Hi Erich
>If you reset the counters before testing it is easier to read.
>Try to minimize all other traffic durng your tests, it will become clear
>what is happening
>
>If you want us to understand your test, please note _exactly_ what
>test1,2,3 is. Please conduct only one test at a time.
I tried to folow your advice:
So i did a shorwall reset.
Than I did a ping from my local pc (located in loc, etc1) to my server (in DMZ
eth2)
Pingen naar 192.168.3.2 met 32 byte gegevens:
Time-out bij opdracht.
Time-out bij opdracht.
Time-out bij opdracht.
Time-out bij opdracht.
Ping-statistieken voor 192.168.3.2:
Pakketten: verzonden = 4, ontvangen = 0, verloren = 4
(100% verlies).
And than I made as fast as I could: iptables -nvL > tst1.txt
The result is tst1.txt:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 485 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
91 6042 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 eth2_in all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 tun_in all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:INPUT:REJECT:'
queue_threshold 1
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
4 240 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 eth2_fwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 tun_fwd all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:FORWARD:REJECT:'
queue_threshold 1
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 ACCEPT udp -- * eth1 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 ACCEPT udp -- * eth2 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
51 4208 fw2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 fw2dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:OUTPUT:REJECT:'
queue_threshold 1
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Drop (1 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
1 485 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11
1 485 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
0 0 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53
Chain Reject (4 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
3 234 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11
0 0 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
0 0 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53
Chain all2all (11 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
3 234 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:all2all:REJECT:'
queue_threshold 1
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dmz2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dmz2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
3 234 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:!0x17/0x02
Chain dynamic (8 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
0 0 net2all all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 net2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 net2dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
1 485 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
1 485 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
1 485 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
4 240 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 loc2vpn all -- * tun+ 0.0.0.0/0 0.0.0.0/0
4 240 loc2dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
3 234 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
91 6042 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 all2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 dmz2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
Chain eth2_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 dmz2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2dmz (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
51 4208 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:1194
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2dmz (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
4 240 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.3.2
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.3.2
tcp dpt:443
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
88 5808 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:443
3 234 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2vpn (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:logreject:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
1 485 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
1 485 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:net2all:DROP:'
queue_threshold 1
1 485 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2dmz (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.3.2
tcp spt:8080 dpt:80
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1194
1 485 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain norfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 rfc1918 all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 rfc1918 all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 rfc1918 all -- * * 10.0.0.0/8 0.0.0.0/0
Chain reject (11 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain rfc1918 (3 references)
pkts bytes target prot opt in out source destination
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:rfc1918:DROP:'
queue_threshold 1
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 ULOG all -- * * 213.118.207.255 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:'
queue_threshold 1
0 0 DROP all -- * * 213.118.207.255 0.0.0.0/0
0 0 ULOG all -- * * 192.168.1.255 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:'
queue_threshold 1
0 0 DROP all -- * * 192.168.1.255 0.0.0.0/0
0 0 ULOG all -- * * 192.168.3.255 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:'
queue_threshold 1
0 0 DROP all -- * * 192.168.3.255 0.0.0.0/0
0 0 ULOG all -- * * 255.255.255.255 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:'
queue_threshold 1
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 ULOG all -- * * 224.0.0.0/4 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:'
queue_threshold 1
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
Chain tun_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 all2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 vpn2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * eth2 0.0.0.0/0 0.0.0.0/0
Chain tun_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 vpn2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:443
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
The second thing I did (to see how the packets should look like when a ping
works, and if the server is replying.)
Shorewall reset
ping from my router to my server in dmz:
RouterJan# ping 192.168.3.2
PING 192.168.3.2 (192.168.3.2): 56 data bytes
64 bytes from 192.168.3.2: icmp_seq=0 ttl=64 time=1.7 ms
64 bytes from 192.168.3.2: icmp_seq=1 ttl=64 time=1.3 ms
64 bytes from 192.168.3.2: icmp_seq=2 ttl=64 time=0.2 ms
64 bytes from 192.168.3.2: icmp_seq=3 ttl=64 time=1.3 ms
--- 192.168.3.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.2/1.1/1.7 ms
And then as fast as I could do it: iptables -nvL > tst2.txt
The result is tst2.txt:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
84 5252 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
4 336 eth2_in all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 tun_in all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:INPUT:REJECT:'
queue_threshold 1
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 eth2_fwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 tun_fwd all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:FORWARD:REJECT:'
queue_threshold 1
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 ACCEPT udp -- * eth1 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 ACCEPT udp -- * eth2 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
51 4732 fw2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
4 336 fw2dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:OUTPUT:REJECT:'
queue_threshold 1
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Drop (1 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
0 0 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11
0 0 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
0 0 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53
Chain Reject (4 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
0 0 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11
0 0 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
0 0 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53
Chain all2all (11 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:all2all:REJECT:'
queue_threshold 1
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dmz2fw (1 references)
pkts bytes target prot opt in out source destination
4 336 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dmz2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:!0x17/0x02
Chain dynamic (8 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
0 0 net2all all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 net2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 net2dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
0 0 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 loc2vpn all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 loc2dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
84 5252 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 all2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 dmz2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
Chain eth2_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
4 336 dmz2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2dmz (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
4 336 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
51 4732 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:1194
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2dmz (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.3.2
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.3.2
tcp dpt:443
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
84 5252 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:443
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2vpn (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:logreject:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:net2all:DROP:'
queue_threshold 1
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2dmz (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.3.2
tcp spt:8080 dpt:80
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1194
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain norfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 rfc1918 all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 rfc1918 all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 rfc1918 all -- * * 10.0.0.0/8 0.0.0.0/0
Chain reject (11 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain rfc1918 (3 references)
pkts bytes target prot opt in out source destination
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:rfc1918:DROP:'
queue_threshold 1
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 ULOG all -- * * 213.118.207.255 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:'
queue_threshold 1
0 0 DROP all -- * * 213.118.207.255 0.0.0.0/0
0 0 ULOG all -- * * 192.168.1.255 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:'
queue_threshold 1
0 0 DROP all -- * * 192.168.1.255 0.0.0.0/0
0 0 ULOG all -- * * 192.168.3.255 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:'
queue_threshold 1
0 0 DROP all -- * * 192.168.3.255 0.0.0.0/0
0 0 ULOG all -- * * 255.255.255.255 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:'
queue_threshold 1
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 ULOG all -- * * 224.0.0.0/4 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:'
queue_threshold 1
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
Chain tun_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 all2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 vpn2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * eth2 0.0.0.0/0 0.0.0.0/0
Chain tun_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 vpn2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:443
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
My conclusion is that my router forwards the packets to my server. And my
server is capable of replying a ping packet (see tst2). But for some reason he
doesn't reply a packet from my loc zone. Because I don't see a packet returning
on eth2. There is no sign of a packet entering eth2 (dmz).
I think my router is routing packets between loc and dmz. (chain from loc2dmz)
My server can respond to ping. And firewall isn't blocking packets from dmz to
loc. Why aren't there packet's entering my eth2 heading for my laptop? :o)
The situation is somewhat a blur for me.
Thanks for your help and patience sofare.
Jan
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
