Shorewall & drak wizards don't handle my tw
Username : Date : Action : Comments
newren : 26/10/02 09:08 PM : Incident created
- Hi,
I have two NICs on my machine, eth0 connected to my dsl modem and eth1
connected to my internal LAN. The GUI configuration tools got IP
masquerading up and working fairly painlessly. Everything works EXCEPT
for outgoing ssh over eth1 to any of my other LAN machines. When I do
a 'tail -f /var/log/messages' as root and then as anyone try a 'ssh
192.168.1.51', I get the following line added to the screen that
watches the log file:
Oct 26 12:51:05 athlon kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.1 DST=192.168.1.51 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=19199 DF PROTO=TCP SPT=32965 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Ingoing ssh works on eth1 and both ingoing and outgoing ssh work over
eth0. I couldn't find any way to fix this in the gui firewall wizard
(I selected allow ssh, but this didn't fix the problem). I read up on
iptables and thought I was understanding it, until I looked at the
output of 'iptables -L' (which I have put at
http://www.math.utah.edu/~newren/firewall.txt, as this form is not
allowing me to attach it here). The first line of that from both INPUT
and OUTPUT chains really confuses me--doesn't that just allow all
traffic through?
My questions:
(1) How can I allow outgoing ssh over eth1 (or, in general, over any device)?
(2) What does the first line in the INPUT and OUTPUT chains mean? It
obviously can't mean "let everything through", as outgoing ssh
obviously isn't allowed through.
Output of 'iptables -L -n' (quite hideous, IMHO):
Thanks in advance,
Elijah
Linegod_7611 : 27/10/02 06:06 PM : Reply received
- And the explicit 'reject all -- anywhere anywhere' cancels it out.
I would suggest that you take a look at the files in '/etc/shorewall',
especially the 'rules' file, to adjust your internal network rules. It
should be fairly straightforward, but further documentation is available
within /usr/share/doc/shorewall-x-x or at http://www.shorewall.net
You can restart shorewall after adjusting your settings with:
# /etc/rc.d/init.d/shorewall restart
----
Note: If this answer resolves your problem, please remember to close this
incident.
newren : 30/10/02 03:57 AM : More info provided
- Thank you for your answers. I'll take a look at the /etc/shorewall directory and see if I can figure anything out. However, I still don't see how the 'reject all anywhere anywhere' line cancels out the 'accept all anywhere anywhere' line. From what I read, I was under the impression that iptables goes through the rules in order and quits processing once it has a valid target. Is this not true? It seems that it can't be if the reject all line cancels the accept all line. How are the iptables rules traversed?
Thanks again,
Elijah
newren : 30/10/02 03:58 AM : More info provided
- Sorry for the multiple entries--#$&!*#% 'Back' button on Mozilla!!
Linegod_7611 : 30/10/02 07:28 AM : Reply received
- I shouldn't have said 'cancels it out'. Since it was not defined for the internal
interface, the 'reject' statement is the only one that matches that 'zone' in shorewall.
For example:
'/etc/shorewall/rules'
ACCEPT  net   fw  udp  53,631                   -
ACCEPT  net   fw  tcp  80,443,53,22,20,21,8000  -
ACCEPT  masq  fw  udp  53,631                   -
ACCEPT  masq  fw  tcp  80,443,53,22,20,21,8000  -
These rules allow the same type of traffic that comes in from the internet as the
traffic that can be accessed on the masqueraded (internal) side.
newren : 12/11/02 05:52 AM : More info provided
- Ah, I get it!!!
'iptables -L -v' (with the -v added) shows
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
That is, the rule is not to accept every packet from everywhere to anywhere, but rather just any packet from the 'lo' interface from anywhere to anywhere. Now everything makes MUCH more sense.
Thanks for your _super fast_ replies; the pointers to where to find the shorewall information are very helpful.
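The two points this thread turns on, that iptables walks a chain top to bottom and stops at the first matching rule, and that `iptables -L` without `-v` hides the in/out interface columns that made the 'lo' rule look like 'accept everything', as an added example that is not code from the thread, Shorewall or iptables. The OUTPUT chain is a simplified stand-in for the one in the thread, and the `FIX` rule is an assumption about the intended policy, not a recommendation from the support reply.

```python
"""Toy model of netfilter chain traversal: rules are tried top to bottom,
the first match decides, and the chain policy applies only if none match.
Added example for this thread, not Shorewall's or iptables' own code."""
import re

# Constructed sample: the REJECT log line quoted in the first post.
LOG_LINE = ("Oct 26 12:51:05 athlon kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 "
            "SRC=192.168.1.1 DST=192.168.1.51 LEN=60 TOS=0x10 PREC=0x00 TTL=64 "
            "ID=19199 DF PROTO=TCP SPT=32965 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0")

def parse_netfilter_log(line):
    """Extract the KEY=VALUE fields of a netfilter LOG line into a dict.
    Flags without a value (DF, SYN) are skipped; 'IN=' becomes ''."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    for key in ("SPT", "DPT"):
        fields[key] = int(fields[key])
    return fields

def first_match(chain, pkt, policy="DROP"):
    """Return the target of the first rule whose every matcher fits the
    packet; a matcher absent from the rule means 'any'."""
    for rule in chain:
        if all(rule.get(k) in (None, pkt.get(k)) for k in ("IN", "OUT", "PROTO", "DPT")):
            return rule["target"]
    return policy  # nothing matched: the chain policy decides

def render(rule, verbose):
    """Mimic how 'iptables -L' hides the in/out columns that '-L -v' shows."""
    cols = [rule["target"], rule.get("PROTO", "all").lower(), "--"]
    if verbose:
        cols += [rule.get("IN") or "any", rule.get("OUT") or "any"]
    return " ".join(cols + ["anywhere", "anywhere"])

# Simplified OUTPUT chain as the thread finally understood it: the 'lo'
# ACCEPT that looked like 'accept everything', then Shorewall's all2all REJECT.
OUTPUT = [
    {"OUT": "lo", "target": "ACCEPT"},
    {"target": "REJECT"},
]
# Hypothetical rule that would permit the failing traffic (assumption, not
# from the thread); it has to sit before the catch-all to ever be reached.
FIX = {"OUT": "eth1", "PROTO": "TCP", "DPT": 22, "target": "ACCEPT"}

if __name__ == "__main__":
    pkt = parse_netfilter_log(LOG_LINE)
    print(render(OUTPUT[0], False))  # ACCEPT all -- anywhere anywhere
    print(render(OUTPUT[0], True))   # ACCEPT all -- any lo anywhere anywhere
    print(first_match(OUTPUT, pkt))  # REJECT: OUT=eth1 is not 'lo'
    print(first_match([OUTPUT[0], FIX, OUTPUT[1]], pkt))  # ACCEPT
    print(first_match(OUTPUT + [FIX], pkt))  # REJECT: FIX sits after the catch-all
```

The last two calls show why rule order matters: the same ACCEPT placed after the all2all REJECT is never reached.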
newren : 12/11/02 05:53 AM : Incident closed