Hi all,
I finally got my IPSec tunnel from my Fedora firewall system (running
Shorewall 4.0.6) to a remote Draytek Router up-and-running, but I'm having
difficulties directing traffic through the tunnel. From the output of
"racoon -F -f racoon.conf" and the connection status page of the Draytek I
can tell the tunnel is UP, but ping and traceroute requests to several hosts
from and to both directions fail and also tcpdump reveals no traffic going
through. Maybe that's because of my limited knowledge of tcpdump or because
of some missing routing entries (or both), but I sure could use someone
helping me in the right direction.
SHOREWALL SHOW output is attached; IP ADDR SHOW and IP ROUTE SHOW output
are:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:18:30:53:1c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.254/24 brd 192.168.0.255 scope global eth2
    inet6 fe80::210:18ff:fe30:531c/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:19:b9:f2:f9:62 brd ff:ff:ff:ff:ff:ff
    inet 192.168.6.254/24 brd 192.168.6.255 scope global eth1
    inet6 fe80::219:b9ff:fef2:f962/64 scope link
       valid_lft forever preferred_lft forever
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:19:b9:f2:f9:60 brd ff:ff:ff:ff:ff:ff
    inet 212.115.197.253/29 brd 212.115.197.255 scope global eth0
    inet6 fe80::219:b9ff:fef2:f960/64 scope link
       valid_lft forever preferred_lft forever

212.115.197.248/29 dev eth0 proto kernel scope link src 212.115.197.253
192.168.6.0/24 dev eth1 proto kernel scope link src 192.168.6.254
192.168.21.0/24 dev eth0 scope link
192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.254
169.254.0.0/16 dev eth2 scope link
default via 212.115.197.254 dev eth0
TIA
Wouter
Shorewall 4.0.6 filter Table at omilia.zesgoes.local - Mon Jul 7 12:28:02 CEST 2008
Counters reset Mon Jul 7 11:05:49 CEST 2008
Chain INPUT (policy DROP 2 packets, 156 bytes)
pkts bytes target prot opt in out source destination
120 10946 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3121 3035K eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
1886 370K eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
15664 1537K eth2_in all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 ipsec0_in all -- ipsec0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
6 468 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
6 468 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
6 468 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
80687 40M eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
775K 676M eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
509K 215M eth2_fwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 ipsec0_fwd all -- ipsec0 * 0.0.0.0/0 0.0.0.0/0
1 60 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
120 10946 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
2660 460K eth0_out all -- * eth0 0.0.0.0/0 0.0.0.0/0
2960 2861K eth1_out all -- * eth1 0.0.0.0/0 0.0.0.0/0
2496 1037K eth2_out all -- * eth2 0.0.0.0/0 0.0.0.0/0
0 0 ipsec0_out all -- * ipsec0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Drop (1 references)
pkts bytes target prot opt in out source destination
3 180 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
86 10498 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11
77 6763 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
10 540 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53
Chain Reject (4 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
348 303K dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11
348 303K dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
197 287K dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53
Chain all2all (8 references)
pkts bytes target prot opt in out source destination
5114 3596K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
342 302K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
151 15894 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
151 15894 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = broadcast
9 3735 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
38 3817 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
193 287K DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:!0x17/0x02
Chain dynamic (8 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
1810 94480 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 inet2all all -- * ipsec0 0.0.0.0/0 10.0.0.0/24
policy match dir out pol ipsec mode tunnel
0 0 inet2all all -- * ipsec0 0.0.0.0/0
192.168.21.0/24 policy match dir out pol ipsec mode tunnel
80679 40M inet2loc6 all -- * eth1 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
7 5676 inet2all all -- * eth2 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
153 22830 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
3115 3034K inet2fw all -- * * 0.0.0.0/0 0.0.0.0/0
policy match dir in pol none
Chain eth0_out (1 references)
pkts bytes target prot opt in out source destination
2660 460K fw2inet all -- * * 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
3878 262K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 loc62vpn1 all -- * ipsec0 0.0.0.0/0 10.0.0.0/24
policy match dir out pol ipsec mode tunnel
0 0 loc62vpn21 all -- * ipsec0 0.0.0.0/0
192.168.21.0/24 policy match dir out pol ipsec mode tunnel
94711 72M loc62inet all -- * eth0 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
681K 604M loc62loc7 all -- * eth2 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
130 10360 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
1886 370K loc62fw all -- * * 0.0.0.0/0 0.0.0.0/0
policy match dir in pol none
Chain eth1_out (1 references)
pkts bytes target prot opt in out source destination
2960 2861K all2all all -- * * 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
3353 170K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 loc72vpn1 all -- * ipsec0 0.0.0.0/0 10.0.0.0/24
policy match dir out pol ipsec mode tunnel
0 0 loc72vpn21 all -- * ipsec0 0.0.0.0/0
192.168.21.0/24 policy match dir out pol ipsec mode tunnel
10 1608 loc72inet all -- * eth0 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
509K 215M loc72loc6 all -- * eth1 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
Chain eth2_in (1 references)
pkts bytes target prot opt in out source destination
13538 1351K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
15664 1537K loc72fw all -- * * 0.0.0.0/0 0.0.0.0/0
policy match dir in pol none
Chain eth2_out (1 references)
pkts bytes target prot opt in out source destination
2496 1037K all2all all -- * * 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
Chain fw2inet (1 references)
pkts bytes target prot opt in out source destination
2429 442K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
120 7200 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80
0 0 ACCEPT esp -- * * 0.0.0.0/0
86.82.197.197
0 0 ACCEPT udp -- * * 0.0.0.0/0
86.82.197.197 udp dpt:500 state NEW
0 0 ACCEPT esp -- * * 0.0.0.0/0 92.64.158.73
0 0 ACCEPT udp -- * * 0.0.0.0/0
92.64.158.73 udp dpt:500 state NEW
0 0 ACCEPT esp -- * * 0.0.0.0/0
82.176.160.188
0 0 ACCEPT udp -- * * 0.0.0.0/0
82.176.160.188 udp dpt:500 state NEW
111 11252 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2vpn1 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain inet2all (5 references)
pkts bytes target prot opt in out source destination
7 5676 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
89 10678 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
37 2842 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:inet2all:DROP:'
37 2842 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain inet2fw (1 references)
pkts bytes target prot opt in out source destination
2968 3012K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT esp -- * * 86.82.197.197 0.0.0.0/0
0 0 ACCEPT udp -- * * 86.82.197.197 0.0.0.0/0
udp dpt:500 state NEW
15 1880 ACCEPT esp -- * * 92.64.158.73 0.0.0.0/0
43 9804 ACCEPT udp -- * * 92.64.158.73 0.0.0.0/0
udp dpt:500 state NEW
0 0 ACCEPT esp -- * * 82.176.160.188 0.0.0.0/0
0 0 ACCEPT udp -- * * 82.176.160.188 0.0.0.0/0
udp dpt:500 state NEW
89 10678 inet2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain inet2loc6 (1 references)
pkts bytes target prot opt in out source destination
78869 40M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
784 41968 ACCEPT tcp -- * * 0.0.0.0/0 192.168.6.1
tcp dpt:25
614 29712 ACCEPT tcp -- * * 0.0.0.0/0 192.168.6.1
tcp dpt:143
412 22800 ACCEPT tcp -- * * 0.0.0.0/0 192.168.6.1
tcp dpt:110
0 0 inet2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ipsec0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 vpn1_frwd all -- * * 10.0.0.0/24 0.0.0.0/0
policy match dir in pol ipsec mode tunnel
0 0 vpn21_frwd all -- * * 192.168.21.0/24 0.0.0.0/0
policy match dir in pol ipsec mode tunnel
Chain ipsec0_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 vpn12fw all -- * * 10.0.0.0/24 0.0.0.0/0
policy match dir in pol ipsec mode tunnel
0 0 vpn212fw all -- * * 192.168.21.0/24 0.0.0.0/0
policy match dir in pol ipsec mode tunnel
Chain ipsec0_out (1 references)
pkts bytes target prot opt in out source destination
0 0 fw2vpn1 all -- * * 0.0.0.0/0 10.0.0.0/24
policy match dir out pol ipsec mode tunnel
0 0 all2all all -- * * 0.0.0.0/0
192.168.21.0/24 policy match dir out pol ipsec mode tunnel
Chain loc62fw (1 references)
pkts bytes target prot opt in out source destination
1756 360K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
103 5428 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:3128
27 4932 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc62inet (1 references)
pkts bytes target prot opt in out source destination
93861 72M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
850 55764 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc62loc7 (1 references)
pkts bytes target prot opt in out source destination
678K 604M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
3028 206K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc62vpn1 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc62vpn21 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc72fw (1 references)
pkts bytes target prot opt in out source destination
2126 187K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
31 1500 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:3128
13507 1349K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc72inet (1 references)
pkts bytes target prot opt in out source destination
9 1560 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
1 48 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc72loc6 (1 references)
pkts bytes target prot opt in out source destination
506K 215M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
3352 170K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc72vpn1 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc72vpn21 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:logreject:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
0 0 DROP all -- * * 212.115.197.247 0.0.0.0/0
0 0 DROP all -- * * 192.168.6.255 0.0.0.0/0
0 0 DROP all -- * * 192.168.0.255 0.0.0.0/0
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
9 540 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
144 15754 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-unreachable
7 248 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 212.115.197.247 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 212.115.197.247 0.0.0.0/0
0 0 LOG all -- * * 192.168.6.255 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 192.168.6.255 0.0.0.0/0
0 0 LOG all -- * * 192.168.0.255 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 192.168.0.255 0.0.0.0/0
0 0 LOG all -- * * 255.255.255.255 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 LOG all -- * * 224.0.0.0/4 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
Chain vpn12fw (1 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 tcpmss match 1440:65535 TCPMSS set 1440
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn12inet (1 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 tcpmss match 1440:65535 TCPMSS set 1440
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn12loc6 (1 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 tcpmss match 1440:65535 TCPMSS set 1440
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn12loc7 (1 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 tcpmss match 1440:65535 TCPMSS set 1440
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn12vpn1 (0 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 tcpmss match 1440:65535 TCPMSS set 1440
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn12vpn21 (1 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 tcpmss match 1440:65535 TCPMSS set 1440
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn1_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 vpn12vpn21 all -- * ipsec0 0.0.0.0/0
192.168.21.0/24 policy match dir out pol ipsec mode tunnel
0 0 vpn12inet all -- * eth0 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
0 0 vpn12loc6 all -- * eth1 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
0 0 vpn12loc7 all -- * eth2 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
Chain vpn212fw (1 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 tcpmss match 1440:65535 TCPMSS set 1440
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn212inet (1 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 tcpmss match 1440:65535 TCPMSS set 1440
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn212loc6 (1 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 tcpmss match 1440:65535 TCPMSS set 1440
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn212loc7 (1 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 tcpmss match 1440:65535 TCPMSS set 1440
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn212vpn1 (1 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 tcpmss match 1440:65535 TCPMSS set 1440
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn212vpn21 (0 references)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 tcpmss match 1440:65535 TCPMSS set 1440
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn21_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 vpn212vpn1 all -- * ipsec0 0.0.0.0/0
10.0.0.0/24 policy match dir out pol ipsec mode tunnel
0 0 vpn212inet all -- * eth0 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
0 0 vpn212loc6 all -- * eth1 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
0 0 vpn212loc7 all -- * eth2 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
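
The two listings in this post can be cross-checked mechanically. The sketch below is an added example, not part of the original message: it reports filter rules that match on an interface name which `ip addr show` does not list. The embedded inputs are abbreviated excerpts of the listings above, and the function names are this example's own.

```python
import re

# Abbreviated excerpts of the `ip addr show` and filter-table listings in the post.
IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
2: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.0.254/24 brd 192.168.0.255 scope global eth2
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.6.254/24 brd 192.168.6.255 scope global eth1
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 212.115.197.253/29 brd 212.115.197.255 scope global eth0
"""
IPTABLES = """\
Chain INPUT (policy DROP 2 packets, 156 bytes)
pkts bytes target prot opt in out source destination
3121 3035K eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ipsec0_in all -- ipsec0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2660 460K eth0_out all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ipsec0_out all -- * ipsec0 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 loc62vpn21 all -- * ipsec0 0.0.0.0/0
192.168.21.0/24 policy match dir out pol ipsec mode tunnel
94711 72M loc62inet all -- * eth0 0.0.0.0/0 0.0.0.0/0
policy match dir out pol none
"""

# pkts bytes target prot opt in out source [destination may wrap to the next line]
RULE = re.compile(r"^\s*(\d+[KMG]?)\s+\d+[KMG]?\s+(\S+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+\S+")
SCALE = {"K": 1000, "M": 1000000, "G": 1000000000}

def interfaces(ip_addr_text):
    """Interface names from the header lines of `ip addr show` ("2: eth2: <...>")."""
    return set(re.findall(r"^\d+:\s+([^:@\s]+)[:@]", ip_addr_text, re.M))

def count(text):
    """Expand an abbreviated iptables counter such as 460K."""
    return int(text[:-1]) * SCALE[text[-1]] if text[-1] in SCALE else int(text)

def rules(iptables_text):
    """Yield one dict per rule line; wrapped continuation lines do not match RULE."""
    chain, found = None, []
    for line in iptables_text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE.match(line)
        if m:
            pkts, target, i, o = m.groups()
            found.append({"chain": chain, "pkts": count(pkts),
                          "target": target, "in": i, "out": o})
    return found

def exists(name, present):
    """True if an iptables interface match ("*", "eth0", "ppp+") can match a listed device."""
    name = name.lstrip("!")
    if name == "*":
        return True
    if name.endswith("+"):  # iptables wildcard: any interface with this prefix
        return any(p.startswith(name[:-1]) for p in present)
    return name in present

def dangling(ip_addr_text, iptables_text):
    """Rules whose in/out interface is absent from the `ip addr show` listing."""
    present = interfaces(ip_addr_text)
    return [r for r in rules(iptables_text)
            if not (exists(r["in"], present) and exists(r["out"], present))]

if __name__ == "__main__":
    for r in dangling(IP_ADDR, IPTABLES):
        print(r["chain"], r["target"], r["in"], r["out"], "pkts=%d" % r["pkts"])
```

On these excerpts it flags the `ipsec0` rules, all with zero packet counters. With the kernel's native IPsec stack, which is what racoon drives, no `ipsecN` device is created, so rules matching on such a name never see traffic.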