aphelion Posted April 8, 2008
I have my 2 PCs (let's call them tux1 and tux2) both connected to my ADSL Router/Modem. Both PCs are running MDV 2008.1, and I have them set up so that tux1 can access tux2's shares and tux2 can access tux1's shares. Everything works fine, so things must be set up OK, except that after I shut down for the day and then boot up again the next day, I no longer have the access I did the day before. To fix the problem, all I have to do is turn off the firewall on both PCs, and then I have access again; I can then turn both firewalls back on and I still have access, with no other changes made. What do I have to do so that I don't have to turn the firewalls on and off every day? [moved from Networking by spinynorman]
ianw1974 Posted April 8, 2008
What are you using as a firewall, and what are the rules? Also note that if you have shorewall and iptables, one could be blocking the other. Post the output of:

chkconfig --list | grep :on

so we can see what services are enabled, and also tell us which firewall you have been restarting to fix the problem. Also, what are your firewall rules? Post them here too if you can, so we can see what might be blocking, but I reckon it's maybe a combination of iptables/shorewall causing the issue.
aphelion Posted April 8, 2008 Author (edited)
Here is the output of the command you asked for:

acpid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
alsa 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
avahi-daemon 0:off 1:off 2:off 3:on 4:off 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
dkms 0:off 1:off 2:off 3:on 4:on 5:on 6:off
dm 0:off 1:off 2:off 3:off 4:off 5:on 6:off
fuse 0:off 1:off 2:off 3:on 4:on 5:on 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
harddrake 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance 0:off 1:off 2:off 3:on 4:on 5:on 6:off
keytable 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kheader 0:off 1:off 2:on 3:on 4:off 5:on 6:off
lisa 0:off 1:off 2:off 3:on 4:on 5:on 6:off
mandi 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network-up 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfs-common 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfs-server 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
numlock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
partmon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
resolvconf 0:off 1:off 2:on 3:on 4:on 5:on 6:off
shorewall 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sound 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off

The firewall is just Shorewall, the one that comes standard with Mandriva, I guess. As for rules, well, I just have Echo Request (Ping) selected, and the ports 2049/udp and 2049/tcp open; I believe these are for NFS.
Edited April 8, 2008 by aphelion
ianw1974 Posted April 8, 2008
I see iptables in that list as well. What's the contents of /etc/sysconfig/iptables (I'm assuming it's using this)? Alternatively, you can give me the output of:

iptables -L

to list what rules are loaded. A conflict between this and shorewall is, I think, your problem. If we see anything in /etc/sysconfig/iptables or the rule list that is blocking all incoming traffic, then we can safely do:

chkconfig iptables off
service iptables stop

to fix the problem. At least that's what I would try anyway. I'm not completely sure whether shorewall needs iptables or not. You can also use:

shorewall show

I think, to list the shorewall rules, so once iptables was stopped, check this to see if all your rules are active, based on what you set up.
aphelion Posted April 8, 2008 Author (edited)
[Edit] I'll have to get back to you on this, I'm running late and rushing everything; I'll get back this afternoon. Thanks
Edited April 8, 2008 by aphelion
aphelion Posted April 9, 2008 Author
Right ee oh, here we go.

"What's the contents of /etc/sysconfig/iptables"

There is no such file on either PC. The output of iptables -L is as follows; it is exactly the same for both PCs:

Chain INPUT (policy DROP)
target prot opt source destination
Ifw all -- anywhere anywhere
eth0_in all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
reject all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
eth0_fwd all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
eth0_out all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject all -- anywhere anywhere

Chain Drop (1 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid all -- anywhere anywhere
DROP udp -- anywhere anywhere multiport dports 135,microsoft-ds
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
DROP tcp -- anywhere anywhere multiport dports 135,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain

Chain Ifw (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere set ifw_wl src
DROP all -- anywhere anywhere set ifw_bl src
IFWLOG all -- anywhere anywhere state INVALID,NEW psd weight-threshold: 10 delay-threshold: 10000 lo-ports-weight: 2 hi-ports-weight: 1 IFWLOG prefix 'SCAN'
IFWLOG udp -- anywhere anywhere state NEW udp dpt:nfs IFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere state NEW tcp dpt:nfs IFWLOG prefix 'NEW'

Chain Reject (6 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid all -- anywhere anywhere
reject udp -- anywhere anywhere multiport dports 135,microsoft-ds
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
reject tcp -- anywhere anywhere multiport dports 135,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain

Chain all2fw (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2fw:REJECT:'
reject all -- anywhere anywhere

Chain all2net (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2net:REJECT:'
reject all -- anywhere anywhere

Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4

Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID

Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (2 references)
target prot opt source destination

Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW

Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
net2fw all -- anywhere anywhere

Chain eth0_out (1 references)
target prot opt source destination
fw2net all -- anywhere anywhere

Chain fw2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:fw2all:REJECT:'
reject all -- anywhere anywhere

Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain logreject (0 references)
target prot opt source destination
reject all -- anywhere anywhere

Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:nfs
ACCEPT tcp -- anywhere anywhere tcp dpt:nfs
ACCEPT icmp -- anywhere anywhere icmp echo-request
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2fw:DROP:'
DROP all -- anywhere anywhere

Chain reject (13 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain shorewall (0 references)
target prot opt source destination

Chain smurfs (0 references)
target prot opt source destination
RETURN all -- default anywhere
LOG all -- anywhere anywhere ADDRTYPE match src-type BROADCAST LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
LOG all -- BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere

I ran the 2 commands, chkconfig iptables off and service iptables stop, but I still could not get access. After running the 2 commands, iptables -L shows the following:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

and the output of chkconfig --list | grep :on no longer lists iptables. After a reboot, chkconfig --list | grep :on still doesn't list iptables, and it shows as not running in MCC; however, the output of iptables -L is back to the long list above, and shorewall still needs to be stopped to get access, and can be started again while still having access.

iptables is not selected by default on installation of Mandriva; I actually select it. I don't know why, I don't actually do anything with it, I guess I just heard it was a good thing. Should I perhaps just uninstall it? I await your reply, thanks.
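Added example, not from the thread: a small parser for the `iptables -L` layout shown above that lists which destination ports a chain accepts and compares them with the fixed ports an NFS client must reach on the server (portmap on 111 as well as nfsd on 2049; mountd, statd and lockd take ports assigned at boot unless pinned in the NFS configuration, so no firewall rule can list them until they are fixed). The sample chain is a constructed copy of the poster's net2fw output, and the name-to-port map assumes the /etc/services names iptables prints when run without -n.

```python
"""Parse `iptables -L` text, list the destination ports a chain ACCEPTs,
and compare with the fixed ports an NFS mount needs.  Added example, not
the thread's own code; SAMPLE is a constructed copy of the net2fw chain."""
import re

# Constructed sample: a copy of the net2fw chain from the poster's output.
SAMPLE = """\
Chain net2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             udp dpt:nfs
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:nfs
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
Drop       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             LOG level info prefix `Shorewall:net2fw:DROP:'
DROP       all  --  anywhere             anywhere
"""

SERVICES = {"nfs": 2049, "sunrpc": 111}   # names iptables prints without -n
# Fixed server ports an NFSv3 mount needs: portmap (111) and nfsd (2049).
# mountd/statd/lockd get boot-time ports unless pinned, so they are not listed.
NFS_FIXED = {("tcp", 111), ("udp", 111), ("tcp", 2049), ("udp", 2049)}


def parse_chains(text):
    """Return {chain_name: [rule dicts]} from `iptables -L` text."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy \w+|\d+ references)\)", line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        if current is None or line.startswith("target") or not line.strip():
            continue
        parts = line.split(None, 5)          # target prot opt src dst [extra]
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""
        current.append({"target": target, "prot": prot, "src": src,
                        "dst": dst, "extra": extra})
    return chains


def accepted_ports(chains, name):
    """Set of (proto, port) the chain ACCEPTs by a single destination port."""
    found = set()
    for rule in chains.get(name, []):
        if rule["target"] != "ACCEPT":
            continue
        for port in re.findall(r"\bdpt:(\S+)", rule["extra"]):
            port = SERVICES.get(port, port)    # resolve a printed service name
            if isinstance(port, str) and port.isdigit():
                port = int(port)
            found.add((rule["prot"], port))
    return found


def nfs_gaps(chains, name="net2fw"):
    """Fixed NFS ports the named chain does not accept (sorted list)."""
    return sorted(NFS_FIXED - accepted_ports(chains, name))
```

Run against the sample, nfs_gaps() reports that portmap (111) is not accepted on either protocol, which is why opening 2049 alone is not enough for a fresh mount after a reboot.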
viking777 Posted April 9, 2008
I have always understood that Shorewall is just a front end for iptables/ipchains and that if you don't have iptables then Shorewall won't work. I could have misunderstood this, but I don't think so. Sorry I can't help with the original problem though.
aphelion Posted April 9, 2008 Author
This is from the Shorewall site:

"The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode; as a consequence, Shorewall can take advantage of Netfilter's connection state tracking capabilities to create a stateful firewall."

I'm glad you indirectly got me to go take a look at the site ;)

"Shorewall is not the easiest to use of the available iptables configuration tools but I believe that it is the most flexible and powerful. So if you are looking for a simple point-and-click set-and-forget Linux firewall solution that requires a minimum of networking knowledge, I would encourage you to check out the following alternatives: Firestarter"

Firestarter seems to be something that is more to my liking; I may check it out a bit later.
ianw1974 Posted April 9, 2008
You can get iptables back with:

chkconfig iptables on

and then:

service iptables start

The grep command filters for services that are on, as in the example, so when iptables was turned off, filtering by "on" stopped it appearing.
aphelion Posted April 9, 2008 Author
Yeah, I had already worked that out, thanks. I will be installing 2008.1 PowerPack shortly, so I'll see how I go, but I imagine I'll run into the same problem.
aphelion Posted April 10, 2008 Author (edited)
Well, I uninstalled Shorewall, then installed Firestarter. Wasn't that a bust. It wouldn't start. Whether you tried to start it from the menu entry or the CLI, you got the same thing: just a little window popped up and said 'unknown error'. So I just uninstalled that also. Now everything works fine (touch wood), both PCs can access each other's shares, and it holds over reboots. I wouldn't mind having a firewall/shorewall working, but I am not too worried about not having one; I would rather not have one and have my 2 PCs talking to each other than have a firewall and have to jump through hoops every boot to get things working. Now to install 2008 Spring PowerPack . . .
Edited April 10, 2008 by aphelion
ianw1974 Posted April 10, 2008
You really only need a firewall between your internal network and the internet. The machines inside don't need to have one. Some people do it for extra security, or for routing some things to machines that may not be directly connected to the internet. I have a firewall at home between my LAN and the internet, and none of my machines have iptables/shorewall or anything else on them.
aphelion Posted April 10, 2008 Author
"You really only need a firewall between your internal network and the internet. The machines inside don't need to have one. Some people do it for extra security, or for routing some things to machines that may not be directly connected to the internet."

I'm just set up with each PC plugged into a 4 port ADSL Modem/Router, so they are sort of connected directly to the net. There is some sort of firewall in the Router, but I just had a look, and it looks like I have never set it up/turned it on, and I don't really understand the settings available from the quick perusal I just had, nor do I really want to spend the time researching. Anyway, I have now installed 2008 Spring PowerPack on both machines. While shorewall is installed, I disabled it from starting up during installation, and I fear starting it up to see what happens, because as it is, everything is working how I want it to. The shares on both PCs remain accessible after reboots, and I don't have to jump through any hoops to make it happen. :)

"iptables is not selected by default on installation of Mandriva, I actually select it,"

While what I said here is kind of true, I took note during the 2 installs of PowerPack I just did: iptables is not selected by default, and I made a point not to select it, but it appears that somewhere along the line it must come in as a dependency of something else, as it does actually get installed.
ianw1974 Posted April 10, 2008
It's simple really: just let everything from the inside go out, and block all incoming connections on the firewall. That will mean your machines have complete access to the internet, but you have blocked the internet from connecting to your machines. Just make sure all inbound stuff is blocked. Then you're done :)