Hi there,
On a server that has its firewall configured with Shorewall there is an
application running that dynamically inserts and deletes its own rules
in the firewall.
To work properly it needs some configuration in the firewall:
1) Some IPs that are directly configured to be preferred
2) A custom chain that holds rules to define actions on dynamically
inserted IPs
# shorewall show raw
Shorewall 5.0.14.1 RAW Table at dev-lan34.domibay.org - lun jul 3 14:50:09 WEST 2017
Counters reset lun jul 3 13:50:33 WEST 2017
Chain PREROUTING (policy ACCEPT 49746 packets, 2017K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 80.32.1.20 0.0.0.0/0
0 0 ACCEPT all -- * * 217.125.25.169 0.0.0.0/0
Chain BLOCKLIST (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 10 LOG flags 0 level 4
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
# iptables -t filter -nL INPUT
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 80.32.1.20 0.0.0.0/0
ACCEPT all -- 217.125.25.169 0.0.0.0/0
To achieve this configuration I wanted to create an "initdone" script
with the Shorewall-perl API:
[2017-07-03 14:02:18 - root@dev-lan34 shorewall]# cat initdone
use lib '/usr/share/shorewall';
use Shorewall::Chains;      # exports %chain_table, new_chain, new_manual_chain, add_rule, ...
use Data::Dump qw(dump);

# Built-in chains that already exist in the compiler's chain table.
my $chainpreroute = $chain_table{"raw"}{"PREROUTING"};
my $chaininput    = $chain_table{"filter"}{"INPUT"};

# Variants tried for creating the custom chain; only the second one is active.
#my $chainblocklist = new_chain "raw", "BLOCKLIST";
my $chainblocklist = new_manual_chain "BLOCKLIST";
#my $chainblocklist = $chain_table{"raw"}{"BLOCKLIST"};

print "nw mnl chn dmp:\n" . dump($chainblocklist);
print "\n";

# Preferred source addresses and the raw iptables rule fragments to add.
my $sipnet1 = "80.32.1.20";
my $sipnet2 = "217.125.25.169";
my $srulenet1accept    = "-s $sipnet1 -j ACCEPT";
my $srulenet2accept    = "-s $sipnet2 -j ACCEPT";
my $sruleblocklistlog  = "-m limit --limit 10/sec --limit-burst 10 -j LOG";
my $sruleblocklistdrop = "-j DROP";
my $iscs = 1;   # value returned to the compiler (true on success)

add_rule $chainpreroute,  $srulenet1accept;
add_rule $chainpreroute,  $srulenet2accept;
add_rule $chaininput,     $srulenet1accept;
add_rule $chaininput,     $srulenet2accept;
add_rule $chainblocklist, $sruleblocklistlog;
add_rule $chainblocklist, $sruleblocklistdrop;

# Dump both tables so the generated chain structure shows up in the
# output of "shorewall check".
print "tbl raw dmp:\n" . dump($chain_table{"raw"});
print "\n";
print "tbl filter dmp:\n" . dump($chain_table{"filter"});
print "\n";

return $iscs;
I found that the IPs from $srulenet1accept and $srulenet2accept were
published in the firewall, but the custom chain was not published at all.
I was visualizing the content of $chain_table to see how the custom
chain was created in Shorewall and I saw:
# shorewall check
Checking using Shorewall 5.0.14.1...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Interface "lan enp3s0 tcpflags,nosmurfs,logmartians" Validated
Determining Hosts in Zones...
fw (firewall)
lan (ipv4)
enp3s0:0.0.0.0/0
Locating Action Files...
Checking /etc/shorewall/policy...
Policy for lan to fw is DROP using chain lan-all
Policy for fw to lan is REJECT using chain fw-all
Running /etc/shorewall/initdone...
$chainblocklist
{
cmdlevel => 0,
filtered => 0,
log => 1,
loglevel => "",
manual => 1,
name => "BLOCKLIST",
optflags => 0,
origin => "",
referenced => 1,
references => {},
restriction => 0,
rules => [],
table => "filter",
}
$chain_table{"filter"}{"BLOCKLIST"} was also created and the rules were added:
"BLOCKLIST" => {
cmdlevel => 0,
complete => 1,
filtered => 0,
log => 1,
loglevel => "",
manual => 1,
name => "BLOCKLIST",
optflags => 0,
origin => "",
referenced => 1,
references => {},
restriction => 0,
rules => [
{
cmdlevel => 0,
comment => "",
jump => "j",
limit => "--limit 10/sec --limit-burst 10",
matches => ["limit",
"targetopts"],
mode => 1,
origin => "",
simple => 0,
target => "LOG",
targetopts => "",
},
{
cmdlevel => 0,
comment => "",
jump => "j",
matches => ["targetopts"],
mode => 1,
origin => "",
simple => 1,
target => "DROP",
targetopts => "",
},
],
table => "filter",
},
But in the end the new custom chain was not published in the firewall.
Researching the logs I found this notice:
# vi /var/log/shorewall-init.log
Jul 3 13:10:10 Chain BLOCKLIST deleted
You will also find the Shorewall dump attached. There you can see additional
details.
So I am wondering: why was my manual chain deleted?
Please let me know if you see how I can achieve the firewall
configuration I am looking for.
Best Regards,
Hugo
Shorewall 5.0.14.1 Dump - lun jul 3 15:06:43 WEST 2017
Shorewall is running
State:Started lun jul 3 15:05:45 WEST 2017 from /etc/shorewall/ (/var/lib/shorewall/firewall compiled lun jul 3 15:05:45 WEST 2017 by Shorewall version 5.0.14.1)
Counters reset lun jul 3 15:05:45 WEST 2017
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 80.32.1.20 0.0.0.0/0
0 0 ACCEPT all -- * * 217.125.25.169 0.0.0.0/0
3398 144K lan-fw all -- enp3s0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:INPUT:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:"
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3291 204K fw-lan all -- * enp3s0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:OUTPUT:REJECT:"
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain Broadcast (2 references)
pkts bytes target prot opt in out source destination
6 832 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
Chain Drop (2 references)
pkts bytes target prot opt in out source destination
6 832 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */
6 832 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */
Chain Reject (3 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* Needed ICMP types */
0 0 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] multiport dports 135,445 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] udp dpts:137:139 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] udp spt:137 dpts:1024:65535 /* SMB */
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* UPnP */
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 /* Late DNS Replies */
Chain dynamic (1 references)
pkts bytes target prot opt in out source destination
Chain fw-lan (1 references)
pkts bytes target prot opt in out source destination
122 13380 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 /* NTP */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 /* FTP */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
1 90 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
3168 190K ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.101 tcp dpt:41121
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* DNS */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* DNS */
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353 /* mDNS */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:5353 dpts:1024:65535 /* mDNS */
0 0 ACCEPT 2 -- * * 0.0.0.0/0 224.0.0.251 /* mDNS */
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353 /* mDNS */
0 0 ACCEPT 2 -- * * 0.0.0.0/0 224.0.0.251 /* mDNS */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 /* SMTP */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 /* SMTPS */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* Web */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 /* Web */
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:fw-lan:REJECT:"
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain lan-fw (1 references)
pkts bytes target prot opt in out source destination
7 910 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
7 910 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
3391 143K tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
3391 143K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* SSH */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 /* FTP */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445 /* SMB */
1 78 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 /* SMB */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445 /* SMB */
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353 /* mDNS */
0 0 ACCEPT 2 -- * * 0.0.0.0/0 224.0.0.251 /* mDNS */
0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353 /* mDNS */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:5353 dpts:1024:65535 /* mDNS */
0 0 ACCEPT 2 -- * * 0.0.0.0/0 224.0.0.251 /* mDNS */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 /* POP3 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 /* POP3S */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 /* SMTP */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 /* SMTPS */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* Web */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 /* Web */
6 832 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:lan-fw:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 2 prefix "Shorewall:logdrop:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logflags (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 2 prefix "Shorewall:logreject:REJECT:"
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (8 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain sha-lh-ecca6d642ef95dc01675 (0 references)
pkts bytes target prot opt in out source destination
Chain sha-rh-18d62566702599d5236c (0 references)
pkts bytes target prot opt in out source destination
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255
Chain smurflog (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:smurfs:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain smurfs (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0 0.0.0.0/0
0 0 smurflog all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] ADDRTYPE match src-type BROADCAST
0 0 smurflog all -- * * 224.0.0.0/4 0.0.0.0/0 [goto]
Chain tcpflags (1 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x05/0x05
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x19/0x09
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp spt:0 flags:0x17/0x02
Log (/var/log/messages)
NAT Table
Chain PREROUTING (policy ACCEPT 7 packets, 910 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1 packets, 78 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3169 packets, 190K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3169 packets, 190K bytes)
pkts bytes target prot opt in out source destination
Mangle Table
Chain PREROUTING (policy ACCEPT 3398 packets, 144K bytes)
pkts bytes target prot opt in out source destination
3398 144K tcpre all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 3398 packets, 144K bytes)
pkts bytes target prot opt in out source destination
3398 144K tcin all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK and 0xffffff00
0 0 tcfor all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3291 packets, 204K bytes)
pkts bytes target prot opt in out source destination
3291 204K tcout all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 3291 packets, 204K bytes)
pkts bytes target prot opt in out source destination
3291 204K tcpost all -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
Chain tcin (1 references)
pkts bytes target prot opt in out source destination
Chain tcout (1 references)
pkts bytes target prot opt in out source destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
Chain tcpre (1 references)
pkts bytes target prot opt in out source destination
Raw Table
Chain PREROUTING (policy ACCEPT 3399 packets, 144K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 80.32.1.20 0.0.0.0/0
0 0 ACCEPT all -- * * 217.125.25.169 0.0.0.0/0
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:10080 CT helper amanda
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 CT helper ftp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1719 CT helper RAS
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1720 CT helper Q.931
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6667 CT helper irc
1 78 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 CT helper netbios-ns
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723 CT helper pptp
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6566 CT helper sane
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 CT helper sip
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:161 CT helper snmp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:69 CT helper tftp
Chain OUTPUT (policy ACCEPT 3292 packets, 204K bytes)
pkts bytes target prot opt in out source destination
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:10080 CT helper amanda
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 CT helper ftp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1719 CT helper RAS
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1720 CT helper Q.931
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6667 CT helper irc
1 90 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 CT helper netbios-ns
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723 CT helper pptp
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6566 CT helper sane
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 CT helper sip
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:161 CT helper snmp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:69 CT helper tftp
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
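As an added example (not the poster's script and not Shorewall code), a small Python checker that parses the iptables -nvL / -nL text quoted in the post (the output of "shorewall show" and "shorewall dump") and reports whether the wanted state is actually in place: the two preferred IPs accepted in the entry chain, and a BLOCKLIST chain that exists, is referenced by something, and ends in a rate-limited LOG followed by DROP. The sample texts are copied from the post; the reference-count check is what flags the "(0 references)" state shown above, since a chain nothing jumps to never sees a packet.

```python
"""Checker for the firewall state the post is after. Parses iptables -nvL / -nL text
(what `shorewall show` and `shorewall dump` print). Added example, not Shorewall's or
the poster's code; the sample texts below are copied from the post."""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+).*|(\d+) references)\)$")
PROTOS = {"all", "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp"}


def _parse_rule(fields, verbose):
    """Split one rule line into columns. Tolerates Shorewall's target-less counting
    rules ('6 832 all -- * * 0.0.0.0/0 0.0.0.0/0'); returns None for non-rule lines."""
    rest = fields[2:] if verbose else fields               # drop pkts/bytes columns
    target = ""
    if rest and not (rest[0] in PROTOS or rest[0].isdigit()):
        target, rest = rest[0], rest[1:]
    if len(rest) < (6 if verbose else 4):
        return None
    if verbose:                                            # prot opt in out src dst ...
        src, dst, extra = rest[4], rest[5], rest[6:]
    else:                                                  # prot opt src dst ...
        src, dst, extra = rest[2], rest[3], rest[4:]
    return {"target": target, "prot": rest[0], "source": src,
            "destination": dst, "extra": " ".join(extra)}


def parse_iptables(text):
    """Return {chain: {policy, references, verbose, rules}}; feed one table at a time."""
    chains, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            cur = {"policy": policy, "references": None if refs is None else int(refs),
                   "verbose": False, "rules": []}
            chains[name] = cur
        elif not line or cur is None:
            continue                                       # banner text before any chain
        elif line.startswith("pkts bytes target"):
            cur["verbose"] = True                          # -nvL column header
        elif line.startswith("target prot opt"):
            cur["verbose"] = False                         # -nL column header
        else:
            rule = _parse_rule(line.split(), cur["verbose"])
            if rule is not None:
                cur["rules"].append(rule)
    return chains


def check_expected_state(chains, preferred_ips, entry_chain, custom="BLOCKLIST"):
    """Return a list of findings; an empty list means the state matches the post."""
    findings = []
    entry = chains.get(entry_chain)
    if entry is None:
        findings.append(f"{entry_chain}: chain not found")
    else:
        for ip in preferred_ips:
            if not any(r["target"] == "ACCEPT" and r["source"] == ip for r in entry["rules"]):
                findings.append(f"{entry_chain}: no ACCEPT rule for preferred source {ip}")
    chain = chains.get(custom)
    if chain is None:
        findings.append(f"{custom}: chain missing, so it was not published")
        return findings
    if not chain["references"]:
        # Nothing jumps to the chain, so no packet can ever reach its LOG/DROP rules.
        findings.append(f"{custom}: 0 references, no rule jumps to it")
    targets = [r["target"] for r in chain["rules"]]
    if targets != ["LOG", "DROP"]:
        findings.append(f"{custom}: expected LOG then DROP, got {targets}")
    elif "limit:" not in chain["rules"][0]["extra"]:
        findings.append(f"{custom}: LOG rule is not rate limited")
    return findings


# `shorewall show raw` from the post: the chain exists but nothing references it.
SHOW_RAW = """\
Chain PREROUTING (policy ACCEPT 49746 packets, 2017K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 80.32.1.20 0.0.0.0/0
0 0 ACCEPT all -- * * 217.125.25.169 0.0.0.0/0
Chain BLOCKLIST (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 10 LOG flags 0 level 4
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""
# `iptables -t filter -nL INPUT` from the post: -nL layout, and no BLOCKLIST at all.
SHOW_INPUT = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 80.32.1.20 0.0.0.0/0
ACCEPT all -- 217.125.25.169 0.0.0.0/0
"""
PREFERRED = ("80.32.1.20", "217.125.25.169")

if __name__ == "__main__":
    for label, text, entry in (("raw", SHOW_RAW, "PREROUTING"), ("filter", SHOW_INPUT, "INPUT")):
        for finding in check_expected_state(parse_iptables(text), PREFERRED, entry) or ["ok"]:
            print(f"{label}: {finding}")
```

Chain names such as PREROUTING repeat across the raw, nat and mangle tables, so run the parser on one table's section at a time rather than on a whole dump.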