-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Mon, 29 Jul 2019 08:47:33 -0700, Tom Eastep <teas...@shorewall.net> wrote:
> On 7/29/19 4:11 AM, Mahashakti89 wrote:
> > Hi,
> >
> > Shorewall won't start .... I am running Debian Sid. I could use some
> > help.
> > I used the documentation > examples > two-interfaces to set up the
> > firewall.
> >
> > 1. On start I get the following error message:
> >
> > Starting Shorewall....
> > Initializing...
> > Setting up Route Filtering...
> > Setting up Martian Logging...
> > Setting up Accept Source Routing...
> > Preparing iptables-restore input...
> > Running /sbin/iptables-restore --wait 60...
> > iptables-restore v1.8.3 (nf_tables):
> > line 5: CHAIN_UPDATE failed (Operation not supported): chain PREROUTING
> > line 6: CHAIN_UPDATE failed (Operation not supported): chain OUTPUT
> > ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
> > Preparing iptables-restore input...
> > Running /sbin/iptables-restore --wait 60...
> > iptables-restore v1.8.3 (nf_tables):
> > line 5: CHAIN_UPDATE failed (Operation not supported): chain PREROUTING
> > line 6: CHAIN_UPDATE failed (Operation not supported): chain OUTPUT
> > ERROR: /sbin/iptables-restore --wait 60 Failed.
> > IPv4 Forwarding Enabled
> > Terminated
> > zsh: exit 143   sudo shorewall start
> >
> > 2. So I used:
> >
> > iptables-legacy -t nat -v -L -n --line-number
> > Chain PREROUTING (policy ACCEPT 152 packets, 8722 bytes)
> > num   pkts bytes target     prot opt in     out     source               destination
> >
> > Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> > num   pkts bytes target     prot opt in     out     source               destination
> >
> > Chain OUTPUT (policy ACCEPT 2507 packets, 153K bytes)
> > num   pkts bytes target     prot opt in     out     source               destination
> >
> > Chain POSTROUTING (policy ACCEPT 2507 packets, 153K bytes)
> > num   pkts bytes target     prot opt in     out     source               destination
> >
> >
> > 3. I wanted to delete the PREROUTING and OUTPUT rules using:
> >
> > iptables-legacy -t nat -D POSTROUTING {number-here}
> >
> > but it won't work; I have no rule number to use.
> >
> >
> > Hope you understand my English.
> > I could use some help.
> >
> > mahashakti89
>
> Try switching to the legacy iptables backend.
>
> Example:
>
> root@testing:/usr/share/doc/iptables# update-alternatives --config iptables
> There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).
>
>   Selection    Path                        Priority   Status
> ------------------------------------------------------------
> * 0            /usr/sbin/iptables-nft       20        auto mode
>   1            /usr/sbin/iptables-legacy    10        manual mode
>   2            /usr/sbin/iptables-nft       20        manual mode
>
> Press <enter> to keep the current choice[*], or type selection number: 1
> update-alternatives: using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in manual mode
> root@testing:/usr/share/doc/iptables#
>
> If that works, please send me (privately) a tarball of your
> /etc/shorewall directory.
>
> Thanks,
>
> -Tom

Hi,

I already tried the trick with the update-alternatives --config iptables command.
Shorewall is indeed starting, but I have no internet access. In /var/log/syslog I find the following errors:

loc-fw REJECT IN=eth1 OUT= MAC=78:24:af:47:80:12:2c:e4:12:dd:51:d4:08:00 SRC=94.124.134.53 DST=192.168.1.16 LEN=98 TOS=0x00 PREC=0x00 TTL=53 ID=16711 DF PROTO=TCP SPT=443 DPT=50430 WINDOW=531 RES=0x00 ACK FIN URGP=0
Jul 29 19:12:06 ishwara kernel: [  207.392482] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=94.124.134.53 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50430 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Jul 29 19:12:06 ishwara kernel: [  207.798926] loc-fw REJECT IN=eth1 OUT= MAC=78:24:af:47:80:12:2c:e4:12:dd:51:d4:08:00 SRC=94.124.134.53 DST=192.168.1.16 LEN=98 TOS=0x00 PREC=0x00 TTL=53 ID=16712 DF PROTO=TCP SPT=443 DPT=50430 WINDOW=531 RES=0x00 ACK FIN URGP=0
Jul 29 19:12:06 ishwara kernel: [  207.798938] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=94.124.134.53 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50430 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Jul 29 19:12:07 ishwara kernel: [  208.213091] loc-fw REJECT IN=eth1 OUT= MAC=78:24:af:47:80:12:2c:e4:12:dd:51:d4:08:00 SRC=94.124.134.53 DST=192.168.1.16 LEN=98 TOS=0x00 PREC=0x00 TTL=53 ID=16713 DF PROTO=TCP SPT=443 DPT=50430 WINDOW=531 RES=0x00 ACK FIN URGP=0
Jul 29 19:12:07 ishwara kernel: [  208.213135] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=94.124.134.53 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50430 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Jul 29 19:12:08 ishwara kernel: [  209.045584] loc-fw REJECT IN=eth1 OUT= MAC=78:24:af:47:80:12:2c:e4:12:dd:51:d4:08:00 SRC=94.124.134.53 DST=192.168.1.16 LEN=98 TOS=0x00 PREC=0x00 TTL=53 ID=16714 DF PROTO=TCP SPT=443 DPT=50430 WINDOW=531 RES=0x00 ACK FIN URGP=0
Jul 29 19:12:08 ishwara kernel: [  209.045629] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=94.124.134.53 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50430 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Jul 29 19:12:08 ishwara kernel: [  209.345187] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=192.168.1.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=56117 DF PROTO=UDP SPT=58742 DPT=53 LEN=47
Jul 29 19:12:08 ishwara kernel: [  209.345319] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=192.168.1.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=56118 DF PROTO=UDP SPT=43055 DPT=53 LEN=47
Jul 29 19:12:08 ishwara kernel: [  209.345477] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=192.168.1.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=56119 DF PROTO=UDP SPT=49654 DPT=53 LEN=52
Jul 29 19:12:08 ishwara kernel: [  209.345616] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=192.168.1.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=56120 DF PROTO=UDP SPT=59124 DPT=53 LEN=52
Jul 29 19:12:08 ishwara kernel: [  209.346288] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=192.168.1.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=56121 DF PROTO=UDP SPT=44769 DPT=53 LEN=47
Jul 29 19:12:08 ishwara kernel: [  209.346466] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=192.168.1.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=56122 DF PROTO=UDP SPT=50842 DPT=53 LEN=47
Jul 29 19:12:08 ishwara kernel: [  209.346598] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=192.168.1.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=56123 DF PROTO=UDP SPT=33377 DPT=53 LEN=52
Jul 29 19:12:09 ishwara kernel: [  210.673458] loc-fw REJECT IN=eth1 OUT= MAC=78:24:af:47:80:12:2c:e4:12:dd:51:d4:08:00 SRC=94.124.134.53 DST=192.168.1.16 LEN=98 TOS=0x00 PREC=0x00 TTL=53 ID=16715 DF PROTO=TCP SPT=443 DPT=50430 WINDOW=531 RES=0x00 ACK FIN URGP=0
Jul 29 19:12:09 ishwara kernel: [  210.673502] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=94.124.134.53 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50430 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Jul 29 19:12:13 ishwara kernel: [  214.065616] loc-fw REJECT IN=eth1 OUT= MAC=78:24:af:47:80:12:2c:e4:12:dd:51:d4:08:00 SRC=94.124.134.53 DST=192.168.1.16 LEN=98 TOS=0x00 PREC=0x00 TTL=53 ID=16716 DF PROTO=TCP SPT=443 DPT=50430 WINDOW=531 RES=0x00 ACK FIN URGP=0
Jul 29 19:12:13 ishwara kernel: [  214.065661] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=94.124.134.53 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50430 DPT=443 WINDOW=0 RES=0x00 RST URGP=0

I will send you the tarball of /etc/shorewall privately.

Thanks
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEqwnUSptd4nUozSorgCLNhIOctIAFAl0/KusACgkQgCLNhIOc
tIBOvwf9EMwRc9jK6o+hQZYCONLYZRmPyCodlWQvvwGL2HXnm38uAJ1Vs7h9dBKi
4UGV/yJ4E6BAvhHK4uoTqzgkbzefKURBrVChhDJighZW4qg6HjVcAeaTYLxgBNF8
ZhWFygN8/S3cZSjUasDSoo28iolJGPhtiFTsDllOXInPwc0xqMBfcQLhwm7kH3GS
ImSVXjmzbRk71Bqp6D304X4op8Ws3YQrRl8mqJdzYzmWtdmBvqAIyRMenluADczx
UrWMpJ5POWlEvtmyqJsGpNSQlJsq3WeYztC32M5YZM2PI4QkC8fE2fziH2vuAyAi
FhbTvCOlafSMNUk+aIagcDJoG5nGSw==
=Phhu
-----END PGP SIGNATURE-----

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
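The REJECT lines quoted in the message above are easier to reason about once summarised: which chain is rejecting, which protocol and port, whether the rejected TCP packets belong to connections conntrack no longer knows about, and which interfaces are carrying non-private addresses. The script below is an added example, written for this page; it is not part of the thread and not Shorewall's code. It parses the `<chain> <DISPOSITION> IN=... OUT=...` log prefix format visible in the quoted lines (Shorewall's default LOGFORMAT prefixes differ, which is called out in a comment), and the sample log is constructed from a subset of the lines quoted above. Function names are my own. On the quoted data the report shows every reject on eth1, the firewall's own DNS queries to 192.168.1.1 being rejected in fw-loc, ACK/FIN packets from a public address rejected in loc-fw, and that public address appearing on the interface the two-interfaces example assigns to the `loc` zone, which is what a reader would check first.

```python
"""Summarise Shorewall REJECT log lines (added example, not from the thread)."""
import ipaddress
import re
from collections import Counter

# Prefix format seen in the quoted lines: "<chain> <DISPOSITION> IN=... OUT=...".
# Shorewall's default LOGFORMAT emits "Shorewall:<chain>:<disposition>:" instead;
# adapt _HEAD if your logs use that form.
_HEAD = re.compile(r"(?P<chain>\S+)\s+(?P<disposition>ACCEPT|DROP|REJECT)\s+IN=")
_KV = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample: a subset of the kernel lines quoted in the post,
# plus one unrelated kernel line to show that non-Shorewall lines are skipped.
SAMPLE_LOG = """\
Jul 29 19:12:06 ishwara kernel: [  207.392482] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=94.124.134.53 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50430 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Jul 29 19:12:06 ishwara kernel: [  207.798926] loc-fw REJECT IN=eth1 OUT= MAC=78:24:af:47:80:12:2c:e4:12:dd:51:d4:08:00 SRC=94.124.134.53 DST=192.168.1.16 LEN=98 TOS=0x00 PREC=0x00 TTL=53 ID=16712 DF PROTO=TCP SPT=443 DPT=50430 WINDOW=531 RES=0x00 ACK FIN URGP=0
Jul 29 19:12:08 ishwara kernel: [  209.345187] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=192.168.1.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=56117 DF PROTO=UDP SPT=58742 DPT=53 LEN=47
Jul 29 19:12:08 ishwara kernel: [  209.345319] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=192.168.1.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=56118 DF PROTO=UDP SPT=43055 DPT=53 LEN=47
Jul 29 19:12:09 ishwara kernel: [  210.673458] loc-fw REJECT IN=eth1 OUT= MAC=78:24:af:47:80:12:2c:e4:12:dd:51:d4:08:00 SRC=94.124.134.53 DST=192.168.1.16 LEN=98 TOS=0x00 PREC=0x00 TTL=53 ID=16715 DF PROTO=TCP SPT=443 DPT=50430 WINDOW=531 RES=0x00 ACK FIN URGP=0
Jul 29 19:12:10 ishwara kernel: [  211.000000] eth0: link becomes ready
"""


def parse_line(line):
    """Parse one kernel line carrying a Shorewall log prefix; None if it has none."""
    m = _HEAD.search(line)
    if m is None:
        return None
    body = line[m.start():]
    fields = {}
    for key, value in _KV.findall(body):
        fields.setdefault(key, value)  # UDP lines carry a second LEN=; keep the IP one
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        # TCP flags are bare tokens after RES=, e.g. "ACK FIN" or "RST"
        "flags": frozenset(tok for tok in body.split() if tok in TCP_FLAGS),
    }


def records(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def reject_counts(text):
    """(chain, proto, dport) -> number of REJECTed packets."""
    return Counter((r["chain"], r["proto"], r["dpt"])
                   for r in records(text) if r["disposition"] == "REJECT")


def mid_stream_rejects(text):
    """TCP rejects carrying ACK but not SYN: packets of an already established
    connection that matched no conntrack entry (typical after a firewall restart
    or when the ESTABLISHED rule is missing for that direction)."""
    return sum(1 for r in records(text)
               if r["disposition"] == "REJECT" and r["proto"] == "TCP"
               and "ACK" in r["flags"] and "SYN" not in r["flags"])


def public_peers_by_interface(text):
    """(interface, address) pairs where a globally routable address was seen.
    A public peer on the interface you placed in the 'loc' zone deserves a look."""
    pairs = set()
    for r in records(text):
        for iface, addr in ((r["in"], r["src"]), (r["out"], r["dst"])):
            if iface and addr and ipaddress.ip_address(addr).is_global:
                pairs.add((iface, addr))
    return pairs


def report(text):
    lines = []
    for (chain, proto, dpt), n in sorted(reject_counts(text).items(),
                                         key=lambda kv: -kv[1]):
        lines.append(f"{n:4d}  {chain:8s} {str(proto):4s} dport={dpt}")
    lines.append(f"mid-stream TCP rejects (ACK without SYN): {mid_stream_rejects(text)}")
    for iface, addr in sorted(public_peers_by_interface(text)):
        lines.append(f"public address {addr} seen on {iface}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Pipe the relevant syslog lines in; with no stdin, the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(text))
```

Feed it `grep REJECT /var/log/syslog` on the real box; the per-chain counts tell you whether the rejects are the firewall's own outbound traffic (fw-loc) or inbound traffic (loc-fw), and the mid-stream count separates stale connections from a genuinely missing rule.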