Hi Tom -

Thanks for the greased-lightning response again, and here's the dump.

Many thanks - Philip

On 10/01/2017 21:05, Tom Eastep wrote:
> On 01/10/2017 12:50 PM, Philip Le Riche wrote:
> > I'm afraid I'm still struggling with this, though I made a minor
> > breakthrough when I realised I hadn't added a masq rule for the
> > raw interface, and the ppp0 not useable problem has gone away. (It
> > seems I have to connect it with shorewall clear then start
> > shorewall.) Anyway, my home test setup now seems to be working like
> > the school firewall.
>
> > (To recap, Raspberry Pis on zone pinet are accessed by PCs in zone
> > schl using ssh and vnc, and access the Internet via schl and the
> > school gateway. Traceroute traffic (only) from Pis and the firewall
> > is to be routed to a 3rd zone containing a mobile data dongle to
> > give unfiltered Internet access.)
>
> > Traceroute is now routed correctly from the Pis, but on the
> > firewall traceroute reports Send: Operation not permitted. (I have
> > the same rules with pinet and $FW as source to allow traceroute.)
> > Also, web access from both the Pis and the firewall is now broken.
> > However a PC on schl can still access a Pi.
>
> > My providers file is now:
> >
> > #NAME     NUMBER    MARK    DUPLICATE    INTERFACE    GATEWAY        OPTIONS
> > raw       1         1       -            ppp0         -
> > school    2         -       -            eno1         192.168.1.1    primary
>
> > If I add option fallback to provider raw, that fixes web from both
> > the Pis and the firewall but breaks traceroute. (I didn't think it
> > was a good idea but tried it anyway.)
>
> > I've read providers(5) and Multiple Internet Connections several
> > times and spent a good few hours trying to get it to work but there
> > seems to be something that I still haven't correctly understood.
> > Any help would be greatly appreciated.
>
> > For reference, my other relevant shorewall files are:
> >
> > mangle:
> > #ACTION    SOURCE             DEST    PROTO    PORT(S)        SOURCE     USER    TEST
> > #                                                             PORT(S)
> > MARK(1)    enx00e04c534458    -       udp      33434:33523    -          -       -
> > MARK(1)    enx00e04c534458    -       253      -              -          -       -
> > MARK(1)    $FW                -       udp      33434:33523    -          -       -
> > MARK(1)    $FW                -       253      -              -          -       -
>
> > rtrules:
> > #SOURCE            DEST    PROVIDER    PRIORITY    MARK
> > enx00e04c534458    -       raw         11000       1
> > lo                 -       raw         11000       1
>
> > zones:
> > fw       firewall
> > schl     ipv4
> > pinet    ipv4
> > inet     ipv4
>
> > interfaces:
> > schl     eno1               tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> > pinet    enx00e04c534458    tcpflags,nosmurfs,routefilter,logmartians
> > inet     ppp0               tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,optional
>
> Philip,
>
> Please:
>
> a) Set fallback on the raw provider.
> b) Shorewall reload
> c) Try a traceroute from a Pi
> d) 'shorewall dump > dump'
> e) Send me the 'dump' file.
>
> Thanks,
> -Tom
>


Shorewall 5.0.4 Dump at Philip-Desktop - Tue 10 Jan 21:48:24 GMT 2017

Shorewall is running
State:Started (Tue 10 Jan 21:47:05 GMT 2017) from /etc/shorewall/ 
(/var/lib/shorewall/firewall compiled by Shorewall version 5.0.4)

Counters reset Tue 10 Jan 21:47:05 GMT 2017

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
   65  4500 schl-fw    all  --  eno1   *       0.0.0.0/0            0.0.0.0/0   
        
   36  3680 pinet-fw   all  --  enx00e04c534458 *       0.0.0.0/0            
0.0.0.0/0           
    0     0 inet-fw    all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0   
        
    5   404 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         LOG flags 0 level 6 prefix "Shorewall:INPUT:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        [goto] 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    6   612 schl_frwd  all  --  eno1   *       0.0.0.0/0            0.0.0.0/0   
        
   55  3374 pinet_frwd  all  --  enx00e04c534458 *       0.0.0.0/0            
0.0.0.0/0           
    0     0 inet_frwd  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        [goto] 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
   83  6192 fw-schl    all  --  *      eno1    0.0.0.0/0            0.0.0.0/0   
        
   64  4348 ACCEPT     all  --  *      enx00e04c534458  0.0.0.0/0            
0.0.0.0/0           
    0     0 fw-inet    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0   
        
    5   404 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0   
        
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         LOG flags 0 level 6 prefix "Shorewall:OUTPUT:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        [goto] 

Chain Broadcast (2 references)
 pkts bytes target     prot opt in     out     source               destination 
        
   18  1776 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ADDRTYPE match dst-type MULTICAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ADDRTYPE match dst-type ANYCAST

Chain Drop (7 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    6   840            all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    6   840 Broadcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
         icmptype 3 code 4 /* Needed ICMP types */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
         icmptype 11 /* Needed ICMP types */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate INVALID
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         multiport dports 135,445 /* SMB */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpts:137:139 /* SMB */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp spt:137 dpts:1024:65535 /* SMB */
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         multiport dports 135,139,445 /* SMB */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:1900 /* UPnP */
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         tcp flags:!0x17/0x02
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp spt:53 /* Late DNS Replies */

Chain Reject (6 references)
 pkts bytes target     prot opt in     out     source               destination 
        
   13   996            all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
   13   996 Broadcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
         icmptype 3 code 4 /* Needed ICMP types */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
         icmptype 11 /* Needed ICMP types */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate INVALID
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         multiport dports 135,445 /* SMB */
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpts:137:139 /* SMB */
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp spt:137 dpts:1024:65535 /* SMB */
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         multiport dports 135,139,445 /* SMB */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:1900 /* UPnP */
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         tcp flags:!0x17/0x02
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp spt:53 /* Late DNS Replies */

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination 
        

Chain fw-inet (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpts:33434:33523
    0     0 ACCEPT     253  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         LOG flags 0 level 6 prefix "Shorewall:fw-inet:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        [goto] 

Chain fw-schl (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
   65  4901 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         multiport dports 80,443 /* Web */
    5   295 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:123
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
         icmptype 8 /* Ping */
   13   996 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    1    60 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         LOG flags 0 level 6 prefix "Shorewall:fw-schl:REJECT:"
    1    60 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        [goto] 

Chain inet-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate INVALID,NEW,UNTRACKED
    0     0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate INVALID,NEW,UNTRACKED
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate RELATED,ESTABLISHED
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        

Chain inet_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate INVALID,NEW,UNTRACKED
    0     0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate INVALID,NEW,UNTRACKED
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 ~comb0     all  --  *      eno1    0.0.0.0/0            0.0.0.0/0   
        
    0     0 ~comb0     all  --  *      enx00e04c534458  0.0.0.0/0            
0.0.0.0/0           

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        

Chain logflags (7 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        

Chain pinet-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate INVALID,NEW,UNTRACKED
    0     0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate INVALID,NEW,UNTRACKED
   36  3680 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
   36  3680 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         multiport dports 135,445 /* SMBBI */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpts:137:139 /* SMBBI */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp spt:137 dpts:1024:65535 /* SMBBI */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         multiport dports 135,139,445 /* SMBBI */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
         icmptype 8 /* Ping */
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         LOG flags 0 level 6 prefix "Shorewall:pinet-fw:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        [goto] 

Chain pinet-inet (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate RELATED,ESTABLISHED
   48  2880 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpts:33434:33523
    0     0 ACCEPT     253  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        

Chain pinet-schl (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         multiport dports 80,443 /* Web */
    4   304 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:123
    3   190 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.1 
         ctorigdst 192.168.2.254 udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1 
         ctorigdst 192.168.2.254 tcp dpt:53
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        

Chain pinet_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
   55  3374 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate INVALID,NEW,UNTRACKED
   55  3374 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate INVALID,NEW,UNTRACKED
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    7   494 pinet-schl  all  --  *      eno1    0.0.0.0/0            0.0.0.0/0  
         
   48  2880 pinet-inet  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0  
         

Chain reject (11 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ADDRTYPE match src-type BROADCAST
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0   
        
    0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         reject-with tcp-reset
    1    60 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
         reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         reject-with icmp-host-prohibited

Chain schl-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    6   840 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate INVALID,NEW,UNTRACKED
    6   840 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate INVALID,NEW,UNTRACKED
   50  2930 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
   59  3660 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         multiport dports 22,80
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
         icmptype 8 /* Ping */
    6   840 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         LOG flags 0 level 6 prefix "Shorewall:schl-fw:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        

Chain schl-inet (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate RELATED,ESTABLISHED
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         LOG flags 0 level 6 prefix "Shorewall:schl-inet:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        

Chain schl-pinet (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    6   612 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.1 
         ctorigdst 192.168.1.31 multiport dports 5900:5909,22,80,8080:8081 /* 
Pi */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.2 
         ctorigdst 192.168.1.32 multiport dports 5900:5909,22,80,8080:8081 /* 
Pi */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.3 
         ctorigdst 192.168.1.33 multiport dports 5900:5909,22,80,8080:8081 /* 
Pi */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.4 
         ctorigdst 192.168.1.34 multiport dports 5900:5909,22,80,8080:8081 /* 
Pi */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.5 
         ctorigdst 192.168.1.35 multiport dports 5900:5909,22,80,8080:8081 /* 
Pi */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.6 
         ctorigdst 192.168.1.36 multiport dports 5900:5909,22,80,8080:8081 /* 
Pi */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.7 
         ctorigdst 192.168.1.37 multiport dports 5900:5909,22,80,8080:8081 /* 
Pi */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.8 
         ctorigdst 192.168.1.38 multiport dports 5900:5909,22,80,8080:8081 /* 
Pi */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.9 
         ctorigdst 192.168.1.39 multiport dports 5900:5909,22,80,8080:8081 /* 
Pi */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            
192.168.2.10         ctorigdst 192.168.1.40 multiport dports 
5900:5909,22,80,8080:8081 /* Pi */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            
192.168.2.11         ctorigdst 192.168.1.41 multiport dports 
5900:5909,22,80,8080:8081 /* Pi */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            
192.168.2.12         ctorigdst 192.168.1.42 multiport dports 
5900:5909,22,80,8080:8081 /* Pi */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            
192.168.2.13         ctorigdst 192.168.1.43 multiport dports 
5900:5909,22,80,8080:8081 /* Pi */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            
192.168.2.14         ctorigdst 192.168.1.44 multiport dports 
5900:5909,22,80,8080:8081 /* Pi */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            
192.168.2.15         ctorigdst 192.168.1.45 multiport dports 
5900:5909,22,80,8080:8081 /* Pi */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            
192.168.2.16         ctorigdst 192.168.1.46 multiport dports 
5900:5909,22,80,8080:8081 /* Pi */
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         LOG flags 0 level 6 prefix "Shorewall:schl-pinet:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        

Chain schl_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate INVALID,NEW,UNTRACKED
    0     0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate INVALID,NEW,UNTRACKED
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    6   612 schl-pinet  all  --  *      enx00e04c534458  0.0.0.0/0            
0.0.0.0/0           
    0     0 schl-inet  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0   
        

Chain sha-lh-75d25428073b55a933dd (0 references)
 pkts bytes target     prot opt in     out     source               destination 
        

Chain sha-rh-e2a18a37ef42a594e8aa (0 references)
 pkts bytes target     prot opt in     out     source               destination 
        

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255

Chain smurflog (2 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         LOG flags 0 level 6 prefix "Shorewall:smurfs:DROP:"
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        

Chain smurfs (6 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 RETURN     all  --  *      *       0.0.0.0              0.0.0.0/0   
        
    0     0 smurflog   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        [goto]  ADDRTYPE match src-type BROADCAST
    0     0 smurflog   all  --  *      *       224.0.0.0/4          0.0.0.0/0   
        [goto] 

Chain tcpflags (6 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
        [goto]  tcp flags:0x3F/0x29
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
        [goto]  tcp flags:0x3F/0x00
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
        [goto]  tcp flags:0x06/0x06
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
        [goto]  tcp flags:0x05/0x05
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
        [goto]  tcp flags:0x03/0x03
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
        [goto]  tcp flags:0x19/0x09
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
        [goto]  tcp spt:0 flags:0x17/0x02

Chain ~comb0 (2 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         ctstate RELATED,ESTABLISHED
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        

Log (/var/log/messages)

Jan 10 21:47:47 Philip-Desktop vmunix: Shorewall:fw-schl:REJECT:IN= OUT=eno1 SRC=192.168.1.2 DST=191.239.213.197 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=47188 PROTO=UDP SPT=43813 DPT=33434 LEN=40 MARK=0x1

NAT Table

Chain PREROUTING (policy ACCEPT 61 packets, 4204 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    6   840 schl_dnat  all  --  eno1   *       0.0.0.0/0            0.0.0.0/0   
        
   57  3495 pinet_dnat  all  --  enx00e04c534458 *       0.0.0.0/0            
0.0.0.0/0           

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        

Chain OUTPUT (policy ACCEPT 18 packets, 1291 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        

Chain POSTROUTING (policy ACCEPT 5 packets, 295 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    6   435 SNAT       all  --  *      eno1    192.168.2.0/24       0.0.0.0/0   
         to:192.168.1.2
   48  2880 ppp0_masq  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0   
        

Chain pinet_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    2   131 DNAT       udp  --  *      *       0.0.0.0/0            
192.168.2.254        udp dpt:53 to:192.168.1.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.2.254        tcp dpt:53 to:192.168.1.1

Chain ppp0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
   48  2880 SNAT       all  --  *      *       192.168.2.0/24       0.0.0.0/0   
         to:10.172.8.122

Chain schl_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.1.31         multiport dports 5900:5909,22,80,8080:8081 /* Pi */ 
to:192.168.2.1
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.1.32         multiport dports 5900:5909,22,80,8080:8081 /* Pi */ 
to:192.168.2.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.1.33         multiport dports 5900:5909,22,80,8080:8081 /* Pi */ 
to:192.168.2.3
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.1.34         multiport dports 5900:5909,22,80,8080:8081 /* Pi */ 
to:192.168.2.4
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.1.35         multiport dports 5900:5909,22,80,8080:8081 /* Pi */ 
to:192.168.2.5
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.1.36         multiport dports 5900:5909,22,80,8080:8081 /* Pi */ 
to:192.168.2.6
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.1.37         multiport dports 5900:5909,22,80,8080:8081 /* Pi */ 
to:192.168.2.7
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.1.38         multiport dports 5900:5909,22,80,8080:8081 /* Pi */ 
to:192.168.2.8
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.1.39         multiport dports 5900:5909,22,80,8080:8081 /* Pi */ 
to:192.168.2.9
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.1.40         multiport dports 5900:5909,22,80,8080:8081 /* Pi */ 
to:192.168.2.10
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.1.41         multiport dports 5900:5909,22,80,8080:8081 /* Pi */ 
to:192.168.2.11
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.1.42         multiport dports 5900:5909,22,80,8080:8081 /* Pi */ 
to:192.168.2.12
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.1.43         multiport dports 5900:5909,22,80,8080:8081 /* Pi */ 
to:192.168.2.13
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.1.44         multiport dports 5900:5909,22,80,8080:8081 /* Pi */ 
to:192.168.2.14
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.1.45         multiport dports 5900:5909,22,80,8080:8081 /* Pi */ 
to:192.168.2.15
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            
192.168.1.46         multiport dports 5900:5909,22,80,8080:8081 /* Pi */ 
to:192.168.2.16

Mangle Table

Chain PREROUTING (policy ACCEPT 190 packets, 14822 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
  190 14822 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         CONNMARK restore mask 0xff
   20  2072 routemark  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0   
         mark match 0x0/0xff
   13  1536 routemark  all  --  eno1   *       0.0.0.0/0            0.0.0.0/0   
         mark match 0x0/0xff
   99  7638 tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         mark match 0x0/0xff

Chain INPUT (policy ACCEPT 106 packets, 8584 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        

Chain FORWARD (policy ACCEPT 61 packets, 3986 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
   61  3986 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         MARK and 0xffffff00

Chain OUTPUT (policy ACCEPT 152 packets, 10944 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
  152 10944 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         CONNMARK restore mask 0xff
   87  6043 tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         mark match 0x0/0xff

Chain POSTROUTING (policy ACCEPT 200 packets, 13934 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        

Chain routemark (2 references)
 pkts bytes target     prot opt in     out     source               destination 
        
   20  2072 MARK       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0   
         MARK xset 0x1/0xff
   13  1536 MARK       all  --  eno1   *       0.0.0.0/0            0.0.0.0/0   
         MARK xset 0x2/0xff
   33  3608 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
         mark match ! 0x0/0xff CONNMARK save mask 0xff

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
    1    60 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpts:33434:33523 MARK set 0x1
    0     0 MARK       253  --  *      *       0.0.0.0/0            0.0.0.0/0   
         MARK set 0x1

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination 
        
   51  3060 MARK       udp  --  enx00e04c534458 *       0.0.0.0/0            
0.0.0.0/0            udp dpts:33434:33523 MARK set 0x1
    0     0 MARK       253  --  enx00e04c534458 *       0.0.0.0/0            
0.0.0.0/0            MARK set 0x1

Raw Table

Chain PREROUTING (policy ACCEPT 190 packets, 14822 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:10080 CT helper amanda
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         tcp dpt:21 CT helper ftp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:1719 CT helper RAS
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         tcp dpt:1720 CT helper Q.931
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         tcp dpt:6667 CT helper irc
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:137 CT helper netbios-ns
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         tcp dpt:1723 CT helper pptp
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         tcp dpt:6566 CT helper sane
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:5060 CT helper sip
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:161 CT helper snmp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:69 CT helper tftp

Chain OUTPUT (policy ACCEPT 152 packets, 10944 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:10080 CT helper amanda
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         tcp dpt:21 CT helper ftp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:1719 CT helper RAS
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         tcp dpt:1720 CT helper Q.931
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         tcp dpt:6667 CT helper irc
   12   936 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:137 CT helper netbios-ns
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         tcp dpt:1723 CT helper pptp
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         tcp dpt:6566 CT helper sane
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:5060 CT helper sip
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:161 CT helper snmp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
         udp dpt:69 CT helper tftp

Conntrack Table (21 out of 262144)


IP Configuration

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group 
default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP 
group default qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eno1
       valid_lft forever preferred_lft forever
    inet 192.168.1.30/24 brd 192.168.1.255 scope global secondary eno1
       valid_lft forever preferred_lft forever
    inet 192.168.1.31/24 brd 192.168.1.255 scope global secondary eno1
       valid_lft forever preferred_lft forever
    inet 192.168.1.32/24 brd 192.168.1.255 scope global secondary eno1
       valid_lft forever preferred_lft forever
    inet 192.168.1.33/24 brd 192.168.1.255 scope global secondary eno1
       valid_lft forever preferred_lft forever
    inet 192.168.1.34/24 brd 192.168.1.255 scope global secondary eno1
       valid_lft forever preferred_lft forever
    inet 192.168.1.35/24 brd 192.168.1.255 scope global secondary eno1
       valid_lft forever preferred_lft forever
    inet 192.168.1.36/24 brd 192.168.1.255 scope global secondary eno1
       valid_lft forever preferred_lft forever
    inet 192.168.1.37/24 brd 192.168.1.255 scope global secondary eno1
       valid_lft forever preferred_lft forever
    inet 192.168.1.38/24 brd 192.168.1.255 scope global secondary eno1
       valid_lft forever preferred_lft forever
    inet 192.168.1.39/24 brd 192.168.1.255 scope global secondary eno1
       valid_lft forever preferred_lft forever
    inet 192.168.1.40/24 brd 192.168.1.255 scope global secondary eno1
       valid_lft forever preferred_lft forever
3: enx00e04c534458: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UP group default qlen 1000
    inet 192.168.2.254/24 brd 192.168.2.255 scope global enx00e04c534458
       valid_lft forever preferred_lft forever
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UNKNOWN group default qlen 3
    inet 10.172.8.122/32 brd 10.172.8.122 scope global ppp0
       valid_lft forever preferred_lft forever

IP Stats

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode 
DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast   
    103883     1117     0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    103883     1117     0       0       0       0       
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP 
mode DEFAULT group default qlen 1000
    link/ether 00:22:4d:55:6e:84 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    4781458    6397     0       1       0       45      
    TX: bytes  packets  errors  dropped carrier collsns 
    612836     5986     0       0       0       0       
3: enx00e04c534458: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UP mode DEFAULT group default qlen 1000
    link/ether 00:e0:4c:53:44:58 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    45218      475      0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    59234      580      0       0       0       0       
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UNKNOWN mode DEFAULT group default qlen 3
    link/ppp 
    RX: bytes  packets  errors  dropped overrun mcast   
    3834       47       0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    5301       103      0       0       0       0       

Routing Rules

0:      from all lookup local 
999:    from all lookup main 
10000:  from all fwmark 0x1/0xff lookup raw 
10001:  from all fwmark 0x2/0xff lookup school 
11000:  from all fwmark 0x1/0xff iif enx00e04c534458 lookup raw 
11000:  from all fwmark 0x1/0xff iif lo lookup raw 
20000:  from 10.172.8.122 lookup raw 
20000:  from 192.168.1.2 lookup school 
20000:  from 192.168.1.30 lookup school 
20000:  from 192.168.1.31 lookup school 
20000:  from 192.168.1.32 lookup school 
20000:  from 192.168.1.33 lookup school 
20000:  from 192.168.1.34 lookup school 
20000:  from 192.168.1.35 lookup school 
20000:  from 192.168.1.36 lookup school 
20000:  from 192.168.1.37 lookup school 
20000:  from 192.168.1.38 lookup school 
20000:  from 192.168.1.39 lookup school 
20000:  from 192.168.1.40 lookup school 
32765:  from all lookup balance 
32767:  from all lookup default 

Table balance:

default via 192.168.1.1 dev eno1

Table default:

default dev ppp0 scope link metric 1

Table local:

local 192.168.2.254 dev enx00e04c534458 proto kernel scope host src 
192.168.2.254
local 192.168.1.40 dev eno1 proto kernel scope host src 192.168.1.2
local 192.168.1.39 dev eno1 proto kernel scope host src 192.168.1.2
local 192.168.1.38 dev eno1 proto kernel scope host src 192.168.1.2
local 192.168.1.37 dev eno1 proto kernel scope host src 192.168.1.2
local 192.168.1.36 dev eno1 proto kernel scope host src 192.168.1.2
local 192.168.1.35 dev eno1 proto kernel scope host src 192.168.1.2
local 192.168.1.34 dev eno1 proto kernel scope host src 192.168.1.2
local 192.168.1.33 dev eno1 proto kernel scope host src 192.168.1.2
local 192.168.1.32 dev eno1 proto kernel scope host src 192.168.1.2
local 192.168.1.31 dev eno1 proto kernel scope host src 192.168.1.2
local 192.168.1.30 dev eno1 proto kernel scope host src 192.168.1.2
local 192.168.1.2 dev eno1 proto kernel scope host src 192.168.1.2
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.172.8.122 dev ppp0 proto kernel scope host src 10.172.8.122
broadcast 192.168.2.255 dev enx00e04c534458 proto kernel scope link src 
192.168.2.254
broadcast 192.168.2.0 dev enx00e04c534458 proto kernel scope link src 
192.168.2.254
broadcast 192.168.1.255 dev eno1 proto kernel scope link src 192.168.1.2
broadcast 192.168.1.0 dev eno1 proto kernel scope link src 192.168.1.2
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.172.8.122 dev ppp0 proto kernel scope link src 10.172.8.122
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

Table main:

192.168.1.1 dev eno1 scope link src 192.168.1.2
192.168.2.0/24 dev enx00e04c534458 proto kernel scope link src 192.168.2.254 
metric 100
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.2 metric 100
169.254.0.0/16 dev eno1 scope link metric 1000

Table raw:

default dev ppp0 scope link

Table school:

192.168.1.1 dev eno1 scope link src 192.168.1.2
default via 192.168.1.1 dev eno1 src 192.168.1.2

Per-IP Counters

   iptaccount is not installed

NF Accounting

No NF Accounting defined (nfacct not found)

Events


/proc

   /proc/version = Linux version 4.4.0-34-generic (buildd@lgw01-20) (gcc 
version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2.1) ) #53-Ubuntu SMP Wed Jul 27 
16:06:39 UTC 2016
   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/arp_ignore = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 0
   /proc/sys/net/ipv4/conf/all/log_martians = 0
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/arp_ignore = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 0
   /proc/sys/net/ipv4/conf/default/log_martians = 1
   /proc/sys/net/ipv4/conf/eno1/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eno1/arp_filter = 0
   /proc/sys/net/ipv4/conf/eno1/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eno1/rp_filter = 1
   /proc/sys/net/ipv4/conf/eno1/log_martians = 1
   /proc/sys/net/ipv4/conf/enx00e04c534458/proxy_arp = 0
   /proc/sys/net/ipv4/conf/enx00e04c534458/arp_filter = 0
   /proc/sys/net/ipv4/conf/enx00e04c534458/arp_ignore = 0
   /proc/sys/net/ipv4/conf/enx00e04c534458/rp_filter = 1
   /proc/sys/net/ipv4/conf/enx00e04c534458/log_martians = 1
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 0
   /proc/sys/net/ipv4/conf/lo/log_martians = 1
   /proc/sys/net/ipv4/conf/ppp0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/ppp0/arp_filter = 0
   /proc/sys/net/ipv4/conf/ppp0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/ppp0/rp_filter = 1
   /proc/sys/net/ipv4/conf/ppp0/log_martians = 1

ARP

? (192.168.1.1) at 00:24:a5:bd:a2:68 [ether] on eno1
? (192.168.1.104) at d8:49:2f:88:2b:d5 [ether] on eno1
? (192.168.2.3) at b8:27:eb:38:33:c2 [ether] on enx00e04c534458

Modules

iptable_filter         16384  1
iptable_mangle         16384  1
iptable_nat            16384  1
iptable_raw            16384  1
ip_tables              24576  4 
iptable_filter,iptable_mangle,iptable_nat,iptable_raw
ipt_REJECT             16384  4
nf_conntrack          106496  29 
nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,nf_conntrack_proto_udplite,nf_nat,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,nf_conntrack_proto_sctp,nf_conntrack_netlink,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
nf_conntrack_amanda    16384  3 nf_nat_amanda
nf_conntrack_broadcast    16384  2 nf_conntrack_netbios_ns,nf_conntrack_snmp
nf_conntrack_ftp       20480  3 nf_nat_ftp
nf_conntrack_h323      77824  5 nf_nat_h323
nf_conntrack_ipv4      16384  68
nf_conntrack_irc       16384  3 nf_nat_irc
nf_conntrack_netbios_ns    16384  2
nf_conntrack_netlink    40960  0
nf_conntrack_pptp      20480  3 nf_nat_pptp
nf_conntrack_proto_gre    16384  1 nf_conntrack_pptp
nf_conntrack_proto_sctp    20480  0
nf_conntrack_proto_udplite    16384  0
nf_conntrack_sane      16384  2
nf_conntrack_sip       28672  3 nf_nat_sip
nf_conntrack_snmp      16384  3 nf_nat_snmp_basic
nf_conntrack_tftp      16384  3 nf_nat_tftp
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nf_log_common          16384  1 nf_log_ipv4
nf_log_ipv4            16384  11
nf_nat                 24576  10 
nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,nf_nat_proto_gre,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_nat
nf_nat_amanda          16384  0
nf_nat_ftp             16384  0
nf_nat_h323            20480  0
nf_nat_ipv4            16384  1 iptable_nat
nf_nat_irc             16384  0
nf_nat_pptp            16384  0
nf_nat_proto_gre       16384  1 nf_nat_pptp
nf_nat_sip             20480  0
nf_nat_snmp_basic      20480  0
nf_nat_tftp            16384  0
nf_reject_ipv4         16384  1 ipt_REJECT
xt_addrtype            16384  5
xt_comment             16384  57
xt_connmark            16384  3
xt_conntrack           16384  42
xt_CT                  16384  22
xt_LOG                 16384  11
xt_mark                16384  12
xt_multiport           16384  41
xt_nat                 16384  20
xt_NFLOG               16384  0
xt_recent              20480  1
xt_TCPMSS              16384  1
xt_tcpudp              16384  54

Shorewall has detected the following iptables/netfilter capabilities:
   ACCOUNT Target (ACCOUNT_TARGET): Not available
   Address Type Match (ADDRTYPE): Available
   Amanda Helper: Available
   Arptables JF (ARPTABLESJF): Not available
   AUDIT Target (AUDIT_TARGET): Available
   Basic Ematch (BASIC_EMATCH): Available
   Basic Filter (BASIC_FILTER): Available
   Capabilities Version (CAPVERSION): 50004
   Checksum Target (CHECKSUM_TARGET): Available
   CLASSIFY Target (CLASSIFY_TARGET): Available
   Comments (COMMENTS): Available
   Condition Match (CONDITION_MATCH): Not available
   Connection Tracking Match (CONNTRACK_MATCH): Available
   Connlimit Match (CONNLIMIT_MATCH): Available
   Connmark Match (CONNMARK_MATCH): Available
   CONNMARK Target (CONNMARK): Available
   CT Target (CT_TARGET): Available
   DSCP Match (DSCP_MATCH): Available
   DSCP Target (DSCP_TARGET): Available
   Enhanced Multi-port Match (EMULIPORT): Available
   Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
   Extended Connmark Match (XCONNMARK_MATCH): Available
   Extended CONNMARK Target (XCONNMARK): Available
   Extended MARK Target 2 (EXMARK): Available
   Extended MARK Target (XMARK): Available
   Extended Multi-port Match (XMULIPORT): Available
   Extended REJECT (ENHANCED_REJECT): Available
   FLOW Classifier (FLOW_FILTER): Available
   FTP-0 Helper: Not available
   FTP Helper: Available
   fwmark route mask (FWMARK_RT_MASK): Available
   Geo IP Match (GEOIP_MATCH): Not available
   Goto Support (GOTO_TARGET): Available
   H323 Helper: Available
   Hashlimit Match (HASHLIMIT_MATCH): Available
   Header Match (HEADER_MATCH): Not available
   Helper Match (HELPER_MATCH): Available
   Iface Match (IFACE_MATCH): Not available
   IMQ Target (IMQ_TARGET): Not available
   IPMARK Target (IPMARK_TARGET): Not available
   IPP2P Match (IPP2P_MATCH): Not available
   IP range Match(IPRANGE_MATCH): Available
   ipset V5 (IPSET_V5): Not available
   iptables -S (IPTABLES_S): Available
   iptables --wait option (WAIT_OPTION): Available
   IRC-0 Helper: Not available
   IRC Helper: Available
   Kernel Version (KERNELVERSION): 40400
   LOGMARK Target (LOGMARK_TARGET): Not available
   LOG Target (LOG_TARGET): Available
   Mangle FORWARD Chain (MANGLE_FORWARD): Available
   Mark in the filter table (MARK_ANYWHERE): Available
   MARK Target (MARK): Available
   MASQUERADE Target (MASQUERADE_TGT): Available
   Multi-port Match (MULTIPORT): Available
   NAT (NAT_ENABLED): Available
   Netbios_ns Helper: Available
   New tos Match (NEW_TOS_MATCH): Available
   NFAcct Match: Not available
   NFLOG Target (NFLOG_TARGET): Available
   NFQUEUE Target (NFQUEUE_TARGET): Available
   Owner Match (OWNER_MATCH): Available
   Owner Name Match (OWNER_NAME_MATCH): Available
   Packet length Match (LENGTH_MATCH): Available
   Packet Mangling (MANGLE_ENABLED): Available
   Packet Type Match (USEPKTTYPE): Available
   Persistent SNAT (PERSISTENT_SNAT): Available
   Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
   Physdev Match (PHYSDEV_MATCH): Available
   Policy Match (POLICY_MATCH): Available
   PPTP Helper: Available
   Rawpost Table (RAWPOST_TABLE): Not available
   Raw Table (RAW_TABLE): Available
   Realm Match (REALM_MATCH): Available
   Recent Match "--reap" option (REAP_OPTION): Available
   Recent Match (RECENT_MATCH): Available
   Repeat match (KLUDGEFREE): Available
   RPFilter Match (RPFILTER_MATCH): Available
   SANE-0 Helper: Not available
   SANE Helper: Available
   SIP-0 Helper: Not available
   SIP Helper: Available
   SNMP Helper: Available
   Statistic Match (STATISTIC_MATCH): Available
   TARPIT Target (TARPIT_TARGET): Not available
   TCPMSS Match (TCPMSS_MATCH): Available
   TCPMSS Target (TCPMSS_TARGET): Available
   TFTP-0 Helper: Not available
   TFTP Helper: Available
   Time Match (TIME_MATCH): Available
   TPROXY Target (TPROXY_TARGET): Available
   UDPLITE Port Redirection (UDPLITEREDIRECT): Not available
   ULOG Target (ULOG_TARGET): Not available

Netid  State      Recv-Q Send-Q Local Address:Port               Peer 
Address:Port              
udp    UNCONN     0      0         *:5353                  *:*                  
 users:(("avahi-daemon",pid=796,fd=12))
udp    UNCONN     0      0         *:7970                  *:*                  
 users:(("dhcpd",pid=3313,fd=20))
udp    UNCONN     0      0      127.0.1.1:53                    *:*             
      users:(("dnsmasq",pid=1127,fd=4))
udp    UNCONN     0      0         *:67                    *:*                  
 users:(("dhcpd",pid=3313,fd=7))
udp    UNCONN     0      0      10.172.8.122:123                   *:*          
         users:(("ntpd",pid=4056,fd=32))
udp    UNCONN     0      0      192.168.2.254:123                   *:*         
          users:(("ntpd",pid=4056,fd=31))
udp    UNCONN     0      0      192.168.1.40:123                   *:*          
         users:(("ntpd",pid=4056,fd=30))
udp    UNCONN     0      0      192.168.1.39:123                   *:*          
         users:(("ntpd",pid=4056,fd=29))
udp    UNCONN     0      0      192.168.1.38:123                   *:*          
         users:(("ntpd",pid=4056,fd=28))
udp    UNCONN     0      0      192.168.1.37:123                   *:*          
         users:(("ntpd",pid=4056,fd=27))
udp    UNCONN     0      0      192.168.1.36:123                   *:*          
         users:(("ntpd",pid=4056,fd=26))
udp    UNCONN     0      0      192.168.1.35:123                   *:*          
         users:(("ntpd",pid=4056,fd=25))
udp    UNCONN     0      0      192.168.1.34:123                   *:*          
         users:(("ntpd",pid=4056,fd=24))
udp    UNCONN     0      0      192.168.1.33:123                   *:*          
         users:(("ntpd",pid=4056,fd=23))
udp    UNCONN     0      0      192.168.1.32:123                   *:*          
         users:(("ntpd",pid=4056,fd=22))
udp    UNCONN     0      0      192.168.1.31:123                   *:*          
         users:(("ntpd",pid=4056,fd=21))
udp    UNCONN     0      0      192.168.1.30:123                   *:*          
         users:(("ntpd",pid=4056,fd=20))
udp    UNCONN     0      0      192.168.1.2:123                   *:*           
        users:(("ntpd",pid=4056,fd=19))
udp    UNCONN     0      0      127.0.0.1:123                   *:*             
      users:(("ntpd",pid=4056,fd=18))
udp    UNCONN     0      0         *:123                   *:*                  
 users:(("ntpd",pid=4056,fd=17))
udp    UNCONN     0      0      192.168.2.255:137                   *:*         
          users:(("nmbd",pid=2037,fd=68))
udp    UNCONN     0      0      192.168.2.254:137                   *:*         
          users:(("nmbd",pid=2037,fd=67))
udp    UNCONN     0      0      192.168.1.255:137                   *:*         
          users:(("nmbd",pid=2037,fd=63))
udp    UNCONN     0      0      192.168.1.2:137                   *:*           
        users:(("nmbd",pid=2037,fd=62))
udp    UNCONN     0      0      192.168.1.255:137                   *:*         
          users:(("nmbd",pid=2037,fd=59))
udp    UNCONN     0      0      192.168.1.30:137                   *:*          
         users:(("nmbd",pid=2037,fd=58))
udp    UNCONN     0      0      192.168.1.255:137                   *:*         
          users:(("nmbd",pid=2037,fd=55))
udp    UNCONN     0      0      192.168.1.31:137                   *:*          
         users:(("nmbd",pid=2037,fd=54))
udp    UNCONN     0      0      192.168.1.255:137                   *:*         
          users:(("nmbd",pid=2037,fd=51))
udp    UNCONN     0      0      192.168.1.32:137                   *:*          
         users:(("nmbd",pid=2037,fd=50))
udp    UNCONN     0      0      192.168.1.255:137                   *:*         
          users:(("nmbd",pid=2037,fd=47))
udp    UNCONN     0      0      192.168.1.33:137                   *:*          
         users:(("nmbd",pid=2037,fd=46))
udp    UNCONN     0      0      192.168.1.255:137                   *:*         
          users:(("nmbd",pid=2037,fd=43))
udp    UNCONN     0      0      192.168.1.34:137                   *:*          
         users:(("nmbd",pid=2037,fd=42))
udp    UNCONN     0      0      192.168.1.255:137                   *:*         
          users:(("nmbd",pid=2037,fd=39))
udp    UNCONN     0      0      192.168.1.35:137                   *:*          
         users:(("nmbd",pid=2037,fd=38))
udp    UNCONN     0      0      192.168.1.255:137                   *:*         
          users:(("nmbd",pid=2037,fd=35))
udp    UNCONN     0      0      192.168.1.36:137                   *:*          
         users:(("nmbd",pid=2037,fd=34))
udp    UNCONN     0      0      192.168.1.255:137                   *:*         
          users:(("nmbd",pid=2037,fd=31))
udp    UNCONN     0      0      192.168.1.37:137                   *:*          
         users:(("nmbd",pid=2037,fd=30))
udp    UNCONN     0      0      192.168.1.255:137                   *:*         
          users:(("nmbd",pid=2037,fd=27))
udp    UNCONN     0      0      192.168.1.38:137                   *:*          
         users:(("nmbd",pid=2037,fd=26))
udp    UNCONN     0      0      192.168.1.255:137                   *:*         
          users:(("nmbd",pid=2037,fd=23))
udp    UNCONN     0      0      192.168.1.39:137                   *:*          
         users:(("nmbd",pid=2037,fd=22))
udp    UNCONN     0      0      192.168.1.255:137                   *:*         
          users:(("nmbd",pid=2037,fd=19))
udp    UNCONN     0      0      192.168.1.40:137                   *:*          
         users:(("nmbd",pid=2037,fd=18))
udp    UNCONN     0      0         *:137                   *:*                  
 users:(("nmbd",pid=2037,fd=16))
udp    UNCONN     0      0      192.168.2.255:138                   *:*         
          users:(("nmbd",pid=2037,fd=70))
udp    UNCONN     0      0      192.168.2.254:138                   *:*         
          users:(("nmbd",pid=2037,fd=69))
udp    UNCONN     0      0      192.168.1.255:138                   *:*         
          users:(("nmbd",pid=2037,fd=65))
udp    UNCONN     0      0      192.168.1.2:138                   *:*           
        users:(("nmbd",pid=2037,fd=64))
udp    UNCONN     0      0      192.168.1.255:138                   *:*         
          users:(("nmbd",pid=2037,fd=61))
udp    UNCONN     0      0      192.168.1.30:138                   *:*          
         users:(("nmbd",pid=2037,fd=60))
udp    UNCONN     0      0      192.168.1.255:138                   *:*         
          users:(("nmbd",pid=2037,fd=57))
udp    UNCONN     0      0      192.168.1.31:138                   *:*          
         users:(("nmbd",pid=2037,fd=56))
udp    UNCONN     0      0      192.168.1.255:138                   *:*         
          users:(("nmbd",pid=2037,fd=53))
udp    UNCONN     0      0      192.168.1.32:138                   *:*          
         users:(("nmbd",pid=2037,fd=52))
udp    UNCONN     0      0      192.168.1.255:138                   *:*         
          users:(("nmbd",pid=2037,fd=49))
udp    UNCONN     0      0      192.168.1.33:138                   *:*          
         users:(("nmbd",pid=2037,fd=48))
udp    UNCONN     0      0      192.168.1.255:138                   *:*         
          users:(("nmbd",pid=2037,fd=45))
udp    UNCONN     0      0      192.168.1.34:138                   *:*          
         users:(("nmbd",pid=2037,fd=44))
udp    UNCONN     0      0      192.168.1.255:138                   *:*         
          users:(("nmbd",pid=2037,fd=41))
udp    UNCONN     0      0      192.168.1.35:138                   *:*          
         users:(("nmbd",pid=2037,fd=40))
udp    UNCONN     0      0      192.168.1.255:138                   *:*         
          users:(("nmbd",pid=2037,fd=37))
udp    UNCONN     0      0      192.168.1.36:138                   *:*          
         users:(("nmbd",pid=2037,fd=36))
udp    UNCONN     0      0      192.168.1.255:138                   *:*         
          users:(("nmbd",pid=2037,fd=33))
udp    UNCONN     0      0      192.168.1.37:138                   *:*          
         users:(("nmbd",pid=2037,fd=32))
udp    UNCONN     0      0      192.168.1.255:138                   *:*         
          users:(("nmbd",pid=2037,fd=29))
udp    UNCONN     0      0      192.168.1.38:138                   *:*          
         users:(("nmbd",pid=2037,fd=28))
udp    UNCONN     0      0      192.168.1.255:138                   *:*         
          users:(("nmbd",pid=2037,fd=25))
udp    UNCONN     0      0      192.168.1.39:138                   *:*          
         users:(("nmbd",pid=2037,fd=24))
udp    UNCONN     0      0      192.168.1.255:138                   *:*         
          users:(("nmbd",pid=2037,fd=21))
udp    UNCONN     0      0      192.168.1.40:138                   *:*          
         users:(("nmbd",pid=2037,fd=20))
udp    UNCONN     0      0         *:138                   *:*                  
 users:(("nmbd",pid=2037,fd=17))
udp    UNCONN     0      0         *:49519                 *:*                  
 users:(("avahi-daemon",pid=796,fd=14))
udp    UNCONN     0      0         *:631                   *:*                  
 users:(("cups-browsed",pid=928,fd=8))
tcp    LISTEN     0      50        *:139                   *:*                  
 users:(("smbd",pid=2060,fd=37))
tcp    LISTEN     0      5      127.0.1.1:53                    *:*             
      users:(("dnsmasq",pid=1127,fd=5))
tcp    LISTEN     0      128       *:22                    *:*                  
 users:(("sshd",pid=1048,fd=3))
tcp    LISTEN     0      50        *:445                   *:*                  
 users:(("smbd",pid=2060,fd=36))
tcp    ESTAB      0      0      192.168.2.254:52300              192.168.2.3:22 
                 users:(("ssh",pid=3341,fd=3))
tcp    ESTAB      16     0      127.0.0.1:57976              127.0.1.1:139      
           users:(("gvfsd-smb-brows",pid=3566,fd=13))
tcp    ESTAB      0      0      127.0.1.1:139                127.0.0.1:57976    
           users:(("smbd",pid=3586,fd=38))
tcp    ESTAB      0      0      127.0.1.1:139                127.0.0.1:57978    
           users:(("smbd",pid=3592,fd=38))
tcp    ESTAB      16     0      127.0.0.1:57978              127.0.1.1:139      
           users:(("gvfsd-smb-brows",pid=3566,fd=15))

Traffic Control

Device lo:
qdisc noqueue 0: root refcnt 2 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 


Device eno1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 
1 1
 Sent 584835 bytes 5986 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 


Device enx00e04c534458:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 
1 1
 Sent 57992 bytes 580 pkt (dropped 0, overlimits 0 requeues 1) 
 backlog 0b 0p requeues 1 


Device ppp0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 
1 1
 Sent 4740 bytes 79 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 



TC Filters

Device lo:

Device eno1:

Device enx00e04c534458:

Device ppp0:

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
