Tom,
I modified the configuration more to match the examples on your
website. I must have missed the policy example on the previous
documentation, because I didn't have anything in there.
Here is the output of shorewall status. I still can't get a Win2K
connection to even show anything that resembles an attempted connection.
Shorewall-1.3.10 Status at diablo - Thu Jan 2 14:45:28 UTC 2003
Counters reset Thu Jan 2 14:43:26 UTC 2003
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 eth0_in ah -- eth0 * 0.0.0.0/0 0.0.0.0/0
3 234 eth1_in ah -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ipsec0_in ah -- ipsec0 * 0.0.0.0/0 0.0.0.0/0
0 0 ipsec1_in ah -- ipsec1 * 0.0.0.0/0 0.0.0.0/0
0 0 ipsec2_in ah -- ipsec2 * 0.0.0.0/0 0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
152 136K eth0_fwd ah -- eth0 * 0.0.0.0/0 0.0.0.0/0
149 26207 eth1_fwd ah -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ipsec0_fwd ah -- ipsec0 * 0.0.0.0/0 0.0.0.0/0
0 0 ipsec1_fwd ah -- ipsec1 * 0.0.0.0/0 0.0.0.0/0
0 0 ipsec2_fwd ah -- ipsec2 * 0.0.0.0/0 0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 ACCEPT ah -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
0 0 fw2net ah -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 all2all ah -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 fw2vpn1 ah -- * ipsec0 0.0.0.0/0 0.0.0.0/0
0 0 fw2vpn2 ah -- * ipsec1 0.0.0.0/0 0.0.0.0/0
0 0 fw2vpn3 ah -- * ipsec2 0.0.0.0/0 0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain all2all (24 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
3 234 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain common (5 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
3 234 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445 reject-with icmp-port-unreachable
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
0 0 DROP ah -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP ah -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW
0 0 DROP ah -- * * 0.0.0.0/0 65.114.249.255
0 0 DROP ah -- * * 0.0.0.0/0 10.4.8.255
Chain dynamic (10 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
152 136K dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
152 136K rfc1918 ah -- * * 0.0.0.0/0 0.0.0.0/0
152 136K net2all ah -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 net2all ah -- * ipsec0 0.0.0.0/0 0.0.0.0/0
0 0 net2all ah -- * ipsec1 0.0.0.0/0 0.0.0.0/0
0 0 net2all ah -- * ipsec2 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 rfc1918 ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 net2fw ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
149 26207 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
149 26207 loc2net ah -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 loc2vpn1 ah -- * ipsec0 0.0.0.0/0 0.0.0.0/0
0 0 loc2vpn2 ah -- * ipsec1 0.0.0.0/0 0.0.0.0/0
0 0 loc2vpn3 ah -- * ipsec2 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
3 234 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
3 234 loc2fw ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 51 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2vpn1 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2vpn2 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2vpn3 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
Chain ipsec0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all ah -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 vpn12loc ah -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 all2all ah -- * ipsec1 0.0.0.0/0 0.0.0.0/0
0 0 all2all ah -- * ipsec2 0.0.0.0/0 0.0.0.0/0
Chain ipsec0_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 vpn12fw ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain ipsec1_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all ah -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 vpn22loc ah -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 all2all ah -- * ipsec0 0.0.0.0/0 0.0.0.0/0
0 0 all2all ah -- * ipsec2 0.0.0.0/0 0.0.0.0/0
Chain ipsec1_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 vpn22fw ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain ipsec2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all ah -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 vpn32loc ah -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 all2all ah -- * ipsec0 0.0.0.0/0 0.0.0.0/0
0 0 all2all ah -- * ipsec1 0.0.0.0/0 0.0.0.0/0
Chain ipsec2_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 vpn32fw ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
3 234 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
136 25561 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
13 646 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2vpn1 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2vpn2 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2vpn3 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (27 references)
pkts bytes target prot opt in out source destination
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'
0 0 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (5 references)
pkts bytes target prot opt in out source destination
152 136K ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 common ah -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
0 0 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 51 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 net2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain newnotsyn (18 references)
pkts bytes target prot opt in out source destination
0 0 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (6 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT ah -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain rfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN ah -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP ah -- * * 169.254.0.0/16 0.0.0.0/0
0 0 logdrop ah -- * * 172.16.0.0/12 0.0.0.0/0
0 0 logdrop ah -- * * 192.0.2.0/24 0.0.0.0/0
0 0 logdrop ah -- * * 192.168.0.0/16 0.0.0.0/0
0 0 logdrop ah -- * * 0.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 2.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 5.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 7.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 10.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 23.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 27.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 31.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 36.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 39.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 41.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 42.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 58.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 60.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 70.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 72.0.0.0/5 0.0.0.0/0
0 0 logdrop ah -- * * 82.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 84.0.0.0/6 0.0.0.0/0
0 0 logdrop ah -- * * 88.0.0.0/5 0.0.0.0/0
0 0 logdrop ah -- * * 96.0.0.0/3 0.0.0.0/0
0 0 logdrop ah -- * * 127.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 197.0.0.0/8 0.0.0.0/0
0 0 logdrop ah -- * * 222.0.0.0/7 0.0.0.0/0
0 0 logdrop ah -- * * 240.0.0.0/4 0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain vpn12fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn12loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn22fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn22loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn32fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn32loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain PREROUTING (policy ACCEPT 29692 packets, 1784K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 4 packets, 160 bytes)
pkts bytes target prot opt in out source destination
13 646 eth0_masq ah -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
13 646 MASQUERADE ah -- * * 10.4.8.0/24 0.0.0.0/0
Chain PREROUTING (policy ACCEPT 143K packets, 35M bytes)
pkts bytes target prot opt in out source destination
169 137K man1918 ah -- eth0 * 0.0.0.0/0 0.0.0.0/0
321 164K pretos ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 13632 packets, 602K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 115K packets, 33M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 251 packets, 20326 bytes)
pkts bytes target prot opt in out source destination
0 0 outtos ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 115K packets, 33M bytes)
pkts bytes target prot opt in out source destination
Chain logdrop (27 references)
pkts bytes target prot opt in out source destination
0 0 LOG ah -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:man1918:DROP:'
0 0 DROP ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain man1918 (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN ah -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP ah -- * * 0.0.0.0/0 169.254.0.0/16
0 0 logdrop ah -- * * 0.0.0.0/0 172.16.0.0/12
0 0 logdrop ah -- * * 0.0.0.0/0 192.0.2.0/24
0 0 logdrop ah -- * * 0.0.0.0/0 192.168.0.0/16
0 0 logdrop ah -- * * 0.0.0.0/0 0.0.0.0/7
0 0 logdrop ah -- * * 0.0.0.0/0 2.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 5.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 7.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 10.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 23.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 27.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 31.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 36.0.0.0/7
0 0 logdrop ah -- * * 0.0.0.0/0 39.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 41.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 42.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 58.0.0.0/7
0 0 logdrop ah -- * * 0.0.0.0/0 60.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 70.0.0.0/7
0 0 logdrop ah -- * * 0.0.0.0/0 72.0.0.0/5
0 0 logdrop ah -- * * 0.0.0.0/0 82.0.0.0/7
0 0 logdrop ah -- * * 0.0.0.0/0 84.0.0.0/6
0 0 logdrop ah -- * * 0.0.0.0/0 88.0.0.0/5
0 0 logdrop ah -- * * 0.0.0.0/0 96.0.0.0/3
0 0 logdrop ah -- * * 0.0.0.0/0 127.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 197.0.0.0/8
0 0 logdrop ah -- * * 0.0.0.0/0 222.0.0.0/7
0 0 logdrop ah -- * * 0.0.0.0/0 240.0.0.0/4
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
3 120 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
3 134 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
tcp 6 94 TIME_WAIT src=10.4.8.143 dst=209.197.104.111 sport=2907 dport=80 src=209.197.104.111 dst=65.114.249.131 sport=80 dport=2907 [ASSURED] use=1
tcp 6 94 TIME_WAIT src=10.4.8.143 dst=216.208.64.13 sport=2901 dport=80 src=216.208.64.13 dst=65.114.249.131 sport=80 dport=2901 [ASSURED] use=1
tcp 6 94 TIME_WAIT src=10.4.8.143 dst=64.12.152.18 sport=2897 dport=80 src=64.12.152.18 dst=65.114.249.131 sport=80 dport=2897 [ASSURED] use=1
tcp 6 79 TIME_WAIT src=10.4.8.143 dst=66.39.116.193 sport=2903 dport=80 src=66.39.116.193 dst=65.114.249.131 sport=80 dport=2903 [ASSURED] use=1
tcp 6 79 TIME_WAIT src=10.4.8.143 dst=209.197.104.111 sport=2906 dport=80 src=209.197.104.111 dst=65.114.249.131 sport=80 dport=2906 [ASSURED] use=1
tcp 6 117 TIME_WAIT src=10.4.8.143 dst=66.39.116.193 sport=2905 dport=80 src=66.39.116.193 dst=65.114.249.131 sport=80 dport=2905 [ASSURED] use=1
tcp 6 79 TIME_WAIT src=10.4.8.143 dst=209.68.36.74 sport=2904 dport=80 src=209.68.36.74 dst=65.114.249.131 sport=80 dport=2904 [ASSURED] use=1
tcp 6 64 TIME_WAIT src=10.4.8.143 dst=207.200.91.216 sport=2898 dport=80 src=207.200.91.216 dst=65.114.249.131 sport=80 dport=2898 [ASSURED] use=1
tcp 6 4 TIME_WAIT src=10.4.8.143 dst=209.197.104.111 sport=2896 dport=80 src=209.197.104.111 dst=65.114.249.131 sport=80 dport=2896 [ASSURED] use=1
udp 17 27 src=10.4.8.143 dst=65.114.248.4 sport=2908 dport=53 [UNREPLIED] src=65.114.248.4 dst=65.114.249.131 sport=53 dport=2908 use=1
udp 17 28 src=10.4.8.143 dst=65.114.248.5 sport=2908 dport=53 [UNREPLIED] src=65.114.248.5 dst=65.114.249.131 sport=53 dport=2908 use=1
tcp 6 109 TIME_WAIT src=10.4.8.143 dst=216.208.64.13 sport=2902 dport=80 src=216.208.64.13 dst=65.114.249.131 sport=80 dport=2902 [ASSURED] use=1
tcp 6 9 TIME_WAIT src=10.4.8.143 dst=129.128.5.191 sport=2862 dport=21 src=129.128.5.191 dst=65.114.249.131 sport=21 dport=2862 [ASSURED] use=1
Thanks!
Steve
On Wed, 2003-01-01 at 16:51, Tom Eastep wrote:
>
>
> --On Wednesday, January 01, 2003 4:27 PM -0700 Steve Fink
> <[EMAIL PROTECTED]> wrote:
>
> > I tried to determine whether or not the ports were
> > open in Shorewall but an iptables -C INPUT -p udp -s 65.114.248.6/24 -d
> > 65.114.249.131:500, only gives me a "Will be implemented real soon ;)"
>
> And it wouldn't have told you anything anyway since Shorewall is a little
> smarter than to place ALL input rules in the INPUT chain where they have to
> be executed sequentially. Nevertheless, from the "iptables -L -n -v" later
> (In the future, please post the output of "shorewall status" -- it's much
> more complete):
>
> Chain net2fw (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 1 40 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
> 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT 51 -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
> 6459 258K net2all ah -- * * 0.0.0.0/0 0.0.0.0/0
>
> So Protocols 50 and 51 are open as is UDP 500. If the remote host is behind
> a NAT firewall however, you should have defined your tunnel type as
> 'ipsecnat' so that Shorewall wouldn't insist on SPT=500.
>
> Similarly:
>
> Chain fw2net (1 references)
> pkts bytes target prot opt in out source destination
> 2 80 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
> 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT 51 -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
> 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
> 0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
>
> So UDP port 500 is open on output as are protocols 50 and 51.
>
> I notice though that there are no gw2loc and loc2gw chains -- what kind of
> tunnel are you trying to set up here? Host->Host? If you want Host->Subnet,
> you need to set the gw->loc and loc->gw policies to ACCEPT.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> Shoreline, \ http://shorewall.sf.net
> Washington USA \ [EMAIL PROTECTED]
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> ------------------------------------------------------------------------
> leaf-user mailing list: [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
>
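The listing above wraps every rule over two lines, and the question it has to answer is whether any IKE, ESP or AH packet from the Win2K peer reached the box at all. The Python below is an added example, not code from Steve's post or from the Shorewall project: it rejoins the wrapped lines, reports whether the IPsec-admitting rules of a chain have counted any packets (all zero in net2fw and fw2net above, so nothing from the peer arrived since the counters were reset), and applies the `udp spt:500 dpt:500` match to a packet so that Tom's point about NATed peers is concrete. It assumes a constructed excerpt of the net2fw chain as input and a made-up rewritten source port (1025) for the NATed peer; in this listing the `ah` keyword stands where iptables normally prints `all`, as the loopback ACCEPT rule in INPUT shows.

```python
import re

# Constructed excerpt of the wrapped "shorewall status" listing above: the mail
# client split each rule into a "pkts ... source" line and a "destination [matches]" line.
SAMPLE = """\
Chain net2fw (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT esp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT 51 -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 net2all ah -- * * 0.0.0.0/0
0.0.0.0/0
"""

RULE_RE = re.compile(r"^(\d+) (\d+[KMG]?) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_status(text):
    """Rejoin the wrapped rule lines into {chain: [rule dict, ...]}.  The filter
    table is listed first, so a later same-named nat/mangle chain (e.g. OUTPUT)
    is skipped; a LOG prefix wrapped onto a third line is not recovered."""
    chains, chain, rule = {}, None, None
    for raw in text.splitlines():
        line = " ".join(raw.split())          # collapse mail-client whitespace
        if line.startswith("Chain "):
            name = line.split()[1]
            chain = None if name in chains else name
            if chain:
                chains[chain] = []
            rule = None
        elif chain is None or line.startswith("pkts ") or line == "destination":
            continue
        elif RULE_RE.match(line):
            pkts, nbytes, target, prot, _, inif, outif, src = RULE_RE.match(line).groups()
            rule = {"pkts": int(pkts), "bytes": nbytes, "target": target, "prot": prot,
                    "in": inif, "out": outif, "src": src, "dst": None, "extra": ""}
            chains[chain].append(rule)
        elif rule is not None and rule["dst"] is None:    # the wrapped second half
            rule["dst"], _, rule["extra"] = line.partition(" ")
    return chains

def ipsec_rules(rules):
    """Rules admitting IPsec: ESP (esp/50), AH by number (51; the 'ah' keyword in
    this listing sits where iptables normally prints 'all') or UDP to IKE port 500."""
    return [r for r in rules if r["prot"] in ("esp", "50", "51")
            or (r["prot"] == "udp" and "dpt:500" in r["extra"])]

def ike_seen(chains, chain_name):
    """True if any IPsec rule in the chain has counted a packet since the reset."""
    return any(r["pkts"] > 0 for r in ipsec_rules(chains.get(chain_name, [])))

def udp_rule_matches(rule, sport, dport):
    """Apply a rule's single-port 'spt:N'/'dpt:N' matches to one UDP packet."""
    if rule["prot"] != "udp":
        return False
    want = dict(re.findall(r"\b(spt|dpt):(\d+)", rule["extra"]))
    return all(int(want[k]) == v for k, v in (("spt", sport), ("dpt", dport)) if k in want)

def nat_peer_falls_through(chains, chain_name, sport):
    """True when IKE from a peer whose source port a NAT device rewrote (sport != 500)
    misses the chain's 'udp spt:500 dpt:500' rule and drops to the chain's fallback."""
    ike = [r for r in ipsec_rules(chains.get(chain_name, [])) if r["prot"] == "udp"]
    return bool(ike) and not udp_rule_matches(ike[0], sport, 500)
```

Run it over the full status output to get every chain; a non-zero counter on the esp, 51 or udp/500 rule of net2fw is the first sign that the peer's IKE traffic is reaching eth0 at all.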