Tom,
First, I want to say thank you for your patience.
Second, it worked!
(I followed your instructions with a few modifications because I could not get the commands to work on my OS, Linux Mint 9 'Isadora'.)
I put what I did after each of your instructions 'a, b, c', etc. (SEE EMAIL BELOW).
I am not sure I know how to allow/deny IP Addresses or Ports.
I want to allow access to the IP Addresses and Ports needed to access the internet:
computer ==> Wireless Router ==> Internet
Internet ==> Wireless Router ==> Computer
or
computer ==> ADSL Modem ==> Internet
Internet ==> ADSL Modem ==> Computer
I think these are the protocols I want to allow access to and from my computer:
a. http
b. https
c. ftp
d. smtp
e. pop3
f. etc.
I think you can allow access to the above with MACROS. However, I am not sure I am using the correct format (SEE attached file Shorewall Working.gz -- etc/shorewall/rules).
I want to deny access to the other ports on my Wireless Router/ADSL Modem/Computer.
Since I am a novice at using Linux, I do not know which file to edit to accomplish what I want to do: Blacklist, Host, Params, policy, etc.
I appreciate all the help you have given me and I am waiting for your instruction/advice.
Horace
-----ORIGINAL MESSAGE -----
From: Tom Eastep <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: Re: [Shorewall-users] Cannot connect to the internet
Date: 03/30/2011 06:26:12 PM
Please do me a favor.
a) Uninstall Shorewall (however your distribution allows you to do that)
b) rm -rf /etc/shorewall
What I did.
$ sudo rm -rf /etc/shorewall
[sudo] password for *****N_****:
$
NOTE -- NO more /ETC/SHOREWALL directory
c) rm -rf /etc/default/shorewall
What I did.
$ sudo rm -rf /etc/default/shorewall
$
NOTE -- No more /ETC/SHOREWALL/SHOREWALL
d) Install the shorewall package
What I did.
Clicked MENU --> Clicked PACKAGE MANAGER --> Typed SHOREWALL in the QUICK SEARCH window --> Right-clicked SHOREWALL --> Clicked MARK FOR INSTALLATION --> Clicked APPLY
NOTES -- 1. OS Linux Mint 9 'Isadora'
2. Shorewall version:
$ shorewall version
4.4.6
$
-- DO NOTHING ELSE other than what I tell you below.
e) cd /etc/shorewall
What I did.
$ cd /etc/shorewall
$
f) if you are running Debian or Ubuntu and installed the .deb:
cp /usr/share/doc/shorewall/examples/one-interface/* .
What I did.
$ cp /usr/share/doc/shorewall/examples/one-interface/*
cp: target
`/usr/share/doc/shorewall/examples/one-interface/shorewall.conf~' is not
a directory
$
$ sudo cp /usr/share/doc/shorewall/examples/one-interface/*
[sudo] password for ******_****:
cp: target
`/usr/share/doc/shorewall/examples/one-interface/zones' is
not a directory
NOTE -- I could not get the above command to work, so this is what I did.
$ cd /usr/share/doc/shorewall/examples/one-interface
$
$ sudo cp * etc/shorewall
$
$ ls
. .. interfaces policy README.txt rules
shorewall.conf zones
$
otherwise
cp /usr/share/shorewall/Samples/one-interface/* .
g) Edit /etc/shorewall/shorewall.conf and be sure that
STARTUP_ENABLED=Yes; if not change it.
What I did.
I opened FILE BROWSER, navigated to /ETC/SHOREWALL/SHOREWALL.CONF,
Right-clicked the file SHOREWALL.CONF --> Clicked OPEN AS ADMINISTRATOR and changed STARTUP_ENABLED=No to STARTUP_ENABLED=Yes.
SAVED the FILE.
h) If you are running Debian or Ubuntu, edit /etc/default/shorewall
and set startup=1.
What I did.
I opened FILE BROWSER, navigated to /ETC/DEFAULT/SHOREWALL,
Right-clicked the file SHOREWALL --> Clicked OPEN AS ADMINISTRATOR and changed STARTUP=0 to STARTUP=1.
SAVED the FILE.
i) At a root console, type 'shorewall start'.
What I did.
$ sudo shorewall start
Compiling...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Preprocessing Action Files...
Compiling ...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Compiling /etc/shorewall/policy...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Reject for chain
Reject...
Compiling ...
Processing /usr/share/shorewall/action.Drop for chain Drop...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Compiling iptables-restore input for chain mangle:...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall....
Initializing...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
IPv4 Forwarding Disabled!
done.
$
This configuration will allow you unfettered access from your computer
to the internet.
Now
a) cd /etc
What I did.
$ cd /etc
$
b) cp -a shorewall shorewall.good
What I did.
$ sudo cp -a shorewall shorewall.good
[sudo] password for ******_****`:
$
NOTE: /etc/shorewall.good directory/folder is present
c) Now make changes to /etc/shorewall to try to allow the incoming traffic that you want. If you suddenly find that it has all gone to hell, then
d) cd /etc
f) rm -rf /etc/shorewall
g) cp -a /etc/shorewall.save /etc/shorewall
h) shorewall restart
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
My OS is Linux Mint 9 'Isadora'
My installed firewall is Shorewall 4.4.6-1
My system is wired as follows:
*********************************************
**** MY SYSTEM WITH WIRELESS ROUTER ****
*********************************************
Diagram:
STAND ALONE COMPUTER <--Ethernet Cbl 2--> WIRELESS ROUTER (192.168.2.1) <--Ethernet Cbl 1--> ADSL MODEM --> DSL Filter --> Telephone Wall Jack --Telephone Line--> (To Internet)
$ IFCONFIG
eth0 Link encap:Ethernet HWaddr 00:21:97:45:29:5f
inet addr:192.168.2.101 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::221:97ff:fe45:295f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1599 errors:0 dropped:0 overruns:0 frame:0
TX packets:842 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1060863 (1.0 MB) TX bytes:80056 (80.0 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:110 errors:0 dropped:0 overruns:0 frame:0
TX packets:110 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11737 (11.7 KB) TX bytes:11737 (11.7 KB)
$ IP ROUTE SHOW
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.101
metric 1
169.254.0.0/16 dev eth0 scope link metric 1000
default via 192.168.2.1 dev eth0 proto static
************************************************
**** MY SYSTEM WITHOUT WIRELESS ROUTER ****
************************************************
Diagram:
STAND ALONE COMPUTER <--Ethernet Cbl--> ADSL MODEM --> DSL Filter --> Telephone Wall Jack --Telephone Line--> (To Internet)
$ IFCONFIG
eth0 Link encap:Ethernet HWaddr 00:21:97:45:29:5f
inet6 addr: fe80::221:97ff:fe45:295f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1545 errors:0 dropped:0 overruns:0 frame:0
TX packets:777 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1043442 (1.0 MB) TX bytes:72828 (72.8 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:102 errors:0 dropped:0 overruns:0 frame:0
TX packets:102 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11073 (11.0 KB) TX bytes:11073 (11.0 KB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:71.146.141.86 P-t-P:71.146.143.254 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:15 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:1209 (1.2 KB) TX bytes:785 (785.0 B)
$ IP ROUTE SHOW
71.146.143.254 dev ppp0 proto kernel scope link src 71.146.141.86
169.254.0.0/16 dev ppp0 scope link metric 1000
default via 71.146.143.254 dev ppp0 proto static
$ sudo shorewall start
Compiling...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Preprocessing Action Files...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Compiling /etc/shorewall/policy...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Reject for chain Reject...
Processing /usr/share/shorewall/action.Drop for chain Drop...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Compiling iptables-restore input for chain mangle:...
Shorewall configuration compiled to /var/lib/shorewall/.start
Processing /etc/shorewall/params ...
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.
MY SHOREWALL SETTINGS
/etc/default/shorewall
startup = 1
/etc/shorewall/shorewall.conf
STARTUP_ENABLED=Yes
/etc/shorewall/zones
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
/etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,logmartians,nosmurfs
net     ppp0        detect      dhcp,tcpflags,logmartians,nosmurfs
net     wan0        detect      dhcp,tcpflags,logmartians,nosmurfs
/etc/shorewall/policy
#SOURCE DEST    POLICY  LOG     LIMIT:      CONNLIMIT:
#                       LEVEL   BURST       MASK
$FW     net     ACCEPT
net     all     DROP    info
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
/etc/shorewall/rules
#ACTION         SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL  RATE   USER/  MARK
#                                       PORT    PORT(S) DEST      LIMIT  GROUP
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP)      net     $FW
# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT          $FW     net     icmp
# Use Macros
HTTP(ACCEPT)    net     $FW
HTTP(ACCEPT)    loc     $FW
HTTPS(ACCEPT)   net     $FW
HTTPS(ACCEPT)   loc     $FW
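Added example (not code from this thread or from Shorewall): a small checker for rules in the format quoted above. With the policy `$FW net ACCEPT` already in place, outbound HTTP/HTTPS/FTP/SMTP/POP3 from the computer needs no rules at all; a rule such as `HTTP(ACCEPT) net $FW` instead opens inbound port 80 on the computer to the internet, and a rule naming a zone that the zones file does not define (here `loc`) will not compile. The macro table is a constructed subset of Shorewall's stock macro files (macro.HTTP, macro.FTP, macro.Ping, ...).

```python
"""Audit Shorewall-style rules: report services ACCEPTed from the net zone into
$FW (exposed to the internet) and zone names the zones file does not define."""
import re

# Constructed subset of Shorewall's stock macros: name -> (proto, dest port); Ping = ICMP type 8.
MACROS = {"HTTP": ("tcp", "80"), "HTTPS": ("tcp", "443"), "FTP": ("tcp", "21"),
          "SMTP": ("tcp", "25"), "POP3": ("tcp", "110"), "Ping": ("icmp", "8")}
MACRO_RE = re.compile(r"^(\w+)\((\w+)\)$")   # matches e.g. HTTP(ACCEPT)

def parse_rules(text):
    """Return (action, source, dest, proto, port) per rule line, expanding macros."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        m = MACRO_RE.match(f[0])
        if m:                                     # MACRO(ACTION) form
            macro, action = m.groups()
            if macro not in MACROS:
                raise ValueError("unknown macro: " + macro)
            proto, port = MACROS[macro]
        else:                                     # plain ACTION SRC DST [PROTO [PORT]]
            action = f[0]
            proto = f[3] if len(f) > 3 else "all"
            port = f[4] if len(f) > 4 else "-"
        rules.append((action, f[1], f[2], proto, port))
    return rules

def audit(text, zones=("fw", "net")):
    """Return ([(proto, port) accepted from net into $FW], [zones not defined])."""
    exposed, unknown = [], set()
    for action, src, dst, proto, port in parse_rules(text):
        for z in (src, dst):
            name = "fw" if z == "$FW" else z      # $FW denotes the firewall's own zone
            if name not in zones and name != "all":
                unknown.add(name)
        if action == "ACCEPT" and src == "net" and dst == "$FW":
            exposed.append((proto, port))
    return exposed, sorted(unknown)

# Constructed sample mirroring the rules file quoted in the message.
SAMPLE = """Ping(DROP)     net   $FW
ACCEPT         $FW   net   icmp
HTTP(ACCEPT)   net   $FW
HTTP(ACCEPT)   loc   $FW
HTTPS(ACCEPT)  net   $FW
HTTPS(ACCEPT)  loc   $FW
"""
```

Running `audit(SAMPLE)` reports tcp/80 and tcp/443 as exposed to the net zone and `loc` as an undefined zone.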