Hello All,
I'm having a problem with Masq with Shorewall. I recently upgraded my server from Redhat 7.3 to Redhat 9.0; Shorewall & Masq were working perfectly well before the upgrade. Since then, I've tried reinstalling and reconfiguring Shorewall, and editing as many relevant system files as I can find, with no success.

I believe the root of the problem is with DNS. My workstation times out when querying my ISP for DNS resolution. I did install named and ISC/BIND when I performed the upgrade, because I plan to eventually use the server for caching DNS. I can ping the Shorewall machine, and workstation vice-versa.

Also, one interesting note in my syslog. Shorewall is REJECTING packets on the traditional DNS ports, but it is peculiar in that it seems to be rejecting them from eth0 (internal NIC) to eth0 (internal NIC). Which I don't understand; it would make more sense to me if it was rejecting them from 192.168.1.5 (workstation) to eth0 (internal NIC).
Any help you can give would be appreciated!
Andrew
Shorewall Version: 1.4.8
Quick Start Guide, using two interfaces sample file*
*note, I did edit the file to make sure that my
external interface is eth1 and my internal interface
is eth0.
Redhat Linux 9.0 (recently upgraded from 7.3)
ip addr show:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:5a:09:aa:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:3e:66:47 brd ff:ff:ff:ff:ff:ff
    inet 68.98.149.50/22 brd 68.98.151.255 scope global eth1
ip route show:
192.168.1.0/24 dev eth0 scope link
68.98.148.0/22 dev eth1 proto kernel scope link src 68.98.149.50
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev eth0
/sbin/shorewall show log:
Shorewall-1.4.8 Log at lime - Tue Nov 25 19:40:17 EST 2003
Counters reset Tue Nov 25 19:32:14 EST 2003
Nov 24 22:37:51 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=2423 PROTO=UDP SPT=1225 DPT=53 LEN=42
Nov 24 22:37:53 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.25 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=2424 PROTO=UDP SPT=1225 DPT=53 LEN=42
Nov 24 22:37:53 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=2425 PROTO=UDP SPT=1225 DPT=53 LEN=42
Nov 24 22:37:57 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.25 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=2426 PROTO=UDP SPT=1225 DPT=53 LEN=42
Nov 24 22:37:57 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=2427 PROTO=UDP SPT=1225 DPT=53 LEN=42
Nov 24 22:38:05 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=2430 PROTO=UDP SPT=1226 DPT=53 LEN=48
Nov 24 22:38:06 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=2431 PROTO=UDP SPT=1226 DPT=53 LEN=48
Nov 24 22:38:06 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=2432 PROTO=UDP SPT=1226 DPT=53 LEN=48
Nov 24 22:42:48 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=2471 PROTO=UDP SPT=1227 DPT=53 LEN=42
Nov 24 22:42:49 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=2472 PROTO=UDP SPT=1227 DPT=53 LEN=42
Nov 24 22:45:58 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.25 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=2511 PROTO=UDP SPT=1229 DPT=53 LEN=48
Nov 24 22:45:59 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=2512 PROTO=UDP SPT=1229 DPT=53 LEN=48
Nov 24 22:46:01 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=2522 PROTO=UDP SPT=1229 DPT=53 LEN=48
Nov 24 22:46:03 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.25 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=2523 PROTO=UDP SPT=1229 DPT=53 LEN=48
Nov 24 22:46:03 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=2524 PROTO=UDP SPT=1229 DPT=53 LEN=48
Nov 24 22:46:07 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.25 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=2529 PROTO=UDP SPT=1229 DPT=53 LEN=48
Nov 24 22:46:07 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=2530 PROTO=UDP SPT=1229 DPT=53 LEN=48
Nov 24 22:46:15 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=2537 PROTO=UDP SPT=1230 DPT=53 LEN=48
Nov 24 22:46:16 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=2538 PROTO=UDP SPT=1230 DPT=53 LEN=48
Nov 24 22:46:17 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=2539 PROTO=UDP SPT=1230 DPT=53 LEN=48
status file:
Shorewall-1.4.8 Status at lime - Tue Nov 25 20:48:32 EST 2003
Counters reset Tue Nov 25 20:47:42 EST 2003
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
1 235 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
10 680 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
10 680 common all -- * * 0.0.0.0/0 0.0.0.0/0
10 680 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
10 680 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT udp -- * eth1 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 fw2net all -- * eth1 0.0.0.0/0 0.0.0.0/0
1 96 fw2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain all2all (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
1 235 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain common (5 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
1 235 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW
0 0 DROP all -- * * 0.0.0.0/0 68.98.151.255
0 0 DROP all -- * * 0.0.0.0/0 192.168.1.255
Chain dynamic (4 references)
pkts bytes target prot opt in out source destination

Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
10 680 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 loc2net all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
1 235 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
1 235 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0

Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 net2all all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
1 96 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination

Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10000
1 235 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain newnotsyn (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:newnotsyn:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject (11 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
11 915 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Nov 25 20:47:04 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.25 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16742 PROTO=UDP SPT=1931 DPT=53 LEN=48
Nov 25 20:47:04 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16743 PROTO=UDP SPT=1931 DPT=53 LEN=48
Nov 25 20:47:08 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.25 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16749 PROTO=UDP SPT=1931 DPT=53 LEN=48
Nov 25 20:47:08 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16750 PROTO=UDP SPT=1931 DPT=53 LEN=48
Nov 25 20:47:08 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16752 PROTO=UDP SPT=1932 DPT=53 LEN=48
Nov 25 20:47:09 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16754 PROTO=UDP SPT=1932 DPT=53 LEN=48
Nov 25 20:47:10 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16756 PROTO=UDP SPT=1932 DPT=53 LEN=48
Nov 25 20:47:16 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16767 PROTO=UDP SPT=1933 DPT=53 LEN=48
Nov 25 20:47:17 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16768 PROTO=UDP SPT=1933 DPT=53 LEN=48
Nov 25 20:47:18 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16769 PROTO=UDP SPT=1933 DPT=53 LEN=48
Nov 25 20:47:54 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.25 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16781 PROTO=UDP SPT=1936 DPT=53 LEN=48
Nov 25 20:47:55 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16782 PROTO=UDP SPT=1936 DPT=53 LEN=48
Nov 25 20:47:57 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16783 PROTO=UDP SPT=1936 DPT=53 LEN=48
Nov 25 20:47:59 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.25 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16784 PROTO=UDP SPT=1936 DPT=53 LEN=48
Nov 25 20:47:59 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16785 PROTO=UDP SPT=1936 DPT=53 LEN=48
Nov 25 20:48:03 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.25 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16786 PROTO=UDP SPT=1936 DPT=53 LEN=48
Nov 25 20:48:03 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16787 PROTO=UDP SPT=1936 DPT=53 LEN=48
Nov 25 20:48:11 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16790 PROTO=UDP SPT=1937 DPT=53 LEN=48
Nov 25 20:48:12 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16792 PROTO=UDP SPT=1937 DPT=53 LEN=48
Nov 25 20:48:13 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=68 TOS=0x00 PREC=0x00 TTL=127 ID=16793 PROTO=UDP SPT=1937 DPT=53 LEN=48
NAT Table
Chain PREROUTING (policy ACCEPT 13 packets, 971 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 eth1_masq all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain eth1_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 192.168.1.5 0.0.0.0/0

Mangle Table
Chain PREROUTING (policy ACCEPT 13 packets, 971 bytes)
pkts bytes target prot opt in out source destination
13 971 pretos all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 1 packets, 235 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 10 packets, 680 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 10 packets, 960 bytes)
pkts bytes target prot opt in out source destination
10 960 outtos all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 1 packets, 96 bytes)
pkts bytes target prot opt in out source destination

Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
-------------- next part --------------
#
# Shorewall 1.4.8 -- Sample Policy File For Two Interfaces
#
# /etc/shorewall/policy
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
#
# Columns are:
#
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# WARNING: Firewall->Firewall policies are not allowed; if
# you have a policy where both SOURCE and DEST are $FW,
# Shorewall will not start!
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE"
#
# ACCEPT
# Accept the connection
# DROP
# Ignore the connection request.
# REJECT
# For TCP, send RST. For all other, send
# "port unreachable" ICMP.
# CONTINUE
# Pass the connection request past
# any other rules that it might also
# match (where the source or destination
# zone in those rules is a superset of
# the SOURCE or DEST in this policy)
# NONE
# Assume that there will never be any
# packets from this SOURCE to this
# DEST. Shorewall will not set up any
# infrastructure to handle such packets
# and you may not have any rules with
# this SOURCE and DEST in the /etc/shorewall/rules
# file. If such a packet is received the result
# is undefined.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and sent to a separate log
# through use of ulogd (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "_" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# As shipped, the default policies are:
#
# a) All connections from the local network to the Internet are allowed
# b) All connections from the Internet are ignored but logged at syslog
# level KERNEL.INFO.
# c) All other connection requests are rejected and logged at level
# KERNEL.INFO.
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-------------- next part --------------
#
# Shorewall version 1.4.8 - Sample Rules File For Two Interfaces
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
#
# In most places where an IP address or subnet is allowed, you
# can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# Columns are:
#
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
# REDIRECT-, CONTINUE, LOG Or QUEUE.
#
# ACCEPT
# Allow the connection request
# DROP
# Ignore the request
# REJECT
# Disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT
# Forward the request to another
# system (and optionally another
# port).
# DNAT-
# Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT
# Redirect the request to a local
# port on the firewall.
# REDIRECT-
# Advanced users only.
# Like REDIRECT but only generates the
# REDIRECT iptables rule and not the
# companion ACCEPT rule.
# CONTINUE
# (For experts only). Do Not Process
# any of the following rules for this
# (source zone,destination zone). If
# the source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zones(s).
# LOG
# Simply log the packet and continue.
# QUEUE
# Queue the packet to a user-space
# application such as p2pwall.
#
# You may rate-limit the rule by optionally following
# ACCEPT, DNAT[-], REDIRECT[-] or LOG with
#
# < <rate>/<interval>[:<burst>] >
#
# Where <rate> is the number of connections per
# <interval> ("sec" or "min") and <burst> is the largest
# burst permitted. If no <burst> is given, a value of 5
# is assumed. There may be no whitespace embedded in the
# specification.
#
# Example:
# ACCEPT<10/sec:20>
#
# The ACTION (and rate limit) may optionally be followed by ":"
# and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging)
# This causes the packet to be logged at the specified level.
#
# NOTE: For those of you who prefer to place the rate limit in a separate column,
# see the RATE LIMIT column below. If you specify a value in that column you must include
# a rate limit in the action column.
#
# You may also specify ULOG (must be in upper case) as a
# log level. This will log to the ULOG target for routing
# to a separate log through use of ulogd.
# (http://www.gnumonks.org/projects/ulogd).
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!" and a comma-separated list of sub-zone names.
#
# Except when "all" is specified, clients may be further
# restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# Some Examples:
#
# net:155.186.235.1
# Host 155.186.235.1 on the Internet
#
# loc:192.168.1.0/24
# Subnet 192.168.1.0/24 on the
# Local Network
#
# net:155.186.235.1,155.186.235.2
# Hosts 155.186.235.1 and
# 155.186.235.2 on the Internet.
#
# loc:~00-A0-C9-15-39-78
# Host on the Local Network with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the
# interface name. For example, net:eth0 specifies a
# client that communicates with the firewall system
# through eth0. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., net:eth0:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all"
#
# Except when "all" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
# interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
# 3 You may not specify both an interface and
# an address.
#
# Unlike in the SOURCE column, you may specify a range of
# up to 256 IP addresses using the syntax
# <first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
# the connections will be assigned to the addresses in the
# range in a round-robin fashion.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modify the
# destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
#
# Example: net:155.186.235.1:25 specifies a Internet
# server at IP address 155.186.235.1 and listening on port
# 25. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# If the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following fields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# If your kernel contains multi-port match support, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (Optional -- only allowed if ACTION is DNAT[-] or
# REDIRECT[-]) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the DEST column.
#
# A comma-separated list of addresses may also be used.
# This is usually most useful with the REDIRECT target
# where you want to redirect traffic destined for
# a particular set of hosts.
#
# Finally, if the list of addresses begins with "!" then
# the rule will be followed only if the original
# destination address in the connection request does not
# match any of the addresses listed.
#
# The address may optionally be followed by
# a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall
# documentation for restrictions concerning this feature.
# If no source IP address is given, the original source
# address is not altered.
#
# RATE LIMIT You may rate-limit the rule by placing a value in this column:
#
# <rate>/<interval>[:<burst>]
#
# Where <rate> is the number of connections per <interval> ("sec"
# or "min") and <burst> is the largest burst permitted. If no
# <burst> is given, a value of 5 is assumed. There may be no
# whitespace embedded in the specification.
#
# Example:
# 10/sec:20
#
# If you place a rate limit in this column, you may not place
# a similar limit in the ACTION column.
#
# USER SET This Column may only be non-empty if the SOURCE is the firewall
# itself and the ACTION is ACCEPT, DROP or REJECT.
#
# The column may contain a user set name defined in the
# /etc/shorewall/usersets file or it may contain:
#
# [<user name or number>]:[<group name or number>]
#
# When this column is non-empty, the rule applies only if the
# program generating the output is running under the effective
# <user>(s) and/or <group>(s) specified. When a user set name is
# given, a log level may not be present in the ACTION column;
# logging for such rules is controlled by user set's entry in
# /etc/shorewall/usersets.
#
# Also by default all outbound loc -> net communications are allowed.
# You can change this behavior in the sample policy file.
#
# Example: Accept www requests to the firewall.
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# ACCEPT net fw tcp http
#
# Example: Accept SMTP requests from the Local Network to the Internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# ACCEPT loc net tcp smtp
#
# Example: Forward all ssh and http connection requests from the Internet
# to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the Internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# # PORT PORT(S) DEST LIMIT SET
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
##############################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST LIMIT SET
#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
#
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
#
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8
ACCEPT loc net icmp 8
#
ACCEPT loc fw tcp 10000
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
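The `shorewall show log` lines and the `ip route show` output in the post above fit one pattern: the default route is `default via 192.168.1.1 dev eth0`, the firewall's own internal address, so LAN packets for the ISP's name servers are routed back out eth0 and hit `FORWARD:REJECT` with `IN=eth0 OUT=eth0` instead of matching the loc->net chain (which only matches `OUT=eth1`). The script below is an added example, not part of Andrew's post or of Shorewall; it parses the log and `ip` output quoted in the post (trimmed copies are embedded as sample input) and flags both the hairpin rejects and a default route that does not leave via the external interface. The interface name `eth1` and the finding codes are this example's own assumptions.

```python
"""Diagnostic for the symptom in the post above.  Added example, not part
of the original mailing-list post or of Shorewall.  It parses the
'shorewall show log' lines and the 'ip addr'/'ip route' output and flags
two things a practitioner checks first: FORWARD rejects whose IN and OUT
interface are the same, and a default route that does not leave via the
external interface (or points at one of the host's own addresses)."""
import re
from collections import Counter

# Sample inputs: copied from the post and trimmed (constructed test data).
IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast qlen 100
    inet 68.98.149.50/22 brd 68.98.151.255 scope global eth1
"""
IP_ROUTE = """\
192.168.1.0/24 dev eth0 scope link
68.98.148.0/22 dev eth1 proto kernel scope link src 68.98.149.50
default via 192.168.1.1 dev eth0
"""
SHOREWALL_LOG = """\
Nov 24 22:37:51 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.30 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=2423 PROTO=UDP SPT=1225 DPT=53 LEN=42
Nov 24 22:37:53 FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=68.100.16.25 LEN=62 TOS=0x00 PREC=0x00 TTL=127 ID=2424 PROTO=UDP SPT=1225 DPT=53 LEN=42
"""

# 'shorewall show log' strips the syslog host/kernel prefix, leaving
# "<timestamp> <chain>:<disposition>:<key=value ...>".
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<chain>\w+):(?P<disp>\w+):(?P<kv>.*)$")


def parse_log(text):
    """Turn each log line into a dict of its key=value fields plus chain,
    disposition and timestamp.  LEN appears twice (IP header, then UDP);
    the last value wins, which does not matter for these checks."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        entry = {"ts": m["ts"], "chain": m["chain"], "disposition": m["disp"]}
        entry.update(re.findall(r"(\w+)=(\S*)", m["kv"]))
        entries.append(entry)
    return entries


def local_addresses(text):
    """Map interface name -> set of IPv4 addresses from 'ip addr show'."""
    addrs = {}
    for m in re.finditer(r"inet (\d+\.\d+\.\d+\.\d+)/\d+ .*?(\S+)[ \t]*$", text, re.M):
        addrs.setdefault(m.group(2), set()).add(m.group(1))
    return addrs


def default_route(text):
    """Return (gateway, device) of the default route, or (None, None)."""
    m = re.search(r"^default via (\S+) dev (\S+)", text, re.M)
    return (m.group(1), m.group(2)) if m else (None, None)


def diagnose(log_text, addr_text, route_text, external_if):
    """Return a list of (code, message) findings; an empty list is clean."""
    findings = []
    # 1. Forwarded packets that left on the interface they arrived on.
    #    Shorewall's loc->net chain only matches OUT=<external>, so these
    #    fall through to the FORWARD chain's LOG + reject.
    hairpin = Counter(
        (e["IN"], e.get("DPT", "?")) for e in parse_log(log_text)
        if e["chain"] == "FORWARD" and e.get("IN") and e["IN"] == e.get("OUT")
    )
    for (iface, dport), n in sorted(hairpin.items()):
        findings.append(("HAIRPIN",
                         f"{n} FORWARD packet(s) entered and left on {iface} "
                         f"(DPT={dport}); loc->net rules require OUT={external_if}"))
    # 2. The default route must leave via the external interface and must
    #    not point at an address this host itself owns.
    gw, dev = default_route(route_text)
    if dev is None:
        findings.append(("NO_DEFAULT", "no default route configured"))
    else:
        if dev != external_if:
            findings.append(("DEFAULT_DEV",
                             f"default route uses {dev}, expected {external_if}"))
        owner = next((i for i, a in local_addresses(addr_text).items() if gw in a), None)
        if owner:
            findings.append(("SELF_GATEWAY",
                             f"gateway {gw} is this host's own address on {owner}; "
                             f"packets are routed back toward the LAN"))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose(SHOREWALL_LOG, IP_ADDR, IP_ROUTE, "eth1"):
        print(f"[{code}] {msg}")
```

On a live box, feed it the output of `shorewall show log`, `ip addr show` and `ip route show` instead of the embedded samples; a clean result with a default route via eth1 is what the two-interface Quick Start setup expects.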