reverting shorewall



Postby jiml8 » Nov 4th, '17, 16:18

The version of shorewall provided on Mageia 6 has broken a lot of things on my system. Literally every script I employ to manipulate iptables (and there are many of those) no longer functions. I have 3 physical NICs and 5 virtual LANs in this workstation, and I really have to be able to manipulate iptables to reconfigure for the problem in front of me at a given time.

Now, I can spend many hours sorting out WTF is happening here, or I can (maybe) revert to the shorewall from Mageia 5, which was trouble-free.

Reverting makes more sense to me, if it can be conveniently done. I certainly don't want to disappear down the rabbit hole trying to do it.

So, can I? And how best to go about that?
jiml8
 
Posts: 1254
Joined: Jul 7th, '13, 18:09

Re: reverting shorewall

Postby doktor5000 » Nov 5th, '17, 13:16

If you only want to be able to manipulate iptables directly, why not simply remove shorewall?
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 18017
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: reverting shorewall

Postby jiml8 » Nov 5th, '17, 19:57

Because a firewall is an essential component of security, of course.
jiml8
 

Re: reverting shorewall

Postby doktor5000 » Nov 5th, '17, 20:51

Well, as shorewall is only a frontend to iptables, you're not removing the packet filter, but the frontend which you seem to have issues with. I believe there's a misunderstanding here ...
doktor5000
 

Re: reverting shorewall

Postby jiml8 » Nov 6th, '17, 01:27

After giving the matter some thought, I did disable shorewall and wrote my own firewall. This removes the over-complexity of shorewall, and I am now sure that the problems I have are not due to shorewall.

After doing this, roughly half of my scripts are working. That the other half does not work indicates that iptables behavior has changed in recent kernels. I find this to be more than a bit annoying, but at least I can now separate the shorewall issues from the iptables issues.

I presently have most of the firewall issues sorted out, though I still don't seem to be able to properly do IP forwarding without using masquerading (which I don't want to do). I do have things working with SNAT, to some extent anyway, but I am missing a rule someplace and don't yet know where, or why.
jiml8
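
For the setup described in the last post (routed forwarding with SNAT instead of masquerading), an added example that is not code from the thread: a checker that reads `iptables-save` output and lists which of the pieces such a setup needs are absent. The interface names `eth1` (LAN) and `eth0` (WAN), the address 192.0.2.10 and the sample ruleset are constructed assumptions.

```python
import shlex

# Constructed sample in iptables-save format; interfaces and address are assumptions.
SAMPLE = """*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 192.0.2.10
COMMIT
"""

def parse_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [(chain, tokens)]}}."""
    tables, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):                      # table header, e.g. *filter
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif cur is not None and line.startswith(":"):  # chain policy, e.g. :FORWARD DROP [0:0]
            cur["policy"].update([line[1:].split()[:2]])
        elif cur is not None and line.startswith("-A "):
            tok = shlex.split(line)
            cur["rules"].append((tok[1], tok[2:]))
    return tables

def opt(tokens, flag):  # value after flag, or None; negated ("!") matches are not handled
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def audit_forwarding(save_text, lan_if, wan_if, ip_forward):
    """List what is missing for routed lan_if -> wan_if forwarding with SNAT."""
    # Limitation: rule order (an earlier DROP shadowing an ACCEPT) is not evaluated.
    t = parse_save(save_text)
    flt, nat = (t.get(n, {"policy": {}, "rules": []}) for n in ("filter", "nat"))
    fwd = [r for c, r in flt["rules"] if c == "FORWARD"]
    out = [r for c, r in nat["rules"] if c == "POSTROUTING" and opt(r, "-o") in (wan_if, None)]
    def accepts(i, o, new):
        def ok(r):  # a rule limited to ESTABLISHED/RELATED does not admit new connections
            st = opt(r, "--ctstate") or opt(r, "--state")
            return (opt(r, "-j") == "ACCEPT" and opt(r, "-i") in (i, None) and opt(r, "-o") in (o, None)
                    and not (new and st and "NEW" not in st.split(",")))
        return flt["policy"].get("FORWARD") == "ACCEPT" or any(map(ok, fwd))
    checks = [
        (ip_forward == "1", "net.ipv4.ip_forward is not 1"),
        (accepts(lan_if, wan_if, True), f"FORWARD: new {lan_if}->{wan_if} traffic not accepted"),
        (accepts(wan_if, lan_if, False), f"FORWARD: reply {wan_if}->{lan_if} traffic not accepted"),
        (any(opt(r, "-j") == "SNAT" and opt(r, "--to-source") for r in out), f"nat: no SNAT --to-source on {wan_if}"),
        (not any(opt(r, "-j") == "MASQUERADE" for r in out), f"nat: MASQUERADE still present on {wan_if}"),
    ]
    return [msg for ok, msg in checks if not ok]
```

On a live system the inputs would be the output of `iptables-save` and of `sysctl -n net.ipv4.ip_forward`; for the constructed sample, `audit_forwarding(SAMPLE, "eth1", "eth0", "1")` reports only the missing reply-direction FORWARD rule.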
 

