Hi

[EMAIL PROTECTED] wrote:
> Hi Erich
>
>> shorewall status _used_to_display_ the iptables with counters and active
>> connections. But you can use the iptables command just as well.
>
> Tried this one. But don't understand all the headers in it. I ran it 4 times.
> The first time just before I began to test the pings (test1).
> The second time just after I pinged from my local pc to my server in dmz
> (test2). This one failed of course.
> The third time just before I began to test the working ping (test3).
> The fourth time just after I pinged from my router to my server in dmz (test3).
> This succeeded.

Let me try to comment a few lines. Test1 is probably of not much importance, so I
skip it here. You can use shorewall reset to reset the counters ...

> Test2
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>    46 13550 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>  2444  164K eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
>     0     0 eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
>     0     0 tun_in     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
>     0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ULOG copy_range 0 nlgroup 1 prefix `Shorewall:INPUT:REJECT:' queue_threshold 1
>     0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Here it starts being interesting in your case: packets forwarded show up in the
FORWARD chain. Now I _believe_ your local network is on eth1, so eth1_fwd is the
one to look at.

> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    26 24385 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>    36  4607 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

We have only 36 packets to look at.

>     0     0 eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0

We would expect a number of packets here too, but none are visible :-(

>     0     0 tun_fwd    all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
>     0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>     0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ULOG copy_range 0 nlgroup 1 prefix `Shorewall:FORWARD:REJECT:' queue_threshold 1
>     0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> ...
>
> Chain eth1_fwd (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>    13   744 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
>    26  4007 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>    10   600 loc2dmz    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

OK, 10 packets from local to dmz; let's go to that chain....

>     0     0 loc2vpn    all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
>
> ....
>
> Chain loc2dmz (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>    10   600 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8

It looks like 10 icmp requests have been accepted. Now back to the FORWARD chain...

>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
> ....

If you reset the counters before testing it is easier to read. Try to minimize
all other traffic during your tests; it will become clear what is happening.

If you want us to understand your test, please note _exactly_ what test1, 2, 3 is.
Please conduct only one test at a time.

cheers
Erich

------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
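The walk Erich does by hand above (FORWARD, then the eth1_fwd rule with 36 packets, then the loc2dmz rule with 10, then the ACCEPT for icmp type 8) can be scripted against the text of iptables -L -v -n. The following is an added example, not code from the message, from LEAF or from Shorewall: it parses that output into chains and rules, then follows every rule with a non-zero packet counter from a starting chain into the user chains it jumps to, and reports where the packets ended up. SAMPLE_DUMP is constructed from the Test2 output quoted in the message (the chains the message elided, such as eth0_fwd and loc2net, are simply absent); the function and field names are mine.

```python
"""Follow non-zero iptables counters from a chain down to the verdict.

Added example, not code from the message or from Shorewall.  It parses the
text of `iptables -L -v -n` (the command the reply suggests) and descends from
a starting chain into every user chain whose rule has a non-zero packet count,
reproducing the by-hand walk FORWARD -> eth1_fwd -> loc2dmz -> ACCEPT icmp type 8.
SAMPLE_DUMP is constructed from the Test2 output quoted in the message."""
import re
from collections import namedtuple

SAMPLE_DUMP = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   26 24385 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   36  4607 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ULOG copy_range 0 nlgroup 1 prefix `Shorewall:FORWARD:REJECT:' queue_threshold 1
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
   13   744 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
   26  4007 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
   10   600 loc2dmz    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain loc2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   10   600 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}   # counters printed without -x
_CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
_OPT_RE = re.compile(r"^[-!][-f]$")                            # the "opt" column: --, -f, !f
VERDICTS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "ULOG", "NFLOG", "QUEUE",
            "NFQUEUE", "MASQUERADE", "SNAT", "DNAT", "REDIRECT"}

# One parsed rule line; target is "" for a rule with no -j (it only counts),
# extra is the match text after the fixed columns, e.g. "icmp type 8".
Rule = namedtuple("Rule", "pkts byte_count target prot opt in_if out_if source dest extra")


def parse_count(text):
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m: raise ValueError("not an iptables counter: %r" % text)
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_dump(text):
    """Return {chain name: [Rule, ...]} for the text printed by iptables -L -v -n."""
    chains, rules = {}, None
    for line in text.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            rules = chains[m.group(1)] = []
            continue
        tokens = line.split()
        if rules is None or len(tokens) < 8 or not tokens[0][0].isdigit():
            continue                     # blank line or the "pkts bytes ..." header
        # A rule with no -j target leaves that column empty, so the opt column
        # ("--") arrives one token early.
        if _OPT_RE.match(tokens[3]):
            target, rest = "", tokens[2:]
        else:
            target, rest = tokens[2], tokens[3:]
        rules.append(Rule(parse_count(tokens[0]), parse_count(tokens[1]), target,
                          *rest[:6], " ".join(rest[6:])))
    return chains


def trace(chains, start="FORWARD", _path=()):
    """All rules with pkts > 0 reachable from `start`, as (path, rule) pairs.

    A target that is a chain in the dump is descended into; a verdict, or a
    chain the dump does not contain, ends the walk and is reported as a leaf."""
    path = _path + (start,)
    hits = []
    for rule in chains[start]:
        if rule.pkts == 0:
            continue
        if rule.target in chains and rule.target not in path:
            hits.extend(trace(chains, rule.target, path))
        else:
            hits.append((path, rule))
    return hits


def render(chains, hits):
    """One line per hit: the chain path, the packet count and the rule matched."""
    out = []
    for path, rule in hits:
        what = rule.target or "(no target)"
        if rule.target and rule.target not in VERDICTS and rule.target not in chains:
            what += " (chain not in dump)"
        match = " ".join(x for x in (rule.prot, rule.in_if, rule.out_if,
                                     rule.source, rule.dest, rule.extra) if x)
        out.append("%s: %d pkts -> %s  [%s]" % (" > ".join(path), rule.pkts, what, match))
    return out


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    chains = parse_dump(text)
    print("\n".join(render(chains, trace(chains, sys.argv[2] if len(sys.argv) > 2 else "FORWARD"))))
```

On the firewall the procedure Erich describes becomes: shorewall reset, send a single ping, then iptables -L -v -n -x > dump.txt and run the script on dump.txt (the -x makes iptables print exact counters instead of 164K). Two things to keep in mind when reading the output: a chain like dynamic returns to its caller, so the packets it counts are counted again by the loc2net or loc2dmz rule that follows it, and a chain that was cut out of the dump (eth0_fwd and loc2net here) ends the walk and is flagged rather than followed.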