Hi,
Current status is that the systemd service for iptables is working (with no complex rules).
But when I activate shorewall with the configuration for two network interfaces (+ masq), I get the following error.

```
xt_conntrack: cannot load conntrack support for proto=2
xt_conntrack: cannot load conntrack support for proto=2
Job for shorewall.service failed because the control process exited with error code. See "systemctl status shorewall.service" and "journalctl -xe" for details.
```
Journal output from "journalctl -xe" after "systemctl restart shorewall":

```
Jun 03 20:31:54 homeproxy shorewall[2586]: Compiling using Shorewall 5.0.4...
Jun 03 20:31:55 homeproxy shorewall[2586]: Processing /etc/shorewall/params ...
Jun 03 20:31:55 homeproxy shorewall[2586]: Processing /etc/shorewall/shorewall.conf...
Jun 03 20:31:55 homeproxy shorewall[2586]: Loading Modules...
Jun 03 20:31:55 homeproxy kernel: xt_conntrack: cannot load conntrack support for proto=2
Jun 03 20:31:55 homeproxy kernel: xt_conntrack: cannot load conntrack support for proto=2
Jun 03 20:31:55 homeproxy shorewall[2586]: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
Jun 03 20:31:55 homeproxy root[2647]: ERROR:Shorewall start failed
Jun 03 20:31:55 homeproxy systemd[1]: shorewall.service: Main process exited, code=exited, status=255/n/a
Jun 03 20:31:55 homeproxy systemd[1]: Failed to start Shorewall IPv4 firewall.
-- Subject: Unit shorewall.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit shorewall.service has failed.
--
-- The result is failed.
Jun 03 20:31:55 homeproxy systemd[1]: shorewall.service: Unit entered failed state.
Jun 03 20:31:55 homeproxy systemd[1]: shorewall.service: Failed with result 'exit-code'.
```
The same problem occurs with "systemctl restart shorewall6":

```
Jun 03 20:39:33 homeproxy kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
Jun 03 20:39:33 homeproxy shorewall6[2677]: Compiling using Shorewall6 5.0.4...
Jun 03 20:39:34 homeproxy shorewall6[2677]: Processing /etc/shorewall6/params ...
Jun 03 20:39:34 homeproxy shorewall6[2677]: Processing /etc/shorewall6/shorewall6.conf...
Jun 03 20:39:34 homeproxy shorewall6[2677]: Loading Modules...
Jun 03 20:39:34 homeproxy kernel: xt_conntrack: cannot load conntrack support for proto=10
Jun 03 20:39:34 homeproxy kernel: xt_conntrack: cannot load conntrack support for proto=10
Jun 03 20:39:34 homeproxy shorewall6[2677]: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
Jun 03 20:39:34 homeproxy root[2745]: ERROR:Shorewall6 start failed
Jun 03 20:39:34 homeproxy systemd[1]: shorewall6.service: Main process exited, code=exited, status=255/n/a
Jun 03 20:39:34 homeproxy systemd[1]: Failed to start Shorewall IPv6 firewall.
-- Subject: Unit shorewall6.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit shorewall6.service has failed.
--
-- The result is failed.
Jun 03 20:39:34 homeproxy systemd[1]: shorewall6.service: Unit entered failed state.
Jun 03 20:39:34 homeproxy systemd[1]: shorewall6.service: Failed with result 'exit-code'.
```
Here is the output of "lsmod":

```
Module                  Size  Used by
xt_conntrack            2587  0
nf_conntrack           57841  1 xt_conntrack
iptable_filter          1061  0
ip_tables              10459  1 iptable_filter
x_tables               11076  3 ip_tables,xt_conntrack,iptable_filter
autofs4                21248  0
```
After some searching on the world wide web, I think two lines in the config need to be changed.

```
# CONFIG_NF_CONNTRACK_IPV4 is not set
```
to
```
CONFIG_NF_CONNTRACK_IPV4=m
```
and
```
# CONFIG_NF_CONNTRACK_IPV6 is not set
```
to
```
CONFIG_NF_CONNTRACK_IPV6=m
```
If you need more info, please ask.
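As an added example (my script, not part of the original post), here is a POSIX shell check that maps the proto number in those kernel messages to the kernel config symbol whose module provides conntrack for that address family (2 is IPv4, 10 is IPv6) and then verifies a kernel .config for those symbols. Only the two CONFIG_NF_CONNTRACK_* symbols come from the post; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. The number in
# "xt_conntrack: cannot load conntrack support for proto=N" is the
# netfilter address family: 2 = IPv4, 10 = IPv6. xt_conntrack asks the
# kernel for the per-family conntrack module, so the matching Kconfig
# symbol must be built as y or m, otherwise Shorewall's state-match
# test fails exactly as in the journal above.

# Print the Kconfig symbol for a family number; non-zero for unknown ones.
conntrack_option_for_proto() {
    case "$1" in
        2)  echo CONFIG_NF_CONNTRACK_IPV4 ;;
        10) echo CONFIG_NF_CONNTRACK_IPV6 ;;
        *)  return 1 ;;
    esac
}

# Read journal/dmesg lines on stdin and print each required symbol once,
# in ascending family order (IPv4 before IPv6).
options_from_journal() {
    sed -n 's/.*cannot load conntrack support for proto=\([0-9]*\).*/\1/p' |
        sort -n -u |
        while read -r proto; do
            conntrack_option_for_proto "$proto" ||
                printf 'unknown family %s\n' "$proto" >&2
        done
}

# check_config FILE SYMBOL... : report each symbol; the exit status is the
# number of symbols that are not =y or =m (0 means the kernel is fine).
check_config() {
    cfg="$1"; shift
    missing=0
    for opt in "$@"; do
        if grep -q "^${opt}=[ym]\$" "$cfg"; then
            printf '%s: enabled\n' "$opt"
        else
            printf '%s: NOT enabled (set it to y or m, rebuild, reboot)\n' "$opt"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}
```

On the affected box, source the file and run `check_config /boot/config-$(uname -r) $(journalctl -k | options_from_journal)` (or unpack /proc/config.gz into a temporary file first) to see whether the running kernel actually has the symbols the messages ask for.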