I have installed shorewall 3.4.4.4 and squid 2.6 on the Mandriva 2008
distribution and am using webmin. I am having to resave port
redirection in the squid module in webmin and reapply rules in the shorewall
module when the firewall has restarted, for the internal clients to be able
to go on the net or see our own web pages on the dmz zone (using the
three-interface model). Can someone help me so that I need not do that after
a restart or reboot of the firewall? Enclosed is a copy of the shorewall start
dump. Thanks in advance.
Mahindra Patel (BEng Hons CEng MIET)
Network Support Engineer
Caseys Film & Video Ltd
316 - 318 Latimer Road
London. W10 6QN
Tel:  020 8960 0123
Fax: 020 8969 3714
Email: [EMAIL PROTECTED]
Registered in England: 1713597
http://www.caseys.co.uk Standard Definition / High Definition Editing and
Broadcast Duplication  -  Open / Closed Broadcast Subtitling  -  CDRom / DVD
Authoring and Duplication  -  Voiceover Recording and Editing



[EMAIL PROTECTED] default]# shorewall -vv restart
Compiling...
Processing /etc/shorewall/params ...
Loading /usr/share/shorewall/lib.base...
Loading /usr/share/shorewall/lib.config...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Loading library /usr/share/shorewall/lib.actions...
Loading library /usr/share/shorewall/lib.nat...
Loading library /usr/share/shorewall/lib.proxyarp...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Not available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Available
   Extended MARK Target: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
Determining Zones...
   IPv4 Zones: net loc dmz
   Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
   ..Expanding Macro /usr/share/shorewall/macro.Auth...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.SMB...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   ..End Macro
   Pre-processing /usr/share/shorewall/action.Reject...
Validating Policy file...
   Policy for loc to net is REJECT using chain loc2net
   Policy for loc to dmz is REJECT using chain loc2dmz
   Policy for loc to fw is ACCEPT using chain loc2fw
   Policy for fw to net is ACCEPT using chain fw2net
   Policy for fw to dmz is ACCEPT using chain fw2dmz
   Policy for fw to loc is REJECT using chain fw2loc
   Policy for dmz to net is ACCEPT using chain dmz2net
   Policy for dmz to fw is ACCEPT using chain dmz2fw
   Policy for dmz to loc is REJECT using chain dmz2loc
   Policy for net to dmz is DROP using chain net2dmz
   Policy for net to fw is DROP using chain net2fw
   Policy for net to loc is DROP using chain net2loc
Determining Hosts in Zones...
   net Zone: eth2:0.0.0.0/0
   loc Zone: eth0:0.0.0.0/0
   dmz Zone: eth1:0.0.0.0/0
Deleting user chains...
Compiling /etc/shorewall/routestopped ...
Creating Interface Chains...
Compiling Proxy ARP
   Host 192.168.10.1 connected to eth1 added to ARP on eth2
   Host 192.168.10.1 connected to eth1 added to ARP on eth0
Compiling Common Rules
Adding Anti-smurf Rules
Compiling TCP Flags checking...
Compiling Kernel Route Filtering...
Compiling IP Forwarding...
Compiling IPSEC...
Compiling /etc/shorewall/rules...
..Expanding Macro /usr/share/shorewall/macro.DNS...
   Rule "ACCEPT fw net udp 53 - - - -" compiled.
   Rule "ACCEPT fw net tcp 53 - - - -" compiled.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DNS...
   Rule "ACCEPT dmz net udp 53 - - - -" compiled.
   Rule "ACCEPT dmz net tcp 53 - - - -" compiled.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.SSH...
   Rule "ACCEPT loc fw tcp 22 - - - -" compiled.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.SSH...
   Rule "ACCEPT loc dmz tcp 22 - - - -" compiled.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.Ping...
   Rule "REJECT net fw icmp 8 - - - -" compiled.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.Ping...
   Rule "ACCEPT loc fw icmp 8 - - - -" compiled.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.Ping...
   Rule "ACCEPT dmz fw icmp 8 - - - -" compiled.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.Ping...
   Rule "ACCEPT loc dmz icmp 8 - - - -" compiled.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.Ping...
   Rule "ACCEPT dmz loc icmp 8 - - - -" compiled.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.Ping...
   Rule "ACCEPT dmz net icmp 8 - - - -" compiled.
..End Macro
   Rule "ACCEPT fw net icmp      " compiled.
   Rule "ACCEPT fw loc icmp      " compiled.
   Rule "ACCEPT fw dmz icmp      " compiled.
   Rule "DNAT net dmz:192.168.10.1 tcp 80,25,110,9000,81,21,20 - 62.49.66.106   " compiled.
   Rule "DNAT loc dmz:192.168.10.1 tcp 80,25,110,9000,81,21,20 - 62.49.66.106   " compiled.
   Rule "DNAT loc dmz:192.168.10.1 tcp 80 - 192.168.10.1   " compiled.
   Rule "REDIRECT loc 3128 tcp www - !62.49.66.106,192.168.10.1   " compiled.
   Rule "ACCEPT fw net tcp www     " compiled.
Compiling Actions...
   Generating Transitive Closure of Used-action List...
Compiling /usr/share/shorewall/action.Drop for Chain Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
   Rule "REJECT - - tcp 113 -  - " compiled.
..End Macro
   Rule "dropBcast        " compiled.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   Rule "ACCEPT - - icmp fragmentation-needed -  - " compiled.
   Rule "ACCEPT - - icmp time-exceeded -  - " compiled.
..End Macro
   Rule "dropInvalid        " compiled.
..Expanding Macro /usr/share/shorewall/macro.SMB...
   Rule "DROP - - udp 135,445 -  - " compiled.
   Rule "DROP - - udp 137:139 -  - " compiled.
   Rule "DROP - - udp 1024: 137  - " compiled.
   Rule "DROP - - tcp 135,139,445 -  - " compiled.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   Rule "DROP - - udp 1900 -  - " compiled.
..End Macro
   Rule "dropNotSyn - - tcp     " compiled.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   Rule "DROP - - udp - 53  - " compiled.
..End Macro
Compiling /usr/share/shorewall/action.Reject for Chain Reject...
..Expanding Macro /usr/share/shorewall/macro.Auth...
   Rule "REJECT - - tcp 113 -  - " compiled.
..End Macro
   Rule "dropBcast        " compiled.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   Rule "ACCEPT - - icmp fragmentation-needed -  - " compiled.
   Rule "ACCEPT - - icmp time-exceeded -  - " compiled.
..End Macro
   Rule "dropInvalid        " compiled.
..Expanding Macro /usr/share/shorewall/macro.SMB...
   Rule "REJECT - - udp 135,445 -  - " compiled.
   Rule "REJECT - - udp 137:139 -  - " compiled.
   Rule "REJECT - - udp 1024: 137  - " compiled.
   Rule "REJECT - - tcp 135,139,445 -  - " compiled.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   Rule "DROP - - udp 1900 -  - " compiled.
..End Macro
   Rule "dropNotSyn - - tcp     " compiled.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   Rule "DROP - - udp - 53  - " compiled.
..End Macro
Compiling /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Policy REJECT for fw to loc using chain fw2loc
   Policy ACCEPT for fw to dmz using chain fw2dmz
   Policy DROP for net to fw using chain net2fw
   Policy DROP for net to loc using chain net2loc
   Policy DROP for net to dmz using chain net2dmz
   Policy ACCEPT for loc to fw using chain loc2fw
   Policy REJECT for loc to net using chain loc2net
   Policy REJECT for loc to dmz using chain loc2dmz
   Policy ACCEPT for dmz to fw using chain dmz2fw
   Policy ACCEPT for dmz to net using chain dmz2net
   Policy REJECT for dmz to loc using chain dmz2loc
Compiling Masquerading/SNAT
Compiling Traffic Control Rules...
Compiling Rule Activation...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Restarting Shorewall....
Initializing...
Loading Modules...
Processing /etc/shorewall/init ...
Clearing Traffic Control/QOS
Deleting user chains...
Processing /etc/shorewall/continue ...
Enabling Loopback and DNS Lookups
Creating Interface Chains...
Setting up Proxy ARP...
   Host 192.168.10.1 connected to eth1 added to ARP on eth2
   Host 192.168.10.1 connected to eth1 added to ARP on eth0
Setting up SMURF control...
Processing /etc/shorewall/initdone ...
Setting up Black List...
Adding Anti-smurf Jumps...
Setting up TCP Flags checking...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Accept Source Routing...
IP Forwarding Enabled
Setting up SYN Flood Protection...
Setting up Rules...
   Rule "ACCEPT fw net udp 53 - - - -" added.
   Rule "ACCEPT fw net tcp 53 - - - -" added.
   Rule "ACCEPT dmz net udp 53 - - - -" added.
   Rule "ACCEPT dmz net tcp 53 - - - -" added.
   Rule "ACCEPT loc fw tcp 22 - - - -" added.
   Rule "ACCEPT loc dmz tcp 22 - - - -" added.
   Rule "REJECT net fw icmp 8 - - - -" added.
   Rule "ACCEPT loc fw icmp 8 - - - -" added.
   Rule "ACCEPT dmz fw icmp 8 - - - -" added.
   Rule "ACCEPT loc dmz icmp 8 - - - -" added.
   Rule "ACCEPT dmz loc icmp 8 - - - -" added.
   Rule "ACCEPT dmz net icmp 8 - - - -" added.
   Rule "ACCEPT fw net icmp      " added.
   Rule "ACCEPT fw loc icmp      " added.
   Rule "ACCEPT fw dmz icmp      " added.
   Rule "DNAT net dmz:192.168.10.1 tcp 80,25,110,9000,81,21,20 - 62.49.66.106   " added.
   Rule "DNAT loc dmz:192.168.10.1 tcp 80,25,110,9000,81,21,20 - 62.49.66.106   " added.
   Rule "DNAT loc dmz:192.168.10.1 tcp 80 - 192.168.10.1   " added.
   Rule "REDIRECT loc 3128 tcp www - !62.49.66.106,192.168.10.1   " added.
   Rule "ACCEPT fw net tcp www     " added.
Setting up Actions...
Creating action chain Drop
   Rule "REJECT - - tcp 113 -  - " added.
   Rule "dropBcast        " added.
   Rule "ACCEPT - - icmp fragmentation-needed -  - " added.
   Rule "ACCEPT - - icmp time-exceeded -  - " added.
   Rule "dropInvalid        " added.
   Rule "DROP - - udp 135,445 -  - " added.
   Rule "DROP - - udp 137:139 -  - " added.
   Rule "DROP - - udp 1024: 137  - " added.
   Rule "DROP - - tcp 135,139,445 -  - " added.
   Rule "DROP - - udp 1900 -  - " added.
   Rule "dropNotSyn - - tcp     " added.
   Rule "DROP - - udp - 53  - " added.
Creating action chain Reject
   Rule "REJECT - - tcp 113 -  - " added.
   Rule "dropBcast        " added.
   Rule "ACCEPT - - icmp fragmentation-needed -  - " added.
   Rule "ACCEPT - - icmp time-exceeded -  - " added.
   Rule "dropInvalid        " added.
   Rule "REJECT - - udp 135,445 -  - " added.
   Rule "REJECT - - udp 137:139 -  - " added.
   Rule "REJECT - - udp 1024: 137  - " added.
   Rule "REJECT - - tcp 135,139,445 -  - " added.
   Rule "DROP - - udp 1900 -  - " added.
   Rule "dropNotSyn - - tcp     " added.
   Rule "DROP - - udp - 53  - " added.
Creating action chain dropBcast
Creating action chain dropInvalid
Creating action chain dropNotSyn
Applying Policies...
Setting up Masquerading/SNAT...
   To 0.0.0.0/0 (all) from 192.168.0.0/22 through eth2 using 62.49.66.106
   To 0.0.0.0/0 (all) from 169.254.0.0/16 through eth2 using 62.49.66.106
   To 0.0.0.0/0 (all) from 192.168.10.1/32 through eth2 using 62.49.66.106
   To 0.0.0.0/0 (all) from 192.168.8.0/21 through eth2 using 62.49.66.106
   To 0.0.0.0/0 (all) from 169.254.0.0/16 through eth2 using 62.49.66.106
Activating Rules...
Adding IP Addresses...
Processing /etc/shorewall/start ...
ipset v2.2.9a: Set already exists
ipset v2.2.9a: Set already exists
Processing /etc/shorewall/started ...
done.
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
