>What are the contents of /etc/shorewall/snat?
SNAT(192.168.15.145)    10.10.10.0/24    enp1s0
I receive the private address 192.168.15.145 (configured as static) from my ISP, which is seen as public 46.xxx.xxx.xxx

>Also show the output of these two commands run on the Shorewall/gateway machine:
>ip -o -4 addr
>ip -o -4 route
ela@akacja:~$ ip -o -4 addr
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: enp1s0    inet 192.168.15.145/24 brd 192.168.15.255 scope global enp1s0\       valid_lft forever preferred_lft forever
4: enp3s0f1    inet 10.10.10.1/24 brd 10.10.10.255 scope global enp3s0f1\       valid_lft forever preferred_lft forever
5: wlp4s0    inet 10.10.11.1/24 brd 10.10.11.255 scope global wlp4s0\       valid_lft forever preferred_lft forever
ela@akacja:~$ ip -o -4 route
default via 192.168.15.1 dev enp1s0 proto static
10.10.10.0/24 dev enp3s0f1 proto kernel scope link src 10.10.10.1
10.10.11.0/24 dev wlp4s0 proto kernel scope link src 10.10.11.1
192.168.15.0/24 dev enp1s0 proto kernel scope link src 192.168.15.145

>Are there any messages in the log?
Jan 31 14:43:23 Processing /etc/shorewall/params ...
Jan 31 14:43:23 Processing /etc/shorewall/shorewall.conf...
Jan 31 14:43:23 Loading Modules...
Jan 31 14:43:23 Compiling /etc/shorewall/zones...
Jan 31 14:43:23 Compiling /etc/shorewall/interfaces...
Jan 31 14:43:23    Interface "net enp1s0 detect tcpflags,logmartians,nosmurfs" Validated
Jan 31 14:43:23    Interface "loc enp3s0f1 detect dhcp" Validated
Jan 31 14:43:23    Interface "loc wlp4s0 detect dhcp" Validated
Jan 31 14:43:23 Determining Hosts in Zones...
Jan 31 14:43:23    fw (firewall)
Jan 31 14:43:23    net (ipv4)
Jan 31 14:43:23       enp1s0:0.0.0.0/0
Jan 31 14:43:23    loc (ipv4)
Jan 31 14:43:23       enp3s0f1:0.0.0.0/0
Jan 31 14:43:23       wlp4s0:0.0.0.0/0
Jan 31 14:43:23 Locating Action Files...
Jan 31 14:43:23 Compiling /etc/shorewall/policy...
Jan 31 14:43:23    Policy for loc to net is ACCEPT using chain loc-net
Jan 31 14:43:23    Policy for fw to net is ACCEPT using chain fw-net
Jan 31 14:43:23    Policy for net to fw is DROP using chain net-all
Jan 31 14:43:23    Policy for net to loc is DROP using chain net-all
Jan 31 14:43:23    Policy for fw to net is REJECT using chain all-all
Jan 31 14:43:23    Policy for fw to loc is REJECT using chain all-all
Jan 31 14:43:23    Policy for net to fw is REJECT using chain all-all
Jan 31 14:43:23    Policy for net to loc is REJECT using chain all-all
Jan 31 14:43:23    Policy for loc to fw is REJECT using chain all-all
Jan 31 14:43:23    Policy for loc to net is REJECT using chain all-all
Jan 31 14:43:23 Adding Anti-smurf Rules
Jan 31 14:43:23 Adding rules for DHCP
Jan 31 14:43:23 Compiling TCP Flags filtering...
Jan 31 14:43:23 Compiling Kernel Route Filtering...
Jan 31 14:43:23 Compiling Martian Logging...
Jan 31 14:43:23 Compiling /etc/shorewall/snat...
Jan 31 14:43:23     Snat record "SNAT(192.168.15.145) 10.10.10.0/24 enp1s0" Compiled
Jan 31 14:43:23 Compiling MAC Filtration -- Phase 1...
Jan 31 14:43:23    Chain enp1s0_iop deleted
Jan 31 14:43:23    Chain enp1s0_fop deleted
Jan 31 14:43:23    Chain enp3s0f1_iop deleted
Jan 31 14:43:23    Chain enp3s0f1_fop deleted
Jan 31 14:43:23    Chain enp3s0f1_oop deleted
Jan 31 14:43:23    Chain wlp4s0_iop deleted
Jan 31 14:43:23    Chain wlp4s0_fop deleted
Jan 31 14:43:23    Chain wlp4s0_oop deleted
Jan 31 14:43:23 Compiling /etc/shorewall/rules...
Jan 31 14:43:23 ..Expanding inline action /usr/share/shorewall/action.Invalid...
Jan 31 14:43:23 ..End inline action /usr/share/shorewall/action.Invalid
Jan 31 14:43:23 ..Expanding inline action /usr/share/shorewall/action.Invalid...
Jan 31 14:43:23 ..End inline action /usr/share/shorewall/action.Invalid
Jan 31 14:43:23     Rule "Invalid(DROP) net all tcp" Compiled
Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.SSH...
Jan 31 14:43:23     Rule "PARAM - - tcp 22" Compiled
Jan 31 14:43:23 ..End Macro /usr/share/shorewall/macro.SSH
Jan 31 14:43:23     Rule "SSH(ACCEPT) loc fw" Compiled
Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.Ping...
Jan 31 14:43:23     Rule "PARAM - - icmp 8" Compiled
Jan 31 14:43:23 ..End Macro /usr/share/shorewall/macro.Ping
Jan 31 14:43:23     Rule "Ping(ACCEPT) loc fw" Compiled
Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.Ping...
Jan 31 14:43:23     Rule "PARAM - - icmp 8" Compiled
Jan 31 14:43:23 ..End Macro /usr/share/shorewall/macro.Ping
Jan 31 14:43:23     Rule "Ping(DROP) net fw" Compiled
Jan 31 14:43:23     Rule "ACCEPT fw loc icmp" Compiled
Jan 31 14:43:23     Rule "ACCEPT fw net icmp" Compiled
Jan 31 14:43:24     Rule "ACCEPT net fw tcp 6535" Compiled
Jan 31 14:43:24     Rule "ACCEPT net fw udp 6534" Compiled
Jan 31 14:43:24     Rule "ACCEPT net fw tcp 1007" Compiled
Jan 31 14:43:24     Rule "ACCEPT net fw tcp 22" Compiled
Jan 31 14:43:24 Compiling /etc/shorewall/conntrack...
Jan 31 14:43:24    Conntrack rule "CT:helper:amanda:PO - - udp 10080" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:amanda:PO - - udp 10080" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:ftp:PO - - tcp 21" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:ftp:PO - - tcp 21" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:RAS:PO - - udp 1719" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:RAS:PO - - udp 1719" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:Q.931:PO - - tcp 1720" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:Q.931:PO - - tcp 1720" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:irc:PO - - tcp 6667" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:irc:PO - - tcp 6667" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:netbios-ns:PO - - udp 137" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:netbios-ns:PO - - udp 137" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:pptp:PO - - tcp 1723" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:pptp:PO - - tcp 1723" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:sane:PO - - tcp 6566" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:sane:PO - - tcp 6566" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:sip:PO - - udp 5060" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:sip:PO - - udp 5060" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:snmp:PO - - udp 161" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:snmp:PO - - udp 161" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:tftp:PO - - udp 69" Compiled
Jan 31 14:43:24    Conntrack rule "CT:helper:tftp:PO - - udp 69" Compiled
Jan 31 14:43:24 Compiling MAC Filtration -- Phase 2...
Jan 31 14:43:24 Applying Policies...
Jan 31 14:43:24    Policy ACCEPT from fw to net using chain fw-net
Jan 31 14:43:24 Compiling /usr/share/shorewall/action.Reject for chain Reject...
Jan 31 14:43:24 ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Jan 31 14:43:24     Rule "PARAM - - icmp fragmentation-needed" Compiled
Jan 31 14:43:24     Rule "PARAM - - icmp time-exceeded" Compiled
Jan 31 14:43:24 ..End Macro /usr/share/shorewall/macro.AllowICMPs
Jan 31 14:43:24 Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Jan 31 14:43:24 ..Expanding inline action /usr/share/shorewall/action.Invalid...
Jan 31 14:43:24 ..End inline action /usr/share/shorewall/action.Invalid
Jan 31 14:43:24 ..Expanding Macro /usr/share/shorewall/macro.SMB...
Jan 31 14:43:24     Rule "PARAM - - udp 135,445" Compiled
Jan 31 14:43:24     Rule " PARAM - - udp 137:139" Compiled
Jan 31 14:43:24     Rule "PARAM - - udp 1024: 137" Compiled
Jan 31 14:43:24     Rule "PARAM - - tcp 135,139,445" Compiled
Jan 31 14:43:24 ..End Macro /usr/share/shorewall/macro.SMB
Jan 31 14:43:24 ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Jan 31 14:43:24     Rule "PARAM - - udp 1900" Compiled
Jan 31 14:43:24 ..End Macro /usr/share/shorewall/macro.DropUPnP
Jan 31 14:43:24 ..Expanding inline action /usr/share/shorewall/action.NotSyn...
Jan 31 14:43:24     Rule "DROP - - ;;+ -p 6 ! --syn" Compiled
Jan 31 14:43:24 ..End inline action /usr/share/shorewall/action.NotSyn
Jan 31 14:43:24 ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Jan 31 14:43:24     Rule "PARAM - - udp - 53" Compiled
Jan 31 14:43:24 ..End Macro /usr/share/shorewall/macro.DropDNSrep
Jan 31 14:43:24    Policy REJECT from fw to loc using chain fw-loc
Jan 31 14:43:24 Compiling /usr/share/shorewall/action.Drop for chain Drop...
Jan 31 14:43:24 ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Jan 31 14:43:24     Rule "PARAM - - icmp fragmentation-needed" Compiled
Jan 31 14:43:24     Rule "PARAM - - icmp time-exceeded" Compiled
Jan 31 14:43:24 ..End Macro /usr/share/shorewall/macro.AllowICMPs
Jan 31 14:43:24 ..Expanding inline action /usr/share/shorewall/action.Invalid...
Jan 31 14:43:24 ..End inline action /usr/share/shorewall/action.Invalid
Jan 31 14:43:24 ..Expanding Macro /usr/share/shorewall/macro.SMB...
Jan 31 14:43:24     Rule "PARAM - - udp 135,445" Compiled
Jan 31 14:43:24     Rule " PARAM - - udp 137:139" Compiled
Jan 31 14:43:24     Rule "PARAM - - udp 1024: 137" Compiled
Jan 31 14:43:24     Rule "PARAM - - tcp 135,139,445" Compiled
Jan 31 14:43:24 ..End Macro /usr/share/shorewall/macro.SMB
Jan 31 14:43:24 ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Jan 31 14:43:24     Rule "PARAM - - udp 1900" Compiled
Jan 31 14:43:24 ..End Macro /usr/share/shorewall/macro.DropUPnP
Jan 31 14:43:24 ..Expanding inline action /usr/share/shorewall/action.NotSyn...
Jan 31 14:43:24     Rule "DROP - - ;;+ -p 6 ! --syn" Compiled
Jan 31 14:43:24 ..End inline action /usr/share/shorewall/action.NotSyn
Jan 31 14:43:24 ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Jan 31 14:43:24     Rule "PARAM - - udp - 53" Compiled
Jan 31 14:43:24 ..End Macro /usr/share/shorewall/macro.DropDNSrep
Jan 31 14:43:24    Policy DROP from net to fw using chain net-fw
Jan 31 14:43:24    Policy DROP from net to loc using chain net-loc
Jan 31 14:43:24    Policy REJECT from loc to fw using chain loc-fw
Jan 31 14:43:24    Policy ACCEPT from loc to net using chain loc-net
Jan 31 14:43:24 Generating Rule Matrix...
Jan 31 14:43:24    Handling complex zones...
Jan 31 14:43:24    Entering main matrix-generation loop...
Jan 31 14:43:24    Chain enp1s0_in deleted
Jan 31 14:43:24    Chain enp1s0_fwd deleted
Jan 31 14:43:24    Finishing matrix...
Jan 31 14:43:24 Creating iptables-restore input...
Jan 31 14:43:24 Shorewall configuration compiled to /var/lib/shorewall/.start
Jan 31 14:43:24 Starting Shorewall....
Jan 31 14:43:24 Initializing...
Jan 31 14:43:24 Setting up Route Filtering...
Jan 31 14:43:24 Setting up Martian Logging...
Jan 31 14:43:24 Disabling Kernel Automatic Helper Association
Jan 31 14:43:24 Preparing iptables-restore input...
Jan 31 14:43:24 Running /sbin/iptables-restore ...
Jan 31 14:43:24 IPv4 Forwarding Enabled
Jan 31 14:43:24 done.

Regards,
B
