# Shorewall issue

## serrix

Hi there, 

I've been having a fair bit of trouble with shorewall, but I suspect someone here who knows a bit more about it might spot the problem instantly.

The second issue is I need shorewall to use my subinterfaces as separate networks; however, it doesn't accept eth1:0 and eth1:1.

I've made the subinterface with the following:

/etc/conf.d/net

```sh
config_eth1=( "192.168.2.1 broadcast 192.168.2.255 netmask 255.255.255.0"
              "169.254.1.1 broadcast 169.254.1.255 netmask 255.255.255.0")
```

When I start shorewall I get:

```
/etc/init.d/shorewall start
 * Starting firewall ...
iptables: No chain/target/match by that name
   ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
/sbin/shorewall: line 375: 10640 Terminated              ${VARDIR}/.start $debugging start
```

My configs follow:

/etc/shorewall/interfaces:

```
#ZONE   INTERFACE       BROADCAST       OPTIONS
wan     eth0            192.168.1.255   blacklist,dhcp,tcpflags,routefilter
lan     eth1            192.168.2.255
dmz     vmnet1          169.254.1.255
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

/etc/shorewall/policy:

```
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
#$FW            wan             ACCEPT
lan             wan             ACCEPT
wan             all             DROP            info
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE
```

/etc/shorewall/zones:

```
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
lan     ipv4
dmz     ipv4
wan     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
```

/etc/shorewall/rules:

```
SECTION NEW
#Unfortunately need to connect more things from the wan as the "Wan" includes the home network
#All lan -> wan connections are already allowed through the policy, but CHECK
DNS/ACCEPT      all     all
SSH/ACCEPT      all     all
Rsync/ACCEPT    all     all
SMB/ACCEPT      all     all
#VMware
ACCEPT          lan     $FW     TCP     902
ACCEPT          dmz     $FW     TCP     902
ACCEPT          $FW     lan     TCP     902
ACCEPT          $FW     dmz     TCP     902
ACCEPT          $FW     dmz     TCP     8080
ACCEPT          dmz     $FW     TCP     8080
ACCEPT          $FW     lan     TCP     8080
ACCEPT          lan     $FW     TCP     8080
VNC/ACCEPT      lan     dmz
VNC/ACCEPT      wan     dmz
HTTP/ACCEPT     wan     dmz
HTTP/ACCEPT     dmz     wan
HTTP/ACCEPT     dmz     lan
HTTP/ACCEPT     lan     dmz
MySQL/ACCEPT    dmz     lan
MySQL/ACCEPT    lan     dmz
NTP/ACCEPT      $FW     dmz
NTP/ACCEPT      dmz     $FW
NTP/ACCEPT      lan     $FW
NTP/ACCEPT      $FW     lan
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

Kernel config:

```
#
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_UNIX=y
CONFIG_XFRM=y
# CONFIG_XFRM_USER is not set
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set
# CONFIG_NET_KEY is not set
CONFIG_INET=y
# CONFIG_IP_MULTICAST is not set
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
# CONFIG_IP_MULTIPLE_TABLES is not set
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_VERBOSE is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_ARPD is not set
# CONFIG_SYN_COOKIES is not set
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
# CONFIG_INET_XFRM_TUNNEL is not set
# CONFIG_INET_TUNNEL is not set
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_XFRM_MODE_BEET=y
# CONFIG_INET_DIAG is not set
# CONFIG_TCP_CONG_ADVANCED is not set
CONFIG_TCP_CONG_CUBIC=y
CONFIG_DEFAULT_TCP_CONG="cubic"
# CONFIG_TCP_MD5SIG is not set
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
# CONFIG_INET6_XFRM_TUNNEL is not set
# CONFIG_INET6_TUNNEL is not set
# CONFIG_NETLABEL is not set
# CONFIG_NETWORK_SECMARK is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set

#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
# CONFIG_NF_CONNTRACK_ENABLED is not set
# CONFIG_NF_CONNTRACK is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m

#
# IP: Netfilter Configuration
#
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=y
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_AH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
CONFIG_IP_NF_FILTER=y
# CONFIG_IP_NF_TARGET_REJECT is not set
# CONFIG_IP_NF_TARGET_LOG is not set
# CONFIG_IP_NF_TARGET_ULOG is not set
CONFIG_IP_NF_MANGLE=y
# CONFIG_IP_NF_TARGET_TOS is not set
# CONFIG_IP_NF_TARGET_ECN is not set
# CONFIG_IP_NF_TARGET_TTL is not set
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IP_DCCP is not set
# CONFIG_IP_SCTP is not set
# CONFIG_TIPC is not set
# CONFIG_ATM is not set
# CONFIG_BRIDGE is not set
# CONFIG_VLAN_8021Q is not set
# CONFIG_DECNET is not set
# CONFIG_LLC2 is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set

#
# QoS and/or fair queueing
#
# CONFIG_NET_SCHED is not set
CONFIG_NET_CLS_ROUTE=y

#
# Network testing
#
# CONFIG_NET_PKTGEN is not set
# CONFIG_HAMRADIO is not set
# CONFIG_IRDA is not set
# CONFIG_BT is not set
# CONFIG_AF_RXRPC is not set

#
# Wireless
#
# CONFIG_CFG80211 is not set
# CONFIG_WIRELESS_EXT is not set
# CONFIG_MAC80211 is not set
# CONFIG_IEEE80211 is not set
# CONFIG_RFKILL is not set
```

I'd really appreciate any help you can give me.

----------

## snakehsu

I would guess that you did not compile some modules into the kernel, which are needed by shorewall.

I think you need to enable some options under "IP: Netfilter Configuration". There should be a piece of documentation on the shorewall website describing a minimum kernel config for shorewall to work. If in doubt, just compile CONFIG_IP_NF_* as modules. I haven't tried using subinterfaces as different networks myself, but I think this should at least give you a working iptables for one of your interfaces.

----------

## serrix

Thanks for that, I've gotten a little further...

Now I get the following, though apart from the obvious problem:

```
iptables: No chain/target/match by that name
   ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
```

I also think my configuration is wrong as it says:

```
   lan Zone: eth1:0.0.0.0/0
   dmz Zone: vmnet1:0.0.0.0/0
   wan Zone: eth0:0.0.0.0/0
```

Thanks again for your reply, any more ideas?

--------------------------------------------------------------

```
shorewall start
Compiling...
Initializing...
Determining Zones...
   IPv4 Zones: lan dmz wan
   Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Validating Policy file...
Determining Hosts in Zones...
   lan Zone: eth1:0.0.0.0/0
   dmz Zone: vmnet1:0.0.0.0/0
   wan Zone: eth0:0.0.0.0/0
Deleting user chains...
Compiling /etc/shorewall/routestopped ...
Creating Interface Chains...
Compiling Common Rules
Adding rules for DHCP
Compiling TCP Flags checking...
Compiling Kernel Route Filtering...
Compiling IP Forwarding...
Compiling /etc/shorewall/rules...
Compiling Actions...
Compiling /usr/share/shorewall/action.Drop for Chain Drop...
Compiling /usr/share/shorewall/action.Reject for Chain Reject...
Compiling /etc/shorewall/policy...
Compiling Traffic Control Rules...
Compiling Rule Activation...
Shorewall configuration compiled to /var/lib/shorewall/.start
Processing /etc/shorewall/params ...
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Clearing Traffic Control/QOS
Deleting user chains...
iptables: No chain/target/match by that name
   ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
Processing /etc/shorewall/stop ...
iptables: No chain/target/match by that name
```

----------

## snakehsu

Seems that shorewall is still trying to do something not supported by the kernel.

Maybe you can cancel some options in your /etc/shorewall/interfaces and see if shorewall starts.

Try VERBOSITY=2 in /etc/shorewall/shorewall.conf as it may give more information.

----------

## snakehsu

I checked my blog for what I wrote after successfully configuring shorewall, and I found this difference:

NETFILTER_XT_MATCH_STATE [=m]

If you are using kernel 2.6.22 or similar, you should compile this to add "state" match support. I am almost convinced that this module will solve your problem.

```
Location:      (in make menuconfig)
  │     -> Networking
  │       -> Networking support (NET [=y])
  │         -> Networking options
  │           -> Network packet filtering framework (Netfilter) (NETFILTER [=y])
  │             -> Core Netfilter Configuration
  │               -> Netfilter Xtables support (required for ip_tables) (NETFILTER_X
```
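A quick way to check a kernel `.config` for the symbols the failing `-m state` rule and the `REJECT`/`info` policy lines depend on, as an added example that is not code from this thread or from Shorewall. The function names are hypothetical; the CONFIG_ symbols are real kernel options, and the sample input is constructed from the `.config` posted above.

```sh
#!/bin/sh
# Added example, not code from the thread: check a kernel .config for the
# netfilter symbols that the Shorewall rules posted above depend on. The
# function names are hypothetical; the symbols are real kernel options.

# "-m state" needs xt_state, which depends on nf_conntrack (and its IPv4
# part); the REJECT policy needs ipt_REJECT; the "info" log level in
# /etc/shorewall/policy needs the LOG target.
NEEDED="CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4 \
CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_IP_NF_TARGET_REJECT \
CONFIG_IP_NF_TARGET_LOG"

# kconfig_state FILE SYMBOL: prints y (built in), m (module) or n (absent)
kconfig_state() {
    if grep -q "^$2=y" "$1"; then echo y
    elif grep -q "^$2=m" "$1"; then echo m
    else echo n
    fi
}

# check_kconfig FILE: one line per missing symbol; returns 1 if any is missing
check_kconfig() {
    missing=0
    for sym in $NEEDED; do
        if [ "$(kconfig_state "$1" "$sym")" = n ]; then
            echo "MISSING: $sym (not set or absent) - enable it as =y or =m"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: the relevant lines from the .config posted in the thread
SAMPLE="${TMPDIR:-/tmp}/kconfig-sample.$$"
cat > "$SAMPLE" <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_NF_CONNTRACK is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_TARGET_REJECT is not set
# CONFIG_IP_NF_TARGET_LOG is not set
EOF

# To check the running kernel instead, pass /boot/config-$(uname -r)
# (or a file produced by: zcat /proc/config.gz > /tmp/config).
check_kconfig "$SAMPLE" || echo "this kernel cannot load the rules above"
rm -f "$SAMPLE"
```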

----------

