I recently upgraded to iptables 1.4.2 and now shorewall won't start. I'm 
using shorewall-perl 4.2.5.2 and the output is:

defiant shorewall # shorewall debug start
Compiling...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Preprocessing Action Files...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Compiling /etc/shorewall/policy...
Compiling /etc/shorewall/routestopped for critical hosts...
Compiling /etc/shorewall/routestopped...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
$doing UPnP
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/proxyarp...
Compiling /etc/shorewall/masq...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Reject for chain Reject...
Processing /usr/share/shorewall/action.Drop for chain Drop...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /etc/shorewall/tcdevices...
Compiling /etc/shorewall/tcclasses...
Compiling /etc/shorewall/tcrules...
Generating Rule Matrix...
Creating iptables-restore input...
Compiling iptables-restore input for chains blacklst,mangle:...
Shorewall configuration compiled to /var/lib/shorewall/.start
Processing /etc/shorewall/params ...
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Setting up Traffic Control...
Preparing iptables-restore input...
Running debug_restore_input...
iptables v1.4.2: host/network `!' not found
Try `iptables -h' or 'iptables --help' for more information.
   ERROR: Command "/sbin/iptables -A loc2fw -p 6 --dport 3128 -m conntrack --ctorigdst ! 192.168.1.0/24 -m conntrack --ctorigdstport 80 -s ! 192.168.1.10 -j ACCEPT" Failed
Processing /etc/shorewall/stop ...
IPv4 Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 435: 24192 Terminated              ${VARDIR}/.start $debugging start
defiant shorewall #

The relevant line from the trace output is this:

-A loc2fw -p 6 --dport 3128 -m conntrack --ctorigdst ! 192.168.1.0/24 -m conntrack --ctorigdstport 80 -s ! 192.168.1.10 -j ACCEPT

It is obvious that this rule:

# Squid transparent proxy
REDIRECT        loc:!192.168.1.10 3128          tcp     www     -               !192.168.1.0/24

which I have in my /etc/shorewall/rules, is causing the problem; if I 
comment out the rule, everything is fine. My kernel version is 2.6.27.
By experimenting a little, I found that the problem is caused by the last 
part of the rule, the original destination "!192.168.1.0/24"; if I 
remove it, shorewall starts up fine.
It used to work with iptables 1.4.0. Should I change something, or is 
this a bug?

Thank you for any help.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
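An added note and example, not part of the original post or of Shorewall's own code. The error message "host/network `!' not found" shows iptables 1.4.2 treating the `!` after `--ctorigdst` as the address argument rather than as a negation: the rewritten conntrack match in iptables 1.4.x only accepts the inversion placed before the option (`! --ctorigdst 192.168.1.0/24`), the form that later 1.4 releases require for every match. Since Shorewall, not the admin, emits this iptables-restore input, the permanent fix belongs in the Shorewall compiler or the iptables build; the script below is a pure text transformation that shows what the generated rule should look like in the newer syntax, and generalizes to any `-x ! value` / `--option ! value` token pair. The rule text is taken from the trace output above; the function name is the example's own.

```bash
#!/bin/sh
# Added example: rewrite pre-1.4 iptables inversion syntax ("--option ! value")
# into the form iptables 1.4.x expects ("! --option value").
# This only rewrites text; it never invokes iptables or touches the firewall.

# modernize_inversion RULE_TEXT
#   Prints RULE_TEXT with every bare "!" that follows an option token
#   (a token beginning with "-") hoisted in front of that option.
#   Rules already in the new form are returned unchanged.
modernize_inversion() {
    printf '%s\n' "$1" | awk '
    {
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "!" && n > 0 && substr(tok[n], 1, 1) == "-") {
                # "--opt !" -> "! --opt": swap the two tokens
                tok[n + 1] = tok[n]
                tok[n] = "!"
                n++
            } else {
                tok[++n] = $i
            }
        }
        line = tok[1]
        for (i = 2; i <= n; i++) line = line " " tok[i]
        print line
    }'
}

# Constructed input: the rule Shorewall generated in the trace above.
old_rule='-A loc2fw -p 6 --dport 3128 -m conntrack --ctorigdst ! 192.168.1.0/24 -m conntrack --ctorigdstport 80 -s ! 192.168.1.10 -j ACCEPT'

echo "old: $old_rule"
echo "new: $(modernize_inversion "$old_rule")"
```

Run it as a plain shell script; the second line of output is the rule in the form iptables 1.4.2's conntrack match accepts. The `-s ! 192.168.1.10` part is rewritten too, since later iptables 1.4 releases drop the old placement for core options as well, but it is the `--ctorigdst ! ...` pair that 1.4.2 already rejects, which matches the observation that removing the "!192.168.1.0/24" ORIGINAL DEST column makes the rule load.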
