Hello All, Please be patient with me, I am new to the Linux world and I am not a security expert.
I built a uClibc firewall version 2.0 Linux firewall, kernel 2.4.20, from the image Bering-uClibc_2.0_img_bering-uclibc-1680.exe and I have been compromised. I have included a lot of information here because I need to know how the hackers compromised this machine and I want to give you as much information as you need to help me figure it out. For the most part this is a default configuration with no special services needed or running. I set up dropbear (default config) but have not removed the package yet. The Shorewall is set to accept all outbound traffic and paranoid ALL inbound; I have not changed anything in this configuration file. Please see Configuration and rules below for more detail and please let me know if you need any additional information.

Thank you in advance to all that will help me. I am learning, and I am sure this is NOT an issue with the shorewall product but with my configuration. Please also remember who you are addressing (dope newbie/wannabe) so please if you could. :)

Ken
[EMAIL PROTECTED]

Issue:
===============-==============-==============================================
My shorewall has been compromised. I need to find out how they are compromising this machine repeatedly and what I need to do to stop it! The hackers have already used the shorewall box to spam others on the internet and god knows what else. I have a CISCO PIX 515 behind the shorewall firewall with eth0 set to 192.168.1.99. As far as I can tell it has not been compromised and I have not noticed any strange events internally on my home network (yet). (I am told the PIX cannot be configured for dhcp so I am using shorewall for this; unfortunately in my area I have a choice between Comcast and dialup.) The version of uClibc I am using may need some patches but I am not sure about this, as I downloaded this image and set it up less than a month ago. Please let me know if there are any critical updates that I need to apply.

I have read the installation/user guides and have read hundreds of man pages and I can only hope I did everything right.

This clip is from my shorewall.log:0: Note the date on the first entry and the source IP. The problem is that the SRC is my IP and I do not have an IP 192.43.244.18 on my network. I have added 123.1.1.1 to my blacklist. Since this IP has been added to my blacklist it still shows up in my log and looks something like the log from DEC 20 below with Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 SRC=123.1.1.1 DST=192.168.1.99. This is bad because this IP is eth0 to my CISCO PIX 515.

Jan 1 00:00:00 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= SRC=12.213.227.185 DST=192.43.244.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4083 DPT=37 SEQ=3441321937 ACK=0 WINDOW=5840 SYN URGP=0
Dec 21 10:19:38 firewall Shorewall:logdrop:DROP: IN=eth0 OUT= MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=123.1.1.1 DST=12.213.227.185 LEN=783 TOS=00 PREC=0x00 TTL=112 ID=28872 PROTO=UDP SPT=14833 DPT=1026 LEN=763
Dec 21 15:13:10 firewall Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=205.240.153.242 DST=12.213.227.185 LEN=60 TOS=00 PREC=0x00 TTL=49 ID=13109 DF PROTO=TCP SPT=1787 DPT=21 SEQ=3260295433 ACK=0 WINDOW=5840 SYN URGP=0

Also SRC IP 66.218.70.35 has seemingly exploited the uClibc firewall. The IP 192.168.1.99 is eth0 for my CISCO PIX 515. You can see shorewall start and then 66.218.70.35 (v4.vc.scd.yahoo.com [66.218.70.35]) is out eth1, looks bad to me.
The hacker is using several boxes from yahoo IPs: v3.vc.scd.yahoo.com [66.218.70.45], v1.vc.scd.yahoo.com [66.218.70.32], v13.vc.scd.yahoo.com [66.218.70.34]

Dec 20 14:59:16 firewall dhcpcd.exe: interface eth0 has been configured with new IP=12.213.227.185
Dec 20 14:59:23 firewall root: Shorewall Started
Dec 20 15:41:06 firewall kernel: Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 SRC=66.218.70.35 DST=192.168.1.99 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=2091 DF PROTO=TCP SPT=5001 DPT=10468 WINDOW=65535 RES=0x00 ACK SYN URGP=0

Configuration:
===============-==============-==============================================
The Shorewall box has two Intel Pro 100 NICs. Eth0 to internet with dhcp, routefilter, blacklist, rfc1918 and dropunclean set to yes. I had set blacklist logging to 6 (informational) and then changed it to 4 (urgent) just to see if this would show different events in the log. Eth0 pulls dhcp IP 12.213.227.185 from Comcast. Eth1 is configured with default address 192.168.1.254. Incoming ICMP on port 8 set to DROP packets. Ident Port 113 set to DROP packets.

Modules Loaded:
===============-==============-==============================================
Modules:
softdog                 1476   1
ip_nat_irc              2176   0 (unused)
ip_nat_ftp              2784   0 (unused)
ip_conntrack_irc        2880   1
ip_conntrack_ftp        3648   1
eepro100               17892   2
mii                     2092   0 [eepro100]

Installed Packages:
Name            Version        Description
===============-==============-==============================================
initrd          V2.0 uClibc-0. LEAF Bering initial filesystem
root            V2.0 uClibc-0. Core LEAF Bering package
config          0.1            Core config and backup system package
etc             V2.0 uClibc-0.
local           V2.0 uClibc-0. LEAF Bering local package
modules         V2.0 uClibc-0. Define & contain your LEAF Bering modules
iptables        1.2.8          IP packet filter administration tools for 2.4.
dhcpcd          1.3.22pl4-7    dhcpcd is a RFC2131 and RFC1541 compliant DHCP
keyboard        0.3            Define your keyboard settings
shorwall        1.4.5          Shoreline Firewall (Shorewall)
ulogd           1.02           The Netfilter Userspace Logging Daemon
dnscache        1.05a          A fast & secure proxy DNS server, patched for
dropbear        0.38           Dropbear SSH 2 server and key generator.
weblet          1.2.2-4        LEAF status via a small web server

Running Process:
===============-==============-==============================================
  PID Uid      VmSize Stat Command
    1 root        256 S    init [2]
    2 root            SW   [keventd]
    3 root            SWN  [ksoftirqd_CPU0]
    4 root            SW   [kswapd]
    5 root            SW   [bdflush]
    6 root            SW   [kupdated]
28918 root        280 S    /sbin/syslogd -m 240
12413 root        240 S    /sbin/klogd
20139 root        280 S    /sbin/dhcpcd-bin -Y -N -D -d eth0
31742 root        308 S    /usr/sbin/dropbear -p 22 -r /etc/dropbear/dropbear_rs
15242 root        144 S    /usr/sbin/watchdog
 5006 root        280 S    /usr/sbin/inetd
25734 root        280 S    /usr/sbin/ulogd -d
30415 root       1216 S    [dnscache]
24224 root        288 S    /usr/sbin/cron
30450 root        268 S    /sbin/getty 38400 tty1
29007 root        268 S    /sbin/getty 38400 tty2
 1707 sh-httpd    328 S    /bin/sh /usr/sbin/sh-httpd
  302 sh-httpd    308 S    /bin/sh /var/sh-www/cgi-bin/viewsys
28628 root        196 S    [sleep]
15224 root        240 S    [cat]
27609 sh-httpd    308 R    /bin/sh /var/sh-www/cgi-bin/viewsys
12982 root        288 R    [ps]

Firewall Rules:
===============-==============-==============================================
Shorewall-1.4.5 Chain at - Mon Dec 22 13:42:32 UTC 2003

Chain INPUT (policy DROP 2 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
    0     0 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0          ULOG copy_range 0 nlgroup 1 prefix `Shorewall:INPUT:REJECT:' queue_threshold 1
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0          ULOG copy_range 0 nlgroup 1 prefix `Shorewall:FORWARD:REJECT:' queue_threshold 1
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0          udp dpts:67:68
    0     0 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0          ULOG copy_range 0 nlgroup 1 prefix `Shorewall:OUTPUT:REJECT:' queue_threshold 1
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0          ULOG copy_range 0 nlgroup 1 prefix `Shorewall:all2all:REJECT:' queue_threshold 1
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain badpkt (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ULOG      !tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          ULOG copy_range 0 nlgroup 1 prefix `Shorewall:badpkt:DROP:' queue_threshold 1
    0     0 ULOG       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          ULOG copy_range 0 nlgroup 1 prefix `Shorewall:badpkt:DROP:' queue_threshold 1
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain blacklst (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       66.218.70.32         0.0.0.0/0          LOG flags 0 level 4 prefix `Shorewall:blacklst:DROP:'
    0     0 DROP       all  --  *      *       66.218.70.32         0.0.0.0/0
    0     0 LOG        all  --  *      *       66.218.70.46         0.0.0.0/0          LOG flags 0 level 4 prefix `Shorewall:blacklst:DROP:'
    0     0 DROP       all  --  *      *       66.218.70.46         0.0.0.0/0
    0     0 LOG        all  --  *      *       66.218.70.32         0.0.0.0/0          LOG flags 0 level 4 prefix `Shorewall:blacklst:DROP:'
    0     0 DROP       all  --  *      *       66.218.70.32         0.0.0.0/0
    0     0 LOG        all  --  *      *       66.218.70.33         0.0.0.0/0          LOG flags 0 level 4 prefix `Shorewall:blacklst:DROP:'
    0     0 DROP       all  --  *      *       66.218.70.33         0.0.0.0/0
    0     0 LOG        all  --  *      *       66.218.70.34         0.0.0.0/0          LOG flags 0 level 4 prefix `Shorewall:blacklst:DROP:'
    0     0 DROP       all  --  *      *       66.218.70.34         0.0.0.0/0
    0     0 LOG        all  --  *      *       66.218.70.35         0.0.0.0/0          LOG flags 0 level 4 prefix `Shorewall:blacklst:DROP:'
    0     0 DROP       all  --  *      *       66.218.70.35         0.0.0.0/0
    0     0 LOG        all  --  *      *       66.218.70.41         0.0.0.0/0          LOG flags 0 level 4 prefix `Shorewall:blacklst:DROP:'
    0     0 DROP       all  --  *      *       66.218.70.41         0.0.0.0/0
    0     0 LOG        all  --  *      *       66.218.70.45         0.0.0.0/0          LOG flags 0 level 4 prefix `Shorewall:blacklst:DROP:'
    0     0 DROP       all  --  *      *       66.218.70.45         0.0.0.0/0
    0     0 LOG        all  --  *      *       66.232.141.16        0.0.0.0/0          LOG flags 0 level 4 prefix `Shorewall:blacklst:DROP:'
    0     0 DROP       all  --  *      *       66.232.141.16        0.0.0.0/0
    0     0 LOG        all  --  *      *       123.1.1.1            0.0.0.0/0          LOG flags 0 level 4 prefix `Shorewall:blacklst:DROP:'
    0     0 DROP       all  --  *      *       123.1.1.1            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:53 state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.1.255

Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 badpkt     all  --  *      *       0.0.0.0/0            0.0.0.0/0          unclean
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW
    0     0 blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 badpkt     all  --  *      *       0.0.0.0/0            0.0.0.0/0          unclean
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpts:67:68
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW
    0     0 blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:53
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (30 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0          ULOG copy_range 0 nlgroup 1 prefix `Shorewall:logdrop:DROP:' queue_threshold 1
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0          ULOG copy_range 0 nlgroup 1 prefix `Shorewall:net2all:DROP:' queue_threshold 1
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:67
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:67
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:68
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:68
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:113
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

I have added a lot more ports to DROP but have only included those that specifically were set to allow or open in the default config. Like port 113, I have set to DROP.

Chain newnotsyn (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (10 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited

Chain rfc1918 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       169.254.0.0/16       0.0.0.0/0
    0     0 logdrop    all  --  *      *       172.16.0.0/12        0.0.0.0/0
    0     0 logdrop    all  --  *      *       192.0.2.0/24         0.0.0.0/0
    0     0 logdrop    all  --  *      *       192.168.0.0/16       0.0.0.0/0
    0     0 logdrop    all  --  *      *       0.0.0.0/7            0.0.0.0/0
    0     0 logdrop    all  --  *      *       2.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       5.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       7.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       10.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       23.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       27.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       31.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       36.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       39.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       41.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       42.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       49.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       50.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       58.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       60.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       70.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       72.0.0.0/5           0.0.0.0/0
    0     0 logdrop    all  --  *      *       83.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       84.0.0.0/6           0.0.0.0/0
    0     0 logdrop    all  --  *      *       88.0.0.0/5           0.0.0.0/0
    0     0 logdrop    all  --  *      *       96.0.0.0/3           0.0.0.0/0
    0     0 logdrop    all  --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       197.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       198.18.0.0/15        0.0.0.0/0
    0     0 logdrop    all  --  *      *       201.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       240.0.0.0/4          0.0.0.0/0

Shorewall-1.4.5 NAT at - Mon Dec 22 13:42:32 UTC 2003

Chain PREROUTING (policy ACCEPT 5 packets, 1186 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      *       192.168.1.0/24       0.0.0.0

INTERFACES:
===============-==============-==============================================
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: dummy0: mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:a0:c9:68:18:28 brd ff:ff:ff:ff:ff:ff
    inet 12.213.227.185/24 brd 255.255.255.255 scope global eth0
4: eth1: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:d0:b7:75:e8:17 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1

ROUTES:
===============-==============-==============================================
12.213.227.0/24 dev eth0 proto kernel scope link src 12.213.227.185
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
default via 12.213.227.1 dev eth0
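
Added example, not part of the original post or of Shorewall: a small parser for the netfilter log lines quoted in the message, which reports for each entry the direction of travel (from the empty or set IN=/OUT= fields) and, for TCP, whether the packet opens a connection or answers one. The sample lines are copied from the post; the function names are this example's own.

```python
import re

# Log lines copied verbatim from the post above.
SAMPLE = [
    "Jan 1 00:00:00 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC= "
    "SRC=12.213.227.185 DST=192.43.244.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=TCP SPT=4083 DPT=37 SEQ=3441321937 ACK=0 WINDOW=5840 SYN URGP=0",
    "Dec 21 10:19:38 firewall Shorewall:logdrop:DROP: IN=eth0 OUT= "
    "MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=123.1.1.1 DST=12.213.227.185 "
    "LEN=783 TOS=00 PREC=0x00 TTL=112 ID=28872 PROTO=UDP SPT=14833 DPT=1026 LEN=763",
    "Dec 21 15:13:10 firewall Shorewall:net2all:DROP: IN=eth0 OUT= "
    "MAC=00:a0:c9:68:18:28:00:01:5c:22:5d:42:08:00 SRC=205.240.153.242 "
    "DST=12.213.227.185 LEN=60 TOS=00 PREC=0x00 TTL=49 ID=13109 DF PROTO=TCP "
    "SPT=1787 DPT=21 SEQ=3260295433 ACK=0 WINDOW=5840 SYN URGP=0",
    "Dec 20 15:41:06 firewall kernel: Shorewall:blacklst:DROP:IN=eth0 OUT=eth1 "
    "SRC=66.218.70.35 DST=192.168.1.99 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=2091 DF "
    "PROTO=TCP SPT=5001 DPT=10468 WINDOW=65535 RES=0x00 ACK SYN URGP=0",
]

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse(line):
    """Split one Shorewall LOG/ULOG line into fields plus a set of TCP flags."""
    m = PREFIX.search(line)
    if m is None:
        return None                     # not a packet log entry
    rec = {"chain": m["chain"], "action": m["action"], "flags": set()}
    # The LOG target writes "DROP:IN=eth0" with no space, so cut at the prefix end.
    for tok in line[m.end():].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec.setdefault(key, value)  # UDP lines repeat LEN; keep the IP-level one
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)       # bare token is a flag; "ACK=0" is the ack number
    return rec

def path(rec):
    """Direction relative to the firewall: empty IN= means locally generated,
    empty OUT= means addressed to the firewall itself, both set means routed."""
    has_in, has_out = bool(rec.get("IN")), bool(rec.get("OUT"))
    if has_in and has_out:
        return "forwarded"
    if has_in:
        return "to-firewall"
    return "from-firewall" if has_out else "unknown"

def tcp_role(rec):
    if rec.get("PROTO") != "TCP":
        return None
    if {"SYN", "ACK"} <= rec["flags"]:
        return "handshake-reply"        # answers a SYN sent earlier the other way
    return "connection-attempt" if "SYN" in rec["flags"] else "other"

def summarize(line):
    rec = parse(line)
    return (rec["chain"], rec["action"], path(rec), tcp_role(rec), rec.get("DPT"))

if __name__ == "__main__":
    for entry in SAMPLE:
        print(summarize(entry))
```
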