Hello, I have been using Shorewall for 2 years. A few days ago my rules file stopped working: my rules (e.g. port redirection, accepts) are not working. My first idea was a shorewall restart, which did not solve the problem, so I upgraded Shorewall to version 4.2, and that does not solve the problem either :(

When I do shorewall restart I can see all my rules starting, but it is not working. What is going on? A few important rules from the rules file:

REJECT net $FW tcp 901
DROP net fw icmp 8
REJECT net fw tcp 139
DNAT net loc:192.168.0.22:3389 tcp 3389
DNAT net loc:192.168.0.22:3389 udp 3389
ACCEPT loc:192.168.0.22 net tcp 3389
ACCEPT loc:192.168.0.22 net udp 3389
DNAT net loc:192.168.0.22:13393 tcp 13393
DNAT net loc:192.168.0.22:13393 udp 13393
DNAT net loc:192.168.0.22:5671 tcp 5671
DNAT net loc:192.168.0.22:5671 udp 5671
ACCEPT loc:192.168.0.22 net tcp 5671
ACCEPT loc:192.168.0.22 net udp 5671
DNAT net loc:192.168.0.22:5681 tcp 5681
DNAT net loc:192.168.0.22:5681 udp 5681
DNAT net loc:192.168.0.22:5681 tcp 5691
DNAT net loc:192.168.0.22:5681 udp 5691
ACCEPT loc:192.168.0.22 net tcp 5681
ACCEPT loc:192.168.0.22 net udp 5681
ACCEPT loc:192.168.0.22 net tcp 5691
ACCEPT loc:192.168.0.22 net udp 5691
REJECT loc net tcp 8074 -
REJECT net loc tcp 8074 -
REJECT loc net udp 8074 -
REJECT net loc udp 8074 -
REJECT loc net tcp 1000:8073
REJECT loc net tcp 8073:60000
REJECT loc net udp 1000:8073
REJECT loc net udp 8073:60000

The rules are not working for all local computers in the office (also for my 192.168.0.22). Shorewall is on a Linux gateway to the internet; for example, I can't log in from another network to my remote desktop on local IP 192.168.0.22 (port 3389). It was also working for 2 years: I was logging in from my home to the office local computer 192.168.0.22 and it worked.

--------------------------------------------------------------------
[EMAIL PROTECTED]:/etc/shorewall# cat tcdevices | grep -v ^#
eth1 4000kbit 500kbit
--------------------------------------------------------------------
[EMAIL PROTECTED]:/etc/shorewall# cat interfaces | grep -v ^#
net eth1 83.14.53.15 #blacklist ## network address .8
loc eth0 192.168.0.255 #maclist #dhcp,maclist#,routeback
--------------------------------------------------------------------
[EMAIL PROTECTED]:/etc/shorewall# cat masq | grep -v ^#
eth1 eth0
--------------------------------------------------------------------
[EMAIL PROTECTED]:/etc/shorewall# cat policy | grep -v ^#
loc net ACCEPT ###
net loc ACCEPT ###
loc fw ACCEPT
fw loc ACCEPT
net fw ACCEPT ###
fw net ACCEPT ###
fw fw ACCEPT info
net all DROP info
all all REJECT info
--------------------------------------------------------------------
[EMAIL PROTECTED]:/etc/shorewall# cat zones | grep -v ^#
net net
loc loc
dmz dmz
--------------------------------------------------------------------

Some parts of the shorewall.conf file:

LOGTAGONLY=No
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
DROPINVALID=No
RFC1918_STRICT=No
MACLIST_TTL=60
SAVE_IPSETS=No
CROSSBEAM=No
CROSSBEAM_BACKBONE=eth0
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP

Those rules were working for a long time, but not any more for the last few days/week. Maybe it is a problem with iptables?

--
Maciek

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
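Two things in the posted configuration are worth checking before blaming iptables, and both can be checked offline. First, Shorewall's policy file is first-match: the `net loc ACCEPT` and `net fw ACCEPT` entries come before `net all DROP`, so by policy the gateway and the LAN accept everything from `net`, and the REJECT/DROP lines in the rules file are the only things limiting that exposure. Second, the DNAT entries for port 5691 land on 192.168.0.22:5681, not 5691, which may be intended but is easy to overlook. The script below is an added example written for this thread, not code from the post or from Shorewall itself; it assumes the first-match policy semantics Shorewall documents and the simple column layout used in the post (ACTION SOURCE DEST PROTO DPORT, with DEST as zone:host:port for DNAT), and embeds a constructed subset of the posted policy and rules lines.

```python
"""Offline audit of Shorewall policy/rules lines (added example, not Shorewall code)."""
from dataclasses import dataclass
from typing import Optional

FW_ZONE = "fw"  # value of FW= in the posted shorewall.conf

# Policy entries exactly as posted, trailing '###' comments stripped.
POLICY_TEXT = """\
loc net ACCEPT
net loc ACCEPT
loc fw ACCEPT
fw loc ACCEPT
net fw ACCEPT
fw net ACCEPT
fw fw ACCEPT info
net all DROP info
all all REJECT info
"""

# Constructed subset of the posted rules file, enough to exercise every path.
RULES_TEXT = """\
REJECT net $FW tcp 901
DROP net fw icmp 8
DNAT net loc:192.168.0.22:3389 tcp 3389
ACCEPT loc:192.168.0.22 net tcp 3389
DNAT net loc:192.168.0.22:5681 tcp 5691
DNAT net loc:192.168.0.22:5681 udp 5691
REJECT loc net tcp 8074 -
REJECT loc net tcp 1000:8073
"""


def _cols(line: str) -> list:
    """Drop '#' comments and split a line into whitespace-separated columns."""
    return line.split("#", 1)[0].split()


def _zone(name: str) -> str:
    """Map the $FW placeholder onto the configured firewall zone name."""
    return FW_ZONE if name == "$FW" else name


def parse_policies(text: str) -> list:
    """Return (source, dest, policy) triples in file order; order matters."""
    return [(_zone(c[0]), _zone(c[1]), c[2])
            for c in map(_cols, text.splitlines()) if len(c) >= 3]


def effective_policy(policies: list, src: str, dst: str) -> Optional[str]:
    """First matching entry wins; 'all' is a wildcard for either side."""
    src, dst = _zone(src), _zone(dst)
    for psrc, pdst, action in policies:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action
    return None


@dataclass
class Rule:
    action: str
    src_zone: str
    src_host: Optional[str]
    dst_zone: str
    dst_host: Optional[str]
    dst_port: Optional[str]  # internal port for DNAT (zone:host:port)
    proto: str
    dport: Optional[str]     # external/destination port column


def parse_rules(text: str) -> list:
    rules = []
    for c in map(_cols, text.splitlines()):
        if len(c) < 4:
            continue
        action, src, dst, proto = c[:4]
        dport = c[4] if len(c) > 4 and c[4] != "-" else None
        s, d = src.split(":"), dst.split(":")
        rules.append(Rule(action, _zone(s[0]), s[1] if len(s) > 1 else None,
                          _zone(d[0]), d[1] if len(d) > 1 else None,
                          d[2] if len(d) > 2 else None, proto, dport))
    return rules


def audit(policy_text: str, rules_text: str, untrusted: str = "net") -> list:
    """List zones the untrusted zone reaches by policy alone, and DNAT entries
    whose external and internal ports differ (worth confirming as intended)."""
    findings = []
    policies = parse_policies(policy_text)
    zones = sorted({z for p in policies for z in p[:2] if z not in ("all", untrusted)})
    for z in zones:
        if effective_policy(policies, untrusted, z) == "ACCEPT":
            findings.append(f"policy {untrusted}->{z} is ACCEPT; only explicit "
                            f"REJECT/DROP rules limit it")
    for r in parse_rules(rules_text):
        if r.action == "DNAT" and r.dst_port and r.dst_port != r.dport:
            findings.append(f"DNAT {r.proto}/{r.dport} from {r.src_zone} lands on "
                            f"{r.dst_host}:{r.dst_port} (ports differ)")
    return findings


if __name__ == "__main__":
    for finding in audit(POLICY_TEXT, RULES_TEXT):
        print(finding)
```

Run against the posted lines it reports two policy findings (`net->fw` and `net->loc` are ACCEPT) and two DNAT findings (tcp and udp 5691 forwarded to 5681); `net->dmz` resolves to DROP because `net all DROP` is reached before `all all REJECT`. The same parser can be pointed at the full `/etc/shorewall/rules` and `/etc/shorewall/policy` files by reading them instead of the embedded strings.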
