Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
>Can I ask what you are using to set up your WLAN?

Of course. As software I use hostapd+dhcp, and as hardware an mPCIe Qualcomm Atheros AR9380 AR5BHB112 card: https://wikidevi.com/files/Atheros/specsheets/AR9380.pdf

In my 'Ubuntu server' 17.10, adapted as a home router/server, I set this card up as 802.11n/2.4GHz.

Regards,
B

On 2018-02-02 at 09:37, Bill Shirley wrote:
> Glad it's working. I have a friend that is trying to set up his WLAN interface as an access point/gateway. Can I ask what you are using to set up your WLAN?
>
> Bill

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
Glad it's working. I have a friend that is trying to set up his WLAN interface as an access point/gateway. Can I ask what you are using to set up your WLAN?

Bill

On 2/2/2018 2:54 AM, Bernard Drozd wrote:
> Thank you Bill :-)
> After adding the two rows you suggested to '/etc/shorewall/policy', routing works fine.
> My 'policy' file is now:
>
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> loc       net    ACCEPT
> $FW       net    ACCEPT
> $FW       loc    ACCEPT
> loc       $FW    ACCEPT
> net       all    DROP     info
> # THE FOLLOWING POLICY MUST BE LAST
> all       all    REJECT   info
>
> I can reach the internet from LAN and WLAN hosts.
> Since Shorewall works on my machine I'll try to learn Shorewall in detail.
>
> Regards,
> B
>
> On 2018-02-02 at 04:06, Bill Shirley wrote:
>> Try adding to policy:
>> fw    loc   ACCEPT
>> loc   fw    ACCEPT
>>
>> So devices on loc can ping the gateway? Ping www.google.com?
>>
>> Bill
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
Thank you Bill :-)
After adding the two rows you suggested to '/etc/shorewall/policy', routing works fine.
My 'policy' file is now:

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
$FW       net    ACCEPT
$FW       loc    ACCEPT
loc       $FW    ACCEPT
net       all    DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info

I can reach the internet from LAN and WLAN hosts.
Since Shorewall works on my machine I'll try to learn Shorewall in detail.

Regards,
B

On 2018-02-02 at 04:06, Bill Shirley wrote:
> Try adding to policy:
> fw    loc   ACCEPT
> loc   fw    ACCEPT
>
> So devices on loc can ping the gateway? Ping www.google.com?
>
> Bill
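The two policy lines above are what the earlier compile log in this thread was pointing at ("Policy for loc to fw is REJECT using chain all-all"): Shorewall takes the first line in /etc/shorewall/policy that matches a source/destination zone pair, and with no explicit fw/loc entries both directions fell through to the final catch-all. The script below is an added example, not code from this thread or from Shorewall itself. It reimplements only that first-match lookup (assumptions: zone names are the three from the poster's zones file, `all` is the only wildcard handled, `$FW` stands for the firewall zone) over copies of the poster's policy file before and after the fix, so the pairs covered only by the catch-all can be listed before running `shorewall check`.

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall code): resolve the
# effective policy for every ordered zone pair the way Shorewall does it:
# the first matching line in /etc/shorewall/policy wins, "all" matches any
# zone and "$FW" is the firewall zone. Pairs that reach the final
# "all all REJECT" catch-all are the ones worth a second look.

ZONES="fw net loc"   # zones from the poster's /etc/shorewall/zones

# Policy file as posted before the fix (copied from the thread).
POLICY_BEFORE='#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc   net   ACCEPT
$FW   net   ACCEPT
net   all   DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all   all   REJECT  info'

# Policy file after adding the two lines suggested in the thread.
POLICY_AFTER='#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc   net   ACCEPT
$FW   net   ACCEPT
$FW   loc   ACCEPT
loc   $FW   ACCEPT
net   all   DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all   all   REJECT  info'

# resolve_policy ZONES POLICY_TEXT
# Prints one line per ordered pair of distinct zones:
#   <src> <dst> <POLICY> <rule:SRC->DST | catch-all | no-policy>
resolve_policy() {
    printf '%s\n' "$2" | awk -v zones="$1" '
        /^[ \t]*#/ { next }                  # comment line
        NF == 0    { next }                  # blank line
        {
            gsub(/\$FW/, "fw")               # $FW is the firewall zone itself
            n++; src[n] = $1; dst[n] = $2; act[n] = $3
        }
        END {
            nz = split(zones, z, " ")
            for (i = 1; i <= nz; i++)
                for (j = 1; j <= nz; j++) {
                    if (i == j) continue
                    verdict = "NONE"; how = "no-policy"
                    for (k = 1; k <= n; k++) {   # first match wins
                        if ((src[k] == z[i] || src[k] == "all") &&
                            (dst[k] == z[j] || dst[k] == "all")) {
                            verdict = act[k]
                            how = (src[k] == "all" && dst[k] == "all") ? "catch-all" : ("rule:" src[k] "->" dst[k])
                            break
                        }
                    }
                    printf "%s %s %s %s\n", z[i], z[j], verdict, how
                }
        }'
}

# catch_all_pairs ZONES POLICY_TEXT
# Lists the pairs that only the all/all catch-all covers; empty output means
# every pair has an explicit policy.
catch_all_pairs() {
    resolve_policy "$1" "$2" | awk '$4 == "catch-all" { print $1, $2 }'
}

echo "== before the fix =="; resolve_policy "$ZONES" "$POLICY_BEFORE"
echo "== after the fix ==";  resolve_policy "$ZONES" "$POLICY_AFTER"
```

Run it as is and the "before" table shows `fw loc REJECT catch-all` and `loc fw REJECT catch-all`, the same two pairs the compile log reported as "REJECT using chain all-all"; the "after" table resolves both to explicit ACCEPT lines. Pointing `catch_all_pairs` at your own policy file (`catch_all_pairs "fw net loc dmz" "$(cat /etc/shorewall/policy)"`) gives the list of pairs you have not consciously decided on.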
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
Try adding to policy:
fw    loc   ACCEPT
loc   fw    ACCEPT

So devices on loc can ping the gateway? Ping www.google.com?

Bill

On 2/1/2018 1:29 PM, Bernard Drozd wrote:
> Hi,
>
>> When you say that the LAN can't connect to the internet, are the LAN devices using 10.10.10.1 for their gateway?
>
> Yes, see below:
>
> ela@akacja:~$ arp
> Address        HWtype  HWaddress          Flags Mask  Iface
> 10.10.10.13    ether   f4:6d:04:63:aa:64  C           enp3s0f1
> 10.10.11.10    ether   34:23:ba:c4:3c:78  C           wlp4s0
> 10.10.10.12    ether   7c:2f:80:0f:b7:b9  C           enp3s0f1
> 10.10.10.11    ether   6c:62:6d:2c:fc:9f  C           enp3s0f1
> 192.168.15.1   ether   00:27:22:35:40:df  C           enp1s0
> 10.10.11.12    ether   e0:b9:a5:34:57:83  C           wlp4s0
>
> See the fragment of the /etc/dhcp/dhcpd.conf file:
>
> subnet 10.10.10.0 netmask 255.255.255.0 {
>     range 10.10.10.10 10.10.10.50;
>     option routers 10.10.10.1;
>     option broadcast-address 10.10.10.255;
>     option domain-name-servers 10.10.10.1;
>     option ntp-servers 10.10.10.1;
>     option netbios-name-servers 10.10.10.1;
>     option netbios-node-type 2;
>     default-lease-time 600;
>     max-lease-time 7200;
> }
>
> and the /etc/netplan/03-netcfg.yaml file:
>
> network:
>   version: 2
>   renderer: networkd
>   ethernets:
>     enp3s0f1:
>       addresses:
>         - 10.10.10.1/24
>       dhcp4: no
>
>> Since you've been through many revisions of your Shorewall configuration, it would be helpful to list the following files again:
>
>> params
> file empty
>
>> rules
> ?SECTION ALL
> ?SECTION ESTABLISHED
> ?SECTION RELATED
> ?SECTION INVALID
> ?SECTION UNTRACKED
> ?SECTION NEW
>
> # Don't allow connection pickup from the net
> #
> Invalid(DROP)   net   all   tcp
> #
> # Accept DNS connections from the firewall to the network
> #
> #DNS(ACCEPT)    $FW   net
> #
> # Accept SSH connections from the local network for administration
> #
> SSH(ACCEPT)     loc   $FW
> #
> # Allow Ping from the local network
> #
> Ping(ACCEPT)    loc   $FW
> #
> # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
> #
> Ping(DROP)      net   $FW
>
> ACCEPT          $FW   loc   icmp
> ACCEPT          $FW   net   icmp
> #
> #
> ACCEPT          net   $FW   tcp   6535
> ACCEPT          net   $FW   udp   6534
> ACCEPT          net   $FW   tcp   1007
> ACCEPT          net   $FW   tcp   22
>
>> zones
> fw    firewall
> net   ipv4
> loc   ipv4
>
>> interfaces
> net   enp1s0     detect   tcpflags,logmartians,nosmurfs
> loc   enp3s0f1   detect   dhcp
>
>> hosts
> I don't use the maclist option
>
>> policy
> loc   net   ACCEPT
> $FW   net   ACCEPT
> net   all   DROP     info
> # THE FOLLOWING POLICY MUST BE LAST
> all   all   REJECT   info
>
>> I noticed in your messages:
>> Jan 31 14:43:23 ..End inline action /usr/share/shorewall/action.Invalid
>> Jan 31 14:43:23 Rule "Invalid(DROP) net all tcp" Compiled
>> Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.SSH...
>> Jan 31 14:43:23 Rule "PARAM - - tcp 22" Compiled
>> You're blocking all incoming TCP from the internet so your SSH ACCEPT rule will never be reached.
>
> ACCEPT net $FW tcp 22 is the last line of the 'rules' file, and port 22 can be reached from outside (I've checked this).
>
>> I don't see anything wrong with your IP addresses or routes.
>
> I know that it should work. It is probably a small configuration mistake of mine...
>
> Regards,
> B
>
> On 2018-01-31 at 15:38, Bill Shirley wrote:
>> When you say that the LAN can't connect to the internet, are the LAN devices using 10.10.10.1 for their gateway?
>>
>> Since you've been through many revisions of your Shorewall configuration, it would be helpful to list the following files again:
>> params
>> rules
>> zones
>> interfaces
>> hosts
>> policy
>>
>> I noticed in your messages:
>> Jan 31 14:43:23 ..End inline action /usr/share/shorewall/action.Invalid
>> Jan 31 14:43:23 Rule "Invalid(DROP) net all tcp" Compiled
>> Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.SSH...
>> Jan 31 14:43:23 Rule "PARAM - - tcp 22" Compiled
>>
>> You're blocking all incoming TCP from the internet so your SSH ACCEPT rule will never be reached.
>>
>> Your policy:
>> Jan 31 14:43:23 Policy for net to fw is DROP using chain net-all
>> so you don't need the "Invalid(DROP)" rule.
>>
>> I don't see anything wrong with your IP addresses or routes.
>>
>> Bill
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
Hi,

>When you say that the LAN can't connect to the internet, are the LAN devices using 10.10.10.1 for their gateway?

Yes, see below:

ela@akacja:~$ arp
Address        HWtype  HWaddress          Flags Mask  Iface
10.10.10.13    ether   f4:6d:04:63:aa:64  C           enp3s0f1
10.10.11.10    ether   34:23:ba:c4:3c:78  C           wlp4s0
10.10.10.12    ether   7c:2f:80:0f:b7:b9  C           enp3s0f1
10.10.10.11    ether   6c:62:6d:2c:fc:9f  C           enp3s0f1
192.168.15.1   ether   00:27:22:35:40:df  C           enp1s0
10.10.11.12    ether   e0:b9:a5:34:57:83  C           wlp4s0

See the fragment of the /etc/dhcp/dhcpd.conf file:

subnet 10.10.10.0 netmask 255.255.255.0 {
    range 10.10.10.10 10.10.10.50;
    option routers 10.10.10.1;
    option broadcast-address 10.10.10.255;
    option domain-name-servers 10.10.10.1;
    option ntp-servers 10.10.10.1;
    option netbios-name-servers 10.10.10.1;
    option netbios-node-type 2;
    default-lease-time 600;
    max-lease-time 7200;
}

and the /etc/netplan/03-netcfg.yaml file:

network:
  version: 2
  renderer: networkd
  ethernets:
    enp3s0f1:
      addresses:
        - 10.10.10.1/24
      dhcp4: no

>Since you've been through many revisions of your Shorewall configuration, it would be helpful to list the following files again:

>params
file empty

>rules
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

# Don't allow connection pickup from the net
#
Invalid(DROP)   net   all   tcp
#
# Accept DNS connections from the firewall to the network
#
#DNS(ACCEPT)    $FW   net
#
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT)     loc   $FW
#
# Allow Ping from the local network
#
Ping(ACCEPT)    loc   $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP)      net   $FW

ACCEPT          $FW   loc   icmp
ACCEPT          $FW   net   icmp
#
#
ACCEPT          net   $FW   tcp   6535
ACCEPT          net   $FW   udp   6534
ACCEPT          net   $FW   tcp   1007
ACCEPT          net   $FW   tcp   22

>zones
fw    firewall
net   ipv4
loc   ipv4

>interfaces
net   enp1s0     detect   tcpflags,logmartians,nosmurfs
loc   enp3s0f1   detect   dhcp

>hosts
I don't use the maclist option

>policy
loc   net   ACCEPT
$FW   net   ACCEPT
net   all   DROP     info
# THE FOLLOWING POLICY MUST BE LAST
all   all   REJECT   info

>I noticed in your messages:
>Jan 31 14:43:23 ..End inline action /usr/share/shorewall/action.Invalid
>Jan 31 14:43:23 Rule "Invalid(DROP) net all tcp" Compiled
>Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.SSH...
>Jan 31 14:43:23 Rule "PARAM - - tcp 22" Compiled
>You're blocking all incoming TCP from the internet so your SSH ACCEPT rule will never be reached.

ACCEPT net $FW tcp 22 is the last line of the 'rules' file, and port 22 can be reached from outside (I've checked this).

>I don't see anything wrong with your IP addresses or routes.

I know that it should work. It is probably a small configuration mistake of mine...

Regards,
B

On 2018-01-31 at 15:38, Bill Shirley wrote:
> When you say that the LAN can't connect to the internet, are the LAN devices using 10.10.10.1 for their gateway?
>
> Since you've been through many revisions of your Shorewall configuration, it would be helpful to list the following files again:
> params
> rules
> zones
> interfaces
> hosts
> policy
>
> I noticed in your messages:
> Jan 31 14:43:23 ..End inline action /usr/share/shorewall/action.Invalid
> Jan 31 14:43:23 Rule "Invalid(DROP) net all tcp" Compiled
> Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.SSH...
> Jan 31 14:43:23 Rule "PARAM - - tcp 22" Compiled
>
> You're blocking all incoming TCP from the internet so your SSH ACCEPT rule will never be reached.
>
> Your policy:
> Jan 31 14:43:23 Policy for net to fw is DROP using chain net-all
> so you don't need the "Invalid(DROP)" rule.
>
> I don't see anything wrong with your IP addresses or routes.
>
> Bill
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
When you say that the LAN can't connect to the internet, are the LAN devices using 10.10.10.1 for their gateway?

Since you've been through many revisions of your Shorewall configuration, it would be helpful to list the following files again:
params
rules
zones
interfaces
hosts
policy

I noticed in your messages:
Jan 31 14:43:23 ..End inline action /usr/share/shorewall/action.Invalid
Jan 31 14:43:23 Rule "Invalid(DROP) net all tcp" Compiled
Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.SSH...
Jan 31 14:43:23 Rule "PARAM - - tcp 22" Compiled

You're blocking all incoming TCP from the internet so your SSH ACCEPT rule will never be reached.

Your policy:
Jan 31 14:43:23 Policy for net to fw is DROP using chain net-all
so you don't need the "Invalid(DROP)" rule.

I don't see anything wrong with your IP addresses or routes.

Bill

On 1/31/2018 9:02 AM, Bernard Drozd wrote:
>> What is the contents of /etc/shorewall/snat?
>
> SNAT(192.168.15.145)   10.10.10.0/24   enp1s0
>
> I receive a private address 192.168.15.145 (configured as static) from my ISP, which is seen as the public 46.xxx.xxx.xxx.
>
>> Also show the output of these two commands run on the Shorewall/gateway machine:
>> ip -o -4 addr
>> ip -o -4 route
>
> ela@akacja:~$ ip -o -4 addr
> 1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
> 2: enp1s0    inet 192.168.15.145/24 brd 192.168.15.255 scope global enp1s0\       valid_lft forever preferred_lft forever
> 4: enp3s0f1    inet 10.10.10.1/24 brd 10.10.10.255 scope global enp3s0f1\       valid_lft forever preferred_lft forever
> 5: wlp4s0    inet 10.10.11.1/24 brd 10.10.11.255 scope global wlp4s0\       valid_lft forever preferred_lft forever
>
> ela@akacja:~$ ip -o -4 route
> default via 192.168.15.1 dev enp1s0 proto static
> 10.10.10.0/24 dev enp3s0f1 proto kernel scope link src 10.10.10.1
> 10.10.11.0/24 dev wlp4s0 proto kernel scope link src 10.10.11.1
> 192.168.15.0/24 dev enp1s0 proto kernel scope link src 192.168.15.145
>
>> Are there any messages in the log?
>
> Jan 31 14:43:23 Processing /etc/shorewall/params ...
> Jan 31 14:43:23 Processing /etc/shorewall/shorewall.conf...
> Jan 31 14:43:23 Loading Modules...
> Jan 31 14:43:23 Compiling /etc/shorewall/zones...
> Jan 31 14:43:23 Compiling /etc/shorewall/interfaces...
> Jan 31 14:43:23 Interface "net enp1s0 detect tcpflags,logmartians,nosmurfs" Validated
> Jan 31 14:43:23 Interface "loc enp3s0f1 detect dhcp" Validated
> Jan 31 14:43:23 Interface "loc wlp4s0 detect dhcp" Validated
> Jan 31 14:43:23 Determining Hosts in Zones...
> Jan 31 14:43:23 fw (firewall)
> Jan 31 14:43:23 net (ipv4)
> Jan 31 14:43:23 enp1s0:0.0.0.0/0
> Jan 31 14:43:23 loc (ipv4)
> Jan 31 14:43:23 enp3s0f1:0.0.0.0/0
> Jan 31 14:43:23 wlp4s0:0.0.0.0/0
> Jan 31 14:43:23 Locating Action Files...
> Jan 31 14:43:23 Compiling /etc/shorewall/policy...
> Jan 31 14:43:23 Policy for loc to net is ACCEPT using chain loc-net
> Jan 31 14:43:23 Policy for fw to net is ACCEPT using chain fw-net
> Jan 31 14:43:23 Policy for net to fw is DROP using chain net-all
> Jan 31 14:43:23 Policy for net to loc is DROP using chain net-all
> Jan 31 14:43:23 Policy for fw to net is REJECT using chain all-all
> Jan 31 14:43:23 Policy for fw to loc is REJECT using chain all-all
> Jan 31 14:43:23 Policy for net to fw is REJECT using chain all-all
> Jan 31 14:43:23 Policy for net to loc is REJECT using chain all-all
> Jan 31 14:43:23 Policy for loc to fw is REJECT using chain all-all
> Jan 31 14:43:23 Policy for loc to net is REJECT using chain all-all
> Jan 31 14:43:23 Adding Anti-smurf Rules
> Jan 31 14:43:23 Adding rules for DHCP
> Jan 31 14:43:23 Compiling TCP Flags filtering...
> Jan 31 14:43:23 Compiling Kernel Route Filtering...
> Jan 31 14:43:23 Compiling Martian Logging...
> Jan 31 14:43:23 Compiling /etc/shorewall/snat...
> Jan 31 14:43:23 Snat record "SNAT(192.168.15.145) 10.10.10.0/24 enp1s0" Compiled
> Jan 31 14:43:23 Compiling MAC Filtration -- Phase 1...
> Jan 31 14:43:23 Chain enp1s0_iop deleted
> Jan 31 14:43:23 Chain enp1s0_fop deleted
> Jan 31 14:43:23 Chain enp3s0f1_iop deleted
> Jan 31 14:43:23 Chain enp3s0f1_fop deleted
> Jan 31 14:43:23 Chain enp3s0f1_oop deleted
> Jan 31 14:43:23 Chain wlp4s0_iop deleted
> Jan 31 14:43:23 Chain wlp4s0_fop deleted
> Jan 31 14:43:23 Chain wlp4s0_oop deleted
> Jan 31 14:43:23 Compiling /etc/shorewall/rules...
> Jan 31 14:43:23 ..Expanding inline action /usr/share/shorewall/action.Invalid...
> Jan 31 14:43:23 ..End inline action /usr/share/shorewall/action.Invalid
> Jan 31 14:43:23 ..Expanding inline action /usr/share/shorewall/action.Invalid...
> Jan 31 14:43:23 ..End inline action /usr/share/shorewall/action.Invalid
> Jan 31 14:43:23 Rule "Invalid(DROP) net all tcp" Compiled
> Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.SSH...
> Jan 31 14:43:23 Rule "PARAM - - tcp 22" Compiled
> Jan 31 14:43:23 ..End Macro /usr/share/shorewall/macro.SSH
> Jan 31 14:43:23 Rule "SSH(ACCEPT) loc fw" Compiled
> Jan 31 14:43:23 ..Expanding
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
>What is the contents of /etc/shorewall/snat?

SNAT(192.168.15.145)   10.10.10.0/24   enp1s0

I receive a private address 192.168.15.145 (configured as static) from my ISP, which is seen as the public 46.xxx.xxx.xxx.

>Also show the output of these two commands run on the Shorewall/gateway machine:
>ip -o -4 addr
>ip -o -4 route

ela@akacja:~$ ip -o -4 addr
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: enp1s0    inet 192.168.15.145/24 brd 192.168.15.255 scope global enp1s0\       valid_lft forever preferred_lft forever
4: enp3s0f1    inet 10.10.10.1/24 brd 10.10.10.255 scope global enp3s0f1\       valid_lft forever preferred_lft forever
5: wlp4s0    inet 10.10.11.1/24 brd 10.10.11.255 scope global wlp4s0\       valid_lft forever preferred_lft forever

ela@akacja:~$ ip -o -4 route
default via 192.168.15.1 dev enp1s0 proto static
10.10.10.0/24 dev enp3s0f1 proto kernel scope link src 10.10.10.1
10.10.11.0/24 dev wlp4s0 proto kernel scope link src 10.10.11.1
192.168.15.0/24 dev enp1s0 proto kernel scope link src 192.168.15.145

>Are there any messages in the log?

Jan 31 14:43:23 Processing /etc/shorewall/params ...
Jan 31 14:43:23 Processing /etc/shorewall/shorewall.conf...
Jan 31 14:43:23 Loading Modules...
Jan 31 14:43:23 Compiling /etc/shorewall/zones...
Jan 31 14:43:23 Compiling /etc/shorewall/interfaces...
Jan 31 14:43:23 Interface "net enp1s0 detect tcpflags,logmartians,nosmurfs" Validated
Jan 31 14:43:23 Interface "loc enp3s0f1 detect dhcp" Validated
Jan 31 14:43:23 Interface "loc wlp4s0 detect dhcp" Validated
Jan 31 14:43:23 Determining Hosts in Zones...
Jan 31 14:43:23 fw (firewall)
Jan 31 14:43:23 net (ipv4)
Jan 31 14:43:23 enp1s0:0.0.0.0/0
Jan 31 14:43:23 loc (ipv4)
Jan 31 14:43:23 enp3s0f1:0.0.0.0/0
Jan 31 14:43:23 wlp4s0:0.0.0.0/0
Jan 31 14:43:23 Locating Action Files...
Jan 31 14:43:23 Compiling /etc/shorewall/policy...
Jan 31 14:43:23 Policy for loc to net is ACCEPT using chain loc-net
Jan 31 14:43:23 Policy for fw to net is ACCEPT using chain fw-net
Jan 31 14:43:23 Policy for net to fw is DROP using chain net-all
Jan 31 14:43:23 Policy for net to loc is DROP using chain net-all
Jan 31 14:43:23 Policy for fw to net is REJECT using chain all-all
Jan 31 14:43:23 Policy for fw to loc is REJECT using chain all-all
Jan 31 14:43:23 Policy for net to fw is REJECT using chain all-all
Jan 31 14:43:23 Policy for net to loc is REJECT using chain all-all
Jan 31 14:43:23 Policy for loc to fw is REJECT using chain all-all
Jan 31 14:43:23 Policy for loc to net is REJECT using chain all-all
Jan 31 14:43:23 Adding Anti-smurf Rules
Jan 31 14:43:23 Adding rules for DHCP
Jan 31 14:43:23 Compiling TCP Flags filtering...
Jan 31 14:43:23 Compiling Kernel Route Filtering...
Jan 31 14:43:23 Compiling Martian Logging...
Jan 31 14:43:23 Compiling /etc/shorewall/snat...
Jan 31 14:43:23 Snat record "SNAT(192.168.15.145) 10.10.10.0/24 enp1s0" Compiled
Jan 31 14:43:23 Compiling MAC Filtration -- Phase 1...
Jan 31 14:43:23 Chain enp1s0_iop deleted
Jan 31 14:43:23 Chain enp1s0_fop deleted
Jan 31 14:43:23 Chain enp3s0f1_iop deleted
Jan 31 14:43:23 Chain enp3s0f1_fop deleted
Jan 31 14:43:23 Chain enp3s0f1_oop deleted
Jan 31 14:43:23 Chain wlp4s0_iop deleted
Jan 31 14:43:23 Chain wlp4s0_fop deleted
Jan 31 14:43:23 Chain wlp4s0_oop deleted
Jan 31 14:43:23 Compiling /etc/shorewall/rules...
Jan 31 14:43:23 ..Expanding inline action /usr/share/shorewall/action.Invalid...
Jan 31 14:43:23 ..End inline action /usr/share/shorewall/action.Invalid
Jan 31 14:43:23 ..Expanding inline action /usr/share/shorewall/action.Invalid...
Jan 31 14:43:23 ..End inline action /usr/share/shorewall/action.Invalid
Jan 31 14:43:23 Rule "Invalid(DROP) net all tcp" Compiled
Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.SSH...
Jan 31 14:43:23 Rule "PARAM - - tcp 22" Compiled
Jan 31 14:43:23 ..End Macro /usr/share/shorewall/macro.SSH
Jan 31 14:43:23 Rule "SSH(ACCEPT) loc fw" Compiled
Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.Ping...
Jan 31 14:43:23 Rule "PARAM - - icmp 8" Compiled
Jan 31 14:43:23 ..End Macro /usr/share/shorewall/macro.Ping
Jan 31 14:43:23 Rule "Ping(ACCEPT) loc fw" Compiled
Jan 31 14:43:23 ..Expanding Macro /usr/share/shorewall/macro.Ping...
Jan 31 14:43:23 Rule "PARAM - - icmp 8" Compiled
Jan 31 14:43:23 ..End Macro /usr/share/shorewall/macro.Ping
Jan 31 14:43:23 Rule "Ping(DROP) net fw" Compiled
Jan 31 14:43:23 Rule "ACCEPT fw loc icmp" Compiled
Jan 31 14:43:23 Rule "ACCEPT fw net icmp" Compiled
Jan 31 14:43:24 Rule "ACCEPT net fw tcp 6535" Compiled
Jan 31 14:43:24 Rule "ACCEPT net fw udp 6534" Compiled
Jan 31 14:43:24 Rule "ACCEPT net fw tcp 1007" Compiled
Jan 31 14:43:24 Rule "ACCEPT net fw tcp 22" Compiled
Jan 31 14:43:24 Compiling /etc/shorewall/conntrack...
Jan 31 14:43:24 Conntrack rule "CT:helper:amanda:P
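Bill's request that this message answers (his reply follows below on this page) asks for /etc/shorewall/snat next to `ip -o -4 addr` and `ip -o -4 route`, because the gateway needs an SNAT entry for every internal subnet that is supposed to reach the internet. The script below is an added example, not code from this thread or from Shorewall: it derives the expected snat lines from constructed copies of the output above and compares them with the snat file as posted. The route output lists 10.10.11.0/24 on wlp4s0 while the posted snat file covers only 10.10.10.0/24 (the poster had removed the WLAN from the Shorewall files while troubleshooting), so the report flags that subnet. Interface names and addresses are the poster's; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall code): derive the
# /etc/shorewall/snat lines a gateway needs from `ip -o -4 route` and
# `ip -o -4 addr`, and report connected subnets the posted snat file
# does not cover. The inputs are constructed copies of the poster's output.

ROUTE_OUT='default via 192.168.15.1 dev enp1s0 proto static
10.10.10.0/24 dev enp3s0f1 proto kernel scope link src 10.10.10.1
10.10.11.0/24 dev wlp4s0 proto kernel scope link src 10.10.11.1
192.168.15.0/24 dev enp1s0 proto kernel scope link src 192.168.15.145'

ADDR_OUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: enp1s0    inet 192.168.15.145/24 brd 192.168.15.255 scope global enp1s0\       valid_lft forever preferred_lft forever
4: enp3s0f1    inet 10.10.10.1/24 brd 10.10.10.255 scope global enp3s0f1\       valid_lft forever preferred_lft forever
5: wlp4s0    inet 10.10.11.1/24 brd 10.10.11.255 scope global wlp4s0\       valid_lft forever preferred_lft forever'

# The snat file exactly as posted in the thread.
SNAT_FILE='SNAT(192.168.15.145)   10.10.10.0/24   enp1s0'

# wan_iface ROUTE_OUT -> interface that carries the default route
wan_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# wan_addr ADDR_OUT IFACE -> first IPv4 address on IFACE, prefix length stripped
wan_addr() {
    printf '%s\n' "$1" | awk -v dev="$2" '$2 == dev && $3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# expected_snat ADDR_OUT ROUTE_OUT
# One "SNAT(<wan address>) <subnet> <wan interface>" line per directly
# connected subnet that is not on the WAN interface itself.
expected_snat() {
    wan=$(wan_iface "$2")
    addr=$(wan_addr "$1" "$wan")
    printf '%s\n' "$2" | awk -v wan="$wan" -v addr="$addr" '
        $1 != "default" && index($1, "/") > 0 && $2 == "dev" && $3 != wan {
            printf "SNAT(%s) %s %s\n", addr, $1, wan
        }'
}

# missing_snat ADDR_OUT ROUTE_OUT SNAT_FILE
# Expected lines whose subnet has no entry in the posted snat file.
missing_snat() {
    expected_snat "$1" "$2" | awk -v posted="$3" '
        BEGIN {
            n = split(posted, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")          # default whitespace splitting
                if (f[1] != "" && f[1] !~ /^#/) seen[f[2]] = 1
            }
        }
        !($2 in seen) { print }'
}

echo "WAN interface: $(wan_iface "$ROUTE_OUT")"
echo "Expected snat entries:"
expected_snat "$ADDR_OUT" "$ROUTE_OUT"
echo "Missing from the posted snat file:"
missing_snat "$ADDR_OUT" "$ROUTE_OUT" "$SNAT_FILE"
```

On a live gateway the same functions take real output: `missing_snat "$(ip -o -4 addr)" "$(ip -o -4 route)" "$(cat /etc/shorewall/snat)"`. An empty result means every connected subnet has an SNAT line for the WAN interface; anything printed is a subnet whose hosts will send packets out with their private source address, which the upstream router will not return.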
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
If a device on the LAN can't get to the internet through the Shorewall/gateway, it points the finger at /etc/shorewall/snat not being correct.

What is the contents of /etc/shorewall/snat?

Also show the output of these two commands run on the Shorewall/gateway machine:
ip -o -4 addr
ip -o -4 route

Are there any messages in the log?

Bill

On 1/31/2018 7:19 AM, Bernard Drozd wrote:
> So I guess that after checking and correcting Shorewall's configuration files, routing (e.g. connecting from LAN to the internet) should work. But in fact it doesn't.
> Please log on to my testing machine and check what could disable/block Shorewall:
> http://drive.google.com/uc?export=view&id=1GMRU8w0EoZpfah9xiet4u-4Xhj5O4nJi
>
> Currently I'm running on a simple configuration (/etc/network/if-up.d/firewall - see below) and routing for LAN and WLAN is working just fine. I'd like to try Shorewall but I don't know why it doesn't work on my machine.
>
> #!/bin/sh
> WAN=enp1s0
>
> /sbin/modprobe iptables > /dev/null 2>&1
> /sbin/modprobe nf_conntrack > /dev/null 2>&1
> /sbin/modprobe nf_conntrack_ftp > /dev/null 2>&1
> /sbin/modprobe ip_nat_ftp > /dev/null 2>&1
>
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -F
> iptables -F -t nat
> iptables -F -t mangle
> iptables -P INPUT DROP
> iptables -A INPUT ! -i ${WAN} -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
> iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
> iptables -I INPUT -p tcp --dport 22 -i ${WAN} -j ACCEPT
>
> exit 0
>
> Regards,
> B
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
So I guess that after checking and correcting Shorewall's configuration files, routing (e.g. connecting from LAN to the internet) should work. But in fact it doesn't.
Please log on to my testing machine and check what could disable/block Shorewall:
http://drive.google.com/uc?export=view&id=1GMRU8w0EoZpfah9xiet4u-4Xhj5O4nJi

Currently I'm running on a simple configuration (/etc/network/if-up.d/firewall - see below) and routing for LAN and WLAN is working just fine. I'd like to try Shorewall but I don't know why it doesn't work on my machine.

#!/bin/sh
WAN=enp1s0

# Load the netfilter modules; errors are silenced. On current kernels the FTP
# NAT helper is called nf_nat_ftp, ip_nat_ftp is the legacy name.
/sbin/modprobe iptables > /dev/null 2>&1
/sbin/modprobe nf_conntrack > /dev/null 2>&1
/sbin/modprobe nf_conntrack_ftp > /dev/null 2>&1
/sbin/modprobe ip_nat_ftp > /dev/null 2>&1

# Outbound and forwarded traffic is not filtered at all; only INPUT is.
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -P INPUT DROP
# Anything arriving on a non-WAN interface (LAN, WLAN, lo) is trusted.
iptables -A INPUT ! -i ${WAN} -j ACCEPT
# Replies to connections the router itself opened.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Remaining TCP/UDP from the WAN is rejected; other protocols hit the DROP policy.
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

# Turn the box into a router and masquerade forwarded traffic behind the WAN address.
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# -I puts this rule first, ahead of the REJECT rules, so SSH from the WAN is reachable.
iptables -I INPUT -p tcp --dport 22 -i ${WAN} -j ACCEPT

exit 0

Regards,
B
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
On 1/31/2018 8:24 AM, Bernard Drozd wrote:
> Hi,
>
>>> DNS(ACCEPT) $FW net
>> This is superfluous given your policy '$FW net ACCEPT'.
> I corrected this in /etc/shorewall/rules by commenting this line.
>

Good.

>> From:
>> http://shorewall.org/manpages/shorewall-rules.html
>> "Warning
>> If you masquerade or use SNAT from a local system to the internet, you
>> cannot use an ACCEPT rule to allow traffic from the internet to that
>> system. You must use a DNAT rule instead."
>> EG:
>> DNAT net $FW tcp 22

As pointed out by Bill Shirley this is irrelevant to your issue. Thus you don't need to DNAT from the net zone to the firewall zone.
What you had originally written is correct and shouldn't be changed! :)

> Unfortunately it doesn't work for me.
> It seems like my shorewall version (5.0.15.6 on newest Ubuntu) accepts
> only 'ACCEPT' in the /etc/shorewall/rules file.
> When I use 'DNAT' instead I receive an error:
> ela@akacja:~$ sudo shorewall check
> Checking using Shorewall 5.0.15.6...
> Unescaped left brace in regex is deprecated here (and will be fatal in
> Perl 5.30), passed through in regex; marked by <-- HERE in
> m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at
> /usr/share/shorewall/Shorewall/Config.pm line 2340.
> Unescaped left brace in regex is deprecated here (and will be fatal in
> Perl 5.30), passed through in regex; marked by <-- HERE in
> m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at
> /usr/share/shorewall/Shorewall/Config.pm line 2356.
> Unescaped left brace in regex is deprecated here (and will be fatal in
> Perl 5.30), passed through in regex; marked by <-- HERE in
> m/^(\s*|.*[^&@%]){ <-- HERE (.*)}$/ at
> /usr/share/shorewall/Shorewall/Config.pm line 2370.

The warning is corrected in a later version of Shorewall! :)

> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Checking /etc/shorewall/zones...
> Checking /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Checking /etc/shorewall/policy...
> Adding Anti-smurf Rules
> Adding rules for DHCP
> Checking TCP Flags filtering...
> Checking Kernel Route Filtering...
> Checking Martian Logging...
> Checking /etc/shorewall/snat...
> Checking MAC Filtration -- Phase 1...
> Checking /etc/shorewall/rules...
>    ERROR: Invalid or missing server IP address /etc/shorewall/rules
> (line 53)
>

This error is expected and you can safely revert to using "ACCEPT net $FW ...".

-Matt

--
Matt Darfeuille
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
Hi,

>> DNS(ACCEPT) $FW net
> This is superfluous given your policy '$FW net ACCEPT'.

I corrected this in /etc/shorewall/rules by commenting this line.

> From:
> http://shorewall.org/manpages/shorewall-rules.html
> "Warning
> If you masquerade or use SNAT from a local system to the internet, you cannot use an ACCEPT rule to allow traffic from the internet to that system. You must use a DNAT rule instead."
> EG:
> DNAT net $FW tcp 22

Unfortunately it doesn't work for me.
It seems like my shorewall version (5.0.15.6 on newest Ubuntu) accepts only 'ACCEPT' in the /etc/shorewall/rules file.
When I use 'DNAT' instead I receive an error:

ela@akacja:~$ sudo shorewall check
Checking using Shorewall 5.0.15.6...
Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.30), passed through in regex; marked by <-- HERE in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at /usr/share/shorewall/Shorewall/Config.pm line 2340.
Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.30), passed through in regex; marked by <-- HERE in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/ at /usr/share/shorewall/Shorewall/Config.pm line 2356.
Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.30), passed through in regex; marked by <-- HERE in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}$/ at /usr/share/shorewall/Shorewall/Config.pm line 2370.
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall/snat...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
   ERROR: Invalid or missing server IP address /etc/shorewall/rules (line 53)

Regards,
B

On 2018-01-30 at 18:38, Matt Darfeuille wrote:
> On 1/30/2018 5:22 PM, Matt Darfeuille wrote:
>> On 1/30/2018 1:34 PM, Bernard Drozd wrote:
>>>> It refers here to your wan interface.
>>>> Is your wan interface configured by dhcp (does it get a dynamic IP)?
>>> No. My wan interface has a static 192.168.15.145 address (which is seen from outside/internet as the public 46.xxx.xxx.xxx address).
>>> So I've changed the content of /etc/shorewall/snat to:
>>> SNAT(192.168.15.145) 10.10.10.0/24 enp1s0
>>
>> Then SNAT is correct in that case.
>>
>>> but still cannot connect to the Internet from LAN.
>>>
>>>> Clearly your two-interface setup is not working. So I will ignore the wireless part of this question.
>>> Ok. I removed the wifi configuration from the /etc/shorewall files
>>>> What is the content of the following files?:
>>>> /etc/shorewall/zones
>>> fw firewall
>>> net ipv4
>>> loc ipv4
>>>> /etc/shorewall/interfaces
>>> ?FORMAT 1
>>> ###
>>>
>>> #ZONE INTERFACE BROADCAST OPTIONS
>>> net enp1s0 detect tcpflags,logmartians,nosmurfs
>>> loc enp3s0f1 detect dhcp
>>>> /etc/shorewall/policy
>>> loc net ACCEPT
>>> $FW net ACCEPT
>>> net all DROP info
>>> # THE FOLLOWING POLICY MUST BE LAST
>>> all all REJECT info
>>>> /etc/shorewall/rules
>>> # PORT PORT(S) DEST LIMIT GROUP
>>>
>>> ?SECTION ALL
>>> ?SECTION ESTABLISHED
>>> ?SECTION RELATED
>>> ?SECTION INVALID
>>> ?SECTION UNTRACKED
>>> ?SECTION NEW
>>>
>>> # Don't allow connection pickup from the net
>>> #
>>> Invalid(DROP) net all tcp
>>> #
>>> # Accept DNS connections from the firewall to the network
>>> #
>>> DNS(ACCEPT) $FW net
>>
>> This is superfluous given your policy '$FW net ACCEPT'.
>>
>>> #
>>> # Accept SSH connections from the local network for administration
>>> #
>>> SSH(ACCEPT) loc $FW
>>> #
>>> # Allow Ping from the local network
>>> #
>>> Ping(ACCEPT) loc $FW
>>>
>>> #
>>> # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
>>> #
>>>
>>> Ping(DROP) net $FW
>>>
>>> ACCEPT $FW loc icmp
>>> ACCEPT $FW net icmp
>>> #
>>> #
>>> ACCEPT net $FW tcp 6535
>>> ACCEPT net $FW udp 6534
>>> ACCEPT net $FW tcp 22
>>
>> From:
>> http://shorewall.org/manpages/shorewall-rules.html
>> "Warning
>> If you masquerade or use SNAT from a local system to the internet, you cannot use an ACCEPT rule to allow traffic from the internet to that system. You must use a DNAT rule instead."
>> EG:
>> DNAT net $FW tcp 22
>
> As Bill Shirley pointed out you can forget this.
>
>>>> /etc/shorewall/stoppedrules
>>> ACCEPT enp3s0f1 -
>>> ACCEPT - enp3s0f1
>>>
>>
>> I assume that no other firewalls are started.
>> And that 'IP_FORWARDING' is set to 'Yes' in /etc/shorewall/shorewall.conf.
>
> -Matt
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
On 1/30/2018 5:22 PM, Matt Darfeuille wrote:
> On 1/30/2018 1:34 PM, Bernard Drozd wrote:
>>> It refers here to your wan interface.
>>> Is your wan interface configured by dhcp (does it get a dynamic IP)?
>> No. My wan interface has static 192.168.15.145 address (which is seen
>> from outside/internet as public 46.xxx.xxx.xxx address).
>> So I've changed content of /etc/shorewall/snat to:
>> SNAT(192.168.15.145) 10.10.10.0/24 enp1s0
>
> Then SNAT is correct in that case.
>
>> but still cannot connect to the Internet from LAN.
>>
>>> Clearly your two-interface setup is not working. So I will ignore the
>>> wireless part of this question.
>> Ok. I removed wifi configuration from /etc/shorewall files
>>> What is the content of the following files?:
>>> /etc/shorewall/zones
>> fw firewall
>> net ipv4
>> loc ipv4
>>> /etc/shorewall/interfaces
>> ?FORMAT 1
>> ###
>>
>> #ZONE INTERFACE BROADCAST OPTIONS
>> net enp1s0 detect tcpflags,logmartians,nosmurfs
>> loc enp3s0f1 detect dhcp
>>> /etc/shorewall/policy
>> loc net ACCEPT
>> $FW net ACCEPT
>> net all DROP info
>> # THE FOLLOWING POLICY MUST BE LAST
>> all all REJECT info
>>> /etc/shorewall/rules
>> # PORT PORT(S) DEST LIMIT GROUP
>>
>> ?SECTION ALL
>> ?SECTION ESTABLISHED
>> ?SECTION RELATED
>> ?SECTION INVALID
>> ?SECTION UNTRACKED
>> ?SECTION NEW
>>
>> # Don't allow connection pickup from the net
>> #
>> Invalid(DROP) net all tcp
>> #
>> # Accept DNS connections from the firewall to the network
>> #
>> DNS(ACCEPT) $FW net
>
> This is superfluous given your policy '$FW net ACCEPT'.
>
>> #
>> # Accept SSH connections from the local network for administration
>> #
>> SSH(ACCEPT) loc $FW
>> #
>> # Allow Ping from the local network
>> #
>> Ping(ACCEPT) loc $FW
>>
>> #
>> # Drop Ping from the "bad" net zone.. and prevent your log from being
>> flooded..
>> #
>>
>> Ping(DROP) net $FW
>>
>> ACCEPT $FW loc icmp
>> ACCEPT $FW net icmp
>> #
>> #
>> ACCEPT net $FW tcp 6535
>> ACCEPT net $FW udp 6534
>> ACCEPT net $FW tcp 22
>
> From:
>
> http://shorewall.org/manpages/shorewall-rules.html
>
> "Warning
> If you masquerade or use SNAT from a local system to the internet, you
> cannot use an ACCEPT rule to allow traffic from the internet to that
> system. You must use a DNAT rule instead."
>
> EG:
>
> DNAT net $FW tcp 22
>

As Bill Shirley pointed out you can forget this.

>>> /etc/shorewall/stoppedrules
>> ACCEPT enp3s0f1 -
>> ACCEPT - enp3s0f1
>>
>
> I assume that no other firewalls are started.
> And that 'IP_FORWARDING' is set to 'Yes' in /etc/shorewall/shorewall.conf.

-Matt

--
Matt Darfeuille
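The policy and rules review above turns on two Shorewall behaviours: the policy file is searched top to bottom for the first entry matching the (source zone, destination zone) pair, with `$FW` and `fw` naming the same zone and `all` acting as a wildcard, and a rule is only needed where the matching policy is not already ACCEPT. As an added example that is not part of this thread or of Shorewall itself, the Python below reads policy and rules text in the column layout quoted in the thread, resolves the policy for any zone pair, lists ACCEPT rules already covered by an ACCEPT policy (Matt's "superfluous" point about `DNS(ACCEPT) $FW net`, which also applies to `ACCEPT $FW net icmp`), and shows which inter-zone pairs fall through to the final `all all REJECT`, which is why `loc` and the firewall could not talk until the two `$FW`/`loc` policies Bill suggested were added. The file contents embedded in the code are constructed from the configuration posted here; action macros such as `DNS`, `SSH` and `Ping` are not expanded, only the ACCEPT/DROP inside the parentheses is read.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: /etc/shorewall/policy as posted, before Bill's two additions.
POLICY_TEXT = """\
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc     net  ACCEPT
$FW     net  ACCEPT
net     all  DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all  REJECT  info
"""

# Constructed sample: /etc/shorewall/rules as posted (macros kept as written).
RULES_TEXT = """\
?SECTION NEW
Invalid(DROP) net  all  tcp
DNS(ACCEPT)   $FW  net
SSH(ACCEPT)   loc  $FW
Ping(ACCEPT)  loc  $FW
Ping(DROP)    net  $FW
ACCEPT        $FW  loc  icmp
ACCEPT        $FW  net  icmp
ACCEPT        net  $FW  tcp  6535
ACCEPT        net  $FW  udp  6534
ACCEPT        net  $FW  tcp  22
"""


@dataclass
class Policy:
    source: str
    dest: str
    action: str


@dataclass
class Rule:
    action: str  # ACTION column, e.g. "ACCEPT" or "DNS(ACCEPT)"
    source: str
    dest: str
    text: str    # original line, kept for reporting


def _zone(name: str) -> str:
    """$FW and fw name the same (firewall) zone in Shorewall."""
    return "fw" if name in ("$FW", "fw") else name


def _content_lines(text: str) -> List[str]:
    """Drop blanks, '#' comments and '?SECTION' / '?FORMAT' directives."""
    lines = (raw.strip() for raw in text.splitlines())
    return [l for l in lines if l and l[0] not in "#?"]


def parse_policy(text: str) -> List[Policy]:
    return [Policy(_zone(c[0]), _zone(c[1]), c[2].upper())
            for c in (line.split() for line in _content_lines(text))]


def parse_rules(text: str) -> List[Rule]:
    return [Rule(c[0], _zone(c[1]), _zone(c[2]), line)
            for line in _content_lines(text) for c in [line.split()]]


def resolve_policy(policies: List[Policy], source: str, dest: str) -> Optional[str]:
    """First matching entry wins; 'all' matches any zone."""
    source, dest = _zone(source), _zone(dest)
    for p in policies:
        if p.source in (source, "all") and p.dest in (dest, "all"):
            return p.action
    return None  # Shorewall itself refuses a config that leaves a pair without a policy


def final_policy_is_catch_all(policies: List[Policy]) -> bool:
    """The 'MUST BE LAST' convention: the final entry is all -> all."""
    return policies[-1].source == "all" and policies[-1].dest == "all"


def redundant_accept_rules(policies: List[Policy], rules: List[Rule]) -> List[str]:
    """ACCEPT rules whose zone pair already has an ACCEPT policy."""
    return [r.text for r in rules
            if (r.action == "ACCEPT" or r.action.endswith("(ACCEPT)"))
            and resolve_policy(policies, r.source, r.dest) == "ACCEPT"]


def pairs_falling_to_reject(policies: List[Policy], zones: List[str]) -> List[str]:
    """Inter-zone pairs whose new connections end at the catch-all REJECT."""
    return [f"{s} -> {d}" for s in zones for d in zones
            if s != d and resolve_policy(policies, s, d) == "REJECT"]


if __name__ == "__main__":
    pols, rls = parse_policy(POLICY_TEXT), parse_rules(RULES_TEXT)
    print("catch-all policy is last:", final_policy_is_catch_all(pols))
    print("rules already covered by an ACCEPT policy:", redundant_accept_rules(pols, rls))
    print("pairs rejected by the catch-all:", pairs_falling_to_reject(pols, ["fw", "net", "loc"]))
    # Bill's fix: $FW<->loc ACCEPT policies inserted ahead of the catch-all entry.
    fixed = parse_policy(POLICY_TEXT.replace(
        "# THE FOLLOWING", "$FW loc ACCEPT\nloc $FW ACCEPT\n# THE FOLLOWING"))
    print("after the fix:", pairs_falling_to_reject(fixed, ["fw", "net", "loc"]))
```

Run as a script it reports `fw -> loc` and `loc -> fw` as the pairs hitting the REJECT policy with the original file, and none once the two policies are inserted before the `all all REJECT` line; the `SSH(ACCEPT) loc $FW` and `Ping(ACCEPT) loc $FW` rules were what kept SSH and ping working despite that policy.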
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
On 1/30/2018 11:22 AM, Matt Darfeuille wrote:
> ACCEPT net $FW tcp 6535
> ACCEPT net $FW udp 6534
> ACCEPT net $FW tcp 22
>
> From:
> http://shorewall.org/manpages/shorewall-rules.html
>
> "Warning
> If you masquerade or use SNAT from a local system to the internet, you
> cannot use an ACCEPT rule to allow traffic from the internet to that
> system. You must use a DNAT rule instead."
>
> EG:
>
> DNAT net $FW tcp 22

This warning does not apply to the firewall. It's saying you have to DNAT to devices _behind_ the firewall.

Bill
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
On 1/30/2018 1:34 PM, Bernard Drozd wrote:
>> It refers here to your wan interface.
>> Is your wan interface configured by dhcp (does it get a dynamic IP)?
> No. My wan interface has static 192.168.15.145 address (which is seen
> from outside/internet as public 46.xxx.xxx.xxx address).
> So I've changed content of /etc/shorewall/snat to:
> SNAT(192.168.15.145) 10.10.10.0/24 enp1s0

Then SNAT is correct in that case.

> but still cannot connect to the Internet from LAN.
>
>> Clearly your two-interface setup is not working. So I will ignore the
>> wireless part of this question.
> Ok. I removed wifi configuration from /etc/shorewall files
>> What is the content of the following files?:
>> /etc/shorewall/zones
> fw firewall
> net ipv4
> loc ipv4
>> /etc/shorewall/interfaces
> ?FORMAT 1
> ###
>
> #ZONE INTERFACE BROADCAST OPTIONS
> net enp1s0 detect tcpflags,logmartians,nosmurfs
> loc enp3s0f1 detect dhcp
>> /etc/shorewall/policy
> loc net ACCEPT
> $FW net ACCEPT
> net all DROP info
> # THE FOLLOWING POLICY MUST BE LAST
> all all REJECT info
>> /etc/shorewall/rules
> # PORT PORT(S) DEST LIMIT GROUP
>
> ?SECTION ALL
> ?SECTION ESTABLISHED
> ?SECTION RELATED
> ?SECTION INVALID
> ?SECTION UNTRACKED
> ?SECTION NEW
>
> # Don't allow connection pickup from the net
> #
> Invalid(DROP) net all tcp
> #
> # Accept DNS connections from the firewall to the network
> #
> DNS(ACCEPT) $FW net

This is superfluous given your policy '$FW net ACCEPT'.

> #
> # Accept SSH connections from the local network for administration
> #
> SSH(ACCEPT) loc $FW
> #
> # Allow Ping from the local network
> #
> Ping(ACCEPT) loc $FW
>
> #
> # Drop Ping from the "bad" net zone.. and prevent your log from being
> flooded..
> #
>
> Ping(DROP) net $FW
>
> ACCEPT $FW loc icmp
> ACCEPT $FW net icmp
> #
> #
> ACCEPT net $FW tcp 6535
> ACCEPT net $FW udp 6534
> ACCEPT net $FW tcp 22

From:

http://shorewall.org/manpages/shorewall-rules.html

"Warning
If you masquerade or use SNAT from a local system to the internet, you cannot use an ACCEPT rule to allow traffic from the internet to that system. You must use a DNAT rule instead."

EG:

DNAT net $FW tcp 22

>> /etc/shorewall/stoppedrules
> ACCEPT enp3s0f1 -
> ACCEPT - enp3s0f1
>

I assume that no other firewalls are started.

-Matt

--
Matt Darfeuille
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
On 1/30/2018 7:34 AM, Bernard Drozd wrote:
>> It refers here to your wan interface.
>> Is your wan interface configured by dhcp (does it get a dynamic IP)?
> No. My wan interface has static 192.168.15.145 address (which is seen
> from outside/internet as public 46.xxx.xxx.xxx address).
> So I've changed content of /etc/shorewall/snat to:
> SNAT(192.168.15.145) 10.10.10.0/24 enp1s0
> but still cannot connect to the Internet from LAN.

Where are you trying to "connect" from?

Please post the output of 'ip -4 -o addr' run on the Shorewall/gateway machine. Also, 'ip -4 -o route'.

Bill
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
> It refers here to your wan interface.
> Is your wan interface configured by dhcp (does it get a dynamic IP)?

No. My wan interface has static 192.168.15.145 address (which is seen from outside/internet as public 46.xxx.xxx.xxx address).
So I've changed content of /etc/shorewall/snat to:

SNAT(192.168.15.145) 10.10.10.0/24 enp1s0

but still cannot connect to the Internet from LAN.

> Clearly your two-interface setup is not working. So I will ignore the
> wireless part of this question.

Ok. I removed wifi configuration from /etc/shorewall files

> What is the content of the following files?:
> /etc/shorewall/zones

fw firewall
net ipv4
loc ipv4

> /etc/shorewall/interfaces

?FORMAT 1
###

#ZONE INTERFACE BROADCAST OPTIONS
net enp1s0 detect tcpflags,logmartians,nosmurfs
loc enp3s0f1 detect dhcp

> /etc/shorewall/policy

loc net ACCEPT
$FW net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info

> /etc/shorewall/rules

# PORT PORT(S) DEST LIMIT GROUP

?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

# Don't allow connection pickup from the net
#
Invalid(DROP) net all tcp
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT) $FW net
#
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT) loc $FW
#
# Allow Ping from the local network
#
Ping(ACCEPT) loc $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP) net $FW

ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
#
ACCEPT net $FW tcp 6535
ACCEPT net $FW udp 6534
ACCEPT net $FW tcp 22

> /etc/shorewall/stoppedrules

ACCEPT enp3s0f1 -
ACCEPT - enp3s0f1

Regards,
B

On 2018-01-30 at 11:59, Matt Darfeuille wrote:
> On 1/30/2018 10:54 AM, Bernard Drozd wrote:
>> "MASQUERADE should only be used when the DEST interface has a dynamic
>> IP address. Otherwise, SNAT should be used and should specify the
>> interface's static address."
>> So my (/etc/shorewall/snat) configuration should work:
>>
>> MASQUERADE 10.10.10.0/24 enp1s0
>> MASQUERADE 10.10.11.0/24 enp1s0
>
> It refers here to your wan interface.
> Is your wan interface configured by dhcp (does it get a dynamic IP)?
> Note that this has nothing to do with your local network.
>
>> since LAN (10.10.10.0/24) and WLAN (10.10.11.0/24) addresses are
>> dynamically assigned by DHCP.
>> But it doesn't. I can't connect to the internet from LAN and WLAN. I
>> don't know where a mistake is.
>> As said on: http://shorewall.org/two-interface.htm#Wireless
>
> "Once you have the two-interface setup working ..."
> Clearly your two-interface setup is not working. So I will ignore the
> wireless part of this question.
>
> What is the content of the following files?:
> /etc/shorewall/zones
> /etc/shorewall/interfaces
> /etc/shorewall/policy
> /etc/shorewall/rules
> /etc/shorewall/stoppedrules
>
> P.S. Please send through the list.
>
> -Matt
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
On 1/30/2018 10:54 AM, Bernard Drozd wrote:
>> "MASQUERADE should only be used when the DEST interface has a dynamic
>> IP address. Otherwise, SNAT should be used and should specify the
>> interface's static address."
> So my (/etc/shorewall/snat) configuration should work:
>
> MASQUERADE 10.10.10.0/24 enp1s0
> MASQUERADE 10.10.11.0/24 enp1s0
>

It refers here to your wan interface.
Is your wan interface configured by dhcp (does it get a dynamic IP)?
Note that this has nothing to do with your local network.

> since LAN (10.10.10.0/24) and WLAN (10.10.11.0/24) addresses are
> dynamically assigned by DHCP.
> But it doesn't. I can't connect to the internet from LAN and WLAN. I
> don't know where a mistake is.
> As said on: http://shorewall.org/two-interface.htm#Wireless

"Once you have the two-interface setup working ..."
Clearly your two-interface setup is not working. So I will ignore the wireless part of this question.

What is the content of the following files?:
/etc/shorewall/zones
/etc/shorewall/interfaces
/etc/shorewall/policy
/etc/shorewall/rules
/etc/shorewall/stoppedrules

P.S. Please send through the list.

-Matt

--
Matt Darfeuille
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
On 1/29/2018 7:49 PM, Bernard Drozd wrote:
>> From what you describe below you should maybe use:
>> http://shorewall.org/three-interface.htm
>
> I guess I need the guidance from:
> http://shorewall.org/two-interface.htm#Wireless
> LAN and WLAN works in the same zone
>
>> What did you try...
> I tried (/etc/shorewall/snat)
> MASQUERADE 10.10.10.0/24 enp1s0
> MASQUERADE 10.10.11.0/24 enp1s0
>

"MASQUERADE should only be used when the DEST interface has a dynamic IP address. Otherwise, SNAT should be used and should specify the interface's static address."

> and
> SNAT(192.168.15.145) 10.10.10.0/24 enp1s0
> SNAT(192.168.15.145) 10.10.11.0/24 enp1s0
> http://shorewall.org/manpages/shorewall-snat.html
>> ...and what do you want?
> I would like to connect to the internet from LAN (10.10.10.0/2) and WLAN
> ((10.10.11.0/2))
>

Try to set 'IP_FORWARDING=Yes' in /etc/shorewall/shorewall.conf.

-Matt

--
Matt Darfeuille
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
Thanks, please find information below:

ela@akacja:~$ sudo shorewall show
Shorewall 5.0.15.6 filter Table at akacja - Mon Jan 29 19:04:46 CET 2018

Counters reset Fri Jan 12 12:07:20 CET 2018

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
34291 2298K ACCEPT tcp -- enp1s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1007
    2  1272 ACCEPT udp -- enp1s0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:6534
6700K 2174M ACCEPT tcp -- enp1s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6535
 208K   26M ACCEPT tcp -- enp1s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2251K 4181M ACCEPT all -- !enp1s0 * 0.0.0.0/0 0.0.0.0/0
5936K 2569M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
17494  922K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
39124 2811K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 159 packets, 29160 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 517 packets, 125K bytes)
 pkts bytes target prot opt in out source destination

ela@akacja:~$ sudo ip route show
default via 192.168.15.1 dev enp1s0 proto static
10.10.10.0/24 dev enp3s0f1 proto kernel scope link src 10.10.10.1
10.10.11.0/24 dev wlp4s0 proto kernel scope link src 10.10.11.1
192.168.15.0/24 dev enp1s0 proto kernel scope link src 192.168.15.145

From: c.mo...@web.de
Sent: Monday, January 29, 2018 6:07 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?

Hello Bernard,

please read the reporting guidelines documented here http://shorewall.net/support.htm and provide the requested information for further analysis.

Regards
Thomas

Sent: Monday, 29 January 2018 at 17:36
From: "Bernard Drozd"
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?

Hi,
I'm new to firewalls.
I'm trying to set up Shorewall on the newest testing Ubuntu server 17.10 in the most common configuration as a firewall with two interfaces (and WIFI).
http://shorewall.org/two-interface.htm
Unfortunately routing doesn't work...
I've tried several different settings in my /etc/shorewall/snat configuration file, unfortunately without success.
I receive 192.168.15.145 IP address from my ISP (which is seen from the Internet/outside as 46.xxx.xxx.xxx public address).
I use three network interfaces defined as static in the /etc/netplan directory.
WAN: enp1s0
LAN: enp3s0f1
WLAN: wlp4s0
I use isc-dhcp-server for LAN and WLAN and unbound package for WAN.
Currently Shorewall service is disabled (and firewall/routing rules are defined in the /etc/network/if-up.d/firewall file) but I would like to try Shorewall.
Please help me to set up routing in Shorewall.
Using SSH please log on my testing machine and correct Shorewall settings. Here are the SSH login details:
http://drive.google.com/uc?export=view&id=1GMRU8w0EoZpfah9xiet4u-4Xhj5O4nJi
Thanks in advance,
Bernard
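The listing Bernard posted comes from the old if-up.d script, not from Shorewall, and the thing to notice in it is the FORWARD chain: policy ACCEPT with no rules, so every packet routed between WAN, LAN and WLAN passed unfiltered while only INPUT to the gateway itself was restricted. As an added example that is not part of the thread or of Shorewall, the Python below parses a filter-table listing of the kind `shorewall show` or `iptables -L -v -n` prints, reports each chain's default policy, lists the destination ports INPUT accepts from a named WAN interface, and flags a wide-open FORWARD chain. The listing embedded in the code is a constructed copy of the posted output; the column positions it relies on (`pkts bytes target prot opt in out source destination`) are the standard verbose iptables layout.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample modelled on the 'shorewall show' output posted in the thread.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
34291 2298K ACCEPT tcp -- enp1s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1007
    2  1272 ACCEPT udp -- enp1s0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:6534
6700K 2174M ACCEPT tcp -- enp1s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6535
 208K   26M ACCEPT tcp -- enp1s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2251K 4181M ACCEPT all -- !enp1s0 * 0.0.0.0/0 0.0.0.0/0
5936K 2569M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
17494  922K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
39124 2811K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 159 packets, 29160 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 517 packets, 125K bytes)
 pkts bytes target prot opt in out source destination
"""

# "Chain INPUT (policy DROP 0 packets, 0 bytes)" -> name and default policy
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")


@dataclass
class Chain:
    name: str
    policy: str
    rules: List[List[str]] = field(default_factory=list)  # tokenised rule lines


def parse_listing(text: str) -> Dict[str, Chain]:
    """Split a verbose filter-table listing into chains with their rule rows."""
    chains: Dict[str, Chain] = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        toks = line.split()
        # Skip blank lines and the column header row, which starts with 'pkts'.
        if not toks or toks[0] == "pkts" or current is None:
            continue
        current.rules.append(toks)
    return chains


def chain_policies(chains: Dict[str, Chain]) -> Dict[str, str]:
    return {name: c.policy for name, c in chains.items()}


def wan_open_ports(chains: Dict[str, Chain], wan_if: str) -> List[str]:
    """Destination ports ACCEPTed on INPUT when arriving on wan_if, as '<proto>/<port>'."""
    ports = []
    for toks in chains["INPUT"].rules:
        # columns: pkts bytes target prot opt in out source destination [match extras...]
        if toks[2] != "ACCEPT" or toks[5] != wan_if:
            continue
        for extra in toks[9:]:
            if extra.startswith("dpt:"):
                ports.append(f"{toks[3]}/{extra[len('dpt:'):]}")
    return ports


def forward_wide_open(chains: Dict[str, Chain]) -> bool:
    """True when FORWARD has policy ACCEPT and no rules: routed traffic is unfiltered."""
    fwd = chains.get("FORWARD")
    return fwd is not None and fwd.policy == "ACCEPT" and not fwd.rules


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print("chain policies:", chain_policies(parsed))
    print("open from enp1s0:", wan_open_ports(parsed, "enp1s0"))
    print("FORWARD unfiltered:", forward_wide_open(parsed))
```

Against the posted listing it reports the four ports open from `enp1s0` (tcp/1007, udp/6534, tcp/6535, tcp/22) and that FORWARD is unfiltered; the same reader run against a Shorewall-generated table will show FORWARD with a non-empty rule list (Shorewall jumps into per-zone-pair chains there), which is the point of moving the gateway over.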
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
On 1/29/2018 5:36 PM, Bernard Drozd wrote:
> Hi,
> I'm new to firewalls.
> I'm trying to set up Shorewall on the newest testing ubuntu server 17.10
> in the most common configuration as firewall with two interfaces (and
> WIFI).
> http://shorewall.org/two-interface.htm

From what you describe below you should maybe use:
http://shorewall.org/three-interface.htm

> Unfortunately routing doesn't work...
>

Shorewall in itself does not do routing:
http://shorewall.org/Shorewall_and_Routing.html#Routing

> I've tried several different settings in my /etc/shorewall/snat
> configuration file unfortunately without success.

What did you try and what do you want?

> I receive 192.168.15.145 IP address from my ISP (which is seen from the

Is 192.168.15.145 the ip on the wan interface?

> Internet/outside as 46.xxx.xxx.xxx public address.
> I use three network interfaces defined as static in the /etc/netplan
> directory.
> WAN: enp1s0
> LAN: enp3s0f1
> WLAN: wlp4s0
> I use isc-dhcp-server for LAN and WLAN and unbound package for WAN.
>
> Currently Shorewall service is disabled (and firewall/routing rules are
> defined in the /etc/network/if-up.d/firewall file) but I would like to
> try Shorewall.

See above for Shorewall and routing.
You may want to disable any other firewall before starting Shorewall.

> Please help me to set up routing in Shorewall.
> Using SSH please log on my testing machine and correct Shorewall settings.

Setting up Shorewall for the first time requires local access in case you lose ssh access.

-Matt

--
Matt Darfeuille
Re: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?
Hello Bernard,

please read the reporting guidelines documented here http://shorewall.net/support.htm and provide the requested information for further analysis.

Regards
Thomas

Sent: Monday, 29 January 2018 at 17:36
From: "Bernard Drozd"
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Ubuntu 17.10 Shorewall configuration?

Hi,
I'm new to firewalls.
I'm trying to set up Shorewall on the newest testing Ubuntu server 17.10 in the most common configuration as a firewall with two interfaces (and WIFI).
http://shorewall.org/two-interface.htm
Unfortunately routing doesn't work...
I've tried several different settings in my /etc/shorewall/snat configuration file, unfortunately without success.
I receive 192.168.15.145 IP address from my ISP (which is seen from the Internet/outside as 46.xxx.xxx.xxx public address).
I use three network interfaces defined as static in the /etc/netplan directory.
WAN: enp1s0
LAN: enp3s0f1
WLAN: wlp4s0
I use isc-dhcp-server for LAN and WLAN and unbound package for WAN.
Currently Shorewall service is disabled (and firewall/routing rules are defined in the /etc/network/if-up.d/firewall file) but I would like to try Shorewall.
Please help me to set up routing in Shorewall.
Using SSH please log on my testing machine and correct Shorewall settings. Here are the SSH login details:
http://drive.google.com/uc?export=view&id=1GMRU8w0EoZpfah9xiet4u-4Xhj5O4nJi
Thanks in advance,
Bernard