Duncan E. Leaf
2003-Mar-02 16:25 UTC
[Shorewall-users] HTTP connections timeout from the net
I'm running a web server on the firewall computer. HTTP connections from the net to the firewall time out. However, connections from the firewall to the firewall are successful. Example:

On the firewall computer
  lynx 24.234.142.71
succeeds

On a remote computer on the internet,
  lynx 24.234.142.71
says:
  Alert!: Unable to connect to remote host.
  Looking up 24.234.142.71 first
  Looking up 24.234.142.71
  Making HTTP connection to 24.234.142.71
  Alert!: Unable to connect to remote host.

Just to be sure I tried to telnet:
  telnet 24.234.142.71 80
  Trying 24.234.142.71...
  telnet: connect to address 24.234.142.71: Connection timed out

In /etc/shorewall/rules I have:
  ACCEPT net fw tcp 80
I also have:
  ACCEPT net fw tcp 22
And ssh connections from the net will work, so I assume that HTTP connections should also work. I checked my web server config and it is listening on port 80 on the external IP address.

Here is my config info.

shorewall version
1.3.14

uname -a
Linux masina 2.4.9 #3 Sat Feb 15 00:52:20 PST 2003 i686 unknown

ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:20:78:13:e1:1f brd ff:ff:ff:ff:ff:ff
    inet 24.234.142.71/27 brd 24.234.142.95 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:33:d3:d4:f9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1

ip route show
24.234.142.64/27 via 24.234.142.71 dev eth0  scope link
24.234.142.64/27 dev eth0  proto kernel  scope link  src 24.234.142.71
192.168.0.0/24 via 192.168.0.1 dev eth1  scope link
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
127.0.0.0/8 dev lo  scope link
default via 24.234.142.65 dev eth0

lsmod
Module                  Size  Used by
ipt_TOS                 1248  12 (autoclean)
iptable_mangle          2032   0 (autoclean) (unused)
8139too                11904   1 (autoclean)
ne2k-pci                5536   1 (autoclean)
8390                    6480   0 (autoclean) [ne2k-pci]

Shorewall was installed via the two-connection guide. My /sbin/shorewall status output is attached. Here is the output of shorewall start:

Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
   Zones: net loc
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
   Rule "ACCEPT loc fw tcp 22" added.
   Rule "ACCEPT net fw tcp 22" added.
   Rule "ACCEPT loc fw icmp 8" added.
   Rule "ACCEPT net fw icmp 8" added.
   Rule "ACCEPT net fw tcp 80" added.
   Rule "ACCEPT loc fw tcp 80" added.
   Rule "ACCEPT net fw tcp 25" added.
   Rule "ACCEPT loc fw tcp 25" added.
   Rule "ACCEPT loc fw tcp 137:139" added.
   Rule "ACCEPT loc fw udp 137:139" added.
   Rule "ACCEPT fw loc tcp 137:139" added.
   Rule "ACCEPT fw loc udp 137:139" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Policy REJECT for fw to loc using chain all2all
   Policy DROP for net to fw using chain net2all
   Policy ACCEPT for loc to fw using chain loc2fw
   Policy ACCEPT for loc to net using chain loc2net
Masqueraded Subnets and Hosts:
   To 0.0.0.0/0 from 192.168.0.0/24 through eth0 using 24.234.142.71
Processing /etc/shorewall/tos...
   Rule "all all tcp - ssh 16" added.
   Rule "all all tcp ssh - 16" added.
   Rule "all all tcp - ftp 16" added.
   Rule "all all tcp ftp - 16" added.
   Rule "all all tcp ftp-data - 8" added.
   Rule "all all tcp - ftp-data 8" added.
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Started

-------------- next part --------------
Shorewall-1.3.14 Status at masina - Sun Mar  2 16:22:55 PST 2003

Counters reset Sun Mar  2 16:21:59 PST 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    7  1474 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  110  8723 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   384 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    9   372 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    9   612 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
   97 35140 fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:445 reject-with icmp-port-unreachable
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:53 state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0            24.234.142.95
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.0.255

Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7   384 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    7   384 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    7   384 net2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7  1474 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    7  1474 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    6  1144 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   372 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    9   372 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
  110  8723 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
  110  8723 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
   97 35140 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpts:137:139
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpts:137:139
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   612 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  110  8723 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpts:137:139
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpts:137:139
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   372 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (27 references)
 pkts bytes target     prot opt in     out     source               destination
    1   330 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'
    1   330 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    7   384 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6  1144 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:25
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain newnotsyn (7 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable

Chain rfc1918 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       169.254.0.0/16       0.0.0.0/0
    0     0 logdrop    all  --  *      *       172.16.0.0/12        0.0.0.0/0
    0     0 logdrop    all  --  *      *       192.0.2.0/24         0.0.0.0/0
    0     0 logdrop    all  --  *      *       192.168.0.0/16       0.0.0.0/0
    0     0 logdrop    all  --  *      *       0.0.0.0/7            0.0.0.0/0
    0     0 logdrop    all  --  *      *       2.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       5.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       7.0.0.0/8            0.0.0.0/0
    1   330 logdrop    all  --  *      *       10.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       23.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       27.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       31.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       36.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       39.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       41.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       42.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       58.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       60.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       70.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       72.0.0.0/5           0.0.0.0/0
    0     0 logdrop    all  --  *      *       83.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       84.0.0.0/6           0.0.0.0/0
    0     0 logdrop    all  --  *      *       88.0.0.0/5           0.0.0.0/0
    0     0 logdrop    all  --  *      *       96.0.0.0/3           0.0.0.0/0
    0     0 logdrop    all  --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       197.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       222.0.0.0/7          0.0.0.0/0
    0     0 logdrop    all  --  *      *       240.0.0.0/4          0.0.0.0/0

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Mar  2 16:09:09 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=64791 PROTO=UDP SPT=67 DPT=68 LEN=308
Mar  2 16:11:08 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=330 TOS=0x00 PREC=0x00 TTL=255 ID=64837 PROTO=UDP SPT=67 DPT=68 LEN=310
Mar  2 16:11:08 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=330 TOS=0x00 PREC=0x00 TTL=255 ID=64839 PROTO=UDP SPT=67 DPT=68 LEN=310
Mar  2 16:12:29 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=330 TOS=0x00 PREC=0x00 TTL=255 ID=64871 PROTO=UDP SPT=67 DPT=68 LEN=310
Mar  2 16:14:06 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=330 TOS=0x00 PREC=0x00 TTL=255 ID=64917 PROTO=UDP SPT=67 DPT=68 LEN=310
Mar  2 16:15:45 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=64953 PROTO=UDP SPT=67 DPT=68 LEN=308
Mar  2 16:15:45 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=64955 PROTO=UDP SPT=67 DPT=68 LEN=308
Mar  2 16:16:09 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=64957 PROTO=UDP SPT=67 DPT=68 LEN=308
Mar  2 16:16:47 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=330 TOS=0x00 PREC=0x00 TTL=255 ID=64975 PROTO=UDP SPT=67 DPT=68 LEN=310
Mar  2 16:17:55 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=65008 PROTO=UDP SPT=67 DPT=68 LEN=308
Mar  2 16:18:24 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=330 TOS=0x00 PREC=0x00 TTL=255 ID=65020 PROTO=UDP SPT=67 DPT=68 LEN=310
Mar  2 16:19:31 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=255 ID=65034 PROTO=UDP SPT=67 DPT=68 LEN=316
Mar  2 16:19:34 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=255 ID=65036 PROTO=UDP SPT=67 DPT=68 LEN=316
Mar  2 16:19:35 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=330 TOS=0x00 PREC=0x00 TTL=255 ID=65038 PROTO=UDP SPT=67 DPT=68 LEN=310
Mar  2 16:20:00 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=65043 PROTO=UDP SPT=67 DPT=68 LEN=308
Mar  2 16:20:01 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=65047 PROTO=UDP SPT=67 DPT=68 LEN=308
Mar  2 16:21:19 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=255 ID=65080 PROTO=UDP SPT=67 DPT=68 LEN=316
Mar  2 16:21:22 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=336 TOS=0x00 PREC=0x00 TTL=255 ID=65083 PROTO=UDP SPT=67 DPT=68 LEN=316
Mar  2 16:21:47 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=330 TOS=0x00 PREC=0x00 TTL=255 ID=65095 PROTO=UDP SPT=67 DPT=68 LEN=310
Mar  2 16:22:24 rfc1918:DROP:IN=eth0 OUT= SRC=10.4.32.1 DST=255.255.255.255 LEN=330 TOS=0x00 PREC=0x00 TTL=255 ID=65109 PROTO=UDP SPT=67 DPT=68 LEN=310

NAT Table

Chain PREROUTING (policy ACCEPT 53 packets, 8115 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 29 packets, 2321 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 29 packets, 2321 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.0.0/24       0.0.0.0/0          to:24.234.142.71

Mangle Table

Chain PREROUTING (policy ACCEPT 2135 packets, 776K bytes)
 pkts bytes target     prot opt in     out     source               destination
   14  1858 man1918    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  135 11033 pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 890 packets, 125K bytes)
 pkts bytes target     prot opt in     out     source               destination
  107 35876 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (27 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:man1918:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain man1918 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1   330 RETURN     all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            169.254.0.0/16
    0     0 logdrop    all  --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 logdrop    all  --  *      *       0.0.0.0/0            192.0.2.0/24
    0     0 logdrop    all  --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            2.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            5.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            7.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            10.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            23.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            27.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            31.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            36.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            39.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            41.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            42.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            58.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            60.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            70.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            72.0.0.0/5
    0     0 logdrop    all  --  *      *       0.0.0.0/0            83.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            84.0.0.0/6
    0     0 logdrop    all  --  *      *       0.0.0.0/0            88.0.0.0/5
    0     0 logdrop    all  --  *      *       0.0.0.0/0            96.0.0.0/3
    0     0 logdrop    all  --  *      *       0.0.0.0/0            127.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            197.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            222.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            240.0.0.0/4

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   612 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
   59 30344 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
   66  3176 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
    6  1144 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08

tcp      6 101264 ESTABLISHED src=192.168.0.4 dst=64.12.25.224 sport=1036 dport=5190 src=64.12.25.224 dst=24.234.142.71 sport=5190 dport=1036 [ASSURED] use=1
tcp      6 64425 ESTABLISHED src=192.168.0.4 dst=64.12.25.224 sport=1052 dport=5190 src=64.12.25.224 dst=24.234.142.71 sport=5190 dport=1052 [ASSURED] use=1
tcp      6 8 TIME_WAIT src=192.168.0.4 dst=209.123.109.175 sport=1401 dport=80 src=209.123.109.175 dst=24.234.142.71 sport=80 dport=1401 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.0.4 dst=192.168.0.1 sport=1029 dport=139 src=192.168.0.1 dst=192.168.0.4 sport=139 dport=1029 [ASSURED] use=1
tcp      6 338857 ESTABLISHED src=192.168.0.4 dst=64.12.25.228 sport=1615 dport=5190 src=64.12.25.228 dst=24.234.142.71 sport=5190 dport=1615 [ASSURED] use=1
tcp      6 405225 ESTABLISHED src=192.168.0.4 dst=64.12.25.228 sport=1045 dport=5190 src=64.12.25.228 dst=24.234.142.71 sport=5190 dport=1045 [ASSURED] use=1
tcp      6 430663 ESTABLISHED src=192.168.0.4 dst=192.168.0.1 sport=1369 dport=993 src=192.168.0.1 dst=192.168.0.4 sport=993 dport=1369 [ASSURED] use=1
tcp      6 431978 ESTABLISHED src=192.168.0.4 dst=205.188.6.133 sport=1041 dport=5190 src=205.188.6.133 dst=24.234.142.71 sport=5190 dport=1041 [ASSURED] use=1
tcp      6 431970 ESTABLISHED src=24.234.142.71 dst=131.216.18.41 sport=2178 dport=22 src=131.216.18.41 dst=24.234.142.71 sport=22 dport=2178 [ASSURED] use=1
tcp      6 431991 ESTABLISHED src=192.168.0.4 dst=64.12.30.140 sport=1036 dport=5190 src=64.12.30.140 dst=24.234.142.71 sport=5190 dport=1036 [ASSURED] use=1
tcp      6 271622 ESTABLISHED src=192.168.0.4 dst=64.12.25.228 sport=1038 dport=5190 src=64.12.25.228 dst=24.234.142.71 sport=5190 dport=1038 [ASSURED] use=1
tcp      6 138877 ESTABLISHED src=192.168.0.4 dst=64.12.25.224 sport=1042 dport=5190 src=64.12.25.224 dst=24.234.142.71 sport=5190 dport=1042 [ASSURED] use=1
tcp      6 431970 ESTABLISHED src=192.168.0.4 dst=192.168.0.1 sport=1272 dport=22 src=192.168.0.1 dst=192.168.0.4 sport=22 dport=1272 [ASSURED] use=1
tcp      6 19346 ESTABLISHED src=192.168.0.4 dst=64.12.25.224 sport=1720 dport=5190 src=64.12.25.224 dst=24.234.142.71 sport=5190 dport=1720 [ASSURED] use=1
tcp      6 431944 ESTABLISHED src=192.168.0.4 dst=192.168.0.1 sport=1046 dport=993 src=192.168.0.1 dst=192.168.0.4 sport=993 dport=1046 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.0.4 dst=192.168.0.1 sport=1310 dport=22 src=192.168.0.1 dst=192.168.0.4 sport=22 dport=1310 [ASSURED] use=1
Ed Greshko
[Shorewall-users] HTTP connections timeout from the net
On Sun, 2 Mar 2003, Duncan E. Leaf wrote:

> I'm running a web server on the firewall computer. HTTP connections from
> the net to the firewall time out. However, connections from the firewall
> to the firewall are successful. Example:
>
> On the firewall computer lynx 24.234.142.71 succeeds

As you indicate....

telnet 24.234.142.71 22 as well as
telnet 24.234.142.71 25

succeed. So, it would appear that you have everything configured properly since your rules/policy for port 80 are the same as for the other ports.

Have you tried putting another host in the 24.234.142.64 subnet and trying that? Maybe your ISP is blocking port 80 to you?

Regards,
Ed

--
http://www.shorewall.net/ for all your firewall needs
http://www.greshko.com
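Ed's argument (the net2fw rule for port 80 has exactly the same shape as the port 22 and port 25 rules that demonstrably work from the net, so the block is probably not on this box) can be turned into a check that does not depend on intuition: take two `shorewall status` (or `iptables -t filter -nvL`) snapshots around an external connection attempt to both ports and compare the packet counters on the two ACCEPT rules. The Python below is an added example for this thread, not code from the original post or from Shorewall. The BEFORE snapshot is the net2fw chain as posted above (counters reset at 16:21:59); the AFTER snapshot, the function names (`parse_chains`, `port_rule`, `same_shape`, `diagnose`) and the result labels are constructed for the example. If the working port's rule counts new packets while the failing port's rule stays at zero, the SYN never reached that rule; the deltas in the chains ahead of it on the same path (eth0_in, dynamic, rfc1918, newnotsyn) then tell you whether the box dropped it or never saw it, and "never saw it" is the upstream-filtering case Ed suspects and the port change in the follow-up is consistent with.

```python
"""Did the SYN for the failing port ever reach the filter table?
Added example, not code from this thread or from Shorewall: parses
`iptables -nvL` style chain listings and compares counter deltas."""
import re

# One rule line of `iptables -nvL`: pkts bytes target prot opt in out src dst [match text]
_RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+"
    r"(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<match>.*)$")

def _to_int(s):
    """iptables abbreviates large counters (776K); `-x` would print them exactly."""
    mult = {"K": 1000, "M": 1000000, "G": 1000000000}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def parse_chains(text):
    """Return {chain: [rule, ...]} for ONE table's listing (filter and mangle both
    have a 'logdrop' chain, so feed tables separately or the names collide)."""
    chains, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^Chain (\S+) \(", line)
        if head:
            current, chains[head.group(1)] = head.group(1), []
            continue
        if current is None:
            continue
        m = _RULE_RE.match(line)          # the ' pkts bytes target' header never matches
        if m:
            rule = m.groupdict()
            rule["pkts"] = _to_int(rule["pkts"])
            rule["match"] = rule["match"].strip()
            chains[current].append(rule)
    return chains

def port_rule(chains, chain, proto, dport):
    """The rule in `chain` for `proto` with dpt:<dport> (exact port, not dpts: ranges), or None."""
    for rule in chains.get(chain, []):
        if rule["prot"] == proto and re.search(rf"\bdpt:{dport}\b", rule["match"]):
            return rule
    return None

def same_shape(a, b):
    """True when two rules differ only in the port number: Ed's 'same rules/policy' test."""
    def shape(r):
        return (r["target"], r["prot"], r["in"], r["out"], r["src"], r["dst"],
                re.sub(r"dpt:\d+", "dpt:N", r["match"]))
    return shape(a) == shape(b)

def diagnose(before, after, chain, good_port, bad_port, proto="tcp"):
    """Classify the failing port from counter deltas around an external test.
    'no-rule'        no rule for bad_port in `chain`: fix the firewall config
    'rule-differs'   a rule exists but is shaped unlike the working port's rule
    'accepted'       the bad_port rule counted packets: the firewall passes them
    'never-arrived'  the good port counted, the bad port did not: the SYN never
                     reached this rule (check earlier chains, then upstream)
    'inconclusive'   neither counter moved; the test did not reach this chain"""
    b, a = parse_chains(before), parse_chains(after)
    good_b, good_a = port_rule(b, chain, proto, good_port), port_rule(a, chain, proto, good_port)
    bad_b, bad_a = port_rule(b, chain, proto, bad_port), port_rule(a, chain, proto, bad_port)
    if bad_b is None or bad_a is None:
        return "no-rule"
    if good_a is not None and not same_shape(good_a, bad_a):
        return "rule-differs"
    bad_delta = bad_a["pkts"] - bad_b["pkts"]
    good_delta = good_a["pkts"] - good_b["pkts"] if good_a and good_b else 0
    if bad_delta > 0:
        return "accepted"
    if good_delta > 0:
        return "never-arrived"
    return "inconclusive"

# BEFORE is the net2fw chain as posted in this thread (counters reset 16:21:59).
BEFORE = """\
Chain net2fw (1 references)
 pkts bytes target     prot opt in  out source    destination
    6  1144 ACCEPT     all  --  *   *   0.0.0.0/0 0.0.0.0/0   state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:25
    0     0 net2all    all  --  *   *   0.0.0.0/0 0.0.0.0/0
"""

# AFTER is CONSTRUCTED: the same chain after a remote host ran `telnet 24.234.142.71 22`
# (connected) and `telnet 24.234.142.71 80` (timed out). Only the 22 and ESTABLISHED rows moved.
AFTER = """\
Chain net2fw (1 references)
 pkts bytes target     prot opt in  out source    destination
   18  2910 ACCEPT     all  --  *   *   0.0.0.0/0 0.0.0.0/0   state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   state NEW tcp flags:!0x16/0x02
    1    60 ACCEPT     tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:25
    0     0 net2all    all  --  *   *   0.0.0.0/0 0.0.0.0/0
"""

if __name__ == "__main__":
    print(diagnose(BEFORE, AFTER, "net2fw", good_port=22, bad_port=80))  # never-arrived
```

Use it with `iptables -t filter -nvL -x` output, one table at a time, and zero the counters first (`iptables -Z`, as the "Counters reset" line in the posted status shows had been done) so the deltas are small enough to read by eye. A "never-arrived" result on net2fw is only as good as the chains before it: run the same comparison on eth0_in and rfc1918 (and look for a delta on newnotsyn, which would mean the packet arrived but not as a clean SYN) before concluding the packet was filtered upstream of the box.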
Duncan E. Leaf
2003-Mar-03 02:03 UTC
[Shorewall-users] HTTP connections timeout from the net
I set the web server to listen on another port and was able to connect, so I guess my ISP is blocking traffic. Thanks for pointing that out.

Duncan

Ed Greshko wrote:
> On Sun, 2 Mar 2003, Duncan E. Leaf wrote:
>
> > I'm running a web server on the firewall computer. HTTP connections from
> > the net to the firewall time out. However, connections from the firewall
> > to the firewall are successful. Example:
> >
> > On the firewall computer lynx 24.234.142.71 succeeds
>
> As you indicate....
>
> telnet 24.234.142.71 22 as well as
> telnet 24.234.142.71 25
>
> succeed. So, it would appear that you have everything configured
> properly since your rules/policy for port 80 are the same as for the other
> ports.
>
> Have you tried putting another host in the 24.234.142.64 subnet and trying
> that? Maybe your ISP is blocking port 80 to you?
>
> Regards,
> Ed
>
> --
> http://www.shorewall.net/ for all your firewall needs
> http://www.greshko.com