Hello Tom and all, I have a problem with my Shorewall 4.4.11.6. It is the
opposite of FAQ 33: connections to the net from clients behind the firewall
work fine, but connections (direct, without a proxy) from the firewall itself
fail. What's wrong? I have attached the status.txt. Thanks.
Augusto.
2011/12/23, Augusto Vázquez Vázquez <[email protected]>:
> Thanks a lot, Tom, that was my error; now my Shorewall started OK. Thanks.
>
> August.
>
>
> 2011/12/22 Tom Eastep <[email protected]>
>
>> On Wed, 2011-12-21 at 22:32 -0500, Augusto Vázquez Vázquez wrote:
>> > Hi, I'm using Shorewall version 4.4.11.6. It's configured, and when I
>> > use the command shorewall check the result is OK, but below is the
>> > error when I try to start shorewall.
>> > There are some attachments to help you understand my problem. Thanks a lot.
>> >
>> > Augusto.
>> >
>> > Starting Shorewall....
>> > Initializing...
>> > /var/lib/shorewall/.start: 2476: /bin: Permission denied
>> > ERROR: Command "/bin -4 link list" Failed
>> > /var/lib/shorewall/.start: 2476: /bin: Permission denied
>> > ERROR: Command "/bin -4 link list" Failed
>> > Terminated
>>
>> It looks like you have this in shorewall.conf:
>>
>> IP=/bin
>>
>> Either leave it blank or set it as
>>
>> IP=/sbin/ip
>>
>> -Tom
>> --
>> Tom Eastep \ When I die, I want to go like my Grandfather who
>> Shoreline, \ died peacefully in his sleep. Not screaming like
>> Washington, USA \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>> _______________________________________________
>> Shorewall-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Shorewall 4.4.11.6 Dump at alumec - Thu Mar 29 15:46:05 CDT 2012
Counters reset Thu Mar 22 13:46:46 CDT 2012
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
129K 12M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
663K 457M net2fw all -- eth0 * 0.0.0.0/0 0.0.0.0/0
530K 75M lan2fw all -- eth1 * 0.0.0.0/0 0.0.0.0/0
99025 11M dmz2fw all -- eth2 * 0.0.0.0/0 0.0.0.0/0
35217 5949K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
118K 5895K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
144K 102M net_frwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
315K 80M lan_frwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
436K 326M dmz_frwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
983K 125M fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
651K 528M fw2lan all -- * eth1 0.0.0.0/0 0.0.0.0/0
78036 101M fw2dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0
35217 5949K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain Drop (3 references)
pkts bytes target prot opt in out source destination
8809 1365K all -- * * 0.0.0.0/0 0.0.0.0/0
63 3780 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */
8746 1361K dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4 /* Needed ICMP types */
11 734 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 /* Needed ICMP types */
8735 1360K dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
136 6528 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
2411 1028K dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
422 36396 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */

Chain Reject (11 references)
pkts bytes target prot opt in out source destination
151K 14M all -- * * 0.0.0.0/0 0.0.0.0/0
1280 76800 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 /* Auth */
150K 14M dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 /* Needed ICMP types */
108K 8944K dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
107K 8876K dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
5 1284 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */

Chain dmz2fw (1 references)
pkts bytes target prot opt in out source destination
76082 9442K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
48 2880 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
20973 1469K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128 ctorigdstport 80 ! ctorigdst 192.168.2.2
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
1919 115K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
2 120 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
2 120 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain dmz2lan (1 references)
pkts bytes target prot opt in out source destination
282K 268M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
83 4660 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
3 180 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain dmz2net (1 references)
pkts bytes target prot opt in out source destination
151K 57M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1470 89644 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
1223 73696 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain dmz_frwd (1 references)
pkts bytes target prot opt in out source destination
154K 58M dmz2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
283K 268M dmz2lan all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
41828 5052K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4

Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
4268 222K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID

Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
4122 4656K DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02

Chain dynamic (2 references)
pkts bytes target prot opt in out source destination

Chain fw2dmz (1 references)
pkts bytes target prot opt in out source destination
77864 101M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.2.2 tcp dpt:25
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
172 123K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
78 4680 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain fw2lan (1 references)
pkts bytes target prot opt in out source destination
647K 524M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
3446 3618K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
3 200 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
502K 91M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
33538 2029K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
448K 33M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain lan2dmz (1 references)
pkts bytes target prot opt in out source destination
201K 75M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
7319 354K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 192.168.1.9 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 192.168.1.9 0.0.0.0/0 tcp dpt:10000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
64 3072 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
1917 92016 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain lan2fw (1 references)
pkts bytes target prot opt in out source destination
444K 67M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
14775 1258K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
2 104 ACCEPT tcp -- * * 192.168.1.9 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 192.168.1.9 0.0.0.0/0 tcp dpt:10000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
29363 1423K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
41860 5053K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
32 1536 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain lan2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
104K 5199K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
104K 5199K reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain lan_frwd (1 references)
pkts bytes target prot opt in out source destination
104K 5199K lan2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
211K 75M lan2dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2dmz (1 references)
pkts bytes target prot opt in out source destination
143K 102M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1249 71468 ACCEPT tcp -- * * 0.0.0.0/0 192.168.2.2 tcp dpt:25 ctorigdst 190.6.69.66
134 7248 ACCEPT tcp -- * * 0.0.0.0/0 192.168.2.2 tcp dpt:80 ctorigdst 190.6.69.66
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
644K 455M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
5 200 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
9805 715K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
8809 1365K Drop all -- * * 0.0.0.0/0 0.0.0.0/0
3342 175K DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2lan (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 net2lan all -- * eth1 0.0.0.0/0 0.0.0.0/0
144K 102M net2dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0

Chain reject (18 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
106K 5285K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
21 1178 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain shorewall (0 references)
pkts bytes target prot opt in out source destination

Log (/var/log/messages)
NAT Table

Chain PREROUTING (policy ACCEPT 225K packets, 16M bytes)
pkts bytes target prot opt in out source destination
226K 16M dnat all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 585K packets, 39M bytes)
pkts bytes target prot opt in out source destination
468K 34M eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 471K packets, 38M bytes)
pkts bytes target prot opt in out source destination

Chain dmz_dnat (1 references)
pkts bytes target prot opt in out source destination
1 60 REDIRECT tcp -- * * 0.0.0.0/0 !192.168.2.2 tcp dpt:80 redir ports 3128

Chain dnat (1 references)
pkts bytes target prot opt in out source destination
16741 2001K net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0
11530 727K dmz_dnat all -- eth2 * 0.0.0.0/0 0.0.0.0/0

Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 192.168.1.0/24 0.0.0.0/0
931 57300 MASQUERADE all -- * * 192.168.2.0/24 0.0.0.0/0

Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
1249 71468 DNAT tcp -- * * 0.0.0.0/0 190.6.69.66 tcp dpt:25 to:192.168.2.2
134 7248 DNAT tcp -- * * 0.0.0.0/0 190.6.69.66 tcp dpt:80 to:192.168.2.2

Mangle Table

Chain PREROUTING (policy ACCEPT 2223K packets, 1057M bytes)
pkts bytes target prot opt in out source destination
2223K 1057M tcpre all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 1327K packets, 549M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 895K packets, 508M bytes)
pkts bytes target prot opt in out source destination
895K 508M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK and 0xffffff00
895K 508M tcfor all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1747K packets, 761M bytes)
pkts bytes target prot opt in out source destination
1747K 761M tcout all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 2533K packets, 1260M bytes)
pkts bytes target prot opt in out source destination
2533K 1260M tcpost all -- * * 0.0.0.0/0 0.0.0.0/0

Chain tcfor (1 references)
pkts bytes target prot opt in out source destination

Chain tcout (1 references)
pkts bytes target prot opt in out source destination

Chain tcpost (1 references)
pkts bytes target prot opt in out source destination

Chain tcpre (1 references)
pkts bytes target prot opt in out source destination

Raw Table

Chain PREROUTING (policy ACCEPT 2223K packets, 1057M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1747K packets, 761M bytes)
pkts bytes target prot opt in out source destination

Conntrack Table (24 out of 46196)
tcp 6 167604 ESTABLISHED src=190.6.69.66 dst=208.100.14.23 sport=57007 dport=80 packets=1 bytes=821 src=208.100.14.23 dst=190.6.69.66 sport=80 dport=57007 packets=1 bytes=52 mark=0 secmark=0 use=2
tcp 6 7 TIME_WAIT src=192.168.1.26 dst=192.168.1.1 sport=1695 dport=3128 packets=25 bytes=4079 src=192.168.1.1 dst=192.168.1.26 sport=3128 dport=1695 packets=31 bytes=23869 [ASSURED] mark=0 secmark=0 use=2
tcp 6 7 TIME_WAIT src=192.168.1.26 dst=192.168.1.1 sport=1697 dport=3128 packets=13 bytes=3284 src=192.168.1.1 dst=192.168.1.26 sport=3128 dport=1697 packets=16 bytes=6175 [ASSURED] mark=0 secmark=0 use=2
tcp 6 168468 ESTABLISHED src=190.6.69.66 dst=208.100.14.23 sport=36525 dport=80 packets=1 bytes=767 src=208.100.14.23 dst=190.6.69.66 sport=80 dport=36525 packets=1 bytes=52 mark=0 secmark=0 use=2
tcp 6 7 TIME_WAIT src=192.168.1.26 dst=192.168.1.1 sport=1689 dport=3128 packets=44 bytes=8176 src=192.168.1.1 dst=192.168.1.26 sport=3128 dport=1689 packets=54 bytes=47639 [ASSURED] mark=0 secmark=0 use=2
tcp 6 431638 ESTABLISHED src=190.6.69.66 dst=208.80.152.211 sport=43456 dport=80 packets=17 bytes=3220 src=208.80.152.211 dst=190.6.69.66 sport=80 dport=43456 packets=15 bytes=12727 [ASSURED] mark=0 secmark=0 use=2
tcp 6 174250 ESTABLISHED src=190.6.69.66 dst=69.171.242.39 sport=57994 dport=443 packets=1 bytes=75 [UNREPLIED] src=69.171.242.39 dst=190.6.69.66 sport=443 dport=57994 packets=0 bytes=0 mark=0 secmark=0 use=2
tcp 6 348917 ESTABLISHED src=190.6.69.66 dst=69.171.247.80 sport=34805 dport=443 packets=1 bytes=445 [UNREPLIED] src=69.171.247.80 dst=190.6.69.66 sport=443 dport=34805 packets=0 bytes=0 mark=0 secmark=0 use=2
tcp 6 161664 ESTABLISHED src=190.6.69.66 dst=190.6.81.134 sport=60888 dport=80 packets=2 bytes=1712 [UNREPLIED] src=190.6.81.134 dst=190.6.69.66 sport=80 dport=60888 packets=0 bytes=0 mark=0 secmark=0 use=2
udp 17 46 src=192.168.2.2 dst=192.168.2.1 sport=26646 dport=53 packets=31 bytes=2306 src=192.168.2.1 dst=192.168.2.2 sport=53 dport=26646 packets=31 bytes=4430 [ASSURED] mark=0 secmark=0 use=2
tcp 6 174280 ESTABLISHED src=190.6.69.66 dst=66.220.156.16 sport=43202 dport=443 packets=1 bytes=75 [UNREPLIED] src=66.220.156.16 dst=190.6.69.66 sport=443 dport=43202 packets=0 bytes=0 mark=0 secmark=0 use=2
tcp 6 348917 ESTABLISHED src=190.6.69.66 dst=69.171.247.80 sport=55120 dport=443 packets=1 bytes=445 [UNREPLIED] src=69.171.247.80 dst=190.6.69.66 sport=443 dport=55120 packets=0 bytes=0 mark=0 secmark=0 use=2
tcp 6 30 TIME_WAIT src=192.168.1.38 dst=192.168.2.2 sport=2398 dport=80 packets=8 bytes=1460 src=192.168.2.2 dst=192.168.1.38 sport=80 dport=2398 packets=7 bytes=2412 [ASSURED] mark=0 secmark=0 use=2
tcp 6 148510 ESTABLISHED src=190.6.69.66 dst=69.171.242.14 sport=35718 dport=443 packets=1 bytes=75 [UNREPLIED] src=69.171.242.14 dst=190.6.69.66 sport=443 dport=35718 packets=0 bytes=0 mark=0 secmark=0 use=2
tcp 6 161270 ESTABLISHED src=190.6.69.66 dst=50.28.18.239 sport=60604 dport=80 packets=2 bytes=1450 [UNREPLIED] src=50.28.18.239 dst=190.6.69.66 sport=80 dport=60604 packets=0 bytes=0 mark=0 secmark=0 use=2
tcp 6 431993 ESTABLISHED src=192.168.1.37 dst=192.168.2.2 sport=3131 dport=80 packets=24 bytes=5577 src=192.168.2.2 dst=192.168.1.37 sport=80 dport=3131 packets=37 bytes=34663 [ASSURED] mark=0 secmark=0 use=2
tcp 6 173701 ESTABLISHED src=190.6.69.66 dst=64.212.172.138 sport=41375 dport=443 packets=2 bytes=1148 [UNREPLIED] src=64.212.172.138 dst=190.6.69.66 sport=443 dport=41375 packets=0 bytes=0 mark=0 secmark=0 use=2
tcp 6 11 TIME_WAIT src=190.6.69.66 dst=190.6.81.15 sport=59382 dport=80 packets=22 bytes=2004 src=190.6.81.15 dst=190.6.69.66 sport=80 dport=59382 packets=11 bytes=10172 [ASSURED] mark=0 secmark=0 use=2
udp 17 152 src=192.168.1.23 dst=192.168.1.1 sport=51677 dport=53 packets=3 bytes=231 src=192.168.1.1 dst=192.168.1.23 sport=53 dport=51677 packets=3 bytes=427 [ASSURED] mark=0 secmark=0 use=2
tcp 6 168473 ESTABLISHED src=190.6.69.66 dst=208.100.14.23 sport=57271 dport=80 packets=1 bytes=766 src=208.100.14.23 dst=190.6.69.66 sport=80 dport=57271 packets=1 bytes=52 mark=0 secmark=0 use=2
tcp 6 344841 ESTABLISHED src=190.6.69.66 dst=69.171.227.66 sport=45715 dport=443 packets=1 bytes=231 [UNREPLIED] src=69.171.227.66 dst=190.6.69.66 sport=443 dport=45715 packets=0 bytes=0 mark=0 secmark=0 use=2
tcp 6 7 TIME_WAIT src=192.168.1.26 dst=192.168.1.1 sport=1673 dport=3128 packets=18 bytes=2914 src=192.168.1.1 dst=192.168.1.26 sport=3128 dport=1673 packets=19 bytes=16251 [ASSURED] mark=0 secmark=0 use=2
tcp 6 431638 ESTABLISHED src=192.168.1.26 dst=192.168.1.1 sport=1668 dport=3128 packets=11 bytes=1011 src=192.168.1.1 dst=192.168.1.26 sport=3128 dport=1668 packets=10 bytes=10611 [ASSURED] mark=0 secmark=0 use=2
tcp 6 161254 ESTABLISHED src=190.6.69.66 dst=190.6.81.134 sport=52288 dport=80 packets=2 bytes=1760 [UNREPLIED] src=190.6.81.134 dst=190.6.69.66 sport=80 dport=52288 packets=0 bytes=0 mark=0 secmark=0 use=2
IP Configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 190.6.69.66/29 brd 190.6.69.71 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
inet 192.168.2.1/24 brd 192.168.2.255 scope global eth2
IP Stats
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
16646655 102869 0 0 0 0
TX: bytes packets errors dropped carrier collsns
16646655 102869 0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 48:5b:39:ba:f1:8d brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
2107530129 2682173 1 0 0 0
TX: bytes packets errors dropped carrier collsns
603984610 3638713 0 0 18 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:48:54:1d:ce:c5 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
493152439 2815708 0 0 0 0
TX: bytes packets errors dropped carrier collsns
2563354214 2982397 0 0 0 0
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:40:f4:2d:42:72 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
927305791 1425092 0 0 0 0
TX: bytes packets errors dropped carrier collsns
789747848 1266624 0 0 0 0
/proc
/proc/version = Linux version 2.6.32-5-686 (Debian 2.6.32-35) ([email protected]) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Mon Jun 13 04:13:06 UTC 2011
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 1
/proc/sys/net/ipv4/conf/default/log_martians = 1
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 1
/proc/sys/net/ipv4/conf/eth0/log_martians = 1
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 1
/proc/sys/net/ipv4/conf/eth1/log_martians = 1
/proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth2/arp_filter = 0
/proc/sys/net/ipv4/conf/eth2/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth2/rp_filter = 1
/proc/sys/net/ipv4/conf/eth2/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 1
/proc/sys/net/ipv4/conf/lo/log_martians = 1
Routing Rules
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Table default:
Table local:
local 192.168.1.1 dev eth1 proto kernel scope host src 192.168.1.1
broadcast 192.168.2.255 dev eth2 proto kernel scope link src 192.168.2.1
broadcast 192.168.1.0 dev eth1 proto kernel scope link src 192.168.1.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.2.1 dev eth2 proto kernel scope host src 192.168.2.1
local 190.6.69.66 dev eth0 proto kernel scope host src 190.6.69.66
broadcast 192.168.2.0 dev eth2 proto kernel scope link src 192.168.2.1
broadcast 192.168.1.255 dev eth1 proto kernel scope link src 192.168.1.1
broadcast 190.6.69.64 dev eth0 proto kernel scope link src 190.6.69.66
broadcast 190.6.69.71 dev eth0 proto kernel scope link src 190.6.69.66
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
190.6.69.64/29 dev eth0 proto kernel scope link src 190.6.69.66
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
default via 190.6.69.65 dev eth0
ARP
? (190.6.69.65) at 00:0e:50:9c:ab:b0 [ether] on eth0
? (192.168.1.37) at 00:1c:c0:1b:77:40 [ether] on eth1
? (192.168.1.43) at 00:1c:c0:22:71:21 [ether] on eth1
? (192.168.1.23) at 00:1c:c4:c8:83:eb [ether] on eth1
? (192.168.1.36) at 00:26:6c:b8:f2:65 [ether] on eth1
? (192.168.2.2) at 00:1c:c0:22:76:6e [ether] on eth2
? (192.168.1.26) at 00:13:20:b1:29:57 [ether] on eth1
? (192.168.1.25) at 00:1c:c0:22:75:c7 [ether] on eth1
? (192.168.1.38) at 00:1c:c0:1b:78:84 [ether] on eth1
? (192.168.1.22) at 00:1c:c0:22:71:50 [ether] on eth1
Modules
iptable_filter 1790 1
iptable_mangle 2325 1
iptable_nat 3519 1
iptable_raw 1471 0
ip_tables 7706 4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
ipt_addrtype 1345 2
ipt_MASQUERADE 1134 2
ipt_REDIRECT 803 1
ipt_REJECT 1517 4
nf_conntrack 37871 5 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,xt_conntrack
nf_conntrack_ipv4 7597 25 iptable_nat,nf_nat
nf_defrag_ipv4 779 1 nf_conntrack_ipv4
nf_nat 10468 3 ipt_REDIRECT,ipt_MASQUERADE,iptable_nat
xt_comment 599 18
xt_conntrack 1955 22
xt_MARK 617 1
xt_multiport 1775 4
xt_tcpudp 1743 38
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Extended Connection Tracking Match Support: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
Physdev-is-bridged Support: Available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Not available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Available
MARK Target: Available
Extended MARK Target: Available
Extended MARK Target 2: Available
Mangle FORWARD Chain: Available
Comments: Available
Address Type Match: Available
TCPMSS Match: Available
Hashlimit Match: Available
NFQUEUE Target: Available
Realm Match: Available
Helper Match: Available
Connlimit Match: Available
Time Match: Available
Goto Support: Available
LOGMARK Target: Not available
IPMARK Target: Not available
LOG Target: Available
Persistent SNAT: Available
TPROXY Target: Available
FLOW Classifier: Available
fwmark route mask: Available
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 949/portmap
tcp 0 0 0.0.0.0:57812 0.0.0.0:* LISTEN 961/rpc.statd
tcp 0 0 192.168.2.1:53 0.0.0.0:* LISTEN 2593/named
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN 2593/named
tcp 0 0 190.6.69.66:53 0.0.0.0:* LISTEN 2593/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2593/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1749/sshd
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 1733/(squid)
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2593/named
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1702/exim4
tcp 0 0 192.168.1.1:3128 192.168.1.26:1668 ESTABLISHED 1733/(squid)
tcp 0 0 190.6.69.66:43456 208.80.152.211:80 ESTABLISHED 1733/(squid)
tcp6 0 0 :::22 :::* LISTEN 1749/sshd
tcp6 0 0 ::1:953 :::* LISTEN 2593/named
tcp6 0 0 ::1:25 :::* LISTEN 1702/exim4
udp 0 0 192.168.2.1:53 0.0.0.0:* 2593/named
udp 0 0 192.168.1.1:53 0.0.0.0:* 2593/named
udp 0 0 190.6.69.66:53 0.0.0.0:* 2593/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2593/named
udp 0 0 0.0.0.0:3130 0.0.0.0:* 1733/(squid)
udp 0 0 0.0.0.0:713 0.0.0.0:* 961/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:* 949/portmap
udp 0 0 0.0.0.0:46460 0.0.0.0:* 961/rpc.statd
udp 0 0 0.0.0.0:32798 0.0.0.0:* 1733/(squid)
Traffic Control
Device eth0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 602529654 bytes 3636306 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
Device eth1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 2551296112 bytes 2858537 pkt (dropped 0, overlimits 0 requeues 68622)
rate 0bit 0pps backlog 0b 0p requeues 68622
Device eth2:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 779396432 bytes 1146158 pkt (dropped 0, overlimits 0 requeues 120939)
rate 0bit 0pps backlog 0b 0p requeues 120939
TC Filters
Device eth0:
Device eth1:
Device eth2:
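Tom's diagnosis in the quoted thread was that IP= in shorewall.conf pointed at /bin, a directory, so the start script's `/bin -4 link list` failed with "Permission denied" while `shorewall check` still passed. The script below is an added example for this thread, not code from the original posts or from Shorewall: it parses the IP= and IPTABLES= settings out of a shorewall.conf, rejects any value that is not an executable file (blank means "search PATH", as the Shorewall documentation describes), and reproduces the failure the way `shorewall start` hits it by actually executing the configured path. The shorewall.conf excerpt embedded in it is constructed for the example; only the IP=/bin line comes from the thread.

```python
"""Validate the IP= and IPTABLES= settings of shorewall.conf the way
`shorewall start` will exercise them.  Added example for this thread; not
Shorewall's own code."""
import os
import re
import shutil
import subprocess

# shorewall.conf excerpt constructed for this example; IP=/bin is the value
# Tom identified in the thread above.
BROKEN_CONF = """\
# shorewall.conf (excerpt)
STARTUP_ENABLED=Yes
IP=/bin
IPTABLES=
LOGFILE="/var/log/messages"
"""
FIXED_CONF = BROKEN_CONF.replace("IP=/bin", "IP=")   # blank: let Shorewall search PATH

SETTING = re.compile(r"^\s*([A-Z][A-Z0-9_]*)=(.*)$")
TOOLS = {"IP": "ip", "IPTABLES": "iptables"}        # setting name -> binary it must name


def parse_shorewall_conf(text: str) -> dict:
    """Return {NAME: value} for the NAME=value lines; comments and quotes stripped."""
    settings = {}
    for raw in text.splitlines():
        m = SETTING.match(raw.split("#", 1)[0])  # shell syntax: '#' starts a comment
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[name] = value
    return settings


def validate_tool_path(value: str, tool: str) -> tuple:
    """(ok, detail).  Blank means 'search PATH', as shorewall.conf documents it."""
    if value == "":
        found = shutil.which(tool)
        return (found is not None, found or f"{tool} not found in PATH")
    if os.path.isdir(value):
        # execve() on a directory fails with EACCES, which is the
        # "/bin: Permission denied" in the start transcript quoted above
        return (False, f"{value} is a directory, not the {tool} binary")
    if not os.path.isfile(value):
        return (False, f"{value} does not exist")
    if not os.access(value, os.X_OK):
        return (False, f"{value} is not executable")
    return (True, value)


def check_conf(text: str) -> dict:
    """Validate every tool-path setting in a shorewall.conf text."""
    settings = parse_shorewall_conf(text)
    return {name: validate_tool_path(settings.get(name, ""), tool)
            for name, tool in TOOLS.items()}


def run_ip(ip_path: str) -> tuple:
    """Run the command Shorewall failed on and report the way its start script does."""
    cmd = [ip_path, "-4", "link", "list"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True)
    except OSError as e:      # PermissionError for a directory, FileNotFoundError if absent
        return (False, f'ERROR: Command "{" ".join(cmd)}" Failed ({e.strerror})')
    if proc.returncode != 0:
        return (False, f'ERROR: Command "{" ".join(cmd)}" Failed (exit {proc.returncode})')
    return (True, proc.stdout)


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}:")
        values = parse_shorewall_conf(conf)
        for name, (ok, detail) in check_conf(conf).items():
            print(f"  {name}={values.get(name, '')!r}: {'OK' if ok else 'BAD'} - {detail}")
    print(run_ip("/bin")[1])
```

Running `check_conf` before `shorewall start` catches the directory case that `shorewall check` did not, because compiling the ruleset never executes the configured `ip` binary; `run_ip` shows the same "Command ... Failed" line the start script printed, this time with the errno text attached.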
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
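No answer to the second question (direct connections from the firewall failing) appears in this thread, but the dump above carries something worth extracting mechanically. In its Conntrack Table, the flows from the firewall's own address 190.6.69.66 that do work are Squid's (for example 208.80.152.211:80, 17 packets out and 15 back; the lan2net chain rejects everything, so LAN clients reach the net only through Squid on the firewall). Several other flows from 190.6.69.66 to port 80 and 443 sit in ESTABLISHED with [UNREPLIED] and only one or two original-direction packets. Conntrack creates a TCP entry directly in ESTABLISHED only from a non-SYN packet (nf_conntrack_tcp_loose=1, the kernel default); a SYN starts the entry in SYN_SENT. Those entries were therefore picked up mid-stream and the peer never answered. The script below is an added example, not from the thread or from Shorewall: it re-joins conntrack entries that a mail client wrapped across lines, parses both directions of each entry, and lists the firewall's own unanswered TCP flows by destination port. Its sample input is six entries copied verbatim from the dump above, wrapping included.

```python
"""Find firewall-originated TCP flows that never got a reply, from the
Conntrack Table section of `shorewall dump` / `shorewall status` output.
Added example for this thread; not part of Shorewall."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Six entries copied from the dump above, with the mail client's line wrapping kept.
SAMPLE_DUMP = """\
tcp 6 167604 ESTABLISHED src=190.6.69.66 dst=208.100.14.23 sport=57007
dport=80 packets=1 bytes=821 src=208.100.14.23 dst=190.6.69.66 sport=80
dport=57007 packets=1 bytes=52 mark=0 secmark=0 use=2
tcp 6 7 TIME_WAIT src=192.168.1.26 dst=192.168.1.1 sport=1695 dport=3128
packets=25 bytes=4079 src=192.168.1.1 dst=192.168.1.26 sport=3128 dport=1695
packets=31 bytes=23869 [ASSURED] mark=0 secmark=0 use=2
tcp 6 431638 ESTABLISHED src=190.6.69.66 dst=208.80.152.211 sport=43456
dport=80 packets=17 bytes=3220 src=208.80.152.211 dst=190.6.69.66 sport=80
dport=43456 packets=15 bytes=12727 [ASSURED] mark=0 secmark=0 use=2
tcp 6 174250 ESTABLISHED src=190.6.69.66 dst=69.171.242.39 sport=57994
dport=443 packets=1 bytes=75 [UNREPLIED] src=69.171.242.39 dst=190.6.69.66
sport=443 dport=57994 packets=0 bytes=0 mark=0 secmark=0 use=2
tcp 6 161664 ESTABLISHED src=190.6.69.66 dst=190.6.81.134 sport=60888
dport=80 packets=2 bytes=1712 [UNREPLIED] src=190.6.81.134 dst=190.6.69.66
sport=80 dport=60888 packets=0 bytes=0 mark=0 secmark=0 use=2
udp 17 46 src=192.168.2.2 dst=192.168.2.1 sport=26646 dport=53 packets=31
bytes=2306 src=192.168.2.1 dst=192.168.2.2 sport=53 dport=26646 packets=31
bytes=4430 [ASSURED] mark=0 secmark=0 use=2
"""

ENTRY_START = re.compile(r"^[a-z]+\s+\d+\s+\d+\b")   # "<proto> <protonum> <timeout> ..."
KV = re.compile(r"(\w+)=(\S+)")
FLAG = re.compile(r"\[([A-Z]+)\]")
STATE = re.compile(r"[A-Z_]+")
TUPLE_KEYS = ("src", "dst", "sport", "dport", "packets", "bytes")


@dataclass
class Flow:
    proto: str
    timeout: int
    state: str                                  # TCP state word; "" for udp/icmp
    orig: dict = field(default_factory=dict)    # original direction tuple + counters
    reply: dict = field(default_factory=dict)   # reply direction tuple + counters
    flags: set = field(default_factory=set)     # {"ASSURED"}, {"UNREPLIED"} or empty

    @property
    def picked_up_midstream(self) -> bool:
        # conntrack creates a TCP entry directly in ESTABLISHED only from a
        # non-SYN packet (nf_conntrack_tcp_loose=1, the default); a SYN starts
        # the entry in SYN_SENT.  ESTABLISHED + UNREPLIED therefore means the
        # flow was seen mid-stream and the peer never answered.
        return self.proto == "tcp" and self.state == "ESTABLISHED" and "UNREPLIED" in self.flags


def join_wrapped(text: str) -> list:
    """Re-join entries that a mail client wrapped across several lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_conntrack_line(line: str) -> Flow:
    parts = line.split()
    flow = Flow(proto=parts[0], timeout=int(parts[2]), state="")
    for tok in parts[3:]:                        # state word precedes the first key=value
        if "=" in tok:
            break
        if STATE.fullmatch(tok):
            flow.state = tok
    target = flow.orig
    for key, val in KV.findall(line):
        if key == "src" and "src" in flow.orig:  # second src= opens the reply direction
            target = flow.reply
        if key in TUPLE_KEYS:
            target[key] = val
    flow.flags = set(FLAG.findall(line))
    return flow


def unanswered_egress(dump_text: str, fw_addr: str) -> list:
    """TCP flows originated by fw_addr whose reply direction never saw a packet."""
    return [f for f in map(parse_conntrack_line, join_wrapped(dump_text))
            if f.proto == "tcp" and f.orig.get("src") == fw_addr
            and "UNREPLIED" in f.flags and f.reply.get("packets") == "0"]


def by_port(flows) -> Counter:
    return Counter(f.orig["dport"] for f in flows)


if __name__ == "__main__":
    hits = unanswered_egress(SAMPLE_DUMP, "190.6.69.66")
    for f in hits:
        print(f"{f.orig['src']}:{f.orig['sport']} -> {f.orig['dst']}:{f.orig['dport']} "
              f"{f.state} sent={f.orig['packets']} pkts, reply=0, timeout={f.timeout}s"
              f"{' (picked up mid-stream)' if f.picked_up_midstream else ''}")
    print("unanswered by destination port:", dict(by_port(hits)))
```

Feed it the whole Conntrack Table section of a `shorewall dump` and the firewall's external address; the unanswered list separates flows that genuinely never got a reply from the Squid flows and TIME_WAIT leftovers that look similar at a glance, and the mid-stream flag tells you whether each entry was created by a SYN or by a later packet.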