I'm trying to configure shorewall 4.2.7 on my WRT54GS-TM router running X-WRT 
Kamikaze (r17821) 


I've compiled a bash script: "shorewall compile firewall"
but when I run "./firewall -v start"
I get an error:

Starting Shorewall....                          
Initializing...                                 
Processing /etc/shorewall/init ...
Clearing Traffic Control/QOS
Deleting user chains...
Processing /etc/shorewall/continue ...
Enabling Loopback and DNS Lookups
Creating Interface Chains...
Setting up SMURF control...
Processing /etc/shorewall/initdone ...
Setting up Black List...
Adding Anti-smurf Jumps...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up SYN Flood Protection...
Setting up Rules...
Setting up Actions...
Creating action chain Drop
Creating action chain Reject
Creating action chain dropBcast
Creating action chain dropInvalid
Creating action chain dropNotSyn
Applying Policies...
Setting up Masquerading/SNAT...
Activating Rules...
iptables: Bad rule (does a matching rule exist in that chain?).
   ERROR: Command "/usr/sbin/iptables -D INPUT -m state --state 
ESTABLISHED,RELATED -j ACCEPT" Failed
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated

I have the default FASTACCEPT=No


My rules allow pings and ssh connections from my local network (loc) to the 
router ($FW) and forward connections from the internet (net) to local servers 
listening on various ports:

# grep -v '^#' rules|grep -v '^$'
SSH/ACCEPT      loc             $FW
DNAT            net             $WWW_IP tcp     22
Ping/ACCEPT     loc             $FW
Ping/REJECT     net             $FW
ACCEPT          $FW             loc             icmp
ACCEPT          $FW             net             icmp
DNS/ACCEPT      loc             $FW
DNAT            net             $WWW_IP         tcp     443
DNAT            net             $WWW_IP:8080    tcp     8080
DNAT            net             $MAIL_IP        tcp     143
DNAT            net             $MAIL_IP        tcp     993
DNAT            net             $PBX_IP         udp     4569
DNAT            net             $PBX_IP         tcp     5060:5061
DNAT            net             $PBX_IP         udp     8000:20000
DNAT            net             $PBX_IP         tcp     9001
DNAT            net             $PBX_IP         tcp     9030
DNAT            net             $AXP_IP         tcp     6881:6889


And this is what my firewall script looks like (from the Progress Message 
"Activating Rules")

    progress_message2 "Activating Rules..."

    run_iptables -A br_lan_out -d 0.0.0.0/0 -j fw2loc
    run_iptables -A br_lan_in -s 0.0.0.0/0 -j loc2fw 
    run_iptables -A br_lan_fwd -s 0.0.0.0/0 -o eth0.1 -d 0.0.0.0/0 -j loc2net
    run_iptables -A eth0_1_out -d 0.0.0.0/0 -j fw2net                        
    run_iptables -t nat -I PREROUTING 1 -i eth0.1 -s 0.0.0.0/0 -j net_dnat   
    run_iptables -A eth0_1_in -s 0.0.0.0/0 -j net2fw                         
    run_iptables -A eth0_1_fwd -s 0.0.0.0/0 -o br-lan -d 0.0.0.0/0 -j net2loc
    run_iptables -A FORWARD -i br-lan -j br_lan_fwd                          
    run_iptables -A INPUT -i br-lan -j br_lan_in                             
    run_iptables -A OUTPUT -o br-lan -j br_lan_out                           
    run_iptables -A FORWARD -i eth0.1 -j eth0_1_fwd                          
    run_iptables -A INPUT -i eth0.1 -j eth0_1_in                             
    run_iptables -A OUTPUT -o eth0.1 -j eth0_1_out                           
    run_iptables -t nat -A POSTROUTING -o eth0.1 -j eth0_1_masq              
    run_iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT     
    run_iptables -A INPUT -j Reject                                          
    do_log_rule_limit "info" "INPUT" "INPUT" "REJECT" "" "" "-A"             
    run_iptables -A INPUT -j reject                                          
    run_iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    
    run_iptables -A OUTPUT -j Reject                                         
    do_log_rule_limit "info" "OUTPUT" "OUTPUT" "REJECT" "" "" "-A"           
    run_iptables -A OUTPUT -j reject                                         
    run_iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   
    run_iptables -A FORWARD -j Reject                                        
    do_log_rule_limit "info" "FORWARD" "FORWARD" "REJECT" "" "" "-A"         
    run_iptables -A FORWARD -j reject                                        
    run_iptables -D INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT     
    run_iptables -D INPUT -p udp --dport 53 -j ACCEPT                        
    run_iptables -D OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    
    run_iptables -D OUTPUT -p udp --dport 53 -j ACCEPT                       
    run_iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   
    run_iptables -D FORWARD -p udp --dport 53 -j ACCEPT                      
    run_iptables -D INPUT -i br-lan -s 0.0.0.0/0 -j ACCEPT


THANKS.
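The "Bad rule (does a matching rule exist in that chain?)" message in the log is what iptables prints when "-D CHAIN SPEC" finds no rule in CHAIN matching SPEC. The following is an added example, not part of the post or of Shorewall: a POSIX sh helper that checks an iptables-save style dump for the rule before attempting the deletion, so a missing rule is reported instead of aborting the run. The dump is constructed for illustration (it assumes the OUTPUT rule is present and the INPUT one is not); the function names are hypothetical.

```shell
# Constructed iptables-save style dump standing in for the router's live
# filter table (assumption: not captured from the poster's box).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i br-lan -j br_lan_in
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Normalise a rule spec to the spelling iptables-save uses: the state match
# is saved as RELATED,ESTABLISHED whatever order was given, and a bare
# "-p udp --dport" is saved with an explicit "-m udp".
normalise_spec() {
    printf '%s\n' "$1" |
      sed -e 's/--state ESTABLISHED,RELATED/--state RELATED,ESTABLISHED/' \
          -e 's/-p udp --dport/-p udp -m udp --dport/' \
          -e 's/-p tcp --dport/-p tcp -m tcp --dport/' |
      tr -s ' '
}

# rule_exists DUMP CHAIN SPEC -> exit 0 if an "-A CHAIN SPEC" line is present,
# i.e. "iptables -D CHAIN SPEC" has something to delete; exit 1 otherwise.
rule_exists() {
    dump=$1; chain=$2; want=$(normalise_spec "$3")
    printf '%s\n' "$dump" | grep -F -x -- "-A $chain $want" >/dev/null
}

# safe_delete DUMP CHAIN SPEC: emit the iptables command only when it would
# match a rule; otherwise report the missing rule and return non-zero instead
# of failing the whole script the way the log above shows.
safe_delete() {
    if rule_exists "$1" "$2" "$3"; then
        printf 'iptables -D %s %s\n' "$2" "$3"
    else
        printf 'skip: no rule "%s" in chain %s\n' "$3" "$2"
        return 1
    fi
}
```

On a live box the dump would come from `iptables-save` (or `iptables -S` on builds that have it) rather than the constructed string.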

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users