
Re: RV: OT Question about my bridge with shorewall...! Please..!



On Mon, 08-05-2006 at 16:45 -0500, German Jimenez Leal wrote:

> -------------------------------------------------------------------------------------------------------
> 
> Take a look here, please:
> 
> 
> May  8 15:50:58 localhost shorewall: Masqueraded Networks and Hosts:
> May  8 15:50:58 localhost shorewall:    To 0.0.0.0/0 (all) from 0.0.0.0/0 through vdpf0
> May  8 15:50:58 localhost shorewall: Processing /etc/shorewall/tos...
> May  8 15:50:58 localhost shorewall: Processing /etc/shorewall/ecn...
> May  8 15:50:58 localhost shorewall: Setting up Traffic Control Rules...
> May  8 15:50:58 localhost shorewall: Validating /etc/shorewall/tcdevices...
> May  8 15:50:58 localhost shorewall: Validating /etc/shorewall/tcclasses...
> May  8 15:50:58 localhost shorewall: Activating Rules...
> May  8 15:50:58 localhost shorewall: iptables v1.2.11: host/network `eth0' not found
> May  8 15:50:58 localhost shorewall: Try `iptables -h' or 'iptables --help' for more information.
> May  8 15:50:58 localhost shorewall:    ERROR: Command "/sbin/iptables -A OUTPUT  -o vdpf0 -d eth0 -j all2all" Failed
> May  8 15:50:58 localhost shorewall: Processing /etc/shorewall/stop ...
> May  8 15:50:58 localhost shorewall: IP Forwarding Enabled
> May  8 15:50:58 localhost shorewall: Processing /etc/shorewall/stopped ...
> May  8 15:50:58 localhost root: Shorewall Stopped
> May  8 15:50:58 localhost shorewall: Iniciación de shorewall failed
> 
> -------------------------------------------------------------------------------------------------------------------------------------------------------------
> 
> In the end I ran the command you told me:
> 
> 
> [root@localhost shorewall]# shorewall check
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Loading Modules...
> Shorewall has detected the following iptables/netfilter capabilities:
>    NAT: Available
>    Packet Mangling: Available
>    Multi-port Match: Available
>    Extended Multi-port Match: Not available
>    Connection Tracking Match: Available
>    Packet Type Match: Available
>    Policy Match: Not available
>    Physdev Match: Available
>    IP range Match: Available
>    Recent Match: Available
>    Owner Match: Available
>    Ipset Match: Not available
>    CONNMARK Target: Not available
>    Connmark Match: Not available
>    Raw Table: Available
>    CLASSIFY Target: Available
> Verifying Configuration...
> Determining Zones...
>    IPv4_Zones: net loc
>    Firewall Zone: fw
> Setting up IPSEC...
> Validating interfaces file...
> Validating hosts file...
> Determining Hosts in Zones...
>    net Zone: vdpf0:eth0
>    loc Zone: vdpf0:eth1
> Validating policy file...
>    Policy for loc to net is ACCEPT using chain loc2net
>    Policy for net to loc is DROP using chain net2all
>    Policy for net to fw is DROP using chain net2all
>    Policy for loc to fw is REJECT using chain all2all
>    Policy for fw to net is REJECT using chain all2all
>    Policy for fw to loc is REJECT using chain all2all
> Checking Black List...
> Validating Proxy ARP
> Validating NAT...
> Pre-validating Actions...
>    Pre-processing /usr/share/shorewall/action.Drop...
>    ..Expanding Macro /usr/share/shorewall/macro.Auth...
>    ..End Macro
>    ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
>    ..End Macro
>    ..Expanding Macro /usr/share/shorewall/macro.SMB...
>    ..End Macro
>    ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
>    ..End Macro
>    ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
>    ..End Macro
>    Pre-processing /usr/share/shorewall/action.Reject...
>    Pre-processing /usr/share/shorewall/action.Limit...
> Validating rules file...
>    Rule "ACCEPT net fw TCP 20,21,22,25,80,110,143,443,995,465    " checked.
>    Rule "ACCEPT loc net TCP 20,21,22,25,80,110,143,443,995,465    " checked.
>    Rule "ACCEPT loc net UDP 20,21,22,25,80,110,143,443,995,465    " checked.
> Validating Actions...
>    Generating Transitive Closure of Used-action List...
> Processing /usr/share/shorewall/action.Drop for Chain Drop...
> ..Expanding Macro /usr/share/shorewall/macro.Auth...
>    Rule "REJECT - - tcp 113 -  -" checked.
> ..End Macro
>    Rule "dropBcast       " checked.
> ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
>    Rule "ACCEPT - - icmp fragmentation-needed -  -" checked.
>    Rule "ACCEPT - - icmp time-exceeded -  -" checked.
> ..End Macro
>    Rule "dropInvalid       " checked.
> ..Expanding Macro /usr/share/shorewall/macro.SMB...
>    Rule "DROP - - udp 135,445 -  -" checked.
>    Rule "DROP - - udp 137:139 -  -" checked.
>    Rule "DROP - - udp 1024: 137  -" checked.
>    Rule "DROP - - tcp 135,139,445 -  -" checked.
> ..End Macro
> ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
>    Rule "DROP - - udp 1900 -  -" checked.
> ..End Macro
>    Rule "dropNotSyn - - tcp    " checked.
> ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
>    Rule "DROP - - udp - 53  -" checked.
> ..End Macro
> Processing /usr/share/shorewall/action.Reject for Chain Reject...
> ..Expanding Macro /usr/share/shorewall/macro.Auth...
>    Rule "REJECT - - tcp 113 -  -" checked.
> ..End Macro
>    Rule "dropBcast       " checked.
> ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
>    Rule "ACCEPT - - icmp fragmentation-needed -  -" checked.
>    Rule "ACCEPT - - icmp time-exceeded -  -" checked.
> ..End Macro
>    Rule "dropInvalid       " checked.
> ..Expanding Macro /usr/share/shorewall/macro.SMB...
>    Rule "REJECT - - udp 135,445 -  -" checked.
>    Rule "REJECT - - udp 137:139 -  -" checked.
>    Rule "REJECT - - udp 1024: 137  -" checked.
>    Rule "REJECT - - tcp 135,139,445 -  -" checked.
> ..End Macro
> ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
>    Rule "DROP - - udp 1900 -  -" checked.
> ..End Macro
>    Rule "dropNotSyn - - tcp    " checked.
> ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
>    Rule "DROP - - udp - 53  -" checked.
> ..End Macro
> Masqueraded Networks and Hosts:
>    To 0.0.0.0/0 (all) from 0.0.0.0/0 through vdpf0
> Validating /etc/shorewall/tcdevices...
> Validating /etc/shorewall/tcclasses...
> Configuration Validated
> 
> Notice:  The 'check' command is provided to catch
>          obvious errors in a Shorewall configuration.
>          It is not designed to catch all possible errors
>          so please don't submit problem reports about
>          error conditions that 'check' doesn't find
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 
If the check says everything is fine, it is strange that it fails (it is
easy for it not to do what you want, but not for it to fail).
Maybe your iptables command is very outdated. I have:
dpkg -l |grep iptables | grep ii
iptables   1.3.3-2   Linux kernel 2.4+ iptables administration to
and you seem to have:
iptables v1.2.11: host/network
The failure happened while applying the "rules", and eth0 is not mentioned
there at all, so it must be taking it from the definition in the hosts
file, which looks correct; maybe iptables does not know how to handle the
commands properly on a bridge.
I'm going to bed, it's 2 AM here.
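
Added example, not part of the original message: iptables takes an address or host name after `-d`, which is why the failed command reports host/network `eth0' not found. This script cross-checks the zone host entries printed by `shorewall check` against the failed command in the log and reports the bridge port name that ended up in the address position; the function names are illustrative and the sample lines are copied from the quoted output with the mail wrapping undone.

```shell
#!/bin/sh
# Added example, not from the thread. Sample lines are copied from the quoted
# output above with the mail line-wrapping undone.
sample_check() {
cat <<'EOF'
Determining Hosts in Zones...
   net Zone: vdpf0:eth0
   loc Zone: vdpf0:eth1
EOF
}
sample_log() {
cat <<'EOF'
May  8 15:50:58 localhost shorewall: iptables v1.2.11: host/network `eth0' not found
May  8 15:50:58 localhost shorewall:    ERROR: Command "/sbin/iptables -A OUTPUT  -o vdpf0 -d eth0 -j all2all" Failed
EOF
}
# Port part of each "<zone> Zone: <bridge>:<port>" line; numeric host
# entries (addresses) are skipped because they are valid -s/-d values.
zone_ports() {
    sed -n -e '/ Zone: [^:]*:[0-9]/d' \
           -e 's/^ *[A-Za-z0-9_]* Zone: [^:]*:\(.*\)$/\1/p'
}
# Command text inside each 'ERROR: Command "..." Failed' log line.
failed_commands() {
    sed -n 's/.*ERROR: Command "\(.*\)" Failed.*/\1/p'
}
# $1 = file with `shorewall check` output, $2 = file with log lines.
# Prints "<flag> <value>" when a failed command passes a bridge port name
# to -s/-d, which iptables treats as an address or host name to resolve.
port_used_as_address() {
    ports=$(zone_ports < "$1")
    failed_commands < "$2" | while read -r line; do
        prev=
        for tok in $line; do
            case $prev in
                -s|-d|--source|--destination)
                    for p in $ports; do
                        if [ "$tok" = "$p" ]; then echo "$prev $tok"; fi
                    done ;;
            esac
            prev=$tok
        done
    done
}

tmp=$(mktemp -d)
sample_check > "$tmp/check"; sample_log > "$tmp/log"
port_used_as_address "$tmp/check" "$tmp/log"    # prints: -d eth0
rm -rf "$tmp"
```
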


