Hi

  I am trying to replace my old version 4.5.1 on CentOS 6.9 with a newer computer running CentOS 7 (up to date) with Shorewall 5.0.14.1.

  I tried to follow the two-card sample but have done something wrong.
Currently the old machine is still working, but the hard drive is on its last legs.  SMART errors!


Problem:

enp3s0: interface on MB, ip 192.168.2.1, local network (lan)
enp4s0: interface on card, ip 192.168.1.2, internet (wan) --- 192.168.1.1 wireless router --- cable network router.

With the new 5.x Shorewall in place I can't ping the DNS servers or anything else on the internet.  Thunderbird and Firefox can't connect.

In CentOS the syslog is /var/log/messages, and while I've tried to redefine the log as /var/log/shorewall, it doesn't write to the file I created by that name.

Below is the "shorewall-init.log" for the 5.x version, and below that are a few of the packet messages from /var/log/messages.

See attached file.


Any other files you would like, let me know...  Thanks, Jim




Dec 11 17:33:23 done.
Dec 11 17:42:58 Processing /etc/shorewall/shorewall.conf...
Dec 11 17:42:58 Loading Modules...
Dec 11 17:42:58 Compiling /etc/shorewall/zones...
Dec 11 17:42:58 Compiling /etc/shorewall/interfaces...
Dec 11 17:42:58    Interface "wan enp4s0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0" Validated
Dec 11 17:42:58    Interface "lan enp3s0 tcpflags,nosmurfs,routefilter,logmartians,dhcp" Validated
Dec 11 17:42:58 Determining Hosts in Zones...
Dec 11 17:42:58    fw (firewall)
Dec 11 17:42:58    wan (ipv4)
Dec 11 17:42:58       enp4s0:0.0.0.0/0
Dec 11 17:42:58    lan (ipv4)
Dec 11 17:42:58       enp3s0:0.0.0.0/0
Dec 11 17:42:58 Locating Action Files...
Dec 11 17:42:58 Compiling /etc/shorewall/policy...
Dec 11 17:42:58    Policy for lan to wan is ACCEPT using chain lan-wan
Dec 11 17:42:58    Policy for wan to fw is DROP using chain wan-all
Dec 11 17:42:58    Policy for wan to lan is DROP using chain wan-all
Dec 11 17:42:58    Policy for fw to wan is REJECT using chain all-all
Dec 11 17:42:58    Policy for fw to lan is REJECT using chain all-all
Dec 11 17:42:58    Policy for wan to fw is REJECT using chain all-all
Dec 11 17:42:58    Policy for wan to lan is REJECT using chain all-all
Dec 11 17:42:58    Policy for lan to fw is REJECT using chain all-all
Dec 11 17:42:58    Policy for lan to wan is REJECT using chain all-all
Dec 11 17:42:58 Adding Anti-smurf Rules
Dec 11 17:42:58 Adding rules for DHCP
Dec 11 17:42:58 Compiling TCP Flags filtering...
Dec 11 17:42:58 Compiling Kernel Route Filtering...
Dec 11 17:42:58 Compiling Martian Logging...
Dec 11 17:42:58 Compiling Accept Source Routing...
Dec 11 17:42:58 Compiling MAC Filtration -- Phase 1...
Dec 11 17:42:58    Chain enp4s0_iop deleted
Dec 11 17:42:58    Chain enp4s0_fop deleted
Dec 11 17:42:58    Chain enp4s0_oop deleted
Dec 11 17:42:58    Chain enp3s0_iop deleted
Dec 11 17:42:58    Chain enp3s0_fop deleted
Dec 11 17:42:58    Chain enp3s0_oop deleted
Dec 11 17:42:58 Compiling /etc/shorewall/rules...
Dec 11 17:42:58 ..Expanding inline action /usr/share/shorewall/action.Invalid...
Dec 11 17:42:58 ..End inline action /usr/share/shorewall/action.Invalid
Dec 11 17:42:58 ..Expanding inline action /usr/share/shorewall/action.Invalid...
Dec 11 17:42:58 ..End inline action /usr/share/shorewall/action.Invalid
Dec 11 17:42:58     Rule "Invalid(DROP) wan all tcp" Compiled
Dec 11 17:42:58 ..Expanding Macro /usr/share/shorewall/macro.DNS...
Dec 11 17:42:58     Rule "PARAM - - udp 53" Compiled
Dec 11 17:42:58     Rule "PARAM - - tcp 53" Compiled
Dec 11 17:42:58 ..End Macro /usr/share/shorewall/macro.DNS
Dec 11 17:42:58     Rule "DNS(ACCEPT) fw wan" Compiled
Dec 11 17:42:58 ..Expanding Macro /usr/share/shorewall/macro.SSH...
Dec 11 17:42:58     Rule "PARAM - - tcp 22" Compiled
Dec 11 17:42:58 ..End Macro /usr/share/shorewall/macro.SSH
Dec 11 17:42:58     Rule "SSH(ACCEPT) lan fw" Compiled
Dec 11 17:42:58 ..Expanding Macro /usr/share/shorewall/macro.Ping...
Dec 11 17:42:58     Rule "PARAM - - icmp 8" Compiled
Dec 11 17:42:58 ..End Macro /usr/share/shorewall/macro.Ping
Dec 11 17:42:58     Rule "Ping(ACCEPT) lan fw" Compiled
Dec 11 17:42:58 ..Expanding Macro /usr/share/shorewall/macro.Ping...
Dec 11 17:42:58     Rule "PARAM - - icmp 8" Compiled
Dec 11 17:42:58 ..End Macro /usr/share/shorewall/macro.Ping
Dec 11 17:42:58     Rule "Ping(ACCEPT) lan wan" Compiled
Dec 11 17:42:58 ..Expanding Macro /usr/share/shorewall/macro.Ping...
Dec 11 17:42:58     Rule "PARAM - - icmp 8" Compiled
Dec 11 17:42:58 ..End Macro /usr/share/shorewall/macro.Ping
Dec 11 17:42:58     Rule "Ping(DROP) wan fw" Compiled
Dec 11 17:42:58     Rule "ACCEPT fw lan icmp" Compiled
Dec 11 17:42:58     Rule "ACCEPT fw wan icmp" Compiled
Dec 11 17:42:58     Rule "ACCEPT lan fw tcp smtp" Compiled
Dec 11 17:42:58     Rule "ACCEPT fw lan tcp smtp" Compiled
Dec 11 17:42:58     Rule "ACCEPT lan fw tcp http" Compiled
Dec 11 17:42:58     Rule "ACCEPT fw lan tcp http" Compiled
Dec 11 17:42:58 ..Expanding Macro /usr/share/shorewall/macro.NTP...
Dec 11 17:42:58     Rule "PARAM - - udp 123" Compiled
Dec 11 17:42:58 ..End Macro /usr/share/shorewall/macro.NTP
Dec 11 17:42:58     Rule "NTP(ACCEPT) lan fw" Compiled
Dec 11 17:42:58 Compiling MAC Filtration -- Phase 2...
Dec 11 17:42:58 Applying Policies...
Dec 11 17:42:58 Compiling /usr/share/shorewall/action.Reject for chain Reject...
Dec 11 17:42:58 ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Dec 11 17:42:58     Rule "PARAM - - icmp fragmentation-needed" Compiled
Dec 11 17:42:58     Rule "PARAM - - icmp time-exceeded" Compiled
Dec 11 17:42:58 ..End Macro /usr/share/shorewall/macro.AllowICMPs
Dec 11 17:42:58 Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Dec 11 17:42:58 ..Expanding inline action /usr/share/shorewall/action.Invalid...
Dec 11 17:42:58 ..End inline action /usr/share/shorewall/action.Invalid
Dec 11 17:42:58 ..Expanding Macro /usr/share/shorewall/macro.SMB...
Dec 11 17:42:59     Rule "PARAM - - udp 135,445" Compiled
Dec 11 17:42:59     Rule " PARAM - - udp 137:139" Compiled
Dec 11 17:42:59     Rule "PARAM - - udp 1024: 137" Compiled
Dec 11 17:42:59     Rule "PARAM - - tcp 135,139,445" Compiled
Dec 11 17:42:59 ..End Macro /usr/share/shorewall/macro.SMB
Dec 11 17:42:59 ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Dec 11 17:42:59     Rule "PARAM - - udp 1900" Compiled
Dec 11 17:42:59 ..End Macro /usr/share/shorewall/macro.DropUPnP
Dec 11 17:42:59 ..Expanding inline action /usr/share/shorewall/action.NotSyn...
Dec 11 17:42:59     Rule "DROP - - ;;+ -p 6 ! --syn" Compiled
Dec 11 17:42:59 ..End inline action /usr/share/shorewall/action.NotSyn
Dec 11 17:42:59 ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Dec 11 17:42:59     Rule "PARAM - - udp - 53" Compiled
Dec 11 17:42:59 ..End Macro /usr/share/shorewall/macro.DropDNSrep
Dec 11 17:42:59    Policy REJECT from fw to wan using chain fw-wan
Dec 11 17:42:59    Policy REJECT from fw to lan using chain fw-lan
Dec 11 17:42:59 Compiling /usr/share/shorewall/action.Drop for chain Drop...
Dec 11 17:42:59 ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Dec 11 17:42:59     Rule "PARAM - - icmp fragmentation-needed" Compiled
Dec 11 17:42:59     Rule "PARAM - - icmp time-exceeded" Compiled
Dec 11 17:42:59 ..End Macro /usr/share/shorewall/macro.AllowICMPs
Dec 11 17:42:59 ..Expanding inline action /usr/share/shorewall/action.Invalid...
Dec 11 17:42:59 ..End inline action /usr/share/shorewall/action.Invalid
Dec 11 17:42:59 ..Expanding Macro /usr/share/shorewall/macro.SMB...
Dec 11 17:42:59     Rule "PARAM - - udp 135,445" Compiled
Dec 11 17:42:59     Rule " PARAM - - udp 137:139" Compiled
Dec 11 17:42:59     Rule "PARAM - - udp 1024: 137" Compiled
Dec 11 17:42:59     Rule "PARAM - - tcp 135,139,445" Compiled
Dec 11 17:42:59 ..End Macro /usr/share/shorewall/macro.SMB
Dec 11 17:42:59 ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Dec 11 17:42:59     Rule "PARAM - - udp 1900" Compiled
Dec 11 17:42:59 ..End Macro /usr/share/shorewall/macro.DropUPnP
Dec 11 17:42:59 ..Expanding inline action /usr/share/shorewall/action.NotSyn...
Dec 11 17:42:59     Rule "DROP - - ;;+ -p 6 ! --syn" Compiled
Dec 11 17:42:59 ..End inline action /usr/share/shorewall/action.NotSyn
Dec 11 17:42:59 ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Dec 11 17:42:59     Rule "PARAM - - udp - 53" Compiled
Dec 11 17:42:59 ..End Macro /usr/share/shorewall/macro.DropDNSrep
Dec 11 17:42:59    Policy DROP from wan to fw using chain wan-fw
Dec 11 17:42:59    Policy DROP from wan to lan using chain wan-lan
Dec 11 17:42:59    Policy REJECT from lan to fw using chain lan-fw
Dec 11 17:42:59    Policy ACCEPT from lan to wan using chain lan-wan
Dec 11 17:42:59 Generating Rule Matrix...
Dec 11 17:42:59    Handling complex zones...
Dec 11 17:42:59    Entering main matrix-generation loop...
Dec 11 17:42:59    Chain enp4s0_out deleted
Dec 11 17:42:59    Chain enp4s0_in deleted
Dec 11 17:42:59    Chain enp4s0_fwd deleted
Dec 11 17:42:59    Chain enp3s0_out deleted
Dec 11 17:42:59    Chain enp3s0_in deleted
Dec 11 17:42:59    Chain enp3s0_fwd deleted
Dec 11 17:42:59    Finishing matrix...
Dec 11 17:42:59 Optimizing Ruleset...
Dec 11 17:42:59
  Table raw pass 1, 2 referenced chains, level 4a...
Dec 11 17:42:59
  Table raw pass 2, 2 referenced chains, level 4b...
Dec 11 17:42:59
  Table raw pass 2, 0 referenced user chains, level 8...
Dec 11 17:42:59
  Table raw pass 3, 2 referenced user chains, level 16...
Dec 11 17:42:59    Table raw Optimized -- Passes =
Dec 11 17:42:59
Dec 11 17:42:59
  Table nat pass 1, 3 referenced chains, level 4a...
Dec 11 17:42:59
  Table nat pass 2, 3 referenced chains, level 4b...
Dec 11 17:42:59
  Table nat pass 2, 0 referenced user chains, level 8...
Dec 11 17:42:59
  Table nat pass 3, 3 referenced user chains, level 16...
Dec 11 17:42:59    Table raw Optimized -- Passes =
Dec 11 17:42:59
Dec 11 17:42:59
  Table nat pass 1, 3 referenced chains, level 4a...
Dec 11 17:42:59
  Table nat pass 2, 3 referenced chains, level 4b...
Dec 11 17:42:59
  Table nat pass 2, 0 referenced user chains, level 8...
Dec 11 17:42:59
  Table nat pass 3, 3 referenced user chains, level 16...
Dec 11 17:42:59    Table nat Optimized -- Passes =
Dec 11 17:42:59
Dec 11 17:42:59
  Table mangle pass 1, 10 referenced chains, level 4a...
Dec 11 17:42:59    Chain tcin deleted
Dec 11 17:42:59    Chain tcout deleted
Dec 11 17:42:59    Chain tcpost deleted
Dec 11 17:42:59    Chain tcpre deleted
Dec 11 17:42:59    Empty chain tcfor deleted
Dec 11 17:42:59
  Table mangle pass 2, 5 referenced chains, level 4a...
Dec 11 17:42:59
  Table mangle pass 3, 5 referenced chains, level 4b...
Dec 11 17:42:59
  Table mangle pass 3, 0 referenced user chains, level 8...
Dec 11 17:42:59
  Table mangle pass 4, 5 referenced user chains, level 16...
Dec 11 17:42:59    Table mangle Optimized -- Passes =
Dec 11 17:42:59
Dec 11 17:42:59
  Table filter pass 1, 22 referenced chains, level 4a...
Dec 11 17:42:59     2 ACCEPT rules deleted from chain lan-wan
Dec 11 17:42:59
  Table filter pass 2, 22 referenced chains, level 4a...
Dec 11 17:42:59    1 references to chain lan-wan replaced
Dec 11 17:42:59    Chain lan-wan deleted
Dec 11 17:42:59
  Table filter pass 3, 21 referenced chains, level 4a...
Dec 11 17:42:59
  Table filter pass 4, 21 referenced chains, level 4b...
Dec 11 17:42:59
  Table filter pass 5, 2 short chains, level 4b...
Dec 11 17:42:59
  Table filter pass 5, 18 referenced user chains, level 8...
Dec 11 17:42:59
  Table filter pass 6, 21 referenced user chains, level 16...
Dec 11 17:42:59    Table filter Optimized -- Passes =
Dec 11 17:42:59
Dec 11 17:42:59 Creating iptables-restore input...
Dec 11 17:42:59 Compiling /etc/shorewall/stoppedrules...
Dec 11 17:42:59 Shorewall configuration compiled to /var/lib/shorewall/.restart
Dec 11 17:42:59 Stopping Shorewall....
Dec 11 17:42:59 Preparing iptables-restore input...
Dec 11 17:42:59 Running /sbin/iptables-restore...
Dec 11 17:42:59 IPv4 Forwarding Enabled
Dec 11 17:42:59 done.
Dec 11 17:42:59 Starting Shorewall....
Dec 11 17:42:59 Initializing...
Dec 11 17:42:59 Setting up Route Filtering...
Dec 11 17:42:59 Setting up Martian Logging...
Dec 11 17:42:59 Setting up Accept Source Routing...
Dec 11 17:42:59 Disabling Kernel Automatic Helper Association
Dec 11 17:42:59 Preparing iptables-restore input...
Dec 11 17:42:59 Running /sbin/iptables-restore ...
Dec 11 17:42:59 IPv4 Forwarding Enabled
Dec 11 17:42:59 done.
Dec 11 17:45:34 Stopping Shorewall....
Dec 11 17:45:34 Preparing iptables-restore input...
Dec 11 17:45:34 Running /sbin/iptables-restore...
Dec 11 17:45:34 IPv4 Forwarding Enabled
Dec 11 17:45:34 done.

################

Dec 11 18:49:48 nub kernel: Shorewall:fw-lan:REJECT:IN= OUT=enp3s0 SRC=192.168.2.3 DST=216.235.100.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=43171 DF PROTO=UDP SPT=34131 DPT=53 LEN=47
Dec 11 18:49:48 nub kernel: Shorewall:fw-lan:REJECT:IN= OUT=enp3s0 SRC=192.168.2.3 DST=192.168.2.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=25835 DF PROTO=UDP SPT=42993 DPT=53 LEN=47
Dec 11 18:49:48 nub kernel: Shorewall:fw-lan:REJECT:IN= OUT=enp3s0 SRC=192.168.2.3 DST=216.235.96.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=19264 DF PROTO=UDP SPT=55991 DPT=53 LEN=47
Dec 11 18:49:48 nub kernel: Shorewall:fw-lan:REJECT:IN= OUT=enp3s0 SRC=192.168.2.3 DST=216.235.100.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=43172 DF PROTO=UDP SPT=48695 DPT=53 LEN=47
Dec 11 18:49:48 nub kernel: Shorewall:fw-lan:REJECT:IN= OUT=enp3s0 SRC=192.168.2.3 DST=192.168.2.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=25836 DF PROTO=UDP SPT=46119 DPT=53 LEN=47


Dec 11 18:50:55 nub nmbd[1132]:  Packet send failed to 192.168.2.255(138) ERRNO=Operation not permitted
Dec 11 18:52:45 nub nmbd[1132]: [2017/12/11 18:52:45.346454,  0] ../source3/libsmb/nmblib.c:873(send_udp)
Dec 11 18:52:45 nub nmbd[1132]:  Packet send failed to 192.168.2.255(137) ERRNO=Operation not permitted
Dec 11 18:52:45 nub nmbd[1132]: [2017/12/11 18:52:45.346566,  0] ../source3/nmbd/nmbd_packets.c:179(send_netbios_packet)
Dec 11 18:52:45 nub nmbd[1132]:  send_netbios_packet: send_packet() to IP 192.168.2.255 port 137 failed
Dec 11 18:52:45 nub nmbd[1132]: [2017/12/11 18:52:45.346610,  0] ../source3/nmbd/nmbd_namequery.c:245(query_name)
Dec 11 18:52:45 nub nmbd[1132]:  query_name: Failed to send packet trying to query name LIGHT<1d>



Dec 11 17:49:13 nub kernel: Shorewall:fw-wan:REJECT:IN= OUT=enp4s0 SRC=192.168.1.2 DST=204.2.134.164 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=61436 DF PROTO=UDP SPT=47626 DPT=123 LEN=56
Dec 11 17:49:13 nub dbus-daemon: dbus[729]: [system] Activating via systemd: service name='org.freedesktop.GeoClue2' unit='geoclue.service'
Dec 11 17:49:13 nub dbus[729]: [system] Activating via systemd: service name='org.freedesktop.GeoClue2' unit='geoclue.service'
Dec 11 17:49:13 nub kernel: Shorewall:lan-fw:REJECT:IN=enp3s0 OUT= MAC=00:1a:a0:c8:63:e9:00:1d:09:0f:c6:11:08:00 SRC=192.168.2.8 DST=192.168.2.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=61272 DF PROTO=UDP SPT=52725 DPT=53 LEN=43
Dec 11 17:49:13 nub kernel: Shorewall:lan-fw:REJECT:IN=enp3s0 OUT= MAC=00:1a:a0:c8:63:e9:00:1d:09:0f:c6:11:08:00 SRC=192.168.2.8 DST=192.168.2.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=61273 DF PROTO=UDP SPT=52725 DPT=53 LEN=43

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
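As an added example (not part of the post above, and not Shorewall's own code): a small parser that tabulates the Shorewall kernel log lines quoted in the post by chain, disposition, protocol and destination port, and classifies each entry as INPUT, OUTPUT or FORWARD traffic from the IN=/OUT= fields. The sample input is the five log lines copied from the post (the nmbd line is included to show that non-Shorewall lines are skipped). It assumes the default "Shorewall:" LOGFORMAT prefix and the "srczone-dstzone" chain naming seen in the post; both are assumptions, not something the post states.

```python
import re
from collections import Counter

# Log lines copied from the post above (the nmbd line is not a Shorewall entry
# and is expected to be ignored by the parser).
SAMPLE_LOG = """\
Dec 11 18:49:48 nub kernel: Shorewall:fw-lan:REJECT:IN= OUT=enp3s0 SRC=192.168.2.3 DST=216.235.100.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=43171 DF PROTO=UDP SPT=34131 DPT=53 LEN=47
Dec 11 18:49:48 nub kernel: Shorewall:fw-lan:REJECT:IN= OUT=enp3s0 SRC=192.168.2.3 DST=192.168.2.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=25835 DF PROTO=UDP SPT=42993 DPT=53 LEN=47
Dec 11 18:50:55 nub nmbd[1132]:  Packet send failed to 192.168.2.255(138) ERRNO=Operation not permitted
Dec 11 17:49:13 nub kernel: Shorewall:fw-wan:REJECT:IN= OUT=enp4s0 SRC=192.168.1.2 DST=204.2.134.164 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=61436 DF PROTO=UDP SPT=47626 DPT=123 LEN=56
Dec 11 17:49:13 nub kernel: Shorewall:lan-fw:REJECT:IN=enp3s0 OUT= MAC=00:1a:a0:c8:63:e9:00:1d:09:0f:c6:11:08:00 SRC=192.168.2.8 DST=192.168.2.1 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=61272 DF PROTO=UDP SPT=52725 DPT=53 LEN=43
"""

# Assumes the default LOGFORMAT "Shorewall:%s:%s:" (chain, disposition).
LOG_RE = re.compile(r"Shorewall:(?P<chain>[\w-]+):(?P<disposition>[A-Z]+):(?P<fields>.*)$")


def parse_line(line):
    """Parse one Shorewall kernel log line; return None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            # LEN appears twice (IP total length, then UDP length); keep the first.
            fields.setdefault(k, v)
    chain = m.group("chain")
    # Assumption: zone-pair chains are named "<srczone>-<dstzone>" as in the post.
    src_zone, _, dst_zone = chain.partition("-")
    if fields.get("IN") and fields.get("OUT"):
        direction = "forward"          # transiting the box (FORWARD chain)
    elif fields.get("OUT"):
        direction = "output"           # generated by the firewall itself
    else:
        direction = "input"            # addressed to the firewall itself
    return {
        "chain": chain,
        "disposition": m.group("disposition"),
        "src_zone": src_zone,
        "dst_zone": dst_zone,
        "direction": direction,
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": fields.get("DPT"),    # None for ICMP entries
    }


def summarize(log_text):
    """Count entries by (chain, disposition, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["chain"], rec["disposition"], rec["proto"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    for (chain, disp, proto, dport), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{chain:10} {disp:7} {proto or '-':5} dport={dport or '-':5} x{n}")
```

Run against a full /var/log/messages (for example by reading the file into summarize()) the table shows at a glance which zone-pair chains are rejecting which services, and the direction field separates traffic the firewall itself generates (IN= empty) from traffic it is forwarding or receiving.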