Well, I spoke too soon. The patch got me past 'shorewall check' but now a 'shorewall start' gives:

Jan 22 05:02:03 apinetstore2 shorewall: Preparing iptables-restore input...
Jan 22 05:02:03 apinetstore2 shorewall: Running /sbin/iptables-restore ...
Jan 22 05:02:03 apinetstore2 shorewall: Bad argument `state=NEW'
Jan 22 05:02:03 apinetstore2 shorewall: Error occurred at line: 136
Jan 22 05:02:03 apinetstore2 shorewall: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Jan 22 05:02:03 apinetstore2 shorewall: cat: write error: Broken pipe
Jan 22 05:02:03 apinetstore2 shorewall: ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Jan 22 05:02:03 apinetstore2 logger: ERROR:Shorewall start failed

Just got my 3rd NIC installed so I can actually do a 'shorewall start'.
The line (136) the kernel doesn't like is:

-A tcfor -s 192.168.64.0/23 -d 10.0.0.0/8 ! -p 50 state=NEW test=0x3f00/0xff00 -j CONNMARK --save-mark --mask 0xff00 -m comment --comment "-vpn- decrypted"

which is (2nd line) in mangle:

?COMMENT -vpn- decrypted
SAVE($CONNMASK)    $mem_net    $FW    !esp    ;    state=NEW    test=$MEM_VPN1_FWMARK/$CONNMASK

Looks like it's putting the rule in 'tcfor' instead of 'tcin'. Also, it seems out of order, because I have two rules before the mangle SAVE rule:

MARK($JUNK_MARK/$JUNK_MARK)    192.168.4.1    $FW    tcp    domain
MARK($JUNK_MARK/$JUNK_MARK)    192.168.4.1    $FW    tcp    domain    ;    test=$SFN_VPN2_FWMARK/$CONNMASK

that come after the erroring line (136); they are lines 146 & 147:

-A tcin -s 192.168.4.1 -p 6 --dport 53 -j MARK --set-mark 0x400000/0x400000
-A tcin -s 192.168.4.1 -p 6 --dport 53 test=0x2c00/0xff00 -j MARK --set-mark 0x400000/0x400000

And it's choking on 'state=NEW'.

Any help appreciated.

Bill Shirley

On 1/20/2015 9:32 AM, Bill Shirley wrote:
> That fixes it.
>
> Thanks for all your hard work.
>
> Bill
>
> On 1/19/2015 11:51 AM, Tom Eastep wrote:
>> On 1/18/2015 6:40 PM, Bill Shirley wrote:
>>> I'm setting up a new server to be a backup of the production server.
>>>
>>> Production is running Fedora 19: shorewall-4.5.15-1.fc19.noarch
>>>
>>> New server is running Fedora 21: shorewall-4.6.5.3-1.fc21.noarch
>>>
>>> I've copied over my Shorewall configuration files and when I run 'shorewall
>>> check' I get:
>>> Checking /etc/shorewall/tcrules...
>>> ERROR: SAVE rules are not allowed in the INPUT chain
>>> /etc/shorewall/tcrules (line 198)
>>>
>>> The relevant rules are:
>>> ?COMMENT -vpn- decrypted
>>> SAVE/$CONNMASK    $mem_net    $FW    !esp    ;    state=NEW    test=$MEM_VPN1_FWMARK/$CONNMASK
>>> SAVE/$CONNMASK    $mem_net    $FW    !esp    ;    state=NEW    test=$MEM_VPN2_FWMARK/$CONNMASK
>>> SAVE/$CONNMASK    $phx_net    $FW    !esp    ;    state=NEW    test=$PHX_VPN_FWMARK/$CONNMASK
>>> SAVE/$CONNMASK    $sfn_net    $FW    !esp    ;    state=NEW    test=$SFN_VPN1_FWMARK/$CONNMASK
>>> SAVE/$CONNMASK    $sfn_net    $FW    !esp    ;    state=NEW    test=$SFN_VPN2_FWMARK/$CONNMASK
>>>
>>> My question is: Why can't I do a SAVE in the INPUT chain? Am I doing
>>> something stupid?
>> No -- I did. Patch attached.
>>
>> -Tom
>>
>> ------------------------------------------------------------------------------
>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
>> GigeNET is offering a free month of service with a new server in Ashburn.
>> Choose from 2 high performing configs, both with 100TB of bandwidth.
>> Higher redundancy. Lower latency. Increased capacity. Completely compliant.
>> http://p.sf.net/sfu/gigenet
>>
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
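As an added example (not code from this thread, and not part of Shorewall itself), here is a small Python checker for the diagnostic above: given the iptables-restore input that Shorewall leaves in /var/lib/shorewall/.iptables-restore-input and the N from "Error occurred at line: N", it reports which table and chain that rule landed in (tcfor vs. tcin in the message) and flags any Shorewall column keywords (state=, test=) that reached iptables-restore untranslated, which is exactly what "Bad argument `state=NEW'" means. The SAMPLE input embedded below is constructed from the rules quoted in the message, with made-up table and chain declarations around them so the fragment parses; the "expected" iptables forms are my reading of the iptables conntrack and connmark match syntax, not something the thread states.

```python
import re
import sys

# Shorewall column keywords that the compiler must turn into iptables matches
# before a rule reaches iptables-restore. The right-hand side is the iptables
# form I would expect each one to become (assumption: my reading of the
# conntrack/connmark match syntax, not stated anywhere in the thread).
SHOREWALL_TOKENS = {
    "state": "-m conntrack --ctstate <STATE>",
    "test": "-m connmark --mark <VALUE>/<MASK>",
}

# Match 'state=...' or 'test=...' only as a whole whitespace-separated field,
# so a quoted --comment "state=NEW" is not flagged.
TOKEN_RE = re.compile(r"(?<!\S)(" + "|".join(SHOREWALL_TOKENS) + r")=(\S+)")

# Constructed sample: the three rules quoted in the message, wrapped in
# invented *mangle / chain declarations so the fragment is valid restore input.
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:tcfor - [0:0]
:tcin - [0:0]
-A INPUT -j tcin
-A FORWARD -j tcfor
-A tcfor -s 192.168.64.0/23 -d 10.0.0.0/8 ! -p 50 state=NEW test=0x3f00/0xff00 -j CONNMARK --save-mark --mask 0xff00 -m comment --comment "-vpn- decrypted"
-A tcin -s 192.168.4.1 -p 6 --dport 53 -j MARK --set-mark 0x400000/0x400000
-A tcin -s 192.168.4.1 -p 6 --dport 53 test=0x2c00/0xff00 -j MARK --set-mark 0x400000/0x400000
COMMIT
"""


def parse_restore_input(text):
    """Return (lineno, table, chain, rule) for every -A/-I rule, tracking *table sections."""
    table = None
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif line.startswith(("-A ", "-I ")):
            chain = line.split()[1]
            rules.append((lineno, table, chain, line))
    return rules


def rule_at(text, lineno):
    """The rule iptables-restore complained about, or None if that line is not a rule."""
    for entry in parse_restore_input(text):
        if entry[0] == lineno:
            return entry
    return None


def find_untranslated(text):
    """Flag every rule that still carries a Shorewall column keyword as a bare field."""
    findings = []
    for lineno, table, chain, rule in parse_restore_input(text):
        for m in TOKEN_RE.finditer(rule):
            findings.append({
                "line": lineno, "table": table, "chain": chain,
                "token": m.group(0), "expected": SHOREWALL_TOKENS[m.group(1)],
            })
    return findings


def report(text, error_line=None):
    """Human-readable summary; error_line is the N from 'Error occurred at line: N'."""
    out = []
    if error_line is not None:
        hit = rule_at(text, error_line)
        if hit is None:
            out.append(f"line {error_line}: not a rule line")
        else:
            out.append(f"line {hit[0]}: table {hit[1]}, chain {hit[2]}")
            out.append(f"  {hit[3]}")
    for f in find_untranslated(text):
        out.append(f"line {f['line']} ({f['table']}/{f['chain']}): "
                   f"untranslated {f['token']!r}, expected {f['expected']}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python check_restore_input.py [/var/lib/shorewall/.iptables-restore-input] [error_line]
    # With no arguments it runs against the constructed SAMPLE, where the
    # offending rule is on line 9 rather than the message's line 136.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    err = int(sys.argv[2]) if len(sys.argv) > 2 else 9
    print(report(text, err))
```

Run it against the real restore-input file with the line number from the log to confirm the chain the rule was placed in and to see every other rule that would fail for the same reason once the first one is fixed; iptables-restore stops at the first bad line, so the log only ever shows one.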
