)

My_World · Posted: Wed Nov 23, 2005 7:50 pm Post subject:

Have a similar problem to winston_nolan, so if anyone can please help me sort this I would be very gratefull indeed!
My Setup-
Firewall/router/gateway machine with the following setup:
ppp0 internet (modem connection)
eth0 wired lan (gateway for wired network)
wlan0 wireless network (wireless card configured to be access point)

The problem, as soon as I start the firewall I have no access to the wireless network or an internet connection for wireless network. I cannot even ping the router/firewall PC! The wired network works 100%.
I have tried numours config options and still no joy. Here is what I currently have:

My_World · Posted: Wed Nov 23, 2005 9:09 pm Post subject:

I have had another look at the Shorewall documantation and reverted back to the default two-interface mode found here:
http://www.shorewall.net/two-interface.htm

My setup now looks almost identical to that one, but the same problem, the wireless lan is not allowed access to and from the internet or the router (cannot ping router, firewall blocks the traffic).

According to the documentation all that I should need is this:

Tatewaki · n00b Joined: 13 Jun 2005 Posts: 38 Location: Denmark

I got a question about the zones that shorewall uses. I like to block all the traffic from the lan, so i have added this in policy:

slyyls · ACCEPT net:192.168.1.0/24 fw all

Hello,

I want to allow local area network traffic to my computer. I have the following rule in my /etc/shorewall/rules file.

Qu4rk · n00b Joined: 22 Mar 2005 Posts: 74

Ok, so I've searched & I guess no one else has encountered this. I can't load yahoo games like chess & what not. Every time I try to click on a game it gives me the "you must be behind a firewall" error msg. So, I stopped shorewall & sure enough the game room opened. Someone in an earlier thread had port 5050 for yahoo msger, but that doesn't work for the games. Anyone know which port to open for Yahoo games?

Thanks

krolden · Posted: Fri Feb 10, 2006 6:12 pm Post subject:

Have you checked your logs to see what port it wants to connect to?

Qu4rk · n00b Joined: 22 Mar 2005 Posts: 74

Bear The Barbarian · n00b Joined: 17 Feb 2006 Posts: 1

I apologize for revisiting a topic that's been hit on before, but I just can't seem to get this to work.

Whenever I try /etc/init.d/shorewall start, I get

cherring · n00b Joined: 18 Feb 2006 Posts: 8 Location: Sydney

I have been putting off installing a firewall on my server as I was intimidated by the process. I always understood the concept, but not the mechanics of it. Luckily for me I had a server that I was just tinkering with, doing a little email serving, but really just learning a lot about running my own server. But as I started to set up all my services and started to get them configured to my liking the need for a firewall was all too apparent to me.

I searched around the net looking for something that could explain iptables to me, but as I didn't understand what it was doing properly I didn't even try to muddle through. Then I stumbled on this tutorial and it explained the whole process brilliantly and I now have a working firewall and I am very happy.

Many thanks for such a well written well documented tutorial that held my hand perfectly every step of the way, I am very grateful to great users such as yourself who pass on their knowledge and understanding of technology to others.

Cheers.

Old School · Posted: Wed Feb 22, 2006 2:30 am Post subject:

I'm getting this error: