On Fri, Jul 25, 2014, at 07:40 AM, Tom Eastep wrote:
> ...
Watching that example of stepping through the flow was quite useful; something
to study.
> The configuration on the SERVER is now correct and the issue is on the CLIENT.
OK
> What is the shorewall.conf setting for ROUTE_FILTER on the CLIENT? If it
> is 'Yes' then set it to 'No' and restart Shorewall. If it doesn't work
> after that change, then please run the test again but this time forward
> a dump taken on the CLIENT.
> What is the shorewall.conf setting for ROUTE_FILTER on the CLIENT? If it
> is 'Yes' then set it to 'No' and restart Shorewall.
already
ROUTE_FILTER=No
> If it doesn't work after that change, then please run the test again
> but this time forward a dump taken on the CLIENT.
at CLIENT
shorewall reset
from external
telnet S.S.S.S 25
at CLIENT
shorewall dump
Shorewall Lite 4.6.2.1 Dump at client - Fri Jul 25 10:52:23 PDT 2014
Shorewall Lite is running
State:Started (Fri Jul 25 10:51:33 PDT 2014) from
/usr/local/etc/shorewall/client/ (/var/lib/shorewall-lite/firewall compiled by
Shorewall version 4.6.2.1)
Counters reset Fri Jul 25 10:51:57 PDT 2014
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
24 3022 net2fw all -- eth0 * 0.0.0.0/0 0.0.0.0/0
1 32 lan2fw all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 vpn12fw all -- tun1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "SW:INPUT:REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
13 1417 net_frwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
19 1683 lan_frwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 vpn1_frwd all -- tun1 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "SW:FORWARD:REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
20 2328 fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 fw2lan all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 fw2vpn1 all -- * tun1 0.0.0.0/0 0.0.0.0/0
0 0 fw2fw all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "SW:OUTPUT:REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain Broadcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
1 32 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
Chain Drop (3 references)
pkts bytes target prot opt in out source destination
2 96 all -- * * 0.0.0.0/0 0.0.0.0/0
2 96 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
1 64 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */
Chain Reject (7 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */
Chain dropNotSyn (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
Chain dynamic (6 references)
pkts bytes target prot opt in out source destination
Chain fw2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2lan (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
20 2328 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * C.C.C.C S.S.S.S udp spt:1194
0 0 ACCEPT tcp -- * * C.C.C.C S.S.S.S tcp spt:1194
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:33434:33524 /* Trcrt */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Trcrt */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2vpn1 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain lan2fw (1 references)
pkts bytes target prot opt in out source destination
1 32 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 32 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain lan2net (1 references)
pkts bytes target prot opt in out source destination
19 1683 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:33434:33524 /* Trcrt */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Trcrt */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain lan2vpn1 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "SW:lan2vpn1:REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain lan_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all -- * eth1 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
18 1155 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
19 1683 lan2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 lan2vpn1 all -- * tun1 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix "SW:logdrop:DROP "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix "SW:logreject:REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
9 928 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
9 928 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
15 2094 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * S.S.S.S C.C.C.C udp dpt:1194
0 0 ACCEPT tcp -- * * S.S.S.S C.C.C.C tcp dpt:1194
0 0 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
7 832 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 5/sec burst 100 /* Ping */
2 96 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "SW:net2fw:DROP "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2lan (1 references)
pkts bytes target prot opt in out source destination
13 1417 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 5/sec burst 100 /* Ping */
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "SW:net2lan:DROP "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2vpn1 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 5/sec burst 100 /* Ping */
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "SW:net2vpn1:DROP "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all -- * eth0 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
12 1091 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
13 1417 net2lan all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 net2vpn1 all -- * tun1 0.0.0.0/0 0.0.0.0/0
Chain reject (12 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain sfilter (3 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "SW:sfilter:DROP "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255
Chain smurfs (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
Chain tcpflags (6 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0 flags:0x17/0x02
Chain vpn12fw (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "SW:vpn12fw:REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain vpn12lan (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "SW:vpn12lan:REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain vpn12net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "SW:vpn12net:REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain vpn1_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all -- * tun1 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 vpn12net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 vpn12lan all -- * eth1 0.0.0.0/0 0.0.0.0/0
ARP rules
Chain INPUT (policy ACCEPT 1378 packets, 38584 bytes)
Chain OUTPUT (policy ACCEPT 1322 packets, 37016 bytes)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Log (/var/log/shorewall/shorewall)
NAT Table
Chain PREROUTING (policy ACCEPT 13 packets, 1248 bytes)
pkts bytes target prot opt in out source destination
10 1056 net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 8 packets, 960 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 EXT_IF_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain EXT_IF_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 192.168.1.0/22 0.0.0.0/0 to:C.C.C.C
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 10.0.0.2 multiport dports 25,587 to:192.168.1.2
Mangle Table
Chain PREROUTING (policy ACCEPT 60 packets, 6346 bytes)
pkts bytes target prot opt in out source destination
60 6346 tcpre all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 25 packets, 3054 bytes)
pkts bytes target prot opt in out source destination
25 3054 tcin all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 32 packets, 3100 bytes)
pkts bytes target prot opt in out source destination
32 3100 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK and 0xffffff00
32 3100 tcfor all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 20 packets, 2328 bytes)
pkts bytes target prot opt in out source destination
20 2328 tcout all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 52 packets, 5428 bytes)
pkts bytes target prot opt in out source destination
52 5428 tcpost all -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
Chain tcin (1 references)
pkts bytes target prot opt in out source destination
Chain tcout (1 references)
pkts bytes target prot opt in out source destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
Chain tcpre (1 references)
pkts bytes target prot opt in out source destination
Raw Table
Chain PREROUTING (policy ACCEPT 113 packets, 12047 bytes)
pkts bytes target prot opt in out source destination
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,587 match-set SPAM_NET src CT notrack
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,587 match-set SPAM_NET src
Chain OUTPUT (policy ACCEPT 46 packets, 5491 bytes)
pkts bytes target prot opt in out source destination
Conntrack Table (70 out of 65536)
ipv4 2 udp 17 179 src=C.C.C.C dst=S.S.S.S sport=1194 dport=1194 src=S.S.S.S dst=C.C.C.C sport=1194 dport=1194 [ASSURED] mark=0 zone=0 use=2
ipv4 2 unknown 2 585 src=0.0.0.0 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1 dst=0.0.0.0 mark=0 zone=0 use=2
IP Configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet C.C.C.C/24 brd C.C.C.255 scope global eth0
valid_lft forever preferred_lft forever
6: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
valid_lft forever preferred_lft forever
12: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 100
inet 10.0.0.2/24 brd 10.0.0.255 scope global tun1
valid_lft forever preferred_lft forever
IP Stats
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
166849 1560 0 0 0 0
TX: bytes packets errors dropped carrier collsns
166849 1560 0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 6c:f0:49:de:d7:a6 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
120121417 112651 0 0 0 0
TX: bytes packets errors dropped carrier collsns
10042166 81470 0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether d8:eb:97:b0:a2:f0 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
8904681 72484 0 1 0 0
TX: bytes packets errors dropped carrier collsns
44520424 76676 0 0 0 0
12: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 100
link/none
RX: bytes packets errors dropped overrun mcast
5120 88 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1201 20 0 0 0 0
Bridges
bridge name bridge id STP enabled interfaces
Routing Rules
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Table default:
Table local:
local C.C.C.C dev eth0 proto kernel scope host src C.C.C.C
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.0.0.2 dev tun1 proto kernel scope host src 10.0.0.2
broadcast C.C.C.255 dev eth0 proto kernel scope link src C.C.C.C
broadcast C.C.C.0 dev eth0 proto kernel scope link src C.C.C.C
broadcast 192.168.1.255 dev eth1 proto kernel scope link src 192.168.1.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.0.0.255 dev tun1 proto kernel scope link src 10.0.0.2
broadcast 10.0.0.0 dev tun1 proto kernel scope link src 10.0.0.2
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
C.C.C.0/24 dev eth0 proto kernel scope link src C.C.C.C
10.0.0.0/24 dev tun1 proto kernel scope link src 10.0.0.2
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
192.168.0.0/24 via 10.0.0.1 dev tun1
192.168.1.0/22 dev eth1 proto kernel scope link src 192.168.1.1
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via C.C.C.1 dev eth0
default via 192.168.1.1 dev eth1
Per-IP Counters
No IP Accounting Tables Defined
NF Accounting
No NF Accounting defined (nfacct not found)
Events
PFKEY SPD
No SPD entries.
PFKEY SAD
No SAD entries.
/proc
/proc/version = Linux version 3.15.6-2.gedc5ddf-default (geeko@buildhost) (gcc version 4.8.1 20130909 [gcc-4_8-branch revision 202388] (SUSE Linux) ) #1 SMP Mon Jul 21 15:37:46 UTC 2014 (edc5ddf)
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/default/log_martians = 1
/proc/sys/net/ipv4/conf/dummy0/proxy_arp = 0
/proc/sys/net/ipv4/conf/dummy0/arp_filter = 0
/proc/sys/net/ipv4/conf/dummy0/arp_ignore = 0
/proc/sys/net/ipv4/conf/dummy0/rp_filter = 0
/proc/sys/net/ipv4/conf/dummy0/log_martians = 1
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/log_martians = 1
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
/proc/sys/net/ipv4/conf/eth1/log_martians = 1
/proc/sys/net/ipv4/conf/ip6tnl0/proxy_arp = 0
/proc/sys/net/ipv4/conf/ip6tnl0/arp_filter = 0
/proc/sys/net/ipv4/conf/ip6tnl0/arp_ignore = 0
/proc/sys/net/ipv4/conf/ip6tnl0/rp_filter = 0
/proc/sys/net/ipv4/conf/ip6tnl0/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 1
/proc/sys/net/ipv4/conf/sit0/proxy_arp = 0
/proc/sys/net/ipv4/conf/sit0/arp_filter = 0
/proc/sys/net/ipv4/conf/sit0/arp_ignore = 0
/proc/sys/net/ipv4/conf/sit0/rp_filter = 0
/proc/sys/net/ipv4/conf/sit0/log_martians = 1
/proc/sys/net/ipv4/conf/sit1/proxy_arp = 0
/proc/sys/net/ipv4/conf/sit1/arp_filter = 0
/proc/sys/net/ipv4/conf/sit1/arp_ignore = 0
/proc/sys/net/ipv4/conf/sit1/rp_filter = 0
/proc/sys/net/ipv4/conf/sit1/log_martians = 1
/proc/sys/net/ipv4/conf/tun1/proxy_arp = 0
/proc/sys/net/ipv4/conf/tun1/arp_filter = 0
/proc/sys/net/ipv4/conf/tun1/arp_ignore = 0
/proc/sys/net/ipv4/conf/tun1/rp_filter = 0
/proc/sys/net/ipv4/conf/tun1/log_martians = 1
/proc/sys/net/ipv4/conf/vlan002/proxy_arp = 0
/proc/sys/net/ipv4/conf/vlan002/arp_filter = 0
/proc/sys/net/ipv4/conf/vlan002/arp_ignore = 0
/proc/sys/net/ipv4/conf/vlan002/rp_filter = 0
/proc/sys/net/ipv4/conf/vlan002/log_martians = 1
ARP
? (C.C.C.1) at 00:10:67:00:7a:82 [ether] on eth0
? (192.168.1.2) at 00:26:f2:ac:bf:c2 [ether] on eth1
? (S.S.S.S) at <incomplete> on eth1
? (C.C.C.C) at <incomplete> on eth0
Modules
ip_set 41059 3 ip_set_hash_net,ip_set_hash_ip,xt_set
ip_set_hash_ip 27298 15
ip_set_hash_net 35800 13
iptable_filter 12810 1
iptable_mangle 12695 1
iptable_nat 13011 1
iptable_raw 12678 1
ip_tables 27240 4 iptable_filter,iptable_mangle,iptable_nat,iptable_raw
ipt_ah 12806 0
ipt_CLUSTERIP 13633 0
ipt_ECN 12529 0
ipt_MASQUERADE 12880 0
ipt_REJECT 12541 4
ipt_rpfilter 12546 0
ipt_ULOG 14273 0
ip_tunnel 23809 1 sit
nf_conntrack 114222 38 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_helper,ipt_MASQUERADE,nf_conntrack_proto_udplite,nf_nat,xt_state,xt_connlimit,nf_nat_h323,nf_nat_ipv4,nf_nat_ipv6,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,ipt_CLUSTERIP,nf_conntrack_proto_sctp,nf_conntrack_netlink,ip6table_nat,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,iptable_nat,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_ipv6,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
nf_conntrack_amanda 13041 3 nf_nat_amanda
nf_conntrack_broadcast 12589 2 nf_conntrack_netbios_ns,nf_conntrack_snmp
nf_conntrack_ftp 18638 3 nf_nat_ftp
nf_conntrack_h323 73895 5 nf_nat_h323
nf_conntrack_ipv4 14806 48
nf_conntrack_ipv6 14798 1
nf_conntrack_irc 13518 3 nf_nat_irc
nf_conntrack_netbios_ns 12665 2
nf_conntrack_netlink 40281 0
nf_conntrack_pptp 15061 3 nf_nat_pptp
nf_conntrack_proto_gre 14216 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 18822 0
nf_conntrack_proto_udplite 13281 0
nf_conntrack_sane 13143 2
nf_conntrack_sip 32556 3 nf_nat_sip
nf_conntrack_snmp 12857 3 nf_nat_snmp_basic
nf_conntrack_tftp 13121 3 nf_nat_tftp
nf_defrag_ipv4 12758 2 xt_TPROXY,nf_conntrack_ipv4
nf_defrag_ipv6 34768 2 xt_TPROXY,nf_conntrack_ipv6
nf_nat 21932 14 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,ipt_MASQUERADE,nf_nat_proto_gre,nf_nat_h323,nf_nat_ipv4,nf_nat_ipv6,nf_nat_pptp,nf_nat_tftp,xt_nat,ip6table_nat,iptable_nat
nf_nat_amanda 12491 0
nf_nat_ftp 12770 0
nf_nat_h323 17720 0
nf_nat_ipv4 13263 1 iptable_nat
nf_nat_ipv6 13279 1 ip6table_nat
nf_nat_irc 12723 0
nf_nat_pptp 13115 0
nf_nat_proto_gre 13009 1 nf_nat_pptp
nf_nat_sip 17186 0
nf_nat_snmp_basic 17302 0
nf_nat_tftp 12489 0
xt_addrtype 12635 5
xt_AUDIT 12678 0
xt_CHECKSUM 12549 0
xt_CLASSIFY 12507 0
xt_comment 12504 26
xt_connlimit 12917 0
xt_connmark 12755 0
xt_conntrack 12760 25
xt_CT 12956 32
xt_dccp 12606 0
xt_dscp 12597 0
xt_DSCP 12629 0
xt_hashlimit 17618 0
xt_helper 12583 0
xt_iprange 12783 0
xt_length 12536 0
xt_limit 12711 3
xt_LOG 17718 13
xt_mac 12492 0
xt_mark 12563 1
xt_multiport 12798 12
xt_nat 12681 3
xt_NFLOG 12537 0
xt_NFQUEUE 12697 0
xt_owner 12534 0
xt_physdev 12587 0
xt_pkttype 12504 0
xt_policy 12582 0
xt_realm 12498 0
xt_recent 18498 1
xt_sctp 12853 0
xt_set 13181 20
xt_state 12578 0
xt_statistic 12601 0
xt_tcpmss 12501 0
xt_TCPMSS 12664 1
xt_tcpudp 12884 47
xt_time 12661 0
xt_TPROXY 17356 0
Shorewall Lite has detected the following iptables/netfilter capabilities:
ACCOUNT Target (ACCOUNT_TARGET): Not available
Address Type Match (ADDRTYPE): Available
Amanda Helper: Available
Arptables JF: Not available
AUDIT Target (AUDIT_TARGET): Available
Basic Ematch (BASIC_EMATCH): Available
Basic Filter (BASIC_FILTER): Available
Capabilities Version (CAPVERSION): 40600
Checksum Target: Available
CLASSIFY Target (CLASSIFY_TARGET): Available
Comments (COMMENTS): Available
Condition Match (CONDITION_MATCH): Not available
Connection Tracking Match (CONNTRACK_MATCH): Available
Connlimit Match (CONNLIMIT_MATCH): Available
Connmark Match (CONNMARK_MATCH): Available
CONNMARK Target (CONNMARK): Available
CT Target (CT_TARGET): Available
DSCP Match (DSCP_MATCH): Available
DSCP Target (DSCP_TARGET): Available
Enhanced Multi-port Match (EMULIPORT): Available
Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
Extended Connmark Match (XCONNMARK_MATCH): Available
Extended CONNMARK Target (XCONNMARK): Available
Extended MARK Target 2 (EXMARK): Available
Extended MARK Target (XMARK): Available
Extended Multi-port Match (XMULIPORT): Available
Extended REJECT (ENHANCED_REJECT): Available
FLOW Classifier (FLOW_FILTER): Available
FTP-0 Helper: Not available
FTP Helper: Available
fwmark route mask (FWMARK_RT_MASK): Available
Geo IP match: Not available
Goto Support (GOTO_TARGET): Available
H323 Helper: Available
Hashlimit Match (HASHLIMIT_MATCH): Available
Header Match (HEADER_MATCH): Not available
Helper Match (HELPER_MATCH): Available
IMQ Target (IMQ_TARGET): Not available
IPMARK Target (IPMARK_TARGET): Not available
IPP2P Match (IPP2P_MATCH): Not available
IP range Match(IPRANGE_MATCH): Available
Ipset Match Counters (IPSET_MATCH_COUNTERS): Available
Ipset Match (IPSET_MATCH): Available
Ipset Match Nomatch (IPSET_MATCH_NOMATCH): Available
ipset V5 (IPSET_V5): Available
iptables -S (IPTABLES_S): Available
IRC-0 Helper: Not available
IRC Helper: Available
Kernel Version (KERNELVERSION): 31506
LOGMARK Target (LOGMARK_TARGET): Not available
LOG Target (LOG_TARGET): Available
Mangle FORWARD Chain (MANGLE_FORWARD): Available
Mark in the filter table (MARK_ANYWHERE): Available
MARK Target (MARK): Available
MASQUERADE Target: Available
Multi-port Match (MULTIPORT): Available
NAT (NAT_ENABLED): Available
Netbios_ns Helper: Available
New tos Match: Available
NFAcct match: Not available
NFLOG Target (NFLOG_TARGET): Available
NFQUEUE Target (NFQUEUE_TARGET): Available
Owner Match (OWNER_MATCH): Available
Owner Name Match (OWNER_NAME_MATCH): Available
Packet length Match (LENGTH_MATCH): Available
Packet Mangling (MANGLE_ENABLED): Available
Packet Type Match (USEPKTTYPE): Available
Persistent SNAT (PERSISTENT_SNAT): Available
Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
Physdev Match (PHYSDEV_MATCH): Available
Policy Match (POLICY_MATCH): Available
PPTP Helper: Available
Rawpost Table (RAWPOST_TABLE): Not available
Raw Table (RAW_TABLE): Available
Realm Match (REALM_MATCH): Available
Recent Match "--reap" option (REAP_OPTION): Available
Recent Match (RECENT_MATCH): Available
Repeat match (KLUDGEFREE): Available
RPFilter match: Available
SANE-0 Helper: Not available
SANE Helper: Available
SIP-0 Helper: Not available
SIP Helper: Available
SNMP Helper: Available
Statistic Match (STATISTIC_MATCH): Available
TCPMSS Match (TCPMSS_MATCH): Available
TFTP-0 Helper: Not available
TFTP Helper: Available
Time Match (TIME_MATCH): Available
TPROXY Target (TPROXY_TARGET): Available
UDPLITE Port Redirection: Not available
ULOG Target (ULOG_TARGET): Available
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 C.C.C.C:1194 *:* users:(("openvpn",pid=5548,fd=5))
tcp LISTEN 0 128 127.0.0.1:6010 *:* users:(("sshd",pid=19274,fd=7))
tcp LISTEN 0 128 127.0.0.1:6011 *:* users:(("sshd",pid=15396,fd=7))
tcp LISTEN 0 128 127.0.0.1:6012 *:* users:(("sshd",pid=16873,fd=7))
tcp LISTEN 0 128 127.0.0.1:6013 *:* users:(("sshd",pid=19384,fd=7))
tcp LISTEN 0 1 127.0.0.1:1195 *:* users:(("openvpn",pid=5548,fd=3))
tcp LISTEN 0 128 192.168.1.1:22 *:* users:(("sshd",pid=4233,fd=5))
tcp LISTEN 0 128 127.0.0.1:22 *:* users:(("sshd",pid=4233,fd=4))
Traffic Control
Device eth0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 10042321 bytes 81471 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device eth1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 43907078 bytes 76677 pkt (dropped 0, overlimits 0 requeues 1)
backlog 0b 0p requeues 1
Device tun1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 1201 bytes 20 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
TC Filters
Device eth0:
Device eth1:
Device tun1:
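The counter walk Tom's "stepping through the flow" refers to (reset, run the test, dump, see which counters moved) can be scripted. Added example, not from the post or from Shorewall: it parses the iptables-style chain listings of a dump like the one above, re-joining rows the mail client wrapped, follows non-zero counters from a chain into the user chains it jumps to, and flags chains that received packets but whose own rules all stayed at zero. The embedded sample is a constructed excerpt in the dump's format with counters taken from this post; the function and variable names are mine.

```python
import re
from collections import namedtuple

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) [^)]*|\d+ references)\)$")
# pkts bytes [target] prot opt in out src dst [match text]; no target on match-only rows
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(?:(\S+)\s+)?(\S+)\s+--\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
RULE_START_RE = re.compile(r"^\d+\s+\d+\s")
TABLE_RE = re.compile(r"^(\w+) Table$")
Rule = namedtuple("Rule", "pkts target proto in_if out_if src dst extra")
Chain = namedtuple("Chain", "table name policy rules")  # policy is None for user chains

def unwrap(lines):
    """Re-join rows wrapped by the mail client: a record starts with 'Chain', the column
    header, a table title or two integer counters; '0.0.0.0/0 ctstate ...' is none of those."""
    out = []
    for line in (raw.strip() for raw in lines if raw.strip()):
        starts = line.startswith(("Chain ", "pkts ")) or TABLE_RE.match(line) or RULE_START_RE.match(line)
        if out and not starts:
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def parse_dump(text, default_table="filter"):
    """Parse the chain listings of a shorewall dump, keyed by (table, chain name)."""
    chains, table, current = {}, default_table, None
    for line in unwrap(text.splitlines()):
        if m := TABLE_RE.match(line):
            table = m.group(1).lower()
        elif m := CHAIN_RE.match(line):
            current = Chain(table, m.group(1), m.group(2), [])
            chains[(table, current.name)] = current
        elif (m := RULE_RE.match(line)) and current is not None:
            pkts, _bytes, target, proto, i, o, src, dst, extra = m.groups()
            current.rules.append(Rule(int(pkts), target, proto, i, o, src, dst, extra.strip()))
    return chains

def trace(chains, table, name, depth=0, seen=()):
    """Rules whose counters moved, descending into the user chains they jump to."""
    if (chain := chains.get((table, name))) is None or name in seen:
        return []
    path = []
    for rule in chain.rules:
        if rule.pkts:
            path.append((depth, name, rule))
            if rule.target and (table, rule.target) in chains:
                path += trace(chains, table, rule.target, depth + 1, seen + (name,))
    return path

def unmatched(chains):
    """Chains entered via a jump whose own rules all stayed at zero: the packets got
    there but matched nothing, which is how a bypassed DNAT rule shows up."""
    entered = {}
    for (table, _), chain in chains.items():
        for rule in chain.rules:
            if rule.target and (table, rule.target) in chains:
                entered[(table, rule.target)] = entered.get((table, rule.target), 0) + rule.pkts
    return {k: n for k, n in entered.items() if n and all(r.pkts == 0 for r in chains[k].rules)}

# Constructed excerpt in the format of the dump above (counters as posted,
# rows wrapped the way the mail client wrapped them).
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
24 3022 net2fw all -- eth0 * 0.0.0.0/0
0.0.0.0/0
Chain Drop (3 references)
2 96 all -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2fw (1 references)
15 2094 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 96 Drop all -- * * 0.0.0.0/0
0.0.0.0/0
NAT Table
Chain PREROUTING (policy ACCEPT 13 packets, 1248 bytes)
10 1056 net_dnat all -- eth0 * 0.0.0.0/0
0.0.0.0/0
Chain net_dnat (1 references)
0 0 DNAT tcp -- * * 0.0.0.0/0
10.0.0.2 multiport dports 25,587 to:192.168.1.2
"""
if __name__ == "__main__":
    chains = parse_dump(SAMPLE)
    for depth, chain, r in trace(chains, "filter", "INPUT"):
        print(f"{'  ' * depth}{chain}: {r.pkts} pkts -> {r.target or '(match only)'} {r.extra}")
    for (table, name), n in unmatched(chains).items():
        print(f"{table}/{name}: {n} packets entered the chain but no rule matched")
```

Feed it the filter/NAT/mangle/raw portion of a dump taken after `shorewall reset` and the test; on the sample it reports the nat net_dnat chain as entered by 10 packets with the DNAT rule left at zero.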
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users