Anatolius
2002-Nov-18 10:11 UTC
[Shorewall-users] ADSL pptp connection blocked until shorewall clear, pptp 10.0.0.138, pptp restart
Hi everybody,

I have installed Shorewall on the basis of the three-interface guide & script. My pptp ADSL connection gets started automatically at Mandrake 9.0 startup, and so does Shorewall (after eth0, eth1 and pptp). The pptp connection is blocked and I have to "shorewall clear", then restart the DSL connection by typing "pptp 10.0.0.138", and then "shorewall restart". And finally it works.

shorewall status before:

Shorewall-1.3.10 Status at mandrake.maison.ici - lun nov 18 10:14:37 CET 2002

Counters reset Mon Nov 18 10:09:01 CET 2002

Chain INPUT (policy DROP 3 packets, 397 bytes)
 pkts bytes target prot opt in out source destination
 90 6840 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 0 0 ppp0_in all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
 18698 3933K eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
 0 0 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 0 0 ppp0_fwd all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
 0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
 0 0 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 102 packets, 8574 bytes)
 pkts bytes target prot opt in out source destination
 90 6840 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
 2 88 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
 0 0 fw2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
 18981 7417K all2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
 4 660 fw2dmz all -- * eth1 0.0.0.0/0 0.0.0.0/0
 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:''
 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain all2all (5 references)
 pkts bytes target prot opt in out source destination
 18969 7414K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 12 2316 common all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain common (6 references)
 pkts bytes target prot opt in out source destination
 0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
 16 2976 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 reject-with icmp-port-unreachable
 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445 reject-with icmp-port-unreachable
 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
 0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255
 0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW
 0 0 DROP all -- * * 0.0.0.0/0 192.168.0.255
 0 0 DROP all -- * * 0.0.0.0/0 10.0.0.255

Chain dmz2loc (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
 0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain dmz2net (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
 0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain dynamic (6 references)
 pkts bytes target prot opt in out source destination

Chain eth0_fwd (1 references)
 pkts bytes target prot opt in out source destination
 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 loc2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
 0 0 loc2dmz all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target prot opt in out source destination
 18698 3933K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
 2 88 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
 18696 3933K loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target prot opt in out source destination
 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 dmz2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
 0 0 dmz2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target prot opt in out source destination
 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
 0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2dmz (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 4 660 common all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8

Chain loc2dmz (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
 0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target prot opt in out source destination
 18640 3924K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
 55 8841 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2all (3 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2dmz (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
 0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2loc (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
 0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain newnotsyn (11 references)
 pkts bytes target prot opt in out source destination
 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ppp0_fwd (1 references)
 pkts bytes target prot opt in out source destination
 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 net2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
 0 0 net2dmz all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain ppp0_in (1 references)
 pkts bytes target prot opt in out source destination
 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
 0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject (6 references)
 pkts bytes target prot opt in out source destination
 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain shorewall (0 references)
 pkts bytes target prot opt in out source destination

Nov 18 10:00:39 OUTPUT:REJECT:IN= OUT=ppp1 SRC=212.11.34.127 DST=192.203.230.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=40
Nov 18 10:00:41 OUTPUT:REJECT:IN= OUT=ppp1 SRC=212.11.34.127 DST=128.63.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=40
Nov 18 10:01:42 net2all:DROP:IN=ppp0 OUT= SRC=80.15.111.28 DST=212.11.34.127 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=40373 DF PROTO=TCP SPT=3840 DPT=4662 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 18 10:01:45 net2all:DROP:IN=ppp0 OUT= SRC=80.15.111.28 DST=212.11.34.127 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=40470 DF PROTO=TCP SPT=3840 DPT=4662 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 18 10:01:51 net2all:DROP:IN=ppp0 OUT= SRC=80.15.111.28 DST=212.11.34.127 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=40821 DF PROTO=TCP SPT=3840 DPT=4662 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 18 10:02:14 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=35284 DF PROTO=TCP SPT=3762 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:02:17 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=35544 DF PROTO=TCP SPT=3762 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:02:23 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=36032 DF PROTO=TCP SPT=3762 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:02:27 net2all:DROP:IN=ppp0 OUT= SRC=80.15.111.28 DST=212.11.34.127 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=43033 DF PROTO=TCP SPT=4199 DPT=4662 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 18 10:02:30 net2all:DROP:IN=ppp0 OUT= SRC=80.15.111.28 DST=212.11.34.127 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=43155 DF PROTO=TCP SPT=4199 DPT=4662 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 18 10:02:36 net2all:DROP:IN=ppp0 OUT= SRC=80.15.111.28 DST=212.11.34.127 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=43521 DF PROTO=TCP SPT=4199 DPT=4662 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 18 10:03:19 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=40176 DF PROTO=TCP SPT=4110 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:03:22 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=40432 DF PROTO=TCP SPT=4110 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:03:28 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=40902 DF PROTO=TCP SPT=4110 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:04:21 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=44485 DF PROTO=TCP SPT=4557 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:04:23 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=44679 DF PROTO=TCP SPT=4557 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:04:29 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=45054 DF PROTO=TCP SPT=4557 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:05:18 net2all:DROP:IN=ppp0 OUT= SRC=81.66.147.201 DST=212.11.34.127 LEN=60 TOS=0x02 PREC=0x00 TTL=55 ID=5120 DF PROTO=TCP SPT=4156 DPT=4662 WINDOW=32120 RES=0x00 SYN URGP=0
Nov 18 10:05:21 net2all:DROP:IN=ppp0 OUT= SRC=81.66.147.201 DST=212.11.34.127 LEN=60 TOS=0x02 PREC=0x00 TTL=55 ID=5483 DF PROTO=TCP SPT=4156 DPT=4662 WINDOW=32120 RES=0x00 SYN URGP=0
Nov 18 10:05:22 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=48555 DF PROTO=TCP SPT=4999 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0

Chain PREROUTING (policy ACCEPT 20 packets, 2508 bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 4 packets, 275 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ppp0_masq all -- * ppp0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 122 packets, 11825 bytes)
 pkts bytes target prot opt in out source destination

Chain ppp0_masq (1 references)
 pkts bytes target prot opt in out source destination
 0 0 MASQUERADE all -- * * 192.168.0.0/24 0.0.0.0/0

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

udp 17 176 src=10.0.0.10 dst=10.0.0.10 sport=32779 dport=53 src=10.0.0.10 dst=10.0.0.10 sport=53 dport=32779 [ASSURED] use=1
udp 17 156 src=192.168.0.100 dst=192.168.0.1 sport=137 dport=137 src=192.168.0.1 dst=192.168.0.100 sport=137 dport=137 [ASSURED] use=1
tcp 6 431709 ESTABLISHED src=192.168.0.100 dst=192.168.0.1 sport=1189 dport=139 src=192.168.0.1 dst=192.168.0.100 sport=139 dport=1189 [ASSURED] use=1
tcp 6 431985 ESTABLISHED src=192.168.0.100 dst=192.168.0.1 sport=1028 dport=139 src=192.168.0.1 dst=192.168.0.100 sport=139 dport=1028 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=192.168.0.100 dst=192.168.0.1 sport=1044 dport=5901 src=192.168.0.1 dst=192.168.0.100 sport=5901 dport=1044 [ASSURED] use=1
udp 17 126 src=10.0.0.10 dst=10.0.0.10 sport=32775 dport=53 src=10.0.0.10 dst=10.0.0.10 sport=53 dport=32775 [ASSURED] use=1
udp 17 141 src=192.168.0.100 dst=192.168.0.1 sport=138 dport=138 src=192.168.0.1 dst=192.168.0.100 sport=138 dport=138 [ASSURED] use=1
tcp 6 431998 ESTABLISHED src=192.168.0.100 dst=192.168.0.1 sport=1042 dport=22 src=192.168.0.1 dst=192.168.0.100 sport=22 dport=1042 [ASSURED] use=1

Shorewall status after:

Shorewall-1.3.10 Status at mandrake.maison.ici - lun nov 18 10:15:23 CET 2002

Counters reset Mon Nov 18 10:15:18 CET 2002

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 0 0 ppp0_in all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
 28 1350 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
 3 196 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 0 0 ppp0_fwd all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
 0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
 0 0 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 2 packets, 3000 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
 0 0 fw2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
 31 18134 all2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
 3 112 fw2dmz all -- * eth1 0.0.0.0/0 0.0.0.0/0
 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:''
 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain all2all (5 references)
 pkts bytes target prot opt in out source destination
 34 18330 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain common (6 references)
 pkts bytes target prot opt in out source destination
 0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 reject-with icmp-port-unreachable
 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445 reject-with icmp-port-unreachable
 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
 0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255
 0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW
 0 0 DROP all -- * * 0.0.0.0/0 192.168.0.255
 0 0 DROP all -- * * 0.0.0.0/0 10.0.0.255

Chain dmz2loc (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
 0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain dmz2net (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
 0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain dynamic (6 references)
 pkts bytes target prot opt in out source destination

Chain eth0_fwd (1 references)
 pkts bytes target prot opt in out source destination
 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 loc2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
 0 0 loc2dmz all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target prot opt in out source destination
 28 1350 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
 28 1350 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target prot opt in out source destination
 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 dmz2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
 0 0 dmz2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target prot opt in out source destination
 3 196 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
 3 196 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2dmz (1 references)
 pkts bytes target prot opt in out source destination
 3 112 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8

Chain loc2dmz (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
 0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target prot opt in out source destination
 28 1350 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2all (3 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2dmz (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
 0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2loc (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
 0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain newnotsyn (11 references)
 pkts bytes target prot opt in out source destination
 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ppp0_fwd (1 references)
 pkts bytes target prot opt in out source destination
 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 net2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
 0 0 net2dmz all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain ppp0_in (1 references)
 pkts bytes target prot opt in out source destination
 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
 0 0 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject (6 references)
 pkts bytes target prot opt in out source destination
 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain shorewall (0 references)
 pkts bytes target prot opt in out source destination

Nov 18 10:00:39 OUTPUT:REJECT:IN= OUT=ppp1 SRC=212.11.34.127 DST=192.203.230.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=40
Nov 18 10:00:41 OUTPUT:REJECT:IN= OUT=ppp1 SRC=212.11.34.127 DST=128.63.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=40
Nov 18 10:01:42 net2all:DROP:IN=ppp0 OUT= SRC=80.15.111.28 DST=212.11.34.127 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=40373 DF PROTO=TCP SPT=3840 DPT=4662 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 18 10:01:45 net2all:DROP:IN=ppp0 OUT= SRC=80.15.111.28 DST=212.11.34.127 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=40470 DF PROTO=TCP SPT=3840 DPT=4662 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 18 10:01:51 net2all:DROP:IN=ppp0 OUT= SRC=80.15.111.28 DST=212.11.34.127 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=40821 DF PROTO=TCP SPT=3840 DPT=4662 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 18 10:02:14 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=35284 DF PROTO=TCP SPT=3762 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:02:17 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=35544 DF PROTO=TCP SPT=3762 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:02:23 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=36032 DF PROTO=TCP SPT=3762 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:02:27 net2all:DROP:IN=ppp0 OUT= SRC=80.15.111.28 DST=212.11.34.127 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=43033 DF PROTO=TCP SPT=4199 DPT=4662 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 18 10:02:30 net2all:DROP:IN=ppp0 OUT= SRC=80.15.111.28 DST=212.11.34.127 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=43155 DF PROTO=TCP SPT=4199 DPT=4662 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 18 10:02:36 net2all:DROP:IN=ppp0 OUT= SRC=80.15.111.28 DST=212.11.34.127 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=43521 DF PROTO=TCP SPT=4199 DPT=4662 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 18 10:03:19 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=40176 DF PROTO=TCP SPT=4110 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:03:22 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=40432 DF PROTO=TCP SPT=4110 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:03:28 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=40902 DF PROTO=TCP SPT=4110 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:04:21 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=44485 DF PROTO=TCP SPT=4557 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:04:23 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=44679 DF PROTO=TCP SPT=4557 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:04:29 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=45054 DF PROTO=TCP SPT=4557 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:05:18 net2all:DROP:IN=ppp0 OUT= SRC=81.66.147.201 DST=212.11.34.127 LEN=60 TOS=0x02 PREC=0x00 TTL=55 ID=5120 DF PROTO=TCP SPT=4156 DPT=4662 WINDOW=32120 RES=0x00 SYN URGP=0
Nov 18 10:05:21 net2all:DROP:IN=ppp0 OUT= SRC=81.66.147.201 DST=212.11.34.127 LEN=60 TOS=0x02 PREC=0x00 TTL=55 ID=5483 DF PROTO=TCP SPT=4156 DPT=4662 WINDOW=32120 RES=0x00 SYN URGP=0
Nov 18 10:05:22 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=48555 DF PROTO=TCP SPT=4999 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0

Chain PREROUTING (policy ACCEPT 24 packets, 3009 bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 17 packets, 1448 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ppp0_masq all -- * ppp0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 135 packets, 12998 bytes)
 pkts bytes target prot opt in out source destination

Chain ppp0_masq (1 references)
 pkts bytes target prot opt in out source destination
 0 0 MASQUERADE all -- * * 192.168.0.0/24 0.0.0.0/0

Chain PREROUTING (policy ACCEPT 734 packets, 49015 bytes)
 pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 731 packets, 48775 bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1048 packets, 1022K bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 1047 packets, 1019K bytes)
 pkts bytes target prot opt in out source destination

udp 17 162 src=10.0.0.10 dst=10.0.0.10 sport=32779 dport=53 src=10.0.0.10 dst=10.0.0.10 sport=53 dport=32779 [ASSURED] use=1
udp 17 11 src=212.11.34.127 dst=192.33.4.12 sport=32769 dport=53 src=192.33.4.12 dst=212.11.34.127 sport=53 dport=32769 use=1
udp 17 9 src=212.11.34.127 dst=128.63.2.53 sport=32769 dport=53 [UNREPLIED] src=128.63.2.53 dst=212.11.34.127 sport=53 dport=32769 use=1
udp 17 111 src=192.168.0.100 dst=192.168.0.1 sport=137 dport=137 src=192.168.0.1 dst=192.168.0.100 sport=137 dport=137 [ASSURED] use=1
tcp 6 431664 ESTABLISHED src=192.168.0.100 dst=192.168.0.1 sport=1189 dport=139 src=192.168.0.1 dst=192.168.0.100 sport=139 dport=1189 [ASSURED] use=1
tcp 6 431967 ESTABLISHED src=192.168.0.100 dst=192.168.0.1 sport=1028 dport=139 src=192.168.0.1 dst=192.168.0.100 sport=139 dport=1028 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=192.168.0.100 dst=192.168.0.1 sport=1044 dport=5901 src=192.168.0.1 dst=192.168.0.100 sport=5901 dport=1044 [ASSURED] use=1
udp 17 3 src=10.0.0.10 dst=10.0.0.255 sport=138 dport=138 [UNREPLIED] src=10.0.0.255 dst=10.0.0.10 sport=138 dport=138 use=1
udp 17 10 src=192.168.0.1 dst=192.168.0.100 sport=53 dport=1041 [UNREPLIED] src=192.168.0.100 dst=192.168.0.1 sport=1041 dport=53 use=1
udp 17 157 src=10.0.0.10 dst=10.0.0.10 sport=32775 dport=53 src=10.0.0.10 dst=10.0.0.10 sport=53 dport=32775 [ASSURED] use=1
tcp 6 431968 ESTABLISHED src=10.0.0.10 dst=10.0.0.138 sport=32772 dport=1723 src=10.0.0.138 dst=10.0.0.10 sport=1723 dport=32772 [ASSURED] use=1
udp 17 3 src=192.168.0.100 dst=192.168.0.255 sport=138 dport=138 [UNREPLIED] src=192.168.0.255 dst=192.168.0.100 sport=138 dport=138 use=1
udp 17 153 src=192.168.0.100 dst=192.168.0.1 sport=138 dport=138 src=192.168.0.1 dst=192.168.0.100 sport=138 dport=138 [ASSURED] use=1
udp 17 166 src=212.11.34.127 dst=192.5.5.241 sport=32769 dport=53 src=192.5.5.241 dst=212.11.34.127 sport=53 dport=32769 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=192.168.0.100 dst=192.168.0.1 sport=1042 dport=22 src=192.168.0.1 dst=192.168.0.100 sport=22 dport=1042 [ASSURED] use=1
udp 17 166 src=212.11.34.127 dst=212.180.0.137 sport=32769 dport=53 src=212.180.0.137 dst=212.11.34.127 sport=53 dport=32769 [ASSURED] use=1
udp 17 16 src=10.0.0.10 dst=10.0.0.10 sport=53 dport=32776 [UNREPLIED] src=10.0.0.10 dst=10.0.0.10 sport=32776 dport=53 use=1
unknown 47 599 src=10.0.0.10 dst=10.0.0.138 src=10.0.0.138 dst=10.0.0.10 use=1
tcp 6 102 TIME_WAIT src=212.11.34.127 dst=212.180.1.61 sport=32773 dport=143 src=212.180.1.61 dst=212.11.34.127 sport=143 dport=32773 [ASSURED] use=1
udp 17 8 src=212.11.34.127 dst=128.9.0.107 sport=32769 dport=53 [UNREPLIED] src=128.9.0.107 dst=212.11.34.127 sport=53 dport=32769 use=1
udp 17 7 src=212.11.34.127 dst=192.203.230.10 sport=32769 dport=53 [UNREPLIED] src=192.203.230.10 dst=212.11.34.127 sport=53 dport=32769 use=1

eth0 is my internal interface with IP 192.168.0.1.
eth1 is the Ethernet card with IP 10.0.0.10 connected to the ADSL pptp modem (ppp0).

Thanks in advance for your help,
Anatole
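As an added example (not from the thread or from the Shorewall project): a small Python parser for the two record types in the status dump above that matter for a blocked-connection question, the netfilter LOG lines and the conntrack entries. The sample lines are copied from the post; the KNOWN_INTERFACES set and all function names are my own. It reports what the LOG rules are blocking and where, lists interfaces that appear in the log but in none of the per-interface chains (the OUTPUT:REJECT lines above carry OUT=ppp1, while every rule in the listing references ppp0), and checks the conntrack table for a complete PPTP session, which needs both the tcp/1723 control connection and the GRE (IP protocol 47) entry that the "after" dump shows between 10.0.0.10 and 10.0.0.138.

```python
"""Parse Shorewall 1.3 "shorewall status" records: netfilter LOG lines and
/proc/net/ip_conntrack entries.  Added example, not Shorewall code."""
import re
from collections import Counter

# Sample input copied from the status output in the post above.
SAMPLE_LOG = """\
Nov 18 10:00:39 OUTPUT:REJECT:IN= OUT=ppp1 SRC=212.11.34.127 DST=192.203.230.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=40
Nov 18 10:00:41 OUTPUT:REJECT:IN= OUT=ppp1 SRC=212.11.34.127 DST=128.63.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32769 DPT=53 LEN=40
Nov 18 10:01:42 net2all:DROP:IN=ppp0 OUT= SRC=80.15.111.28 DST=212.11.34.127 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=40373 DF PROTO=TCP SPT=3840 DPT=4662 WINDOW=60352 RES=0x00 SYN URGP=0
Nov 18 10:02:14 net2all:DROP:IN=ppp0 OUT= SRC=213.213.199.226 DST=212.11.34.127 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=35284 DF PROTO=TCP SPT=3762 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 18 10:05:18 net2all:DROP:IN=ppp0 OUT= SRC=81.66.147.201 DST=212.11.34.127 LEN=60 TOS=0x02 PREC=0x00 TTL=55 ID=5120 DF PROTO=TCP SPT=4156 DPT=4662 WINDOW=32120 RES=0x00 SYN URGP=0
"""
SAMPLE_CONNTRACK = """\
tcp 6 431968 ESTABLISHED src=10.0.0.10 dst=10.0.0.138 sport=32772 dport=1723 src=10.0.0.138 dst=10.0.0.10 sport=1723 dport=32772 [ASSURED] use=1
unknown 47 599 src=10.0.0.10 dst=10.0.0.138 src=10.0.0.138 dst=10.0.0.10 use=1
udp 17 9 src=212.11.34.127 dst=128.63.2.53 sport=32769 dport=53 [UNREPLIED] src=128.63.2.53 dst=212.11.34.127 sport=53 dport=32769 use=1
tcp 6 102 TIME_WAIT src=212.11.34.127 dst=212.180.1.61 sport=32773 dport=143 src=212.180.1.61 dst=212.11.34.127 sport=143 dport=32773 [ASSURED] use=1
"""

# Interfaces the rule set references (assumption, read off the chain listing:
# ppp0_in, eth0_in, eth1_in and the lo ACCEPT rules).
KNOWN_INTERFACES = {"lo", "ppp0", "eth0", "eth1"}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<fields>.*)$")


def parse_log_line(line):
    """One LOG line -> dict; None for lines that are not LOG records."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "chain": m.group("chain"),
           "disposition": m.group("disp"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            rec.setdefault(k, v)      # LEN= appears twice (IP, then UDP): keep the IP one
        else:
            rec["flags"].append(tok)  # DF, SYN, ...
    return rec


def parse_log(text):
    return [r for r in map(parse_log_line, text.splitlines()) if r]


def blocked_summary(records):
    """Count what is being blocked and where: (chain, disposition, PROTO, DPT)."""
    return Counter((r["chain"], r["disposition"], r.get("PROTO"), r.get("DPT"))
                   for r in records)


def unknown_interfaces(records, known=KNOWN_INTERFACES):
    """Interfaces named in IN=/OUT= that no per-interface chain covers.  A packet
    leaving on such an interface matches none of the fw2net/all2all/fw2dmz jumps
    in OUTPUT and falls through to that chain's catch-all LOG + reject."""
    seen = {r[key] for r in records for key in ("IN", "OUT") if r.get(key)}
    return sorted(seen - known)


def parse_conntrack_line(line):
    """One ip_conntrack line -> dict holding the original-direction tuple."""
    toks = line.split()
    if len(toks) < 4 or not toks[1].isdigit():
        return None
    rec = {"proto": toks[0], "proto_num": int(toks[1]),
           "timeout": int(toks[2]), "flags": []}
    for tok in toks[3:]:
        if tok.startswith("["):
            rec["flags"].append(tok.strip("[]"))  # ASSURED, UNREPLIED
        elif "=" in tok:
            k, _, v = tok.partition("=")
            rec.setdefault(k, v)   # second src/dst/... group is the reply direction
        elif tok.isupper():
            rec.setdefault("state", tok)          # ESTABLISHED, TIME_WAIT (tcp only)
    return rec


def parse_conntrack(text):
    return [r for r in map(parse_conntrack_line, text.splitlines()) if r]


def pptp_sessions(entries):
    """(client, server) pairs that have both a tcp/1723 control connection and a
    GRE (protocol 47) entry.  PPTP needs both; a firewall that passes only the
    TCP side leaves the link half-established."""
    control = {(e["src"], e["dst"]) for e in entries
               if e["proto"] == "tcp" and e.get("dport") == "1723"}
    gre = {(e["src"], e["dst"]) for e in entries if e["proto_num"] == 47}
    return sorted(control & gre)


if __name__ == "__main__":
    logs = parse_log(SAMPLE_LOG)
    for key, n in blocked_summary(logs).most_common():
        print(n, key)
    print("interfaces in log but not in rules:", unknown_interfaces(logs))
    print("PPTP sessions up:", pptp_sessions(parse_conntrack(SAMPLE_CONNTRACK)))
```

Run against the full "before" and "after" dumps, the interface check is the first thing to look at: the rejected packets went out on ppp1, and nothing in the listing knows about ppp1. The conntrack check is the second: only the "after" dump contains both the 1723 and the protocol 47 entries toward 10.0.0.138.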
Tom Eastep
2002-Nov-18 14:33 UTC
[Shorewall-users] ADSL pptp connection blocked until shorewall clear, pptp 10.0.0.138, pptp restart
--On Monday, November 18, 2002 11:11:59 AM +0100 Anatolius <anatolius@hotmail.com> wrote:

> Hi everybody,
>
> I have installed Shorewall on the basis of the three-interface guide &
> script. My pptp adsl connection gets automatically started on Mandrake
> 9.0 startup, Shorewall either (after eth0, eth1 and pptp). The pptp
> connection is blocked and I have to shorewall clear, then restart dsl
> connection by typing pptp 10.0.0.138, and shorewall restart. And finally
> it works.
> shorewall status before :
>

Your "shorewall status" output had all white-space and newline characters replaced with a single space and was consequently completely unreadable (without my spending hours with a text editor to reformat it).

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net
Anatolius
2002-Nov-18 14:50 UTC
[Shorewall-users] ADSL pptp connection blocked until shorewall clear, pptp 10.0.0.138, pptp restart
> Your "shorewall status" output had all white-space and newline characters > replaced with a single space and was consequently completely unreadable > (without my spending hours with a text editor to reformat it). > > -Tom > --Tom, So sorry for this mistake ! I repost the same message in a hopefully more readable format. Thx in advance, Anatole I have installed Shorewall on the basis of the three-interface guide & script. My pptp adsl connection gets automatically started on Mandrake 9.0 startup, Shorewall either (after eth0, eth1 and pptp). The pptp connection is blocked and I have to shorewall clear, then restart dsl connection by typing pptp 10.0.0.138, and shorewall restart. And finally it works. shorewall status before : [H[JShorewall-1.3.10 Status at mandrake.maison.ici - lun nov 18 10:14:37 CET 2002 Counters reset Mon Nov 18 10:09:01 CET 2002 Chain INPUT (policy DROP 3 packets, 397 bytes) pkts bytes target prot opt in out source destination 90 6840 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ppp0_in all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 18698 3933K eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0 0 0 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'' 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU 0 0 ppp0_fwd all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0 0 0 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'' 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy DROP 102 packets, 8574 bytes) pkts bytes target prot opt in out source destination 90 6840 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 2 88 ACCEPT 
Shorewall status after :

[shorewall status output (iptables chain listing, log excerpt and conntrack table) omitted]
eth0 is my internal interface with ip 192.168.0.1
eth1 is the ethernet card with ip 10.0.0.10 connected to the adsl pptp modem
ppp0

Thanks in advance for your help
Anatole
Tom Eastep
2002-Nov-18 14:57 UTC
[Shorewall-users] ADSL pptp connection blocked until shorewall clear, pptp 10.0.0.138, pptp restart
--On Monday, November 18, 2002 11:11:59 AM +0100 Anatolius <anatolius@hotmail.com> wrote:

> Hi everybody,
>
> I have installed Shorewall on the basis of the three-interface guide &
> script. My pptp adsl connection gets automatically started on Mandrake
> 9.0 startup, Shorewall either (after eth0, eth1 and pptp). The pptp
> connection is blocked and I have to shorewall clear, then restart dsl
> connection by typing pptp 10.0.0.138, and shorewall restart. And finally
> it works.

Try making the following changes to your configuration:

/etc/shorewall/zones

    adsl    ADSL    ADSL Modem

/etc/shorewall/interfaces

    adsl    eth0    detect

/etc/shorewall/rules:

    fw                  adsl:10.0.0.138     tcp     1723
    fw                  adsl:10.0.0.138     gre
    adsl:10.0.0.138     fw                  gre

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://shorewall.sf.net
ICQ: #60745924    \ teastep@shorewall.net
Anatolius
2002-Nov-18 18:33 UTC
[Shorewall-users] ADSL pptp connection blocked until shorewall clear, pptp 10.0.0.138, pptp restart
> > I have installed Shorewall on the basis of the three-interface guide &
> > script. My pptp adsl connection gets automatically started on Mandrake
> > 9.0 startup, Shorewall either (after eth0, eth1 and pptp). The pptp
> > connection is blocked and I have to shorewall clear, then restart dsl
> > connection by typing pptp 10.0.0.138, and shorewall restart. And finally
> > it works.
>
> Try making the following changes to your configuration:
>
> /etc/shorewall/zones
>
> adsl ADSL ADSL Modem
>
> /etc/shorewall/interfaces
>
> adsl eth0 detect
>
> /etc/shorewall/rules:
>
> fw adsl:10.0.0.138 tcp 1723
> fw adsl:10.0.0.138 gre
> adsl:10.0.0.138 fw gre
>
> -Tom

Tom,

I made the changes you told me. Unfortunately, it doesn't seem to make any difference..
Here are my config files : interfaces #ZONE INTERFACE BROADCAST OPTIONS net ppp0 detect loc eth0 detect routestopped adsl eth1 detect loc ppp+ masq #INTERFACE SUBNET ADDRESS ppp0 192.168.0.1/24 #eth1 ppp0 policy #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST loc net ACCEPT loc fw ACCEPT fw adsl DROP # # If you want open access to the internet from your firewall, uncomment the # following line fw net ACCEPT net all DROP info all all REJECT info loc loc ACCEPT rules #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL # PORT PORT(S) DEST # # Accept outgoing DNS connections from the firewall # ACCEPT fw net tcp 53 ACCEPT fw net udp 53 # # Accept SSH connections from the local network to the firewall and adsl # ACCEPT loc fw tcp 22 ACCEPT loc adsl tcp 22 # # FTP connections ACCEPT net fw tcp ftp - # # Enable connection to ftp server ACCEPT net loc:192.168.0.1 tcp ftp - all ACCEPT fw net tcp ftp - # # adsl DNS access to the internet # ACCEPT adsl net tcp 53 ACCEPT adsl net udp 53 # # Make ping work between the adsl, net and local zone (assumes that the loc-> # net policy is ACCEPT). 
#
ACCEPT    loc      adsl   icmp    8
ACCEPT    adsl     loc    icmp    8
ACCEPT    adsl     net    icmp    8
ACCEPT    net      adsl   icmp    8      # Only with Proxy ARP and
ACCEPT    net      loc    icmp    8      # static NAT
#
# eDonkey
ACCEPT    net      loc:192.168.0.100   tcp   4662   -   all
ACCEPT    net      loc:192.168.0.100   tcp   4661   -   all
ACCEPT    net      loc:192.168.0.100   udp   4665   -   all
ACCEPT    net      loc:192.168.0.100   tcp   3000   -   all
#
#
#
ACCEPT    fw       adsl:10.0.0.138     tcp   1723
ACCEPT    fw       adsl:10.0.0.138     gre
ACCEPT    adsl:10.0.0.138   fw         gre
#
#
ACCEPT    net      fw     tcp     1723
ACCEPT    net      fw     47
ACCEPT    fw       net    47

shorewall.conf

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
FW=fw
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
ALLOWRELATED=yes
MODULESDIR=
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
LOGFILE=/var/log/messages
NAT_ENABLED=Yes
MANGLE_ENABLED=No
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
TC_ENABLED=No
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=
CLAMPMSS=Yes
ROUTE_FILTER=No
NAT_BEFORE_RULES=Yes
MULTIPORT=No
DETECT_DNAT_IPADDRS=No
MERGE_HOSTS=Yes
MUTEX_TIMEOUT=60
LOGNEWNOTSYN=
FORWARDPING=Yes
NEWNOTSYN=No
MACLIST_DISPOSITION=REJECT
MACLIST_LOG_LEVEL=info

tunnels

# TYPE        ZONE   GATEWAY     GATEWAY ZONE
pptpserver    net    0.0.0.0/0

zones

#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
adsl    ADSL      ADSL Modem

Thx again for your help,
Anatole
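Added example (not part of the thread and not Shorewall code): a small Python lint over the interfaces and policy files quoted above. It assumes Shorewall's documented semantics, namely that a trailing + in an interface name is a wildcard and that policy entries are matched in file order with "all" matching any zone; the sample inputs are constructed from the quoted files.

```python
"""Lint for two things visible in the configuration quoted above (added
example, not from the thread and not part of Shorewall).

1. interfaces: a trailing '+' is a wildcard, so 'loc ppp+' also matches the
   ppp0 that is assigned to 'net', putting one device in two zones.
2. policy: entries are matched top to bottom and 'all' matches any zone, so
   'loc loc ACCEPT' placed after 'all all REJECT' is never reached, which is
   what the startup log reports ("Policy REJECT for loc to loc").

The sample inputs below are constructed from the quoted files."""
import fnmatch

INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        detect
loc     eth0        detect      routestopped
adsl    eth1        detect
loc     ppp+
"""

POLICY = """\
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
loc       fw     ACCEPT
fw        adsl   DROP
fw        net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
loc       loc    ACCEPT
"""


def rows(text):
    """Whitespace-separated fields of every non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def interface_overlaps(interfaces_text):
    """Pairs of entries in different zones whose interface names can match the
    same device. Shorewall's trailing '+' is turned into a shell-style '*'."""
    entries = [(f[0], f[1]) for f in rows(interfaces_text)]
    overlaps = []
    for i, (zone_a, if_a) in enumerate(entries):
        for zone_b, if_b in entries[i + 1:]:
            if zone_a == zone_b:
                continue
            glob_a, glob_b = if_a.replace("+", "*"), if_b.replace("+", "*")
            if fnmatch.fnmatchcase(if_b, glob_a) or fnmatch.fnmatchcase(if_a, glob_b):
                overlaps.append((zone_a, if_a, zone_b, if_b))
    return overlaps


def _covers(earlier, later):
    """True if an earlier zone spec matches everything a later one does:
    'all' covers anything, a zone name covers only that same name."""
    return earlier == "all" or earlier == later


def shadowed_policies(policy_text):
    """(entry_no, entry, shadowing_entry_no) for every policy entry that an
    earlier entry already covers for both source and destination."""
    entries = [(n, f[0], f[1], f[2]) for n, f in enumerate(rows(policy_text), start=1)]
    shadowed = []
    for idx, (n, src, dst, action) in enumerate(entries):
        for m, e_src, e_dst, _ in entries[:idx]:
            if _covers(e_src, src) and _covers(e_dst, dst):
                shadowed.append((n, f"{src} {dst} {action}", m))
                break
    return shadowed


if __name__ == "__main__":
    for zone_a, if_a, zone_b, if_b in interface_overlaps(INTERFACES):
        print(f"interface overlap: {zone_a} {if_a} and {zone_b} {if_b}")
    for n, entry, m in shadowed_policies(POLICY):
        print(f"policy entry {n} ({entry}) is never reached: entry {m} matches first")
```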
Tom Eastep
2002-Nov-18 18:55 UTC
[Shorewall-users] ADSL pptp connection blocked until shorewall clear, pptp 10.0.0.138, pptp restart
--On Monday, November 18, 2002 07:33:54 PM +0100 Anatolius <anatolius@hotmail.com> wrote:

What Shorewall messages are you getting before you restart pptp and Shorewall?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
Anatolius
2002-Nov-18 20:13 UTC
[Shorewall-users] ADSL pptp connection blocked until shorewall clear, pptp 10.0.0.138, pptp restart
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@shorewall.net>
Sent: Monday, November 18, 2002 7:55 PM
Subject: Re: [Shorewall-users] ADSL pptp connection blocked until shorewall clear, pptp 10.0.0.138, pptp restart

>
> --On Monday, November 18, 2002 07:33:54 PM +0100 Anatolius
> <anatolius@hotmail.com> wrote:
>
> What Shorewall messages are you getting before you restart pptp and
> Shorewall?
>
> -Tom

After I completely restart Linux, I get these messages (extract):

Nov 18 20:47:57 mandrake pptp[1254]: Client connection established.
Nov 18 20:47:58 mandrake pptp[1254]: Incomming call established.
Nov 18 20:47:58 mandrake pptp[1264]: pptp: call_id = 0 peer_call_id = 0
Nov 18 20:48:00 mandrake kernel: CSLIP: code copyright 1989 Regents of the University of California
Nov 18 20:48:00 mandrake kernel: PPP generic driver version 2.4.2
Nov 18 20:48:00 mandrake pppd[1268]: pppd 2.4.1 started by root, uid 0
Nov 18 20:48:00 mandrake pppd[1268]: Using interface ppp0
Nov 18 20:48:00 mandrake pppd[1268]: Connect: ppp0 <--> /dev/ttya0
Nov 18 20:48:00 mandrake named[1272]: starting BIND 9.2.1 -u named
Nov 18 20:48:00 mandrake named[1272]: using 1 CPU
nov 18 20:48:00 mandrake named: Démarrage de named succeeded
Nov 18 20:48:00 mandrake /etc/hotplug/net.agent: assuming ppp0 is already up
(...)
Nov 18 20:48:02 mandrake named[1279]: no IPv6 interfaces found
Nov 18 20:48:02 mandrake named[1279]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 18 20:48:02 mandrake named[1279]: listening on IPv4 interface eth0, 192.168.0.1#53
Nov 18 20:48:02 mandrake named[1279]: listening on IPv4 interface eth1, 10.0.0.10#53
nov 18 20:48:02 mandrake ntpd: Démarrage de ntpd succeeded
Nov 18 20:48:02 mandrake named[1279]: command channel listening on 127.0.0.1#953
Nov 18 20:48:02 mandrake named[1279]: zone 0010.in-addr.arpa/IN: loaded serial 2002102700
Nov 18 20:48:02 mandrake named[1279]: 127.0.0.rev:8: no TTL specified; using SOA MINTTL instead
Nov 18 20:48:02 mandrake named[1279]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2002102700
Nov 18 20:48:03 mandrake named[1279]: zone maison.ici/IN: loaded serial 2002102700
Nov 18 20:48:03 mandrake named[1279]: running
Nov 18 20:48:03 mandrake named[1279]: zone maison.ici/IN: sending notifies (serial 2002102700)
nov 18 20:48:03 mandrake sshd: Lancement de sshd :
Nov 18 20:48:07 mandrake kernel: PPP BSD Compression module registered
Nov 18 20:48:07 mandrake kernel: PPP Deflate Compression module registered
Nov 18 20:48:07 mandrake pppd[1268]: local IP address 212.11.34.xxx
Nov 18 20:48:07 mandrake pppd[1268]: remote IP address 212.180.0.166
Nov 18 20:48:07 mandrake pppd[1268]: primary DNS address 212.180.0.137
Nov 18 20:48:07 mandrake pppd[1268]: secondary DNS address 212.180.1.79
(...)
nov 18 20:48:15 mandrake dhcpd: Démarrage de dhcpd succeeded
(...)
nov 18 20:48:48 mandrake postfix: succeeded
nov 18 20:48:53 mandrake internet: Checking internet connections to start at boot succeeded
(...)
nov 18 20:49:02 mandrake fetchmail: Démarrage de fetchmail succeeded
(...)
nov 18 20:49:07 mandrake smb: Démarrage de smbd succeeded
(...)
nov 18 20:49:10 mandrake smb: Démarrage de nmbd succeeded
Nov 18 20:49:10 mandrake nmbd[1974]: [2002/11/18 20:49:10, 0] nmbd/nmbd_logonnames.c:add_logon_names(155)
Nov 18 20:49:10 mandrake nmbd[1974]: add_domain_logon_names:
Nov 18 20:49:10 mandrake nmbd[1974]: Attempting to become logon server for workgroup MAISON on subnet 192.168.0.1
Nov 18 20:49:10 mandrake nmbd[1974]: [2002/11/18 20:49:10, 0] nmbd/nmbd_logonnames.c:add_logon_names(155)
Nov 18 20:49:10 mandrake nmbd[1974]: add_domain_logon_names:
Nov 18 20:49:10 mandrake nmbd[1974]: Attempting to become logon server for workgroup MAISON on subnet 10.0.0.10
Nov 18 20:49:10 mandrake nmbd[1974]: [2002/11/18 20:49:10, 0] nmbd/nmbd_logonnames.c:add_logon_names(155)
Nov 18 20:49:10 mandrake nmbd[1974]: add_domain_logon_names:
Nov 18 20:49:10 mandrake nmbd[1974]: Attempting to become logon server for workgroup MAISON on subnet UNICAST_SUBNET
Nov 18 20:49:10 mandrake nmbd[1974]: [2002/11/18 20:49:10, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(339)
Nov 18 20:49:10 mandrake nmbd[1974]: become_domain_master_browser_wins:
Nov 18 20:49:10 mandrake nmbd[1974]: Attempting to become domain master browser on workgroup MAISON, subnet UNICAST_SUBNET.
Nov 18 20:49:10 mandrake nmbd[1974]: [2002/11/18 20:49:10, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(354)
Nov 18 20:49:10 mandrake nmbd[1974]: become_domain_master_browser_wins: querying WINS server at IP 10.0.0.10 for domain master browser name MAISON<1b> on workgroup MAISON
nov 18 20:49:10 mandrake lisa: Lancement de lisa : succeeded
Nov 18 20:49:10 mandrake nmbd[1974]: [2002/11/18 20:49:10, 0] nmbd/nmbd_logonnames.c:become_logon_server_success(114)
Nov 18 20:49:11 mandrake nmbd[1974]: become_logon_server_success: Samba is now a logon server for workgroup MAISON on subnet UNICAST_SUBNET
Nov 18 20:49:11 mandrake nmbd[1974]: [2002/11/18 20:49:11, 0] nmbd/nmbd_become_dmb.c:become_domain_master_stage2(114)
Nov 18 20:49:12 mandrake nmbd[1974]: Samba server SERVEUR is now a domain master
(...)
nov 18 20:49:13 mandrake shorewall: Processing /etc/shorewall/shorewall.conf ...
nov 18 20:49:14 mandrake shorewall: Processing /etc/shorewall/params ...
Nov 18 20:49:15 mandrake nmbd[1974]: [2002/11/18 20:49:15, 0] nmbd/nmbd_logonnames.c:become_logon_server_success(114)
Nov 18 20:49:15 mandrake nmbd[1974]: become_logon_server_success: Samba is now a logon server for workgroup MAISON on subnet 192.168.0.1
Nov 18 20:49:15 mandrake nmbd[1974]: [2002/11/18 20:49:15, 0] nmbd/nmbd_logonnames.c:become_logon_server_success(114)
Nov 18 20:49:15 mandrake nmbd[1974]: become_logon_server_success: Samba is now a logon server for workgroup MAISON on subnet 10.0.0.10
Nov 18 20:49:15 mandrake kernel: ip_tables: (C) 2000-2002 Netfilter core team
nov 18 20:49:15 mandrake shorewall: Starting Shorewall...
nov 18 20:49:15 mandrake shorewall: Loading Modules...
Nov 18 20:49:16 mandrake kernel: ip_conntrack version 2.1 (1536 buckets, 12288 max) - 300 bytes per conntrack
nov 18 20:49:16 mandrake shorewall: Initializing...
nov 18 20:49:16 mandrake shorewall: Determining Zones...
nov 18 20:49:16 mandrake shorewall: Zones: net loc adsl
nov 18 20:49:16 mandrake shorewall: Validating interfaces file...
nov 18 20:49:16 mandrake shorewall: Validating hosts file...
nov 18 20:49:16 mandrake shorewall: Validating Policy file...
nov 18 20:49:17 mandrake shorewall: Determining Hosts in Zones...
nov 18 20:49:17 mandrake shorewall: Net Zone: ppp0:0.0.0.0/0
nov 18 20:49:17 mandrake shorewall: Local Zone: eth0:0.0.0.0/0 ppp+:0.0.0.0/0
nov 18 20:49:17 mandrake shorewall: ADSL Zone: eth1:0.0.0.0/0
nov 18 20:49:17 mandrake shorewall: Deleting user chains...
nov 18 20:49:18 mandrake shorewall: Creating input Chains...
nov 18 20:49:19 mandrake shorewall: Configuring Proxy ARP
(...)
nov 18 20:49:21 mandrake shorewall: Adding rules for DHCP
nov 18 20:49:21 mandrake shorewall: IP Forwarding Enabled
nov 18 20:49:21 mandrake shorewall: Processing /etc/shorewall/tunnels...
nov 18 20:49:21 mandrake shorewall: PPTP server defined.
Nov 18 20:49:21 mandrake nmbd[1974]: [2002/11/18 20:49:21, 0] (...)
(...)
nov 18 20:49:21 mandrake shorewall: Processing /etc/shorewall/rules...
Nov 18 20:49:21 mandrake nmbd[1974]: Packet send failed to 10.0.0.255(137) ERRNO=Operation not permitted
Nov 18 20:49:22 mandrake nmbd[1974]: [2002/11/18 20:49:22, 0] nmbd/nmbd_packets.c:retransmit_or_expire_response_records(1655)
Nov 18 20:49:22 mandrake nmbd[1974]: retransmit_or_expire_response_records: Failed to resend packet id 16473 to IP 10.0.0.255 on subnet 10.0.0.10
nov 18 20:49:22 mandrake shorewall: Rule "ACCEPT fw net tcp 53" added.
nov 18 20:49:22 mandrake shorewall: Rule "ACCEPT fw net udp 53" added.
nov 18 20:49:22 mandrake shorewall: Rule "ACCEPT loc fw tcp 22" added.
nov 18 20:49:23 mandrake shorewall: Rule "ACCEPT loc adsl tcp 22" added.
nov 18 20:49:23 mandrake shorewall: Rule "ACCEPT net fw tcp ftp -" added.
Nov 18 20:49:23 mandrake nmbd[1974]: Samba server SERVEUR is now a domain master browser for workgroup MAISON on subnet 10.0.0.10
Nov 18 20:49:23 mandrake nmbd[1974]:
nov 18 20:49:23 mandrake shorewall: Rule "ACCEPT net loc:192.168.0.1 tcp ftp - all" added.
Nov 18 20:49:23 mandrake nmbd[1974]: *****
nov 18 20:49:23 mandrake shorewall: Rule "ACCEPT fw net tcp ftp -" added.
nov 18 20:49:24 mandrake shorewall: Rule "ACCEPT adsl net tcp 53" added.
nov 18 20:49:24 mandrake shorewall: Rule "ACCEPT adsl net udp 53" added.
nov 18 20:49:24 mandrake shorewall: Rule "ACCEPT loc adsl icmp 8" added.
nov 18 20:49:24 mandrake shorewall: Rule "ACCEPT adsl loc icmp 8" added.
nov 18 20:49:24 mandrake shorewall: Rule "ACCEPT adsl net icmp 8" added.
nov 18 20:49:25 mandrake shorewall: Rule "ACCEPT net adsl icmp 8" added.
nov 18 20:49:25 mandrake shorewall: Rule "ACCEPT net loc icmp 8" added.
nov 18 20:49:25 mandrake shorewall: Rule "ACCEPT net loc:192.168.0.100 tcp 4662 - all" added.
nov 18 20:49:25 mandrake shorewall: Rule "ACCEPT net loc:192.168.0.100 tcp 4661 - all" added.
nov 18 20:49:26 mandrake shorewall: Rule "ACCEPT net loc:192.168.0.100 udp 4665 - all" added.
nov 18 20:49:26 mandrake shorewall: Rule "ACCEPT net loc:192.168.0.100 tcp 3000 - all" added.
nov 18 20:49:26 mandrake shorewall: Rule "ACCEPT fw adsl:10.0.0.138 tcp 1723" added.
nov 18 20:49:26 mandrake shorewall: Rule "ACCEPT fw adsl:10.0.0.138 gre" added.
nov 18 20:49:27 mandrake shorewall: Rule "ACCEPT adsl:10.0.0.138 fw gre" added.
nov 18 20:49:27 mandrake shorewall: Rule "ACCEPT net fw tcp 1723" added.
nov 18 20:49:27 mandrake shorewall: Rule "ACCEPT net fw 47" added.
nov 18 20:49:27 mandrake shorewall: Rule "ACCEPT fw net 47" added.
nov 18 20:49:27 mandrake shorewall: Setting up ICMP Echo handling...
nov 18 20:49:28 mandrake shorewall: Processing /etc/shorewall/policy...
nov 18 20:49:29 mandrake shorewall: Policy ACCEPT for fw to net using chain fw2net
nov 18 20:49:29 mandrake shorewall: Policy DROP for fw to adsl using chain fw2adsl
nov 18 20:49:29 mandrake shorewall: Policy DROP for net to fw using chain net2all
nov 18 20:49:29 mandrake shorewall: Policy DROP for net to loc using chain net2all
nov 18 20:49:29 mandrake shorewall: Policy DROP for net to adsl using chain net2all
nov 18 20:49:29 mandrake shorewall: Policy ACCEPT for loc to fw using chain loc2fw
nov 18 20:49:29 mandrake shorewall: Policy ACCEPT for loc to net using chain loc2net
nov 18 20:49:29 mandrake shorewall: Policy REJECT for loc to loc using chain all2all
nov 18 20:49:29 mandrake shorewall: Policy REJECT for loc to adsl using chain all2all
nov 18 20:49:29 mandrake shorewall: Policy REJECT for adsl to fw using chain all2all
nov 18 20:49:30 mandrake shorewall: Policy REJECT for adsl to net using chain all2all
nov 18 20:49:30 mandrake shorewall: Policy REJECT for adsl to loc using chain all2all
nov 18 20:49:30 mandrake shorewall: Masqueraded Subnets and Hosts:
nov 18 20:49:30 mandrake shorewall: To 0.0.0.0/0 from 192.168.0.1/24 through ppp0
nov 18 20:49:30 mandrake shorewall: Activating Rules...
nov 18 20:49:32 mandrake shorewall: Shorewall Started
Nov 18 20:49:32 mandrake logger: Shorewall Started
nov 18 20:49:33 mandrake rc: Lancement de shorewall : succeeded
After that, I clear shorewall, kill pptp & pppd and start them again and start shorewall :

log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:580]: Client connection established.
Nov 18 21:08:21 mandrake pptp[4567]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:708]: Outgoing call established (call ID 0, peer's call ID 0).
Nov 18 21:08:21 mandrake pppd[4569]: pppd 2.4.1 started by root, uid 0
Nov 18 21:08:21 mandrake pppd[4569]: Using interface ppp0
Nov 18 21:08:21 mandrake pppd[4569]: Connect: ppp0 <--> /dev/pts/2
Nov 18 21:08:21 mandrake /etc/hotplug/net.agent: assuming ppp0 is already up
Nov 18 21:08:28 mandrake pppd[4569]: local IP address 212.11.xxx.xxx
Nov 18 21:08:28 mandrake pppd[4569]: remote IP address 212.180.xxx.xxx
Nov 18 21:08:28 mandrake pppd[4569]: primary DNS address 212.180.xxx.xxx
Nov 18 21:08:28 mandrake pppd[4569]: secondary DNS address 212.180.xxx.xxx
Nov 18 21:08:34 mandrake named[1279]: client 192.168.0.100#2538: error sending response: host unreachable
Nov 18 21:08:34 mandrake last message repeated 4 times
Nov 18 21:08:34 mandrake named[1279]: client 192.168.0.100#2540: error sending response: host unreachable
Nov 18 21:08:34 mandrake last message repeated 4 times
Nov 18 21:08:34 mandrake named[1279]: client 192.168.0.100#2542: error sending response: host unreachable
Nov 18 21:08:34 mandrake last message repeated 4 times
Nov 18 21:08:42 mandrake nmbd[1974]: [2002/11/18 21:08:42, 0] libsmb/nmblib.c:send_udp(756)
Nov 18 21:08:42 mandrake nmbd[1974]: Packet send failed to 192.168.0.255(138) ERRNO=Operation not permitted
Nov 18 21:08:44 mandrake root: Shorewall Started
Tom Eastep
2002-Nov-18 20:30 UTC
[Shorewall-users] ADSL pptp connection blocked until shorewall clear, pptp 10.0.0.138, pptp restart
--On Monday, November 18, 2002 09:13:18 PM +0100 Anatolius <anatolius@hotmail.com> wrote:

>
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: <shorewall-users@shorewall.net>
> Sent: Monday, November 18, 2002 7:55 PM
> Subject: Re: [Shorewall-users] ADSL pptp connection blocked until
> shorewall clear, pptp 10.0.0.138, pptp restart
>
>>
>> --On Monday, November 18, 2002 07:33:54 PM +0100 Anatolius
>> <anatolius@hotmail.com> wrote:
>>
>> What Shorewall messages are you getting before you restart pptp and
>> Shorewall?
>>
>> -Tom
>
> After I completely restart Linux, I get these messages (extract):
>

< Snip >

> Nov 18 20:49:32 mandrake logger: Shorewall Started
> nov 18 20:49:33 mandrake rc: Lancement de shorewall : succeeded
>

So Shorewall starts successfully at 20.49.33 (After your internet connection).

> nov 18 20:48:53 mandrake internet: Checking internet connections to start
> at boot succeeded
> (...)

And your PPTP connection starts at 20:48:53

> nov 18 20:49:32 mandrake shorewall: Shorewall Started
> Nov 18 20:49:32 mandrake logger: Shorewall Started
> nov 18 20:49:33 mandrake rc: Lancement de shorewall : succeeded

For some reason, you are getting two copies of the Shorewall startup sequence in your log....

It is in this area that I'm interested in whether you get Shorewall packet log messages (before you issue the "shorewall clear")!!! Also, what exactly doesn't work? Access to net from the firewall? Access to net from masqueraded systems. Access to fw from masqueraded systems? ???

> After that, I clear shorewall, kill pptp & pppd and start them again and
> start shorewall :
>

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
Anatolius
2002-Nov-18 21:26 UTC
[Shorewall-users] ADSL pptp connection blocked until shorewall clear, pptp 10.0.0.138, pptp restart
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Anatolius" <anatolius@hotmail.com>; <shorewall-users@shorewall.net>
Sent: Monday, November 18, 2002 9:30 PM
Subject: Re: [Shorewall-users] ADSL pptp connection blocked until shorewall clear, pptp 10.0.0.138, pptp restart

>
> --On Monday, November 18, 2002 09:13:18 PM +0100 Anatolius
> <anatolius@hotmail.com> wrote:
>
> >
> > ----- Original Message -----
> > From: "Tom Eastep" <teastep@shorewall.net>
> > To: <shorewall-users@shorewall.net>
> > Sent: Monday, November 18, 2002 7:55 PM
> > Subject: Re: [Shorewall-users] ADSL pptp connection blocked until
> > shorewall clear, pptp 10.0.0.138, pptp restart
> >
> >
>
> For some reason, you are getting two copies of the Shorewall startup
> sequence in your log....
>
> It is in this area that I'm interested in whether you get Shorewall packet
> log messages (before you issue the "shorewall clear")!!! Also, what exactly
> doesn't work? Access to net from the firewall? Access to net from
> masqueraded systems. Access to fw from masqueraded systems? ???
>

Only communication within the LAN works, between Linux Box (running fw) and workstations in both directions, and between workstations. SSH works, too.
Here are messages when I try to open a www site in browser from a ws (192.168.252) and to get my mail from the same ws:

Nov 18 22:10:19 mandrake nmbd[1894]: Packet send failed to 192.168.0.255(138) ERRNO=Operation not permitted
Nov 18 22:10:19 mandrake nmbd[1894]: [2002/11/18 22:10:19, 0] libsmb/nmblib.c:send_udp(756)
Nov 18 22:10:19 mandrake nmbd[1894]: Packet send failed to 10.0.0.255(138) ERRNO=Operation not permitted
Nov 18 22:10:29 mandrake named[1284]: client 192.168.0.252#3005: error sending response: host unreachable
Nov 18 22:10:29 mandrake last message repeated 4 times
Nov 18 22:11:00 mandrake CROND[4247]: (mail) CMD (/usr/bin/python -S /var/lib/mailman/cron/qrunner)
Nov 18 22:12:00 mandrake CROND[4252]: (mail) CMD (/usr/bin/python -S /var/lib/mailman/cron/qrunner)
Nov 18 22:12:08 mandrake named[1284]: client 192.168.0.252#3007: error sending response: host unreachable
Nov 18 22:12:08 mandrake last message repeated 4 times
Nov 18 22:12:41 mandrake kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=32787 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 18 22:12:41 mandrake kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=32788 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 18 22:12:59 mandrake CROND[4262]: (mail) CMD (/usr/bin/python -S /var/lib/mailman/cron/qrunner)
Nov 18 22:14:00 mandrake CROND[4264]: (mail) CMD (/usr/bin/python -S /var/lib/mailman/cron/qrunner)
Nov 18 22:14:01 mandrake nmbd[1894]: [2002/11/18 22:14:01, 0] libsmb/nmblib.c:send_udp(756)
Nov 18 22:14:01 mandrake nmbd[1894]: Packet send failed to 192.168.0.255(137) ERRNO=Operation not permitted
Nov 18 22:14:01 mandrake nmbd[1894]: [2002/11/18 22:14:01, 0] nmbd/nmbd_packets.c:send_netbios_packet(172)
Nov 18 22:14:01 mandrake nmbd[1894]: send_netbios_packet: send_packet() to IP 192.168.0.255 port 137 failed
Nov 18 22:14:01 mandrake nmbd[1894]: [2002/11/18 22:14:01, 0] nmbd/nmbd_namequery.c:query_name(256)
Nov 18 22:14:01 mandrake nmbd[1894]: query_name: Failed to send packet trying to query name MAISON<1d>
Nov 18 22:14:01 mandrake nmbd[1894]: [2002/11/18 22:14:01, 0] libsmb/nmblib.c:send_udp(756)
Nov 18 22:14:01 mandrake nmbd[1894]: Packet send failed to 10.0.0.255(137) ERRNO=Operation not permitted
Nov 18 22:14:01 mandrake nmbd[1894]: [2002/11/18 22:14:01, 0] nmbd/nmbd_packets.c:send_netbios_packet(172)
Nov 18 22:14:01 mandrake nmbd[1894]: send_netbios_packet: send_packet() to IP 10.0.0.255 port 137 failed
Nov 18 22:14:01 mandrake nmbd[1894]: [2002/11/18 22:14:01, 0] nmbd/nmbd_namequery.c:query_name(256)
Nov 18 22:14:01 mandrake nmbd[1894]: query_name: Failed to send packet trying to query name MAISON<1d>
Nov 18 22:14:02 mandrake named[1284]: client 192.168.0.252#3014: error sending response: host unreachable

That's all !

Anatole
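Added example (not from the thread and not Shorewall's own code): a Python parser for the kernel log entries Shorewall writes with the "Shorewall:<chain>:<disposition>:" prefix seen above, used to check whether the extract contains any firewall message about the workstation's web or mail traffic. The sample log is constructed from the lines quoted in this message, and the port sets standing for "a www site" and "my mail" are assumptions.

```python
"""Parse Shorewall packet log lines and filter them by host and port
(added example, not part of the thread or of Shorewall).

A Shorewall log line is the configured prefix "Shorewall:<chain>:<disposition>:"
followed by netfilter's KEY=VALUE fields (IN=, OUT=, SRC=, DST=, PROTO=, DPT=,
...) and bare flag tokens such as DF or SYN. The sample below is constructed
from the lines quoted in this message."""
import re
from collections import Counter

SAMPLE_LOG = """\
Nov 18 22:10:29 mandrake named[1284]: client 192.168.0.252#3005: error sending response: host unreachable
Nov 18 22:12:41 mandrake kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=32787 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 18 22:12:41 mandrake kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.0.1 DST=192.168.0.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=32788 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 18 22:14:01 mandrake nmbd[1894]: Packet send failed to 192.168.0.255(137) ERRNO=Operation not permitted
"""

# Matches the log prefix as configured in this thread: Shorewall:<chain>:<disposition>:
_SHOREWALL = re.compile(
    r"kernel: Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)$"
)


def parse_line(line):
    """Return a dict for a Shorewall packet log line, or None for any other line.
    KEY=VALUE tokens become entries (IN= gives '' for a locally generated
    packet); bare tokens such as DF or SYN are collected under 'flags'."""
    m = _SHOREWALL.search(line)
    if m is None:
        return None
    event = {"chain": m.group("chain"), "disposition": m.group("disposition"), "flags": []}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            event[key] = value
        else:
            event["flags"].append(token)
    return event


def parse_log(text):
    """All Shorewall packet events in a syslog extract, in order."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def events_involving(events, host, dports=frozenset()):
    """Events where host is SRC or DST; when dports is non-empty, keep only
    TCP/UDP events whose destination port is in that set."""
    out = []
    for e in events:
        if host not in (e.get("SRC"), e.get("DST")):
            continue
        if dports:
            if e.get("PROTO") not in ("TCP", "UDP") or int(e.get("DPT", -1)) not in dports:
                continue
        out.append(e)
    return out


def summarize(events):
    """Count events by (chain, disposition, PROTO, DPT): what the firewall logged."""
    return Counter((e["chain"], e["disposition"], e.get("PROTO"), e.get("DPT")) for e in events)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    WWW_MAIL = {80, 443, 25, 110}  # assumed ports for "a www site" and "my mail"
    print("Shorewall packet log entries:", dict(summarize(events)))
    hits = events_involving(events, "192.168.0.252", WWW_MAIL)
    print("entries about the workstation's web/mail traffic:", len(hits))
    for e in events_involving(events, "192.168.0.200"):
        print("firewall ->", e["DST"], e["PROTO"], "port", e["DPT"], e["chain"], e["disposition"])
```

Run against the sample, the only logged events are the firewall's own SMB attempts to 192.168.0.200 (ports 445 and 139) in the all2all chain; nothing involving the workstation's web or mail traffic is logged at all.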
Tom Eastep
2002-Nov-18 21:45 UTC
[Shorewall-users] ADSL pptp connection blocked until shorewall clear, pptp 10.0.0.138, pptp restart
> > ----- Original Message -----
> Here are messages when I try to open a www site in browser
> from a ws (192.168.252) and to get my mail from the same ws:
>

<Log showing no Shorewall messages related to http deleted>

>
> That's all !
>

It doesn't look as though Shorewall is blocking anything (if it is, it certainly isn't logging the event). You might compare the contents of the routing table ("route -n") at the point before you "shorewall clear" and then after you have restarted pptp and Shorewall.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net