(anonymous post) I have a simple 2 interface firewall setup and all is
good, almost. I am hosting virtual websites and DNS behind shorewall no
problem. However, I am trying to use SFTP via a different port number and
have had no luck, even though PuTTY works fine. Is there anything unusual
about SFTP and Shorewall? My lab uses a different firewall (Firestarter) and
there it works OK.
I am using:
DNAT net loc:192.168.20.10:22 tcp 522
I would also like to stop 169.254.0.0/16 from appearing in masq, but I can't
find where it is coming from.
As per the support instructions, I include all of the following:
[root@shields-svr00 shorewall]# shorewall version
2.0.10
[root@shields-svr00 shorewall]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:40:f4:af:06:a7 brd ff:ff:ff:ff:ff:ff
inet 202.159.16.150/28 brd 202.159.16.159 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:40:f4:af:02:08 brd ff:ff:ff:ff:ff:ff
inet 192.168.20.1/24 brd 192.168.20.255 scope global eth1
[root@shields-svr00 shorewall]# ip route show
202.159.16.144/28 dev eth0 scope link
192.168.20.0/24 dev eth1 scope link
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 202.159.16.145 dev eth0
[root@shields-svr00 shorewall]#
Matthew Hodgett
-------------- next part --------------
Shorewall-2.0.10 Status at shields-svr00.shields.shieldssecurity.com - Mon
Nov 29 18:47:40 WIT 2004
Counters reset Mon Nov 29 18:19:40 WIT 2004
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
63 8700 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
602 38984 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
618 85948 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
795 96621 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
0 0 fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
448 96464 fw2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:''
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Drop (1 references)
pkts bytes target prot opt in out source destination
63 8700 RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0
63 8700 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
43 2140 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
43 2140 DropSMB all -- * * 0.0.0.0/0 0.0.0.0/0
29 1464 DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0
29 1464 dropNotSyn all -- * * 0.0.0.0/0 0.0.0.0/0
28 1424 DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DropDNSrep (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53
Chain DropSMB (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:445
1 48 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:135
7 340 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:139
6 288 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:445
Chain DropUPnP (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
Chain Reject (4 references)
pkts bytes target prot opt in out source destination
0 0 RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 RejectSMB all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 dropNotSyn all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0
Chain RejectAuth (2 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
Chain RejectSMB (1 references)
pkts bytes target prot opt in out source destination
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:135
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:135
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:139
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:445
Chain all2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
20 6560 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
1 40 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:!0x16/0x02
Chain dynamic (4 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
17 949 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
17 949 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
611 85305 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
618 85948 net2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
63 8700 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
63 8700 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
43 2140 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
63 8700 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
2 160 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
788 95655 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
795 96621 loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
602 38984 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
602 38984 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
448 96464 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (0 references)
pkts bytes target prot opt in out source destination
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
602 38984 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
793 96461 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
2 160 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logflags (5 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 4 level 6 prefix `Shorewall:logflags:DROP:''
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
63 8700 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
28 1424 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
28 1424 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
63 8700 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
601 84999 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.20.10 tcp dpt:53
4 313 ACCEPT udp -- * * 0.0.0.0/0
192.168.20.10 udp dpt:53
13 636 ACCEPT tcp -- * * 0.0.0.0/0
192.168.20.10 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.20.10 tcp dpt:22
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain norfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 rfc1918 all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0
ctorigdst 172.16.0.0/12
0 0 rfc1918 all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0
ctorigdst 192.168.0.0/16
0 0 rfc1918 all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0
ctorigdst 10.0.0.0/8
Chain reject (11 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
0 0 DROP all -- * * 202.159.16.159 0.0.0.0/0
0 0 DROP all -- * * 192.168.20.255 0.0.0.0/0
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain rfc1918 (6 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:''
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 202.159.16.159 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 202.159.16.159 0.0.0.0/0
0 0 LOG all -- * * 192.168.20.255 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 192.168.20.255 0.0.0.0/0
0 0 LOG all -- * * 255.255.255.255 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 LOG all -- * * 224.0.0.0/4 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
Chain tcpflags (4 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:0 flags:0x16/0x02
Nov 29 18:41:32 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=13106 DF PROTO=TCP SPT=4754 DPT=1025
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:41:35 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=13180 DF PROTO=TCP SPT=4754 DPT=1025
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:41:41 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=13284 DF PROTO=TCP SPT=4754 DPT=1025
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:42:16 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=13580 DF PROTO=TCP SPT=4866 DPT=2745
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:42:19 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=13640 DF PROTO=TCP SPT=4866 DPT=2745
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:42:26 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=13751 DF PROTO=TCP SPT=4866 DPT=2745
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:42:38 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=13837 DF PROTO=TCP SPT=4921 DPT=5000
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:42:41 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=13920 DF PROTO=TCP SPT=4921 DPT=5000
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:42:47 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=14005 DF PROTO=TCP SPT=4921 DPT=5000
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:43:00 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=14113 DF PROTO=TCP SPT=3031 DPT=6129
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:43:03 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=14169 DF PROTO=TCP SPT=3031 DPT=6129
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:43:21 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=14294 DF PROTO=TCP SPT=3078 DPT=3140
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:43:24 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=14345 DF PROTO=TCP SPT=3078 DPT=3140
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:43:30 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=14411 DF PROTO=TCP SPT=3078 DPT=3140
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:43:54 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=14707 DF PROTO=TCP SPT=3158 DPT=31337
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:43:56 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=14729 DF PROTO=TCP SPT=3158 DPT=31337
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:44:02 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=14742 DF PROTO=TCP SPT=3158 DPT=31337
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:44:16 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=14965 DF PROTO=TCP SPT=3213 DPT=443
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:44:19 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=14991 DF PROTO=TCP SPT=3213 DPT=443
WINDOW=3216 RES=0x00 SYN URGP=0
Nov 29 18:44:25 net2all:DROP:IN=eth0 OUT= SRC=202.159.251.31 DST=202.159.16.150
LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=15062 DF PROTO=TCP SPT=3213 DPT=443
WINDOW=3216 RES=0x00 SYN URGP=0
NAT Table
Chain PREROUTING (policy ACCEPT 36335 packets, 5238K bytes)
pkts bytes target prot opt in out source destination
116 14886 net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 5732 packets, 369K bytes)
pkts bytes target prot opt in out source destination
2 160 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 55 packets, 3768 bytes)
pkts bytes target prot opt in out source destination
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
2 160 MASQUERADE all -- * * 192.168.20.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 169.254.0.0/16 0.0.0.0/0
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53 to:192.168.20.10
4 313 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53 to:192.168.20.10
13 636 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80 to:192.168.20.10
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:522 to:192.168.20.10:22
Mangle Table
Chain PREROUTING (policy ACCEPT 196K packets, 78M bytes)
pkts bytes target prot opt in out source destination
2121 236K pretos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 32332 packets, 3741K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 149K packets, 73M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 13627 packets, 4087K bytes)
pkts bytes target prot opt in out source destination
450 96712 outtos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 163K packets, 77M bytes)
pkts bytes target prot opt in out source destination
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 TOS set 0x10
450 96712 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
605 39136 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 TOS set 0x10
697 50476 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:20 TOS set 0x08
tcp 6 431989 ESTABLISHED src=202.159.16.149 dst=202.159.16.150 sport=55936
dport=522 src=192.168.20.10 dst=202.159.16.149 sport=22 dport=55936 [ASSURED]
use=1
tcp 6 431989 ESTABLISHED src=192.168.20.10 dst=192.168.20.1 sport=33128
dport=22 src=192.168.20.1 dst=192.168.20.10 sport=22 dport=33128 [ASSURED] use=1
IP Configuration
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:40:f4:af:06:a7 brd ff:ff:ff:ff:ff:ff
inet 202.159.16.150/28 brd 202.159.16.159 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:40:f4:af:02:08 brd ff:ff:ff:ff:ff:ff
inet 192.168.20.1/24 brd 192.168.20.255 scope global eth1
/proc
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 1
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
Routing Rules
0: from all lookup local
32766: from all lookup main
32767: from all lookup 253
Table local:
broadcast 202.159.16.144 dev eth0 proto kernel scope link src 202.159.16.150
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.20.255 dev eth1 proto kernel scope link src 192.168.20.1
local 202.159.16.150 dev eth0 proto kernel scope host src 202.159.16.150
broadcast 192.168.20.0 dev eth1 proto kernel scope link src 192.168.20.1
local 192.168.20.1 dev eth1 proto kernel scope host src 192.168.20.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 202.159.16.159 dev eth0 proto kernel scope link src 202.159.16.150
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
202.159.16.144/28 dev eth0 scope link
192.168.20.0/24 dev eth1 scope link
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 202.159.16.145 dev eth0
Table 253: