On 8/5/20 8:03 AM, colony.three--- via Shorewall-users wrote:
> I have struggled for days to make this work but admit I am soundly defeated.
> 
> My goal is to dnat two cameras through an Odroid N2+.  But I can't even
> get a basic ACCEPT to work on ports 80 or 443.  I can't understand what
> is wrong.  Dump is attached.  Sure hope the boss is still around.
> 
> [Tue Jan 30 17:39:29 2018] net-fw DROP IN=eth0 OUT=
> MAC=00:1e:06:42:5b:57:fc:aa:14:71:ef:47:08:00 SRC=10.2.1.4
> DST=10.2.1.106 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=8197 DF PROTO=TCP
> SPT=28086 DPT=51554 WINDOW=29200 RES=0x00 SYN URGP=0
> [Tue Jan 30 17:39:30 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:dc:9f:db:1a:a0:1a:08:00 SRC=10.2.20.31
> DST=10.2.20.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=10986 DF PROTO=UDP
> SPT=53625 DPT=53 LEN=45
> [Tue Jan 30 17:39:30 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:dc:9f:db:1a:a0:1a:08:00 SRC=10.2.20.31
> DST=10.2.20.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=10987 DF PROTO=UDP
> SPT=57493 DPT=53 LEN=45
> [Tue Jan 30 17:39:30 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:dc:9f:db:1a:a0:1a:08:00 SRC=10.2.20.31
> DST=10.2.20.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=10988 DF PROTO=UDP
> SPT=40352 DPT=53 LEN=45
> [Tue Jan 30 17:39:31 2018] net-fw DROP IN=eth0 OUT=
> MAC=00:1e:06:42:5b:57:fc:aa:14:71:ef:47:08:00 SRC=10.2.1.4
> DST=10.2.1.106 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=10546 DF PROTO=TCP
> SPT=28190 DPT=51554 WINDOW=29200 RES=0x00 SYN URGP=0
> [Tue Jan 30 17:39:32 2018] net-fw DROP IN=eth0 OUT=
> MAC=00:1e:06:42:5b:57:fc:aa:14:71:ef:47:08:00 SRC=10.2.1.4
> DST=10.2.1.106 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=10547 DF PROTO=TCP
> SPT=28190 DPT=51554 WINDOW=29200 RES=0x00 SYN URGP=0
> [Tue Jan 30 17:39:32 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44808 DF PROTO=UDP
> SPT=48844 DPT=53 LEN=52
> [Tue Jan 30 17:39:32 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44809 DF PROTO=UDP
> SPT=60419 DPT=53 LEN=52
> [Tue Jan 30 17:39:32 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44810 DF PROTO=UDP
> SPT=45791 DPT=53 LEN=52
> [Tue Jan 30 17:39:32 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44811 DF PROTO=UDP
> SPT=32787 DPT=53 LEN=52
> [Tue Jan 30 17:39:34 2018] net-fw DROP IN=eth0 OUT=
> MAC=01:00:5e:00:00:01:00:eb:d5:61:fb:60:08:00 SRC=0.0.0.0 DST=224.0.0.1
> LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
> [Tue Jan 30 17:39:34 2018] net-fw DROP IN=eth0 OUT=
> MAC=01:00:5e:00:00:01:00:eb:d5:61:fb:60:08:00 SRC=0.0.0.0 DST=224.0.0.1
> LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
> [Tue Jan 30 17:39:34 2018] net-fw DROP IN=eth0 OUT=
> MAC=00:1e:06:42:5b:57:fc:aa:14:71:ef:47:08:00 SRC=10.2.1.4
> DST=10.2.1.106 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=10548 DF PROTO=TCP
> SPT=28190 DPT=51554 WINDOW=29200 RES=0x00 SYN URGP=0
> [Tue Jan 30 17:39:38 2018] net-fw DROP IN=eth0 OUT=
> MAC=00:1e:06:42:5b:57:fc:aa:14:71:ef:47:08:00 SRC=10.2.1.4
> DST=10.2.1.106 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=10549 DF PROTO=TCP
> SPT=28190 DPT=51554 WINDOW=29200 RES=0x00 SYN URGP=0
> [Tue Jan 30 17:39:39 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44884 DF PROTO=UDP
> SPT=56118 DPT=53 LEN=52
> [Tue Jan 30 17:39:39 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44885 DF PROTO=UDP
> SPT=47795 DPT=53 LEN=52
> [Tue Jan 30 17:39:39 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44886 DF PROTO=UDP
> SPT=60806 DPT=53 LEN=52
> [Tue Jan 30 17:39:39 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44887 DF PROTO=UDP
> SPT=53807 DPT=53 LEN=52
> [Tue Jan 30 17:39:45 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:dc:9f:db:1a:a0:1a:08:00 SRC=10.2.20.31
> DST=10.2.20.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=25988 DF PROTO=UDP
> SPT=60181 DPT=53 LEN=45
> [Tue Jan 30 17:39:45 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:dc:9f:db:1a:a0:1a:08:00 SRC=10.2.20.31
> DST=10.2.20.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=25989 DF PROTO=UDP
> SPT=51672 DPT=53 LEN=45
> [Tue Jan 30 17:39:45 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:dc:9f:db:1a:a0:1a:08:00 SRC=10.2.20.31
> DST=10.2.20.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=25990 DF PROTO=UDP
> SPT=54680 DPT=53 LEN=45
> [Tue Jan 30 17:39:46 2018] net-fw DROP IN=eth0 OUT=
> MAC=00:1e:06:42:5b:57:fc:aa:14:71:ef:47:08:00 SRC=10.2.1.4
> DST=10.2.1.106 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=10550 DF PROTO=TCP
> SPT=28190 DPT=51554 WINDOW=29200 RES=0x00 SYN URGP=0
> [Tue Jan 30 17:39:49 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=45506 DF PROTO=UDP
> SPT=38509 DPT=53 LEN=52
> [Tue Jan 30 17:39:49 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=45507 DF PROTO=UDP
> SPT=35424 DPT=53 LEN=52
> [Tue Jan 30 17:39:49 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=45508 DF PROTO=UDP
> SPT=38172 DPT=53 LEN=52
> [Tue Jan 30 17:39:49 2018] local-fw REJECT IN=eth1 OUT=
> MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
> DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=45509 DF PROTO=UDP
> SPT=60454 DPT=53 LEN=52
> 
> 

The messages above (with the exception of the first one) are the result
of there being no DNS ACCEPT rule from local to fw. There is a DNAT rule
from net->local -- I assume that is the camera rule, but there has been
no traffic incoming to TCP port 5180 since the firewall was reloaded.
The dates in the dump are not credible since the firewall script was
just compiled (Aug 2 13:56:35 PDT 2020), but the current date is shown
as January 30, 2018 (also shown in the messages above). I am guessing
that this box is running Shorewall-lite and the firewall script was
created on another system? If so, it looks like the firewall has been up
for 18+ minutes but the packet counter on the DNAT rule is still at
zero. The firewall can't route packets that are not sent to it.

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                      \________________________________________
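The diagnosis above rests on reading the log prefix (`local-fw REJECT`, `net-fw DROP`) as zone pair plus disposition and then asking which policy-level denials point at a missing rule. The Python script below is an added example, not code from this thread or from the Shorewall project: it re-joins records that a mail client wrapped across lines, tallies denials by chain, disposition, protocol and destination port, and emits the rules-file line that would permit firewall-bound traffic on a recognised service port. The sample dump is a constructed subset of the lines quoted above; the `<source-zone>-<dest-zone>` chain naming, the `Shorewall:chain:DISPOSITION:` form of the default log prefix, and the DNS/HTTP/HTTPS macro names for ports 53/80/443 are assumptions about a setup like the one discussed.

```python
"""Triage a Shorewall/netfilter log dump: what was denied, and why.

Added example, not code from the thread or from Shorewall. Assumes log
chain names are '<source-zone>-<dest-zone>' (net-fw, local-fw as above)
and that DNS/HTTP/HTTPS are the Shorewall macro names for 53/80/443.
"""
import re
from collections import Counter

# Constructed sample: a subset of the lines quoted in the thread, in the
# wrapped form a mail client produces (one record spans several lines).
SAMPLE_DUMP = """\
[Tue Jan 30 17:39:29 2018] net-fw DROP IN=eth0 OUT=
MAC=00:1e:06:42:5b:57:fc:aa:14:71:ef:47:08:00 SRC=10.2.1.4
DST=10.2.1.106 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=8197 DF PROTO=TCP
SPT=28086 DPT=51554 WINDOW=29200 RES=0x00 SYN URGP=0
[Tue Jan 30 17:39:30 2018] local-fw REJECT IN=eth1 OUT=
MAC=00:e0:4c:68:00:9e:dc:9f:db:1a:a0:1a:08:00 SRC=10.2.20.31
DST=10.2.20.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=10986 DF PROTO=UDP
SPT=53625 DPT=53 LEN=45
[Tue Jan 30 17:39:32 2018] local-fw REJECT IN=eth1 OUT=
MAC=00:e0:4c:68:00:9e:00:1f:54:45:be:07:08:00 SRC=10.2.20.51
DST=10.2.20.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=44808 DF PROTO=UDP
SPT=48844 DPT=53 LEN=52
[Tue Jan 30 17:39:34 2018] net-fw DROP IN=eth0 OUT=
MAC=01:00:5e:00:00:01:00:eb:d5:61:fb:60:08:00 SRC=0.0.0.0 DST=224.0.0.1
LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
"""

# Matches the "chain DISPOSITION" prefix seen in the dump as well as the
# "Shorewall:chain:DISPOSITION:" form of Shorewall's default LOGFORMAT.
RECORD_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?:Shorewall:)?(?P<chain>[\w-]+)[:\s]+'
    r'(?P<disp>DROP|REJECT|ACCEPT):?\s*(?P<kv>.*)$')

SERVICE_MACROS = {'53': 'DNS', '80': 'HTTP', '443': 'HTTPS'}  # assumed names

def unwrap(text):
    """Re-join wrapped records: a record starts with '[timestamp]'; any other
    non-empty line (a leading '> ' quote marker is allowed) continues it."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip('> ').strip()
        if not line:
            continue
        if line.startswith('['):
            records.append(line)
        elif records:
            records[-1] += ' ' + line
    return records

def parse_record(record):
    """Split one unwrapped record into zones, disposition and packet fields."""
    m = RECORD_RE.match(record)
    if not m:
        return None
    fields = {}
    for token in m.group('kv').split():
        key, sep, value = token.partition('=')
        fields[key] = value if sep else True  # bare flags such as DF, SYN
    # UDP records carry LEN twice (IP header, then UDP); the later one wins.
    src_zone, _, dst_zone = m.group('chain').partition('-')
    return {'ts': m.group('ts'), 'chain': m.group('chain'),
            'disposition': m.group('disp'), 'src_zone': src_zone,
            'dst_zone': dst_zone, 'proto': fields.get('PROTO'),
            'src': fields.get('SRC'), 'dst': fields.get('DST'),
            'dport': fields.get('DPT'), 'fields': fields}

def summarize(records):
    """Tally records by (chain, disposition, protocol, destination port)."""
    return Counter((r['chain'], r['disposition'], r['proto'], r['dport'])
                   for r in records)

def suggest_rules(summary):
    """Turn denied, firewall-bound traffic on a known service port into the
    rules-file line that would permit it; other flows are left to a human."""
    rules = []
    for (chain, disp, proto, dport), hits in summary.most_common():
        src_zone, _, dst_zone = chain.partition('-')
        macro = SERVICE_MACROS.get(dport)
        if dst_zone == 'fw' and macro and disp != 'ACCEPT':
            rules.append(f'{macro}(ACCEPT)\t{src_zone}\t$FW'
                         f'\t# {hits} {disp} hits, {proto}/{dport}')
    return rules

def triage(text):
    """Parse a dump; return (records, summary, suggested rules)."""
    records = [r for r in map(parse_record, unwrap(text)) if r]
    summary = summarize(records)
    return records, summary, suggest_rules(summary)

if __name__ == '__main__':
    recs, summary, rules = triage(SAMPLE_DUMP)
    for key, hits in summary.most_common():
        print(hits, *key)
    print(*rules, sep='\n')
```

Run on the constructed sample, the tally shows two `local-fw REJECT` hits on UDP/53 and produces a single `DNS(ACCEPT) local $FW` suggestion, which is the rule the reply says is missing; the `net-fw DROP` on an unassigned high port and the IGMP drop (PROTO=2, no port) are reported but get no rule, since neither maps to a service the firewall is meant to serve. What the log cannot show is the other half of the diagnosis: a DNAT rule whose packet counter stays at zero means the traffic never reached the box, and that is checked in the dump's counters, not in the log.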


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
