Thank you Falko, the following values are with Shorewall started...

Code:
iptables -L
Chain INPUT (policy DROP)
target       prot opt source               destination
ACCEPT       0    --  anywhere             anywhere
eth0_in      0    --  anywhere             anywhere
Reject       0    --  anywhere             anywhere
LOG          0    --  anywhere             anywhere             LOG level info prefix `Shorewall:INPUT:REJECT:'
reject       0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target       prot opt source               destination
eth0_fwd     0    --  anywhere             anywhere
Reject       0    --  anywhere             anywhere
LOG          0    --  anywhere             anywhere             LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject       0    --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target       prot opt source               destination
ACCEPT       0    --  anywhere             anywhere
eth0_out     0    --  anywhere             anywhere
Reject       0    --  anywhere             anywhere
LOG          0    --  anywhere             anywhere             LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject       0    --  anywhere             anywhere

Chain Drop (2 references)
target       prot opt source               destination
reject       tcp  --  anywhere             anywhere             tcp dpt:auth
dropBcast    0    --  anywhere             anywhere
ACCEPT       icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT       icmp --  anywhere             anywhere             icmp time-exceeded
dropInvalid  0    --  anywhere             anywhere
DROP         udp  --  anywhere             anywhere             multiport dports loc-srv,microsoft-ds
DROP         udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
DROP         udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
DROP         tcp  --  anywhere             anywhere             multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP         udp  --  anywhere             anywhere             udp dpt:1900
dropNotSyn   tcp  --  anywhere             anywhere
DROP         udp  --  anywhere             anywhere             udp spt:domain

Chain Reject (4 references)
target       prot opt source               destination
reject       tcp  --  anywhere             anywhere             tcp dpt:auth
dropBcast    0    --  anywhere             anywhere
ACCEPT       icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT       icmp --  anywhere             anywhere             icmp time-exceeded
dropInvalid  0    --  anywhere             anywhere
reject       udp  --  anywhere             anywhere             multiport dports loc-srv,microsoft-ds
reject       udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
reject       udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
reject       tcp  --  anywhere             anywhere             multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP         udp  --  anywhere             anywhere             udp dpt:1900
dropNotSyn   tcp  --  anywhere             anywhere
DROP         udp  --  anywhere             anywhere             udp spt:domain

Chain all2all (0 references)
target       prot opt source               destination
ACCEPT       0    --  anywhere             anywhere             state RELATED,ESTABLISHED
Reject       0    --  anywhere             anywhere
LOG          0    --  anywhere             anywhere             LOG level info prefix `Shorewall:all2all:REJECT:'
reject       0    --  anywhere             anywhere

Chain dropBcast (2 references)
target       prot opt source               destination
DROP         0    --  anywhere             anywhere             PKTTYPE = broadcast
DROP         0    --  anywhere             anywhere             PKTTYPE = multicast

Chain dropInvalid (2 references)
target       prot opt source               destination
DROP         0    --  anywhere             anywhere             state INVALID

Chain dropNotSyn (2 references)
target       prot opt source               destination
DROP         tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (2 references)
target       prot opt source               destination

Chain eth0_fwd (1 references)
target       prot opt source               destination
dynamic      0    --  anywhere             anywhere             state INVALID,NEW
smurfs       0    --  anywhere             anywhere             state INVALID,NEW
norfc1918    0    --  anywhere             anywhere             state NEW
tcpflags     tcp  --  anywhere             anywhere

Chain eth0_in (1 references)
target       prot opt source               destination
dynamic      0    --  anywhere             anywhere             state INVALID,NEW
smurfs       0    --  anywhere             anywhere             state INVALID,NEW
norfc1918    0    --  anywhere             anywhere             state NEW
tcpflags     tcp  --  anywhere             anywhere
net2fw       0    --  anywhere             anywhere

Chain eth0_out (1 references)
target       prot opt source               destination
fw2net       0    --  anywhere             anywhere

Chain fw2net (1 references)
target       prot opt source               destination
ACCEPT       0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT       udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT       icmp --  anywhere             anywhere
ACCEPT       0    --  anywhere             anywhere

Chain logdrop (0 references)
target       prot opt source               destination
LOG          0    --  anywhere             anywhere             LOG level info prefix `Shorewall:logdrop:DROP:'
DROP         0    --  anywhere             anywhere

Chain logflags (5 references)
target       prot opt source               destination
LOG          0    --  anywhere             anywhere             LOG level info prefix `Shorewall:logflags:DROP:'
DROP         0    --  anywhere             anywhere

Chain logreject (0 references)
target       prot opt source               destination
LOG          0    --  anywhere             anywhere             LOG level info prefix `Shorewall:logreject:REJECT:'
reject       0    --  anywhere             anywhere

Chain net2all (0 references)
target       prot opt source               destination
ACCEPT       0    --  anywhere             anywhere             state RELATED,ESTABLISHED
Drop         0    --  anywhere             anywhere
LOG          0    --  anywhere             anywhere             LOG level info prefix `Shorewall:net2all:DROP:'
DROP         0    --  anywhere             anywhere

Chain net2fw (1 references)
target       prot opt source               destination
ACCEPT       0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT       tcp  --  anywhere             anywhere
ACCEPT       tcp  --  giganetwireless.net  anywhere             tcp dpt:www limit: avg 20/sec burst 24
ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:telnet
ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT       udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT       tcp  --  65.197.209.0         anywhere             tcp dpt:69
ACCEPT       udp  --  65.197.209.0         anywhere             udp dpt:tftp
ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:www limit: avg 20/sec burst 24
ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:81 limit: avg 20/sec burst 24
ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT       udp  --  anywhere             anywhere             udp dpt:imap2
ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:snmp
ACCEPT       udp  --  anywhere             anywhere             udp dpt:snmp
ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:https limit: avg 20/sec burst 24
ACCEPT       icmp --  anywhere             anywhere             icmp echo-request limit: avg 5/sec burst 8
ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:mysql
ACCEPT       tcp  --  65.197.209.0/24      anywhere             tcp dpt:54000
ACCEPT       tcp  --  anywhere             anywhere             MAC 00:03:25:21:FA:23 tcp dpt:54000
ACCEPT       tcp  --  anywhere             giganetwireless.net  tcp dpt:www
ACCEPT       tcp  --  anywhere             giganetwireless.net  tcp dpt:https
Drop         0    --  anywhere             anywhere
LOG          0    --  anywhere             anywhere             LOG level info prefix `Shorewall:net2fw:DROP:'
DROP         0    --  anywhere             anywhere

Chain norfc1918 (2 references)
target       prot opt source               destination
rfc1918      0    --  172.16.0.0/12        anywhere
rfc1918      0    --  anywhere             anywhere             ctorigdst 172.16.0.0/12
rfc1918      0    --  192.168.0.0/16       anywhere
rfc1918      0    --  anywhere             anywhere             ctorigdst 192.168.0.0/16
rfc1918      0    --  10.0.0.0/8           anywhere
rfc1918      0    --  anywhere             anywhere             ctorigdst 10.0.0.0/8

Chain reject (11 references)
target       prot opt source               destination
DROP         0    --  anywhere             anywhere             PKTTYPE = broadcast
DROP         0    --  anywhere             anywhere             PKTTYPE = multicast
DROP         0    --  65.197.209.128       anywhere
DROP         0    --  255.255.255.255      anywhere
DROP         0    --  BASE-ADDRESS.MCAST.NET/4  anywhere
REJECT       tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT       udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT       icmp --  anywhere             anywhere             reject-with icmp-host-unreachable
REJECT       0    --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain rfc1918 (6 references)
target       prot opt source               destination
LOG          0    --  anywhere             anywhere             LOG level info prefix `Shorewall:rfc1918:DROP:'
DROP         0    --  anywhere             anywhere

Chain shorewall (0 references)
target       prot opt source               destination

Chain smurfs (2 references)
target       prot opt source               destination
LOG          0    --  65.197.209.128       anywhere             LOG level info prefix `Shorewall:smurfs:DROP:'
DROP         0    --  65.197.209.128       anywhere
LOG          0    --  255.255.255.255      anywhere             LOG level info prefix `Shorewall:smurfs:DROP:'
DROP         0    --  255.255.255.255      anywhere
LOG          0    --  BASE-ADDRESS.MCAST.NET/4  anywhere        LOG level info prefix `Shorewall:smurfs:DROP:'
DROP         0    --  BASE-ADDRESS.MCAST.NET/4  anywhere

Chain tcpflags (2 references)
target       prot opt source               destination
logflags     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN,RST
logflags     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
logflags     tcp  --  anywhere             anywhere             tcp spt:0 flags:FIN,SYN,RST,ACK/SYN

Code:
netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN      19507/mysqld
tcp        0      0 *:54000                 *:*                     LISTEN      3458/sshd
tcp        0      0 *:www                   *:*                     LISTEN      12605/apache2
tcp        0      0 *:81                    *:*                     LISTEN      32013/ispconfig_htt
tcp        0      0 *:ftp                   *:*                     LISTEN      4087/proftpd: (acce
tcp        0      0 65.197.209.20:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.19:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.18:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.17:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.16:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.15:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.14:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.13:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.12:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.11:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.9:domain     *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.8:domain     *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.7:domain     *:*                     LISTEN      32313/named
tcp        0      0 mail.webmail.gig:domain *:*                     LISTEN      32313/named
tcp        0      0 mail.giganetwire:domain *:*                     LISTEN      32313/named
tcp        0      0 giganetwireless.:domain *:*                     LISTEN      32313/named
tcp        0      0 localhost.locald:domain *:*                     LISTEN      32313/named
tcp        0      0 *:smtp                  *:*                     LISTEN      4002/master
tcp        0      0 localhost.localdoma:953 *:*                     LISTEN      32313/named
tcp        0      0 *:https                 *:*                     LISTEN      12605/apache2
tcp        0      0 giganetwireless.n:54000 65.197.209.112:1048     ESTABLISHED 2183/sshd: bender [
tcp6       0      0 *:imaps                 *:*                     LISTEN      6845/couriertcpd
tcp6       0      0 *:pop3s                 *:*                     LISTEN      6884/couriertcpd
tcp6       0      0 *:pop3                  *:*                     LISTEN      6860/couriertcpd
tcp6       0      0 *:imap2                 *:*                     LISTEN      6821/couriertcpd
tcp6       0      0 *:smtp                  *:*                     LISTEN      4002/master
tcp6       0      0 ip6-localhost:953       *:*                     LISTEN      32313/named

Regards
Thank you Falko... With Shorewall stopped the server returns the following values:

iptables -L
Code:
Chain INPUT (policy DROP)
target       prot opt source               destination
ACCEPT       0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT       0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target       prot opt source               destination
ACCEPT       0    --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target       prot opt source               destination

netstat -tap
Code:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN      19507/mysqld
tcp        0      0 *:54000                 *:*                     LISTEN      3458/sshd
tcp        0      0 *:www                   *:*                     LISTEN      12605/apache2
tcp        0      0 *:81                    *:*                     LISTEN      32013/ispconfig_htt
tcp        0      0 *:ftp                   *:*                     LISTEN      5952/proftpd: (acce
tcp        0      0 65.197.209.20:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.19:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.18:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.17:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.16:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.15:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.14:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.13:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.12:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.11:domain    *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.9:domain     *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.8:domain     *:*                     LISTEN      32313/named
tcp        0      0 65.197.209.7:domain     *:*                     LISTEN      32313/named
tcp        0      0 mail.webmail.gig:domain *:*                     LISTEN      32313/named
tcp        0      0 mail.giganetwire:domain *:*                     LISTEN      32313/named
tcp        0      0 giganetwireless.:domain *:*                     LISTEN      32313/named
tcp        0      0 localhost.locald:domain *:*                     LISTEN      32313/named
tcp        0      0 *:smtp                  *:*                     LISTEN      5913/master
tcp        0      0 localhost.localdoma:953 *:*                     LISTEN      32313/named
tcp        0      0 *:https                 *:*                     LISTEN      12605/apache2
tcp        0      0 giganetwireless.n:54000 65.197.209.112:3956     ESTABLISHED 22438/sshd: bender
tcp6       0      0 *:imaps                 *:*                     LISTEN      6845/couriertcpd
tcp6       0      0 *:pop3s                 *:*                     LISTEN      6884/couriertcpd
tcp6       0      0 *:pop3                  *:*                     LISTEN      6860/couriertcpd
tcp6       0      0 *:imap2                 *:*                     LISTEN      6821/couriertcpd
tcp6       0      0 *:smtp                  *:*                     LISTEN      5913/master
tcp6       0      0 ip6-localhost:953       *:*                     LISTEN      32313/named

Regards
This means that there are still some active firewall rules. Are you maybe using an additional firewall that interferes with Shorewall?
Thank you Falko... Hmm, I have only Shorewall on the server itself. My DS1 routers have firewall rules within them that specifically allow :81 to each respective server's IP. In /etc/network/interfaces I have the following lines:

Code:
pre-up iptables-restore < /etc/iptables.up.rules
post-down iptables-save > /etc/iptables.up.rules

Regards
Thank you Falko, I commented out the two lines:

Code:
pre-up iptables-restore < /etc/iptables.up.rules
post-down iptables-save > /etc/iptables.up.rules

then I issued /etc/init.d/networking restart. After that I stopped Shorewall, then issued iptables -L, and the server still returns the following:

Code:
Chain INPUT (policy DROP)
target       prot opt source               destination
ACCEPT       0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT       0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target       prot opt source               destination
ACCEPT       0    --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target       prot opt source               destination

Regards
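The listings above are checked by eye for rules that survive a `shorewall stop`; the script below is an added example, not from this thread or from Shorewall, that parses `iptables -L` output and flags a filter table that is not empty (leftover rules in INPUT/FORWARD/OUTPUT, or any user-defined chain). The sample listing embedded in it is constructed to match the "Shorewall stopped" output posted above.

```shell
#!/bin/sh
# Added example, not from the thread: summarise `iptables -L` output so rules
# left behind after `shorewall stop` stand out. Only POSIX sh and awk are used.

# Reads an `iptables -L` listing on stdin and prints one line per chain:
# "<chain> <policy or reference count> <rule count>".
summarize_chains() {
    awk '
        /^Chain / {
            if (chain != "") print chain, policy, rules
            chain = $2
            policy = $3 " " $4          # "(policy DROP)" or "(2 references)"
            gsub(/[()]/, "", policy)
            rules = 0
            next
        }
        /^target +prot/ { next }        # column header line
        NF == 0 { next }                # blank separator between chains
        { rules++ }
        END { if (chain != "") print chain, policy, rules }
    '
}

# Succeeds (exit 0) when the listing is NOT clean: some chain still carries
# rules, or a user-defined chain (anything but INPUT/FORWARD/OUTPUT) exists.
has_residual_rules() {
    printf '%s\n' "$1" | summarize_chains | awk '
        $NF > 0 { found = 1 }
        $1 != "INPUT" && $1 != "FORWARD" && $1 != "OUTPUT" { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}
# Constructed sample: the "Shorewall stopped" listing from the thread, where
# two ACCEPT rules survive in INPUT and one in FORWARD.
SAMPLE_STOPPED='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

if has_residual_rules "$SAMPLE_STOPPED"; then
    echo "residual rules present:"
    printf '%s\n' "$SAMPLE_STOPPED" | summarize_chains
fi
```

On a live host, pipe the real listing in with `iptables -L | summarize_chains`; the second ACCEPT line in INPUT (no state match, so it admits everything) is exactly the kind of leftover from an `iptables-restore` hook that this makes visible.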
Thank you Falko, I have a question of ignorance here; the command

Code:
update-rc.d -f shorewall remove

isn't going to remove Shorewall, is it? Thank you

Regards
No, it just removes the startup links for Shorewall so that Shorewall isn't started automatically when the system boots.
Thank you, Thank you, Thank you Falko... I am sorry for the huge delay in replying to you, I just today had time to try your last suggestion out. That did it! I appreciate your stick-to-it'ness attitude and I sincerely appreciate all the help you have provided me with.

Regards
Firewall problem

Hehe, yeah it was a firewall problem. Falko's on top of his game! Helped me out more than once. I'm self educated on this stuff but out of curiosity... where'd you go to school, Falko?