Quote:
[sudo] password for jon:
Compiling...
Initializing...
Determining Zones...
IPv4 Zones: net
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Validating Policy file...
Determining Hosts in Zones...
net Zone: venet0:0.0.0.0/0
Deleting user chains...
Compiling /etc/shorewall/routestopped ...
Creating Interface Chains...
Compiling Common Rules
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags checking...
Compiling Martian Logging...
Compiling IP Forwarding...
Compiling /etc/shorewall/rules...
Compiling Actions...
Compiling /usr/share/shorewall/action.Drop for Chain Drop...
Compiling /usr/share/shorewall/action.Reject for Chain Reject...
Compiling /etc/shorewall/policy...
Compiling Traffic Control Rules...
Compiling Rule Activation...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting...
Starting Shorewall....
Initializing...
Clearing Traffic Control/QOS
Deleting user chains...
FATAL: Could not load /lib/modules/2.6.18-ovz028stab039.1-smp/modules.dep: No such file or directory
ip6tables v1.3.6: can't initialize ip6tables table `filter': iptables who? (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
[the same three lines repeat seven times in total]
Enabling Loopback and DNS Lookups
Creating Interface Chains...
Setting up SMURF control...
Setting up Black List...
Adding Anti-smurf Jumps...
Setting up rules for DHCP...
Setting up TCP Flags checking...
Setting up ARP filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
IP Forwarding Enabled
Setting up SYN Flood Protection...
Setting up Rules...
Setting up Actions...
Creating action chain Drop
Creating action chain Reject
Creating action chain dropBcast
Creating action chain dropInvalid
Creating action chain dropNotSyn
Applying Policies...
Activating Rules...
touch: cannot touch `/var/lock/subsys/shorewall': No such file or directory
done.
Quote:
You will also want to disable IPv6 support in Shorewall - ip6tables is not loaded because it's useless without an IPv6 network provider.
Quote:
Setting DISABLE_IPV6=No in /etc/shorewall/shorewall.conf. This is because, in a perversely twisted form of logic, the configuration file requires you to have IPv6 support to be able to disable it. If you don't have it then it will error, as it will try to disable it using ip6tables, which we don't have the module for... so setting it to No fixes any errors.
Big thanks for your reply! But even when I disable module loading I can't force Shorewall to work: when I start the firewall I can't ping, for example, Google, and when I want to log in via SSH, connecting takes significantly longer. Is there somebody on this forum who has successfully installed Shorewall on the OpenVZ platform? Or do I have to choose Xen or write the iptables rules by hand? Thanks in advance for your help.
|
|
Quote:
Use this instead - it's a damn text file you can edit in just about any text editor. No "application" to install or configure, just a single text file. LESS BLOAT h0h0h0
Code:
[vps6 ~]:# cat ~/fw/mainfw
*mangle
:PREROUTING ACCEPT [15121:16435254]
:INPUT ACCEPT [15121:16435254]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14609:11600858]
:POSTROUTING ACCEPT [14599:11600258]
# drop bogus TCP flag combinations (the dump as posted listed these four rules
# four times over; one copy is equivalent)
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:icmp_packets - [0:0]
-A INPUT -s MY.PERSONAL/HOME.WAN.IP.WAS.HERE -j ACCEPT
#### Cyveillance Office ####
-A INPUT -s 63.148.99.0/24 -j DROP
-A INPUT -s 65.118.41.0/24 -j DROP
-A INPUT -s 38.99.0.0/16 -j DROP
-A INPUT -s 38.100.0.0/16 -j DROP
-A INPUT -s 38.105.244.0/24 -j DROP
-A INPUT -s 38.118.25.0/24 -j DROP
-A INPUT -s 38.118.42.0/24 -j DROP
-A INPUT -s 216.32.64.0/24 -j DROP
-A INPUT -s 38.112.21.0/24 -j DROP
-A INPUT -s 207.87.178.0/24 -j DROP
-A INPUT -s 65.222.185.0/24 -j DROP
-A INPUT -s 65.222.176.0/24 -j DROP
-A INPUT -s 63.100.163.0/24 -j DROP
-A INPUT -s 151.173.221.0/24 -j DROP
-A INPUT -s 68.48.24.0/24 -j DROP
-A INPUT -s 4.35.201.0/24 -j DROP
#### END Cyveillance ####
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 24.39.1.242 -j DROP
-A INPUT -s 38.103.63.0/24 -j DROP
-A INPUT -s 60.166.0.0/15 -j DROP
-A INPUT -s 60.168.0.0/13 -j DROP
-A INPUT -s 60.190.240.64/27 -j DROP
-A INPUT -s 61.135.0.0/16 -j DROP
-A INPUT -s 61.139.0.0/16 -j DROP
-A INPUT -s 62.75.240.0/22 -j DROP
-A INPUT -s 62.75.244.0/23 -j DROP
-A INPUT -s 64.17.0.0/20 -j DROP
-A INPUT -s 64.56.65.0/24 -j DROP
-A INPUT -s 64.62.142.0/24 -j DROP
-A INPUT -s 64.94.45.0/24 -j DROP
-A INPUT -s 66.249.70.0/24 -j DROP
-A INPUT -s 66.67.224.0/20 -j DROP
-A INPUT -s 66.112.55.168/29 -j DROP
-A INPUT -s 66.151.226.0/24 -j DROP
-A INPUT -s 70.53.146.0/24 -j DROP
-A INPUT -s 72.14.164.0/24 -j DROP
-A INPUT -s 72.55.128.0/18 -j DROP
-A INPUT -s 74.12.218.0/24 -j DROP
-A INPUT -s 74.86.0.0/16 -j DROP
-A INPUT -s 74.222.0.0/19 -j DROP
-A INPUT -s 76.69.95.0/24 -j DROP
-A INPUT -s 76.73.4.0/24 -j DROP
-A INPUT -s 77.37.205.0/24 -j DROP
-A INPUT -s 77.73.8.64/26 -j DROP
-A INPUT -s 77.221.131.0/24 -j DROP
-A INPUT -s 82.99.30.0/24 -j DROP
-A INPUT -s 83.233.30.0/24 -j DROP
-A INPUT -s 89.143.13.0/24 -j DROP
-A INPUT -s 91.121.96.0/24 -j DROP
-A INPUT -s 91.121.139.0/24 -j DROP
-A INPUT -s 91.209.70.0/24 -j DROP
-A INPUT -s 94.75.192.0/24 -j DROP
-A INPUT -s 94.142.128.0/24 -j DROP
-A INPUT -s 94.222.0.0/16 -j DROP
-A INPUT -s 94.223.0.0/16 -j DROP
-A INPUT -s 118.160.0.0/13 -j DROP
-A INPUT -s 118.168.0.0/14 -j DROP
-A INPUT -s 119.0.0.0/8 -j DROP
-A INPUT -s 120.29.209.0/24 -j DROP
-A INPUT -s 121.8.0.0/13 -j DROP
-A INPUT -s 121.32.0.0/14 -j DROP
-A INPUT -s 123.128.0.0/13 -j DROP
-A INPUT -s 149.32.192.0/24 -j DROP
-A INPUT -s 167.1.146.0/24 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 193.226.83.0/24 -j DROP
-A INPUT -s 194.8.74.0/23 -j DROP
-A INPUT -s 200.63.40.0/22 -j DROP
-A INPUT -s 202.108.0.0/16 -j DROP
-A INPUT -s 202.126.96.0/20 -j DROP
-A INPUT -s 202.59.164.0/24 -j DROP
-A INPUT -s 202.67.220.0/24 -j DROP
-A INPUT -s 202.114.0.0/19 -j DROP
-A INPUT -s 207.36.117.0/24 -j DROP
-A INPUT -s 208.96.54.0/24 -j DROP
-A INPUT -s 211.143.48.0/20 -j DROP
-A INPUT -s 211.143.64.0/18 -j DROP
-A INPUT -s 211.143.128.0/20 -j DROP
-A INPUT -s 212.100.250.0/24 -j DROP
-A INPUT -s 213.186.59.0/24 -j DROP
-A INPUT -s 213.248.158.0/24 -j DROP
-A INPUT -s 213.253.92.0/24 -j DROP
-A INPUT -s 216.147.0.0/17 -j DROP
-A INPUT -s 216.183.93.160/27 -j DROP
-A INPUT -s 219.232.240.0/24 -j DROP
-A INPUT -s 220.181.0.0/16 -j DROP
-A INPUT -s 222.32.0.0/11 -j DROP
-A INPUT -s 222.208.0.0/13 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# comcrap addr
-A INPUT -s MY.PERSONAL/HOME.WAN.IP.WAS.HERE -p icmp -m icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP
-A OUTPUT -d MY.PERSONAL/HOME.WAN.IP.WAS.HERE -j ACCEPT
# comcrap addr
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# comcrap addr
-A OUTPUT -d MY.PERSONAL/HOME.WAN.IP.WAS.HERE -p icmp -m icmp -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG_DROP
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : "
# --log-tcp-options --log-ip-options
# (comments must sit on their own lines: iptables-restore rejects trailing ones)
-A LOG_DROP -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -s 40.xxx.xxx.xxx/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
# PUT YER VPS IP IN THE LINE ABOVE THIS LINE.
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [9849:572796]
:POSTROUTING ACCEPT [27110:1646113]
:OUTPUT ACCEPT [27120:1646713]
COMMIT
[vps6 ~]:#
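The hand-written file above is easy to read, but its verdicts for a given packet are not, and the earlier post's symptoms (ping failing, SSH logins stalling) are exactly the kind of thing a ruleset like this produces when one line is wrong. The following is an added example, not code from this thread or from any of the posters: a small evaluator that parses iptables-save text and walks the filter chains for a handful of constructed packets. RULESET is a trimmed copy of the posted file with the two placeholders swapped for RFC 5737 documentation addresses (an assumption, made so it can run offline); the packet cases are likewise constructed. It shows that inbound SSH is accepted only from the hard-coded home address and ends in LOG_DROP from anywhere else, that an outbound echo-request is accepted only when it carries the address written on the 40.xxx line, and that DNS and ping replies get back in through the RELATED,ESTABLISHED rule.

```python
# Added example, not code from the thread: parse iptables-save text and walk the
# filter chains for constructed packets.  RULESET is a trimmed copy of the posted
# file; the placeholders are replaced with RFC 5737 addresses (an assumption).
import ipaddress
import shlex

HOME_IP = "203.0.113.10"  # stands in for MY.PERSONAL/HOME.WAN.IP.WAS.HERE
VPS_IP = "198.51.100.5"   # stands in for 40.xxx.xxx.xxx (the "PUT YER VPS IP" line)

RULESET = f"""
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:icmp_packets - [0:0]
-A INPUT -s {HOME_IP} -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP
-A OUTPUT -d {HOME_IP} -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG_DROP
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : "
-A LOG_DROP -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -s {VPS_IP}/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
COMMIT
"""
# Every option the posted file uses takes exactly one argument.
TWO_ARG = {"-s", "-d", "-p", "-m", "-j", "--dport", "--icmp-type", "--state", "--log-prefix"}

def parse_rule(toks):
    """Reduce the tokens after '-A CHAIN' to the criteria this model checks plus the target."""
    rule, it = {}, iter(toks)
    for t in it:
        arg = next(it) if t in TWO_ARG else None
        if t in ("-s", "-d"):
            rule[t] = ipaddress.ip_network(arg, strict=False)
        elif t == "--state":
            rule[t] = set(arg.split(","))
        elif t in ("-p", "--dport", "--icmp-type", "-j"):
            rule[t] = arg   # "-m" and "--log-prefix" carry nothing the match needs
    return rule

def parse_filter(text):
    """Return (policies, chains) for the *filter table; user chains get policy None."""
    policies, chains, in_filter = {}, {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line[0] == "#" or line == "COMMIT":
            continue
        elif line[0] == ":":
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains.setdefault(name, [])
        elif (toks := shlex.split(line))[0] == "-A":
            chains.setdefault(toks[1], []).append(parse_rule(toks[2:]))
    return policies, chains

def matches(rule, pkt):
    """A rule matches when every criterion it carries holds; absent criteria match anything."""
    return all((
        "-s" not in rule or ipaddress.ip_address(pkt["src"]) in rule["-s"],
        "-d" not in rule or ipaddress.ip_address(pkt["dst"]) in rule["-d"],
        "-p" not in rule or rule["-p"] == pkt["proto"],
        "--dport" not in rule or int(rule["--dport"]) == pkt.get("dport"),
        "--icmp-type" not in rule or int(rule["--icmp-type"]) == pkt.get("icmp_type"),
        "--state" not in rule or pkt.get("state", "NEW") in rule["--state"],
    ))

def verdict(policies, chains, chain, pkt):
    """First terminating target wins; LOG continues; the end of a user chain returns
    to the caller (None); the end of a built-in chain applies its policy."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule.get("-j")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            break
        if target not in (None, "LOG"):  # jump into a user chain
            sub = verdict(policies, chains, target, pkt)
            if sub is not None:
                return sub
    return policies.get(chain)

# Constructed packets; "state" is what conntrack would report for them.
CASES = {
    "ssh_in_from_home": ("INPUT", dict(src=HOME_IP, dst=VPS_IP, proto="tcp", dport=22)),
    "ssh_in_from_elsewhere": ("INPUT", dict(src="192.0.2.77", dst=VPS_IP, proto="tcp", dport=22)),
    "dns_query_out": ("OUTPUT", dict(src=VPS_IP, dst="192.0.2.53", proto="udp", dport=53)),
    "ping_out": ("OUTPUT", dict(src=VPS_IP, dst="192.0.2.1", proto="icmp", icmp_type=8)),
    "ping_out_wrong_vps_ip": ("OUTPUT", dict(src="192.0.2.9", dst="192.0.2.1", proto="icmp", icmp_type=8)),
    "ping_reply_in": ("INPUT", dict(src="192.0.2.1", dst=VPS_IP, proto="icmp", icmp_type=0, state="ESTABLISHED")),
}

def evaluate(text=RULESET, cases=CASES):
    """Map each case name to the verdict the ruleset gives that packet."""
    policies, chains = parse_filter(text)
    return {name: verdict(policies, chains, chain, pkt) for name, (chain, pkt) in cases.items()}
```

Two things to take from the run. The first INPUT rule is the only way in over SSH, so if the home address on that line changes (the "comcrap addr" comments suggest a residential connection) the box can no longer be reached except through the provider's console; keep that path open before loading the file with iptables-restore. And the icmp_packets chain accepts outbound echo-requests only from the address written on the 40.xxx line, so a wrong value there makes ping fail silently while everything else works. The evaluator understands only the match options the posted file uses (-s, -d, -p, --dport, --icmp-type, --state) and ignores the mangle and nat tables, so extend matches() before trusting it on a richer ruleset.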
|
|