On 7/30/19 10:47 AM, Mahashakti89 wrote:
> On Tue, 30 Jul 2019 10:21:09 -0700,
> Tom Eastep <teas...@shorewall.net> wrote:
> 
>> On 7/29/19 10:20 AM, Mahashakti89 wrote:
>>> Hi,
>>>
>>> I already tried the trick with the update-alternatives --config
>>> iptables command. Shorewall is indeed starting but I have no
>>> internet access. In /var/log/syslog I find the following errors:
>>>
>>> loc-fw REJECT IN=eth1 OUT=
>>> MAC=78:24:af:47:80:12:2c:e4:12:dd:51:d4:08:00 SRC=94.124.134.53
>>> DST=192.168.1.16 LEN=98 TOS=0x00 PREC=0x00 TTL=53 ID=16711 DF
>>> PROTO=TCP SPT=443 DPT=50430 WINDOW=531 RES=0x00 ACK FIN URGP=0 Jul
>>> 29 19:12:06 ishwara kernel: [  207.392482] fw-loc REJECT IN=
>>> OUT=eth1 SRC=192.168.1.16 DST=94.124.134.53 LEN=40 TOS=0x00
>>> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50430 DPT=443 WINDOW=0
>>> RES=0x00 RST URGP=0 Jul 29 19:12:06 ishwara kernel: [  207.798926]
>>> loc-fw REJECT IN=eth1 OUT=
>>> MAC=78:24:af:47:80:12:2c:e4:12:dd:51:d4:08:00 SRC=94.124.134.53
>>> DST=192.168.1.16 LEN=98 TOS=0x00 PREC=0x00 TTL=53 ID=16712 DF
>>> PROTO=TCP SPT=443 DPT=50430 WINDOW=531 RES=0x00 ACK FIN URGP=0 Jul
>>> 29 19:12:06 ishwara kernel: [  207.798938] fw-loc REJECT IN=
>>> OUT=eth1 SRC=192.168.1.16 DST=94.124.134.53 LEN=40 TOS=0x00
>>> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50430 DPT=443 WINDOW=0
>>> RES=0x00 RST URGP=0 Jul 29 19:12:07 ishwara kernel: [  208.213091]
>>> loc-fw REJECT IN=eth1 OUT=
>>> MAC=78:24:af:47:80:12:2c:e4:12:dd:51:d4:08:00 SRC=94.124.134.53
>>> DST=192.168.1.16 LEN=98 TOS=0x00 PREC=0x00 TTL=53 ID=16713 DF
>>> PROTO=TCP SPT=443 DPT=50430 WINDOW=531 RES=0x00 ACK FIN URGP=0 Jul
>>> 29 19:12:07 ishwara kernel: [  208.213135] fw-loc REJECT IN=
>>> OUT=eth1 SRC=192.168.1.16 DST=94.124.134.53 LEN=40 TOS=0x00
>>> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50430 DPT=443 WINDOW=0
>>> RES=0x00 RST URGP=0 Jul 29 19:12:08 ishwara kernel: [  209.045584]
>>> loc-fw REJECT IN=eth1 OUT=
>>> MAC=78:24:af:47:80:12:2c:e4:12:dd:51:d4:08:00 SRC=94.124.134.53
>>> DST=192.168.1.16 LEN=98 TOS=0x00 PREC=0x00 TTL=53 ID=16714 DF
>>> PROTO=TCP SPT=443 DPT=50430 WINDOW=531 RES=0x00 ACK FIN URGP=0 Jul
>>> 29 19:12:08 ishwara kernel: [  209.045629] fw-loc REJECT IN=
>>> OUT=eth1 SRC=192.168.1.16 DST=94.124.134.53 LEN=40 TOS=0x00
>>> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50430 DPT=443 WINDOW=0
>>> RES=0x00 RST URGP=0 Jul 29 19:12:08 ishwara kernel: [  209.345187]
>>> fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=192.168.1.1 LEN=67
>>> TOS=0x00 PREC=0x00 TTL=64 ID=56117 DF PROTO=UDP SPT=58742 DPT=53
>>> LEN=47 Jul 29 19:12:08 ishwara kernel: [  209.345319] fw-loc REJECT
>>> IN= OUT=eth1 SRC=192.168.1.16 DST=192.168.1.1 LEN=67 TOS=0x00
>>> PREC=0x00 TTL=64 ID=56118 DF PROTO=UDP SPT=43055 DPT=53 LEN=47 Jul
>>> 29 19:12:08 ishwara kernel: [  209.345477] fw-loc REJECT IN=
>>> OUT=eth1 SRC=192.168.1.16 DST=192.168.1.1 LEN=72 TOS=0x00 PREC=0x00
>>> TTL=64 ID=56119 DF PROTO=UDP SPT=49654 DPT=53 LEN=52 Jul 29
>>> 19:12:08 ishwara kernel: [  209.345616] fw-loc REJECT IN= OUT=eth1
>>> SRC=192.168.1.16 DST=192.168.1.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64
>>> ID=56120 DF PROTO=UDP SPT=59124 DPT=53 LEN=52 Jul 29 19:12:08
>>> ishwara kernel: [  209.346288] fw-loc REJECT IN= OUT=eth1
>>> SRC=192.168.1.16 DST=192.168.1.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64
>>> ID=56121 DF PROTO=UDP SPT=44769 DPT=53 LEN=47 Jul 29 19:12:08
>>> ishwara kernel: [  209.346466] fw-loc REJECT IN= OUT=eth1
>>> SRC=192.168.1.16 DST=192.168.1.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64
>>> ID=56122 DF PROTO=UDP SPT=50842 DPT=53 LEN=47 Jul 29 19:12:08
>>> ishwara kernel: [  209.346598] fw-loc REJECT IN= OUT=eth1
>>> SRC=192.168.1.16 DST=192.168.1.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64
>>> ID=56123 DF PROTO=UDP SPT=33377 DPT=53 LEN=52 Jul 29 19:12:09
>>> ishwara kernel: [  210.673458] loc-fw REJECT IN=eth1 OUT=
>>> MAC=78:24:af:47:80:12:2c:e4:12:dd:51:d4:08:00 SRC=94.124.134.53
>>> DST=192.168.1.16 LEN=98 TOS=0x00 PREC=0x00 TTL=53 ID=16715 DF
>>> PROTO=TCP SPT=443 DPT=50430 WINDOW=531 RES=0x00 ACK FIN URGP=0 Jul
>>> 29 19:12:09 ishwara kernel: [  210.673502] fw-loc REJECT IN=
>>> OUT=eth1 SRC=192.168.1.16 DST=94.124.134.53 LEN=40 TOS=0x00
>>> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50430 DPT=443 WINDOW=0
>>> RES=0x00 RST URGP=0 Jul 29 19:12:13 ishwara kernel: [  214.065616]
>>> loc-fw REJECT IN=eth1 OUT=
>>> MAC=78:24:af:47:80:12:2c:e4:12:dd:51:d4:08:00 SRC=94.124.134.53
>>> DST=192.168.1.16 LEN=98 TOS=0x00 PREC=0x00 TTL=53 ID=16716 DF
>>> PROTO=TCP SPT=443 DPT=50430 WINDOW=531 RES=0x00 ACK FIN URGP=0 Jul
>>> 29 19:12:13 ishwara kernel: [  214.065661] fw-loc REJECT IN=
>>> OUT=eth1 SRC=192.168.1.16 DST=94.124.134.53 LEN=40 TOS=0x00
>>> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50430 DPT=443 WINDOW=0
>>> RES=0x00 RST URGP=0 
>>>
>>> I will send you privately the tarball of /etc/shorewall.  
> 
>> Please send me the output of 'shorewall dump' taken while the above is
>> happening.
> 
>> Thanks!
>> -Tom
> 
> 
> Works now using iptables-legacy. I had to purge the interfaces
> configuration issued from network-manager ......

Yes -- from the messages, it looked like the interfaces may have been
reversed.

> 
> But why it doesn't work with nft-tables I do not know.
> 

I'll have to install Sid somewhere to try to understand that. But the
version of Shorewall in Sid is the same as that in Buster, so it is
likely not an issue in Shorewall itself.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
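
One way to check log entries like those quoted above for the symptom mentioned in the reply, a public address appearing in `loc-fw` / `fw-loc` entries on `eth1`. This is an added example, not part of the original thread or of Shorewall; it assumes the zone named `loc` should only see private addresses and that the firewall zone is named `fw`, and the three sample lines are entries re-joined from the wrapped syslog excerpt.

```python
import ipaddress
import re
from collections import Counter

# Three entries re-joined from the wrapped syslog excerpt quoted in the thread.
SAMPLE_LOG = """\
Jul 29 19:12:06 ishwara kernel: [  207.798926] loc-fw REJECT IN=eth1 OUT= MAC=78:24:af:47:80:12:2c:e4:12:dd:51:d4:08:00 SRC=94.124.134.53 DST=192.168.1.16 LEN=98 TOS=0x00 PREC=0x00 TTL=53 ID=16712 DF PROTO=TCP SPT=443 DPT=50430 WINDOW=531 RES=0x00 ACK FIN URGP=0
Jul 29 19:12:06 ishwara kernel: [  207.798938] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=94.124.134.53 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50430 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Jul 29 19:12:08 ishwara kernel: [  209.345187] fw-loc REJECT IN= OUT=eth1 SRC=192.168.1.16 DST=192.168.1.1 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=56117 DF PROTO=UDP SPT=58742 DPT=53 LEN=47
"""

ENTRY = re.compile(
    r"\] (?P<src_zone>\w+)-(?P<dst_zone>\w+) (?P<action>[A-Z]+) (?P<rest>IN=.*)$")
# Assumption: zones with these names are meant to hold only private addresses.
PRIVATE_ZONES = {"loc"}

def parse_entry(line):
    """Split one netfilter log line into chain zones, action and KEY=VALUE fields."""
    m = ENTRY.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        # UDP entries carry LEN twice (IP length, then UDP length); keep the first.
        if sep and key not in fields:
            fields[key] = value
    return {**m.groupdict(), "fields": fields}

def zone_mismatches(log_text):
    """Count entries where a zone assumed private talks to a public peer."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        f = entry["fields"]
        # Traffic to the firewall: peer is SRC on IN=; otherwise peer is DST on OUT=.
        if entry["dst_zone"] == "fw":
            zone, iface, peer = entry["src_zone"], f.get("IN"), f.get("SRC")
        else:
            zone, iface, peer = entry["dst_zone"], f.get("OUT"), f.get("DST")
        if zone in PRIVATE_ZONES and peer and ipaddress.ip_address(peer).is_global:
            hits[(zone, iface, peer)] += 1
    return hits

if __name__ == "__main__":
    for (zone, iface, peer), n in zone_mismatches(SAMPLE_LOG).items():
        print(f"{n} entries: zone {zone} on {iface} saw public peer {peer}")
```

The DNS entry to 192.168.1.1 is not flagged because its peer is private; it is still a rejected packet and points at policy rather than zone assignment.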