> I'm simply trying to get you to think rather than "trying random things".
I appreciate the intent. The "trying random things" is what this has devolved to; it's NOT for lack of trying to think about it. As I said, I don't understand this. The clearest evidence of that is that after a week of *working* on it, it doesn't work.

> Because ultimately, you are going to have to maintain this configuration.

Which is exactly why I'm sticking with this and asking for help.

> http://www.shorewall.net/support.html#Guidelines clearly spells out what
> we need to help you solve your problems. In the future, you may wish to
> refer to it.
>
> In the mean time, I *think* your DNAT rule should be:
>
> DNAT net vpn1:192.168.1.2 tcp 25 S.S.S.S

Still with

  SERVER (shorewall)
    eth0: S.S.S.S
          192.168.0.1
    tun1: 10.0.0.1
      |
      |
      |
  CLIENT (shorewall)
    eth0: C.C.C.C
    tun1: 10.0.0.2
    eth1: 192.168.1.1
      |
      |
      |
  SMTP
    eth0: 192.168.1.2

I've modified zones & rules so that config is now,

/zones
  fw    firewall
  net   ipv4
  vpn1  ipv4

/interfaces
  net   eth0  tcpflags,nosmurfs,routefilter=1,sourceroute=0
  vpn1  tun+  -

/rules
  DNAT    net  vpn1:192.168.1.2  tcp  25  -  S.S.S.S
  ACCEPT  net  vpn1:192.168.1.2  tcp  25

and the CLIENT shorewall has

/zones
  fw    firewall
  net   ipv4
  lan   ipv4
  vpn1  ipv4

/interfaces
  net   eth0  tcpflags,nosmurfs,logmartians=1,routefilter=1,sourceroute=0
  lan   eth1  routefilter=1
  vpn1  tun+  -

/rules
  ACCEPT  vpn1  lan:192.168.1.2  tcp  25

/masq
  eth0  192.168.1.2  S.S.S.S  tcp  25

>> 3. If Shorewall is starting successfully and your problem is that some
>> set of connections to/from or through your firewall isn't working (examples:
>> local systems can't access the Internet, you can't send email through the
>> firewall, you can't surf the web from the firewall, connections that you are
>> certain should be rejected are mysteriously accepted, etc.) or you are
>> having problems with traffic shaping then please perform the following six
>> steps:
>>
>> Be sure that the LOGFILE setting in /etc/shorewall/shorewall.conf
>> is correct (that it names the file where 'Shorewall' messages are being
>> logged).
>> See shorewall.conf (5) and the Shorewall Logging Article.

SERVER: shorewall.conf:LOGFILE=/var/log/shorewall/shorewall
CLIENT: shorewall.conf:LOGFILE=/var/log/shorewall/shorewall

>> If Shorewall isn't started then /sbin/shorewall start. Otherwise
>> /sbin/shorewall reset.
>>
>> Try making the connection that is failing.
>>
>> /sbin/shorewall dump > /tmp/shorewall_dump.txt

cat /tmp/shorewall_dump.txt

Shorewall Lite 4.6.2.1 Dump at server.mydomain.com - Thu Jul 24 18:33:44 PDT 2014

Shorewall Lite is running
State:Started (Thu Jul 24 17:35:47 PDT 2014) from /usr/local/etc/shorewall/server.mydomain.com/IPv4/ (/var/lib/shorewall-lite/firewall compiled by Shorewall version 4.6.2.1)

Counters reset Thu Jul 24 18:33:33 PDT 2014

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   423 net2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 vpn12fw    all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SW:INPUT:REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    64 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    1    64 net_frwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 vpn1_frwd  all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SW:FORWARD:REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   612 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 fw2vpn1    all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
    0     0 fw2fw      all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SW:OUTPUT:REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain Broadcast (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST

Chain Drop (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 Broadcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4 /* Needed ICMP types */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11 /* Needed ICMP types */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53 /* Late DNS Replies */

Chain Reject (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 Broadcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4 /* Needed ICMP types */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11 /* Needed ICMP types */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53 /* Late DNS Replies */

Chain dropNotSyn (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02

Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source               destination

Chain fw2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   612 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       S.S.S.S              C.C.C.C              udp spt:1194
    0     0 ACCEPT     tcp  --  *      *       S.S.S.S              C.C.C.C              tcp spt:1194
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Trcrt */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 21,20,80,443,25,22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:123 dpt:123
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ~log3      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp dpt:53
    0     0 ~log4      udp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  udp dpt:53
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2vpn1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix "SW:logdrop:DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix "SW:logreject:REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   423 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       C.C.C.C/29           0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     udp  --  *      *       C.C.C.C              S.S.S.S              udp dpt:1194
    0     0 ACCEPT     tcp  --  *      *       C.C.C.C              S.S.S.S              tcp dpt:1194
    0     0 ~log0      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  multiport dports 22,23,1194
    0     0 dropNotSyn tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       C.C.C.C/29           0.0.0.0/0            icmptype 8 /* Ping */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 5/sec burst 100 /* Ping */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            S.S.S.S              multiport dports 80,443
    0     0 ~log2      tcp  --  *      *       X.X.X.X              S.S.S.S             [goto]  multiport dports 25,587
    0     0 ACCEPT     tcp  --  *      *       C.C.C.C/29           S.S.S.S              tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       C.C.C.C/29           S.S.S.S              udp dpt:53
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SW:net2fw:DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2vpn1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ~log1      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  multiport dports 22,23,1194
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 5/sec burst 100 /* Ping */
    1    64 ACCEPT     tcp  --  *      *       X.X.X.X              192.168.1.2          multiport dports 25,587
    0     0 ACCEPT     tcp  --  *      *       X.X.X.X              192.168.1.2          multiport dports 25,587
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SW:net2vpn1:DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    64 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    1    64 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    1    64 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    64 net2vpn1   all  --  *      tun+    0.0.0.0/0            0.0.0.0/0

Chain reject (10 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BROADCAST
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
    0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain sfilter (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SW:sfilter:DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255

Chain smurfs (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0              0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BROADCAST
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0

Chain tcpflags (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:0 flags:0x17/0x02

Chain vpn12fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SW:vpn12fw:REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain vpn12net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SW:vpn12net:REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain vpn1_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 sfilter    all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 vpn12net   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain ~log0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SW:DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ~log1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SW:DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ~log2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SW:[TEST]:ACCEPT "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ~log3 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SW:ACCEPT "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ~log4 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SW:ACCEPT "
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Log (/var/log/shorewall/shorewall)

2014-07-24T18:33:37.305475-07:00 server SW:[TEST]:DNAT IN=eth0 OUT= SRC=X.X.X.X DST=S.S.S.S LEN=64 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=55981 DPT=25 WINDOW=32768 RES=0x00 SYN URGP=0

NAT Table

Chain PREROUTING (policy ACCEPT 98 packets, 5725 bytes)
 pkts bytes target     prot opt in     out     source               destination
  103  6045 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 61 packets, 3622 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 57 packets, 3476 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 62 packets, 3796 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   404 tun+_masq  all  --  *      tun+    0.0.0.0/0            0.0.0.0/0

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   320 ~log0      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  multiport dports 25,587
    0     0 ~log0      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  multiport dports 25,587

Chain tun+_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  *      tun1    10.0.0.1             0.0.0.0/0            multiport dports 25,587 to:S.S.S.S

Chain ~log0 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    5   320 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SW:[TEST]:DNAT "
    5   320 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:192.168.1.2

Mangle Table

Chain PREROUTING (policy ACCEPT 4 packets, 487 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   487 tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 3 packets, 423 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   423 tcin       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 1 packets, 64 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    64 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0xffffff00
    1    64 tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4 packets, 612 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   612 tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 5 packets, 676 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   676 tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcin (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination

Raw Table

Chain PREROUTING (policy ACCEPT 2000 packets, 343K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,587 match-set SPAM_NET src CT notrack
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,587 match-set SPAM_NET src

Chain OUTPUT (policy ACCEPT 1908 packets, 457K bytes)
 pkts bytes target     prot opt in     out     source               destination

Conntrack Table (36 out of 65536)

ipv4     2 tcp      6 431921 ESTABLISHED src=C.C.C.C dst=S.S.S.S sport=46051 dport=22 src=S.S.S.S dst=C.C.C.C sport=22 dport=46051 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 179 src=C.C.C.C dst=S.S.S.S sport=1194 dport=1194 src=S.S.S.S dst=C.C.C.C sport=1194 dport=1194 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 113 SYN_SENT src=X.X.X.X dst=S.S.S.S sport=55981 dport=25 [UNREPLIED] src=192.168.1.2 dst=X.X.X.X sport=25 dport=55981 mark=0 zone=0 use=2

IP Configuration

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet 127.0.0.2/8 brd 127.255.255.255 scope host secondary lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    inet S.S.S.S/24 brd S.S.S.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
3: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 100
    inet 10.0.0.1/24 brd 10.0.0.255 scope global tun1
       valid_lft forever preferred_lft forever

IP Stats

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes    packets  errors  dropped overrun mcast
    3239285      10838    0       0       0       0
    TX: bytes    packets  errors  dropped carrier collsns
    3239285      10838    0       0       0       0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether f2:3c:91:70:24:31 brd ff:ff:ff:ff:ff:ff
    RX: bytes    packets  errors  dropped overrun mcast
    7338770      65169    0       0       0       0
    TX: bytes    packets  errors  dropped carrier collsns
    10139797     54330    0       0       0       0
3: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 100
    link/none
    RX: bytes    packets  errors  dropped overrun mcast
    9448         116      0       0       0       0
    TX: bytes    packets  errors  dropped carrier collsns
    8629         122      0       0       0       0

Bridges

bridge name     bridge id               STP enabled     interfaces

Routing Rules

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Table default:

Table local:

local S.S.S.95 dev eth0 proto kernel scope host src S.S.S.S
local S.S.S.S dev eth0 proto kernel scope host src S.S.S.S
local S.S.S.S dev eth0 proto kernel scope host src S.S.S.S
local 127.0.0.2 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.0.0.1 dev tun1 proto kernel scope host src 10.0.0.1
local 192.168.0.1 dev eth0 proto kernel scope host src 192.168.0.1
broadcast S.S.S.255 dev eth0 proto kernel scope link src S.S.S.S
broadcast S.S.S.0 dev eth0 proto kernel scope link src S.S.S.S
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.0.0.255 dev tun1 proto kernel scope link src 10.0.0.1
broadcast 10.0.0.0 dev tun1 proto kernel scope link src 10.0.0.1
broadcast 192.168.0.255 dev eth0 proto kernel scope link src 192.168.0.1
broadcast 192.168.0.0 dev eth0 proto kernel scope link src 192.168.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

Table main:

S.S.S.0/24 dev eth0 proto kernel scope link src S.S.S.S
10.0.0.0/24 dev tun1 proto kernel scope link src 10.0.0.1
192.168.1.0/24 via 10.0.0.2 dev tun1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via S.S.S.1 dev eth0

Per-IP Counters

No IP Accounting Tables Defined

NF Accounting

No NF Accounting defined (nfacct not found)

Events

/proc

/proc/version = Linux version 3.15.6-2.gedc5ddf-xen (geeko@buildhost) (gcc version 4.8.1 20130909 [gcc-4_8-branch revision 202388] (SUSE Linux) ) #1 SMP Mon Jul 21 15:37:46 UTC 2014 (edc5ddf)
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/default/log_martians = 1
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 1
/proc/sys/net/ipv4/conf/eth0/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 1
/proc/sys/net/ipv4/conf/tun1/proxy_arp = 0
/proc/sys/net/ipv4/conf/tun1/arp_filter = 0
/proc/sys/net/ipv4/conf/tun1/arp_ignore = 0
/proc/sys/net/ipv4/conf/tun1/rp_filter = 0
/proc/sys/net/ipv4/conf/tun1/log_martians = 1

ARP

? (S.S.S.2) at 92:17:de:1f:18:d3 [ether] on eth0
? (S.S.S.3) at 92:17:de:1f:c4:52 [ether] on eth0
? (S.S.S.1) at 00:00:0c:9f:f0:02 [ether] on eth0

Modules

ip_set 41059 3 ip_set_hash_net,ip_set_hash_ip,xt_set
ip_set_hash_ip 27298 13
ip_set_hash_net 35800 13
iptable_filter 12810 1
iptable_mangle 12695 1
iptable_nat 13011 1
iptable_raw 12678 1
ip_tables 27240 4 iptable_filter,iptable_mangle,iptable_nat,iptable_raw
ipt_ah 12806 0
ipt_CLUSTERIP 13633 0
ipt_ECN 12529 0
ipt_MASQUERADE 12880 0
ipt_REJECT 12541 4
ipt_ULOG 14273 0
nf_conntrack 118412 37 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_helper,ipt_MASQUERADE,nf_conntrack_proto_udplite,nf_nat,xt_state,nf_nat_h323,nf_nat_ipv4,nf_nat_ipv6,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,ipt_CLUSTERIP,nf_conntrack_proto_sctp,nf_conntrack_netlink,ip6table_nat,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,iptable_nat,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_ipv6,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
nf_conntrack_amanda 13041 4 nf_nat_amanda
nf_conntrack_broadcast 12589 2 nf_conntrack_netbios_ns,nf_conntrack_snmp
nf_conntrack_ftp 18638 4 nf_nat_ftp
nf_conntrack_h323 73895 7 nf_nat_h323
nf_conntrack_ipv4 14806 38
nf_conntrack_ipv6 14798 18
nf_conntrack_irc 13518 3 nf_nat_irc
nf_conntrack_netbios_ns 12665 2
nf_conntrack_netlink 40281 0
nf_conntrack_pptp 15061 3 nf_nat_pptp
nf_conntrack_proto_gre 14216 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 18822 0
nf_conntrack_proto_udplite 13281 0
nf_conntrack_sane 13143 3
nf_conntrack_sip 32556 4 nf_nat_sip
nf_conntrack_snmp 12857 3 nf_nat_snmp_basic
nf_conntrack_tftp 13121 4 nf_nat_tftp
nf_defrag_ipv4 12758 2 xt_TPROXY,nf_conntrack_ipv4
nf_defrag_ipv6 34768 2 xt_TPROXY,nf_conntrack_ipv6
nf_nat 21932 14 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,ipt_MASQUERADE,nf_nat_proto_gre,nf_nat_h323,nf_nat_ipv4,nf_nat_ipv6,nf_nat_pptp,nf_nat_tftp,xt_nat,ip6table_nat,iptable_nat
nf_nat_amanda 12491 0
nf_nat_ftp 12770 0
nf_nat_h323 17720 0
nf_nat_ipv4 13263 1 iptable_nat
nf_nat_ipv6 13279 1 ip6table_nat
nf_nat_irc 12723 0
nf_nat_pptp 13115 0
nf_nat_proto_gre 13009 1 nf_nat_pptp
nf_nat_sip 17186 0
nf_nat_snmp_basic 17302 0
nf_nat_tftp 12489 0
xt_addrtype 12635 5
xt_AUDIT 12678 0
xt_CLASSIFY 12507 0
xt_comment 12504 59
xt_connmark 12755 0
xt_conntrack 12760 25
xt_CT 12956 41
xt_dccp 12606 0
xt_dscp 12597 0
xt_DSCP 12629 0
xt_hashlimit 17618 0
xt_helper 12583 0
xt_iprange 12783 0
xt_length 12536 0
xt_limit 12711 3
xt_LOG 17718 34
xt_mac 12492 0
xt_mark 12563 2
xt_multiport 12798 54
xt_nat 12681 2
xt_NFLOG 12537 0
xt_NFQUEUE 12697 0
xt_owner 12534 0
xt_physdev 12587 0
xt_pkttype 12504 0
xt_policy 12582 0
xt_recent 18498 2
xt_sctp 12853 0
xt_set 13181 24
xt_state 12578 0
xt_tcpmss 12501 0
xt_TCPMSS 12664 2
xt_tcpudp 12884 128
xt_time 12661 0
xt_TPROXY 17356 0

Shorewall Lite has detected the following iptables/netfilter capabilities:
   ACCOUNT Target (ACCOUNT_TARGET): Not available
   Address Type Match (ADDRTYPE): Available
   Amanda Helper: Available
   Arptables JF: Not available
   AUDIT Target (AUDIT_TARGET): Available
   Basic Ematch (BASIC_EMATCH): Available
   Basic Filter (BASIC_FILTER): Available
   Capabilities Version (CAPVERSION): 40600
   Checksum Target: Available
   CLASSIFY Target (CLASSIFY_TARGET): Available
   Comments (COMMENTS): Available
   Condition Match (CONDITION_MATCH): Not available
   Connection Tracking Match (CONNTRACK_MATCH): Available
   Connlimit Match (CONNLIMIT_MATCH): Available
   Connmark Match (CONNMARK_MATCH): Available
   CONNMARK Target (CONNMARK): Available
   CT Target (CT_TARGET): Available
   DSCP Match (DSCP_MATCH): Available
   DSCP Target (DSCP_TARGET): Available
   Enhanced Multi-port Match (EMULIPORT): Available
   Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
   Extended Connmark Match (XCONNMARK_MATCH): Available
   Extended CONNMARK Target (XCONNMARK): Available
   Extended MARK Target 2 (EXMARK): Available
   Extended MARK Target (XMARK): Available
   Extended Multi-port Match (XMULIPORT): Available
   Extended REJECT (ENHANCED_REJECT): Available
   FLOW Classifier (FLOW_FILTER): Available
   FTP-0 Helper: Not available
   FTP Helper: Available
   fwmark route mask (FWMARK_RT_MASK): Available
   Geo IP match: Not available
   Goto Support (GOTO_TARGET): Available
   H323 Helper: Available
   Hashlimit Match (HASHLIMIT_MATCH): Available
   Header Match (HEADER_MATCH): Not available
   Helper Match (HELPER_MATCH): Available
   IMQ Target (IMQ_TARGET): Not available
   IPMARK Target (IPMARK_TARGET): Not available
   IPP2P Match (IPP2P_MATCH): Not available
   IP range Match(IPRANGE_MATCH): Available
   Ipset Match Counters (IPSET_MATCH_COUNTERS): Available
   Ipset Match (IPSET_MATCH): Available
   Ipset Match Nomatch (IPSET_MATCH_NOMATCH): Available
   ipset V5 (IPSET_V5): Available
   iptables -S (IPTABLES_S): Available
   IRC-0 Helper: Not available
   IRC Helper: Available
   Kernel Version (KERNELVERSION): 31506
   LOGMARK Target (LOGMARK_TARGET): Not available
   LOG Target (LOG_TARGET): Available
   Mangle FORWARD Chain (MANGLE_FORWARD): Available
   Mark in the filter table (MARK_ANYWHERE): Available
   MARK Target (MARK): Available
   MASQUERADE Target: Available
   Multi-port Match (MULTIPORT): Available
   NAT (NAT_ENABLED): Available
   Netbios_ns Helper: Available
   New tos Match: Available
   NFAcct match: Not available
   NFLOG Target (NFLOG_TARGET): Available
   NFQUEUE Target (NFQUEUE_TARGET): Available
   Owner Match (OWNER_MATCH): Available
   Owner Name Match (OWNER_NAME_MATCH): Available
   Packet length Match (LENGTH_MATCH): Available
   Packet Mangling (MANGLE_ENABLED): Available
   Packet Type Match (USEPKTTYPE): Available
   Persistent SNAT (PERSISTENT_SNAT): Available
   Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
   Physdev Match (PHYSDEV_MATCH): Available
   Policy Match (POLICY_MATCH): Available
   PPTP Helper: Available
   Rawpost Table (RAWPOST_TABLE): Not available
   Raw Table (RAW_TABLE): Available
   Realm Match (REALM_MATCH): Available
   Recent Match "--reap" option (REAP_OPTION): Available
   Recent Match (RECENT_MATCH): Available
   Repeat match (KLUDGEFREE): Available
   RPFilter match: Available
   SANE-0 Helper: Not available
   SANE Helper: Available
   SIP-0 Helper: Not available
   SIP Helper: Available
   SNMP Helper: Available
   Statistic Match (STATISTIC_MATCH): Available
   TCPMSS Match (TCPMSS_MATCH): Available
   TFTP-0 Helper: Not available
   TFTP Helper: Available
   Time Match (TIME_MATCH): Available
   TPROXY Target (TPROXY_TARGET): Available
   UDPLITE Port Redirection: Not available
   ULOG Target (ULOG_TARGET): Available

Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:53         *:*      users:(("dnsmasq",pid=1619,fd=6))
udp   UNCONN 0      0      127.0.0.2:53         *:*      users:(("dnsmasq",pid=1619,fd=4))
udp   UNCONN 0      0      S.S.S.S:123          *:*      users:(("ntpd",pid=1570,fd=20))
udp   UNCONN 0      0      127.0.0.2:123        *:*      users:(("ntpd",pid=1570,fd=19))
udp   UNCONN 0      0      127.0.0.1:123        *:*      users:(("ntpd",pid=1570,fd=18))
udp   UNCONN 0      0      *:123                *:*      users:(("ntpd",pid=1570,fd=16))
udp   UNCONN 0      0      S.S.S.S:1194         *:*      users:(("openvpn",pid=4907,fd=7))
tcp   LISTEN 0      128    127.0.0.1:6013       *:*      users:(("sshd",pid=5145,fd=7))
tcp   LISTEN 0      1      127.0.0.1:1195       *:*      users:(("openvpn",pid=4907,fd=3))
tcp   LISTEN 0      5      127.0.0.1:53         *:*      users:(("dnsmasq",pid=1619,fd=7))
tcp   LISTEN 0      5      127.0.0.2:53         *:*      users:(("dnsmasq",pid=1619,fd=5))
tcp   LISTEN 0      128    S.S.S.S:22           *:*      users:(("sshd",pid=30738,fd=5))
tcp   LISTEN 0      128    127.0.0.1:22         *:*      users:(("sshd",pid=30738,fd=3))
tcp   LISTEN 0      100    127.0.0.2:25         *:*      users:(("master",pid=2608,fd=14))
tcp   LISTEN 0      100    127.0.0.1:25         *:*      users:(("master",pid=2608,fd=13))
tcp   LISTEN 0      128    127.0.0.1:6010       *:*      users:(("sshd",pid=4674,fd=7))
tcp   LISTEN 0      128    127.0.0.1:6011       *:*      users:(("sshd",pid=29595,fd=7))
tcp   LISTEN 0      128    127.0.0.1:6012       *:*      users:(("sshd",pid=30202,fd=7))
tcp   ESTAB  0      0      S.S.S.S:22           C.C.C.C:46051  users:(("sshd",pid=4647,fd=3))

Traffic Control

Device eth0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 10139797 bytes 54330 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0

Device tun1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 8629 bytes 122 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0

TC Filters

Device eth0:

Device tun1:

>> Post the /tmp/status.txt file as an attachment compressed with gzip
>> or bzip2.

What generates that "status.txt" file? I can find no trace of it.

>> Describe where you are trying to make the connection from (IP
>> address) and what host (IP address) you are trying to connect to.

... think I got that already.

> If everything seems to be correct according to these tests but the connection
> doesn't work, it may be that your ISP is blocking SYN,ACK responses.
> This technique allows your ISP to detect when you are running a server
> (usually in violation of your service agreement) and to stop connections to
> that server from being established.

Everything's on 'biz class' static IP. Servers are perfectly fine.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
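Added example, not part of the post above and not Shorewall's own code: a small Python script that reads conntrack entries and a routing table in the form they appear in a "shorewall dump" and says, for each NATted flow, whether the rewrite happened, where the rewritten packet was routed, and whether a reply was ever seen. The three conntrack entries and the "Table main" routes are copied from the dump above (the S.S.S.S / C.C.C.C / X.X.X.X placeholders are kept as opaque tokens, so the S.S.S.0/24 route is left out); the function names are my own. On this data it reports that the port-25 SYN was rewritten to 192.168.1.2, left via tun1, and never got a SYN-ACK back, which is the same thing the net2vpn1 counter (1 packet accepted) and the [UNREPLIED] entry say: the server-side DNAT and forward happened, so the place to look next is the return path on the far side of the tunnel.

```python
"""Read conntrack entries and a routing table as printed by `shorewall dump`
and report where a DNATted flow stalls.  Added example; the sample data below
is copied from the dump in the post above, with its S.S.S.S / C.C.C.C / X.X.X.X
placeholders kept as opaque tokens (they are not real addresses)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Conntrack table from the dump (constructed from the post, not live data).
CONNTRACK = """\
ipv4 2 tcp 6 431921 ESTABLISHED src=C.C.C.C dst=S.S.S.S sport=46051 dport=22 src=S.S.S.S dst=C.C.C.C sport=22 dport=46051 [ASSURED] mark=0 zone=0 use=2
ipv4 2 udp 17 179 src=C.C.C.C dst=S.S.S.S sport=1194 dport=1194 src=S.S.S.S dst=C.C.C.C sport=1194 dport=1194 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 113 SYN_SENT src=X.X.X.X dst=S.S.S.S sport=55981 dport=25 [UNREPLIED] src=192.168.1.2 dst=X.X.X.X sport=25 dport=55981 mark=0 zone=0 use=2
"""

# "Table main" from the dump as (prefix, gateway, device); the S.S.S.0/24
# entry is omitted because its placeholder is not a parsable prefix.
ROUTES = [
    ("10.0.0.0/24", None, "tun1"),
    ("192.168.1.0/24", "10.0.0.2", "tun1"),
    ("192.168.0.0/24", None, "eth0"),
    ("169.254.0.0/16", None, "eth0"),
    ("0.0.0.0/0", "S.S.S.1", "eth0"),    # default via S.S.S.1 dev eth0
]


@dataclass
class Flow:
    proto: str
    state: str                # TCP state word, or "-" for stateless protocols
    orig: dict                # tuple as seen on the way in (pre-NAT)
    reply: dict               # tuple a reply is expected to carry (post-NAT)
    flags: set = field(default_factory=set)


_KV = re.compile(r"(src|dst|sport|dport)=(\S+)")
_FLAG = re.compile(r"\[(\w+)\]")


def parse_conntrack(text: str) -> list:
    """Parse /proc/net/nf_conntrack-style lines into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tok = line.split()
        proto = tok[2]
        state = tok[5] if not tok[5].startswith("src=") else "-"
        tuples, cur = [], {}
        for key, val in _KV.findall(line):
            if key == "src" and cur:          # second src= opens the reply tuple
                tuples.append(cur)
                cur = {}
            cur[key] = val
        tuples.append(cur)
        flows.append(Flow(proto, state, tuples[0], tuples[1],
                          set(_FLAG.findall(line))))
    return flows


def dnat_applied(f: Flow) -> bool:
    """DNAT shows up as orig dst != reply src."""
    return f.orig["dst"] != f.reply["src"]


def snat_applied(f: Flow) -> bool:
    """SNAT/MASQUERADE shows up as orig src != reply dst."""
    return f.orig["src"] != f.reply["dst"]


def route_lookup(dst: str, routes=ROUTES):
    """Longest-prefix match over the routing table; returns (device, gateway)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return (best[2], best[1]) if best else (None, None)


def diagnose(f: Flow) -> str:
    """Classify one flow by how far along the NAT / forward / reply path it got."""
    if "UNREPLIED" in f.flags and dnat_applied(f):
        try:
            dev, _gw = route_lookup(f.reply["src"])   # where the rewritten SYN went
        except ValueError:                             # placeholder, not an address
            dev = None
        return f"dnat-no-reply via {dev}" if dev else "dnat-no-reply"
    if "UNREPLIED" in f.flags:
        return "no-reply"
    if dnat_applied(f) or snat_applied(f):
        return "nat-ok"
    return "established"


def report(text: str = CONNTRACK) -> list:
    """One (dport, verdict) pair per flow, in table order."""
    return [(f.orig["dport"], diagnose(f)) for f in parse_conntrack(text)]


if __name__ == "__main__":
    for dport, verdict in report():
        print(f"dport {dport:>5}: {verdict}")
```

Feed it the "Conntrack Table" and "Table main" sections of a real dump (or `cat /proc/net/nf_conntrack` and `ip route show table main`) in place of the constructed samples; a "dnat-no-reply via tun1" verdict means the rewrite and the forward both happened on this box and the missing SYN-ACK has to be chased on the other end of the tunnel.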
