# [SOLVED] Shorewall woes: can't block outgoing traffic

## nihilo

I am trying to configure a server with very restrictive policies. I want to allow a few services incoming, and a few outgoing, and deny everything else, but I'm having trouble getting this working with shorewall 3.2.9, which I just installed.

Here are my configs:

```
protempore shorewall # tail -6 zones
###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
```

```
protempore shorewall # tail -4 interfaces
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          norfc1918,routefilter,tcpflags,logmartians,nosmurfs,blacklist
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

```
protempore shorewall # tail -7 policy
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
$FW             net             REJECT          info
net             all             DROP            info
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE
```

And the following is the rules that I'm using:

```
SECTION NEW

#############
## INBOUND ##
#############
Ping/ACCEPT  net $FW
SSH/ACCEPT   net $FW
HTTP/ACCEPT  net $FW
HTTPS/ACCEPT net $FW
SMTP/ACCEPT  net $FW
IMAPS/ACCEPT net $FW

##############
## OUTBOUND ##
##############
# dns to provider
DNS/ACCEPT $FW net:208.78.97.155
DNS/ACCEPT $FW net:208.75.87.250
# smtp to anywhere
SMTP/ACCEPT $FW net
# rsync to any of rsync.us.gentoo.org rsync mirrors:
Rsync/ACCEPT $FW net:141.219.155.230
Rsync/ACCEPT $FW net:129.110.111.9
Rsync/ACCEPT $FW net:128.61.111.9
Rsync/ACCEPT $FW net:128.213.5.35
Rsync/ACCEPT $FW net:128.104.70.17
Rsync/ACCEPT $FW net:128.10.252.13
Rsync/ACCEPT $FW net:216.176.132.235
Rsync/ACCEPT $FW net:209.59.138.21
Rsync/ACCEPT $FW net:209.221.142.124
Rsync/ACCEPT $FW net:209.189.242.21
Rsync/ACCEPT $FW net:198.7.230.249
Rsync/ACCEPT $FW net:156.56.247.193
Rsync/ACCEPT $FW net:150.135.81.231
# download from configured gentoo portage mirrors:
HTTP/ACCEPT $FW net:64.50.236.52    # gentoo.osuosl.org
HTTP/ACCEPT $FW net:64.50.238.52    # gentoo.osuosl.org
HTTP/ACCEPT $FW net:128.61.111.10   # www.gtlib.gatech.edu
HTTP/ACCEPT $FW net:128.61.111.11   # www.gtlib.gatech.edu
HTTP/ACCEPT $FW net:128.61.111.9    # www.gtlib.gatech.edu
HTTP/ACCEPT $FW net:128.111.24.43   # ftp.ucsb.edu
HTTP/ACCEPT $FW net:216.165.129.134 # gentoo.mirrors.tds.net
HTTP/ACCEPT $FW net:128.213.5.34    # mirrors.acm.cs.rpi.edu
HTTP/ACCEPT $FW net:129.123.1.18    # mirror.usu.edu
HTTP/ACCEPT $FW net:69.16.168.244   # gentoo.mirrors.easynews.com
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

All other configs are as gentoo installed them, untouched.

The problem I'm having is that after starting and refreshing shorewall, I'm able to connect to websites using elinks from my server, which I thought would be prevented with the given configuration.

The complete dump from iptables, which only shorewall has touched, is:

```
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
eth0_in    all  --  anywhere             anywhere
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:INPUT:REJECT:'
reject     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
eth0_fwd   all  --  anywhere             anywhere
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
fw2net     all  --  anywhere             anywhere            policy match dir out pol none
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject     all  --  anywhere             anywhere

Chain Drop (1 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid  all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            multiport dports epmap,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere            multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1900
dropNotSyn  tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain Reject (5 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid  all  --  anywhere             anywhere
reject     udp  --  anywhere             anywhere            multiport dports epmap,microsoft-ds
reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
reject     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
reject     tcp  --  anywhere             anywhere            multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1900
dropNotSyn  tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain all2all (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:all2all:REJECT:'
reject     all  --  anywhere             anywhere

Chain blacklst (2 references)
target     prot opt source               destination

Chain dropBcast (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast

Chain dropInvalid (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID

Chain dropNotSyn (2 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (2 references)
target     prot opt source               destination

Chain eth0_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
blacklst   all  --  anywhere             anywhere            state INVALID,NEW policy match dir in pol none
smurfs     all  --  anywhere             anywhere            state INVALID,NEW policy match dir in pol none
norfc1918  all  --  anywhere             anywhere            state NEW policy match dir in pol none
tcpflags   tcp  --  anywhere             anywhere            policy match dir in pol none

Chain eth0_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
blacklst   all  --  anywhere             anywhere            state INVALID,NEW policy match dir in pol none
smurfs     all  --  anywhere             anywhere            state INVALID,NEW policy match dir in pol none
norfc1918  all  --  anywhere             anywhere            state NEW policy match dir in pol none
tcpflags   tcp  --  anywhere             anywhere            policy match dir in pol none
net2fw     all  --  anywhere             anywhere            policy match dir in pol none

Chain fw2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             tick.slicehost.net  udp dpt:domain
ACCEPT     tcp  --  anywhere             tick.slicehost.net  tcp dpt:domain
ACCEPT     udp  --  anywhere             tock.slicehost.net  udp dpt:domain
ACCEPT     tcp  --  anywhere             tock.slicehost.net  tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             lug.mtu.edu         tcp dpt:rsync
ACCEPT     tcp  --  anywhere             129.110.111.9       tcp dpt:rsync
ACCEPT     tcp  --  anywhere             trillian.gtlib.gatech.edu tcp dpt:rsync
ACCEPT     tcp  --  anywhere             inertia.acm.cs.rpi.edu tcp dpt:rsync
ACCEPT     tcp  --  anywhere             gentoo3.chem.wisc.edu tcp dpt:rsync
ACCEPT     tcp  --  anywhere             osmirrors.cerias.purdue.edu tcp dpt:rsync
ACCEPT     tcp  --  anywhere             squid.nitco.com     tcp dpt:rsync
ACCEPT     tcp  --  anywhere             gaghiel.genfu.org   tcp dpt:rsync
ACCEPT     tcp  --  anywhere             gentoo.llarian.net  tcp dpt:rsync
ACCEPT     tcp  --  anywhere             21.242.189.209.managednetworks.com tcp dpt:rsync
ACCEPT     tcp  --  anywhere             hydrogen.oshean.org tcp dpt:rsync
ACCEPT     tcp  --  anywhere             spout.ussg.indiana.edu tcp dpt:rsync
ACCEPT     tcp  --  anywhere             mirror.espri.arizona.edu tcp dpt:rsync
ACCEPT     tcp  --  anywhere             ftp-chi.osuosl.org  tcp dpt:http
ACCEPT     tcp  --  anywhere             ftp-atl.osuosl.org  tcp dpt:http
ACCEPT     tcp  --  anywhere             tricia.gtlib.gatech.edu tcp dpt:http
ACCEPT     tcp  --  anywhere             slartybardfast.gtlib.gatech.edu tcp dpt:http
ACCEPT     tcp  --  anywhere             trillian.gtlib.gatech.edu tcp dpt:http
ACCEPT     tcp  --  anywhere             ftp.ucsb.edu        tcp dpt:http
ACCEPT     tcp  --  anywhere             mirror1.mirrors.tds.net tcp dpt:http
ACCEPT     tcp  --  anywhere             gyroscope.acm.cs.rpi.edu tcp dpt:http
ACCEPT     tcp  --  anywhere             mirrors.usu.edu     tcp dpt:http
ACCEPT     tcp  --  anywhere             mirrors.easynews.com tcp dpt:http
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:fw2net:REJECT:'
reject     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:logdrop:DROP:'
DROP       all  --  anywhere             anywhere

Chain logflags (5 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:logflags:DROP:'
DROP       all  --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:logreject:REJECT:'
reject     all  --  anywhere             anywhere

Chain net2all (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:net2all:DROP:'
DROP       all  --  anywhere             anywhere

Chain net2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
net2all    all  --  anywhere             anywhere

Chain norfc1918 (2 references)
target     prot opt source               destination
rfc1918    all  --  172.16.0.0/12        anywhere
rfc1918    all  --  anywhere             anywhere            ctorigdst 172.16.0.0/12
rfc1918    all  --  192.168.0.0/16       anywhere
rfc1918    all  --  anywhere             anywhere            ctorigdst 192.168.0.0/16
rfc1918    all  --  10.0.0.0/8           anywhere
rfc1918    all  --  anywhere             anywhere            ctorigdst 10.0.0.0/8

Chain reject (12 references)
target     prot opt source               destination
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain rfc1918 (6 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:rfc1918:DROP:'
DROP       all  --  anywhere             anywhere

Chain shorewall (0 references)
target     prot opt source               destination

Chain smurfs (2 references)
target     prot opt source               destination
LOG        all  --  67.207.144.255       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  67.207.144.255       anywhere
LOG        all  --  255.255.255.255      anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  255.255.255.255      anywhere
LOG        all  --  BASE-ADDRESS.MCAST.NET/4  anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere

Chain tcpflags (2 references)
target     prot opt source               destination
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags   tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
logflags   tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
logflags   tcp  --  anywhere             anywhere            tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
```

The first line of the OUTPUT chain seems like the reason all HTTP is allowed out, but I don't know why that rule was added by shorewall.

Any help would be very much appreciated!

Last edited by nihilo on Sun Aug 26, 2007 12:35 am; edited 1 time in total

----------

## steveb

*nihilo wrote:*

> ```
> protempore shorewall # tail -6 zones
> ...
> ```

This is wrong. You have declared fw for firewall, which is okay, and you have declared net as ipv4, which is okay, but where is loc (your local network) and where is dmz (demilitarized zone, if you have one)? When I first read this I had the impression that your server is sitting directly on the network. But down in the configuration I see that you do reference 192.160.x.x, and this is an Internet non-routable address. So I assume you must have at least loc. Please add:

```
###############################################################################
#ZONE TYPE       OPTIONS            IN          OUT
#               OPTIONS             OPTIONS
fw    firewall
net   ipv4
loc   ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
```

And then change your configuration to take care of the new zone loc. Then things should work.

If this does not answer your question then please post some more info about your network. Things like IP addresses (you can obfuscate them) and post the role of the server where Shorewall is installed and post if any other client is accessing the net over that system where Shorewall is installed, post the routing table and the output of ifconfig, etc...

// SteveB

----------

## Stever

*nihilo wrote:*

> The first line of the OUTPUT chain seems like the reason all HTTP is allowed out, but I don't know why that rule was added by shorewall.

I have a similar (working) shorewall setup that is blocking most outgoing traffic, and it has the same first line in the OUTPUT section.  I don't really know enough about iptables to say what your problem is, but comparing your iptables output to mine, I think maybe it comes from the following line in Chain fw2net 

```
ACCEPT     tcp  --  anywhere             anywhere    
```

I don't see anything obviously wrong in your configs though - maybe you can wade through the output of 

```
# shorewall debug start
```

 and see where it is coming from?

----------

## nihilo

*steveb wrote:*

> This is wrong. You have declared fw for firewall, which is okay, and you have declared net as ipv4, which is okay, but where is loc (your local network) and where is dmz (demilitarized zone, if you have one)? When I first read this I had the impression that your server is sitting directly on the network. But down in the configuration I see that you do reference 192.160.x.x, and this is an Internet non-routable address. So I assume you must have at least loc.
>
> ...
>
> // SteveB

Thanks for the response. 

My setup is that I have a single server, with only 1 ip address, 1 interface, on the net, and the documentation says that you don't need a loc in that case. There is no local network at all, just the 1 host which is directly on the internet. I used the documentation that came with my setup, which has examples for a single-interface setup that are exactly the same in interfaces and zones as what I have.

The 192... stuff down below was added by shorewall due to the norfc1918 flag, which I believe rejects packets with source addresses that are the private addresses like 192.168 and friends.

----------

## nihilo

Okay, figured out what was going on.

Stever, you were right that the line you identified was the rule that was causing the problem. I started shorewall in debug mode, as you suggested, and looked through the 80,000 (!) lines of output, and there was nowhere that that rule was being set. Hmmm, that's odd. I checked iptables --list again, and it was no longer there. The configs had not changed at all. The only thing that had happened is that I started shorewall manually, rather than via the init.d script, and I didn't use the -f arg when I started it.

That rule was a remnant of some old configuration files, and was the result of a macro I had defined that was not working correctly. It was supposed to limit outgoing to a given user, but was not restricting to the user as intended, which is very strange, since I had done "/etc/init.d/shorewall clear" many times since the macro was last uncommented. Somehow, that rule was remembered from an old config where the macro wasn't commented out.

I instead added a rule directly to my rules file (not using the broken macro) for that user

```
ACCEPT $FW net tcp - - - - asdf
```

and now it works correctly, and the relevant ipfilter rule is

```
ACCEPT     tcp  --  anywhere             anywhere            OWNER UID match asdf
```

which is the offending rule with the "OWNER UID" stuff added. Now everything is working perfectly, and that user can download stuff but no other users (except to gentoo mirrors).

I am still very puzzled how that old rule was maintained after multiple stops/starts/clears. I thought after clearing, stopping, and then starting again, that what would be in iptables was solely a result of the current configuration files, but it had definitely persisted the rules somewhere and remembered the old rule.

Anyway, thanks to both of you for the help.

----------
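A check for the situation in this thread, added here as an example and not code from the thread or from Shorewall: it parses an `iptables -L -n -v` listing and reports every ACCEPT in the OUTPUT chain or in a `fw2*` chain that is bound to no interface, no destination, no port and no owner, which is exactly the shape of the stray `ACCEPT tcp -- anywhere anywhere` rule Stever spotted in fw2net. The verbose listing is used on purpose: without `-v` the interface columns are not printed, so Shorewall's loopback accept (`-o lo`) at the top of OUTPUT prints as a bare `ACCEPT all -- anywhere anywhere`, identical to a real wildcard, which is the rule nihilo first suspected. The sample listing embedded in the script is constructed for this example (numeric addresses as `-n` prints them, a made-up uid 1001 standing in for the user rule) and is not output from the original server.

```python
"""Audit an `iptables -L -n -v` listing for wildcard egress ACCEPT rules.

Example code for this thread; not part of Shorewall or of the poster's setup.
The verbose listing is required so that the `in`/`out` columns are present and
an interface-bound ACCEPT (Shorewall's `-o lo` rule) is not mistaken for a
wildcard.
"""
import re
import sys
from dataclasses import dataclass

# Chains whose ACCEPT rules govern traffic the firewall host itself originates.
EGRESS_CHAINS = re.compile(r"^(OUTPUT|fw2\w+)$")

# Any of these in the trailing match text makes an ACCEPT "restricted enough".
RESTRICTING = re.compile(
    r"dpts?:|multiport dports|owner uid match|owner gid match|"
    r"state RELATED,ESTABLISHED|ctstate RELATED,ESTABLISHED",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    chain: str
    index: int   # 1-based position in the chain, as `iptables -L --line-numbers` shows it
    rule: str


def parse_listing(text):
    """Yield (chain, index, fields, extras) for every rule line of a -v listing."""
    chain, index = None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Chain (\S+) ", line)
        if m:
            chain, index = m.group(1), 0
            continue
        if line.startswith("pkts "):
            continue  # column header
        # pkts bytes target prot opt in out source destination [match text]
        parts = line.split(None, 9)
        if chain is None or len(parts) < 9:
            continue
        index += 1
        yield chain, index, parts[:9], (parts[9] if len(parts) > 9 else "")


def audit(text):
    """Return ACCEPTs in egress chains that match any interface, host, port and user."""
    findings = []
    for chain, index, fields, extras in parse_listing(text):
        _pkts, _bytes, target, _prot, _opt, _in, out, _src, dst = fields
        if not EGRESS_CHAINS.match(chain) or target != "ACCEPT":
            continue
        if out != "*":            # bound to an interface, e.g. Shorewall's `-o lo` rule
            continue
        if dst != "0.0.0.0/0":    # restricted to a specific host or network
            continue
        if RESTRICTING.search(extras):
            continue
        findings.append(Finding(chain, index, " ".join(fields[2:] + [extras]).rstrip()))
    return findings


# Constructed sample in `iptables -L -n -v` format; modelled on the thread's
# dump, not copied from it. uid 1001 is a stand-in for the per-user rule.
SAMPLE = """\
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   800 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
  340 24000 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            policy match dir out pol none
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
  300 20000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    2   150 ACCEPT     udp  --  *      *       0.0.0.0/0            208.78.97.155        udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
   40  3000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            OWNER UID match 1001
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            64.50.236.52         tcp dpt:80
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        text = open(sys.argv[1]).read()
    else:
        text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found = audit(text)
    for f in found:
        print(f"{f.chain}:{f.index}: {f.rule}")
    print(f"{len(found)} wildcard egress ACCEPT rule(s)")
```

Run it as `iptables -L -n -v | python3 egress_audit.py` (the file name is an assumption) after every `shorewall restart` or `shorewall refresh`; the index in each finding is the position `iptables -L --line-numbers` reports for that chain, so a flagged rule can be inspected by number while its origin is tracked down in the configuration. On the constructed sample it reports exactly one rule, fw2net rule 4, and stays silent on the loopback accept in OUTPUT and on the owner-restricted rule that replaced the broken macro.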

