I have shorewall working perfectly on my little home LAN,
using the two-interfaces configuration
(from <http://www.shorewall.net/two-interface.htm>).
Now I'd like to allow access to a web-server (httpd)
on my shorewall machine - a desktop computer
connected to the internet through an ADSL modem.
I'm finding this surprisingly difficult;
I've added the two lines
DNAT net loc:192.168.1.1 tcp 80 - 86.43.71.228
DNAT net loc:192.168.1.1 tcp www
to the shorewall rules (and re-started shorewall and httpd)
but when I try to access the web-server from outside
I get many warnings in /var/log/messages of the form
Dec 26 10:13:47 alfred kernel: Shorewall:net2all:DROP:IN=ppp0 OUT=
MAC= SRC=80.231.0.106 DST=86.43.71.228 LEN=48 TOS=0x00 PREC=0x00
TTL=117 ID=58867 DF PROTO=TCP SPT=3849 DPT=1433
WINDOW=16384 RES=0x00 SYN URGP=0
I attach the output of iptables -L .
Any advice or suggestions gratefully received;
in particular if anyone is running shorewall in a similar setup
I should be most grateful to see their /etc/shorewall/rules file.
--
Timothy Murphy
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
Chain AllowICMPs (2 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
Chain Drop (1 references)
target prot opt source destination
RejectAuth all -- anywhere anywhere
dropBcast all -- anywhere anywhere
AllowICMPs icmp -- anywhere anywhere
dropInvalid all -- anywhere anywhere
DropSMB all -- anywhere anywhere
DropUPnP all -- anywhere anywhere
dropNotSyn tcp -- anywhere anywhere
DropDNSrep all -- anywhere anywhere
Chain DropDNSrep (2 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp spt:domain
Chain DropSMB (1 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:135
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp dpt:microsoft-ds
DROP tcp -- anywhere anywhere tcp dpt:135
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
Chain DropUPnP (2 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:1900
Chain FORWARD (policy DROP)
target prot opt source destination
DROP !icmp -- anywhere anywhere state INVALID
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ppp0_fwd all -- anywhere anywhere
eth1_fwd all -- anywhere anywhere
eth2_fwd all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP !icmp -- anywhere anywhere state INVALID
ppp0_in all -- anywhere anywhere
eth1_in all -- anywhere anywhere
eth2_in all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
reject all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP !icmp -- anywhere anywhere state INVALID
fw2net all -- anywhere anywhere
fw2loc all -- anywhere anywhere
fw2loc all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject all -- anywhere anywhere
Chain Reject (4 references)
target prot opt source destination
RejectAuth all -- anywhere anywhere
dropBcast all -- anywhere anywhere
AllowICMPs icmp -- anywhere anywhere
dropInvalid all -- anywhere anywhere
RejectSMB all -- anywhere anywhere
DropUPnP all -- anywhere anywhere
dropNotSyn tcp -- anywhere anywhere
DropDNSrep all -- anywhere anywhere
Chain RejectAuth (2 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
Chain RejectSMB (1 references)
target prot opt source destination
reject udp -- anywhere anywhere udp dpt:135
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp dpt:microsoft-ds
reject tcp -- anywhere anywhere tcp dpt:135
reject tcp -- anywhere anywhere tcp dpt:netbios-ssn
reject tcp -- anywhere anywhere tcp dpt:microsoft-ds
Chain all2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere
Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere 192.168.1.255
DROP all -- anywhere 192.168.3.255
DROP all -- anywhere 127.0.0.0
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN
Chain dynamic (6 references)
target prot opt source destination
Chain eth1_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc2net all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain eth1_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc2fw all -- anywhere anywhere
Chain eth2_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc2net all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain eth2_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc2fw all -- anywhere anywhere
Chain fw2loc (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere
Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere
Chain loc2fw (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere
Chain loc2net (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere
Chain net2all (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
DROP all -- anywhere anywhere
Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT icmp -- anywhere anywhere icmp echo-request
net2all all -- anywhere anywhere
Chain net2loc (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere alfred tcp dpt:http ctorigdst 86.43.71.228
ACCEPT tcp -- anywhere alfred tcp dpt:http
net2all all -- anywhere anywhere
Chain newnotsyn (8 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:newnotsyn:DROP:'
DROP all -- anywhere anywhere
Chain ppp0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
net2loc all -- anywhere anywhere
net2loc all -- anywhere anywhere
Chain ppp0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
net2fw all -- anywhere anywhere
Chain reject (11 references)
target prot opt source destination
DROP all -- anywhere 192.168.1.255
DROP all -- anywhere 192.168.3.255
DROP all -- anywhere 127.0.0.0
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4
DROP all -- 192.168.1.255 anywhere
DROP all -- 192.168.3.255 anywhere
DROP all -- 127.0.0.0 anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain shorewall (0 references)
target prot opt source destination
Chain smurfs (0 references)
target prot opt source destination
DROP all -- 192.168.1.255 anywhere
DROP all -- 192.168.3.255 anywhere
DROP all -- 127.0.0.0 anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere