On 07.01.2017 at 18:38, Tom Eastep wrote:
>>> Did you add DNPT as a nat builtin action in
>>> /etc/shorewall6/actions?
>
> I meant 'mangle' rather than 'nat'.
Sure.

# shorewall6 show actions
A_AllowICMPs                      # Audited Accept needed ICMP6 types
A_Drop                            # Audited Default Action for DROP policy
allowBcasts                       # Accept multicast and anycast packets
AllowICMPs                        # Accept needed ICMP6 types
allowInvalid   inline             # Accepts packets in the INVALID conntrack state
A_Reject                          # Audited Default Action for REJECT policy
AutoBLL        noinline           # Helper for AutoBL
AutoBL         noinline           # Auto-blacklist IPs that exceed thesholds
Broadcast      noinline           # Handles Broadcast/Multicast/Anycast
DNPT           builtin,mangle,terminating
dropBcasts                        # Silently Drop multicast and anycast packets
Drop                              # Default Action for DROP policy
dropInvalid    inline             # Drops packets in the INVALID conntrack state
dropNotSyn                        # Silently Drop Non-syn TCP packets
DropSmurfs     noinline           # Handles packets with a broadcast source address
Established    inline,\           # Handles packets in the ESTABLISHED state
IfEvent        noinline           # Perform an action based on an event
Invalid        inline,audit,\     # Handles packets in the INVALID conntrack state
New            inline,state=NEW   # Handles packets in the NEW conntrack state
NotSyn         inline             # Handles TCP packets that do not have SYN=1 and ACK=0
Reject                            # Default Action for REJECT policy
rejNotSyn                         # Silently Reject Non-syn TCP packets
Related        inline,\           # Handles packets in the RELATED conntrack state
ResetEvent     inline             # Reset an Event
RST            inline             # Handle packets with RST set
SetEvent       inline             # Initialize an event
SNPT           builtin,mangle,terminating
TCPFlags                          # Handles bad flags combinations
Untracked      inline,\           # Handles packets in the UNTRACKED conntrack state

>> Nevermind -- it is a bug in the IP6TABLES parser -- it doesn't
>> expect IPv6 addresses in the action parameters :-(
>
>
> You can work around the problem by fully expressing the IP addresses
> (e.g., 2001:XXXX:YYYY:100:0:0:0:0/64).

This workaround shows a new problem:

# shorewall6 start
[...]
Preparing ip6tables-restore input...
Running /sbin/ip6tables-restore ...
ip6tables-restore: line 34 failed
   ERROR: iptables-restore Failed. Input is in /var/lib/shorewall6/.ip6tables-restore-input
Preparing ip6tables-restore input...
Running /sbin/ip6tables-restore...
Terminated

Line 32 is "COMMIT":

# cat /var/lib/shorewall6/.ip6tables-restore-input
#
# Generated by Shorewall 5.0.14.1 - Sa 7. Jan 19:13:28 CET 2017
#
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
-A FORWARD -j MARK --set-mark 0/0xff00
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
-A tcpre -p 6 -m multiport --dports 22,47238,52486 -i eth0 -j MARK --set-mark 768
-A tcpre -i eth0 -j MARK --set-mark 512
-A tcpre -i eth0 -j DNPT --src-pfx 2001:XXXX:YYYY:100:0:0:0:0/64 --dst-pfx fdae:fa7:dead:beef:0:0:0:0/64
-A tcpre -i eth0 -j SNPT --src-pfx fdae:fa7:dead:beef:0:0:0:0/64 --dst-pfx 2001:XXXX:YYYY:100:0:0:0:0/64
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:AllowICMPs - [0:0]
:Broadcast - [0:0]
:Reject - [0:0]
:cbl-dsl - [0:0]
:cbl-fw - [0:0]
:cbl-int - [0:0]
:cbl_frwd - [0:0]
:dsl-cbl - [0:0]
:dsl-fw - [0:0]
:dsl-int - [0:0]
:dsl_frwd - [0:0]
:dynamic - [0:0]
:fw-cbl - [0:0]
:fw-dsl - [0:0]
:fw-int - [0:0]
:int-cbl - [0:0]
:int-dsl - [0:0]
:int-fw - [0:0]
:int_frwd - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:reject - [0:0]
:sfilter - [0:0]
:tcpflags - [0:0]
:sha-lh-780b52025322fe413b49 - [0:0]
:sha-rh-88253ba662f5e71f112e - [0:0]
-A INPUT -i eth1 -j dsl-fw
-A INPUT -i eth2 -j cbl-fw
-A INPUT -i eth0 -j int-fw
-A INPUT -i lo -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-level 6 --log-prefix "Shorewall:INPUT:REJECT:"
-A INPUT -g reject
-A FORWARD -i eth1 -j dsl_frwd
-A FORWARD -i eth2 -j cbl_frwd
-A FORWARD -i eth0 -j int_frwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-level 6 --log-prefix "Shorewall:FORWARD:REJECT:"
-A FORWARD -g reject
-A OUTPUT -o eth1 -j fw-dsl
-A OUTPUT -o eth2 -j fw-cbl
-A OUTPUT -o eth0 -j fw-int
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-level 6 --log-prefix "Shorewall:OUTPUT:REJECT:"
-A OUTPUT -g reject
-A AllowICMPs -p 58 --icmpv6-type 1 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 2 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 3 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 4 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 133 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 134 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 135 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 136 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 137 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 141 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 142 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 130 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 131 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 132 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 143 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 148 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -p 58 --icmpv6-type 149 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 151 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 152 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A AllowICMPs -s fe80::/10 -p 58 --icmpv6-type 153 -j ACCEPT -m comment --comment "Needed ICMP types (RFC4890)"
-A Broadcast -d 2001:XXXX:YYYY:0:: -j DROP
-A Broadcast -d 2001:XXXX:YYYY:0:ffff:ffff:ffff:ffff/121 -j DROP
-A Broadcast -d 2a02:XXXX:YYYY:f972:: -j DROP
-A Broadcast -d 2a02:XXXX:YYYY:f972:ffff:ffff:ffff:ffff/121 -j DROP
-A Broadcast -d ff00::/8 -j DROP
-A Reject
-A Reject -p 58 -j AllowICMPs
-A Reject -j Broadcast
-A Reject -m conntrack --ctstate INVALID -j DROP
-A Reject -p 17 -m multiport --dports 135,445 -g reject -m comment --comment "SMB"
-A Reject -p 17 --dport 137:139 -g reject -m comment --comment "SMB"
-A Reject -p 17 --dport 1024:65535 --sport 137 -g reject -m comment --comment "SMB"
-A Reject -p 6 -m multiport --dports 135,139,445 -g reject -m comment --comment "SMB"
-A Reject -p 17 --dport 1900 -j DROP -m comment --comment "UPnP"
-A Reject -p 6 ! --syn -j DROP
-A Reject -p 17 --sport 53 -j DROP -m comment --comment "Late DNS Replies"
-A cbl-dsl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A cbl-dsl -j Reject
-A cbl-dsl -j LOG --log-level 6 --log-prefix "Shorewall:cbl-dsl:REJECT:"
-A cbl-dsl -g reject
-A cbl-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
-A cbl-fw -p tcp -j tcpflags
-A cbl-fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A cbl-fw -j Reject
-A cbl-fw -j LOG --log-level 6 --log-prefix "Shorewall:cbl-fw:REJECT:"
-A cbl-fw -g reject
-A cbl-int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A cbl-int -j Reject
-A cbl-int -j LOG --log-level 6 --log-prefix "Shorewall:cbl-int:REJECT:"
-A cbl-int -g reject
-A cbl_frwd -o eth2 -g sfilter
-A cbl_frwd -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
-A cbl_frwd -p tcp -j tcpflags
-A cbl_frwd -o eth1 -j cbl-dsl
-A cbl_frwd -o eth0 -j cbl-int
-A dsl-cbl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A dsl-cbl -j Reject
-A dsl-cbl -j LOG --log-level 6 --log-prefix "Shorewall:dsl-cbl:REJECT:"
-A dsl-cbl -g reject
-A dsl-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
-A dsl-fw -p tcp -j tcpflags
-A dsl-fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A dsl-fw -p 58 -j ACCEPT
-A dsl-fw -j Reject
-A dsl-fw -j LOG --log-level 6 --log-prefix "Shorewall:dsl-fw:REJECT:"
-A dsl-fw -g reject
-A dsl-int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A dsl-int -j Reject
-A dsl-int -j LOG --log-level 6 --log-prefix "Shorewall:dsl-int:REJECT:"
-A dsl-int -g reject
-A dsl_frwd -o eth1 -g sfilter
-A dsl_frwd -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
-A dsl_frwd -p tcp -j tcpflags
-A dsl_frwd -o eth2 -j dsl-cbl
-A dsl_frwd -o eth0 -j dsl-int
-A fw-cbl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw-cbl -j LOG --log-level 6 --log-prefix "Shorewall:fw-cbl:ACCEPT:"
-A fw-cbl -j ACCEPT
-A fw-dsl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw-dsl -j LOG --log-level 6 --log-prefix "Shorewall:fw-dsl:ACCEPT:"
-A fw-dsl -j ACCEPT
-A fw-int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw-int -p 58 -j ACCEPT
-A fw-int -j LOG --log-level 6 --log-prefix "Shorewall:fw-int:ACCEPT:"
-A fw-int -j ACCEPT
-A int-cbl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A int-cbl -j LOG --log-level 6 --log-prefix "Shorewall:int-cbl:ACCEPT:"
-A int-cbl -j ACCEPT
-A int-dsl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A int-dsl -j LOG --log-level 6 --log-prefix "Shorewall:int-dsl:ACCEPT:"
-A int-dsl -j ACCEPT
-A int-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
-A int-fw -p tcp -j tcpflags
-A int-fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A int-fw -j LOG --log-level 6 --log-prefix "Shorewall:int-fw:ACCEPT:"
-A int-fw -j ACCEPT
-A int_frwd -o eth0 -g sfilter
-A int_frwd -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
-A int_frwd -p tcp -j tcpflags
-A int_frwd -o eth1 -j int-dsl
-A int_frwd -o eth2 -j int-cbl
-A logdrop -j DROP
-A logflags -j LOG --log-ip-options --log-level 6 --log-prefix "Shorewall:logflags:DROP:"
-A logflags -j DROP
-A logreject -j reject
-A reject -d 2001:XXXX:YYYY:0:: -j DROP
-A reject -d 2001:XXXX:YYYY:0:ffff:ffff:ffff:ffff/121 -j DROP
-A reject -d 2a02:XXXX:YYYY:f972:: -j DROP
-A reject -d 2a02:XXXX:YYYY:f972:ffff:ffff:ffff:ffff/121 -j DROP
-A reject -s ff00::/8 -j DROP
-A reject -p 2 -j DROP
-A reject -p 6 -j REJECT --reject-with tcp-reset
-A reject -p 17 -j REJECT
-A reject -p 58 -j REJECT --reject-with icmp6-addr-unreachable
-A reject -j REJECT --reject-with icmp6-adm-prohibited
-A sfilter -j LOG --log-level 6 --log-prefix "Shorewall:sfilter:DROP:"
-A sfilter -j DROP
-A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH -g logflags
-A tcpflags -p tcp --tcp-flags ALL NONE -g logflags
-A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp --tcp-flags FIN,RST FIN,RST -g logflags
-A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN -g logflags
-A tcpflags -p tcp --tcp-flags ACK,PSH,FIN PSH,FIN -g logflags
-A tcpflags -p tcp --syn --sport 0 -g logflags
COMMIT

# dmesg
[...]
[5944577.629325] xt_addrtype: ipv6 does not support BROADCAST matching
[5944579.777435] x_tables: ip6_tables: SNPT target: used from hooks PREROUTING, but only usable from INPUT/POSTROUTING

The problem is the following line in /etc/shorewall6/mangle:

IP6TABLES(SNPT --src-pfx fdae:fa7:dead:beef:0:0:0:0/64 --dst-pfx 2001:XXXX:YYYY:100:0:0:0:0/64 ):P

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
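As an added example (editor's code, not from the thread or from Shorewall), a small linter for the generated .ip6tables-restore-input that resolves user chains such as tcpre to the base hooks that jump to them and flags SNPT/DNPT rules the kernel would refuse, catching the error from the dmesg line above before ip6tables-restore does. The constructed sample reuses the thread's placeholder prefixes; the DNPT hook set (PREROUTING/OUTPUT) is the mirror image of SNPT's in the same kernel target and is not stated in the thread.

```python
import re
BASE_HOOKS = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}
# Kernel NPT hook restrictions: SNPT only INPUT/POSTROUTING (dmesg above), DNPT only PREROUTING/OUTPUT
ALLOWED = {"SNPT": {"INPUT", "POSTROUTING"}, "DNPT": {"PREROUTING", "OUTPUT"}}

def parse_tables(text):
    """table -> (chain -> set of -j/-g targets, [(chain, target), ...])."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):  # "*mangle" opens a new table
            table = line[1:]
            tables[table] = ({}, [])
        elif line.startswith("-A ") and table:
            m = re.match(r"-A (\S+).* -[jg] (\S+)", line)  # last -j/-g is the target
            if m:
                chain, target = m.groups()
                tables[table][0].setdefault(chain, set()).add(target)
                tables[table][1].append((chain, target))
    return tables

def hooks_reaching(edges, chain, seen=frozenset()):
    """Base hooks from which a packet can reach `chain`, following -j/-g jumps."""
    if chain in BASE_HOOKS:
        return {chain}
    hooks = set()
    for parent, targets in edges.items():
        if chain in targets and parent not in seen:  # `seen` guards against loops
            hooks |= hooks_reaching(edges, parent, seen | {parent})
    return hooks

def lint(text):
    """(table, chain, target, bad_hooks) for each NPT rule the kernel would refuse."""
    findings = []
    for table, (edges, rules) in parse_tables(text).items():
        for chain, target in rules:
            bad = hooks_reaching(edges, chain) - ALLOWED.get(target, BASE_HOOKS)
            if bad:
                findings.append((table, chain, target, sorted(bad)))
    return findings

# Constructed sample shaped like the thread's mangle table: SNPT in tcpre is only reached from PREROUTING
SAMPLE = """*mangle
-A PREROUTING -j tcpre
-A POSTROUTING -j tcpost
-A tcpre -i eth0 -j DNPT --src-pfx 2001:XXXX:YYYY:100::/64 --dst-pfx fdae:fa7:dead:beef::/64
-A tcpre -i eth0 -j SNPT --src-pfx fdae:fa7:dead:beef::/64 --dst-pfx 2001:XXXX:YYYY:100::/64
-A tcpost -o eth0 -j SNPT --src-pfx fdae:fa7:dead:beef::/64 --dst-pfx 2001:XXXX:YYYY:100::/64
COMMIT
"""
```

Running lint(SAMPLE) reports only the SNPT rule in tcpre; the DNPT rule there and the SNPT rule in tcpost (reached from POSTROUTING) pass, which is the placement the dmesg message asks for.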
