Tom Eastep <[EMAIL PROTECTED]> wrote:
| mess-mate wrote:
| > Tom Eastep <[EMAIL PROTECTED]> wrote:
| > | mess-mate wrote:
| > ...snip...
| But 'loc' is eth1! are you trying to browse from the DMZ? You have only set
up DNAT from the 'loc' zone (eth1).
No problem accessing loc from dmz.
| > Trying both http://86.192.32.248 and http://www.mywebsite.fr from a
| > desktop behind the firewall/router give me 'Connection to
| > 86.192.32.248 Failed'
| >
| > | > Shorewall-3.2.6 Dump at router - Mon Mar 26 11:00:29 CEST 2007
| > |
| > | > Counters reset Sat Mar 24 17:15:49 CET 2007
| > | > Chain loc2dmz (1 references)
| > | > pkts bytes target prot opt in out source
destination
| > | > 0 0 ACCEPT 0 -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
| > | > 0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22
| > | > 0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
| > | > 0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.20.1 tcp dpt:80 ctorigdst 86.192.32.248
| > |
| > | When you try to browse http://86.192.32.248/, you should see the 'pkts'
and
| > | 'bytes' counts above incrementing.
| >
| > Didn't change.
|
| Then are you seeing a reject message in your log?
Several of this :
Mar 27 10:13:46 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=
63 ID=0 DF PROTO=UDP SPT=1107 DPT=53 LEN=38
and this :
tcp 6 114 TIME_WAIT src=192.168.10.2 dst=80.12.242.5 sport=4970
dport=110 packets=6 bytes=326 src=80.12.242.
5 dst=86.192.32.248 sport=110 dport=4970 packets=6 bytes=374
[ASSURED] mark=0 use=1
udp 17 23 src=192.168.10.2 dst=80.10.246.2 sport=1222 dport=53
packets=1 bytes=84 src=80.10.246.2 dst=86.192
.32.248 sport=53 dport=1222 packets=1 bytes=137 mark=0 use=1
tcp 6 5 CLOSE src=192.168.10.2 dst=70.42.39.14 sport=3394
dport=2703 packets=7 bytes=506 src=70.42.39.14 dst
=86.192.32.248 sport=2703 dport=3394 packets=6 bytes=396 [ASSURED]
mark=0 use=1
udp 17 154 src=192.168.10.2 dst=80.10.246.2 sport=1190 dport=53
packets=2 bytes=132 src=80.10.246.2 dst=86.1
92.32.248 sport=53 dport=1190 packets=2 bytes=164 [ASSURED] mark=0
use=1
|
| Ok -- so to make sure that I understand -- the rule in 'loc_dnat' increments
but the one in loc2dmz does not?
| That doesn't make much sense unless something is broken in your system.
192.168.20.1 is in the DMZ
Yes, it is.
|
| Please:
|
| a) shorewall reset (this clears the counters).
| b) start a browser (don't use one that is already running) and try to connect
to http://86.192.32.248.
| c) shorewall dump > dump.txt
|
| Forward the 'dump.txt' file.
|
Ok, is attached .
Thanks
mess-mate
--
Shorewall-3.2.6 Dump at router - Tue Mar 27 10:56:22 CEST 2007
Counters reset Tue Mar 27 10:54:37 CEST 2007
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 300 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
1 131 ppp0_in 0 -- ppp0 * 0.0.0.0/0 0.0.0.0/0
5 720 eth1_in 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 eth2_in 0 -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 eth0_in 0 -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 4 prefix `Shorewall:INPUT:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 ppp0_fwd 0 -- ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 eth1_fwd 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 eth2_fwd 0 -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 eth0_fwd 0 -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 4 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 300 ACCEPT 0 -- * lo 0.0.0.0/0 0.0.0.0/0
1 68 fw2net 0 -- * ppp0 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
5 1690 fw2loc 0 -- * eth1 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
0 0 fw2dmz 0 -- * eth2 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
0 0 fw2modem 0 -- * eth0 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
0 0 Reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain Drop (1 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
0 0 dropBcast 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11
0 0 dropInvalid 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
0 0 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53
Chain Reject (9 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
0 0 dropBcast 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11
0 0 dropInvalid 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
0 0 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53
Chain all2all (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 Reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 4 prefix `Shorewall:all2all:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain dmz2all (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 Reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:dmz2all:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain dmz2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain dmz2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 Reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:dmz2loc:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain dmz2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = broadcast
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:!0x17/0x02
Chain dynamic (8 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic 0 -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 all2all 0 -- * ppp0 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
0 0 all2all 0 -- * eth1 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
0 0 all2all 0 -- * eth2 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic 0 -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 all2all 0 -- * * 0.0.0.0/0 0.0.0.0/0
policy match dir in pol none
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic 0 -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 loc2net 0 -- * ppp0 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
0 0 loc2dmz 0 -- * eth2 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
0 0 loc2modem 0 -- * eth0 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
1 60 dynamic 0 -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
5 720 loc2fw 0 -- * * 0.0.0.0/0 0.0.0.0/0
policy match dir in pol none
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic 0 -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 dmz2net 0 -- * ppp0 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
0 0 dmz2loc 0 -- * eth1 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
0 0 dmz2all 0 -- * eth0 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
Chain eth2_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic 0 -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 dmz2fw 0 -- * * 0.0.0.0/0 0.0.0.0/0
policy match dir in pol none
Chain fw2all (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 Reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:fw2all:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2dmz (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
5 1690 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2modem (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80
0 0 fw2all 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
1 68 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2all (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 Reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:loc2all:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2dmz (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.20.1 tcp dpt:80 ctorigdst 86.192.32.248
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
4 660 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:3128
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2modem (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80
0 0 loc2all 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:logreject:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 Drop 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 4 prefix `Shorewall:net2all:DROP:'
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2dmz (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.20.1 tcp dpt:80 ctorigdst 86.192.32.248
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.20.1 tcp dpt:443 ctorigdst 86.192.32.248
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.20.1 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.20.1 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.20.1 tcp dpt:25
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
1 131 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 reject icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 Reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:net2loc:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain ppp0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic 0 -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 net2loc 0 -- * eth1 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
0 0 net2dmz 0 -- * eth2 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
0 0 net2all 0 -- * eth0 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
Chain ppp0_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic 0 -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
1 131 net2fw 0 -- * * 0.0.0.0/0 0.0.0.0/0
policy match dir in pol none
Chain reject (19 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP 0 -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = broadcast
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
0 0 DROP 0 -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP 0 -- * * 224.0.0.0/4 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-unreachable
0 0 REJECT 0 -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 192.168.1.255 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP 0 -- * * 192.168.1.255 0.0.0.0/0
0 0 LOG 0 -- * * 255.255.255.255 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP 0 -- * * 255.255.255.255 0.0.0.0/0
0 0 LOG 0 -- * * 224.0.0.0/4 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP 0 -- * * 224.0.0.0/4 0.0.0.0/0
Log (/var/log/messages)
Mar 27 08:49:45 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=8837 DF PROTO=UDP
SPT=1102 DPT=53 LEN=38
Mar 27 08:49:45 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=8852 DF PROTO=UDP
SPT=1102 DPT=53 LEN=38
Mar 27 08:49:45 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=63 TOS=0x00 PREC=0x00 TTL=63 ID=8867 DF PROTO=UDP
SPT=1103 DPT=53 LEN=43
Mar 27 08:49:45 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=63 TOS=0x00 PREC=0x00 TTL=63 ID=8881 DF PROTO=UDP
SPT=1103 DPT=53 LEN=43
Mar 27 08:51:19 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1104
DPT=53 LEN=38
Mar 27 08:51:20 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1104
DPT=53 LEN=38
Mar 27 08:51:24 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1104
DPT=53 LEN=38
Mar 27 08:51:29 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1104
DPT=53 LEN=38
Mar 27 08:59:17 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1105
DPT=53 LEN=38
Mar 27 08:59:18 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1105
DPT=53 LEN=38
Mar 27 08:59:21 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1105
DPT=53 LEN=38
Mar 27 08:59:26 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1105
DPT=53 LEN=38
Mar 27 09:27:09 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1106
DPT=53 LEN=38
Mar 27 09:27:10 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1106
DPT=53 LEN=38
Mar 27 09:27:14 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1106
DPT=53 LEN=38
Mar 27 09:27:18 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1106
DPT=53 LEN=38
Mar 27 10:13:37 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1107
DPT=53 LEN=38
Mar 27 10:13:38 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1107
DPT=53 LEN=38
Mar 27 10:13:42 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1107
DPT=53 LEN=38
Mar 27 10:13:46 loc2all:REJECT:IN=eth1 OUT=eth0 SRC=192.168.10.4
DST=192.168.1.250 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1107
DPT=53 LEN=38
NAT Table
Chain PREROUTING (policy ACCEPT 66 packets, 20745 bytes)
pkts bytes target prot opt in out source destination
0 0 net_dnat 0 -- ppp0 * 0.0.0.0/0 0.0.0.0/0
policy match dir in pol none
66 20745 loc_dnat 0 -- eth1 * 0.0.0.0/0 0.0.0.0/0
policy match dir in pol none
Chain POSTROUTING (policy ACCEPT 4 packets, 248 bytes)
pkts bytes target prot opt in out source destination
1 68 ppp0_masq 0 -- * ppp0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 4 packets, 248 bytes)
pkts bytes target prot opt in out source destination
Chain loc_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0
86.192.32.248 tcp dpt:80 to:192.168.20.1
0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80 redir ports 3128
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0
86.192.32.248 tcp dpt:80 to:192.168.20.1
0 0 DNAT tcp -- * * 0.0.0.0/0
86.192.32.248 tcp dpt:443 to:192.168.20.1
Chain ppp0_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE 0 -- * * 192.168.10.0/24 0.0.0.0/0
policy match dir out pol none
0 0 MASQUERADE 0 -- * * 192.168.20.0/24 0.0.0.0/0
policy match dir out pol none
0 0 MASQUERADE 0 -- * * 192.168.1.0/24 0.0.0.0/0
policy match dir out pol none
Mangle Table
Chain PREROUTING (policy ACCEPT 77 packets, 21836 bytes)
pkts bytes target prot opt in out source destination
77 21836 tcpre 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 12 packets, 1151 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 tcfor 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 12 packets, 2058 bytes)
pkts bytes target prot opt in out source destination
12 2058 tcout 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 12 packets, 2058 bytes)
pkts bytes target prot opt in out source destination
12 2058 tcpost 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
Chain tcout (1 references)
pkts bytes target prot opt in out source destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
Chain tcpre (1 references)
pkts bytes target prot opt in out source destination
Conntrack Table
tcp 6 255447 ESTABLISHED src=192.168.10.4 dst=87.248.165.105 sport=4614
dport=22700 packets=20 bytes=1249 src=87.248.165.105 dst=86.192.32.248
sport=22700 dport=4614 packets=28 bytes=1839 [ASSURED] mark=0 use=1
tcp 6 255671 ESTABLISHED src=192.168.10.4 dst=86.69.159.53 sport=2078
dport=13604 packets=17 bytes=1206 src=86.69.159.53 dst=86.192.32.248
sport=13604 dport=2078 packets=19 bytes=1460 [ASSURED] mark=0 use=1
tcp 6 431009 ESTABLISHED src=192.168.10.2 dst=192.168.1.1 sport=2269
dport=22 packets=2428 bytes=185993 src=192.168.1.1 dst=192.168.10.2 sport=22
dport=2269 packets=1282 bytes=322967 [ASSURED] mark=0 use=1
udp 17 23 src=86.192.32.248 dst=80.10.246.1 sport=1029 dport=53 packets=1
bytes=68 src=80.10.246.1 dst=86.192.32.248 sport=53 dport=1029 packets=1
bytes=131 mark=0 use=1
tcp 6 66 TIME_WAIT src=192.168.10.2 dst=192.168.1.1 sport=2756 dport=3128
packets=5 bytes=720 src=192.168.1.1 dst=192.168.10.2 sport=3128 dport=2756
packets=5 bytes=1690 [ASSURED] mark=0 use=1
tcp 6 370688 ESTABLISHED src=192.168.10.4 dst=69.140.123.246 sport=4793
dport=44623 packets=582 bytes=38736 src=69.140.123.246 dst=86.192.32.248
sport=44623 dport=4793 packets=600 bytes=57254 [ASSURED] mark=0 use=1
IP Configuration
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:04:76:12:3e:75 brd ff:ff:ff:ff:ff:ff
inet 192.168.20.254/24 brd 192.168.20.255 scope global eth2
inet6 fe80::204:76ff:fe12:3e75/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:e0:29:3c:34:bd brd ff:ff:ff:ff:ff:ff
inet 192.168.10.254/24 brd 192.168.10.255 scope global eth1
inet6 fe80::2e0:29ff:fe3c:34bd/64 scope link
valid_lft forever preferred_lft forever
4: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:80:c8:ec:92:b5 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
inet6 fe80::280:c8ff:feec:92b5/64 scope link
valid_lft forever preferred_lft forever
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1492 qdisc pfifo_fast qlen 3
link/ppp
inet 86.192.32.248 peer 193.253.160.3/32 scope global ppp0
IP Stats
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
67640 407 0 0 0 0
TX: bytes packets errors dropped carrier collsns
67640 407 0 0 0 0
2: eth2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:04:76:12:3e:75 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
6314850 13490 0 0 0 0
TX: bytes packets errors dropped carrier collsns
18148090 17782 0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:e0:29:3c:34:bd brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
290029766 1564365 1 0 0 0
TX: bytes packets errors dropped carrier collsns
338341536 1327650 0 0 0 8820
4: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:80:c8:ec:92:b5 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
361554375 1390290 0 0 0 0
TX: bytes packets errors dropped carrier collsns
210661996 1327112 0 0 0 0
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1492 qdisc pfifo_fast qlen 3
link/ppp
RX: bytes packets errors dropped overrun mcast
237009916 1089626 0 0 0 0
TX: bytes packets errors dropped carrier collsns
158198824 1059527 0 0 0 0
/proc
/proc/version = Linux version 2.6.20.1 ([EMAIL PROTECTED]) (gcc version
4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 PREEMPT Thu Feb 22 18:29:25
CET 2007
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 1
/proc/sys/net/ipv4/conf/default/log_martians = 0
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/log_martians = 0
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
/proc/sys/net/ipv4/conf/eth1/log_martians = 0
/proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth2/arp_filter = 0
/proc/sys/net/ipv4/conf/eth2/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth2/rp_filter = 0
/proc/sys/net/ipv4/conf/eth2/log_martians = 0
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 0
/proc/sys/net/ipv4/conf/ppp0/proxy_arp = 0
/proc/sys/net/ipv4/conf/ppp0/arp_filter = 0
/proc/sys/net/ipv4/conf/ppp0/arp_ignore = 0
/proc/sys/net/ipv4/conf/ppp0/rp_filter = 0
/proc/sys/net/ipv4/conf/ppp0/log_martians = 0
Routing Rules
0: from all lookup 255
32766: from all lookup main
32767: from all lookup default
Table 255:
local 192.168.1.1 dev eth0 proto kernel scope host src 192.168.1.1
local 86.192.32.248 dev ppp0 proto kernel scope host src 86.192.32.248
broadcast 192.168.1.0 dev eth0 proto kernel scope link src 192.168.1.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.10.254 dev eth1 proto kernel scope host src 192.168.10.254
broadcast 192.168.10.255 dev eth1 proto kernel scope link src 192.168.10.254
broadcast 192.168.20.255 dev eth2 proto kernel scope link src 192.168.20.254
local 192.168.20.254 dev eth2 proto kernel scope host src 192.168.20.254
broadcast 192.168.1.255 dev eth0 proto kernel scope link src 192.168.1.1
broadcast 192.168.10.0 dev eth1 proto kernel scope link src 192.168.10.254
broadcast 192.168.20.0 dev eth2 proto kernel scope link src 192.168.20.254
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table default:
Table main:
193.253.160.3 dev ppp0 proto kernel scope link src 86.192.32.248
192.168.20.0/24 dev eth2 proto kernel scope link src 192.168.20.254
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.254
default dev ppp0 scope link
ARP
? (192.168.1.254) at 00:0E:50:AA:B5:8A [ether] on eth0
? (192.168.10.4) at 00:13:46:E8:55:83 [ether] on eth1
? (192.168.10.2) at 00:80:C8:EC:94:29 [ether] on eth1
Modules
iptable_raw 1920 0
ipt_ULOG 8036 0
ipt_TTL 2272 0
ipt_ttl 1792 0
ipt_TOS 2144 0
ipt_tos 1536 0
ipt_SAME 2208 0
ipt_REJECT 4480 4
ipt_REDIRECT 2272 1
ipt_recent 9560 0
ipt_owner 1888 0
ipt_NETMAP 1888 0
ipt_MASQUERADE 3552 3
ipt_LOG 6688 15
ipt_iprange 1728 0
ipt_ECN 2912 0
ipt_ecn 2176 0
ipt_CLUSTERIP 8772 0
ipt_ah 1856 0
ipt_addrtype 1760 0
iptable_nat 7396 1
ipt_TCPMSS 3872 1
iptable_mangle 2720 1
iptable_filter 2880 1
ip_tables 12552 4
iptable_raw,iptable_nat,iptable_mangle,iptable_filter
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Not available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Available
MARK Target: Available
Extended MARK Target: Available
Mangle FORWARD Chain: Available
Traffic Control
Device eth2:
qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 18135196 bytes 17782 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
Device eth1:
qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 338174598 bytes 1327650 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
Device eth0:
qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 210661996 bytes 1327112 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
Device ppp0:
qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 158198770 bytes 1059524 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
TC Filters
Device eth2:
Device eth1:
Device eth0:
Device ppp0:
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
