04-21-2009, 06:04 PM   #1
Registered User
 
Join Date: Apr 2009
Posts: 3
OS: Windows Vista


Shorewall problem on server

Hi, I've been using Shorewall to generate iptables scripts all this while; today I came across a newly purchased server that got me stumped. Basically Shorewall refused to compile and start, and I get the following error.

Enabling Loopback and DNS Lookups
iptables: Unknown error 4294967295
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 449: 25975 Terminated ${VARDIR}/.start $debugging start

I then decided to try to get around this problem by going to the actual server, saving the iptables rules into a file and then uploading it onto my new server to do an iptables-restore, to see if that would work; however, I get:

# iptables-restore < firewall.txt
iptables-restore: line 182 failed

So here is my entire firewall file; it seems line 182 is the COMMIT statement. I'm stumped. I'm no firewall expert, but since it had been working for 6 other servers I'm not sure why this one refuses to accept the rules.
Quote:
# Generated by iptables-save v1.3.5 on Wed Apr 22 00:42:01 2009
*mangle
:PREROUTING ACCEPT [684274:153931454]
:INPUT ACCEPT [684274:153931454]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [854430:194015047]
:POSTROUTING ACCEPT [825162:190692935]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Wed Apr 22 00:42:01 2009
# Generated by iptables-save v1.3.5 on Wed Apr 22 00:42:01 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:fire2fire - [0:0]
:fire2net - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2all - [0:0]
:net2fire - [0:0]
:norfc1918 - [0:0]
:reject - [0:0]
:rfc1918 - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
:venet0_fwd - [0:0]
:venet0_in - [0:0]
:venet0_out - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i venet0 -j venet0_in
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j Drop
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:DROP:" --log-level 6
-A INPUT -j DROP
-A FORWARD -i venet0 -j venet0_fwd
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j Drop
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:DROP:" --log-level 6
-A FORWARD -j DROP
-A OUTPUT -o venet0 -j venet0_out
-A OUTPUT -o lo -j fire2fire
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j Drop
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:DROP:" --log-level 6
-A OUTPUT -j DROP
-A Drop -p tcp -m tcp --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -j DROP
-A Drop -p udp -m udp --dport 137:139 -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A Drop -p udp -m udp --dport 1900 -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -j DROP
-A Reject -p tcp -m tcp --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -j reject
-A Reject -p udp -m udp --dport 137:139 -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -j reject
-A Reject -p udp -m udp --dport 1900 -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -j DROP
-A dropBcast -d 213.175.192.69 -j DROP
-A dropBcast -d 213.175.192.70 -j DROP
-A dropBcast -d 255.255.255.255 -j DROP
-A dropBcast -d 224.0.0.0/240.0.0.0 -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A fire2fire -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fire2fire -p esp -j ACCEPT
-A fire2fire -p esp -j ACCEPT
-A fire2fire -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
-A fire2fire -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
-A fire2fire -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
-A fire2fire -p udp -m udp --dport 4500 -m state --state NEW -j ACCEPT
-A fire2fire -j ACCEPT
-A fire2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fire2net -p icmp -j ACCEPT
-A fire2net -d 80.239.186.21 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.148.125 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.148.126 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.148.127 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.148.128 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.148.129 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.148.130 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.148.131 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.148.132 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.178.126 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.178.127 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.178.128 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.178.129 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.178.130 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.178.131 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 80.239.178.132 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 72.14.178.86 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -d 72.14.178.86 -p tcp -m tcp --dport 80 -j ACCEPT
-A fire2net -p tcp -m multiport --dports 3724,1119 -j ACCEPT
-A fire2net -d 4.2.2.1 -j ACCEPT
-A fire2net -d 4.2.2.2 -j ACCEPT
-A fire2net -d 77.235.33.160 -j ACCEPT
-A fire2net -d 77.235.35.160 -j ACCEPT
-A fire2net -d 77.235.33.38 -j ACCEPT
-A fire2net -j Reject
-A fire2net -j reject
-A logdrop -j LOG --log-prefix "Shorewall:logdrop:DROP:" --log-level 6
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6
-A logflags -j DROP
-A logreject -j LOG --log-prefix "Shorewall:logreject:REJECT:" --log-level 6
-A logreject -j reject
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j Drop
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A net2fire -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fire -p icmp -j ACCEPT
-A net2fire -p tcp -m multiport --dports 22,11683,80,443,441,5190 -j ACCEPT
-A net2fire -p udp -j DROP
-A net2fire -j net2all
-A norfc1918 -s 172.16.0.0/255.240.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 172.16.0.0/12 -j rfc1918
-A norfc1918 -s 192.168.0.0/255.255.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 192.168.0.0/16 -j rfc1918
-A norfc1918 -s 10.0.0.0/255.0.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 10.0.0.0/8 -j rfc1918
-A reject -d 213.175.192.69 -j DROP
-A reject -d 213.175.192.70 -j DROP
-A reject -d 255.255.255.255 -j DROP
-A reject -d 224.0.0.0/240.0.0.0 -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A rfc1918 -j LOG --log-prefix "Shorewall:rfc1918:DROP:" --log-level 6
-A rfc1918 -j DROP
-A smurfs -s 213.175.192.69 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 213.175.192.69 -j DROP
-A smurfs -s 213.175.192.70 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 213.175.192.70 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j logflags
-A venet0_fwd -m state --state INVALID,NEW -j dynamic
-A venet0_fwd -m state --state NEW -j norfc1918
-A venet0_fwd -p tcp -j tcpflags
-A venet0_in -m state --state INVALID,NEW -j dynamic
-A venet0_in -m state --state NEW -j norfc1918
-A venet0_in -p tcp -j tcpflags
-A venet0_in -j net2fire
-A venet0_out -j fire2net
COMMIT <---- Line 182
# Completed on Wed Apr 22 00:42:01 2009
# Generated by iptables-save v1.3.5 on Wed Apr 22 00:42:01 2009
*nat
:PREROUTING ACCEPT [9675:626016]
:POSTROUTING ACCEPT [195:12598]
:OUTPUT ACCEPT [195:12878]
COMMIT
# Completed on Wed Apr 22 00:42:01 2009
Any help will be most appreciated!

Last edited by wmorri; 04-21-2009 at 10:22 PM.
lordnewbie is offline  
04-22-2009, 02:14 AM   #2
Alternative Computing Team
 
Join Date: Nov 2008
Location: Denver.CO
Posts: 311
OS: Arch linux


Re: Shorewall problem on server

I'm not sure about the shorewall problem, but perhaps we can get the iptables-restore failure.

If you would post the output of 'lsmod' from the server, that would be helpful.
__________________
Arch64 ~ PekWM
Rome5 is offline  
04-22-2009, 05:25 AM   #3
Registered User
 
Join Date: Apr 2009
Posts: 3
OS: Windows Vista


Re: Shorewall problem on server

Hi, I tried lsmod and nothing came out.

Quote:
Module Size Used by
lordnewbie is offline  
04-22-2009, 05:49 PM   #4
Alternative Computing Team
 
Join Date: Nov 2008
Location: Denver.CO
Posts: 311
OS: Arch linux


Re: Shorewall problem on server

Give 'sudo lsmod' a shot instead. What OS are you running on the server?

The 'commit' line only errors out because one or more of your rules has failed or cannot be implemented. We're checking lsmod to verify you have the correct modules in place. Then we look elsewhere.
__________________
Arch64 ~ PekWM
Rome5 is offline  
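Rome5's point above, that the COMMIT line is only where iptables-restore reports a failure somewhere earlier in the same table, can be checked mechanically before loading a dump like the one in post #1. The script below is an added example (not Shorewall's or the forum's code): it walks an iptables-save file, flags jumps to chains that are never declared in that table, and lists the match/target extensions each table uses so they can be compared against lsmod or /proc/modules. The sample dump, its chain names and the two target sets are constructed assumptions.

```python
"""Pre-flight check for an iptables-save dump. iptables-restore names the COMMIT
line whenever any rule in that table failed, so this flags jumps to undeclared
chains and lists the extensions each table needs (one kernel module each)."""
import re
BUILTIN_TARGETS = {"ACCEPT", "DROP", "RETURN", "QUEUE"}
EXTENSION_TARGETS = {"LOG", "REJECT", "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "MARK"}
JUMP = re.compile(r"(?:^|\s)-j\s+(\S+)")
MATCH = re.compile(r"(?:^|\s)-m\s+(\S+)")

def check_dump(text):
    """Return ([(line_no, message), ...], {table: {extension names}})."""
    problems, extensions = [], {}
    table, chains, jumps = None, set(), []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):              # new table: reset per-table state
            table, chains, jumps = line[1:], set(), []
            extensions[table] = set()
        elif line.startswith(":"):            # chain declaration ":name policy [pkts:bytes]"
            chains.add(line[1:].split()[0])
        elif line == "COMMIT":                # the table is applied here, all or nothing
            known = chains | BUILTIN_TARGETS | EXTENSION_TARGETS
            for rule_no, target in jumps:
                if target not in known:
                    problems.append((rule_no, f"unknown target {target!r} in table "
                                              f"{table}; COMMIT on line {line_no} would fail"))
        elif line.startswith("-A "):          # a rule: record its jump and its -m matches
            m = JUMP.search(line)
            if m:
                jumps.append((line_no, m.group(1)))
                if m.group(1) in EXTENSION_TARGETS:
                    extensions[table].add(m.group(1))
            extensions[table].update(MATCH.findall(line))
    return problems, extensions
# Constructed sample modelled on the dump in this thread; the 'Drop' chain is never declared.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:net2fire - [0:0]
-A INPUT -i venet0 -j net2fire
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j Drop
-A net2fire -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A net2fire -j LOG --log-prefix "Shorewall:net2fire:DROP:" --log-level 6
-A net2fire -p tcp -j REJECT --reject-with tcp-reset
COMMIT
"""
```

Run it over the saved firewall.txt instead of SAMPLE: the line numbers it reports count every line of the file, as iptables-restore's "line N failed" does, so a flagged rule points at something to examine rather than at the COMMIT on line 182.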
04-22-2009, 06:17 PM   #5
Registered User
 
Join Date: Apr 2009
Posts: 3
OS: Windows Vista


Re: Shorewall problem on server

Still same result. I'm on Centos 5 actually.
lordnewbie is offline  
04-24-2009, 02:08 AM   #6
Alternative Computing Team
 
Join Date: Nov 2008
Location: Denver.CO
Posts: 311
OS: Arch linux


Re: Shorewall problem on server

You can try 'cat /proc/modules' but I'm guessing you'll get the same response.

You mentioned this is a newly purchased server; did you install CentOS? I'm just wondering about the kernel you're running - whether modules are running with/compiled?
__________________
Arch64 ~ PekWM
Rome5 is offline  