thr3ads.net - Shorewall devel - [Shorewall-devel] squid on DMZ using proxyarp [Sep 2004]

If this information is useful, please help other people find it:
Share via:

bodo

2004-Sep-21 06:30 UTC

[Shorewall-devel] squid on DMZ using proxyarp

sorry, i''m confuse where to post my problem..
i was post to shorewall-users, but must read to 
support.html
this''s my problem
-----------
  
i have squid running on DMZ zone
and my network using ProxyARP on eth1 and eth2
mylinuxbox slackware 9.2

my network can access to internet normal, but can''t
redirect to squid server from firewall.
sometimes my network can connect to squid and sometimes
bypass this squid server. i dont know what going on.
now.. my network bypass redirect to squid server.

my config file follow document on
Shorewall_Squid_Usage.html (Squid (transparent) Running
in
the DMZ)

----------

root@gdln:/tmp# shorewall version
2.0.8
root@gdln:/tmp# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc 
htb qlen 1000
     link/ether 00:10:4b:65:ff:27 brd ff:ff:ff:ff:ff:ff
     inet 202.124.35.35/28 brd 202.124.35.47 scope global 
eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 
1000
     link/ether 00:10:4b:66:c6:5f brd ff:ff:ff:ff:ff:ff
     inet 192.168.1.254/29 brd 192.168.1.255 scope global 
eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc 
pfifo_fast qlen 1000
     link/ether 00:05:5d:78:64:88 brd ff:ff:ff:ff:ff:ff
     inet 192.168.2.254/29 brd 192.168.2.255 scope global 
eth2
root@gdln:/tmp# ip route show
202.124.35.38 dev eth1  scope link
202.124.35.39 dev eth1  scope link
202.124.35.36 dev eth2  scope link
202.124.35.37 dev eth1  scope link
202.124.35.42 dev eth1  scope link
202.124.35.43 dev eth1  scope link
202.124.35.40 dev eth1  scope link
202.124.35.41 dev eth1  scope link
202.124.35.46 dev eth1  scope link
202.124.35.44 dev eth1  scope link
202.124.35.45 dev eth1  scope link
192.168.1.248/29 dev eth1  proto kernel  scope link  src 
192.168.1.254
192.168.2.248/29 dev eth2  proto kernel  scope link  src 
192.168.2.254
202.124.35.32/28 dev eth0  proto kernel  scope link  src 
202.124.35.35
127.0.0.0/8 dev lo  scope link
default via 202.124.35.33 dev eth0  metric 1

Counters reset Wed Sep 22 20:21:17 CIT 2004

Chain INPUT (policy DROP 1 packets, 72 bytes)
  pkts bytes target     prot opt in     out     source 
              destination
    18  2241 ACCEPT     all  --  lo     *       0.0.0.0/0 
           0.0.0.0/0
     0     0 DROP      !icmp --  *      *       0.0.0.0/0 
           0.0.0.0/0          state INVALID
   239 57749 eth0_in    all  --  eth0   *       0.0.0.0/0 
           0.0.0.0/0
69020 5750K eth1_in    all  --  eth1   *       0.0.0.0/0 
           0.0.0.0/0
   121 19329 eth2_in    all  --  eth2   *       0.0.0.0/0 
           0.0.0.0/0
     0     0 Reject     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
     0     0 reject     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain FORWARD (policy DROP 8 packets, 924 bytes)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 DROP      !icmp --  *      *       0.0.0.0/0 
           0.0.0.0/0          state INVALID
43951 9522K eth0_fwd   all  --  eth0   *       0.0.0.0/0 
           0.0.0.0/0
42821 2267K eth1_fwd   all  --  eth1   *       0.0.0.0/0 
           0.0.0.0/0
  3636  787K eth2_fwd   all  --  eth2   *       0.0.0.0/0 
           0.0.0.0/0
     0     0 Reject     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
     0     0 reject     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source 
              destination
    18  2241 ACCEPT     all  --  *      lo      0.0.0.0/0 
           0.0.0.0/0
     0     0 DROP      !icmp --  *      *       0.0.0.0/0 
           0.0.0.0/0          state INVALID
     0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0 
           0.0.0.0/0          udp dpts:67:68
   253 21599 fw2net     all  --  *      eth0    0.0.0.0/0 
           0.0.0.0/0
61649   12M fw2loc     all  --  *      eth1    0.0.0.0/0 
           0.0.0.0/0
   110 43464 fw2dmz     all  --  *      eth2    0.0.0.0/0 
           0.0.0.0/0
     0     0 Reject     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
     0     0 reject     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain AllowDNS (6 references)
  pkts bytes target     prot opt in     out     source 
              destination
     2   126 ACCEPT     udp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          udp dpt:53
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:53

Chain AllowFTP (3 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:21

Chain AllowPOP3 (2 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:110
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:995

Chain AllowPing (9 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 
           0.0.0.0/0          icmp type 8

Chain AllowSMTP (4 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:25

Chain AllowSSH (7 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:22

Chain AllowWeb (9 references)
  pkts bytes target     prot opt in     out     source 
              destination
    77  3972 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:80
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:443

Chain Drop (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
   167 12188 RejectAuth  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
   166 12128 dropBcast  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
   166 12128 dropInvalid  all  --  *      * 
      0.0.0.0/0            0.0.0.0/0
   166 12128 DropSMB    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
   166 12128 DropUPnP   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
   166 12128 dropNotSyn  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
   158 11800 DropDNSrep  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain DropDNSrep (2 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          udp spt:53

Chain DropSMB (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          udp dpt:135
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          udp dpts:137:139
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          udp dpt:445
     0     0 DROP       tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:135
     0     0 DROP       tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:139
     0     0 DROP       tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:445

Chain DropUPnP (2 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 DROP       udp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          udp dpt:1900

Chain Reject (4 references)
  pkts bytes target     prot opt in     out     source 
              destination
   100 10326 RejectAuth  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
   100 10326 dropBcast  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    60  6720 dropInvalid  all  --  *      * 
      0.0.0.0/0            0.0.0.0/0
    60  6720 RejectSMB  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    60  6720 DropUPnP   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    60  6720 dropNotSyn  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    60  6720 DropDNSrep  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain RejectAuth (2 references)
  pkts bytes target     prot opt in     out     source 
              destination
     1    60 reject     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:113

Chain RejectSMB (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 reject     udp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          udp dpt:135
     0     0 reject     udp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          udp dpts:137:139
     0     0 reject     udp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          udp dpt:445
     0     0 reject     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:135
     0     0 reject     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:139
     0     0 reject     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:445

Chain all2all (6 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state RELATED,ESTABLISHED
   100 10326 Reject     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    60  6720 reject     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain dmz2fw (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
    87 16941 ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state RELATED,ESTABLISHED
    34  2388 AllowSSH   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    34  2388 AllowPing  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    34  2388 AllowWeb   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    29  2088 AllowDNS   all  --  *      * 
      202.124.35.36        0.0.0.0/0
     0     0 ACCEPT     tcp  --  *      * 
      202.124.35.36        0.0.0.0/0          tcp dpt:3401
     0     0 ACCEPT     udp  --  *      * 
      202.124.35.36        0.0.0.0/0          udp dpt:3401
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:5555
    29  2088 all2all    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain dmz2loc (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
  2818  676K ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state RELATED,ESTABLISHED
     0     0 AllowPing  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
     0     0 all2all    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain dmz2net (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
   780  108K ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state RELATED,ESTABLISHED
    38  2286 AllowPing  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    38  2286 AllowWeb   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    20  1206 AllowSMTP  all  --  *      * 
      202.124.35.36        0.0.0.0/0
    20  1206 AllowDNS   all  --  *      * 
      202.124.35.36        0.0.0.0/0
    18  1080 ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain dropBcast (2 references)
  pkts bytes target     prot opt in     out     source 
              destination
    40  3606 DROP       all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          PKTTYPE = broadcast
     0     0 DROP       all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          PKTTYPE = multicast

Chain dropInvalid (2 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 DROP       all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state INVALID

Chain dropNotSyn (2 references)
  pkts bytes target     prot opt in     out     source 
              destination
     8   328 DROP       tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp flags:!0x16/0x02

Chain dynamic (6 references)
  pkts bytes target     prot opt in     out     source 
              destination

Chain eth0_fwd (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
   182 10988 dynamic    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state INVALID,NEW
   182 10988 norfc1918  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state NEW
43153 9147K net2loc    all  --  *      eth1    0.0.0.0/0 
           0.0.0.0/0
   798  375K net2dmz    all  --  *      eth2    0.0.0.0/0 
           0.0.0.0/0

Chain eth0_in (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
    39  3792 dynamic    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state INVALID,NEW
     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          udp dpts:67:68
    39  3792 norfc1918  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state NEW
   239 57749 net2fw     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain eth1_fwd (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
   295 15181 dynamic    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state INVALID,NEW
   295 15181 eth1_mac   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state NEW
39414 1929K loc2net    all  --  *      eth0    0.0.0.0/0 
           0.0.0.0/0
  3407  338K loc2dmz    all  --  *      eth2    0.0.0.0/0 
           0.0.0.0/0

Chain eth1_in (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
    11  1518 dynamic    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state INVALID,NEW
    11  1518 eth1_mac   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state NEW
69020 5750K loc2fw     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain eth1_mac (2 references)
  pkts bytes target     prot opt in     out     source 
              destination
    43  2634 RETURN     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          MAC 00:80:48:21:18:7C
     0     0 RETURN     all  --  *      * 
      202.124.35.38        0.0.0.0/0          MAC 
00:80:48:20:9D:9C
     8   897 RETURN     all  --  *      * 
      202.124.35.39        0.0.0.0/0          MAC 
00:10:C6:1B:DD:A5
   129  7740 RETURN     all  --  *      * 
      202.124.35.40        0.0.0.0/0          MAC 
00:02:2D:18:1D:DC
   123  5284 RETURN     all  --  *      * 
      202.124.35.41        0.0.0.0/0          MAC 
00:02:2D:8B:26:2D
     0     0 RETURN     all  --  *      * 
      202.124.35.45        0.0.0.0/0          MAC 
00:02:2D:B4:9B:F9
     0     0 RETURN     all  --  *      * 
      202.124.35.43        0.0.0.0/0          MAC 
00:02:2D:A6:A4:E0
     0     0 RETURN     all  --  *      * 
      202.124.35.44        0.0.0.0/0          MAC 
00:02:2D:5F:E5:51
     0     0 RETURN     all  --  *      * 
      202.124.35.42        0.0.0.0/0          MAC 
00:80:48:21:18:7C
     3   144 RETURN     all  --  *      * 
      202.124.35.46        0.0.0.0/0          MAC 
00:30:1A:04:BF:C0
     0     0 RETURN     all  --  *      * 
      192.168.1.254        192.168.1.255
     0     0 RETURN     all  --  *      * 
      192.168.1.248/29     255.255.255.255
     0     0 RETURN     all  --  *      * 
      192.168.1.248/29     224.0.0.0/4
     0     0 LOG        all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          LOG flags 0 level 6 prefix 
`Shorewall:eth1_mac:REJECT:''
     0     0 reject     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain eth2_fwd (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
    38  2286 dynamic    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state INVALID,NEW
   818  110K dmz2net    all  --  *      eth0    0.0.0.0/0 
           0.0.0.0/0
  2818  676K dmz2loc    all  --  *      eth1    0.0.0.0/0 
           0.0.0.0/0

Chain eth2_in (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
    34  2388 dynamic    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state INVALID,NEW
   121 19329 dmz2fw     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain fw2dmz (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
    77 39681 ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state RELATED,ESTABLISHED
    33  3783 AllowSSH   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    33  3783 AllowPing  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    33  3783 AllowWeb   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    33  3783 AllowFTP   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
     3   423 AllowSMTP  all  --  *      *       0.0.0.0/0 
           202.124.35.36
     3   423 AllowDNS   all  --  *      *       0.0.0.0/0 
           202.124.35.36
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           202.124.35.36      tcp dpt:3401
     3   423 ACCEPT     udp  --  *      *       0.0.0.0/0 
           202.124.35.36      udp dpt:3401
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:6666
    30  3360 all2all    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain fw2loc (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
61619   12M ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state RELATED,ESTABLISHED
    30  3360 AllowPing  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    30  3360 all2all    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain fw2net (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
   188 15725 ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state RELATED,ESTABLISHED
    65  5874 AllowPing  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    65  5874 ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain icmpdef (0 references)
  pkts bytes target     prot opt in     out     source 
              destination

Chain loc2dmz (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
  3375  337K ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state RELATED,ESTABLISHED
    32  1536 AllowSSH   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    32  1536 AllowWeb   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    32  1536 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:3128
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:10000
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:20000
     0     0 AllowSMTP  all  --  *      *       0.0.0.0/0 
           202.124.35.36
     0     0 AllowPOP3  all  --  *      *       0.0.0.0/0 
           202.124.35.36
     0     0 AllowWeb   all  --  *      *       0.0.0.0/0 
           202.124.35.36
     0     0 AllowDNS   all  --  *      *       0.0.0.0/0 
           202.124.35.36
     0     0 all2all    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain loc2fw (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
69009 5749K ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state RELATED,ESTABLISHED
    11  1518 AllowSSH   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    11  1518 AllowSSH   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    11  1518 AllowPing  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    11  1518 AllowWeb   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:10000
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:20000
    11  1518 AllowFTP   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    11  1518 all2all    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain loc2net (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
39151 1915K ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state RELATED,ESTABLISHED
   263 13645 ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain net2all (3 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state RELATED,ESTABLISHED
   167 12188 Drop       all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
   158 11800 LOG        all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          LOG flags 0 level 6 prefix 
`Shorewall:net2all:DROP:''
   158 11800 DROP       all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain net2dmz (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
   743  372K ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state RELATED,ESTABLISHED
    55  2624 AllowSSH   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    55  2624 AllowWeb   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
     2    80 AllowFTP   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
     2    80 AllowSMTP  all  --  *      *       0.0.0.0/0 
           202.124.35.36
     2    80 AllowPOP3  all  --  *      *       0.0.0.0/0 
           202.124.35.36
     2    80 AllowWeb   all  --  *      *       0.0.0.0/0 
           202.124.35.36
     2    80 AllowDNS   all  --  *      *       0.0.0.0/0 
           202.124.35.36
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:6666
     2    80 net2all    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain net2fw (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
   200 53957 ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state RELATED,ESTABLISHED
    39  3792 AllowSSH   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    39  3792 AllowPing  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    39  3792 AllowWeb   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
    38  3744 AllowDNS   all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:5555
    38  3744 net2all    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain net2loc (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
43026 9139K ACCEPT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          state RELATED,ESTABLISHED
   127  8364 AllowPing  all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
   127  8364 net2all    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain norfc1918 (2 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 rfc1918    all  --  *      * 
      172.16.0.0/12        0.0.0.0/0
     0     0 rfc1918    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          ctorigdst 172.16.0.0/12
     0     0 rfc1918    all  --  *      * 
      192.168.0.0/16       0.0.0.0/0
     0     0 rfc1918    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          ctorigdst 192.168.0.0/16
     0     0 rfc1918    all  --  *      *       10.0.0.0/8 
          0.0.0.0/0
     0     0 rfc1918    all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          ctorigdst 10.0.0.0/8

Chain reject (12 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 DROP       all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          PKTTYPE = broadcast
     0     0 DROP       all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          PKTTYPE = multicast
     0     0 DROP       all  --  *      * 
      202.124.35.47        0.0.0.0/0
     0     0 DROP       all  --  *      * 
      192.168.1.255        0.0.0.0/0
     0     0 DROP       all  --  *      * 
      192.168.2.255        0.0.0.0/0
     0     0 DROP       all  --  *      * 
      255.255.255.255      0.0.0.0/0
     0     0 DROP       all  --  *      * 
      224.0.0.0/4          0.0.0.0/0
     1    60 REJECT     tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          reject-with tcp-reset
    60  6720 REJECT     udp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          reject-with 
icmp-port-unreachable
     0     0 REJECT     icmp --  *      *       0.0.0.0/0 
           0.0.0.0/0          reject-with 
icmp-host-unreachable
     0     0 REJECT     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          reject-with 
icmp-host-prohibited

Chain rfc1918 (6 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 LOG        all  --  *      *       0.0.0.0/0 
           0.0.0.0/0          LOG flags 0 level 6 prefix 
`Shorewall:rfc1918:DROP:''
     0     0 DROP       all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain shorewall (0 references)
  pkts bytes target     prot opt in     out     source 
              destination

Chain smurfs (0 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 LOG        all  --  *      * 
      202.124.35.47        0.0.0.0/0          LOG flags 0 
level 6 prefix `Shorewall:smurfs:DROP:''
     0     0 DROP       all  --  *      * 
      202.124.35.47        0.0.0.0/0
     0     0 LOG        all  --  *      * 
      192.168.1.255        0.0.0.0/0          LOG flags 0 
level 6 prefix `Shorewall:smurfs:DROP:''
     0     0 DROP       all  --  *      * 
      192.168.1.255        0.0.0.0/0
     0     0 LOG        all  --  *      * 
      192.168.2.255        0.0.0.0/0          LOG flags 0 
level 6 prefix `Shorewall:smurfs:DROP:''
     0     0 DROP       all  --  *      * 
      192.168.2.255        0.0.0.0/0
     0     0 LOG        all  --  *      * 
      255.255.255.255      0.0.0.0/0          LOG flags 0 
level 6 prefix `Shorewall:smurfs:DROP:''
     0     0 DROP       all  --  *      * 
      255.255.255.255      0.0.0.0/0
     0     0 LOG        all  --  *      * 
      224.0.0.0/4          0.0.0.0/0          LOG flags 0 
level 6 prefix `Shorewall:smurfs:DROP:''
     0     0 DROP       all  --  *      * 
      224.0.0.0/4          0.0.0.0/0

Sep 22 20:34:53 net2all:DROP:IN=eth0 OUT=eth1 
SRC=204.152.186.58 DST=202.124.35.39 LEN=60 TOS=0x00 
PREC=0x00 TTL=51 ID=34667 DF PROTO=TCP SPT=3915 DPT=23 
WINDOW=57344 RES=0x00 SYN URGP=0
Sep 22 20:34:56 net2all:DROP:IN=eth0 OUT=eth1 
SRC=204.152.186.58 DST=202.124.35.39 LEN=60 TOS=0x00 
PREC=0x00 TTL=51 ID=35096 DF PROTO=TCP SPT=3915 DPT=23 
WINDOW=57344 RES=0x00 SYN URGP=0
Sep 22 20:34:59 net2all:DROP:IN=eth0 OUT=eth1 
SRC=204.152.186.58 DST=202.124.35.39 LEN=60 TOS=0x00 
PREC=0x00 TTL=51 ID=35577 DF PROTO=TCP SPT=3915 DPT=23 
WINDOW=57344 RES=0x00 SYN URGP=0
Sep 22 20:35:02 net2all:DROP:IN=eth0 OUT=eth1 
SRC=204.152.186.58 DST=202.124.35.39 LEN=44 TOS=0x00 
PREC=0x00 TTL=51 ID=35998 DF PROTO=TCP SPT=3915 DPT=23 
WINDOW=57344 RES=0x00 SYN URGP=0
Sep 22 20:35:05 net2all:DROP:IN=eth0 OUT=eth1 
SRC=204.152.186.58 DST=202.124.35.39 LEN=44 TOS=0x00 
PREC=0x00 TTL=51 ID=36400 DF PROTO=TCP SPT=3915 DPT=23 
WINDOW=57344 RES=0x00 SYN URGP=0
Sep 22 20:35:08 net2all:DROP:IN=eth0 OUT=eth1 
SRC=204.152.186.58 DST=202.124.35.39 LEN=44 TOS=0x00 
PREC=0x00 TTL=51 ID=36750 DF PROTO=TCP SPT=3915 DPT=23 
WINDOW=57344 RES=0x00 SYN URGP=0
Sep 22 20:35:13 net2all:DROP:IN=eth0 OUT=eth1 
SRC=82.161.136.81 DST=202.124.35.46 LEN=60 TOS=0x00 
PREC=0x00 TTL=45 ID=4653 DF PROTO=TCP SPT=15661 DPT=4662 
WINDOW=5840 RES=0x00 SYN URGP=0
Sep 22 20:35:14 net2all:DROP:IN=eth0 OUT=eth1 
SRC=204.152.186.58 DST=202.124.35.39 LEN=44 TOS=0x00 
PREC=0x00 TTL=51 ID=37425 DF PROTO=TCP SPT=3915 DPT=23 
WINDOW=57344 RES=0x00 SYN URGP=0
Sep 22 20:35:19 net2all:DROP:IN=eth0 OUT=eth1 
SRC=82.161.136.81 DST=202.124.35.46 LEN=60 TOS=0x00 
PREC=0x00 TTL=45 ID=4654 DF PROTO=TCP SPT=15661 DPT=4662 
WINDOW=5840 RES=0x00 SYN URGP=0
Sep 22 20:35:23 net2all:DROP:IN=eth0 OUT= 
SRC=202.124.35.35 DST=202.124.35.47 LEN=112 TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=520 DPT=520 LEN=92
Sep 22 20:35:26 net2all:DROP:IN=eth0 OUT=eth1 
SRC=204.152.186.58 DST=202.124.35.39 LEN=44 TOS=0x00 
PREC=0x00 TTL=51 ID=38962 DF PROTO=TCP SPT=3915 DPT=23 
WINDOW=57344 RES=0x00 SYN URGP=0
Sep 22 20:35:31 net2all:DROP:IN=eth0 OUT=eth1 
SRC=82.161.136.81 DST=202.124.35.46 LEN=60 TOS=0x00 
PREC=0x00 TTL=45 ID=4655 DF PROTO=TCP SPT=15661 DPT=4662 
WINDOW=5840 RES=0x00 SYN URGP=0
Sep 22 20:35:39 net2all:DROP:IN=eth0 OUT=eth1 
SRC=204.152.186.58 DST=202.124.35.39 LEN=60 TOS=0x00 
PREC=0x00 TTL=51 ID=40563 DF PROTO=TCP SPT=4762 DPT=6667 
WINDOW=57344 RES=0x00 SYN URGP=0
Sep 22 20:35:42 net2all:DROP:IN=eth0 OUT=eth1 
SRC=204.152.186.58 DST=202.124.35.39 LEN=60 TOS=0x00 
PREC=0x00 TTL=51 ID=41062 DF PROTO=TCP SPT=4762 DPT=6667 
WINDOW=57344 RES=0x00 SYN URGP=0
Sep 22 20:35:45 net2all:DROP:IN=eth0 OUT=eth1 
SRC=204.152.186.58 DST=202.124.35.39 LEN=60 TOS=0x00 
PREC=0x00 TTL=51 ID=41576 DF PROTO=TCP SPT=4762 DPT=6667 
WINDOW=57344 RES=0x00 SYN URGP=0
Sep 22 20:35:48 net2all:DROP:IN=eth0 OUT=eth1 
SRC=204.152.186.58 DST=202.124.35.39 LEN=44 TOS=0x00 
PREC=0x00 TTL=51 ID=42006 DF PROTO=TCP SPT=4762 DPT=6667 
WINDOW=57344 RES=0x00 SYN URGP=0
Sep 22 20:35:51 net2all:DROP:IN=eth0 OUT=eth1 
SRC=204.152.186.58 DST=202.124.35.39 LEN=44 TOS=0x00 
PREC=0x00 TTL=51 ID=42438 DF PROTO=TCP SPT=4762 DPT=6667 
WINDOW=57344 RES=0x00 SYN URGP=0
Sep 22 20:35:53 net2all:DROP:IN=eth0 OUT= 
SRC=202.124.35.35 DST=202.124.35.47 LEN=112 TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=520 DPT=520 LEN=92
Sep 22 20:35:54 net2all:DROP:IN=eth0 OUT=eth1 
SRC=204.152.186.58 DST=202.124.35.39 LEN=44 TOS=0x00 
PREC=0x00 TTL=51 ID=42785 DF PROTO=TCP SPT=4762 DPT=6667 
WINDOW=57344 RES=0x00 SYN URGP=0
Sep 22 20:36:00 net2all:DROP:IN=eth0 OUT=eth1 
SRC=204.152.186.58 DST=202.124.35.39 LEN=44 TOS=0x00 
PREC=0x00 TTL=51 ID=43620 DF PROTO=TCP SPT=4762 DPT=6667 
WINDOW=57344 RES=0x00 SYN URGP=0

NAT Table

Chain PREROUTING (policy ACCEPT 456K packets, 24M bytes)
  pkts bytes target     prot opt in     out     source 
              destination

Chain POSTROUTING (policy ACCEPT 421K packets, 21M bytes)
  pkts bytes target     prot opt in     out     source 
              destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source 
              destination

Mangle Table

Chain PREROUTING (policy ACCEPT 4589K packets, 823M bytes)
  pkts bytes target     prot opt in     out     source 
              destination
  160K   18M pretos     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0
  6259  489K MARK       tcp  --  eth1   *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:80 MARK set 0xca

Chain INPUT (policy ACCEPT 166K packets, 15M bytes)
  pkts bytes target     prot opt in     out     source 
              destination

Chain FORWARD (policy ACCEPT 4407K packets, 807M bytes)
  pkts bytes target     prot opt in     out     source 
              destination

Chain OUTPUT (policy ACCEPT 202K packets, 38M bytes)
  pkts bytes target     prot opt in     out     source 
              destination
62058   13M outtos     all  --  *      *       0.0.0.0/0 
           0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 4584K packets, 844M 
bytes)
  pkts bytes target     prot opt in     out     source 
              destination

Chain outtos (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:22 TOS set 0x10
61647   12M TOS        tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp spt:22 TOS set 0x10
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:21 TOS set 0x10
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp spt:21 TOS set 0x10
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp spt:20 TOS set 0x08
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
  pkts bytes target     prot opt in     out     source 
              destination
72081 6028K TOS        tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:22 TOS set 0x10
  2357  369K TOS        tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp spt:22 TOS set 0x10
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:21 TOS set 0x10
     5   200 TOS        tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp spt:21 TOS set 0x10
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp spt:20 TOS set 0x08
     0     0 TOS        tcp  --  *      *       0.0.0.0/0 
           0.0.0.0/0          tcp dpt:20 TOS set 0x08

tcp      6 66 TIME_WAIT src=202.124.35.41 dst=64.41.73.139 
sport=4710 dport=80 src=64.41.73.139 dst=202.124.35.41 
sport=80 dport=4710 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=202.124.35.41 
dst=64.233.171.104 sport=4702 dport=80 src=64.233.171.104 
dst=202.124.35.41 sport=80 dport=4702 [ASSURED] use=1
tcp      6 431995 ESTABLISHED src=202.124.35.37 
dst=201.224.87.98 sport=2568 dport=7000 src=201.224.87.98 
dst=202.124.35.37 sport=7000 dport=2568 [ASSURED] use=1
tcp      6 431995 ESTABLISHED src=202.124.35.35 
dst=201.224.87.98 sport=32787 dport=6667 src=201.224.87.98 
dst=202.124.35.35 sport=6667 dport=32787 [ASSURED] use=1
udp      17 138 src=202.124.35.40 dst=202.134.1.10 
sport=53 dport=53 src=202.134.1.10 dst=202.124.35.40 
sport=53 dport=53 [ASSURED] use=1
tcp      6 21 TIME_WAIT src=202.124.35.36 dst=66.102.7.104 
sport=1669 dport=80 src=66.102.7.104 dst=202.124.35.36 
sport=80 dport=1669 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=202.124.35.46 
dst=202.93.18.38 sport=3806 dport=5000 src=202.93.18.38 
dst=202.124.35.46 sport=5000 dport=3806 [ASSURED] use=1
tcp      6 12 TIME_WAIT src=202.124.35.36 dst=202.134.0.12 
sport=1663 dport=80 src=202.134.0.12 dst=202.124.35.36 
sport=80 dport=1663 [ASSURED] use=1
tcp      6 410993 ESTABLISHED src=202.124.35.39 
dst=206.190.38.28 sport=1027 dport=80 [UNREPLIED] 
src=206.190.38.28 dst=202.124.35.39 sport=80 dport=1027 
use=1
icmp     1 15 src=202.124.35.41 dst=66.94.230.47 type=8 
code=0 id=512 [UNREPLIED] src=66.94.230.47 
dst=202.124.35.41 type=0 code=0 id=512 use=1
tcp      6 76 TIME_WAIT src=65.54.188.86 dst=202.124.35.36 
sport=26893 dport=80 src=202.124.35.36 dst=65.54.188.86 
sport=80 dport=26893 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=202.124.35.46 
dst=202.93.18.38 sport=3771 dport=5000 src=202.93.18.38 
dst=202.124.35.46 sport=5000 dport=3771 [ASSURED] use=1
tcp      6 31 TIME_WAIT src=202.124.35.36 dst=202.134.0.12 
sport=1660 dport=80 src=202.134.0.12 dst=202.124.35.36 
sport=80 dport=1660 [ASSURED] use=1
tcp      6 415922 ESTABLISHED src=202.124.35.46 
dst=202.93.18.38 sport=3627 dport=5000 src=202.93.18.38 
dst=202.124.35.46 sport=5000 dport=3627 [ASSURED] use=1
tcp      6 411681 ESTABLISHED src=202.124.35.39 
dst=216.148.222.35 sport=1026 dport=25 src=216.148.222.35 
dst=202.124.35.39 sport=25 dport=1026 [ASSURED] use=1
udp      17 30 src=202.124.35.35 dst=202.134.0.155 
sport=32934 dport=53 src=202.134.0.155 dst=202.124.35.35 
sport=53 dport=32934 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=202.124.35.46 
dst=202.43.167.94 sport=3796 dport=5000 src=202.43.167.94 
dst=202.124.35.46 sport=5000 dport=3796 [ASSURED] use=1
tcp      6 44 TIME_WAIT src=202.124.35.40 
dst=64.152.73.238 sport=38027 dport=80 src=64.152.73.238 
dst=202.124.35.40 sport=80 dport=38027 [ASSURED] use=1
udp      17 74 src=202.124.35.35 dst=202.134.1.10 
sport=32934 dport=53 src=202.134.1.10 dst=202.124.35.35 
sport=53 dport=32934 [ASSURED] use=1
udp      17 122 src=202.124.35.41 dst=202.134.1.10 
sport=1039 dport=53 src=202.134.1.10 dst=202.124.35.41 
sport=53 dport=1039 [ASSURED] use=1
tcp      6 68 TIME_WAIT src=202.124.35.41 
dst=63.211.210.219 sport=4720 dport=80 src=63.211.210.219 
dst=202.124.35.41 sport=80 dport=4720 [ASSURED] use=1
udp      17 113 src=127.0.0.1 dst=127.0.0.1 sport=32935 
dport=161 src=127.0.0.1 dst=127.0.0.1 sport=161 
dport=32935 [ASSURED] use=1
tcp      6 415922 ESTABLISHED src=202.124.35.46 
dst=202.93.18.36 sport=3665 dport=5000 src=202.93.18.36 
dst=202.124.35.46 sport=5000 dport=3665 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=202.124.35.37 
dst=202.124.35.35 sport=2524 dport=22 src=202.124.35.35 
dst=202.124.35.37 sport=22 dport=2524 [ASSURED] use=1
tcp      6 52 TIME_WAIT src=202.124.35.41 dst=12.129.23.73 
sport=4700 dport=80 src=12.129.23.73 dst=202.124.35.41 
sport=80 dport=4700 [ASSURED] use=1
tcp      6 67 TIME_WAIT src=202.124.35.41 
dst=63.211.210.219 sport=4718 dport=80 src=63.211.210.219 
dst=202.124.35.41 sport=80 dport=4718 [ASSURED] use=1
tcp      6 11 TIME_WAIT src=202.124.35.36 dst=202.134.0.12 
sport=1661 dport=80 src=202.134.0.12 dst=202.124.35.36 
sport=80 dport=1661 [ASSURED] use=1
tcp      6 67 TIME_WAIT src=202.124.35.36 
dst=66.195.18.137 sport=1672 dport=2095 src=66.195.18.137 
dst=202.124.35.36 sport=2095 dport=1672 [ASSURED] use=1
tcp      6 64 TIME_WAIT src=202.124.35.41 dst=64.41.73.139 
sport=4708 dport=80 src=64.41.73.139 dst=202.124.35.41 
sport=80 dport=4708 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=202.124.35.46 
dst=202.43.167.94 sport=3722 dport=5000 src=202.43.167.94 
dst=202.124.35.46 sport=5000 dport=3722 [ASSURED] use=1
udp      17 113 src=192.168.2.254 dst=202.124.35.36 
sport=32935 dport=3401 src=202.124.35.36 dst=192.168.2.254 
sport=3401 dport=32935 [ASSURED] use=1
tcp      6 409884 ESTABLISHED src=202.124.35.39 
dst=203.201.214.130 sport=2875 dport=25 
src=203.201.214.130 dst=202.124.35.39 sport=25 dport=2875 
[ASSURED] use=1
tcp      6 431960 ESTABLISHED src=202.124.35.40 
dst=64.233.171.104 sport=38037 dport=80 src=64.233.171.104 
dst=202.124.35.40 sport=80 dport=38037 [ASSURED] use=1
tcp      6 4 TIME_WAIT src=202.124.35.37 dst=202.124.35.36 
sport=3398 dport=3128 src=202.124.35.36 dst=202.124.35.37 
sport=3128 dport=3398 [ASSURED] use=1
tcp      6 12 TIME_WAIT src=202.124.35.41 dst=64.14.49.46 
sport=4695 dport=80 src=64.14.49.46 dst=202.124.35.41 
sport=80 dport=4695 [ASSURED] use=1
tcp      6 45 TIME_WAIT src=202.124.35.36 
dst=202.124.35.35 sport=1670 dport=80 src=202.124.35.35 
dst=202.124.35.36 sport=80 dport=1670 [ASSURED] use=1
tcp      6 409691 ESTABLISHED src=202.124.35.39 
dst=164.109.25.248 sport=1032 dport=80 src=164.109.25.248 
dst=202.124.35.39 sport=80 dport=1032 [ASSURED] use=1
tcp      6 408863 ESTABLISHED src=202.124.35.41 
dst=202.10.32.3 sport=1741 dport=8352 src=202.10.32.3 
dst=202.124.35.41 sport=8352 dport=1741 [ASSURED] use=1
udp      17 140 src=202.124.35.35 dst=202.134.1.10 
sport=32935 dport=53 src=202.134.1.10 dst=202.124.35.35 
sport=53 dport=32935 [ASSURED] use=1
tcp      6 81 TIME_WAIT src=65.54.188.86 dst=202.124.35.36 
sport=28376 dport=80 src=202.124.35.36 dst=65.54.188.86 
sport=80 dport=28376 [ASSURED] use=1
tcp      6 425717 ESTABLISHED src=202.124.35.46 
dst=202.93.18.36 sport=3736 dport=5000 src=202.93.18.36 
dst=202.124.35.46 sport=5000 dport=3736 [ASSURED] use=1
udp      17 15 src=202.124.35.35 dst=202.124.35.47 
sport=520 dport=520 [UNREPLIED] src=202.124.35.47 
dst=202.124.35.35 sport=520 dport=520 use=1
tcp      6 70 TIME_WAIT src=202.124.35.41 dst=64.41.73.216 
sport=4714 dport=80 src=64.41.73.216 dst=202.124.35.41 
sport=80 dport=4714 [ASSURED] use=1
tcp      6 409701 ESTABLISHED src=202.124.35.39 
dst=164.109.25.248 sport=1027 dport=80 src=164.109.25.248 
dst=202.124.35.39 sport=80 dport=1027 [ASSURED] use=1
tcp      6 409120 ESTABLISHED src=202.124.35.41 
dst=62.241.53.2 sport=1495 dport=4242 src=62.241.53.2 
dst=202.124.35.41 sport=4242 dport=1495 [ASSURED] use=1
tcp      6 71 TIME_WAIT src=202.124.35.41 
dst=63.211.210.219 sport=4722 dport=80 src=63.211.210.219 
dst=202.124.35.41 sport=80 dport=4722 [ASSURED] use=1
tcp      6 47 TIME_WAIT src=202.124.35.41 
dst=64.233.171.104 sport=4664 dport=80 src=64.233.171.104 
dst=202.124.35.41 sport=80 dport=4664 [ASSURED] use=1
tcp      6 10 TIME_WAIT src=202.124.35.36 
dst=216.211.130.20 sport=1664 dport=80 src=216.211.130.20 
dst=202.124.35.36 sport=80 dport=1664 [ASSURED] use=1
tcp      6 431958 ESTABLISHED src=202.124.35.40 
dst=216.239.39.99 sport=38036 dport=80 src=216.239.39.99 
dst=202.124.35.40 sport=80 dport=38036 [ASSURED] use=1
tcp      6 431980 ESTABLISHED src=202.124.35.36 
dst=129.27.9.248 sport=1048 dport=6667 src=129.27.9.248 
dst=202.124.35.36 sport=6667 dport=1048 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=202.124.35.46 
dst=202.93.18.35 sport=3774 dport=5000 src=202.93.18.35 
dst=202.124.35.46 sport=5000 dport=3774 [ASSURED] use=1
udp      17 125 src=202.124.35.36 dst=202.134.1.10 
sport=1026 dport=53 src=202.134.1.10 dst=202.124.35.36 
sport=53 dport=1026 [ASSURED] use=1
tcp      6 410545 ESTABLISHED src=202.124.35.39 
dst=64.233.167.99 sport=1028 dport=80 src=64.233.167.99 
dst=202.124.35.39 sport=80 dport=1028 [ASSURED] use=1
tcp      6 78 TIME_WAIT src=202.124.35.40 
dst=66.218.71.101 sport=38035 dport=80 src=66.218.71.101 
dst=202.124.35.40 sport=80 dport=38035 [ASSURED] use=1
tcp      6 415922 ESTABLISHED src=202.124.35.46 
dst=202.93.18.35 sport=3643 dport=5000 src=202.93.18.35 
dst=202.124.35.46 sport=5000 dport=3643 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=202.124.35.46 
dst=202.93.18.36 sport=3802 dport=5000 src=202.93.18.36 
dst=202.124.35.46 sport=5000 dport=3802 [ASSURED] use=1
tcp      6 69 TIME_WAIT src=65.54.188.86 dst=202.124.35.36 
sport=25015 dport=80 src=202.124.35.36 dst=65.54.188.86 
sport=80 dport=25015 [ASSURED] use=1
tcp      6 417602 ESTABLISHED src=202.124.35.39 
dst=66.102.123.54 sport=1084 dport=25 [UNREPLIED] 
src=66.102.123.54 dst=202.124.35.39 sport=25 dport=1084 
use=1
tcp      6 431998 ESTABLISHED src=202.124.35.46 
dst=202.93.18.35 sport=3758 dport=5000 src=202.93.18.35 
dst=202.124.35.46 sport=5000 dport=3758 [ASSURED] use=1
tcp      6 409729 ESTABLISHED src=202.124.35.41 
dst=64.124.173.41 sport=1314 dport=21 src=64.124.173.41 
dst=202.124.35.41 sport=21 dport=1314 [ASSURED] use=2
icmp     1 29 src=202.124.35.40 dst=202.124.35.33 type=8 
code=0 id=55049 src=202.124.35.33 dst=202.124.35.40 type=0 
code=0 id=55049 use=1
tcp      6 7 TIME_WAIT src=202.124.35.41 dst=64.14.49.46 
sport=4694 dport=80 src=64.14.49.46 dst=202.124.35.41 
sport=80 dport=4694 [ASSURED] use=1
tcp      6 45 TIME_WAIT src=202.124.35.36 
dst=202.124.35.35 sport=1671 dport=80 src=202.124.35.35 
dst=202.124.35.36 sport=80 dport=1671 [ASSURED] use=1
tcp      6 409594 ESTABLISHED src=202.124.35.41 
dst=64.124.173.41 sport=1315 dport=29323 src=64.124.173.41 
dst=202.124.35.41 sport=29323 dport=1315 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=202.124.35.37 
dst=202.124.35.35 sport=2514 dport=22 src=202.124.35.35 
dst=202.124.35.37 sport=22 dport=2514 [ASSURED] use=1
tcp      6 103 TIME_WAIT src=202.124.35.41 
dst=216.127.33.119 sport=4712 dport=80 src=216.127.33.119 
dst=202.124.35.41 sport=80 dport=4712 [ASSURED] use=1
tcp      6 410713 ESTABLISHED src=202.124.35.39 
dst=64.233.167.99 sport=1029 dport=80 src=64.233.167.99 
dst=202.124.35.39 sport=80 dport=1029 [ASSURED] use=1
tcp      6 11 TIME_WAIT src=202.124.35.36 dst=202.134.0.12 
sport=1662 dport=80 src=202.134.0.12 dst=202.124.35.36 
sport=80 dport=1662 [ASSURED] use=1
tcp      6 66 TIME_WAIT src=202.124.35.37 
dst=202.124.35.36 sport=3405 dport=3128 src=202.124.35.36 
dst=202.124.35.37 sport=3128 dport=3405 [ASSURED] use=1
tcp      6 409265 ESTABLISHED src=202.124.35.39 
dst=203.201.214.130 sport=2823 dport=25 
src=203.201.214.130 dst=202.124.35.39 sport=25 dport=2823 
[ASSURED] use=1
tcp      6 409535 ESTABLISHED src=202.124.35.39 
dst=207.68.179.219 sport=1025 dport=80 src=207.68.179.219 
dst=202.124.35.39 sport=80 dport=1025 [ASSURED] use=1
tcp      6 431847 ESTABLISHED src=202.124.35.40 
dst=66.218.71.234 sport=38031 dport=443 src=66.218.71.234 
dst=202.124.35.40 sport=443 dport=38031 [ASSURED] use=1
tcp      6 414551 ESTABLISHED src=202.124.35.41 
dst=202.10.32.4 sport=1756 dport=8363 src=202.10.32.4 
dst=202.124.35.41 sport=8363 dport=1756 [ASSURED] use=1
tcp      6 5 TIME_WAIT src=202.124.35.36 dst=66.195.18.137 
sport=1668 dport=2095 src=66.195.18.137 dst=202.124.35.36 
sport=2095 dport=1668 [ASSURED] use=1
tcp      6 408271 ESTABLISHED src=202.124.35.43 
dst=65.75.132.10 sport=1291 dport=80 src=65.75.132.10 
dst=202.124.35.43 sport=80 dport=1291 [ASSURED] use=1
tcp      6 431693 ESTABLISHED src=202.124.35.39 
dst=216.155.193.184 sport=1304 dport=5050 
src=216.155.193.184 dst=202.124.35.39 sport=5050 
dport=1304 [ASSURED] use=1
tcp      6 73 TIME_WAIT src=65.54.188.86 dst=202.124.35.36 
sport=26055 dport=80 src=202.124.35.36 dst=65.54.188.86 
sport=80 dport=26055 [ASSURED] use=1
tcp      6 431932 ESTABLISHED src=192.168.2.254 
dst=202.124.35.36 sport=32788 dport=6666 src=202.124.35.36 
dst=192.168.2.254 sport=6666 dport=32788 [ASSURED] use=1
tcp      6 20 TIME_WAIT src=202.124.35.37 
dst=202.124.35.36 sport=3404 dport=3128 src=202.124.35.36 
dst=202.124.35.37 sport=3128 dport=3404 [ASSURED] use=1
tcp      6 82 TIME_WAIT src=202.124.35.40 
dst=64.233.171.104 sport=38038 dport=80 src=64.233.171.104 
dst=202.124.35.40 sport=80 dport=38038 [ASSURED] use=1
tcp      6 79 TIME_WAIT src=65.54.188.86 dst=202.124.35.36 
sport=27607 dport=80 src=202.124.35.36 dst=65.54.188.86 
sport=80 dport=27607 [ASSURED] use=1
tcp      6 46 TIME_WAIT src=65.54.188.86 dst=202.124.35.36 
sport=22686 dport=80 src=202.124.35.36 dst=65.54.188.86 
sport=80 dport=22686 [ASSURED] use=1
tcp      6 407089 ESTABLISHED src=202.124.35.38 
dst=66.195.18.137 sport=2197 dport=80 src=66.195.18.137 
dst=202.124.35.38 sport=80 dport=2197 [ASSURED] use=1

IP Configuration

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc 
htb qlen 1000
     link/ether 00:10:4b:65:ff:27 brd ff:ff:ff:ff:ff:ff
     inet 202.124.35.35/28 brd 202.124.35.47 scope global 
eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 
1000
     link/ether 00:10:4b:66:c6:5f brd ff:ff:ff:ff:ff:ff
     inet 192.168.1.254/29 brd 192.168.1.255 scope global 
eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc 
pfifo_fast qlen 1000
     link/ether 00:05:5d:78:64:88 brd ff:ff:ff:ff:ff:ff
     inet 192.168.2.254/29 brd 192.168.2.255 scope global 
eth2

Routing Rules

0:	from all lookup local
32765:	from all fwmark       ca lookup www.out
32766:	from all lookup main
32767:	from all lookup default

Table local:

local 192.168.2.254 dev eth2  proto kernel  scope host 
 src 192.168.2.254
local 202.124.35.35 dev eth0  proto kernel  scope host 
 src 202.124.35.35
broadcast 192.168.2.255 dev eth2  proto kernel  scope link 
 src 192.168.2.254
broadcast 127.255.255.255 dev lo  proto kernel  scope link 
 src 127.0.0.1
broadcast 202.124.35.32 dev eth0  proto kernel  scope link 
 src 202.124.35.35
broadcast 192.168.2.248 dev eth2  proto kernel  scope link 
 src 192.168.2.254
local 192.168.1.254 dev eth1  proto kernel  scope host 
 src 192.168.1.254
broadcast 192.168.1.255 dev eth1  proto kernel  scope link 
 src 192.168.1.254
broadcast 202.124.35.47 dev eth0  proto kernel  scope link 
 src 202.124.35.35
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 
127.0.0.1
broadcast 192.168.1.248 dev eth1  proto kernel  scope link 
 src 192.168.1.254
local 127.0.0.1 dev lo  proto kernel  scope host  src 
127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 
127.0.0.1

Table www.out:


Table main:

202.124.35.38 dev eth1  scope link
202.124.35.39 dev eth1  scope link
202.124.35.36 dev eth2  scope link
202.124.35.37 dev eth1  scope link
202.124.35.42 dev eth1  scope link
202.124.35.43 dev eth1  scope link
202.124.35.40 dev eth1  scope link
202.124.35.41 dev eth1  scope link
202.124.35.46 dev eth1  scope link
202.124.35.44 dev eth1  scope link
202.124.35.45 dev eth1  scope link
192.168.1.248/29 dev eth1  proto kernel  scope link  src 
192.168.1.254
192.168.2.248/29 dev eth2  proto kernel  scope link  src 
192.168.2.254
202.124.35.32/28 dev eth0  proto kernel  scope link  src 
202.124.35.35
127.0.0.0/8 dev lo  scope link
default via 202.124.35.33 dev eth0  metric 1

Table default:

root@gdln:/etc/shorewall# cat start
############################################################################
# Shorewall 2.0 -- /etc/shorewall/start
#
# Add commands below that you want to be executed after 
shorewall has
# been started or restarted.
#
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 
-j MARK --set-mark 202

tcrules file
202     eth1     0.0.0.0/0      tcp         80


root@gdln:/etc/shorewall# cat init
############################################################################
# Shorewall 2.0 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the 
beginning of
# a "shorewall start" or "shorewall restart" command.
#
if [ -z "`ip rule list | grep www.out`" ] ; then
         ip rule add fwmark CA table www.out # Note 0xCA = 
202
         ip route add default via 202.124.35.36 dev eth2 
table www.out
         ip route flush cache
fi

root@gdln:/etc/shorewall# cat /etc/iproute2/rt_tables
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
202 www.out


============================================Netkuis Instan untuk wilayah Bandung
(kode area 022) - SD,SMP,SMA
Berhadiah total puluhan juta rupiah... periode I dimulai 1 April 2004
=============================================

Tom Eastep

2004-Sep-21 08:05 UTC

head link

[Shorewall-devel] squid on DMZ using proxyarp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

bodo wrote:
| sorry, i''m confuse where to post my problem..
| i was post to shorewall-users, but must read to support.html


In the future, please post questions that don''t involve new 2.1
features
to the user''s list. I''ve updated
http://shorewall.net/support.htm to
reflect a new policy.

| this''s my problem
| -----------
|
| i have squid running on DMZ zone
| and my network using ProxyARP on eth1 and eth2
| mylinuxbox slackware 9.2
|
| my network can access to internet normal, but can''t
| redirect to squid server from firewall.
| sometimes my network can connect to squid and sometimes
| bypass this squid server. i dont know what going on.
| now.. my network bypass redirect to squid server.
|
| my config file follow document on
| Shorewall_Squid_Usage.html (Squid (transparent) Running
| in
| the DMZ)

|
| Routing Rules
|
| 0:    from all lookup local
| 32765:    from all fwmark       ca lookup www.out
| 32766:    from all lookup main
| 32767:    from all lookup default

That looks good.

|
| Table local:
|
| local 192.168.2.254 dev eth2  proto kernel  scope host src 192.168.2.254
| local 202.124.35.35 dev eth0  proto kernel  scope host src 202.124.35.35
| broadcast 192.168.2.255 dev eth2  proto kernel  scope link src
| 192.168.2.254
| broadcast 127.255.255.255 dev lo  proto kernel  scope link src 127.0.0.1
| broadcast 202.124.35.32 dev eth0  proto kernel  scope link src
| 202.124.35.35
| broadcast 192.168.2.248 dev eth2  proto kernel  scope link src
| 192.168.2.254
| local 192.168.1.254 dev eth1  proto kernel  scope host src 192.168.1.254
| broadcast 192.168.1.255 dev eth1  proto kernel  scope link src
| 192.168.1.254
| broadcast 202.124.35.47 dev eth0  proto kernel  scope link src
| 202.124.35.35
| broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
| broadcast 192.168.1.248 dev eth1  proto kernel  scope link src
| 192.168.1.254
| local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
| local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
|
| Table www.out:
|
|
| Table main:

That''s bad -- your www.out routing table had no entries!!!!

|
| root@gdln:/etc/shorewall# cat start
|
############################################################################

|
| # Shorewall 2.0 -- /etc/shorewall/start
| #
| # Add commands below that you want to be executed after shorewall has
| # been started or restarted.
| #
| iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 80 -j MARK
| --set-mark 202
|
| tcrules file
| 202     eth1     0.0.0.0/0      tcp         80

Why are you doing both???? One or the other would be sufficient.

|
|
| root@gdln:/etc/shorewall# cat init
|
############################################################################

|
| # Shorewall 2.0 -- /etc/shorewall/init
| #
| # Add commands below that you want to be executed at the beginning of
| # a "shorewall start" or "shorewall restart" command.
| #
| if [ -z "`ip rule list | grep www.out`" ] ; then
|         ip rule add fwmark CA table www.out # Note 0xCA = 202
|         ip route add default via 202.124.35.36 dev eth2 table www.out
|         ip route flush cache
| fi

Something you are doing is causing the default route in www.out to be
deleted after the above code is executed. Try changing your
/etc/shorewall/init to look like this:

~   if [ -z "`ip rule list | grep www.out`" ] ; then
~        ip rule add fwmark CA table www.out # Note 0xCA = 202
~        ip route flush cache
~   fi

~   ip route replace default via 202.124.35.36 dev eth2 table www.out

If that doesn''t work then you are going to have to determine what is
causing the route to be deleted -- and it will NOT be Shorewall that is
doing it.

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBUEMqO/MAbZfjDLIRAqbuAKCDxowV+UOjIwOQZ9GLAD/1P8tfcwCfTHlh
k5Dwdhpt5QFJG3MN1SB/vkw=yf3r
-----END PGP SIGNATURE-----

Possibly Parallel Threads

Search for more possibly parallel threads

Shorewall devel - Sep 2004 - squid on DMZ using proxyarp

[Shorewall-devel] squid on DMZ using proxyarp

[Shorewall-devel] squid on DMZ using proxyarp

Possibly Parallel Threads