Hi,
I see you hard-coded your external & internal interface public IP
address. Is there any chance your public IP got changed (I mean, if you
are a DHCP client to your router?).
Based on your situation, if you haven't touched any rule and all of
a sudden things stopped working, I would validate the IP information of
both the interfaces first.
Chakri
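As an added example (not from either poster), a shell check for the suggestion above: compare the value hard-coded in the third column of the Shorewall `interfaces` file with the broadcast address the device actually carries (in Shorewall that column is BROADCAST, or `detect`/`-`). The `/29` prefix used in the test values and the availability of iproute2 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit the BROADCAST column of a Shorewall
# 'interfaces' file against the live IPv4 address on each device.

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int2ip N -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# broadcast_of A.B.C.D/P -> directed broadcast address of that network
broadcast_of() {
    _ip=$(ip2int "${1%/*}"); _plen=${1#*/}
    _mask=$(( (0xFFFFFFFF << (32 - _plen)) & 0xFFFFFFFF ))
    int2ip $(( (_ip & _mask) | (~_mask & 0xFFFFFFFF) ))
}

# check_broadcast CONFIGURED ADDR/P -> prints "ok", "detect" or "stale ...";
# returns 0 only when nothing is hard-coded or the value still matches the link.
check_broadcast() {
    case $1 in
        detect|-) echo detect; return 0 ;;
    esac
    _real=$(broadcast_of "$2")
    if [ "$1" = "$_real" ]; then echo ok; return 0; fi
    echo "stale (configured $1, live network wants $_real)"; return 1
}

# audit_interfaces FILE: run the check for every non-comment line, reading the
# live address with iproute2 (assumes one IPv4 address per device).
audit_interfaces() {
    grep -v '^#' "$1" | while read -r zone dev bcast _rest; do
        [ -n "$dev" ] || continue
        live=$(ip -4 -o addr show dev "$dev" 2>/dev/null | awk 'NR==1{print $4}')
        [ -n "$live" ] || { echo "$zone $dev: no IPv4 address on device"; continue; }
        echo "$zone $dev: $(check_broadcast "$bcast" "$live")"
    done
}
```

Run `audit_interfaces /etc/shorewall/interfaces` on the gateway; a `stale` line means the hard-coded value no longer matches the address the interface was given.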
Maciej wrote:
> Hello,
>
> I have been using shorewall for 2 years; a few days ago my rules file stopped
> working. My rules, e.g. port redirections and accepts, are not working. My first
> idea was a shorewall restart: it didn't solve the problem, so I upgraded
> shorewall to version 4.2 and that also didn't solve the problem :(
>
> When I do shorewall restart I can see all my rules starting, but it
> is not working. What is going on?
>
> A few important rules from the rules file:
>
> REJECT net $FW tcp 901
> DROP net fw icmp 8
> REJECT net fw tcp 139
> DNAT net loc:192.168.0.22:3389 tcp 3389
> DNAT net loc:192.168.0.22:3389 udp 3389
> ACCEPT loc:192.168.0.22 net tcp 3389
> ACCEPT loc:192.168.0.22 net udp 3389
> DNAT net loc:192.168.0.22:13393 tcp 13393
> DNAT net loc:192.168.0.22:13393 udp 13393
> DNAT net loc:192.168.0.22:5671 tcp 5671
> DNAT net loc:192.168.0.22:5671 udp 5671
> ACCEPT loc:192.168.0.22 net tcp 5671
> ACCEPT loc:192.168.0.22 net udp 5671
> DNAT net loc:192.168.0.22:5681 tcp 5681
> DNAT net loc:192.168.0.22:5681 udp 5681
> DNAT net loc:192.168.0.22:5681 tcp 5691
> DNAT net loc:192.168.0.22:5681 udp 5691
> ACCEPT loc:192.168.0.22 net tcp 5681
> ACCEPT loc:192.168.0.22 net udp 5681
> ACCEPT loc:192.168.0.22 net tcp 5691
> ACCEPT loc:192.168.0.22 net udp 5691
> REJECT loc net tcp 8074 -
> REJECT net loc tcp 8074 -
> REJECT loc net udp 8074 -
> REJECT net loc udp 8074 -
> REJECT loc net tcp 1000:8073
> REJECT loc net tcp 8073:60000
> REJECT loc net udp 1000:8073
> REJECT loc net udp 8073:60000
>
> The rules are not working for all local computers in the office (also on my
> 192.168.0.22); shorewall is on a Linux gateway to the internet. For example, I
> can't log in from another network to my remote desktop on local IP
> 192.168.0.22 (port 3389). It was working for 2 years; I was
> logging in from my home to the office local computer 192.168.0.22 and it worked.
>
>
> --------------------------------------------------------------------
> --------------------------------------------------------------------
>
> [EMAIL PROTECTED]:/etc/shorewall# cat tcdevices | grep -v ^#
> eth1 4000kbit 500kbit
>
> --------------------------------------------------------------------
> --------------------------------------------------------------------
>
> [EMAIL PROTECTED]:/etc/shorewall# cat interfaces | grep -v ^#
> net eth1 83.14.53.15 #blacklist ## adres sieci .8
> loc eth0 192.168.0.255 #maclist
> #dhcp,maclist#,routeback
>
>
> --------------------------------------------------------------------
> --------------------------------------------------------------------
>
> [EMAIL PROTECTED]:/etc/shorewall# cat masq | grep -v ^#
> eth1 eth0
>
> --------------------------------------------------------------------
> --------------------------------------------------------------------
>
> [EMAIL PROTECTED]:/etc/shorewall# cat policy | grep -v ^#
> loc net ACCEPT ###
> net loc ACCEPT ###
> loc fw ACCEPT
> fw loc ACCEPT
> net fw ACCEPT ###
> fw net ACCEPT ###
> fw fw ACCEPT info
> net all DROP info
> all all REJECT info
>
> --------------------------------------------------------------------
> --------------------------------------------------------------------
> [EMAIL PROTECTED]:/etc/shorewall# cat zones | grep -v ^#
> net net
> loc loc
> dmz dmz
>
> --------------------------------------------------------------------
> --------------------------------------------------------------------
> Some parts of the shorewall.conf file:
>
> LOGTAGONLY=No
> IPTABLES=
> PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
> SHOREWALL_SHELL=/bin/sh
> SUBSYSLOCK=/var/lock/subsys/shorewall
> STATEDIR=/var/lib/shorewall
> CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
> FW=fw
> IP_FORWARDING=On
> ADD_IP_ALIASES=Yes
> ADD_SNAT_ALIASES=No
> RETAIN_ALIASES=No
> TC_ENABLED=Internal
> CLEAR_TC=Yes
> MARK_IN_FORWARD_CHAIN=Yes
> CLAMPMSS=No
> ROUTE_FILTER=No
> DETECT_DNAT_IPADDRS=No
> MUTEX_TIMEOUT=60
> NEWNOTSYN=Yes
> ADMINISABSENTMINDED=Yes
> BLACKLISTNEWONLY=Yes
> DELAYBLACKLISTLOAD=No
> DISABLE_IPV6=Yes
> BRIDGING=No
> DYNAMIC_ZONES=No
> PKTTYPE=Yes
> DROPINVALID=No
> RFC1918_STRICT=No
> MACLIST_TTL=60
> SAVE_IPSETS=No
> CROSSBEAM=No
> CROSSBEAM_BACKBONE=eth0
> BLACKLIST_DISPOSITION=DROP
> MACLIST_DISPOSITION=REJECT
> TCP_FLAGS_DISPOSITION=DROP
>
> Those rules were working for a long time, but not any more for the last few
> days/week. Maybe it is a problem with iptables?
>
>
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users