Eric Raskin
2003-Mar-25  17:11 UTC
[Shorewall-users] DNAT not working after changing BIND to use views
Hello all:
 
I've got a confusing issue.  I had a working shorewall configuration
(based on the two interface model) using DNAT for redirection to my HTTP
server.  The HTTP server is on my inside network (I know - bad juju, but
one thing at a time).  I changed my configuration this morning to use
views in my BIND (named) configuration.  Everyone outside the firewall
is able to get in fine.  Everyone inside the firewall is able to browse
the Internet just fine.  The only thing that broke is my internal net to
internal HTTP server DNAT.  I can't figure out what has gone wrong.  I
need the port redirection capability of DNAT inside my network, so I've
set my www.paslists.com to be the firewall's internal interface, rather
than pointing it directly at the HTTP server.  I've also tried pointing
my www.paslists.com directly at the HTTP server, but that doesn't work
either.  To finish the picture for you, my HTTP server has a rewrite
rule that issues a redirect from http://www.paslists.com to
http://www.paslists.com/pas/.  This is needed for my J2EE objects in my
web site.  Again, this all worked before I changed my BIND
configuration, but I can't seem to figure out what broke.
 
My test is to issue the following command from a system on my internal
network:
 
$  telnet fw 80  
Trying 192.168.10.1..
telnet: Unable to connect to remote host: Connection refused
$
 
I did a shorewall reset, then tried this telnet, then did a shorewall
status (status.txt).  I also had a tcpdump on my internal Ethernet port
in promiscuous mode running.  All I see is a request to the firewall on
port 80 and a reject from the firewall (dump.txt).  There is no log of
the reject in the status, which is a bit confusing.  I thought that I
would not receive a reject packet if shorewall was just dropping them.
So, if it's rejecting them, why isn't it logging the reject?
 
I've attached everything I've touched in the configuration in case some
of it is relevant.  Our changes were:
 
Allow SMTP, HTTP, HTTPS, DNS, NTP, FTP.
Allow SSH to the Firewall from my Internal network.
Allow PPTP to the firewall (running PoPToP).
DNAT HTTP/HTTPS to our internal server running on ports 7778/4460.
SNAT/DNAT internal network for HTTP/HTTPS.
 
Please help!!!
 
PS.  I've also attached my named.conf file so you can see what the views
are.  I'll be happy to send my internal view to whoever needs it, but I
would rather not post it.
 
----------------------------------------------------------------------------
Eric H. Raskin                                          Voice: 914-741-1100
President                                               Fax:   914-741-2788
Professional Advertising Systems Inc.
eraskin@paslists.com
70 Memorial Plaza
Pleasantville, NY 10570
 
 
-------------- next part --------------
#
# Shorewall 1.4 - /etc/shorewall/tunnels
#
#	This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
#
#	IPIP, GRE and OPENVPN tunnels must be configured on the
#	firewall/gateway itself. IPSEC endpoints may be defined
#	on the firewall/gateway or on an internal system.
#
#	The columns are:
#
#	TYPE	    --	must start in column 1 and be "ipsec", "ipsecnat", "ip",
#			"gre", "pptpclient", "pptpserver" or "openvpn".
#
#			If type is "openvpn", it may optionally be followed
#			by ":" and the port number used by the tunnel. if no
#			":" and port number are included, then the default port
#			of 5000 will be used
#
#	ZONE	    --	The zone of the physical interface through which
#			tunnel traffic passes. This is normally your internet
#			zone.
#
#	GATEWAY	    --	The IP address of the remote tunnel gateway. If the
#			remote gateway has no fixed address (Road Warrior)
#			then specify the gateway as 0.0.0.0/0.
#
#	GATEWAY
#	ZONES --	Optional. If the gateway system specified in the third
#			column is a standalone host then this column should
#			contain a comma-separated list of the names of the
#			zones that the host might be in. This column only
#			applies to IPSEC tunnels.
#
#		Example 1:
#
#			IPSec tunnel. The remote gateway is 4.33.99.124 and
#			the remote subnet is 192.168.9.0/24
#
#			ipsec	net	4.33.99.124
#
#		Example 2:
#
#			Road Warrior (LapTop that may connect from anywhere)
#			where the "gw" zone is used to represent the remote
#			LapTop.
#
#			ipsec	net	0.0.0.0/0	gw
#
#		Example 3:
#
#			Host 4.33.99.124 is a standalone system connected
#			via an ipsec tunnel to the firewall system. The host
#			is in zone gw.
#
#			ipsec	net	4.33.99.124	gw
#
#		Example 4:
#
#			Road Warriors that may belong to zones vpn1, vpn2 or
#			vpn3. The FreeS/Wan _updown script will add the
#			host to the appropriate zone using the "shorewall add"
#			command on connect and will remove the host from the
#			zone at disconnect time.
#
#			ipsec	net	0.0.0.0/0	vpn1,vpn2,vpn3
#
#		Example 5:
#
#			You run the Linux PPTP client on your firewall and
#			connect to server 192.0.2.221.
#
#			pptpclient	net	192.0.2.221
#
#		Example 6:
#
#			You run a PPTP server on your firewall.
#
#			pptpserver	net
#
#		Example 7:
#
#			OPENVPN tunnel. The remote gateway is 4.33.99.124 and
#			openvpn uses port 7777.
#
#			openvpn:7777	net	4.33.99.124
#
# TYPE			ZONE	GATEWAY		GATEWAY ZONE	PORT
pptpserver		net
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-------------- next part --------------
19:38:50.287942 sol.paslists.com.35572 > fw.http: S 810501628:810501628(0) win 64240 <mss 1460> (DF)
19:38:50.288119 fw.http > sol.paslists.com.35572: R 0:0(0) ack 810501629 win 0 (DF)
19:38:55.283193 arp who-has sol.paslists.com tell fw
19:38:55.283424 arp reply sol.paslists.com is-at 0:50:da:17:1:26
-------------- next part --------------
#
# Shorewall 1.4 - /etc/shorewall/hosts
#
#    WARNING: 90% of Shorewall users don't need to add entries to this
#             file and 80% of those who try to add such entries get it
#	      wrong. Unless you are ABSOLUTELY SURE that you need entries
#	      in this file, don't touch it!
#
#	This file is used to define zones in terms of subnets and/or
#	individual IP addresses. Most simple setups don't need to
#	(should not) place anything in this file.
#
#	ZONE	- The name of a zone defined in /etc/shorewall/zones
#
#	HOST(S)	- The name of an interface followed by a colon (":") and
#		  either:
#
#			a) The IP address of a host
#			b) A subnetwork in the form
#			   <subnet-address>/<mask width>
#
#		  The interface must be defined in the
#		  /etc/shorewall/interfaces file.
#
#		  Examples:
#
#			eth1:192.168.1.3
#			eth2:192.168.2.0/24
#
#	OPTIONS - A comma-separated list of options. Currently-defined
#		  options are:
#
#			maclist	     - Connection requests from these hosts
#				       are compared against the contents of
#				       /etc/shorewall/maclist. If this option
#				       is specified, the interface must be
#				       an ethernet NIC and must be up before
#				       Shorewall is started.
#
#
#ZONE		HOST(S)				OPTIONS
loc		eth1:192.168.10.0/24		routestopped
loc		ppp+:192.168.10.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
-------------- next part --------------
#	
#	Shorewall 1.4 - Sample Masquerade file For Two Interfaces
#
#	etc/shorewall/masq
#
#	Use this file to define dynamic NAT (Masquerading) and to define Source NAT
#	(SNAT).
#
#	Columns are:
#
#	INTERFACE
#			Outgoing interface. This is usually your internet
#			interface. If ADD_SNAT_ALIASES=Yes in
#			/etc/shorewall/shorewall.conf, you may add ":" and
#			a digit to indicate that you want the alias added with
#			that name (e.g., eth0:0). This will allow the alias to
#			be displayed with ifconfig. THAT IS THE ONLY USE FOR
#			THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
#			PLACE IN YOUR SHOREWALL CONFIGURATION.
#
#			This may be qualified by adding the character
#			":" followed by a destination host or subnet.
#
#
#	SUBNET
#			Subnet that you wish to masquerade. You can specify this as
#			a subnet or as an interface. If you give the name of an
#			interface, you must have iproute installed and the interface
#			must be up before you start the firewall.
#
#			In order to exclude a subset of the specified SUBNET, you
#			may append "!" and a comma-separated list of IP addresses
#			and/or subnets that you wish to exclude.
#
#			Example: eth1!192.168.1.4,192.168.32.0/27
#
#			In that example traffic from eth1 would be masqueraded unless
#			it came from 192.168.1.4 or 192.168.32.0/27
#
#	ADDRESS (Optional)  	
#			If you specify an address here, SNAT will be
#			used and this will be the source address. If
#			ADD_SNAT_ALIASES is set to Yes or yes in
#			/etc/shorewall/shorewall.conf then Shorewall
#			will automatically add this address to the
#			INTERFACE named in the first column.
#
#			WARNING: Do NOT specify ADD_SNAT_ALIASES=Yes if
#			the address given in this column is the primary
#			IP address for the interface in the INTERFACE
#			column.
#
#			This column may not contain a DNS Name.
#
#		Example 1:
#
#			You have a simple masquerading setup where eth0 connects to
#			a DSL or cable modem and eth1 connects to your local network
#			with subnet 192.168.0.0/24.
#
#			Your entry in the file can be either:
#
#			#INTERFACE		SUBNET		ADDRESS
#			eth0			eth1
#
#			or
#
#			#INTERFACE		SUBNET		ADDRESS
#			eth0			192.168.0.0/24
#
#		Example 2:
#
#			You add a router to your local network to connect subnet
#			192.168.1.0/24 which you also want to masquerade. You then
#			add a second entry for eth0 to this file:
#
#			#INTERFACE		SUBNET		ADDRESS
#			eth0			192.168.1.0/24
#
#		Example 3:
#
#			You have an IPSEC tunnel through ipsec0 and you want to
#			masquerade packets coming from 192.168.1.0/24 but only if
#			these packets are destined for hosts in 10.1.1.0/24:
#
#			#INTERFACE		SUBNET		ADDRESS
#			ipsec0:10.1.1.0/24	192.168.1.0/24
#
#		Example 4:
#
#			You want all outgoing traffic from 192.168.1.0/24 through
#			eth0 to use source address 206.124.146.176 which is NOT the
#			primary address of eth0. You want 206.124.146.176 to be
#			added to eth0 with name eth0:0.
#
#			#INTERFACE		SUBNET		ADDRESS
#			eth0:0			192.168.1.0/24	206.124.146.176
#
##############################################################################
#INTERFACE		SUBNET		ADDRESS
eth0			192.168.10.0/24	168.100.199.154
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-------------- next part --------------
#	
# 	Shorewall 1.4 -- Sample Policy File For Two Interfaces
#
# 	/etc/shorewall/policy
#
#	This file determines what to do with a new connection request if we
#	don't get a match from the /etc/shorewall/rules file or from the
#	/etc/shorewall/common[.def] file. For each source/destination pair, the
#	file is processed in order until a match is found ("all" will match
#	any client or server).
#
# Columns are:
#
#	SOURCE		Source zone. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all".
#
#	DEST		Destination zone. Must be the name of a zone defined
#			in /etc/shorewall/zones, $FW or "all"
#
#			WARNING: Firewall->Firewall policies are not allowed; if
#			you have a policy where both SOURCE and DEST are $FW,
#			Shorewall will not start!
#
#	POLICY		Policy if no match from the rules file is found. Must
#			be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
#
#	LOG LEVEL	If supplied, each connection handled under the default
#			POLICY is logged at that level. If not supplied, no
#			log message is generated. See syslog.conf(5) for a
#			description of log levels.
#
#			Beginning with Shorewall version 1.3.12, you may
#			also specify ULOG (must be in upper case). This will
#			log to the ULOG target and send it to a separate log
#			through use of ulogd (http://www.gnumonks.org/projects/ulogd).
#
#			If you don't want to log but need to specify the
#			following column, place "_" here.
#
#	LIMIT:BURST	If passed, specifies the maximum TCP connection rate
#			and the size of an acceptable burst. If not specified,
#			TCP connections are not limited.
#
#	As shipped, the default policies are:
#
#	a)	All connections from the local network to the Internet are allowed
#	b)	All connections from the Internet are ignored but logged at syslog
#		level KERNEL.INFO.
#	c)	All other connection requests are rejected and logged at level
#		KERNEL.INFO.
###############################################################################
#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
loc		net		ACCEPT
loc		loc		ACCEPT
# If you want open access to the Internet from your Firewall 
# remove the comment from the following line.
fw		net		ACCEPT
net		all		DROP		info
all		all		REJECT		info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-------------- next part --------------
#	
# 	Shorewall version 1.4 - Sample Rules File For Two Interfaces
#
# 	/etc/shorewall/rules
#
#	Rules in this file govern connection establishment. Requests and
#	responses are automatically allowed using connection tracking.
#
#	In most places where an IP address or subnet is allowed, you
#	can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
#	indicate that the rule matches all addresses except the address/subnet
#	given. Notice that no white space is permitted between "!" and the
#	address/subnet.
#
# Columns are:
#
#
#	ACTION			ACCEPT, DROP, REJECT, DNAT, DNAT- or REDIRECT
#
#				ACCEPT
#						Allow the connection request
#				DROP
#						Ignore the request
#				REJECT
#						Disallow the request and return an
#						icmp-unreachable or an RST packet.
#				DNAT
#						Forward the request to another
#						system (and optionally another
#						port).
#				DNAT-
#						Advanced users only.
#						Like DNAT but only generates the
#						DNAT iptables rule and not
#						the companion ACCEPT rule.
#				REDIRECT
#						Redirect the request to a local
#					    	port on the firewall.
#				CONTINUE
#						(For experts only). Do Not Process
#						any of the following rules for this
#						(source zone,destination zone). If
#						the source and/or destination IP
#						address falls into a zone defined
#						later in /etc/shorewall/zones, this
#						connection request will be passed
#						to the rules defined for that
#						(those) zones(s).
#
#			May optionally be followed by ":" and a syslog log
#			level (e.g, REJECT:info). This causes the packet to be
#			logged at the specified level.
#
#			You may also specify ULOG (must be in upper case) as a 
#			log level. This will log to the ULOG target for routing
#			to a separate log through use of ulogd.
#			(http://www.gnumonks.org/projects/ulogd).
#
#	SOURCE		Source hosts to which the rule applies. May be a zone
#			defined in /etc/shorewall/zones, $FW to indicate the
#			firewall itself, or "all". If the ACTION is DNAT or
#			REDIRECT, sub-zones of the specified zone may be
#			excluded from the rule by following the zone name with
#			"!" and a comma-separated list of sub-zone names.
#
#			Except when "all" is specified, clients may be further
#			restricted to a list of subnets and/or hosts by
#			appending ":" and a comma-separated list of subnets
#			and/or hosts. Hosts may be specified by IP or MAC
#			address; mac addresses must begin with "~" and must use
#			"-" as a separator.
#
#		Some Examples:
#
#			net:155.186.235.1
#						Host 155.186.235.1 on the Internet
#
#			loc:192.168.1.0/24
#						Subnet 192.168.1.0/24 on the
#						Local Network
#
#			net:155.186.235.1,155.186.235.2
#						Hosts 155.186.235.1 and
#						155.186.235.2 on the Internet.
#
#			loc:~00-A0-C9-15-39-78
#						Host on the Local Network with
#						MAC address 00:A0:C9:15:39:78.
#
#			Alternatively, clients may be specified by interface
#			by appending ":" to the zone name followed by the
#			interface name. For example, net:eth0 specifies a
#			client that communicates with the firewall system
#			through eth0. This may be optionally followed by
#			another colon (":") and an IP/MAC/subnet address
#			as described above (e.g., net:eth0:192.168.1.5).
#
#	DEST		Location of Server. May be a zone defined in
#			/etc/shorewall/zones, $FW to indicate the firewall
#			itself or "all"
#
#			Except when "all" is specified, the server may be
#			further restricted to a particular subnet, host or
#			interface by appending ":" and the subnet, host or
#			interface. See above.
#
#		Restrictions:
#
#			1.	MAC addresses are not allowed.
#			2. 	In DNAT rules, only IP addresses are
#				allowed; no FQDNs or subnet addresses
#				are permitted.
#
#			The port that the server is listening on may be
#			included and separated from the server's IP address by
#			":". If omitted, the firewall will not modify the
#			destination port. A destination port may only be
#			included if the ACTION is DNAT or REDIRECT.
#
#			Example: net:155.186.235.1:25 specifies an Internet
#			server at IP address 155.186.235.1 and listening on port
#			25. The port number MUST be specified as an integer
#			and not as a name from /etc/services.
#
#			If the ACTION is REDIRECT, this column needs only to
#			contain the port number on the firewall that the
#			request should be redirected to.
#
#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
#			"all".
#
#	DEST PORT(S)	Destination Ports. A comma-separated list of Port
#			names (from /etc/services), port numbers or port
#			ranges; if the protocol is "icmp", this column is
#			interpreted as the destination icmp-type(s).
#
#			A port range is expressed as <low port>:<high port>.
#
#			This column is ignored if PROTOCOL = all but must be
#			entered if any of the following fields are supplied.
#			In that case, it is suggested that this field contain
#			"-"
#
#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
#			only a single Netfilter rule will be generated if in
#			this list and the CLIENT PORT(S) list below:
#			1. There are 15 or less ports listed.
#			2. No port ranges are included.
#			Otherwise, a separate rule will be generated for each
#			port.
#
#	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
#			any source port is acceptable. Specified as a comma-
#			separated list of port names, port numbers or port
#			ranges.
#
#			If you don't want to restrict client ports but need to
#			specify an ADDRESS in the next column, then place "-"
#			in this column.
#
#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
#			only a single Netfilter rule will be generated if in
#			this list and the DEST PORT(S) list above:
#			1. There are 15 or less ports listed.
#			2. No port ranges are included.
#			Otherwise, a separate rule will be generated for each
#			port.
#
#	ORIGINAL DEST	(Optional -- only allowed if ACTION is DNAT or
#			REDIRECT) If included and different from the IP
#			address given in the SERVER column, this is an address
#			on some interface on the firewall and connections to
#			that address will be forwarded to the IP and port
#			specified in the DEST column.
#
#			The address may optionally be followed by
#			a colon (":") and a second IP address. This causes
#			Shorewall to use the second IP address as the source
#			address in forwarded packets. See the Shorewall
#			documentation for restrictions concerning this feature.
#			If no source IP address is given, the original source
#			address is not altered.
#
#	Also by default all outbound loc -> net communications are allowed.
#	You can change this behavior in the sample policy file.
#
#	Example:	Accept www requests to the firewall.
#
#	#ACTION		SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
#	#						PORT	PORT(S)	DEST
#	ACCEPT		net	fw	tcp	http
#
#	Example:	Accept SMTP requests from the Local Network to the Internet
#
#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL
#	#							PORT	PORT(S)	DEST
#	ACCEPT		loc		net		tcp	smtp
#
#	Example:	Forward all ssh and http connection requests from the Internet
#			to local system 192.168.1.3
#
#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL
#	#							PORT	PORT(S)	DEST
#	DNAT		net		loc:192.168.1.3	tcp	ssh,http
#
#	Example:	Redirect all locally-originating www connection requests to
#			port 3128 on the firewall (Squid running on the firewall
#			system) except when the destination address is 192.168.2.2
#
#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL
#	#							PORT	PORT(S)	DEST
#	REDIRECT	loc		3128		tcp	www	-	!192.168.2.2
#
#	Example:	All http requests from the Internet to address
#			130.252.100.69 are to be forwarded to 192.168.1.3
#
#	#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL
#	#							PORT	PORT(S)	DEST
#	DNAT		net		loc:192.168.1.3	tcp	80	-	130.252.100.69
##############################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	ORIGINAL
#							PORT	PORT(S)	DEST
#
#	Accept DNS connections from the firewall or our internal network to the
#	network
#
ACCEPT		fw		net		tcp	domain
ACCEPT		fw		net		udp	domain
ACCEPT		fw		loc		tcp	domain
ACCEPT		fw		loc		udp	domain
ACCEPT		loc		net		tcp	domain
ACCEPT		loc		net		udp	domain
ACCEPT		loc		fw		tcp	domain
ACCEPT		loc		fw		udp	domain
#
#	Accept SSH connections from the local network for administration
#
ACCEPT		loc		fw		tcp	ssh
#
#	Allow SMTP traffic -- run a mail relay SMTP server on the firewall
#
ACCEPT		net		fw		tcp	smtp
ACCEPT		loc		net		tcp	smtp
ACCEPT		loc		fw		tcp	smtp
ACCEPT		fw		loc		tcp	smtp
#
#	Accept FTP traffic
#
ACCEPT		net		fw		tcp	ftp
ACCEPT		loc		fw		tcp	ftp
ACCEPT		loc		net		tcp	ftp
#
#	Accept ntp traffic
#
ACCEPT		net		fw		tcp	ntp
ACCEPT		fw		net		tcp	ntp
#
#	Allow Ping To And From Firewall
#
ACCEPT		loc		fw		icmp	8
ACCEPT		net		fw		icmp	8
ACCEPT		fw		loc		icmp	8
ACCEPT		fw		net		icmp	8
#
#	Allow HTTP access to Firewall from Local Net
#
ACCEPT		loc		fw		tcp	80
ACCEPT		loc		fw		tcp	443
ACCEPT		loc		fw		tcp	4460
ACCEPT		loc		fw		tcp	7778
ACCEPT		fw		loc		tcp	80
ACCEPT		fw		loc		tcp	443
ACCEPT		fw		loc		tcp	4460
ACCEPT		fw		loc		tcp	7778
#
#	Redirect all WWW traffic to our HTTP server from both inside and outside
#
DNAT		net		loc:192.168.10.4	tcp	80
DNAT		net		loc:192.168.10.4	tcp	443
DNAT		net		loc:192.168.10.4	tcp	4460
DNAT		net		loc:192.168.10.4	tcp	7778
DNAT		loc		loc:192.168.10.4	tcp	80	-	168.100.199.154:192.168.10.1
DNAT		loc		loc:192.168.10.4	tcp	443	-	168.100.199.154:192.168.10.1
DNAT		loc		loc:192.168.10.4	tcp	4460	-	168.100.199.154:192.168.10.1
DNAT		loc		loc:192.168.10.4	tcp	7778	-	168.100.199.154:192.168.10.1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-------------- next part --------------
Shorewall-1.4.0 Status at fw.paslists.com - Tue Mar 25 19:38:58 EST 2003
Counters reset Tue Mar 25 19:38:41 EST 2003
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    2   205 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    1    44 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ppp_in     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ppp_fwd    all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    2   205 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    1    40 fw2loc     all  --  *      eth1    0.0.0.0/0            192.168.10.0/24
    0     0 fw2loc     all  --  *      ppp+    0.0.0.0/0            192.168.10.0/24
    0     0 fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain all2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:445 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445 reject-with icmp-port-unreachable
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53 state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0            168.100.199.159
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.10.255
Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination
Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2loc    all  --  *      eth1    0.0.0.0/0            192.168.10.0/24
    0     0 net2loc    all  --  *      ppp+    0.0.0.0/0            192.168.10.0/24
    0     0 net2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2net    all  --  *      eth0    192.168.10.0/24      0.0.0.0/0
    0     0 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 loc2loc    all  --  *      eth1    192.168.10.0/24      192.168.10.0/24
    0     0 loc2loc    all  --  *      ppp+    192.168.10.0/24      192.168.10.0/24
    0     0 loc2loc    all  --  *      eth1    192.168.10.0/24      0.0.0.0/0
    0     0 loc2loc    all  --  *      eth1    0.0.0.0/0            192.168.10.0/24
    0     0 loc2loc    all  --  *      ppp+    0.0.0.0/0            192.168.10.0/24
    0     0 loc2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    44 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    44 loc2fw     all  --  *      *       192.168.10.0/24      0.0.0.0/0
    0     0 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain fw2loc (3 references)
 pkts bytes target     prot opt in     out     source               destination
    1    40 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:4460
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:7778
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:123
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain loc2fw (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:21
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:4460
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:7778
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain loc2loc (9 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.4
state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.4
state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.4
state NEW tcp dpt:4460
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.4
state NEW tcp dpt:7778
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain loc2net (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:21
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain logdrop (30 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
limit: avg 10/min burst 5 LOG flags 0 level 6 prefix
`Shorewall:rfc1918:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain logflags (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
limit: avg 10/min burst 5 LOG flags 6 level 6 prefix
`Shorewall:logflags:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
limit: avg 10/min burst 5 LOG flags 0 level 6 prefix
`Shorewall:net2all:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:1723
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:123
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain net2loc (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.4
state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.4
state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.4
state NEW tcp dpt:4460
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.10.4
state NEW tcp dpt:7778
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain newnotsyn (9 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain ppp_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2net    all  --  *      eth0    192.168.10.0/24      0.0.0.0/0
    0     0 loc2loc    all  --  *      eth1    192.168.10.0/24     
192.168.10.0/24
    0     0 loc2loc    all  --  *      ppp+    192.168.10.0/24     
192.168.10.0/24
    0     0 loc2loc    all  --  *      eth1    192.168.10.0/24      0.0.0.0/0
Chain ppp_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2fw     all  --  *      *       192.168.10.0/24      0.0.0.0/0
Chain reject (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-port-unreachable
Chain rfc1918 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       169.254.0.0/16       0.0.0.0/0
    0     0 logdrop    all  --  *      *       172.16.0.0/12        0.0.0.0/0
    0     0 logdrop    all  --  *      *       192.0.2.0/24         0.0.0.0/0
    0     0 logdrop    all  --  *      *       192.168.0.0/16       0.0.0.0/0
    0     0 logdrop    all  --  *      *       0.0.0.0/7            0.0.0.0/0
    0     0 logdrop    all  --  *      *       2.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       5.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       7.0.0.0/8            0.0.0.0/0
    0     0 logdrop    all  --  *      *       10.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       23.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       27.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       31.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       36.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       39.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       41.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       42.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       49.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       50.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       58.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       60.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       70.0.0.0/7           0.0.0.0/0
    0     0 logdrop    all  --  *      *       72.0.0.0/5           0.0.0.0/0
    0     0 logdrop    all  --  *      *       83.0.0.0/8           0.0.0.0/0
    0     0 logdrop    all  --  *      *       84.0.0.0/6           0.0.0.0/0
    0     0 logdrop    all  --  *      *       88.0.0.0/5           0.0.0.0/0
    0     0 logdrop    all  --  *      *       96.0.0.0/3           0.0.0.0/0
    0     0 logdrop    all  --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       197.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       198.18.0.0/15        0.0.0.0/0
    0     0 logdrop    all  --  *      *       201.0.0.0/8          0.0.0.0/0
    0     0 logdrop    all  --  *      *       240.0.0.0/4          0.0.0.0/0
Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain tcpflags (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:0 flags:0x16/0x02
NAT Table
Chain PREROUTING (policy ACCEPT 1 packets, 44 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    1    44 loc_dnat   all  --  eth1   *       192.168.10.0/24      0.0.0.0/0
    0     0 loc_dnat   all  --  ppp+   *       192.168.10.0/24      0.0.0.0/0
    1    44 loc_dnat   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 loc_snat   all  --  *      eth1    0.0.0.0/0            192.168.10.0/24
    0     0 loc_snat   all  --  *      ppp+    0.0.0.0/0            192.168.10.0/24
    0     0 loc_snat   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.10.0/24      0.0.0.0/0           to:168.100.199.154
Chain loc_dnat (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            168.100.199.154     tcp dpt:80 to:192.168.10.4
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            168.100.199.154     tcp dpt:443 to:192.168.10.4
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            168.100.199.154     tcp dpt:4460 to:192.168.10.4
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            168.100.199.154     tcp dpt:7778 to:192.168.10.4
Chain loc_snat (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.4        tcp dpt:80 to:192.168.10.1
    0     0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.4        tcp dpt:80 to:192.168.10.1
    0     0 SNAT       tcp  --  *      *       0.0.0.0/0            192.168.10.4        tcp dpt:80 to:192.168.10.1
    0     0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.4        tcp dpt:443 to:192.168.10.1
    0     0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.4        tcp dpt:443 to:192.168.10.1
    0     0 SNAT       tcp  --  *      *       0.0.0.0/0            192.168.10.4        tcp dpt:443 to:192.168.10.1
    0     0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.4        tcp dpt:4460 to:192.168.10.1
    0     0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.4        tcp dpt:4460 to:192.168.10.1
    0     0 SNAT       tcp  --  *      *       0.0.0.0/0            192.168.10.4        tcp dpt:4460 to:192.168.10.1
    0     0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.4        tcp dpt:7778 to:192.168.10.1
    0     0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.4        tcp dpt:7778 to:192.168.10.1
    0     0 SNAT       tcp  --  *      *       0.0.0.0/0            192.168.10.4        tcp dpt:7778 to:192.168.10.1
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:192.168.10.4
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:192.168.10.4
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:4460 to:192.168.10.4
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:7778 to:192.168.10.4
Mangle Table
Chain PREROUTING (policy ACCEPT 3 packets, 249 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 man1918    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW
    3   249 pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain INPUT (policy ACCEPT 3 packets, 249 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 3 packets, 245 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   245 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 3 packets, 245 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain logdrop (30 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `Shorewall:man1918:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain man1918 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            169.254.0.0/16
    0     0 logdrop    all  --  *      *       0.0.0.0/0            172.16.0.0/12
    0     0 logdrop    all  --  *      *       0.0.0.0/0            192.0.2.0/24
    0     0 logdrop    all  --  *      *       0.0.0.0/0            192.168.0.0/16
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            2.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            5.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            7.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            10.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            23.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            27.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            31.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            36.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            39.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            41.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            42.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            49.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            50.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            58.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            60.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            70.0.0.0/7
    0     0 logdrop    all  --  *      *       0.0.0.0/0            72.0.0.0/5
    0     0 logdrop    all  --  *      *       0.0.0.0/0            83.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            84.0.0.0/6
    0     0 logdrop    all  --  *      *       0.0.0.0/0            88.0.0.0/5
    0     0 logdrop    all  --  *      *       0.0.0.0/0            96.0.0.0/3
    0     0 logdrop    all  --  *      *       0.0.0.0/0            127.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            197.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            198.18.0.0/15
    0     0 logdrop    all  --  *      *       0.0.0.0/0            201.0.0.0/8
    0     0 logdrop    all  --  *      *       0.0.0.0/0            240.0.0.0/4
Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 TOS set 0x08
tcp      6 86 TIME_WAIT src=192.168.10.101 dst=167.206.112.6 sport=3645 dport=110 src=167.206.112.6 dst=168.100.199.154 sport=110 dport=3645 [ASSURED] use=1
tcp      6 80 TIME_WAIT src=192.168.10.101 dst=192.168.10.1 sport=2901 dport=22 src=192.168.10.1 dst=192.168.10.101 sport=22 dport=2901 [ASSURED] use=1
udp      17 171 src=192.168.10.1 dst=192.168.10.1 sport=32771 dport=53 src=192.168.10.1 dst=192.168.10.1 sport=53 dport=32771 [ASSURED] use=1
udp      17 70 src=168.100.199.154 dst=192.43.244.18 sport=123 dport=123 src=192.43.244.18 dst=168.100.199.154 sport=123 dport=123 [ASSURED] use=1
## named.custom - custom configuration for bind
#
# Any changes not currently supported by redhat-config-bind should be put 
# in this file.
#
view "internal" {
	match-clients { 192.168.10.0/24; };
	recursion yes;
	zone "." in {
		type hint;
		file "named.ca";
	};
	zone  "0.0.127.in-addr.arpa" { 
		type master; 
		file  "0.0.127.in-addr.arpa.zone"; 
	};
	zone  "localhost" { 
		type master; 
		file  "localhost.zone"; 
	};
	zone "paslists.com" in {
		type master;
		notify no;
		allow-update { none; };
		file "paslists.com.zone.int";
	};
	zone "10.168.192.in-addr.arpa" {
		type master;
		notify no;
		allow-update { none; };
		file "paslists.com.rev.int";
	};
};
view "external" {
	match-clients { any; };
	recursion no;
	zone  "." { 
		type hint; 
		file  "named.ca";
	};
	zone  "0.0.127.in-addr.arpa" { 
		type master; 
		file  "0.0.127.in-addr.arpa.zone"; 
	};
	zone  "localhost" { 
		type master; 
		file  "localhost.zone"; 
	};
	zone "paslists.com" in {
		type master;
		notify yes;
		allow-update { none; };
		file "paslists.com.zone";
	};
	zone "199.100.168.in-addr.arpa" {
		type master;
		notify no;
		allow-update { none; };
		file "paslists.com.rev";
	};
};
Tom Eastep
2003-Mar-25  17:38 UTC
[Shorewall-users] DNAT not working after changing BIND to use views
On Tue, 25 Mar 2003, Eric Raskin wrote:

> Hello all:
>
> I've got a confusing issue.  I had a working shorewall configuration
> (based on the two interface model) using DNAT for redirection to my HTTP
> server.  The HTTP server is on my inside network (I know - bad juju, but
> one thing at a time).  I changed my configuration this morning to use
> views in my BIND (named) configuration.  Everyone outside the firewall
> is able to get in fine.  Everyone inside the firewall is able to browse
> the Internet just fine.  The only thing that broke is my internal net to
> internal HTTP server DNAT.  I can't figure out what has gone wrong.  I
> need the port redirection capability of DNAT inside my network, so I've
> set my www.paslists.com <http://www.paslists.com/> to be the firewall's
> internal interface, rather than pointing it directly at the HTTP server.
> I've also tried pointing my www.paslists.com <http://www.paslists.com/>
> directly at the HTTP server, but that doesn't work either.  To finish
> the picture for you, my HTTP server has a rewrite rule that issues a
> redirect from http://www.paslists.com <http://www.paslists.com/> to
> http://www.paslists.com/pas/.  This is needed for my J2EE objects in my
> web site.  Again, this all worked before I changed my BIND
> configuration, but I can't seem to figure out what broke.
>

Let me make sure that I am clear on what happened here --

a) Your system worked.
b) You changed your BIND configuration.
c) Your system doesn't work.
d) It must be a Shorewall problem so you post on the Shorewall list.

Do I have that right?

I truly hope that someone on the list helps you. But in the meantime, you
might drag out tcpdump or ethereal and see what is going on at L2 - L4
level...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Mar-25  17:46 UTC
[Shorewall-users] DNAT not working after changing BIND to use views
> I truly hope that someone on the list helps you. But in the meantime,
> you might drag out tcpdump or ethereal and see what is going on at L2 - L4
> level...
>

Oh -- and use the "-n" option so that your mis-configured BIND doesn't
parrot bad information back to you to be placed in the trace file.

(read: the tcpdump in your original post was worthless)

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Mar-25  18:04 UTC
[Shorewall-users] DNAT not working after changing BIND to use views
On Tue, 25 Mar 2003, Tom Eastep wrote:

> > I truly hope that someone on the list helps you. But in the meantime,
> > you might drag out tcpdump or ethereal and see what is going on at L2 - L4
> > level...
> >
>
> Oh -- and use the "-n" option so that your mis-configured BIND doesn't
> parrot bad information back to you to be placed in the trace file.
>
> (read: the tcpdump in your original post was worthless)
>

And I suspect that you will find that:

a) Your DNAT rule has the external firewall IP address as the ORIGINAL DEST.
b) From your internal net, 'fw' resolves to the address of the internal
   interface.
c) You don't have a web server running on the firewall so the "telnet fw 80"
   gets a "connection refused" and Shorewall logs nothing...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Cowles, Steve
2003-Mar-26  04:14 UTC
[Shorewall-users] DNAT not working after changing BIND to use views
> -----Original Message-----
> From: Eric Raskin
> Sent: Tuesday, March 25, 2003 7:12 PM
> Subject: [Shorewall-users] DNAT not working after changing BIND to use
> views
>
> Hello all:
>
> I've got a confusing issue.  I had a working shorewall configuration
> (based on the two interface model) using DNAT for redirection
> to my HTTP server.  The HTTP server is on my inside network (I know -
> bad juju, but one thing at a time).

I've been running on one public IP for years without a problem. But then
the applications I run (dns/http/ftp/smtp) do not have problems running
masq'd.

> I changed my configuration this morning to use views in my BIND
> (named) configuration.  Everyone outside the firewall is able
> to get in fine.  Everyone inside the firewall is able to browse
> the Internet just fine.  The only thing that broke is my internal
> net to internal HTTP server DNAT.  I can't figure out what has
> gone wrong.  I need the port redirection capability of DNAT inside
> my network, so I've set my www.paslists.com
> <http://www.paslists.com/> to be the firewall's internal interface,
> rather than pointing it directly at the HTTP server.

Why are you pointing it to the internal interface?

> I've also tried pointing my www.paslists.com
> <http://www.paslists.com/> directly at the HTTP server, but that
> doesn't work either.  To finish the picture for you, my HTTP server
> has a rewrite rule that issues a redirect from http://www.paslists.com
> <http://www.paslists.com/> to http://www.paslists.com/pas/.  This is
> needed for my J2EE objects in my web site.  Again, this all worked
> before I changed my BIND configuration, but I can't seem to figure
> out what broke.
>

Since I'm not an apache expert, I'm not going to question your reason for
still requiring DNAT, but based on what I've read... it seems like you're
negating the primary reason for implementing BIND views.

FWIW: I run multiview BIND at this end (best feature ISC ever implemented);
but I point my internal www address directly to my apache server, not the
firewall. DNAT'ing internal www requests seemed like a waste of firewall
resources. Also, when I implemented multiview bind, I had to make the
appropriate changes to apache's name based virtual hosting parameters, i.e.
move some of the "global" parameters within the virtual host definitions.

Steve Cowles
Tom Eastep
2003-Mar-26  06:31 UTC
[Shorewall-users] DNAT not working after changing BIND to use views
On Wed, 26 Mar 2003, Cowles, Steve wrote:

> > <http://www.paslists.com/> to be the firewall's internal interface,
> > rather than pointing it directly at the HTTP server.
>
> Why are you pointing it to the internal interface?
>
> > I've also tried pointing my www.paslists.com
> > <http://www.paslists.com/> directly at the HTTP server, but that
> > doesn't work either.  To finish the picture for you, my HTTP server
> > has a rewrite rule that issues a redirect from http://www.paslists.com
> > <http://www.paslists.com/> to http://www.paslists.com/pas/.  This is
> > needed for my J2EE objects in my web site.  Again, this all worked
> > before I changed my BIND configuration, but I can't seem to figure
> > out what broke.
> >
>
> Since I'm not an apache expert, I'm not going to question your reason for
> still requiring DNAT, but based on what I've read... it seems like you're
> negating the primary reason for implementing BIND views.
>

I was going to make that point this morning myself. It seems silly to
implement views then continue to use DNAT. But if you must, your DNAT rule
needs to change accordingly to use your internal interface IP address in
the ORIGINAL DESTINATION column.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Eric Raskin
2003-Mar-26  06:57 UTC
[Shorewall-users] DNAT not working after changing BIND to use views
> Why are you pointing it to the internal interface?
>
> > I've also tried pointing my www.paslists.com
> > <http://www.paslists.com/> directly at the HTTP server, but that
> > doesn't work either.  To finish the picture for you, my HTTP server
> > has a rewrite rule that issues a redirect from http://www.paslists.com
> > <http://www.paslists.com/> to http://www.paslists.com/pas/.  This is
> > needed for my J2EE objects in my web site.  Again, this all worked
> > before I changed my BIND configuration, but I can't seem to figure
> > out what broke.
> >
>
> Since I'm not an apache expert, I'm not going to question your reason for
> still requiring DNAT, but based on what I've read... it seems like you're
> negating the primary reason for implementing BIND views.
>

Thanks for the help, everyone.  You were absolutely correct.  I needed to
change my DNAT rules from my external IP to my internal IP.

If anyone is interested in the ugly details of my J2EE problems, feel free
to contact me directly.  It's a bit off-topic...
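The failure Tom diagnoses and the fix Eric confirms, as an added example (not code from the thread, from Shorewall or from iptables): a small Python model of the loc_dnat chain from the posted status output, using the addresses from the post. The view-to-address mapping, the listener sets and the reduced nat-then-deliver packet walk are assumptions of this example.

```python
"""Why the loc->loc DNAT in this thread stopped matching once BIND views sent
internal clients to the firewall's internal address.

Added example, not code from the thread, from Shorewall or from iptables.
Addresses and rule contents come from the posted 'shorewall status' output;
the packet walk is a deliberately reduced model of the netfilter
nat PREROUTING -> filter path (an assumption of this example)."""
from __future__ import annotations

from dataclasses import dataclass, replace

# Addresses from the posted status output.
EXT_IP = "168.100.199.154"   # firewall external (eth0) address
INT_IP = "192.168.10.1"      # firewall internal (eth1) address
WEB_IP = "192.168.10.4"      # internal HTTP server
CLIENT = "192.168.10.101"    # an internal client (seen in the conntrack lines)

# What www.paslists.com resolves to per BIND view (constructed: the zone files
# are not in the thread, but the poster says the internal view points the
# name at the firewall's internal interface).
VIEWS = {"internal": INT_IP, "external": EXT_IP}


@dataclass(frozen=True)
class DnatRule:
    """One row of the loc_dnat chain: match on dst/dport, rewrite dst."""
    orig_dest: str   # Shorewall ORIGINAL DEST column
    dport: int
    to: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# loc_dnat as posted: ORIGINAL DEST is the external address.
BEFORE_CHAIN = [DnatRule(EXT_IP, p, WEB_IP) for p in (80, 443, 4460, 7778)]
# loc_dnat after the fix: ORIGINAL DEST is the internal interface address.
AFTER_CHAIN = [DnatRule(INT_IP, p, WEB_IP) for p in (80, 443, 4460, 7778)]
# Rules-file rows these chains correspond to, in the ACTION SOURCE DEST PROTO
# DEST PORT SOURCE PORT ORIGINAL DEST layout of the Shorewall 1.x docs
# (assumed from that era; check the rules file format of your version):
#   DNAT  loc  loc:192.168.10.4  tcp  80  -  168.100.199.154   # as posted
#   DNAT  loc  loc:192.168.10.4  tcp  80  -  192.168.10.1      # after the fix

# Who listens where (constructed; the conntrack lines show ssh and DNS on
# the firewall's internal address, and nothing listens there on port 80).
LISTENERS = {INT_IP: {22, 53}, WEB_IP: {80, 443, 4460, 7778}}


def apply_dnat(pkt: Packet, chain: list[DnatRule]) -> Packet:
    """First matching rule wins, as in the nat PREROUTING loc_dnat chain."""
    for rule in chain:
        if pkt.dst == rule.orig_dest and pkt.dport == rule.dport:
            return replace(pkt, dst=rule.to)
    return pkt


def deliver(pkt: Packet, listeners: dict[str, set[int]]) -> str:
    """Outcome after nat. In the posted filter table both loc2fw and loc2loc
    ACCEPT dpt:80, so 'connection refused' can only come from an ACCEPTed SYN
    reaching an address with no listener: the kernel answers with a TCP RST
    and Shorewall, having accepted the packet, logs nothing."""
    if pkt.dport in listeners.get(pkt.dst, set()):
        return f"{pkt.dst}:{pkt.dport} accepted"
    return f"{pkt.dst}:{pkt.dport} refused (RST from kernel, no Shorewall log)"


def walk(view: str, chain: list[DnatRule], port: int = 80) -> str:
    """Resolve www.paslists.com in the given view, run the packet through the
    given loc_dnat chain, then deliver it."""
    pkt = Packet(CLIENT, VIEWS[view], port)
    return deliver(apply_dnat(pkt, chain), LISTENERS)


if __name__ == "__main__":
    # Before views every client got the external address, so the posted
    # chain matched; with views the internal client gets INT_IP and misses.
    print("no views, posted rule :", walk("external", BEFORE_CHAIN))
    print("views, posted rule    :", walk("internal", BEFORE_CHAIN))
    print("views, corrected rule :", walk("internal", AFTER_CHAIN))
```

The middle case reproduces the thread's symptom: the loc_dnat counter increments (the packet entered the chain) while every DNAT row stays at zero, and the refusal comes from the firewall's own TCP stack rather than from a Shorewall REJECT, which is why nothing was logged.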
Eric Raskin
2003-Mar-26  07:02 UTC
[Shorewall-users] DNAT not working after changing BIND to use views
> FWIW: I run multiview BIND at this end (best feature ISC ever implemented);
> but I point my internal www address directly to my apache server, not the
> firewall. DNAT'ing internal www requests seemed like a waste of firewall
> resources. Also, when I implemented multiview bind, I had to make the
> appropriate changes to apache's name based virtual hosting parameters, i.e.
> move some of the "global" parameters within the virtual host definitions.
> Steve Cowles

Steve:

I'll have to look into this.  You may have hit why my direct access to the
web server from my LAN isn't working.  Thanks!

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm