Shorewall for web server?

I have shorewall working perfectly on my little home LAN,
using the two-interfaces configuration
(from <http://www.shorewall.net/two-interface.htm>).

Now I'd like to allow access to a web-server (httpd)
on my shorewall machine - a desktop computer 
connected to the internet through an ADSL modem.

I'm finding this surprisingly difficult;
I've added the two lines

DNAT    net    loc:192.168.1.1 tcp     80   -   86.43.71.228
DNAT     net     loc:192.168.1.1  tcp    www

to the shorewall rules (and re-started shorewall and httpd)
but when I try to access the web-server from outside
I get many warnings in /var/log/messages of the form

Dec 26 10:13:47 alfred kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= 
MAC= SRC=80.231.0.106 DST=86.43.71.228 LEN=48 TOS=0x00 PREC=0x00 
TTL=117 ID=58867 DF PROTO=TCP SPT=3849 DPT=1433 
WINDOW=16384 RES=0x00 SYN URGP=0

I attach the output of iptables -L.

Any advice or suggestions gratefully received;
in particular if anyone is running shorewall in a similar setup
I should be most grateful to see their /etc/shorewall/rules file.


-- 
Timothy Murphy  
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
Chain AllowICMPs (2 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed 
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 

Chain Drop (1 references)
target     prot opt source               destination         
RejectAuth  all  --  anywhere             anywhere            
dropBcast  all  --  anywhere             anywhere            
AllowICMPs  icmp --  anywhere             anywhere            
dropInvalid  all  --  anywhere             anywhere            
DropSMB    all  --  anywhere             anywhere            
DropUPnP   all  --  anywhere             anywhere            
dropNotSyn  tcp  --  anywhere             anywhere            
DropDNSrep  all  --  anywhere             anywhere            

Chain DropDNSrep (2 references)
target     prot opt source               destination         
DROP       udp  --  anywhere             anywhere            udp spt:domain 

Chain DropSMB (1 references)
target     prot opt source               destination         
DROP       udp  --  anywhere             anywhere            udp dpt:135 
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn 
DROP       udp  --  anywhere             anywhere            udp dpt:microsoft-ds 
DROP       tcp  --  anywhere             anywhere            tcp dpt:135 
DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn 
DROP       tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds 

Chain DropUPnP (2 references)
target     prot opt source               destination         
DROP       udp  --  anywhere             anywhere            udp dpt:1900 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP      !icmp --  anywhere             anywhere            state INVALID 
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
ppp0_fwd   all  --  anywhere             anywhere            
eth1_fwd   all  --  anywhere             anywhere            
eth2_fwd   all  --  anywhere             anywhere            
Reject     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:FORWARD:REJECT:' 
reject     all  --  anywhere             anywhere            

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP      !icmp --  anywhere             anywhere            state INVALID 
ppp0_in    all  --  anywhere             anywhere            
eth1_in    all  --  anywhere             anywhere            
eth2_in    all  --  anywhere             anywhere            
Reject     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:INPUT:REJECT:' 
reject     all  --  anywhere             anywhere            

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP      !icmp --  anywhere             anywhere            state INVALID 
fw2net     all  --  anywhere             anywhere            
fw2loc     all  --  anywhere             anywhere            
fw2loc     all  --  anywhere             anywhere            
Reject     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:OUTPUT:REJECT:' 
reject     all  --  anywhere             anywhere            

Chain Reject (4 references)
target     prot opt source               destination         
RejectAuth  all  --  anywhere             anywhere            
dropBcast  all  --  anywhere             anywhere            
AllowICMPs  icmp --  anywhere             anywhere            
dropInvalid  all  --  anywhere             anywhere            
RejectSMB  all  --  anywhere             anywhere            
DropUPnP   all  --  anywhere             anywhere            
dropNotSyn  tcp  --  anywhere             anywhere            
DropDNSrep  all  --  anywhere             anywhere            

Chain RejectAuth (2 references)
target     prot opt source               destination         
reject     tcp  --  anywhere             anywhere            tcp dpt:auth 

Chain RejectSMB (1 references)
target     prot opt source               destination         
reject     udp  --  anywhere             anywhere            udp dpt:135 
reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn 
reject     udp  --  anywhere             anywhere            udp dpt:microsoft-ds 
reject     tcp  --  anywhere             anywhere            tcp dpt:135 
reject     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn 
reject     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds 

Chain all2all (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
Reject     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:all2all:REJECT:' 
reject     all  --  anywhere             anywhere            

Chain dropBcast (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             192.168.1.255       
DROP       all  --  anywhere             192.168.3.255       
DROP       all  --  anywhere             127.0.0.0           
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/4 

Chain dropInvalid (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            state INVALID 

Chain dropNotSyn (2 references)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN 

Chain dynamic (6 references)
target     prot opt source               destination         

Chain eth1_fwd (1 references)
target     prot opt source               destination         
dynamic    all  --  anywhere             anywhere            state INVALID,NEW 
loc2net    all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain eth1_in (1 references)
target     prot opt source               destination         
dynamic    all  --  anywhere             anywhere            state INVALID,NEW 
loc2fw     all  --  anywhere             anywhere            

Chain eth2_fwd (1 references)
target     prot opt source               destination         
dynamic    all  --  anywhere             anywhere            state INVALID,NEW 
loc2net    all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain eth2_in (1 references)
target     prot opt source               destination         
dynamic    all  --  anywhere             anywhere            state INVALID,NEW 
loc2fw     all  --  anywhere             anywhere            

Chain fw2loc (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     all  --  anywhere             anywhere            

Chain fw2net (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     all  --  anywhere             anywhere            

Chain loc2fw (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     all  --  anywhere             anywhere            

Chain loc2net (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
ACCEPT     all  --  anywhere             anywhere            

Chain net2all (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
Drop       all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:net2all:DROP:' 
DROP       all  --  anywhere             anywhere            

Chain net2fw (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
net2all    all  --  anywhere             anywhere            

Chain net2loc (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
newnotsyn  tcp  --  anywhere             anywhere            state NEW tcp flags:!SYN,RST,ACK/SYN 
ACCEPT     tcp  --  anywhere             alfred              tcp dpt:http ctorigdst 86.43.71.228 
ACCEPT     tcp  --  anywhere             alfred              tcp dpt:http 
net2all    all  --  anywhere             anywhere            

Chain newnotsyn (8 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:newnotsyn:DROP:' 
DROP       all  --  anywhere             anywhere            

Chain ppp0_fwd (1 references)
target     prot opt source               destination         
dynamic    all  --  anywhere             anywhere            state INVALID,NEW 
net2loc    all  --  anywhere             anywhere            
net2loc    all  --  anywhere             anywhere            

Chain ppp0_in (1 references)
target     prot opt source               destination         
dynamic    all  --  anywhere             anywhere            state INVALID,NEW 
net2fw     all  --  anywhere             anywhere            

Chain reject (11 references)
target     prot opt source               destination         
DROP       all  --  anywhere             192.168.1.255       
DROP       all  --  anywhere             192.168.3.255       
DROP       all  --  anywhere             127.0.0.0           
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/4 
DROP       all  --  192.168.1.255        anywhere            
DROP       all  --  192.168.3.255        anywhere            
DROP       all  --  127.0.0.0            anywhere            
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere            
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable 
REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain shorewall (0 references)
target     prot opt source               destination         

Chain smurfs (0 references)
target     prot opt source               destination         
DROP       all  --  192.168.1.255        anywhere            
DROP       all  --  192.168.3.255        anywhere            
DROP       all  --  127.0.0.0            anywhere            
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere            
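The quoted log entry was dropped by the net2all policy chain and carries DPT=1433, not port 80, so it says nothing about the web-server rules. The parser below, added here as an example and not part of the original post, splits Shorewall kernel log lines into their fields and counts which dropped packets were actually aimed at a given service port; the first sample line is the one quoted above re-joined onto one line, the other two are constructed with documentation addresses.

```python
import re
from collections import Counter

# Shorewall's LOG prefix is "Shorewall:<chain>:<disposition>:" followed by the
# netfilter KEY=VALUE fields; flag-style keys such as DF and SYN carry no value.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")
KV_RE = re.compile(r"(?P<key>[A-Z]+)(?:=(?P<val>\S*))?")

# Constructed sample: line 1 is the entry from the post, lines 2-3 are made up.
SAMPLE_LOG = [
    "Dec 26 10:13:47 alfred kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=80.231.0.106 DST=86.43.71.228 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=58867 DF PROTO=TCP SPT=3849 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Dec 26 10:14:02 alfred kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=86.43.71.228 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1 DF PROTO=TCP SPT=4021 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Dec 26 10:15:30 alfred kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=86.43.71.228 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
]


def parse_shorewall_log(line):
    """Return {chain, disposition, KEY: value...} for a Shorewall log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for kv in KV_RE.finditer(m.group("rest")):
        # A key with no "=" (DF, SYN) is a flag; an empty value (OUT=, MAC=) stays "".
        entry[kv.group("key")] = True if kv.group("val") is None else kv.group("val")
    return entry


def concerns_service(entry, port, proto="TCP"):
    """True when the logged packet was destined for the given service port."""
    return entry is not None and entry.get("PROTO") == proto and entry.get("DPT") == str(port)


def summarize_drops(lines, port=80):
    """Count DROP entries by (proto, dport) and how many targeted the service port."""
    by_port = Counter()
    service_hits = 0
    for line in lines:
        entry = parse_shorewall_log(line)
        if entry is None or entry["disposition"] != "DROP":
            continue
        by_port[(entry.get("PROTO"), entry.get("DPT"))] += 1
        if concerns_service(entry, port):
            service_hits += 1
    return by_port, service_hits


if __name__ == "__main__":
    counts, hits = summarize_drops(SAMPLE_LOG, port=80)
    print(f"drops to the web service: {hits}; all drops by port: {dict(counts)}")
```

Run it against /var/log/messages to separate background probes from drops that really involve the web service; the quoted entry counts only toward port 1433.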
