Results 1 to 5 of 5

Thread: shorewall linux firewall

  1. #1

    shorewall linux firewall

    i need some help guys. I am an iptables newbie. I am trying to configure it using shorewall however I am having problems. i have an internal network on the 192.168.1.0 network with the gateway 192.168.1.1. I can ping all the computers on the network. However, I cannot go out on the internet on any machine and i have no idea why. The rules are set up that to accept all connections from the local to the net.

    What is even more odd is that if the internal network is down and the external network is up then I can access the internet, but if both networks are up then I cant access the internet.

    I have been working on this for hours now so any help would be appreciated. Let me know if I need to provide more information

    eMpTyKnOw
    kNoWLeDgE

  2. #2
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    I have no experience with shorewall as I have never used it. But I don't know if that is your problem.

    First, as said again, again, and again, please provide more information.

    What operating system, what version, what type of equipment, and in this case the firewall rules ( both the actual file and the results: i.e. “iptables -L –line-numbers”

    But because you say you can not ping out “from any machine” when the Lan is on, it may be due to equipment. Are you using twin Ethernet, or ethenet and phone line, or USB??

    There may be a conflict with the devices. If you are using two Ethernet devices, and they are the same type, they MUST be loaded as modules, not in the kernel.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  3. #3
    thanks for replying

    I am running RH8.0 on the firewall/gateway machine. I have two computers on the network one RH8 and the other win2K
    .
    The internet connection(cable modem) is going into eth1. eth0 is then going to a linksys workgroup switch. The two internal computers are also connected to the switch. I dont think it is a problem with the equipment because i can communicate with all computers on the internal network. By communicate i mean every computer can pinged and I can ssh into the internal computers on the 192.168.1.x network. If the equipment was bad this would not be possible. Also if I connect the cable modem directly to a computer and receive an Ip address via DHCP it works just fine. This leads me to think that something is wrong with my setup.

    I knowNot-- how do I make sure that my interfaces are loaded as modules and not in the kernel
    This is all of course on ethernet no usb or anything else you mentioned

    iptables -L and iptables -L --line-numbers are attached in the file iptables-L.txt

    im pretty sure the error is in here somewhere but i dont know where

    I appreciate your help

    eMpTyKnOw
    kNoWLeDgE

  4. #4
    Senior Member
    Join Date
    May 2002
    Posts
    450
    While I am sure Shorewall is very good at what it does, it is not exactly all that user friendly. Well it wasn't for me, although I did get it running I had trouble modifying it to do what I wanted at the time, so in saying that I dumped it and went for gShield from http://muse.linuxmafia.org/gshield.html. Shorewall is the official firewall of Mandrake these days although I must admit I did prefer Bastille when it was officially supported.

    Gshield is a small 47kb tarball file, easy to install and only one very well documented config file to modify to get you running and secure. It is quite configurable, IP Masq, transparent proxy support, P2P, SSH, IRC, port forwarding, webserver, ftp etc.. etc.. is supported "out of the box", generally with a simple "NO or OPEN" comment in the appropriate places to allow or deny access to the service.

    It also offers blacklisting of IP's either automatically or manually. In the end it is just a script that sets up IPtables according to your choices in the conf file.

    It's worth checking out until you come to grips with "rolling your own" firewall script or get your head around Shorewall.

    As a Redhat user dont overlook Bastille (http://www.bastille-linux.org), I think there is a version for Redhat 8 and it is very good at locking down the box with its "hardening script" over and above just firewalling it. Bastille has a very user friendly setup interface, asks the question and give a detailed explanation of what it is doing for your given choice.

    Good luck with whatever you chose to go with but there are easier ways to achieve the same result without Shorewall.

  5. #5
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    First, sorry for the delay, but my ISP decided to do maintenance and I was out for hours.

    If you did not build your own kernel, the distro you are using probably loaded the ethernet card drivers as modules.

    Like I said I have never used Shorewall, but here is what I did find in your rules:


    INPUT chain: (policy DROP)
    num target prot opt source destination
    1 ACCEPT all -- anywhere anywhere

    why have a default policy of drop when the first rule is to accept everything ?
    The other rules following rule 1 will not be used as the packet is already accepted, it will now move to the postrouting ( built in ) table.

    same as above for the output chain

    Chain FORWARD (policy DROP)
    num target prot opt source destination
    1 DROP !icmp -- anywhere anywhere state INVALID

    First rule for this table ( used to send packets from Internet to boxes inside the Lan and from inside the Lan to the Internet ) says everything NOT icmp that is not associated with a known connection gets dropped. You can not make a connection to anything because only packets which are already established would be accepted, but they can't be established because it drops any packets trying to make a connection because they are not established ( did that make sense? )
    The only packets that could get through to the next rule in the FORWARD table would be icmp.


    I also see no rules for the eth1_in, eth0_in, eth1_fwd, eth0_fwd, fw2net, fw2loc targets, but hey, at this point nothing really important will reach them.

    Remember, simplified, the packets will flow down the table rules until it hits a wall ( DROP or REJECT ), is passed to another table ( by a jump ) is returned to a previous table (by RETURN ) or passed to the next built in table ( example, an ACCEPT in the INPUT table would then pass the packet to the POSTROUTING table, and if there was no rule there to stop it would go to its destination ) A packet that goes to the FORWARD table ( from the PREROUTING table ) will never see the INPUT or OUTPUT table.

    Hope this helps.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •