Hi,
DNS(ACCEPT) $FW net
This is superfluous given your policy '$FW net ACCEPT'.
I corrected this in /etc/shorewall/rules by commenting this line.
From:
http://shorewall.org/manpages/shorewall-rules.html
"Warning
If you masquerade or use SNAT from a local system to the internet, you cannot use an
ACCEPT rule to allow traffic from the internet to that system. You must use a DNAT
rule instead."
EG:
DNAT net $FW tcp 22
Unfortunately it doesn't work for me.
It seems like my shorewall version (5.0.15.6 on newest Ubuntu) accepts only
'ACCEPT' in the /etc/shorewall/rules file.
When I use 'DNAT' instead I receive an error:
ela@akacja:~$ sudo shorewall check
Checking using Shorewall 5.0.15.6...
Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.30), passed
through in regex; marked by <-- HERE in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/
at /usr/share/shorewall/Shorewall/Config.pm line 2340.
Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.30), passed
through in regex; marked by <-- HERE in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}\s*$/
at /usr/share/shorewall/Shorewall/Config.pm line 2356.
Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.30), passed
through in regex; marked by <-- HERE in m/^(\s*|.*[^&@%]){ <-- HERE (.*)}$/ at
/usr/share/shorewall/Shorewall/Config.pm line 2370.
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall/snat...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
ERROR: Invalid or missing server IP address /etc/shorewall/rules (line 53)
Regards,
B
On 2018-01-30 at 18:38, Matt Darfeuille wrote:
On 1/30/2018 5:22 PM, Matt Darfeuille wrote:
On 1/30/2018 1:34 PM, Bernard Drozd wrote:
It refers here to your wan interface.
Is your wan interface configured by dhcp (does it get a dynamic IP)?
No. My wan interface has static 192.168.15.145 address (which is seen
from outside/internet as public 46.xxx.xxx.xxx address).
So I've changed content of /etc/shorewall/snat to:
SNAT(192.168.15.145) 10.10.10.0/24 enp1s0
Then SNAT is correct in that case.
but still cannot connect to the Internet from LAN.
Clearly your two-interface setup is not working. So I will ignore the
wireless part of this question.
Ok. I removed wifi configuration from /etc/shorewall files
What is the content of the following files?:
/etc/shorewall/zones
fw firewall
net ipv4
loc ipv4
/etc/shorewall/interfaces
?FORMAT 1
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net enp1s0 detect tcpflags,logmartians,nosmurfs
loc enp3s0f1 detect dhcp
/etc/shorewall/policy
loc net ACCEPT
$FW net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
/etc/shorewall/rules
# PORT PORT(S) DEST LIMIT GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# Don't allow connection pickup from the net
#
Invalid(DROP) net all tcp
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT) $FW net
This is superfluous given your policy '$FW net ACCEPT'.
#
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT) loc $FW
#
# Allow Ping from the local network
#
Ping(ACCEPT) loc $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP) net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
#
ACCEPT net $FW tcp 6535
ACCEPT net $FW udp 6534
ACCEPT net $FW tcp 22
From:
http://shorewall.org/manpages/shorewall-rules.html
"Warning
If you masquerade or use SNAT from a local system to the internet, you
cannot use an ACCEPT rule to allow traffic from the internet to that
system. You must use a DNAT rule instead."
EG:
DNAT net $FW tcp 22
As Bill Shirley pointed out you can forget this.
/etc/shorewall/stoppedrules
ACCEPT enp3s0f1 -
ACCEPT - enp3s0f1
I assume that no other firewalls are started.
And that 'IP_FORWARDING' is set to 'Yes' in /etc/shorewall/shorewall.conf.
-Matt
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
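A small rules-file linter, added here as an example (it is not Shorewall's own code), that reproduces the two checks made in this thread on the quoted rules and policy: a DNAT rule must name a server address in its DEST column (which is why "DNAT net $FW tcp 22" fails with "Invalid or missing server IP address"), and an ACCEPT rule whose zone pair is already covered by an ACCEPT policy is superfluous. The sample rules and policy are constructed from the thread; the column layout and the exact-zone-pair matching are simplifying assumptions.

```python
"""Lint a Shorewall-style rules fragment (added example, not Shorewall code)."""
import ipaddress
import re

# Constructed sample: the policy and rules quoted in the thread.
POLICY = """
loc net ACCEPT
$FW net ACCEPT
net all DROP info
all all REJECT info
"""

RULES = """
?SECTION NEW
DNS(ACCEPT) $FW net
SSH(ACCEPT) loc $FW
Ping(DROP) net $FW
ACCEPT net $FW tcp 22
DNAT net $FW tcp 22
DNAT net loc:10.10.10.5 tcp 22
"""

def parse(text):
    """Yield (lineno, columns) for lines that are not comments or ?directives."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split('#', 1)[0].strip()
        if line and not line.startswith('?'):
            yield n, line.split()

def base_action(action):
    """Strip an action wrapper: 'DNS(ACCEPT)' -> 'ACCEPT'; 'ACCEPT' -> 'ACCEPT'."""
    m = re.match(r'\w+\((\w+)\)', action)
    return m.group(1) if m else action

def dnat_server_ok(dest):
    """DNAT needs DEST of the form zone:address (the 'server IP address')."""
    if ':' not in dest:
        return False
    try:
        ipaddress.ip_address(dest.split(':', 1)[1])
        return True
    except ValueError:
        return False

def lint(rules, policy):
    """Return [(lineno, message)] for DNAT-without-server and redundant ACCEPT rules."""
    accept_pairs = {(s, d) for _, (s, d, a, *_) in parse(policy) if a == 'ACCEPT'}
    problems = []
    for n, (action, src, dest, *_) in parse(rules):
        if base_action(action) == 'DNAT' and not dnat_server_ok(dest):
            problems.append((n, 'ERROR: Invalid or missing server IP address'))
        elif base_action(action) == 'ACCEPT' and (src, dest) in accept_pairs:
            problems.append((n, 'WARNING: superfluous, policy already ACCEPTs this pair'))
    return problems
```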