supernick_84 (n00b; Joined: 22 Feb 2006; Posts: 2)
Posted: Wed Feb 22, 2006 5:43 pm
I'm having trouble connecting to an FTP server with my laptop. I've installed shorewall on my desktop computer according to your HOWTO (which is very nice!) and it works fine there.
Could it be that the problem is that I have 2 interfaces?
Anyway, this is the error I get:
Code:
ftp users.pandora.be
Connected to users.pandora.be.
220 Telenet-ops FTP Server
Name (users.pandora.be:nick): xxxxxx
500 AUTH not understood
SSL not available
331 Password required for xxxxxx
Password:
230 User xxxxxx logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
425 Unable to build data connection: Connection timed out

Here's my /etc/shorewall/rules:
Code:
ACCEPT fw net tcp 80 #http
ACCEPT fw net udp 80 #http
ACCEPT fw net tcp 443 #https
ACCEPT fw net udp 443 #https
ACCEPT fw net tcp 21,20 #ftp
ACCEPT fw net tcp 53 #DNS
ACCEPT fw net udp 53 #DNS
ACCEPT fw net tcp 110 #unsecure Pop3
ACCEPT fw net tcp 995 #Secure Pop3
ACCEPT fw net tcp 873 #rsync
ACCEPT fw net tcp 25 #unsecure SMTP
ACCEPT fw net tcp 465 #SMTP over SSL
ACCEPT fw net tcp 6667 #IRC
ACCEPT fw net tcp 1863 #GAIM

Here's the /etc/shorewall/interfaces:
Code:
#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
#
net eth0 detect dhcp,nosmurfs
net wlan0 detect dhcp,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The policy says:
Code:
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
net all DROP info
all all REJECT info
#LAST LINE -- DO NOT REMOVE

And the zones:
Code:
#ZONE DISPLAY COMMENTS
net internet the big and bad internet

Does anyone have an idea why I can't connect to FTP servers? (Using gFTP or the ftp command)
Thanks in advance!
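To see where the data connection in the listing above is being dropped, here is an added example (mine, not from the post or from Shorewall) that models Shorewall's rules-then-policy decision for a new connection and traces active-mode FTP through the posted rules and policy; the `Firewall` and `active_ftp_trace` names and the ephemeral port 49152 are this example's own choices, and port lists and ranges are handled beyond what the posted rules need.

```python
"""Model of how Shorewall decides a NEW connection: rules file first (first
match wins), then policy.  Added example, not Shorewall's own code.  Assumes
the classic ACTION SOURCE DEST PROTO DPORT syntax; 'all' matches anything."""


def parse_table(text):
    """Split a Shorewall table into columns, dropping comments and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def port_matches(spec, port):
    """'-' matches anything; '21,20' is a list; '6881:6889' a closed range."""
    if spec in ("-", "all"):
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def zone_matches(spec, zone):
    return spec == "all" or spec == zone


class Firewall:
    def __init__(self, rules, policy):
        self.rules = parse_table(rules)
        self.policy = parse_table(policy)

    def decide(self, src, dst, proto, dport, state="NEW"):
        """Return (verdict, reason) for the packet that opens a connection."""
        # Shorewall accepts ESTABLISHED/RELATED before consulting the rules.
        # With the kernel FTP conntrack helper (CONFIG_IP_NF_FTP) loaded, an
        # active-mode data connection is RELATED to the control connection.
        if state in ("ESTABLISHED", "RELATED"):
            return "ACCEPT", "conntrack " + state
        for row in self.rules:
            if len(row) < 4:  # macro syntax (FTP/ACCEPT ...) is not modelled
                raise ValueError("unsupported rule: " + " ".join(row))
            action, rsrc, rdst, rproto = row[:4]
            rport = row[4] if len(row) > 4 else "-"
            if (zone_matches(rsrc, src) and zone_matches(rdst, dst)
                    and rproto in ("all", proto) and port_matches(rport, dport)):
                return action, "rule " + " ".join(row)
        for row in self.policy:
            psrc, pdst, paction = row[:3]
            if zone_matches(psrc, src) and zone_matches(pdst, dst):
                return paction, "policy " + " ".join(row)
        return "DROP", "no matching rule or policy"


# Constructed excerpt of the rules and policy files posted above.
RULES = """\
ACCEPT fw net tcp 80 #http
ACCEPT fw net tcp 21,20 #ftp
ACCEPT fw net tcp 53 #DNS
ACCEPT fw net udp 53 #DNS
"""
POLICY = """\
net all DROP info
all all REJECT info
"""


def active_ftp_trace(fw, client_port=49152):
    """Active-mode FTP from the laptop: control channel out to port 21, then
    the server opens the data channel back from its port 20 to the ephemeral
    port announced in PORT.  Returns (control, data as NEW, data as RELATED)."""
    control = fw.decide("fw", "net", "tcp", 21)[0]
    data_new = fw.decide("net", "fw", "tcp", client_port)[0]
    data_related = fw.decide("net", "fw", "tcp", client_port, "RELATED")[0]
    return control, data_new, data_related
```

The control channel to port 21 is accepted by the rule, but the server's data connection back to the laptop is a new inbound connection that only the `net all DROP` policy matches, which is why ftp times out instead of being refused. With the kernel's FTP conntrack helper (the 'FTP protocol support' item under IP: Netfilter Configuration) that connection is classified RELATED and passes without opening any inbound port, and passive mode, which makes the data channel outbound, avoids the problem as well.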

nagual (n00b; Joined: 15 Jan 2006; Posts: 34)
Posted: Fri Feb 24, 2006 3:25 am
After following the tutorial, I get this:
Code:
gentoo ~ # shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Not available
Physdev Match: Not available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Not available
Connmark Match: Not available
Raw Table: Available
CLASSIFY Target: Available
Determining Zones...
ERROR: No ipv4 or ipsec Zones Defined
Terminated

Any suggestions?

nagual (n00b; Joined: 15 Jan 2006; Posts: 34)
Posted: Fri Feb 24, 2006 1:48 pm
Should I just add in the REDIRECT? I am only trying to open port 80 on that box, since it just sits there and folds.

supernick_84 (n00b; Joined: 22 Feb 2006; Posts: 2)
Posted: Mon Feb 27, 2006 8:34 am
Did you define a zone in /etc/shorewall/zones?

nagual (n00b; Joined: 15 Jan 2006; Posts: 34)
Posted: Mon Feb 27, 2006 1:52 pm
I'm pretty sure I did. I will post my configs when I get home.

davmonster (n00b; Joined: 02 Mar 2006; Posts: 1)
Posted: Thu Mar 02, 2006 6:58 am
Post subject: Bittorrent & Shorewall
After following this personal internet firewall HOWTO I struggled for a bit trying to get bittorrent to work.
This is how I got it working:
/etc/shorewall/policy:
Code:
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
fw net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- DO NOT REMOVE

I realise this is a security risk in that it allows outbound connections, but it seems that the standard bittorrent client connects to unpredictable high-level ports on the other bt clients, and so this cannot be helped.
You'll also have to put this in your /etc/shorewall/rules file:
Code:
..
BitTorrent/ACCEPT net fw
..

This is a macro to accept connections on tcp ports 6881:6889 which is also needed for a bit-torrent client. Please let me know if you find a way of running BT without letting all outbound connections through.
- Dav

pressenter (n00b; Joined: 06 Dec 2005; Posts: 48)
Posted: Sun Apr 16, 2006 4:49 pm
I have such a problem with my shorewall:
Code:
 * Starting firewall ...
ERROR: No ipv4 or ipsec Zones Defined
/etc/init.d/shorewall: line 14: 24479 Zakończony /sbin/shorewall start >/dev/nu [ !! ]

What to do??

patroy (n00b; Joined: 14 Oct 2004; Posts: 60; Location: Vancouver BC)
Posted: Mon Apr 17, 2006 2:26 am
If you are using shorewall 3.x a few things have changed since the "tutorial" was written.
I'm still trying to figure them all out.
Though that error was fixed by adding the following to /etc/shorewall/zones
I just inserted that after the
Hope that helps.

to_kallon (Tux's lil' helper; Joined: 27 Oct 2004; Posts: 89)
Posted: Tue Apr 18, 2006 12:54 am
Post subject: *confused*
Hello everyone.
sith, great guide, thanks mate.
I've run into a problem; I've seen a few people post about it but nothing I've tried has worked. I hit a few of the upgrade problems everyone has mentioned, but once shorewall got started everything seemed ok: I could ssh in and out just like I wanted to. But it turned out that was the only thing I could do. I cannot ping servers/view webpages, which may be the central problem; I also cannot emerge anything. I get this error:
Code:
Resolving gentoo.chem.wisc.edu... failed: Temporary failure in name resolution.

Here is my /etc/shorewall/rules file:
Code:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT fw net tcp 80 #http-out
ACCEPT fw net udp 80
ACCEPT fw net tcp 443 #https-out
ACCEPT fw net udp 443
ACCEPT net fw tcp 80 #http-in
ACCEPT net fw udp 80
#
ACCEPT fw net tcp 22 #ssh-out
ACCEPT net fw tcp 22 #ssh-in
#
ACCEPT net fw udp 8767 #teamspeak
ACCEPT net fw tcp 14534 #ts webadmin
#
ACCEPT fw net tcp 873 #rsync-out
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Since I'm able to ssh, my assumption is I've made an error here somewhere. Strangely, it is allowing 8767 through to my teamspeak server. At this point I've not tried to hit a served web page, so I can't speak to in-bound http working.
Does anything jump out as being wrong? Thanks in advance.

patroy (n00b; Joined: 14 Oct 2004; Posts: 60; Location: Vancouver BC)
Posted: Tue Apr 18, 2006 1:36 am
I've just recently set up and configured my firewall via shorewall. I had numerous problems and figured them all out by going to the shorewall website and reading through almost all of their docs. I was having a problem with connecting to the net until I changed my policy to:
Code:
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
fw net ACCEPT
net all DROP info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info
#LAST LINE -- DO NOT REMOVE

This essentially allows all connections from my firewall to the net to exist, and drops all incoming connections not set up in rules.
My rules are simply:
Code:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
DROP net fw tcp 113 #AUTH/IDENT
ACCEPT net fw tcp **** #Secure Shell
ACCEPT net fw tcp 13269 #Gtk-Gnutella
ACCEPT net fw udp 13269 #Gtk-Gnutella
ACCEPT net fw tcp 1863 #Gaim
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I remember reading something about how if you are upgrading from a 2.X shorewall to the 3.X you need to decide if you are going to use the ipsec or zones info. My zones are:
Code:
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

I've tested it all and everything is running smoothly.
Hope this helps.

to_kallon (Tux's lil' helper; Joined: 27 Oct 2004; Posts: 89)
Posted: Tue Apr 18, 2006 1:51 am
That seems to have done the trick. Thanks!

arabis (Apprentice; Joined: 11 Apr 2005; Posts: 195; Location: Québec, Canada)
Posted: Wed May 17, 2006 10:55 pm
With my notebook, I want to be able to use a dialup connection with Shorewall. So far I succeeded, but recently, after some update, when I start my laptop with no ethernet cable plugged in, I get:
Code:
 * WARNING: shorewall is scheduled to start when net.eth0 has started.

When the dial-up connection is established, and if I try to start Shorewall manually, it gives the same answer and refuses to start, and I get an unsecured ppp connection.
What can I do to correct this situation?

iusebash (n00b; Joined: 21 May 2006; Posts: 70)
Posted: Mon May 29, 2006 5:16 am
I am on the first part, and I am already stuck.
From the tutorial:
Quote:
# For 2.6 kernels look under:
Device Drivers --->
Networking support --->
Networking options --->
[*] Network packet filtering (replaces ipchains) --->
IP: Netfilter Configuration --->
<*> Connection tracking (required for masq/NAT)
<*> IP Tables Support (required for filtering/masq/NAT)
# Include (<*> not <M>) all options and sub options under IP

My IP: Netfilter Configuration:
Code:
IP: Netfilter Configuration
<*> Connection tracking (required for masq/NAT)
[ ] Connection tracking flow accounting
[ ] Connection mark tracking support
[ ] Connection tracking events (EXPERIMENTAL)
< > SCTP protocol connection tracking support (EXPERIMENTAL)
< > FTP protocol support
< > IRC protocol support
< > NetBIOS name service protocol support (EXPERIMENTAL)
< > TFTP protocol support
< > Amanda backup protocol support
< > PPTP protocol support
<*> IP Userspace queueing via NETLINK (OBSOLETE)

There is no 'IP Tables Support (required for filtering/masq/NAT)'!
I did a search:
Code:
Search Results
Symbol: IP_NF_TARGET_MASQUERADE [=n]
Prompt: MASQUERADE target support
Defined at net/ipv4/netfilter/Kconfig:407
Depends on: NET && INET && NETFILTER && IP_NF_NAT
Location:
-> Networking
-> Networking support (NET [=y])
-> Networking options
-> Network packet filtering (replaces ipchains) (NETFILTER [=y])
-> IP: Netfilter Configuration
-> IP tables support (required for filtering/masq/NAT) (IP_N
-> Full NAT (IP_NF_NAT [=n])

It says there is 'IP tables support' under IP: Netfilter Configuration. As you see from the first code, it isn't on the list. WTF?

NotQuiteSane (Guru; Joined: 30 Jan 2005; Posts: 444; Location: Klamath Falls, Jefferson, USA, North America, Midgarth)
Posted: Mon Jul 17, 2006 7:42 am
I'm trying to follow the guide, but am stuck on section 2. Since the kernel outline has changed since the guide was written, I'm a bit confused.
Here is what I have under "Networking":
Code:
#
# Networking
#
CONFIG_NET=y
#
# Networking options
#
# CONFIG_NETDEBUG is not set
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
CONFIG_UNIX=y
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
CONFIG_IP_ROUTE_MULTIPATH_RR=m
CONFIG_IP_ROUTE_MULTIPATH_RANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_DRR=m
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
# CONFIG_SYN_COOKIES is not set
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
# CONFIG_INET_TUNNEL is not set
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
CONFIG_TCP_CONG_ADVANCED=y
#
# TCP congestion control
#
CONFIG_TCP_CONG_BIC=y
CONFIG_TCP_CONG_CUBIC=m
CONFIG_TCP_CONG_WESTWOOD=m
CONFIG_TCP_CONG_HTCP=m
# CONFIG_TCP_CONG_HSTCP is not set
# CONFIG_TCP_CONG_HYBLA is not set
# CONFIG_TCP_CONG_VEGAS is not set
# CONFIG_TCP_CONG_SCALABLE is not set
#
# IP: Virtual Server Configuration
#
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
#
# Core Netfilter Configuration
#
# CONFIG_NETFILTER_NETLINK is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_DCCP=y
CONFIG_NETFILTER_XT_MATCH_HELPER=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
CONFIG_NETFILTER_XT_MATCH_REALM=y
CONFIG_NETFILTER_XT_MATCH_SCTP=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
# CONFIG_IP_NF_NETBIOS_NS is not set
CONFIG_IP_NF_TFTP=y
CONFIG_IP_NF_AMANDA=y
CONFIG_IP_NF_PPTP=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y
CONFIG_IP_NF_MATCH_HASHLIMIT=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_NAT_AMANDA=y
CONFIG_IP_NF_NAT_PPTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_TTL=y
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
#
# DCCP Configuration (EXPERIMENTAL)
#
# CONFIG_IP_DCCP is not set
#
# SCTP Configuration (EXPERIMENTAL)
#
# CONFIG_IP_SCTP is not set
#
# TIPC Configuration (EXPERIMENTAL)
#
# CONFIG_TIPC is not set
CONFIG_ATM=m
# CONFIG_ATM_CLIP is not set
# CONFIG_ATM_LANE is not set
# CONFIG_ATM_BR2684 is not set
# CONFIG_BRIDGE is not set
# CONFIG_VLAN_8021Q is not set
# CONFIG_DECNET is not set
# CONFIG_LLC2 is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_NET_DIVERT is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
#
# QoS and/or fair queueing
#
# CONFIG_NET_SCHED is not set
CONFIG_NET_CLS_ROUTE=y
#
# Network testing
#
# CONFIG_NET_PKTGEN is not set
# CONFIG_HAMRADIO is not set
# CONFIG_IRDA is not set
# CONFIG_BT is not set
# CONFIG_IEEE80211 is not set

Are the options correctly set (and I can go ahead and compile), or are changes needed (and if so, where)?
I've left kernel items marked "EXPERIMENTAL" unselected.
If it matters for kernel setup, I'm building a 4 legged firewall/router: Red (internet), Green (filtered to linux boxes), Orange (unfiltered (DMZ) to windows boxes*) and Black to print server (accessible by Green and Orange only).
NQS
* Doze boxes belong to roommate and he has explicitly stated he wants no firewall of any kind.
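An added example (mine, not from the guide, Shorewall or the post) that answers the question above mechanically: it parses a .config excerpt and reports which of the netfilter symbols that this thread's errors and the guide's checklist point at are unset or built as modules. The symbol names are those of the config posted above (older 2.6 trees spell the state match CONFIG_IP_NF_MATCH_STATE), and the split into required and optional symbols is this example's reading of the thread, not Shorewall's official requirement list.

```python
"""Audit a Linux kernel .config excerpt for the netfilter symbols that the
Shorewall errors in this thread point at.  Added example, not from the guide
or Shorewall; symbol names are those of the config posted above."""
import re

# Matches "CONFIG_FOO=y", "CONFIG_FOO=m" and "# CONFIG_FOO is not set".
_LINE = re.compile(r"^(?:#\s+)?(CONFIG_[A-Z0-9_]+)(?:=([ym])|\s+is not set)$")


def parse_config(text):
    """Map each CONFIG_* symbol to 'y', 'm' or 'n'; other lines are skipped."""
    options = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            options[m.group(1)] = m.group(2) or "n"
    return options


# Symbol -> the guide item or error message in this thread that needs it.
REQUIRED = {
    "CONFIG_NETFILTER": "'Network packet filtering' item in the guide",
    "CONFIG_IP_NF_CONNTRACK": "'Connection tracking' item in the guide",
    "CONFIG_IP_NF_IPTABLES": "'FATAL: Module ip_tables not found' without it",
    "CONFIG_IP_NF_FILTER": "the filter table that 'iptables -P INPUT DROP' programs",
    "CONFIG_IP_NF_TARGET_REJECT": "REJECT policy in the policy files",
    "CONFIG_IP_NF_TARGET_LOG": "the 'info' LOG LEVEL column in policy",
    "CONFIG_NETFILTER_XT_MATCH_STATE": "'-m state --state ESTABLISHED,RELATED'",
}
OPTIONAL = {
    "CONFIG_IP_NF_FTP": "conntrack helper that makes active FTP data RELATED",
    "CONFIG_IP_NF_NAT": "NAT, needed once the masq file is used",
    "CONFIG_IP_NF_TARGET_MASQUERADE": "MASQUERADE target for the masq file",
}


def audit(options):
    """Return {'missing': [...], 'modules': [...], 'optional_missing': [...]}.
    'modules' lists required symbols built as =m: the guide asks for <*>, and
    a module that is not loaded fails exactly like a missing symbol."""
    return {
        "missing": sorted(s for s in REQUIRED if options.get(s, "n") == "n"),
        "modules": sorted(s for s in REQUIRED if options.get(s, "n") == "m"),
        "optional_missing": sorted(s for s in OPTIONAL if options.get(s, "n") == "n"),
    }


# Constructed excerpts: GOOD mirrors lines from the config posted above, BAD
# mirrors the earlier menu in which iptables and FTP support were absent.
GOOD_CONFIG = """\
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
"""
BAD_CONFIG = """\
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_IP_NF_FTP is not set
# CONFIG_IP_NF_IPTABLES is not set
"""
```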

NotQuiteSane (Guru; Joined: 30 Jan 2005; Posts: 444; Location: Klamath Falls, Jefferson, USA, North America, Midgarth)
Posted: Wed Jul 19, 2006 4:47 am
Found a gotcha. Don't think it's been reported.
On my firewall, I have the use flag "minimal" set. This needs to be deactivated for iproute2. Putting it in package.use worked.
NQS

Netfeed (n00b; Joined: 24 Jan 2004; Posts: 19)
Posted: Sat Jul 22, 2006 1:31 pm
I'm getting this error when I'm trying to start shorewall:
Code:
root@nakor[~]: /etc/init.d/shorewall start
* Caching service dependencies ... [ ok ]
* Starting firewall ...
iptables: Unknown error 4294967295
ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
/etc/init.d/shorewall: line 14: 19546 Terminated /sbin/shorewall -f start >/dev/null

Anyone that has an idea how to fix it?

Beefrum (Apprentice; Joined: 23 May 2006; Posts: 234)
Posted: Sat Jul 22, 2006 1:38 pm
Re to netfeed:
Current iptables options in kernel-configuration are probably missing some abilities.
Last edited by Beefrum on Sun Jul 23, 2006 6:24 pm; edited 1 time in total

Netfeed (n00b; Joined: 24 Jan 2004; Posts: 19)
Posted: Sat Jul 22, 2006 2:17 pm
Beefrum wrote:
Re to netfeed:
Current iptables options in kernel-configuration are probably missing some abilities.

Yeap, works like a charm now.
Ty

happyduck (n00b; Joined: 24 Jul 2006; Posts: 1)
Posted: Mon Jul 24, 2006 2:10 pm
Post subject: ip6_tables solution
Bear The Barbarian wrote:
I apologize for revisiting a topic that's been hit on before, but I just can't seem to get this to work.
Whenever I try /etc/init.d/shorewall start, I get
Code:
/etc/init.d/shorewall start
* Starting firewall ...
FATAL: Module ip_tables not found.
iptables v1.3.4: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
ERROR: Command "/sbin/iptables -P INPUT DROP" Failed
FATAL: Module ip6_tables not found.
ip6tables v1.3.4: can't initialize ip6tables table `filter': Module is wrong version
Perhaps ip6tables or your kernel needs to be upgraded.
FATAL: Module ip6_tables not found.
ip6tables v1.3.4: can't initialize ip6tables table `filter': Module is wrong version
Perhaps ip6tables or your kernel needs to be upgraded.
... The error repeats a lot in here, and then ...
iptables v1.3.4: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
/etc/init.d/shorewall: line 14: 26201 Terminated /sbin/shorewall start >/dev/null

(This is my first post so please bear with me.)
I also had the problem with ip6_tables with my 2.6.10-r6 kernel. As far as I remember I did the following to solve it, after having followed sith_happens' guide to the letter:
1. Entirely removed ipv6 support from the kernel.
2. Told Shorewall *not* to ignore ipv6 support in the kernel.
3. Rebooted.
In more detail:
1. Remove ipv6 stuff from the kernel:
Code:
Device drivers --->
Networking support --->
[ ] The IPv6 protocol (EXPERIMENTAL)

Exit and save the configuration.
Quote:
I'm using genkernel. I've checked to make sure that all the options under IP Tables Support were checked (compiled into the kernel, not as modules), and I've even checked everything under IP: Netfilter Configuration submenu just for good measure. Am I just missing an option somewhere? I'm kind of noobish for this, so it could be an incredibly simple mistake.

I do not use genkernel, but the steps in the Gentoo Handbook (x86), chapter 7 if I am not mistaken, should carry you through if you do. (Remember to point your boot loader to the new kernel.)
Now, step 2: In /etc/shorewall/shorewall.conf, set
This tells Shorewall that it should *not* ignore ipv6 support in the kernel. Since there is no longer support in the kernel Shorewall should not expect support, and thus not try to ignore it. Actually, I do not remember if this step is necessary, but that's the way my config file looks currently, and it works.
Step 3:
Reboot and see whether "firewall" has stopped complaining about ip6_tables.
I hope this sketched solution helps.

Alchera (n00b; Joined: 24 Feb 2005; Posts: 17; Location: Ballarat, Australia)
Posted: Wed Sep 06, 2006 6:29 am
For anyone needing a graphical guide to setting up their kernel for Shorewall: Kernel Configuration
More information: Ports Required for Various Services/Applications
Logging: Configuring a Separate Log for Shorewall Messages (ulogd)
NB: The above configuration works to keep Shorewall information out of /var/log/messages. My policy is below.
Quote:
###############################################################################
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
fw net ACCEPT $LOG
net all DROP $LOG
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT $LOG
#LAST LINE -- DO NOT REMOVE

shorewall (of course) has to be stopped, cleared and then fired up again.

nabla² (Apprentice; Joined: 17 May 2005; Posts: 272)
Posted: Sun Jan 07, 2007 2:23 pm
Which ports do I have to open for a printer which uses a print server? I configured cups with
Code:
URI: lpd://192.168.0.100/binary_p1

and included
Code:
ACCEPT fw net tcp 631 #CUPS
ACCEPT net fw tcp 631 #CUPS

in the rules file. It does not work when printing in kde.
thx

Karim (Apprentice; Joined: 13 Apr 2004; Posts: 218)
Posted: Thu Apr 19, 2007 1:17 pm
Post subject: Shorewall with 2.6.19 genkernel, configuration not up-to-date!
Hi!
I tried to follow the tutorial with the latest kernel 2.6.19, but the network configuration has really changed a lot.
Is there an up-to-date genkernel configuration guide anywhere?
Does anyone have a useful pointer?
Thanks!
/Karim

manouchk (Apprentice; Joined: 08 May 2006; Posts: 288; Location: Vitória (ES), Brasil)
Posted: Sat Nov 10, 2007 5:34 am
I was using firestarter for simplicity and because it can be used to dynamically accept connections, but as it ends up being unsecure, I had to switch. I tried kmyfirewall, which was not very good for me (the standard desktop configuration was not allowing traffic over loopback, and kmyfirewall has almost no documentation etc...).
Well, I ended up trying shorewall, and well, the documentation is good! (3 minutes to set up a standalone shorewall, loved that!)
I have some comments; I hope it is okay to post here?
I had 1 problem: I missed one thing from the first post of http://forums.gentoo.org/viewtopic-t-308153.html (Prompt and Powerful Personal Firewalling with Shorewall). I had to add one line in /etc/shorewall/zones:
Code:
net ipv4

I mean with that, instead of 3 min, it could have been 2 min 30...
I also liked to use the "new" syntax of /etc/shorewall/rules:
Code:
DNS/ACCEPT fw net
FTP/ACCEPT fw net
POP3/ACCEPT fw net
POP3S/ACCEPT fw net
IMAP/ACCEPT fw net
IMAPS/ACCEPT fw net
SMTP/ACCEPT fw net
SMTPS/ACCEPT fw net
Trcrt/ACCEPT fw net #traceroute
Rsync/ACCEPT fw net
HTTP/ACCEPT fw net
HTTPS/ACCEPT fw net
SSH/ACCEPT fw net
BitTorrent/ACCEPT fw net
NTP/ACCEPT fw net
PCA/ACCEPT fw net #pcanywhere
#ICQ/ACCEPT fw net#ICQ/AIM
#SVN/ACCEPT fw net

Those 2 links also were helpful during setup:
http://www.shorewall.net/ports.htm
http://www.shorewall.net/standalone.htm

trikolon (Apprentice; Joined: 04 Dec 2004; Posts: 297; Location: Erlangen)
Posted: Sun Dec 16, 2007 12:02 am
Hi.
I have a server/home-router with 3 eth interfaces. eth0 is my lan with ip range 192.168.0.255, eth1 is connected with my dsl modem and eth2 is connected with my wlan-accesspoint with the subnet 192.168.1.255. lan and internet is working! But I can't ping from or to the eth2-net from or to lan, nor surf. The two subnets are not communicating and I can't enter the internet from the eth2 subnet.
Here are my configs:
Code:
interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 - norfc1918,routefilter,tcpflags
loc eth0 192.168.0.255 routeback,tcpflags
wifi eth2 192.168.1.255 dhcp,routeback,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Code:
masq
#INTERFACE SUBNET ADDRESS
##eth1 eth0
ppp0 eth0
ppp0 eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Code:
policy
#SOURCE DEST POLICY LOG LIMIT:BURST
wifi all ACCEPT
net all ACCEPT
loc all ACCEPT
fw all ACCEPT
#LAST LINE -- DO NOT REMOVE

Code:
rules - only the wifi part
#Wifi
ACCEPT loc wifi all
ACCEPT wifi loc all
ACCEPT wifi net icmp 8
#ACCEPT net $FW icmp 8
ACCEPT $FW wifi icmp
ACCEPT wifi $FW icmp
ACCEPT wifi loc icmp 8
ACCEPT loc wifi icmp 8
DROP net wifi icmp
DROP net wifi icmp 8

Code:
zones
fw firewall
net ipv4
loc ipv4
wifi ipv4

Files like nat, routes.. are empty.
Hope somebody can help me; I can't get it to work after hours of reading, searching and trying.
Greets, ben