Hi Tom,

I tried adding the command; however, my Shorewall is unable to recognize
the iptables command. I get the error below. I am using version 4.6.0.3.

IPTABLES(CT --zone 1)   eth3            -

# shorewall restart

Compiling...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Compiling /etc/shorewall/hosts...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/masq...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/conntrack...
   ERROR: Invalid conntrack ACTION ( IPTABLES(CT --zone 1) ) /etc/shorewall/conntrack (line 24)

Thanks,
Naveen

On Wed, Jul 11, 2018 at 11:29 AM, Tom Eastep <teas...@shorewall.net> wrote:

> On 07/10/2018 12:32 PM, Naveen Neelakanta wrote:
> > Hi All,
> >
> > How can I achieve the zone-based connection tracking below using
> > Shorewall, so that a new connection entry gets created when the traffic
> > is routed to another internet interface?
> >
> > These are the manually added commands:
> > iptables -A PREROUTING -i eth3 -j CT --zone 1 -t raw
> > iptables -A OUTPUT -o eth3 -j CT --zone 1 -t raw
> >
> > cat /proc/net/nf_conntrack | grep zone= | grep 192.168.103.1 | grep 192.168.55.1
> > ipv4     2 icmp     1 29 src=192.168.55.1 dst=192.168.103.1 type=8
> > code=0 id=4391 src=192.168.103.1 dst=192.168.103.2 type=0 code=0 id=4391
> > mark=0 zone=1
> >
> >
> > I have the existing zones configured as below.
> >
> > # cat /etc/shorewall/zones
> > #ZONE   TYPE        OPTIONS     IN          OUT
> > #                   OPTIONS         OPTIONS
> > fw     firewall
> > lan    ipv4
> > vpn    ipsec
> > inet   ipv4
> >
> > # cat /etc/shorewall/interfaces
> > #ZONE     INTERFACE       OPTIONS
> > lan     eth4            detect          tcpflags,nosmurfs,logmartians
> > inet     eth5            detect          tcpflags,nosmurfs,logmartians
> > inet     eth3            detect          tcpflags,nosmurfs,logmartians
> > lan     eth0            detect          tcpflags,nosmurfs,logmartians
> >
>
> In /etc/shorewall/conntrack:
>
> IPTABLES(CT --zone 1)   eth3            -
> IPTABLES(CT --zone 1):O 0.0.0.0/0       eth3
>
> -Tom
> --
> Tom Eastep        \   Q: What do you get when you cross a mobster with
> Shoreline,         \     an international standard?
> Washington, USA     \ A: Someone who makes you an offer you can't
> http://shorewall.org \   understand
>                       \_______________________________________________
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
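As an added example (not part of this thread, and not Shorewall's own code), here is a small Python parser for the /proc/net/nf_conntrack lines that the grep pipeline above searches through. It separates the two src=/dst= pairs into the original and reply tuples, which is what makes NAT visible (the entry quoted in the thread has a reply dst of 192.168.103.2 while the original src is 192.168.55.1, i.e. the flow was masqueraded), reads the zone= field, and treats a missing zone= as the default zone 0, since the kernel only prints the field for non-zero zones. The first sample line is the entry quoted in the thread; the tcp and udp lines are constructed, as are the function names.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample table. The first line is the entry quoted in this thread;
# the tcp and udp lines are made up for illustration (RFC 5737 addresses).
SAMPLE_TABLE = """\
ipv4     2 icmp     1 29 src=192.168.55.1 dst=192.168.103.1 type=8 code=0 id=4391 src=192.168.103.1 dst=192.168.103.2 type=0 code=0 id=4391 mark=0 zone=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.55.10 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=198.51.100.2 sport=443 dport=51234 [ASSURED] mark=0 zone=1 use=2
ipv4     2 udp      17 29 src=192.168.55.10 dst=192.168.55.1 sport=40000 dport=53 [UNREPLIED] src=192.168.55.1 dst=192.168.55.10 sport=53 dport=40000 mark=0 use=1
"""

# Trailing per-entry fields; everything else belongs to the original or reply tuple.
META_KEYS = {"mark", "zone", "zone-orig", "zone-reply", "use", "secctx", "helper", "delta-time"}


@dataclass
class Flow:
    l3proto: str
    l4proto: str
    timeout: int
    state: Optional[str]          # TCP state such as ESTABLISHED; None for icmp/udp
    original: Dict[str, str]      # tuple as seen on the way in
    reply: Dict[str, str]         # tuple the reply packets are expected to carry
    flags: List[str]              # ASSURED, UNREPLIED, ...
    zone: int                     # conntrack zone; 0 when the kernel prints no zone=
    mark: int

    @property
    def snat(self) -> bool:
        # Source NAT shows up as the reply tuple's dst differing from the original src.
        return self.original.get("src") != self.reply.get("dst")

    @property
    def dnat(self) -> bool:
        # Destination NAT shows up as the reply tuple's src differing from the original dst.
        return self.original.get("dst") != self.reply.get("src")


def parse_line(line: str) -> Flow:
    tokens = line.split()
    l3proto, _l3num, l4proto, _l4num, timeout = tokens[:5]
    idx = 5
    state = None
    # A bare token right after the timeout (no '=' and not bracketed) is the TCP state.
    if idx < len(tokens) and "=" not in tokens[idx] and not tokens[idx].startswith("["):
        state = tokens[idx]
        idx += 1
    original: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    meta: Dict[str, str] = {}
    flags: List[str] = []
    current = original
    for tok in tokens[idx:]:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key in META_KEYS:
            meta[key] = value
            continue
        # The second src= starts the reply tuple.
        if key == "src" and current is original and "src" in original:
            current = reply
        current[key] = value
    return Flow(l3proto, l4proto, int(timeout), state, original, reply, flags,
                int(meta.get("zone", "0")), int(meta.get("mark", "0")))


def parse_table(text: str) -> List[Flow]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def flows_in_zone(flows: List[Flow], zone: int) -> List[Flow]:
    return [f for f in flows if f.zone == zone]


def flows_between(flows: List[Flow], a: str, b: str) -> List[Flow]:
    # Same question the grep pipeline in the thread asks: entries that involve both
    # addresses, in either direction and in either tuple.
    def addrs(f: Flow):
        return {f.original.get("src"), f.original.get("dst"), f.reply.get("src"), f.reply.get("dst")}
    return [f for f in flows if {a, b} <= addrs(f)]


if __name__ == "__main__":
    for f in parse_table(SAMPLE_TABLE):
        print(f"{f.l4proto:5} zone={f.zone} {f.original.get('src')} -> {f.original.get('dst')}"
              f" snat={f.snat} dnat={f.dnat} flags={f.flags}")
```

To run it against a live system, replace SAMPLE_TABLE with the contents of /proc/net/nf_conntrack (root is needed to read it). Checking flows_in_zone(..., 0) after the CT rule is in place is a quick way to confirm that nothing arriving on eth3 is still being tracked in the default zone.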