Grant Pasley | 8 Sep 04:45 2014

DNAT on pppoe not working.

Good day all

I have shorewall-4.6.3.2 running on CentOS 2.6.32-431.23.3.el6.x86_64. I 
have 2 ethernet interfaces, eth0 and eth1. eth0 is the LAN 192.168.65.0/24 
and eth1 is only used for a PPPoE ADSL account with a dynamic IP address 
from the ISP.
I am trying to forward incoming remote desktop connections to a Windows 
server; the connections are hitting the firewall but not getting as far 
as the Windows server. I have the following info:

vim /etc/shorewall/rules

DNAT            net             loc:192.168.65.2        tcp     3389

shorewall show nat:

Chain net_dnat (1 references)
  pkts bytes target     prot opt in     out     source destination
     0     0 DNAT       tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0           tcp dpt:3389 to:192.168.65.2

tail -f /var/log/messages:

Sep  7 22:41:33 sentinel kernel: Shorewall:xis-fw:ACCEPT:IN=ppp0 OUT= 
MAC= SRC=120.146.190.53 DST=197.87.29.171 LEN=52 TOS=0x18 PREC=0x00 
TTL=99 ID=6044 DF PROTO=TCP SPT=56452 DPT=3389 WINDOW=8192 RES=0x00 SYN 
URGP=0

So as per above, the connection hits the firewall, is accepted, knows to forward 
to the Windows server, but no traffic is being passed on to the Windows server if 

Paolo Nesti Poggi | 5 Sep 20:20 2014

Re: Changed ISP and DNAT stopped working for external IP addresses

On 05-09-2014 16:37, Wayne S wrote:
> At 9/5/2014 06:29 AM, you wrote:
>> Hi
>> We use a shorewall 4.4.11.6, with a 3 NIC setup (net - dmz - localnet) that has been working flawlessly for years.
>> Now we have changed broadband provider and with it we've got new IP addresses.
>> I've reconfigured shorewall with the new addresses and since then we no longer have functioning DNAT for boxes that are forwarded from IP different from the main IP address.
>>
>> As far as I could see, for doing the provider change we only needed to edit the params (params for main IP and extra IPs) and masq file (main IP), apart from of course /etc/network/interfaces and /etc/dhcp/dhcpd.conf
>>
>> Having done those changes everything works OK, even DNAT from the main IP to boxes on DMZ or localnet, whilst the DNAT rules for boxes forwarded to from other IPs in the address range are not working at all (ssh: connect to host 89.233.14.37 port 22: Connection timed out)
>
> What is in your masq file? and what type of ISP connection do you have? I have fios that uses pppoe and the pppoe link goes through a 10.0.0.0 ip address. Therefore I cannot include 10.0.0.0 in the masq file without causing problems similar to yours.

The masq file is:
#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
eth0                    10.0.0.0/8,\
                        169.254.0.0/16,\
                        172.16.0.0/12,\
                        192.168.0.0/16  89.233.14.34

That is we're using our main IP address for everything.

About the connection: it's a fiber connection and at our end there is a media converter and a switch; we connect our NIC to the switch. I don't know the underlying technology.

Could I try having something else in the masq file? I tried removing it but nothing works any longer if I do that.
/paolo

Wayne S
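As an added example (not code from anyone in this thread), the functions below parse a masq file in the format shown above and report any SOURCE network that would masquerade an address it must not touch, which is the situation Wayne describes with a PPPoE link living on a 10.0.0.0 address. It assumes that continuation lines are joined the way Shorewall's reader does (backslash at end of line, leading whitespace of the continuation removed); the uplink address 10.0.0.138 in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a Shorewall masq file
# against addresses that must never be masqueraded (for instance the local
# or peer address of a PPPoE link that lives in 10.0.0.0/8). POSIX sh only.

# Convert a dotted-quad IPv4 address to an integer (subshell keeps IFS local).
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
)

# net_contains NET ADDR: succeed if ADDR lies inside NET (a.b.c.d/len or a bare host).
net_contains() {
    net=${1%/*}
    plen=${1#*/}
    [ "$plen" = "$1" ] && plen=32
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( 4294967295 - ((1 << (32 - plen)) - 1) ))
    fi
    [ $(( $(ip4_to_int "$net") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# Print the logical entries of a masq file, one per line: comments and blank
# lines removed, backslash-continued lines joined with the continuation's
# leading whitespace stripped (assumed to match Shorewall's own reader).
masq_entries() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        $0 != "" || buf != "" { print buf $0; buf = "" }
    ' "$1"
}

# check_masq FILE ADDR...: report every SOURCE network in FILE that contains
# one of the ADDRs. Exit status 0 means no overlap, 1 means at least one hit,
# so the check can gate a config push.
check_masq() {
    file=$1
    shift
    addrs=$*
    hits=0
    nl='
'
    IFS=$nl
    for entry in $(masq_entries "$file"); do
        unset IFS
        set -- $entry
        iface=$1
        sources=$2
        IFS=,
        for net in $sources; do
            unset IFS
            # Skip exclusions ("!net"), placeholders and empty items.
            case $net in '!'*|-|'') continue ;; esac
            for addr in $addrs; do
                if net_contains "$net" "$addr"; then
                    echo "masq on $iface: SOURCE $net contains $addr"
                    hits=$((hits + 1))
                fi
            done
        done
    done
    unset IFS
    [ "$hits" -eq 0 ]
}

# Usage with a constructed PPPoE address (placeholder, not from the thread):
#   check_masq /etc/shorewall/masq 10.0.0.138 || echo "masq would cover the uplink address"
```

Run against the masq file quoted above with the address the link actually uses; a hit on 10.0.0.0/8 is the overlap Wayne warns about, and a clean run for 89.233.14.37 confirms the DNAT target's public address is not itself being source-rewritten.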



------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
Paolo Nesti Poggi | 5 Sep 12:29 2014

Changed ISP and DNAT stopped working for external IP addresses

Hi
We use a shorewall 4.4.11.6, with a 3 NIC setup (net - dmz - localnet) 
that has been working flawlessly for years.
Now we have changed broadband provider and with it we've got new IP 
addresses.
I've reconfigured shorewall with the new addresses and since then we no 
longer have functioning DNAT for boxes that are forwarded from IP 
different from the main IP address.

As far as I could see, for doing the provider change we only needed to 
edit the params (params for main IP and extra IPs) and masq file (main 
IP), apart from of course /etc/network/interfaces and /etc/dhcp/dhcpd.conf

Having done those changes everything works OK, even DNAT from the main 
IP to boxes on DMZ or localnet, whilst the DNAT rules for boxes 
forwarded to from other IPs in the address range are not working at all 
(ssh: connect to host 89.233.14.37 port 22: Connection timed out)

I hope you can help me find a way to further troubleshoot this.

I've re-read the section regarding the 3-interface setup: 
http://shorewall.net/three-interface.htm
and the
DNAT troubleshooting http://shorewall.net/FAQ.htm#faq1a and #faq1b

The routes I'm troubleshooting all show 0 packets in the output of 
'shorewall show nat', however the ISP assures me that they are not 
dropping anything (this is a 200Mb/sec symmetric connection).

The output of 'shorewall show nat' for one of the hosts in question is:
      0     0 DNAT       tcp  --  *      *       0.0.0.0/0 89.233.14.37 
        multiport dports 22,80,443,3690,8000,5001,3306 to:192.168.37.37
      0     0 DNAT       udp  --  *      *       0.0.0.0/0 89.233.14.37 
        multiport dports 5001,22,3306 to:192.168.37.37

where doing 'ssh 89.233.14.37' from a host outside of this network 
should connect me to my box on 192.168.37.37 in the local network.
If I set up a Windows PC with static address 89.233.14.37 and connect it 
to the switch of my provider I can ping it from outside, but if I try 
and connect to my box on 192.168.37.37 I only get "Connection timed out"

Do you have any idea of what might be going wrong and/or how I can move 
forward in troubleshooting this issue?

I have attached a dump file.

Many thanks, Paolo

Attachment (shorewall_dump.gz): application/x-gzip, 63 KiB
Tom Eastep | 4 Sep 02:21 2014

Shorewall 4.6.3.2

Shorewall 4.6.3.2 is now available for download.

Problems Corrected:

1)  The shorewall[6]-actions manpages previously contained incorrect
    examples of the usage of table names with builtin actions.

    Incorrect:

	FOOBAR,filter,mangle

    Correct:

	FOOBAR   builtin,filter,mangle

2)  Previously, if /etc/iproute2/rt_tables was not writeable, then
    KEEP_RT_TABLES=No behaved like KEEP_RT_TABLES=Yes. Now, a warning
    message is issued if that file is not writeable and KEEP_RT_TABLES
    is set to No.

      WARNING: /etc/iproute2/rt_tables is missing or is not writeable

3)  In earlier 4.6.3 versions, the help text from shorewall-lite and
    shorewall6-lite included two versions of the 'run' command.

      run <command> [ <parameter> ... ]
      ..
      run <function> [ <parameter> ... ]

    The second one has now been deleted.

New Features:

1)  Eric Teeter has contributed a Citrix Goto Meeting macro.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

PGNd | 3 Sep 06:00 2014

implementing lsm, per 'MultiISP' example, "device=" spec not propagating from lib.private to lsm config include

I'm setting up intfc monitoring using lsm in a 2-intfc MultiISP config.

Following

	http://shorewall.net/MultiISP.html#lsm

I've created 

	cat /lib.private
		...
		start_lsm() {
			killall lsm 2> /dev/null
		cat <<EOF > /usr/local/etc/lsm/shorewall.conf
		connection {
			name=Prov1
			checkip=XX.XX.XX.XX
			device=$EXTIF
			ttl=2
		}
		connection {
			name=Prov1
			checkip=YY.YY.YY.YY
			device=$VPNIF
			ttl=2
		}
		EOF
			rm -f /usr/local/etc/shorewall/*.status
			/usr/local/sbin/lsm \
			 -c /usr/local/etc/lsm/lsm.conf \
			 -p /var/run/lsm/lsm.pid >> /var/log/lsm.log
		}
		...

	/started
		if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
			start_lsm
		fi

	/restored
		if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
			start_lsm
		fi

After compile/push, 

	/usr/local/etc/lsm/shorewall.conf

is created & populated on the remote.

But, the

	"device="

is empty,

	cat /usr/local/etc/lsm/shorewall.conf
		connection {
			name=Prov1
			checkip=XX.XX.XX.XX
			device=
			ttl=2
		}
		connection {
			name=Prov1
			checkip=YY.YY.YY.YY
			device=
			ttl=2
		}

$EXTIF & $VPNIF are used throughout the fw, elsewhere.  It's not clear why 'device=' is not getting
populated ...  bad config?  

Poring over the multiISP wiki page some more ...
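Added example, not from the post or the Shorewall MultiISP page: a small helper that writes lsm connection stanzas from shell variables and refuses to produce a stanza when the device name expands to nothing, which is the symptom above. The connection names, check addresses and interface names in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post or the Shorewall MultiISP page: write lsm
# "connection" stanzas from shell variables and fail loudly if a device name
# is empty instead of emitting "device=". POSIX sh only.

# lsm_stanza NAME CHECKIP DEVICE: print one connection stanza on stdout.
# Returns 1 and prints nothing on stdout when DEVICE is empty.
lsm_stanza() {
    name=$1
    checkip=$2
    device=$3
    if [ -z "$device" ]; then
        echo "lsm_stanza: empty device for connection '$name'" >&2
        return 1
    fi
    printf 'connection {\n\tname=%s\n\tcheckip=%s\n\tdevice=%s\n\tttl=2\n}\n' \
        "$name" "$checkip" "$device"
}

# write_lsm_conf OUT NAME CHECKIP DEVICE [NAME CHECKIP DEVICE ...]:
# build the whole file in a temporary location and only replace OUT when every
# stanza is valid, so a half-written config is never left behind for lsm.
write_lsm_conf() {
    out=$1
    shift
    tmp="${out}.tmp"
    : > "$tmp"
    while [ $# -ge 3 ]; do
        if ! lsm_stanza "$1" "$2" "$3" >> "$tmp"; then
            rm -f "$tmp"
            return 1
        fi
        shift 3
    done
    mv "$tmp" "$out"
}

# Usage with constructed values (EXTIF/VPNIF stand in for the interface
# variables from the firewall's params; addresses are placeholders):
#   EXTIF=eth0 VPNIF=ppp0
#   write_lsm_conf /usr/local/etc/lsm/shorewall.conf \
#       Prov1 192.0.2.1 "$EXTIF" Prov2 198.51.100.1 "$VPNIF"
```

An unquoted heredoc such as `cat <<EOF` does expand `$EXTIF` and `$VPNIF`, so an empty `device=` in the generated file means those variables were empty in the shell that ran `start_lsm`, not that the heredoc failed; failing at generation time makes that visible instead of leaving lsm monitoring no interface at all.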

Steve Wray | 3 Sep 03:34 2014

firewalld support?

Hi,
I've been hearing about firewalld and how this will become the default in future releases of Red Hat and therefore CentOS. It's possible it might show up in other places like Ubuntu, maybe even Debian.

https://fedoraproject.org/wiki/FirewallD

Shorewall has been great, we use Puppet and an excellent Shorewall module which makes managing a distributed firewall configuration very easy.

I didn't find anything regarding Shorewall support. Is there any plan to support this?

Thanks!


PGNd | 2 Sep 21:23 2014

please clarify `shorewall run` usage with shorewall{, 6}-lite

I've compiled and deployed to a remote instance

	shorewall-lite version
		4.6.3.1

my firewall config includes a number of @lib.private declared functions

they're seen @ the remote instance in the pushed fw script; for example,

	cat /var/lib/shorewall-lite/firewall
		...
		load_ipsets4() {
		        SH="/bin/sh"
		        IPSET="/usr/sbin/ipset"
		...

v4.6.3's new `shorewall run ...` support
(https://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg17241.html) is quite
useful. In a centrally-managed scheme, the runnable scripts need to be in the context of the remote
instance, i.e., using 'shorewall{,6}-lite' to exec.

FYI, checking on the remote, there are duplicate/different usage docs @ `help`

	shorewall-lite help
		Usage: shorewall-lite [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>
		where <command> is one of:
		...
		   run <command> [ <parameter> ... ]
		...
		   run <function> [ function ... ]
		...

and if I try to exec it

	shorewall-lite run load_ipsets4

I get an odd return

	Usage: /var/lib/shorewall-lite/firewall [ options ] <command>

	<command> is one of:
	   start
	   stop
	   clear
	   disable <interface>
	   down <interface>
	   enable <interface>
	   reset
	   refresh
	   restart
	   status
	   up <interface>
	   version

	Options are:

	   -v and -q        Standard Shorewall verbosity controls
	   -n               Don't update routing configuration
	   -p               Purge Conntrack Table
	   -t               Timestamp progress Messages
	   -V <verbosity>   Set verbosity explicitly
	   -R <file>        Override RESTOREFILE setting

and the function, itself, is not executed

can correct usage be clarified further?  or is it likely a bug?

Steve | 2 Sep 17:25 2014

A (hopefully simple) question about logging...

I have a Shorewall installation which works (almost) perfectly... it 
implements a firewall bridging an OpenVPN interface, and services on the 
host running Shorewall - traffic is permitted from the OpenVPN interface 
to a minimal set of ports - each corresponding to a specific service 
running on the server running Shorewall.

My problem is that my syslog is filling with messages of the form:

> Sep  2 15:37:31 server kernel: [52835.565836]
> Shorewall:pub2fw:DROP:IN=tun0 OUT= MAC= SRC=SS.SS.SS.SS
> DST=DD.DD.DD.DD LEN=143 TOS=0x00 PREC=0x00 TTL=64 ID=8370 DF PROTO=UDP
> SPT=17500 DPT=17500 LEN=123

SS.SS.SS.SS is the public IP address of the server that runs the remote 
OpenVPN endpoint.

DD.DD.DD.DD is the IP address of the local end-point for the OpenVPN link.

The source port identifies the traffic as from the Dropbox Lansync 
protocol.  I know this to be run on the remote server - and I am not in 
a position to influence the configuration of the remote server. The 
local server does not support/use the Dropbox Lansync protocol. I am 
very happy that these packets are dropped... but I'd prefer not to fill 
my syslog with notifications about this benign dropped packet.

Please can someone point me towards some minimal change I can make to my 
Shorewall configuration that will eliminate this recurring syslog 
message - but otherwise leave Shorewall behaviour as is?
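As an added example (not code from either poster), the shell functions below parse Shorewall kernel log lines of the shape quoted above (the "DNAT on pppoe" post earlier on this page shows the same format) and summarise them: `trace_port` lists which chain and disposition logged every packet to a given port, which is how to see whether a packet you expected to be DNATed was instead logged by a zone-to-firewall chain, and `drop_summary` counts repeated drops per interface, source, destination and port so one recurring benign sender such as the Lansync traffic above stands out before you decide what rule to write for it. The embedded log lines are constructed on the posts' formats with documentation-range addresses.

```shell
#!/bin/sh
# Added example, not from either post: parse and summarise Shorewall kernel log
# lines. The sample below is constructed from the formats quoted on this page,
# with documentation-range addresses in place of real ones.

SAMPLE_LOG='Sep  7 22:41:33 sentinel kernel: Shorewall:xis-fw:ACCEPT:IN=ppp0 OUT= MAC= SRC=198.51.100.53 DST=203.0.113.171 LEN=52 TOS=0x18 PREC=0x00 TTL=99 ID=6044 DF PROTO=TCP SPT=56452 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Sep  2 15:37:31 server kernel: [52835.565836] Shorewall:pub2fw:DROP:IN=tun0 OUT= MAC= SRC=192.0.2.10 DST=10.8.0.1 LEN=143 TOS=0x00 PREC=0x00 TTL=64 ID=8370 DF PROTO=UDP SPT=17500 DPT=17500 LEN=123
Sep  2 15:38:01 server kernel: [52865.565836] Shorewall:pub2fw:DROP:IN=tun0 OUT= MAC= SRC=192.0.2.10 DST=10.8.0.1 LEN=143 TOS=0x00 PREC=0x00 TTL=64 ID=8371 DF PROTO=UDP SPT=17500 DPT=17500 LEN=123
Sep  2 15:38:31 server kernel: [52895.565836] Shorewall:pub2fw:DROP:IN=tun0 OUT= MAC= SRC=192.0.2.10 DST=10.8.0.1 LEN=143 TOS=0x00 PREC=0x00 TTL=64 ID=8372 DF PROTO=UDP SPT=17500 DPT=17500 LEN=123
Sep  2 15:39:05 server kernel: [52929.001122] Shorewall:pub2fw:DROP:IN=tun0 OUT= MAC= SRC=192.0.2.10 DST=10.8.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0'

# parse_shorewall_log: read log lines on stdin and emit one tab-separated
# record per Shorewall line:
#   chain  disposition  in_if  src  dst  proto  spt  dpt
# A field the line does not carry becomes "-".
parse_shorewall_log() {
    awk '
        # Value of KEY=... in the current line; keys are preceded by a space
        # or, for the first one, by the ":" that ends the Shorewall prefix.
        function kv(key,    v) {
            if (match($0, "[ :]" key "=[^ ]*") == 0) return "-"
            v = substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
            return (v == "" ? "-" : v)
        }
        /Shorewall:/ {
            # The prefix looks like Shorewall:<chain>:<disposition>:
            if (match($0, /Shorewall:[^:]*:[^:]*:/) == 0) next
            split(substr($0, RSTART, RLENGTH), p, ":")
            print p[2] "\t" p[3] "\t" kv("IN") "\t" kv("SRC") "\t" kv("DST") \
                  "\t" kv("PROTO") "\t" kv("SPT") "\t" kv("DPT")
        }'
}

# trace_port PORT: one line per packet to destination port PORT, showing which
# chain logged it and with what disposition. A packet that was meant to be
# DNATed but appears under a zone-to-fw chain was still addressed to the
# firewall itself after PREROUTING, so the nat rule did not rewrite it.
trace_port() {
    parse_shorewall_log | awk -F '\t' -v port="$1" \
        '$8 == port { print $1 ":" $2 " " $3 " " $4 "->" $5 }'
}

# drop_summary: count DROP records per (in_if, src, dst, proto, dpt), most
# frequent first, so one recurring benign sender stands out from the rest.
drop_summary() {
    parse_shorewall_log | awk -F '\t' '
        $2 == "DROP" { k = $3 "\t" $4 "\t" $5 "\t" $6 "\t" $8; c[k]++ }
        END { for (k in c) print c[k] "\t" k }' | sort -rn
}

# Run on the constructed sample (or pipe in /var/log/messages):
#   printf '%s\n' "$SAMPLE_LOG" | trace_port 3389
#   printf '%s\n' "$SAMPLE_LOG" | drop_summary
```

The drop summary gives the exact tuple (interface, source, destination, protocol, port) a narrowly scoped silent rule would need to match, which keeps a log-suppression change from accidentally covering other traffic the current policy logs for good reason.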

PGNd | 2 Sep 08:10 2014

after 4.6.2.5 -> 4.6.3.1 upgrade, `show routing` no longer displays provider's routing tables

running Shorewall 4.6.2.5, with a provider defined, in routing I'd see (e.g.)

	shorewall show routing
		...
		Routing Rules

		0:      from all lookup local 
		10000:  from all fwmark 0x100/0xff00 lookup Prov1 
		20000:  from xx.xx.xx.xx lookup Prov1 
		32766:  from all lookup main 
		32767:  from all lookup default 

		Table Prov1:
		...

after upgrading from Shorewall 4.6.2.5 -> 4.6.3.1, I no longer see the providers' routing tables

	shorewall show routing
		...
		Routing Rules

		0:      from all lookup local 
		32766:  from all lookup main 
		32767:  from all lookup default 

		Table default:
		...

yet packet marking and routing to providers works as always, whether for one, or multiple, providers.

Has the 'show routing' function/display been changed?  Looking at the most recent changelog, I've missed any;
digging further back ...

Tom Eastep | 28 Aug 03:22 2014

Shorewall 4.6.3.1

Shorewall 4.6.3.1 is now available for download.

Problems Corrected:

1)  The DNSAmp action released in 4.6.3 matched more packets than it
    should have. That has now been corrected.

2)  The handling of REJECT in IP[6]TABLES rules has been clarified in
    the shorewall-rules(5) and shorewall6-rules(5) manpages.

3)  The following misleading error message has now been corrected:

      ERROR: The xxx TARGET is now allowed in the filter table

    The message now reads:

      ERROR: The xxx TARGET is not allowed in the filter table

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Eric Teeter | 22 Aug 17:14 2014

Macro for Citrix Goto-Meeting

Tom:

Macro you can add for Citrix Goto Meeting

#
# Shorewall version 4 - Citrix/Goto Meeting macro
#
# /usr/share/shorewall/macro.Goto-Meeting
#          by Eric Teeter
#       This macro handles Citrix/Goto Meeting
#       Assumes that ports 80 and 443 are already open
#       If needed, use the Http and Https macros to open them, to reduce redundancy
####################################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
#                                        PORT(S) PORT(S) LIMIT   GROUP
PARAM      -               -           tcp        8200    # Goto Meeting only needed (TCP outbound)

--
Eric Teeter

