Hello, I'm doing the most simple firewall setup on CentOS 6 using Shorewall
5.1.2.4-1. It is two cards, eth0 and eth1. I'm using the two-interface sample
file for snat and it seems like snat is not working. The firewall has open
access to the internet and that is working fine; just the PCs behind it can't get
out. I've been using Shorewall for over 10 years and this one has me stumped!
Also, I had set up a firewall last weekend on CentOS 7 using Shorewall 5.1.2.3-1
and had this same exact issue. I downgraded to 5.0.1.4, same exact config, and
everything worked perfectly. Maybe I missed something that changed since then?
Firewall IPs:
eth0 is 192.168.122.195/24
eth1 is 192.168.20.1/24
eth2 exists but is off and not being used, FYI.
The device on the network trying to get to the internet is 192.168.20.2/24.
Attached is the dump.
Thank you!
Shorewall 5.1.2.4 Dump at localhost.localdomain - Wed Mar 15 17:13:34 MST 2017
Shorewall is running
State:Started Wed Mar 15 17:05:03 MST 2017 from /etc/shorewall/
(/var/lib/shorewall/firewall compiled Wed Mar 15 17:05:03 MST 2017 by Shorewall version 5.1.2.4)
Counters reset Wed Mar 15 17:05:03 MST 2017
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1060 93792 net-fw all -- eth0 * 0.0.0.0/0 0.0.0.0/0
1 238 loc-fw all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 dmz-fw all -- eth2 * 0.0.0.0/0 0.0.0.0/0
657 62091 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 net_frwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 loc_frwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 dmz_frwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
744 145K fw-net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 fw-loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 fw-dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0
657 62091 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix
`OUTPUT ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Broadcast (5 references)
pkts bytes target prot opt in out source destination
245 26338 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match dst-type ANYCAST
Chain dmz-fw (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dmz_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all -- * eth2 0.0.0.0/0 0.0.0.0/0
[goto]
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ~comb0 all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ~comb0 all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain dynamic (6 references)
pkts bytes target prot opt in out source destination
Chain fw-dmz (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix
`fw-dmz ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw-loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix
`fw-loc ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw-net (1 references)
pkts bytes target prot opt in out source destination
715 143K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
29 2204 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix
`fw-net ACCEPT '
29 2204 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc-dmz (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix
`loc-dmz ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc-fw (1 references)
pkts bytes target prot opt in out source destination
1 238 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
1 238 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix
`loc-fw ACCEPT '
1 238 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc-net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix
`loc-net ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all -- * eth1 0.0.0.0/0 0.0.0.0/0
[goto]
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 loc-net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 loc-dmz all -- * eth2 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logflags (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: up to 1/sec burst 10 mode srcip LOG flags 4 level 6 prefix
`logflags DROP '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain net-fw (1 references)
pkts bytes target prot opt in out source destination
292 32564 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
229 16184 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
768 61228 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 22,443,10000
292 32564 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
47 6226 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net-loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.20.2
tcp dpt:3389
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix
`net-loc ACCEPT '
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all -- * eth0 0.0.0.0/0 0.0.0.0/0
[goto]
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 net-loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ~comb0 all -- * eth2 0.0.0.0/0 0.0.0.0/0
Chain sfilter (3 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix
`sfilter DROP '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain sha-lh-b6dd114c18fc143eccb4 (0 references)
pkts bytes target prot opt in out source destination
Chain sha-rh-eae8426d0c57f0e996e2 (0 references)
pkts bytes target prot opt in out source destination
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
recent: SET name: %CURRENTTIME side: source
Chain tcpflags (6 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x05/0x05
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x19/0x09
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp spt:0 flags:0x17/0x02
Chain ~comb0 (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Log (/var/log/messages)
Mar 15 17:08:13 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=108.61.73.244 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:08:16 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=108.61.56.35 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:08:26 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=128.138.141.172 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:09:19 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=69.197.191.252 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:09:20 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=108.61.73.244 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:09:25 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=108.61.56.35 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:09:34 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=128.138.141.172 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:10:26 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=69.197.191.252 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:10:27 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=108.61.73.244 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:10:32 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=108.61.56.35 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:10:43 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=128.138.141.172 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:11:35 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=69.197.191.252 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:11:36 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=108.61.73.244 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:11:39 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=108.61.56.35 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:11:51 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=128.138.141.172 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:12:42 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=69.197.191.252 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:12:45 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=108.61.73.244 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:12:47 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=108.61.56.35 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:13:00 fw-net ACCEPT IN= OUT=eth0 SRC=192.168.122.195 DST=128.138.141.172 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 15 17:13:06 loc-fw ACCEPT IN=eth1 OUT= SRC=192.168.20.2 DST=192.168.20.255 LEN=238 TOS=0x00 PREC=0x00 TTL=128 ID=271 PROTO=UDP SPT=138 DPT=138 LEN=218
NAT Table
Chain PREROUTING (policy ACCEPT 13 packets, 1395 bytes)
pkts bytes target prot opt in out source destination
3 152 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:3389 to:192.168.20.2
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
29 2204 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 MASQUERADE all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 MASQUERADE all -- * * 92.168.0.0/16 0.0.0.0/0
Mangle Table
Chain PREROUTING (policy ACCEPT 55 packets, 4521 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 49 packets, 4141 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0
MARK and 0xffffff00
Chain OUTPUT (policy ACCEPT 28 packets, 2928 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 28 packets, 2928 bytes)
pkts bytes target prot opt in out source destination
Raw Table
Chain PREROUTING (policy ACCEPT 55 packets, 4521 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 28 packets, 2928 bytes)
pkts bytes target prot opt in out source destination
Conntrack Table (10 out of 65536)
ipv4 2 icmp 1 29 src=192.168.122.195 dst=192.168.122.254 type=8 code=0
id=2587 src=192.168.122.254 dst=192.168.122.195 type=0 code=0 id=2587 mark=0
secmark=0 use=2
ipv4 2 tcp 6 88 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=51668
dport=5038 src=127.0.0.1 dst=127.0.0.1 sport=5038 dport=51668 [ASSURED] mark=0
secmark=0 use=2
ipv4 2 tcp 6 299 ESTABLISHED src=192.168.122.195 dst=192.168.122.221
sport=22 dport=59951 src=192.168.122.221 dst=192.168.122.195 sport=59951
dport=22 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 45 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=51648
dport=5038 src=127.0.0.1 dst=127.0.0.1 sport=5038 dport=51648 [ASSURED] mark=0
secmark=0 use=2
ipv4 2 tcp 6 28 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=51656
dport=5038 src=127.0.0.1 dst=127.0.0.1 sport=5038 dport=51656 [ASSURED] mark=0
secmark=0 use=2
ipv4 2 udp 17 2 src=192.168.20.2 dst=192.168.20.255 sport=138
dport=138 [UNREPLIED] src=192.168.20.255 dst=192.168.20.2 sport=138 dport=138
mark=0 secmark=0 use=2
ipv4 2 tcp 6 431971 ESTABLISHED src=127.0.0.1 dst=127.0.0.1
sport=51086 dport=5038 src=127.0.0.1 dst=127.0.0.1 sport=5038 dport=51086
[ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 28 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=51652
dport=5038 src=127.0.0.1 dst=127.0.0.1 sport=5038 dport=51652 [ASSURED] mark=0
secmark=0 use=2
ipv4 2 tcp 6 101 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=51660
dport=5038 src=127.0.0.1 dst=127.0.0.1 sport=5038 dport=51660 [ASSURED] mark=0
secmark=0 use=2
ipv4 2 tcp 6 88 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=51664
dport=5038 src=127.0.0.1 dst=127.0.0.1 sport=5038 dport=51664 [ASSURED] mark=0
secmark=0 use=2
IP Configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
inet 192.168.122.195/24 brd 192.168.122.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
inet 192.168.20.1/24 brd 192.168.20.255 scope global eth1
IP Stats
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
31704635 12502 0 0 0 0
TX: bytes packets errors dropped carrier collsns
31704635 12502 0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:15:5d:f7:43:01 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
2104483 11284 0 0 0 0
TX: bytes packets errors dropped carrier collsns
835633 5284 0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:15:5d:f7:43:02 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
153022 1341 0 0 0 0
TX: bytes packets errors dropped carrier collsns
7524 96 0 0 0 0
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000
link/ether 00:15:5d:f7:43:03 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
58478 261 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1844 15 0 0 0 0
Bridges
bridge name bridge id STP enabled interfaces
Routing Rules
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Table default:
Table local:
local 192.168.122.195 dev eth0 proto kernel scope host src 192.168.122.195
local 192.168.20.1 dev eth1 proto kernel scope host src 192.168.20.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 192.168.122.255 dev eth0 proto kernel scope link src 192.168.122.195
broadcast 192.168.122.0 dev eth0 proto kernel scope link src 192.168.122.195
broadcast 192.168.20.255 dev eth1 proto kernel scope link src 192.168.20.1
broadcast 192.168.20.0 dev eth1 proto kernel scope link src 192.168.20.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
192.168.122.0/24 dev eth0 proto kernel scope link src 192.168.122.195
192.168.20.0/24 dev eth1 proto kernel scope link src 192.168.20.1
169.254.0.0/16 dev eth1 scope link metric 1003
169.254.0.0/16 dev eth0 scope link metric 1002
default via 192.168.122.254 dev eth0
Per-IP Counters
iptaccount is not installed
NF Accounting
No NF Accounting defined (nfacct not found)
Events
PFKEY SPD
PFKEY SAD
/proc
/proc/version = Linux version 2.6.32-642.6.2.el6.x86_64
([email protected]) (gcc version 4.4.7 20120313 (Red Hat
4.4.7-17) (GCC) ) #1 SMP Wed Oct 26 06:52:09 UTC 2016
/proc/sys/net/ipv4/ip_forward = 0
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 1
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/default/log_martians = 1
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/log_martians = 1
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
/proc/sys/net/ipv4/conf/eth1/log_martians = 1
/proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth2/arp_filter = 0
/proc/sys/net/ipv4/conf/eth2/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth2/rp_filter = 0
/proc/sys/net/ipv4/conf/eth2/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 1
ARP
? (192.168.122.2) at 90:b1:1c:0c:03:40 [ether] on eth0
? (192.168.122.221) at f4:8e:38:a6:5c:5d [ether] on eth0
? (192.168.122.254) at e8:de:27:a6:e2:0c [ether] on eth0
? (192.168.20.2) at 84:16:f9:03:40:6a [ether] on eth1
Modules
iptable_filter 2793 1
iptable_mangle 3349 1
iptable_nat 5923 1
iptable_raw 2264 0
ip_tables 17831 4
iptable_mangle,iptable_nat,iptable_raw,iptable_filter
ipt_addrtype 2153 3
ipt_LOG 7854 10
ipt_MASQUERADE 2338 4
ipt_NETMAP 1736 0
ipt_REJECT 2351 4
ipt_ULOG 10349 0
nf_conntrack 79537 33
xt_connlimit,xt_CONNMARK,xt_connmark,xt_state,xt_helper,ipt_MASQUERADE,nf_nat_tftp,nf_nat_snmp_basic,nf_conntrack_snmp,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_udplite,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_broadcast,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_conntrack,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_amanda 2979 1 nf_nat_amanda
nf_conntrack_broadcast 1471 2 nf_conntrack_snmp,nf_conntrack_netbios_ns
nf_conntrack_ftp 12049 1 nf_nat_ftp
nf_conntrack_h323 65424 1 nf_nat_h323
nf_conntrack_ipv4 9186 19 iptable_nat,nf_nat
nf_conntrack_irc 5306 1 nf_nat_irc
nf_conntrack_netbios_ns 1323 0
nf_conntrack_netlink 16976 0
nf_conntrack_pptp 11430 1 nf_nat_pptp
nf_conntrack_proto_gre 6619 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 12975 0
nf_conntrack_proto_udplite 3380 0
nf_conntrack_sane 5364 0
nf_conntrack_sip 19683 1 nf_nat_sip
nf_conntrack_snmp 1651 1 nf_nat_snmp_basic
nf_conntrack_tftp 4814 1 nf_nat_tftp
nf_defrag_ipv4 1483 2 xt_TPROXY,nf_conntrack_ipv4
nf_defrag_ipv6 26468 1 xt_TPROXY
nf_nat 22676 11
ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,iptable_nat
nf_nat_amanda 1277 0
nf_nat_ftp 3443 0
nf_nat_h323 8414 0
nf_nat_irc 1819 0
nf_nat_pptp 4365 0
nf_nat_proto_gre 2772 1 nf_nat_pptp
nf_nat_sip 6171 0
nf_nat_snmp_basic 8553 0
nf_nat_tftp 987 0
nf_tproxy_core 1332 1 xt_TPROXY,[permanent]
xt_AUDIT 3064 0
xt_CHECKSUM 1303 0
xt_CLASSIFY 1069 0
xt_comment 1034 0
xt_connlimit 3238 0
xt_connmark 1347 0
xt_CONNMARK 1507 0
xt_conntrack 2776 16
xt_dscp 1831 0
xt_DSCP 2279 0
xt_hashlimit 9685 10
xt_helper 1497 0
xt_iprange 2216 0
xt_length 1322 0
xt_MARK 1057 1
xt_multiport 2764 1
xt_NFLOG 1195 0
xt_NFQUEUE 2213 0
xt_owner 1252 0
xt_physdev 1741 0
xt_pkttype 1194 0
xt_policy 2616 0
xt_realm 1060 0
xt_recent 8060 1
xt_state 1492 0
xt_statistic 1524 0
xt_tcpmss 1607 0
xt_TCPMSS 3541 0
xt_time 2183 0
xt_TPROXY 8801 0
Shorewall has detected the following iptables/netfilter capabilities:
ACCOUNT Target (ACCOUNT_TARGET): Not available
Address Type Match (ADDRTYPE): Available
Amanda Helper: Available
Arptables JF (ARPTABLESJF): Not available
AUDIT Target (AUDIT_TARGET): Available
Basic Ematch (BASIC_EMATCH): Available
Basic Filter (BASIC_FILTER): Available
Capabilities Version (CAPVERSION): 50100
Checksum Target (CHECKSUM_TARGET): Available
CLASSIFY Target (CLASSIFY_TARGET): Available
Comments (COMMENTS): Available
Condition Match (CONDITION_MATCH): Not available
Connection Tracking Match (CONNTRACK_MATCH): Available
Connlimit Match (CONNLIMIT_MATCH): Available
Connmark Match (CONNMARK_MATCH): Available
CONNMARK Target (CONNMARK): Available
CT Target (CT_TARGET): Not available
DSCP Match (DSCP_MATCH): Available
DSCP Target (DSCP_TARGET): Available
Enhanced Multi-port Match (EMULIPORT): Available
Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
Extended Connmark Match (XCONNMARK_MATCH): Available
Extended CONNMARK Target (XCONNMARK): Available
Extended MARK Target 2 (EXMARK): Available
Extended MARK Target (XMARK): Available
Extended Multi-port Match (XMULIPORT): Available
Extended REJECT (ENHANCED_REJECT): Available
FLOW Classifier (FLOW_FILTER): Available
FTP-0 Helper: Not available
FTP Helper: Available
fwmark route mask (FWMARK_RT_MASK): Available
Geo IP Match (GEOIP_MATCH): Not available
Goto Support (GOTO_TARGET): Available
H323 Helper: Available
Hashlimit Match (HASHLIMIT_MATCH): Available
Header Match (HEADER_MATCH): Not available
Helper Match (HELPER_MATCH): Available
Iface Match (IFACE_MATCH): Not available
IMQ Target (IMQ_TARGET): Not available
IPMARK Target (IPMARK_TARGET): Not available
IPP2P Match (IPP2P_MATCH): Not available
IP range Match(IPRANGE_MATCH): Available
ipset V5 (IPSET_V5): Not available
iptables -S (IPTABLES_S): Available
iptables --wait option (WAIT_OPTION): Not available
IRC-0 Helper: Not available
IRC Helper: Available
Kernel Version (KERNELVERSION): 20632
LOGMARK Target (LOGMARK_TARGET): Not available
LOG Target (LOG_TARGET): Available
Mangle FORWARD Chain (MANGLE_FORWARD): Available
Mark in the filter table (MARK_ANYWHERE): Available
MARK Target (MARK): Available
MASQUERADE Target (MASQUERADE_TGT): Available
Multi-port Match (MULTIPORT): Available
NAT (NAT_ENABLED): Available
Netbios_ns Helper: Not available
NETMAP Target (NETMAP_TARGET): Available
New tos Match (NEW_TOS_MATCH): Available
NFAcct Match: Not available
NFLOG Target (NFLOG_TARGET): Available
NFQUEUE CPU Fanout (CPU_FANOUT): Not available
NFQUEUE Target (NFQUEUE_TARGET): Available
Owner Match (OWNER_MATCH): Available
Owner Name Match (OWNER_NAME_MATCH): Available
Packet length Match (LENGTH_MATCH): Available
Packet Mangling (MANGLE_ENABLED): Available
Packet Type Match (USEPKTTYPE): Available
Persistent SNAT (PERSISTENT_SNAT): Available
Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
Physdev Match (PHYSDEV_MATCH): Available
Policy Match (POLICY_MATCH): Available
PPTP Helper: Available
Raw Table (RAW_TABLE): Available
Realm Match (REALM_MATCH): Available
Recent Match "--reap" option (REAP_OPTION): Not available
Recent Match (RECENT_MATCH): Available
Repeat match (KLUDGEFREE): Available
RPFilter Match (RPFILTER_MATCH): Not available
SANE-0 Helper: Not available
SANE Helper: Available
SIP-0 Helper: Not available
SIP Helper: Available
SNMP Helper: Available
Statistic Match (STATISTIC_MATCH): Available
TARPIT Target (TARPIT_TARGET): Not available
TCPMSS Match (TCPMSS_MATCH): Available
TCPMSS Target (TCPMSS_TARGET): Available
TFTP-0 Helper: Not available
TFTP Helper: Available
Time Match (TIME_MATCH): Available
TPROXY Target (TPROXY_TARGET): Available
UDPLITE Port Redirection (UDPLITEREDIRECT): Not available
ULOG Target (ULOG_TARGET): Available
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:5353 *:*
users:(("avahi-daemon",1210,13))
udp UNCONN 0 0 192.168.20.1:123 *:*
users:(("ntpd",1345,24))
udp UNCONN 0 0 192.168.122.195:123 *:*
users:(("ntpd",1345,21))
udp UNCONN 0 0 127.0.0.1:123 *:*
users:(("ntpd",1345,18))
udp UNCONN 0 0 *:123 *:*
users:(("ntpd",1345,16))
udp UNCONN 0 0 *:48126 *:*
users:(("asterisk",1927,20))
udp UNCONN 0 0 *:48769 *:*
users:(("avahi-daemon",1210,14))
udp UNCONN 0 0 *:5160 *:*
users:(("asterisk",1927,25))
udp UNCONN 0 0 *:53 *:*
users:(("dnsmasq",1312,4))
udp UNCONN 0 0 *:5060 *:*
users:(("asterisk",1927,22))
udp UNCONN 0 0 *:69 *:*
users:(("xinetd",1336,5))
udp UNCONN 0 0 *:4569 *:*
users:(("asterisk",1927,28))
tcp LISTEN 0 128 *:5280 *:*
users:(("lua",1676,8))
tcp LISTEN 0 128 *:5281 *:*
users:(("lua",1676,9))
tcp LISTEN 0 128 127.0.0.1:5347 *:*
users:(("lua",1676,6))
tcp LISTEN 0 128 *:5222 *:*
users:(("lua",1676,10))
tcp LISTEN 0 50 127.0.0.1:3306 *:*
users:(("mysqld",1505,10))
tcp LISTEN 0 10 *:5038 *:*
users:(("asterisk",1927,17))
tcp LISTEN 0 128 127.0.0.1:5582 *:*
users:(("lua",1676,7))
tcp LISTEN 0 128 *:5269 *:*
users:(("lua",1676,5))
tcp LISTEN 0 5 *:53 *:*
users:(("dnsmasq",1312,5))
tcp LISTEN 0 128 *:22 *:*
users:(("sshd",1327,3))
tcp LISTEN 0 100 127.0.0.1:25 *:*
users:(("master",1614,12))
tcp ESTAB 0 0 127.0.0.1:5038 127.0.0.1:51086
users:(("asterisk",1927,29))
tcp ESTAB 0 0 127.0.0.1:5347 127.0.0.1:45586
users:(("lua",1676,13))
tcp ESTAB 0 0 127.0.0.1:49786 127.0.0.1:5038
users:(("start-xmpp.sh",2098,8),("su",2099,8),("presence.php",2100,8))
tcp ESTAB 0 0 192.168.122.195:22 192.168.122.221:59951
users:(("sshd",6981,3))
tcp ESTAB 0 0 127.0.0.1:45586 127.0.0.1:5347
users:(("presence.php",2100,13))
tcp ESTAB 0 0 127.0.0.1:5038 127.0.0.1:49794
users:(("asterisk",1927,35))
tcp ESTAB 0 0 127.0.0.1:49794 127.0.0.1:5038
users:(("presence.php",2100,12))
tcp ESTAB 0 0 127.0.0.1:5038 127.0.0.1:49786
users:(("asterisk",1927,18))
tcp ESTAB 0 0 127.0.0.1:3306 127.0.0.1:60838
users:(("mysqld",1505,69))
tcp ESTAB 0 0 127.0.0.1:60838 127.0.0.1:3306
users:(("node",5580,10))
tcp TIME-WAIT 0 0 127.0.0.1:51668 127.0.0.1:5038
tcp ESTAB 0 0 127.0.0.1:51086 127.0.0.1:5038
users:(("node",5580,11))
tcp TIME-WAIT 0 0 127.0.0.1:51664 127.0.0.1:5038
tcp TIME-WAIT 0 0 127.0.0.1:51660 127.0.0.1:5038
Traffic Control
Device eth0:
qdisc mq 0: root
Sent 835773 bytes 5286 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
qdisc pfifo_fast 0: parent :1 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 835773 bytes 5286 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
qdisc pfifo_fast 0: parent :2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
class mq :1 root
Sent 835773 bytes 5286 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
class mq :2 root
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device eth1:
qdisc mq 0: root
Sent 7524 bytes 96 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
qdisc pfifo_fast 0: parent :1 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 7524 bytes 96 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
qdisc pfifo_fast 0: parent :2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
class mq :1 root
Sent 7524 bytes 96 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
class mq :2 root
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device eth2:
qdisc mq 0: root
Sent 1844 bytes 15 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
qdisc pfifo_fast 0: parent :1 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 1844 bytes 15 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
qdisc pfifo_fast 0: parent :2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
class mq :1 root
Sent 1844 bytes 15 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
class mq :2 root
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
TC Filters
Device eth0:
Device eth1:
Device eth2:
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
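An added diagnostic for dumps like the one above (example code written for this page, not the poster's or Shorewall's): it parses the chain listings and the /proc block and reports whether ip_forward is on and whether any MASQUERADE/SNAT rule reached from nat POSTROUTING covers the LAN subnet. It assumes eth0 is the WAN interface and 192.168.20.0/24 the LAN, as in the post; on the lines copied from the dump it flags ip_forward = 0 and the eth0_masq entry that reads 92.168.0.0/16 rather than 192.168.0.0/16, so nothing masquerades the LAN.

```python
"""Check a Shorewall dump (iptables -nv chains plus the /proc block) for the two
settings that most often break SNAT: ip_forward off and an uncovered LAN subnet."""
import ipaddress
import re

# Constructed sample: the relevant lines copied from the dump posted above
# (filter FORWARD chain, nat POSTROUTING and eth0_masq chains, /proc entry).
SAMPLE_DUMP = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 net_frwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 loc_frwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
NAT Table
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
29 2204 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 MASQUERADE all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 MASQUERADE all -- * * 92.168.0.0/16 0.0.0.0/0
/proc/sys/net/ipv4/ip_forward = 0
"""

# One rule line: pkts bytes target prot opt in out source destination [matches]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
TABLE_RE = re.compile(r"^(\w+) Table$")       # 'NAT Table', 'Mangle Table', ...
CHAIN_RE = re.compile(r"^Chain (\S+) \(")
SYSCTL_RE = re.compile(r"^(/proc/\S+) = (\S+)$")

def parse_dump(text):
    """Return ({(table, chain): [rule, ...]}, {sysctl_path: value}). The dump
    lists the filter table first with no header, so the table starts as 'filter';
    match-detail continuation lines (ctstate ..., ADDRTYPE ...) are skipped."""
    chains, sysctls = {}, {}
    table, current = "filter", None
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            table, current = m.group(1).lower(), None
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = (table, m.group(1))
            chains[current] = []
            continue
        m = SYSCTL_RE.match(line)
        if m:
            sysctls[m.group(1)] = m.group(2)
            current = None
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            pkts, _, target, proto, _, ifin, ifout, src, dst = m.groups()
            chains[current].append({"pkts": int(pkts), "target": target, "proto": proto,
                                    "in": ifin, "out": ifout, "src": src, "dst": dst})
    return chains, sysctls

def masq_coverage(chains, wan_if, lan_subnet):
    """MASQUERADE/SNAT rules reachable from nat POSTROUTING, out wan_if, whose source
    match contains lan_subnet (follows one level of per-interface chains like eth0_masq)."""
    lan = ipaddress.ip_network(lan_subnet, strict=False)
    covering = []
    for rule in chains.get(("nat", "POSTROUTING"), []):
        if rule["out"] not in ("*", wan_if):
            continue
        if rule["target"] in ("MASQUERADE", "SNAT"):
            candidates = [rule]                                   # direct SNAT rule
        else:
            candidates = chains.get(("nat", rule["target"]), [])  # rules of the jump target
        for r in candidates:
            if r["target"] not in ("MASQUERADE", "SNAT") or r["src"].startswith("!"):
                continue  # not a NAT rule, or a negated source match
            if lan.subnet_of(ipaddress.ip_network(r["src"], strict=False)):
                covering.append(r)
    return covering

def forward_traffic_seen(chains):
    """True if any rule in the filter FORWARD chain has matched a packet."""
    return any(r["pkts"] for r in chains.get(("filter", "FORWARD"), []))

def diagnose(text, wan_if, lan_subnet):
    """Findings for the dump; an empty list means forwarding and SNAT coverage pass."""
    chains, sysctls = parse_dump(text)
    findings = []
    if sysctls.get("/proc/sys/net/ipv4/ip_forward") != "1":
        findings.append("ip_forward is not 1: the kernel will not route between interfaces")
    if not masq_coverage(chains, wan_if, lan_subnet):
        findings.append(f"no MASQUERADE/SNAT rule out {wan_if} covers {lan_subnet}")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DUMP, "eth0", "192.168.20.0/24"):
        print("FINDING:", finding)
```

ip_forward = 0 on its own is enough to stop packets from eth1 ever reaching eth0, which matches the all-zero FORWARD counters in the dump; Shorewall sets that sysctl from the IP_FORWARDING option in shorewall.conf, so that is the first setting worth comparing between the 5.0.1.4 and 5.1.2.4 configurations.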