Hello Tom and others on the list.
Tom - you might recall that the other day (night) I had problems with my
axip setup (protocol 93) and we made some changes to the policy, zones and
interfaces files. You added ''peers and tunl+''
Following that change nothing seemed to work. In fact you wanted to see
the shorewall status file, among other things.
Well - tonight, I carefully put things together and find that everything
works just fine! It is like an eerie occurance. How could I have had so
much trouble the other night where I had to go back to ipchains to
survive?
In any event, I have attached a bunch of files above that will show you
(and others) what is happening. My question that goes with this is, do
these files above show that I am still in trouble, or that things are all
ok. I particularily ask this because the log file shows nothing?
Anyways - if I can be so bold as to ask you to quickly run through those
files above and if I am in big trouble, well i can live with that.
But at the moment - EVERYTHING seems to work just fine The axip link is
streaming right along, and my two lan machines haven''t missed a beat.
---
Ted Gervais
Coldbrook Nova Scotia
Canada B4R1A7
-------------- next part --------------
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc pfifo_fast
qlen 100
link/ether 00:50:da:92:bb:20 brd ff:ff:ff:ff:ff:ff
inet 24.224.173.220/24 brd 24.224.173.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:50:ba:d0:f2:16 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
4: tunl0@NONE: <NOARP,UP> mtu 256 qdisc noqueue
link/ipip 0.0.0.0 brd 0.0.0.0
inet 44.135.34.201/32 scope global tunl0
5: nr0: <UP> mtu 216 qdisc noqueue
link/generic ac:8a:62:88:a4:8e:0e brd 00:00:00:00:00:00:00
inet 44.135.34.201/24 brd 44.135.34.255 scope global nr0
6: nr1: <UP> mtu 216 qdisc noqueue
link/generic ac:8a:62:88:a4:8e:00 brd 00:00:00:00:00:00:00
inet 44.135.34.201/24 brd 44.135.34.255 scope global nr1
7: nr2: <> mtu 236 qdisc noop
link/generic 00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00
8: nr3: <> mtu 236 qdisc noop
link/generic 00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00
9: ax0: <BROADCAST,UP> mtu 256 qdisc pfifo_fast qlen 10
link/ax25 ac:8a:62:88:a4:8e:10 brd a2:a6:a8:40:40:40:60
inet 44.135.34.201/24 brd 44.135.34.255 scope global ax0
-------------- next part --------------
44.137.28.48 via 62.238.66.67 dev tunl0 proto static onlink
24.224.173.0/24 dev eth0 proto kernel scope link src 24.224.173.220
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
127.0.0.0/8 dev lo scope link
44.0.0.0/8 via 24.138.74.225 dev tunl0 proto static onlink
default via 24.224.173.1 dev eth0
-------------- next part --------------
Module Size Used by Not tainted
ipt_TOS 1048 12 (autoclean)
ipt_MASQUERADE 1208 1 (autoclean)
ipt_LOG 3224 5 (autoclean)
ipt_REJECT 2840 4 (autoclean)
ipt_state 568 40 (autoclean)
iptable_mangle 2160 1 (autoclean)
ip_nat_irc 2256 0 (unused)
ip_nat_ftp 2832 0 (unused)
iptable_nat 13880 3 [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack_irc 2992 1
ip_conntrack_ftp 3728 1
ip_conntrack 16064 4 [ipt_MASQUERADE ipt_state ip_nat_irc
ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
iptable_filter 1668 1 (autoclean)
ip_tables 10488 10 [ipt_TOS ipt_MASQUERADE ipt_LOG ipt_REJECT
ipt_state iptable_mangle iptable_nat iptable_filter]
netrom 24592 4
mkiss 6400 1
ax25 38748 2 [netrom mkiss]
ipip 5828 1
ide-scsi 7600 0
smbfs 32528 0 (unused)
hpfs 62304 0 (unused)
8139too 14632 1
mii 2208 0 [8139too]
3c59x 24880 1
slip 8128 0 (unused)
slhc 4464 0 [slip]
-------------- next part --------------
Shorewall-1.3.14 Log at linux.ve1drg.ampr.org - Tue Feb 25 21:37:39 AST 2003
Counters reset Tue Feb 25 21:31:04 AST 2003
-------------- next part --------------
[H[JShorewall-1.3.14 Status at linux.ve1drg.ampr.org - Tue Feb 25 21:39:23 AST
2003
Counters reset Tue Feb 25 21:31:04 AST 2003
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
79 12869 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
5 1015 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
7 361 tunl_in all -- tunl+ * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 2 packets, 96 bytes)
pkts bytes target prot opt in out source destination
260 201K eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
297 43893 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 tunl_fwd all -- tunl+ * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
49 4830 fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
4 801 all2all all -- * eth1 0.0.0.0/0 0.0.0.0/0
11 577 fw2peers all -- * tunl+ 0.0.0.0/0 0.0.0.0/0
10 1522 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:''
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain all2all (6 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
9 1816 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain common (5 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
19 3338 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:445 reject-with icmp-port-unreachable
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
0 0 DROP all -- * * 0.0.0.0/0
255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 state NEW
0 0 DROP all -- * * 0.0.0.0/0
24.224.173.255
0 0 DROP all -- * * 0.0.0.0/0
192.168.0.255
Chain dynamic (6 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
260 201K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
260 201K net2all all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 net2all all -- * tunl+ 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
79 12869 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
15 4920 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
64 7949 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
297 43893 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
297 43893 loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * tunl+ 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
5 1015 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
5 1015 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
23 1216 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:53
1 61 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:53
25 3553 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2peers (1 references)
pkts bytes target prot opt in out source destination
9 451 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
2 126 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:20
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:21
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:23
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:24
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:137
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:138
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:139
5 1015 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
260 38931 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
9 3546 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
28 1416 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (3 references)
pkts bytes target prot opt in out source destination
260 201K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
2 407 common all -- * * 0.0.0.0/0 0.0.0.0/0
2 407 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
2 407 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
25 3617 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
15 604 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:20
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:23
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:24
12 1080 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:137
10 2241 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:138
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:139
2 407 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain newnotsyn (8 references)
pkts bytes target prot opt in out source destination
24 4150 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain peers2fw (1 references)
pkts bytes target prot opt in out source destination
7 361 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (6 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain tunl_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 all2all all -- * tunl+ 0.0.0.0/0 0.0.0.0/0
Chain tunl_in (1 references)
pkts bytes target prot opt in out source destination
7 361 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
7 361 peers2fw all -- * * 0.0.0.0/0 0.0.0.0/0
NAT Table
Chain PREROUTING (policy ACCEPT 65 packets, 8396 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 10 packets, 1195 bytes)
pkts bytes target prot opt in out source destination
36 2485 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 24 packets, 3518 bytes)
pkts bytes target prot opt in out source destination
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
28 1416 MASQUERADE all -- * * 192.168.0.0/24 0.0.0.0/0
Mangle Table
Chain PREROUTING (policy ACCEPT 650 packets, 259K bytes)
pkts bytes target prot opt in out source destination
648 259K pretos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 91 packets, 14245 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 559 packets, 245K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 74 packets, 7730 bytes)
pkts bytes target prot opt in out source destination
74 7730 outtos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 630 packets, 250K bytes)
pkts bytes target prot opt in out source destination
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:20 TOS set 0x08
unknown 93 314 src=24.224.173.220 dst=24.138.74.225 src=24.138.74.225
dst=24.224.173.220 use=2
tcp 6 431970 ESTABLISHED src=192.168.0.147 dst=207.182.241.228 sport=1799
dport=80 src=207.182.241.228 dst=24.224.173.220 sport=80 dport=1799 [ASSURED]
use=1
unknown 4 119 src=24.224.173.220 dst=62.238.66.67 [UNREPLIED] src=62.238.66.67
dst=24.224.173.220 use=2
unknown 4 151 src=24.224.173.220 dst=24.138.74.225 src=24.138.74.225
dst=24.224.173.220 use=1
unknown 93 119 src=44.135.34.201 dst=44.137.28.48 [UNREPLIED] src=44.137.28.48
dst=44.135.34.201 use=1
-------------- next part --------------
Linux linux 2.4.20 #1 Thu Feb 13 15:48:30 AST 2003 i586 unknown
-------------- next part --------------
1.3.14
