On 01/07/2017 10:19 AM, Luke Jordan wrote:
> On 07.01.2017 at 18:38, Tom Eastep wrote:
>>>> Did you add DNPT as a nat builtin action in
>>>> /etc/shorewall6/actions?
>>
>> I meant 'mangle' rather than 'nat'.
>
> sure
>
> # shorewall6 show actions
> A_AllowICMPs                    # Audited Accept needed ICMP6 types
> A_Drop                          # Audited Default Action for DROP policy
> allowBcasts                     # Accept multicast and anycast packets
> AllowICMPs                      # Accept needed ICMP6 types
> allowInvalid inline             # Accepts packets in the INVALID conntrack state
> A_Reject                        # Audited Default Action for REJECT policy
> AutoBLL noinline                # Helper for AutoBL
> AutoBL noinline                 # Auto-blacklist IPs that exceed thesholds
> Broadcast noinline              # Handles Broadcast/Multicast/Anycast
> DNPT builtin,mangle,terminating
> dropBcasts                      # Silently Drop multicast and anycast packets
> Drop                            # Default Action for DROP policy
> dropInvalid inline              # Drops packets in the INVALID conntrack state
> dropNotSyn                      # Silently Drop Non-syn TCP packets
> DropSmurfs noinline             # Handles packets with a broadcast source address
> Established inline,\            # Handles packets in the ESTABLISHED state
> IfEvent noinline                # Perform an action based on an event
> Invalid inline,audit,\          # Handles packets in the INVALID conntrack state
> New inline,state=NEW            # Handles packets in the NEW conntrack state
> NotSyn inline                   # Handles TCP packets that do not have SYN=1 and ACK=0
> Reject                          # Default Action for REJECT policy
> rejNotSyn                       # Silently Reject Non-syn TCP packets
> Related inline,\                # Handles packets in the RELATED conntrack state
> ResetEvent inline               # Reset an Event
> RST inline                      # Handle packets with RST set
> SetEvent inline                 # Initialize an event
> SNPT builtin,mangle,terminating
> TCPFlags                        # Handles bad flags combinations
> Untracked inline,\              # Handles packets in the UNTRACKED conntrack state
>
>>> Nevermind -- it is a bug in the IP6TABLES parser -- it doesn't
>>> expect IPv6 addresses in the action parameters :-(
>>
>> You can work around the problem by fully expressing the IP
>> addresses (e.g., 2001:XXXX:YYYY:100:0:0:0:0/64).
>
> this workaround shows a new problem:
>
> # shorewall6 start
> [...]
> Preparing ip6tables-restore input...
> Running /sbin/ip6tables-restore ...
> ip6tables-restore: line 34 failed
>    ERROR: iptables-restore Failed. Input is in /var/lib/shorewall6/.ip6tables-restore-input
> Preparing ip6tables-restore input...
> Running /sbin/ip6tables-restore...
> Terminated
>
> line 32 is "COMMIT"
>
> # cat /var/lib/shorewall6/.ip6tables-restore-input
> #
> # Generated by Shorewall 5.0.14.1 - Sa 7. Jan 19:13:28 CET 2017
> #
> *raw
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :tcfor - [0:0]
> :tcin - [0:0]
> :tcout - [0:0]
> :tcpost - [0:0]
> :tcpre - [0:0]
> -A PREROUTING -j tcpre
> -A INPUT -j tcin
> -A FORWARD -j MARK --set-mark 0/0xff00
> -A FORWARD -j tcfor
> -A OUTPUT -j tcout
> -A POSTROUTING -j tcpost
> -A tcpre -p 6 -m multiport --dports 22,47238,52486 -i eth0 -j MARK --set-mark 768
> -A tcpre -i eth0 -j MARK --set-mark 512
> -A tcpre -i eth0 -j DNPT --src-pfx 2001:XXXX:YYYY:100:0:0:0:0/64 --dst-pfx fdae:fa7:dead:beef:0:0:0:0/64
> -A tcpre -i eth0 -j SNPT --src-pfx fdae:fa7:dead:beef:0:0:0:0/64 --dst-pfx 2001:XXXX:YYYY:100:0:0:0:0/64
> COMMIT
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> :AllowICMPs - [0:0]
> :Broadcast - [0:0]
> :Reject - [0:0]
> :cbl-dsl - [0:0]
> :cbl-fw - [0:0]
> :cbl-int - [0:0]
> :cbl_frwd - [0:0]
> :dsl-cbl - [0:0]
> :dsl-fw - [0:0]
> :dsl-int - [0:0]
> :dsl_frwd - [0:0]
> :dynamic - [0:0]
> :fw-cbl - [0:0]
> :fw-dsl - [0:0]
> :fw-int - [0:0]
> :int-cbl - [0:0]
> :int-dsl - [0:0]
> :int-fw - [0:0]
> :int_frwd - [0:0]
> :logdrop - [0:0]
> :logflags - [0:0]
> :logreject - [0:0]
> :reject - [0:0]
> :sfilter - [0:0]
> :tcpflags - [0:0]
> :sha-lh-780b52025322fe413b49 - [0:0]
> :sha-rh-88253ba662f5e71f112e - [0:0]
> -A INPUT -i eth1 -j dsl-fw
> -A INPUT -i eth2 -j cbl-fw
> -A INPUT -i eth0 -j int-fw
> -A INPUT -i lo -j ACCEPT
> -A INPUT -j Reject
> -A INPUT -j LOG --log-level 6 --log-prefix "Shorewall:INPUT:REJECT:"
> -A INPUT -g reject
> -A FORWARD -i eth1 -j dsl_frwd
> -A FORWARD -i eth2 -j cbl_frwd
> -A FORWARD -i eth0 -j int_frwd
> -A FORWARD -j Reject
> -A FORWARD -j LOG --log-level 6 --log-prefix "Shorewall:FORWARD:REJECT:"
> -A FORWARD -g reject
> -A OUTPUT -o eth1 -j fw-dsl
> -A OUTPUT -o eth2 -j fw-cbl
> -A OUTPUT -o eth0 -j fw-int
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -j Reject
> -A OUTPUT -j LOG --log-level 6 --log-prefix "Shorewall:OUTPUT:REJECT:"
> -A OUTPUT -g reject
> -A AllowICMPs -p 58 --icmpv6-type 1 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 2 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 3 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 4 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 133 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 134 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 135 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 136 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 137 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 141 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 142 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 130 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 131 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 132 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 143 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 148 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -p 58 --icmpv6-type 149 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 151 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 152 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 153 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
> -A Broadcast -d 2001:XXXX:YYYY:0:: -j DROP
> -A Broadcast -d 2001:XXXX:YYYY:0:ffff:ffff:ffff:ffff/121 -j DROP
> -A Broadcast -d 2a02:XXXX:YYYY:f972:: -j DROP
> -A Broadcast -d 2a02:XXXX:YYYY:f972:ffff:ffff:ffff:ffff/121 -j DROP
> -A Broadcast -d ff00::/8 -j DROP
> -A Reject
> -A Reject -p 58 -j AllowICMPs
> -A Reject -j Broadcast
> -A Reject -m conntrack --ctstate INVALID -j DROP
> -A Reject -p 17 -m multiport --dports 135,445 -g reject -m comment --comment "SMB"
> -A Reject -p 17 --dport 137:139 -g reject -m comment --comment "SMB"
> -A Reject -p 17 --dport 1024:65535 --sport 137 -g reject -m comment --comment "SMB"
> -A Reject -p 6 -m multiport --dports 135,139,445 -g reject -m comment --comment "SMB"
> -A Reject -p 17 --dport 1900 -j DROP -m comment --comment "UPnP"
> -A Reject -p 6 ! --syn -j DROP
> -A Reject -p 17 --sport 53 -j DROP -m comment --comment "Late DNS Replies"
> -A cbl-dsl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A cbl-dsl -j Reject
> -A cbl-dsl -j LOG --log-level 6 --log-prefix "Shorewall:cbl-dsl:REJECT:"
> -A cbl-dsl -g reject
> -A cbl-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
> -A cbl-fw -p tcp -j tcpflags
> -A cbl-fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A cbl-fw -j Reject
> -A cbl-fw -j LOG --log-level 6 --log-prefix "Shorewall:cbl-fw:REJECT:"
> -A cbl-fw -g reject
> -A cbl-int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A cbl-int -j Reject
> -A cbl-int -j LOG --log-level 6 --log-prefix "Shorewall:cbl-int:REJECT:"
> -A cbl-int -g reject
> -A cbl_frwd -o eth2 -g sfilter
> -A cbl_frwd -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
> -A cbl_frwd -p tcp -j tcpflags
> -A cbl_frwd -o eth1 -j cbl-dsl
> -A cbl_frwd -o eth0 -j cbl-int
> -A dsl-cbl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A dsl-cbl -j Reject
> -A dsl-cbl -j LOG --log-level 6 --log-prefix "Shorewall:dsl-cbl:REJECT:"
> -A dsl-cbl -g reject
> -A dsl-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
> -A dsl-fw -p tcp -j tcpflags
> -A dsl-fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A dsl-fw -p 58 -j ACCEPT
> -A dsl-fw -j Reject
> -A dsl-fw -j LOG --log-level 6 --log-prefix "Shorewall:dsl-fw:REJECT:"
> -A dsl-fw -g reject
> -A dsl-int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A dsl-int -j Reject
> -A dsl-int -j LOG --log-level 6 --log-prefix "Shorewall:dsl-int:REJECT:"
> -A dsl-int -g reject
> -A dsl_frwd -o eth1 -g sfilter
> -A dsl_frwd -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
> -A dsl_frwd -p tcp -j tcpflags
> -A dsl_frwd -o eth2 -j dsl-cbl
> -A dsl_frwd -o eth0 -j dsl-int
> -A fw-cbl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A fw-cbl -j LOG --log-level 6 --log-prefix "Shorewall:fw-cbl:ACCEPT:"
> -A fw-cbl -j ACCEPT
> -A fw-dsl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A fw-dsl -j LOG --log-level 6 --log-prefix "Shorewall:fw-dsl:ACCEPT:"
> -A fw-dsl -j ACCEPT
> -A fw-int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A fw-int -p 58 -j ACCEPT
> -A fw-int -j LOG --log-level 6 --log-prefix "Shorewall:fw-int:ACCEPT:"
> -A fw-int -j ACCEPT
> -A int-cbl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A int-cbl -j LOG --log-level 6 --log-prefix "Shorewall:int-cbl:ACCEPT:"
> -A int-cbl -j ACCEPT
> -A int-dsl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A int-dsl -j LOG --log-level 6 --log-prefix "Shorewall:int-dsl:ACCEPT:"
> -A int-dsl -j ACCEPT
> -A int-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
> -A int-fw -p tcp -j tcpflags
> -A int-fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A int-fw -j LOG --log-level 6 --log-prefix "Shorewall:int-fw:ACCEPT:"
> -A int-fw -j ACCEPT
> -A int_frwd -o eth0 -g sfilter
> -A int_frwd -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
> -A int_frwd -p tcp -j tcpflags
> -A int_frwd -o eth1 -j int-dsl
> -A int_frwd -o eth2 -j int-cbl
> -A logdrop -j DROP
> -A logflags -j LOG --log-ip-options --log-level 6 --log-prefix "Shorewall:logflags:DROP:"
> -A logflags -j DROP
> -A logreject -j reject
> -A reject -d 2001:XXXX:YYYY:0:: -j DROP
> -A reject -d 2001:XXXX:YYYY:0:ffff:ffff:ffff:ffff/121 -j DROP
> -A reject -d 2a02:XXXX:YYYY:f972:: -j DROP
> -A reject -d 2a02:XXXX:YYYY:f972:ffff:ffff:ffff:ffff/121 -j DROP
> -A reject -s ff00::/8 -j DROP
> -A reject -p 2 -j DROP
> -A reject -p 6 -j REJECT --reject-with tcp-reset
> -A reject -p 17 -j REJECT
> -A reject -p 58 -j REJECT --reject-with icmp6-addr-unreachable
> -A reject -j REJECT --reject-with icmp6-adm-prohibited
> -A sfilter -j LOG --log-level 6 --log-prefix "Shorewall:sfilter:DROP:"
> -A sfilter -j DROP
> -A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH -g logflags
> -A tcpflags -p tcp --tcp-flags ALL NONE -g logflags
> -A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST -g logflags
> -A tcpflags -p tcp --tcp-flags FIN,RST FIN,RST -g logflags
> -A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN -g logflags
> -A tcpflags -p tcp --tcp-flags ACK,PSH,FIN PSH,FIN -g logflags
> -A tcpflags -p tcp --syn --sport 0 -g logflags
> COMMIT
>
> # dmesg
> [...]
> [5944577.629325] xt_addrtype: ipv6 does not support BROADCAST matching
> [5944579.777435] x_tables: ip6_tables: SNPT target: used from hooks PREROUTING, but only usable from INPUT/POSTROUTING
>
> the problem is the following line in /etc/shorewall6/mangle:
>
> IP6TABLES(SNPT --src-pfx fdae:fa7:dead:beef:0:0:0:0/64 --dst-pfx 2001:XXXX:YYYY:100:0:0:0:0/64 ):P
That should be :T, not :P

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
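The kernel rejected the whole mangle table because the SNPT rule sat in tcpre, which PREROUTING jumps to, while SNPT is only usable from INPUT/POSTROUTING; moving the rule to the :T (tcpost, reached from POSTROUTING) chain fixes it. The check below, an added example that is not Shorewall's code and not part of the thread, reads an ip6tables-restore input file such as the one Shorewall writes to /var/lib/shorewall6/.ip6tables-restore-input, walks the -j/-g call graph of each table backwards to find which built-in hooks reach every chain, and reports NPT rules reachable from a hook their target is not allowed in, so the mistake can be caught before ip6tables-restore fails. The SNPT hook set is exactly what the kernel message in the thread states; the DNPT hook set (PREROUTING/OUTPUT) is taken from the xt_NPT module's target registration and is not stated in the thread. The sample tables are constructed to mirror the thread's mangle table, with 2001:db8::/32 documentation prefixes in place of the real ones.

```python
"""Flag ip6tables NPT rules that ip6tables-restore would refuse because
they are reachable from a hook the target cannot be used in.

Added example for the Shorewall-users thread; not Shorewall's own code.
Input is ip6tables-restore text (e.g. the file Shorewall leaves in
/var/lib/shorewall6/.ip6tables-restore-input after a failed start).
"""
import sys
from collections import defaultdict

# Hooks each NPT target may be used from. SNPT is exactly what the kernel
# printed in the thread ("only usable from INPUT/POSTROUTING"); DNPT is
# taken from the xt_NPT module's target registration (not in the thread).
ALLOWED_HOOKS = {
    "SNPT": {"INPUT", "POSTROUTING"},
    "DNPT": {"PREROUTING", "OUTPUT"},
}
BUILTIN_HOOKS = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}


def parse_restore(text):
    """Return {table: [(chain, target, rule_line), ...]} for every -A rule.

    target is the -j/-g argument, or None for a rule without one.
    """
    tables = defaultdict(list)
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A ") and table is not None:
            tokens = line.split()
            target = None
            for i, tok in enumerate(tokens[2:], start=2):
                if tok in ("-j", "-g") and i + 1 < len(tokens):
                    target = tokens[i + 1]
                    break
            tables[table].append((tokens[1], target, line))
    return tables


def hooks_reaching(rules, chain):
    """Built-in hooks from which `chain` is reachable through -j/-g jumps.

    Walks the call graph backwards, so a user chain reached only via
    another user chain (e.g. tcpre) is still attributed to its hook.
    """
    callers = defaultdict(set)
    for src, target, _ in rules:
        if target is not None:
            callers[target].add(src)
    hooks, seen, stack = set(), set(), [chain]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        if cur in BUILTIN_HOOKS:
            hooks.add(cur)
        stack.extend(callers[cur])
    return hooks


def find_misplaced_npt(text):
    """Return [(table, chain, target, [offending hooks])] for NPT rules
    reachable from a hook their target is not allowed in."""
    findings = []
    for table, rules in parse_restore(text).items():
        for chain, target, _ in rules:
            if target in ALLOWED_HOOKS:
                bad = hooks_reaching(rules, chain) - ALLOWED_HOOKS[target]
                if bad:
                    findings.append((table, chain, target, sorted(bad)))
    return findings


# Constructed sample mirroring the thread's mangle table (documentation
# prefixes instead of the real ones). BROKEN is what the ':P' designator
# produced: SNPT in tcpre, which PREROUTING jumps to. FIXED is the ':T'
# placement in tcpost; -i is not valid in POSTROUTING, so it matches -o.
MANGLE_HEAD = """\
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A POSTROUTING -j tcpost
-A tcpre -i eth0 -j DNPT --src-pfx 2001:db8:1:100::/64 --dst-pfx fdae:fa7:dead:beef::/64
"""
NPT_ARGS = "--src-pfx fdae:fa7:dead:beef::/64 --dst-pfx 2001:db8:1:100::/64"
BROKEN = MANGLE_HEAD + f"-A tcpre -i eth0 -j SNPT {NPT_ARGS}\nCOMMIT\n"
FIXED = MANGLE_HEAD + f"-A tcpost -o eth0 -j SNPT {NPT_ARGS}\nCOMMIT\n"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN
    for table, chain, target, hooks in find_misplaced_npt(text):
        print(f"{table}: {target} in chain {chain} is reachable from {','.join(hooks)}")
```

Run it with the restore-input path as the only argument after a failed `shorewall6 start`; without an argument it checks the constructed BROKEN sample and prints the one finding (mangle: SNPT in chain tcpre is reachable from PREROUTING). The DNPT rule in the same chain produces no finding because PREROUTING is one of DNPT's permitted hooks.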