# Adding a macro rule for Shorewall [solved]

## at

I am trying to open port 80 in the firewall using Shorewall, but the rule doesn't seem to stay in iptables.

I added the following line in my '/etc/shorewall/rules' file:

```
#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
#                                               PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
IPP/ACCEPT      eth0    $FW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

Then when I restart Shorewall, I can see that the macro is processed:

```
# shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Not available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Not available
   IP range Match: Available
   Recent Match: Not available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Not available
   Connmark Match: Available
   Raw Table: Not available
   CLASSIFY Target: Available
   FORWARD Mangle Chain: Available
Determining Zones...
   IPv4 Zones: eth0
   IPSEC Zones: vpn
   Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   eth0 Zone: eth0:0.0.0.0/0
   vpn Zone: eth0:0.0.0.0/0
Processing /etc/shorewall/init ...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
   ..Expanding Macro /usr/share/shorewall/macro.Auth...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.SMB...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   ..End Macro
   Pre-processing /usr/share/shorewall/action.Reject...
   Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
Processing /etc/shorewall/continue ...
Processing /etc/shorewall/routestopped ...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
Adding rules for DHCP
IP Forwarding Disabled!
Setting up IPSEC...
Processing /etc/shorewall/rules...
..Expanding Macro /usr/share/shorewall/macro.Web...
   Rule "ACCEPT eth0 fw tcp 80 - - - -" added.
   Rule "ACCEPT eth0 fw tcp 443 - - - -" added.
..End Macro
Processing /etc/shorewall/tunnels...
   IPSEC tunnel to 0.0.0.0/0 defined.
Processing Actions...
   Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Drop for Chain Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
   Rule "REJECT - - tcp 113 -  -" added.
..End Macro
   Rule "dropBcast       " added.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   Rule "ACCEPT - - icmp fragmentation-needed -  -" added.
   Rule "ACCEPT - - icmp time-exceeded -  -" added.
..End Macro
   Rule "dropInvalid       " added.
..Expanding Macro /usr/share/shorewall/macro.SMB...
   Rule "DROP - - udp 135,445 -  -" added.
   Rule "DROP - - udp 137:139 -  -" added.
   Rule "DROP - - udp 1024: 137  -" added.
   Rule "DROP - - tcp 135,139,445 -  -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   Rule "DROP - - udp 1900 -  -" added.
..End Macro
   Rule "dropNotSyn - - tcp    " added.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   Rule "DROP - - udp - 53  -" added.
..End Macro
Processing /usr/share/shorewall/action.Reject for Chain Reject...
..Expanding Macro /usr/share/shorewall/macro.Auth...
   Rule "REJECT - - tcp 113 -  -" added.
..End Macro
   Rule "dropBcast       " added.
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   Rule "ACCEPT - - icmp fragmentation-needed -  -" added.
   Rule "ACCEPT - - icmp time-exceeded -  -" added.
..End Macro
   Rule "dropInvalid       " added.
..Expanding Macro /usr/share/shorewall/macro.SMB...
   Rule "REJECT - - udp 135,445 -  -" added.
   Rule "REJECT - - udp 137:139 -  -" added.
   Rule "REJECT - - udp 1024: 137  -" added.
   Rule "REJECT - - tcp 135,139,445 -  -" added.
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   Rule "DROP - - udp 1900 -  -" added.
..End Macro
   Rule "dropNotSyn - - tcp    " added.
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   Rule "DROP - - udp - 53  -" added.
..End Macro
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to eth0 using chain fw2eth0
   Policy REJECT for fw to vpn using chain all2all
   Policy DROP for eth0 to fw using chain eth02all
   Policy REJECT for vpn to fw using chain all2all
Processing /etc/shorewall/tos...
Processing /etc/shorewall/ecn...
Setting up Traffic Control Rules...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Restarted
Processing /etc/shorewall/started ...
```

But when I check if the rules are actually in iptables, they are not there!

```
# iptables -L | grep 80
```

or

```
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
eth0_in    all  --  anywhere             anywhere
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:INPUT:REJECT:'
reject     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
eth0_fwd   all  --  anywhere             anywhere
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
fw2eth0    all  --  anywhere             anywhere            policy match dir out pol none
fw2vpn     all  --  anywhere             anywhere            policy match dir out pol ipsec
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject     all  --  anywhere             anywhere

Chain Drop (1 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid  all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            multiport dports epmap,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere            multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1900
dropNotSyn  tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain Reject (4 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid  all  --  anywhere             anywhere
reject     udp  --  anywhere             anywhere            multiport dports epmap,microsoft-ds
reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
reject     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
reject     tcp  --  anywhere             anywhere            multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1900
dropNotSyn  tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain all2all (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:all2all:REJECT:'
reject     all  --  anywhere             anywhere

Chain dropBcast (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast

Chain dropInvalid (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID

Chain dropNotSyn (2 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (2 references)
target     prot opt source               destination

Chain eth02all (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:eth02all:DROP:'
DROP       all  --  anywhere             anywhere

Chain eth02fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:isakmp state NEW
eth02all   all  --  anywhere             anywhere

Chain eth0_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
vpn_frwd   all  --  anywhere             anywhere            policy match dir in pol ipsec

Chain eth0_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
eth02fw    all  --  anywhere             anywhere            policy match dir in pol none
vpn2fw     all  --  anywhere             anywhere            policy match dir in pol ipsec

Chain fw2eth0 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:isakmp state NEW
ACCEPT     all  --  anywhere             anywhere

Chain fw2vpn (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:isakmp state NEW
all2all    all  --  anywhere             anywhere

Chain reject (10 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
DROP       all  --  192.168.1.255        anywhere
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain shorewall (0 references)
target     prot opt source               destination

Chain smurfs (0 references)
target     prot opt source               destination
LOG        all  --  192.168.1.255        anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  192.168.1.255        anywhere
LOG        all  --  255.255.255.255      anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  255.255.255.255      anywhere
LOG        all  --  BASE-ADDRESS.MCAST.NET/4  anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere

Chain vpn2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:isakmp state NEW
all2all    all  --  anywhere             anywhere

Chain vpn_frwd (1 references)
target     prot opt source               destination
all2all    all  --  anywhere             anywhere            policy match dir out pol none
```

Thank you for the help!

----------

## at

Actually, everything works fine even though I cannot see the expected rule in the listing. Not sure how, but the correct port is open.

----------
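Editor's note, with an added example that is not part of the thread above: the rule the poster was looking for is in the listing, in chain `eth02fw`, as `ACCEPT tcp -- anywhere anywhere tcp dpt:http`. Plain `iptables -L` translates port numbers into service names from `/etc/services`, so `grep 80` matches nothing even though port 80 is open; `iptables -nL` (the `--numeric` flag) prints the raw numbers. The script below parses a constructed subset of the poster's own `iptables -L` output, resolves the service names through a small table that stands in for `/etc/services`, and reports which chains carry an explicit ACCEPT for a given protocol and port, next to the naive substring search that fails. The `SERVICES` table and the sample listing are constructed for this example.

```python
"""Find which chains in an `iptables -L` listing accept a given TCP/UDP port.

`iptables -L` (without -n) prints port numbers as service names, so
`iptables -L | grep 80` finds nothing even when a rule for port 80
("tcp dpt:http") is present. `iptables -nL` avoids the lookup; this parser
resolves the names instead so a saved listing can be checked offline.
"""
import re

# Constructed sample: a subset of the `iptables -L` listing from the post.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
eth0_in    all  --  anywhere             anywhere
Reject     all  --  anywhere             anywhere

Chain eth02fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere            udp dpt:isakmp state NEW
eth02all   all  --  anywhere             anywhere

Chain fw2eth0 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            udp dpt:isakmp state NEW
ACCEPT     all  --  anywhere             anywhere
"""

# Constructed stand-in for /etc/services: only the names used in the sample.
SERVICES = {"http": 80, "https": 443, "isakmp": 500, "domain": 53, "auth": 113}


def resolve_port(token):
    """Return the numeric port for a token such as '80' or 'http'."""
    if token.isdigit():
        return int(token)
    try:
        return SERVICES[token]
    except KeyError:
        raise ValueError(f"unknown service name {token!r}; use iptables -nL") from None


def parse_listing(text):
    """Parse `iptables -L` output into {chain: [(target, proto, dport), ...]}.

    dport is None for rules without a single destination port match
    (port ranges and multiport lists are deliberately left unresolved).
    """
    chains = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"Chain (\S+)", line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue  # blank separator or column header
        fields = line.split()
        target, proto = fields[0], fields[1]
        dport = None
        match = re.search(r"\bdpt:(\S+)", line)  # single-port match only
        if match:
            dport = resolve_port(match.group(1))
        chains[current].append((target, proto, dport))
    return chains


def chains_accepting(listing, proto, port):
    """Chains with an explicit ACCEPT for proto/port (catch-all ACCEPTs are not counted)."""
    chains = parse_listing(listing)
    return sorted(name for name, rules in chains.items()
                  if any(t == "ACCEPT" and p == proto and d == port for t, p, d in rules))


def naive_grep(listing, port):
    """What `iptables -L | grep 80` does: a substring search for the literal number."""
    return [line for line in listing.splitlines() if str(port) in line]


if __name__ == "__main__":
    print("grep-style hits for 80:", naive_grep(SAMPLE_LISTING, 80))        # []
    print("chains accepting tcp/80:", chains_accepting(SAMPLE_LISTING, "tcp", 80))  # ['eth02fw']
```

On a live box the same check is simply `iptables -nL eth02fw`, which prints `dpt:80` instead of `dpt:http`; the parser is only useful when you have a saved, name-resolved listing to audit.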

