I have to restart shorewall after rebooting the PC
Posted by: Raph

Hello everyone,
I have a PC running Mandriva LE 2005 and Shorewall 2.0.17. I opened the ports needed by the pptpd VPN server and by aMule in the "rules" file. The problem is that they are only really open after a shorewall restart, even once the PC has booted.
It's as if the shorewall rules were not being applied when the PC boots.
Does anyone have an idea?
Thanks

Posted on Tuesday 28 February 2006 15:55:00
Re: I have to restart shorewall after rebooting the PC
Posted by: lolotux

Can you run: ls /etc/rc5.d/
just so we can see the order your startup scripts run in, and whether shorewall does get launched?

Software is like sex !
It's better when it's Free !

Posted on Wednesday 1 March 2006 07:02:14
Re: I have to restart shorewall after rebooting the PC
Posted by: Raph

ls /etc/rc5.d/
K35vncserver@  S05harddrake@  S18sound@       S50shorewall@    S75keytable@
K55routed@     S10network@    S20xfs@         S55ez-ipupdate@  S90crond@
K59dund@       S12syslog@     S24messagebus@  S55sshd@         S95kheader@
K59hidd@       S13partmon@    S25haldaemon@   S56ntpd@         S99local@
K59pand@       S14nfslock@    S30dm@          S56rawdevices@
S01udev@       S15cups@       S40atd@         S56xinetd@
S03iptables@   S17alsa@       S40smartd@      S61xprint@

There you go! Thanks for your help.

Posted on Wednesday 1 March 2006 14:11:29
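As an added example (mine, not part of the thread), the POSIX shell script below takes the `ls /etc/rc5.d/` listing Raph posted, embedded as a string, and answers lolotux's two questions mechanically: in what order the S* links run, and whether shorewall is among them. It then checks the three orderings that matter for a firewall at boot: `network` before `shorewall`, because the `detect` keyword in /etc/shorewall/interfaces only works on an interface that is already up; anything that loads its own iptables rules (the `iptables` service here) before `shorewall`, so that the ruleset Shorewall compiles is the one left in place; and `ez-ipupdate` after `shorewall`. The service names and the listing are the ones in this thread; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): read the boot order off an
# `ls /etc/rc5.d/` listing and check the orderings that matter for shorewall.

# The listing Raph posted, embedded verbatim so the script runs offline.
# On a live box: check_boot_order "$(ls /etc/rc5.d/)"
RC5_LISTING='K35vncserver@  S05harddrake@  S18sound@       S50shorewall@    S75keytable@
K55routed@     S10network@    S20xfs@         S55ez-ipupdate@  S90crond@
K59dund@       S12syslog@     S24messagebus@  S55sshd@         S95kheader@
K59hidd@       S13partmon@    S25haldaemon@   S56ntpd@         S99local@
K59pand@       S14nfslock@    S30dm@          S56rawdevices@
S01udev@       S15cups@       S40atd@         S56xinetd@
S03iptables@   S17alsa@       S40smartd@      S61xprint@'

# start_order LISTING: print the S??name start links one per line in the order
# init runs them (two-digit prefix, then name). K* (kill) links are ignored and
# the "@" symlink marker that `ls -F` appends is dropped.
start_order() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | sed 's/@$//' \
        | grep '^S[0-9][0-9]' | LC_ALL=C sort
}

# start_position LISTING SERVICE: 1-based rank of SERVICE in the start order,
# or nothing at all if the service has no S* link (it is never started).
start_position() {
    start_order "$1" | awk -v svc="$2" 'substr($0, 4) == svc { print NR; exit }'
}

# starts_before LISTING A B: succeed only if both services are started and A
# runs before B.
starts_before() {
    a=$(start_position "$1" "$2")
    b=$(start_position "$1" "$3")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# check_boot_order LISTING: one line per ordering check; returns non-zero if
# any of them fails (service missing or misordered).
check_boot_order() {
    listing=$1
    rc=0
    for pair in "network shorewall" "iptables shorewall" "shorewall ez-ipupdate"; do
        set -- $pair
        if starts_before "$listing" "$1" "$2"; then
            echo "ok:   $1 starts before $2"
        else
            echo "FAIL: $1 does not start before $2 (missing or misordered)"
            rc=1
        fi
    done
    return $rc
}

check_boot_order "$RC5_LISTING"
```

For Raph's listing all three checks pass, so the order of the init links is not what is wrong here. Note that the `@` suffix only says each entry is a symlink; whether the link target is executable is a separate question (`test -x /etc/rc5.d/S50shorewall`), which lolotux raises later in the thread.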
Re: I have to restart shorewall after rebooting the PC
Posted by: lolotux

Can you give us the version: shorewall version
And run: /etc/init.d/shorewall check

Next, putting things in order, what does the ez-ipupdate script do?
S50shorewall@
S55ez-ipupdate@ <-----
S55sshd@
S56ntpd@
S95kheader@
S99local@
S56rawdevices@
S56xinetd@
S61xprint@
S75keytable@
S90crond@


Posted on Thursday 2 March 2006 00:33:40
Re: I have to restart shorewall after rebooting the PC
Posted by: lolotux

Well, apparently ez-ipupdate is a tool for dynamic addresses...


Posted on Thursday 2 March 2006 00:52:39
Re: I have to restart shorewall after rebooting the PC
Posted by: Raph

You're right about ez-ipupdate!
The Shorewall version is 2.0.17.
Any idea?

Posted on Thursday 2 March 2006 08:29:57
Re: I have to restart shorewall after rebooting the PC
Posted by: lolotux

Oh? Me too!
#shorewall version
2.0.17
I'm thinking of something silly... is /etc/rc5.d/S**shorewall executable?
If so, can you then show us your scripts: /etc/shorewall/rules, interfaces, zone, start, stop, stopped, init..



Posted on Thursday 2 March 2006 17:57:03
Re: I have to restart shorewall after rebooting the PC
Posted by: Raph

The file /etc/rc5.d/S**shorewall is indeed executable.
Here are my scripts:
cat init
############################################################################
# Shorewall 2.0 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#

cat stopped
############################################################################
# Shorewall 2.0 -- /etc/shorewall/stopped
#
# Add commands below that you want to be executed at the completion of a
# "shorewall stop" command.
#

cat stop
############################################################################
# Shorewall 2.0 -- /etc/shorewall/stop
#
# Add commands below that you want to be executed at the beginning of a
# "shorewall stop" command.
#

cat start
############################################################################
# Shorewall 2.0 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after shorewall has
# been started or restarted.
#

cat zones
#
# Shorewall 2.0 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#       ZONE            Short name of the zone (5 Characters or less in length).
#       DISPLAY         Display name of the zone
#       COMMENTS        Comments about the zone
#
# THE ORDER OF THE ENTRIES IN THIS FILE IS IMPORTANT IF YOU HAVE NESTED OR
# OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
#
# See [www.shorewall.net]
#
#ZONE   DISPLAY         COMMENTS
net     Net     Internet zone
loc     Local   Local
vpn     Vpnpptp Vpn avec protocole pptp
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

cat interfaces
#
# Shorewall 2.0 -- Interfaces File
#
# /etc/shorewall/interfaces
#
#       You must add an entry in this file for each network interface on your
#       firewall system.
#
# Columns are:
#
#       ZONE            Zone for this interface. Must match the short name
#                       of a zone defined in /etc/shorewall/zones.
#
#                       If the interface serves multiple zones that will be
#                       defined in the /etc/shorewall/hosts file, you should
#                       place "-" in this column.
#
#       INTERFACE       Name of interface. Each interface may be listed only
#                       once in this file. You may NOT specify the name of
#                       an alias (e.g., eth0:0) here; see
#                       [www.shorewall.net]
#
#                       You may specify wildcards here. For example, if you
#                       want to make an entry that applies to all PPP
#                       interfaces, use 'ppp+'.
#
#                       There is no need to define the loopback interface (lo)
#                       in this file.
#
#       BROADCAST       The broadcast address for the subnetwork to which the
#                       interface belongs. For P-T-P interfaces, this
#                       column is left blank. If the interface has multiple
#                       addresses on multiple subnets then list the broadcast
#                       addresses as a comma-separated list.
#
#                       If you use the special value "detect", the firewall
#                       will detect the broadcast address for you. If you
#                       select this option, the interface must be up before
#                       the firewall is started, you must have iproute
#                       installed.
#
#                       If you don't want to give a value for this column but
#                       you want to enter a value in the OPTIONS column, enter
#                       "-" in this column.
#
#       OPTIONS         A comma-separated list of options including the
#                       following:
#
#                       dhcp         - Specify this option when any of
#                                      the following are true:
#                                      1. the interface gets its IP address
#                                         via DHCP
#                                      2. the interface is used by
#                                         a DHCP server running on the firewall
#                                      3. you have a static IP but are on a LAN
#                                         segment with lots of Laptop DHCP
#                                         clients.
#                                      4. the interface is a bridge with
#                                         a DHCP server on one port and DHCP
#                                         clients on another port.
#
#                       norfc1918    - This interface should not receive
#                                      any packets whose source is in one
#                                      of the ranges reserved by RFC 1918
#                                      (i.e., private or "non-routable"
#                                      addresses). If packet mangling or
#                                      connection-tracking match is enabled in
#                                      your kernel, packets whose destination
#                                      addresses are reserved by RFC 1918 are
#                                      also rejected.
#
#                       nobogons    -  This interface should not receive
#                                      any packets whose source is in one
#                                      of the ranges reserved by IANA (this
#                                      option does not cover those ranges
#                                      reserved by RFC 1918 -- see above).
#
#                       routefilter  - turn on kernel route filtering for this
#                                      interface (anti-spoofing measure). This
#                                      option can also be enabled globally in
#                                      the /etc/shorewall/shorewall.conf file.
#
#                       blacklist    - Check packets arriving on this interface
#                                      against the /etc/shorewall/blacklist
#                                      file.
#
#                       maclist      - Connection requests from this interface
#                                      are compared against the contents of
#                                      /etc/shorewall/maclist. If this option
#                                      is specified, the interface must be
#                                      an ethernet NIC and must be up before
#                                      Shorewall is started.
#
#                       tcpflags     - Packets arriving on this interface are
#                                      checked for certain illegal combinations
#                                      of TCP flags. Packets found to have
#                                      such a combination of flags are handled
#                                      according to the setting of
#                                      TCP_FLAGS_DISPOSITION after having been
#                                      logged according to the setting of
#                                      TCP_FLAGS_LOG_LEVEL.
#
#                       proxyarp     -
#                               Sets
#                               /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
#                               Do NOT use this option if you are
#                               employing Proxy ARP through entries in
#                               /etc/shorewall/proxyarp. This option is
#                               intended solely for use with Proxy ARP
#                               sub-networking as described at:
#                               [www.tldp.org]
#
#                       newnotsyn    - TCP packets that don't have the SYN
#                                      flag set and which are not part of an
#                                      established connection will be accepted
#                                      from this interface, even if
#                                      NEWNOTSYN=No has been specified in
#                                      /etc/shorewall/shorewall.conf. In other
#                                      words, packets coming in on this interface
#                                      are processed as if NEWNOTSYN=Yes had been
#                                      specified in /etc/shorewall/shorewall.conf.
#
#                                      This option has no effect if
#                                      NEWNOTSYN=Yes.
#
#                                      It is the opinion of the author that
#                                      NEWNOTSYN=No creates more problems than
#                                      it solves and I recommend against using
#                                      that setting in shorewall.conf (hence
#                                      making the use of the 'newnotsyn'
#                                      interface option unnecessary).
#
#                       routeback    - If specified, indicates that Shorewall
#                                      should include rules that allow filtering
#                                      traffic arriving on this interface back
#                                      out that same interface.
#
#                       arp_filter   - If specified, this interface will only
#                                      respond to ARP who-has requests for IP
#                                      addresses configured on the interface.
#                                      If not specified, the interface can
#                                      respond to ARP who-has requests for
#                                      IP addresses on any of the firewall's
#                                      interface. The interface must be up
#                                      when Shorewall is started.
#
#                       nosmurfs     - Filter packets for smurfs
#                                      (packets with a broadcast
#                                      address as the source).
#
#                                      Smurfs will be optionally logged based
#                                      on the setting of SMURF_LOG_LEVEL in
#                                      shorewall.conf. After logging, the
#                                      packets are dropped.
#
#                       detectnets   - Automatically tailors the zone named
#                                      in the ZONE column to include only those
#                                      hosts routed through the interface.
#
#                       WARNING: DO NOT SET THE detectnets OPTION ON YOUR
#                                INTERNET INTERFACE.
#
#                       The order in which you list the options is not
#                       significant but the list should have no embedded white
#                       space.
#
#       Example 1:      Suppose you have eth0 connected to a DSL modem and
#                       eth1 connected to your local network and that your
#                       local subnet is 192.168.1.0/24. The interface gets
#                       its IP address via DHCP from subnet
#                       206.191.149.192/27. You have a DMZ with subnet
#                       192.168.2.0/24 using eth2.
#
#                       Your entries for this setup would look like:
#
#                       net     eth0    206.191.149.223 dhcp
#                       local   eth1    192.168.1.255
#                       dmz     eth2    192.168.2.255
#
#       Example 2:      The same configuration without specifying broadcast
#                       addresses is:
#
#                       net     eth0    detect          dhcp
#                       loc     eth1    detect
#                       dmz     eth2    detect
#
#       Example 3:      You have a simple dial-in system with no ethernet
#                       connections.
#
#                       net     ppp0    -
##############################################################################
#ZONE    INTERFACE      BROADCAST       OPTIONS
#
net     eth0    detect
loc     eth1    detect
vpn     ppp+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

cat rules
#
# Shorewall version 2.0 - Rules File
#
# /etc/shorewall/rules
#
#       Rules in this file govern connection establishment. Requests and
#       responses are automatically allowed using connection tracking. For any
#       particular (source,dest) pair of zones, the rules are evaluated in the
#       order in which they appear in this file and the first match is the one
#       that determines the disposition of the request.
#
#       In most places where an IP address or subnet is allowed, you
#       can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
#       indicate that the rule matches all addresses except the address/subnet
#       given. Notice that no white space is permitted between "!" and the
#       address/subnet.
#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
#          you cannot use an ACCEPT rule to allow traffic from the internet to
#          that system. You *must* use a DNAT rule instead.
#-------------------------------------------------------------------------------#
# Columns are:
#
#       ACTION          ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
#                       LOG, QUEUE or an <action>.
#
#                               ACCEPT   -- allow the connection request
#                               ACCEPT+  -- like ACCEPT but also excludes the
#                                           connection from any subsequent
#                                           DNAT[-] or REDIRECT[-] rules
#                               NONAT    -- Excludes the connection from any
#                                           subsequent DNAT[-] or REDIRECT[-]
#                                           rules but doesn't generate a rule
#                                           to accept the traffic.
#                               DROP     -- ignore the request
#                               REJECT   -- disallow the request and return an
#                                           icmp-unreachable or an RST packet.
#                               DNAT     -- Forward the request to another
#                                           system (and optionally another
#                                           port).
#                               DNAT-    -- Advanced users only.
#                                           Like DNAT but only generates the
#                                           DNAT iptables rule and not
#                                           the companion ACCEPT rule.
#                               REDIRECT -- Redirect the request to a local
#                                           port on the firewall.
#                               REDIRECT-
#                                        -- Advanced users only.
#                                           Like REDIRECT but only generates the
#                                           REDIRECT iptables rule and not
#                                           the companion ACCEPT rule.
#
#                               CONTINUE -- (For experts only). Do not process
#                                           any of the following rules for this
#                                           (source zone,destination zone). If
#                                           The source and/or destination IP
#                                           address falls into a zone defined
#                                           later in /etc/shorewall/zones, this
#                                           connection request will be passed
#                                           to the rules defined for that
#                                           (those) zone(s).
#                               LOG      -- Simply log the packet and continue.
#                               QUEUE    -- Queue the packet to a user-space
#                                           application such as ftwall
#                                           (http://p2pwall.sf.net).
#                               <action> -- The name of an action defined in
#                                           /etc/shorewall/actions or in
#                                           /usr/share/shorewall/actions.std.
#
#                       The ACTION may optionally be followed
#                       by ":" and a syslog log level (e.g, REJECT:info or
#                       DNAT:debug). This causes the packet to be
#                       logged at the specified level.
#
#                       You may also specify ULOG (must be in upper case) as a
#                       log level. This will log to the ULOG target for routing
#                       to a separate log through use of ulogd
#                       (http://www.gnumonks.org/projects/ulogd).
#
#                       Actions specifying logging may be followed by a
#                       log tag (a string of alphanumeric characters)
#                       which is appended to the string generated by the
#                       LOGPREFIX (in /etc/shorewall/shorewall.conf).
#
#                       Example: ACCEPT:info:ftp would include 'ftp '
#                       at the end of the log prefix generated by the
#                       LOGPREFIX setting.
#
#       SOURCE          Source hosts to which the rule applies. May be a zone
#                       defined in /etc/shorewall/zones, $FW to indicate the
#                       firewall itself, or "all". If the ACTION is DNAT or
#                       REDIRECT, sub-zones of the specified zone may be
#                       excluded from the rule by following the zone name with
#                       "!" and a comma-separated list of sub-zone names.
#
#                       When "all" is used either in the SOURCE or DEST column
#                       intra-zone traffic is not affected. You must add
#                       separate rules to handle that traffic.
#
#                       Except when "all" is specified, clients may be further
#                       restricted to a list of subnets and/or hosts by
#                       appending ":" and a comma-separated list of subnets
#                       and/or hosts. Hosts may be specified by IP or MAC
#                       address; mac addresses must begin with "~" and must use
#                       "-" as a separator.
#
#                       dmz:192.168.2.2         Host 192.168.2.2 in the DMZ
#
#                       net:155.186.235.0/24    Subnet 155.186.235.0/24 on the
#                                               Internet
#
#                       loc:192.168.1.1,192.168.1.2
#                                               Hosts 192.168.1.1 and
#                                               192.168.1.2 in the local zone.
#                       loc:~00-A0-C9-15-39-78  Host in the local zone with
#                                               MAC address 00:A0:C9:15:39:78.
#
#                       Alternatively, clients may be specified by interface
#                       by appending ":" to the zone name followed by the
#                       interface name. For example, loc:eth1 specifies a
#                       client that communicates with the firewall system
#                       through eth1. This may be optionally followed by
#                       another colon (":") and an IP/MAC/subnet address
#                       as described above (e.g., loc:eth1:192.168.1.5).
#
#       DEST            Location of Server. May be a zone defined in
#                       /etc/shorewall/zones, $FW to indicate the firewall
#                       itself or "all"
#
#                       When "all" is used either in the SOURCE or DEST column
#                       intra-zone traffic is not affected. You must add
#                       separate rules to handle that traffic.
#
#                       Except when "all" is specified, the server may be
#                       further restricted to a particular subnet, host or
#                       interface by appending ":" and the subnet, host or
#                       interface. See above.
#
#                               Restrictions:
#
#                               1. MAC addresses are not allowed.
#                               2. In DNAT rules, only IP addresses are
#                                  allowed; no FQDNs or subnet addresses
#                                  are permitted.
#                               3. You may not specify both an interface and
#                                  an address.
#
#                       Unlike in the SOURCE column, you may specify a range of
#                       up to 256 IP addresses using the syntax
#                       <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
#                       the connections will be assigned to addresses in the
#                       range in a round-robin fashion.
#
#                       The port that the server is listening on may be
#                       included and separated from the server's IP address by
#                       ":". If omitted, the firewall will not modify the
#                       destination port. A destination port may only be
#                       included if the ACTION is DNAT or REDIRECT.
#
#                       Example: loc:192.168.1.3:3128 specifies a local
#                       server at IP address 192.168.1.3 and listening on port
#                       3128. The port number MUST be specified as an integer
#                       and not as a name from /etc/services.
#
#                       If the ACTION is REDIRECT, this column needs only to
#                       contain the port number on the firewall that the
#                       request should be redirected to.
#
#       PROTO           Protocol - Must be "tcp", "udp", "icmp", a number, or
#                       "all".
#
#       DEST PORT(S)    Destination Ports. A comma-separated list of Port
#                       names (from /etc/services), port numbers or port
#                       ranges; if the protocol is "icmp", this column is
#                       interpreted as the destination icmp-type(s).
#
#                       A port range is expressed as <low port>:<high port>.
#
#                       This column is ignored if PROTOCOL = all but must be
#                       entered if any of the following fields are supplied.
#                       In that case, it is suggested that this field contain
#                        "-"
#
#                       If your kernel contains multi-port match support, then
#                       only a single Netfilter rule will be generated if in
#                       this list and the CLIENT PORT(S) list below:
#                       1. There are 15 or less ports listed.
#                       2. No port ranges are included.
#                       Otherwise, a separate rule will be generated for each
#                       port.
#
#       CLIENT PORT(S)  (Optional) Port(s) used by the client. If omitted,
#                       any source port is acceptable. Specified as a comma-
#                       separated list of port names, port numbers or port
#                       ranges.
#
#                       If you don't want to restrict client ports but need to
#                       specify an ADDRESS in the next column, then place "-"
#                       in this column.
#
#                       If your kernel contains multi-port match support, then
#                       only a single Netfilter rule will be generated if in
#                       this list and the DEST PORT(S) list above:
#                       1. There are 15 or less ports listed.
#                       2. No port ranges are included.
#                       Otherwise, a separate rule will be generated for each
#                       port.
#
#       ORIGINAL DEST   (Optional -- only allowed if ACTION is DNAT[-] or
#                       REDIRECT[-]) If included and different from the IP
#                       address given in the SERVER column, this is an address
#                       on some interface on the firewall and connections to
#                       that address will be forwarded to the IP and port
#                       specified in the DEST column.
#
#                       A comma-separated list of addresses may also be used.
#                       This is usually most useful with the REDIRECT target
#                       where you want to redirect traffic destined for
#                       particular set of hosts.
#
#                       Finally, if the list of addresses begins with "!" then
#                       the rule will be followed only if the original
#                       destination address in the connection request does not
#                       match any of the addresses listed.
#
#                       The address (list) may optionally be followed by
#                       a colon (":") and a second IP address. This causes
#                       Shorewall to use the second IP address as the source
#                       address in forwarded packets. See the Shorewall
#                       documentation for restrictions concerning this feature.
#                       If no source IP address is given, the original source
#                       address is not altered.
#
#       RATE LIMIT      You may rate-limit the rule by placing a value in
#                       this column:
#
#                               <rate>/<interval>[:<burst>]
#
#                       where <rate> is the number of connections per
#                       <interval> ("sec" or "min") and <burst> is the
#                       largest burst permitted. If no <burst> is given,
#                       a value of 5 is assumed. There may be no
#                       whitespace embedded in the specification.
#
#                               Example: 10/sec:20
#
#       USER/GROUP      This column may only be non-empty if the SOURCE is
#                       the firewall itself.
#
#                       The column may contain:
#
#                          [!][<user name or number>][:<group name or number>]
#
#                       When this column is non-empty, the rule applies only
#                       if the program generating the output is running under
#                       the effective <user> and/or <group> specified (or is
#                       NOT running under that id if "!" is given).
#
#                       Examples:
#
#                               joe     #program must be run by joe
#                               :kids   #program must be run by a member of
#                                       #the 'kids' group
#                               !:kids  #program must not be run by a member
#                                       #of the 'kids' group
#
#       Example: Accept SMTP requests from the DMZ to the internet
#
#       #ACTION SOURCE  DEST PROTO      DEST    SOURCE  ORIGINAL
#       #                               PORT    PORT(S) DEST
#       ACCEPT  dmz     net       tcp   smtp
#
#       Example: Forward all ssh and http connection requests from the internet
#                to local system 192.168.1.3
#
#       #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
#       #                                       PORT    PORT(S) DEST
#       DNAT    net     loc:192.168.1.3 tcp     ssh,http
#
#       Example: Forward all http connection requests from the internet
#                to local system 192.168.1.3 with a limit of 3 per second and
#                a maximum burst of 10
#
#       #ACTION         SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
#       #                                               PORT    PORT(S) DEST
#       DNAT<3/sec:10>  net     loc:192.168.1.3 tcp     http
#
#       Example: Redirect all locally-originating www connection requests to
#                port 3128 on the firewall (Squid running on the firewall
#                system) except when the destination address is 192.168.2.2
#
#       #ACTION  SOURCE DEST      PROTO DEST    SOURCE  ORIGINAL
#       #                               PORT    PORT(S) DEST
#       REDIRECT loc    3128      tcp   www      -      !192.168.2.2
#
#       Example: All http requests from the internet to address
#                130.252.100.69 are to be forwarded to 192.168.1.3
#
#       #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
#       #                                       PORT    PORT(S) DEST
#       DNAT      net   loc:192.168.1.3 tcp     80      -       130.252.100.69
#
#       Example: You want to accept SSH connections to your firewall only
#                from internet IP addresses 130.252.100.69 and 130.252.100.70
#
#       #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
#       #                                       PORT    PORT(S) DEST
#       ACCEPT   net:130.252.100.69,130.252.100.70 fw \
#                                       tcp     22
####################################################################################################
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER/
#                                               PORT    PORT(S)    DEST         LIMIT           GROUP

####################################################################################################
# PORTS OPENED ON THE LOCAL NETWORK
####################################################################################################

# Open the FTP ports
#ACCEPT  loc     fw      tcp     20,21   -

# Open the SSH port
#ACCEPT  loc     fw      tcp     22     -

# Open the VNC ports
#ACCEPT loc     fw      tcp     5901,5902       -

# Open the Webmin port
#ACCEPT  loc     fw      tcp     10000   -

# Open the amuleCMD port
#ACCEPT loc     fw      tcp     4712    -

# Allow ping
#ACCEPT loc     fw      icmp    8       -

####################################################################################################
# PORTS OPENED TO THE INTERNET
####################################################################################################

# Open the ports for the PPTP VPN server
ACCEPT  net     fw      tcp     1723    -
ACCEPT  net     fw      udp     1723    -
ACCEPT  net     fw      udp     500     -

# Open the ports for eMule
#ACCEPT net     fw      tcp     4242    -
#ACCEPT net     fw      udp     4241    -
#ACCEPT fw      net     tcp     4241    -
#ACCEPT fw      net     udp     4245    -
#ACCEPT net     fw      tcp     4291    -

# Open the FTP ports
#ACCEPT net     fw      tcp     20,21   -

# Open the SSH port
ACCEPT  net     fw      tcp     22      -

# AMSN
#ACCEPT net     fw      tcp     1863    -

# Open the VNC port
#ACCEPT net     fw      tcp     5901    -

# Open the Webmin port
#ACCEPT  net     fw      tcp     10000   -

####################################################################################################
# PORTS OPENED ON THE PPTP VPN
####################################################################################################

# Open the FTP ports
ACCEPT  vpn     fw     tcp     20,21    -

# Open the SSH port
ACCEPT  vpn     fw     tcp     22       -

# Open the VNC port
ACCEPT  vpn     fw     tcp     5901     -

# Open the Webmin port
ACCEPT  vpn     fw     tcp     10000   -

# Allow ping
ACCEPT  vpn     fw     icmp     8       -

# Web Filemanager
ACCEPT  vpn     fw      tcp     19002   -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

There you go! There's quite a bit of useless stuff in the rules file, I need to do some cleaning....
What do you think?

Posted on Thursday 2 March 2006 21:46:14


Unless otherwise stated, the documentation published here is licensed under Creative Commons