Jayel
2003-Apr-15 21:34 UTC
[Shorewall-users] repost (passive FTP server in DMZ and shorewall 1.4.2)
I apologize for the first message. :)

---------------------------------------

I have an FTP server running in the DMZ section of my home network. It uses port 23000 for connection and ports 19990 to 19994 for data transfer. I have set up the following rule for outside people to connect to it:

DNAT net dmz:192.168.2.2 tcp 23000

I'm at work right now and I can't use passive connection to it. I can't get a directory listing. Active connections work.

I have set up my /etc/shorewall/modules and /etc/modules.conf according to the FTP section of this page http://shorewall.sourceforge.net/ports.htm

Here's the contents of /etc/shorewall/modules
-------------
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp ports=21,23000
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp ports=21,23000
loadmodule ip_nat_irc
---------------

Here's the contents of /etc/modules.conf
-------------
alias eth2 3c59x
alias eth1 3c59x
alias eth0 3c59x
options ip_conntrack_ftp ports=21,23000
options ip_nat_ftp ports=21,23000
----------

I searched the mailing list and found these 2 threads
1. http://lists.shorewall.net/pipermail/shorewall-users/2003-February/005291.html
2. http://lists.shorewall.net/pipermail/shorewall-users/2002-December/003879.html
--------------------

In the 1st link, Tom mentioned "FTP tracking/NAT" and "ALLOWRELATED". I checked what modules are being loaded and found these:
ip_conntrack_irc 4400 1 [ip_nat_irc]
ip_conntrack_ftp 5424 2 [ip_nat_ftp]
ip_conntrack 29920 5 [ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]

In regards to "ALLOWRELATED", I had a look at shorewall.conf and I can't find an entry for it. Tom mentioned that "ALLOWRELATED" must be set to "Yes". So I created a new entry "ALLOWRELATED" and set its value to "Yes".
----------------------

In the 2nd link, Tom mentioned port 113. The only rule that uses port 113 (auth) in my setup is this:
ACCEPT $_Local net udp auth #ident
I used ident for it, as this website (http://www.practicallynetworked.com/) mentioned that it's needed for IRC ident.
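The post above hinges on what ip_conntrack_ftp / ip_nat_ftp do once they are told about port 23000: the helper reads the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply on the tracked control session, registers an expectation so that the client's data SYN is classified RELATED instead of NEW, and (ip_nat_ftp) rewrites a private DMZ address in that reply to the firewall's public one. The model below is an added example, not code from Jayel's post or from Shorewall. The `Firewall` class, the `open_ranges` field and the four outcome names are this example's own assumptions; the addresses and ports are the ones quoted in the thread.

```python
"""Passive FTP through a NAT firewall: what the netfilter FTP helper buys you.

Added example, not code from the thread or from Shorewall.  It models the
fate of a client's data connection after a PASV exchange on a non-standard
control port (23000 in the thread), with and without ip_conntrack_ftp /
ip_nat_ftp loaded with that port in their ports= list.  The Firewall class
and every outcome name below are this example's own assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# RFC 959 form of the reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return the (address, port) a 227 reply tells the client to connect to."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv(addr: str, port: int) -> str:
    """Build the 227 reply a server emits for addr:port (inverse of parse_pasv)."""
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    return f"227 Entering Passive Mode ({addr.replace('.', ',')},{port // 256},{port % 256})"


@dataclass(frozen=True)
class Firewall:
    """Assumed shape of the thread's setup: DMZ server reached via DNAT + masquerade."""
    public_ip: str
    dmz_ip: str
    helper_ports: frozenset[int]              # the ports= list given to ip_conntrack_ftp / ip_nat_ftp
    open_ranges: tuple[tuple[int, int], ...]  # explicit rules admitting NEW tcp to dmz_ip on these ports


def data_connection_outcome(fw: Firewall, client_ip: str, control_port: int,
                            reply: str) -> tuple[str, str, int]:
    """Classify the client's data SYN after it reads the 227 reply.

    Returns (outcome, address the client will try, port):
      RELATED       the helper saw the 227 on a tracked control session,
                    registered an expectation for the data connection, and
                    ip_nat_ftp rewrote a private DMZ address to the public
                    one; no explicit data-port rules are needed
      UNREACHABLE   no helper for this control port and the server advertised
                    its private address to an internet client
      NEW/ACCEPTED  no helper, but an explicit rule admits the data port
      DROPPED       no helper and nothing admits the data port
    """
    addr, port = parse_pasv(reply)
    client_external = ipaddress.ip_address(client_ip).is_global
    if control_port in fw.helper_ports:
        seen = fw.public_ip if client_external and addr == fw.dmz_ip else addr
        return "RELATED", seen, port
    if client_external and ipaddress.ip_address(addr).is_private:
        return "UNREACHABLE", addr, port
    if any(lo <= port <= hi for lo, hi in fw.open_ranges):
        return "NEW/ACCEPTED", addr, port
    return "DROPPED", addr, port


if __name__ == "__main__":
    # What a DMZ server with no special PASV-address setting advertises.
    reply = format_pasv("192.168.2.2", 19996)
    with_helper = Firewall("202.45.118.1", "192.168.2.2", frozenset({21, 23000}), ((19990, 19999),))
    without = Firewall("202.45.118.1", "192.168.2.2", frozenset({21}), ((19990, 19999),))
    for fw, client in ((with_helper, "202.45.118.25"), (without, "202.45.118.25"), (without, "192.168.1.2")):
        print(client, "->", data_connection_outcome(fw, client, 23000, reply))
```

The three cases in the `__main__` block are the ones worth keeping apart when debugging: with the helper covering the control port the data connection is RELATED and needs no port-range rules; without it a LAN client still succeeds through an explicit loc-to-dmz rule because 192.168.2.2 is routable from the LAN, while an internet client is handed a private address it cannot reach. The helper only works because the 227 reply is cleartext; once the control channel is encrypted (AUTH TLS) the server must advertise its public address itself and the passive range has to be opened with explicit DNAT rules.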
Tom Eastep
2003-Apr-16 06:45 UTC
[Shorewall-users] repost (passive FTP server in DMZ and shorewall 1.4.2)
On Wed, 16 Apr 2003, Jayel wrote:

> I apologize for the first message. :)
> ---------------------------------------
>
> I have an FTP server running in the DMZ section of my home network. It uses port 23000 for connection and ports 19990 to 19994 for data transfer.
> I have set up the following rule for outside people to connect to it:
> DNAT net dmz:192.168.2.2 tcp 23000
>
> I'm at work right now and I can't use passive connection to it. I can't
> get a directory listing. Active connections work.
>
> I have set up my /etc/shorewall/modules and /etc/modules.conf according
> to the FTP section of this page http://shorewall.sourceforge.net/ports.htm

And did you unload and reload the modules whose definition you changed?

> I searched the mailing list and found these 2 threads
>
> In the 1st link, Tom mentioned "FTP tracking/NAT" and "ALLOWRELATED". I
> checked what modules are being loaded and found these:
> ip_conntrack_irc 4400 1 [ip_nat_irc]
> ip_conntrack_ftp 5424 2 [ip_nat_ftp]
> ip_conntrack 29920 5 [ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
>
> In regards to "ALLOWRELATED", I had a look at shorewall.conf and I
> can't find an entry for it. Tom mentioned that "ALLOWRELATED" must be set
> to "Yes". So I created a new entry "ALLOWRELATED" and set its value to
> "Yes".

Totally unnecessary -- ALLOWRELATED was removed from Shorewall in 1.4.0.

> ----------------------
> In the 2nd link, Tom mentioned port 113.

If you had a port 113 problem, you wouldn't have been able to connect in the first place.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Jayel
2003-Apr-16 08:36 UTC
[Shorewall-users] repost (passive FTP server in DMZ and shorewall 1.4.2)
I have rebooted the machine thrice, probably more, since I edited /etc/modules.conf and /etc/shorewall/modules. I still can't use passive.

I dunno if this is relevant but here is my /etc/shorewall/policy
------
loc net DROP
fw net DROP
dmz net DROP
net all DROP info
all all DROP info
-------------

I have removed "ALLOWRELATED" from my shorewall.conf.

Thanks for the replies.

Jayel
Tom Eastep
2003-Apr-16 08:38 UTC
[Shorewall-users] repost (passive FTP server in DMZ and shorewall 1.4.2)
On Wed, 16 Apr 2003, Jayel wrote:

> I have rebooted the machine thrice, probably more, since I edited /etc/modules.conf and /etc/shorewall/modules. I still can't use passive.
>
> I dunno if this is relevant but here is my /etc/shorewall/policy
> ------
> loc net DROP

Boy -- that's unfriendly to your local users...

> fw net DROP
> dmz net DROP
> net all DROP info
> all all DROP info
> -------------
>
> I have removed "ALLOWRELATED" from my shorewall.conf.
>

Please submit the information described for "Connection problems" at http://www.shorewall.net/support.htm.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Apr-16 15:47 UTC
[Shorewall-users] repost (passive FTP server in DMZ and shorewall 1.4.2)
On Wed, 16 Apr 2003, Tom Eastep wrote:

> Please submit the information described for "Connection problems" at
> http://www.shorewall.net/support.htm.
>

Another strategy is to run tcpdump (with the "-w" and "-s 2048" options) while you are trying a passive connection, then use Ethereal to digest the tracefile. When we did that recently on a similar problem, we discovered that the user's FTP server was broken.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Chris Petersen
2003-Apr-16 19:37 UTC
[Shorewall-users] repost (passive FTP server in DMZ and shorewall 1.4.2)
> I have an FTP server running in the DMZ section of my home network. It uses port 23000 for connection and ports 19990 to 19994 for data transfer.
> I have set up the following rule for outside people to connect to it:
> DNAT net dmz:192.168.2.2 tcp 23000

I ran into this same issue on my machine. SOME people could connect via passive when the port was non-standard, but others couldn't. As best as I can figure, *I* had my configuration working fine, but if I was connecting to my machine from behind another firewall, it had issues, probably related to that ip_conntrack_ftp option (or whatever it links to, since I know that the firewall machine at work is just running some basic ipchains rules).

-Chris
Jayel
2003-Apr-23 04:31 UTC
[Shorewall-users] repost (passive FTP server in DMZ and shorewall 1.4.2)
cut and paste from putty window
-------------------
[root@nynaeve nynaeve]# shorewall version
1.4.2
========
[root@nynaeve nynaeve]# uname -a
Linux nynaeve.wot.local 2.4.21-0.13mdksecure #1 SMP Fri Mar 14 14:10:36 EST 2003 i686 unknown unknown GNU/Linux
==============
[root@nynaeve nynaeve]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:5a:7a:84:90 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.10/8 brd 10.255.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:66:85:75 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:67:6c:f7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth2
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 202.45.118.1 peer 203.17.101.70/32 scope global ppp0
=====================
[root@nynaeve nynaeve]# ip route show
203.17.101.70 dev ppp0 proto kernel scope link src 202.45.118.1
192.168.2.0/24 dev eth2 scope link
192.168.1.0/24 dev eth1 scope link
10.0.0.0/8 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 203.17.101.70 dev ppp0
====================
[root@nynaeve nynaeve]# /sbin/lsmod
Module                  Size  Used by    Not tainted
ppp_synctty             8000   0  (unused)
ppp_async               9632   1  (autoclean)
ppp_generic            27168   3  (autoclean) [ppp_synctty ppp_async]
slhc                    6668   0  (autoclean) [ppp_generic]
ipt_TOS                 1592  12  (autoclean)
ipt_MASQUERADE          2200   2  (autoclean)
ipt_unclean             7416   2  (autoclean)
ipt_LOG                 4376   7  (autoclean)
ipt_REJECT              3640   6  (autoclean)
ipt_state               1112  81  (autoclean)
iptable_mangle          2712   1  (autoclean)
ip_nat_irc              3408   0  (unused)
ip_nat_ftp              4208   0  (unused)
iptable_nat            22328   4  [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack_irc        4400   1  [ip_nat_irc]
ip_conntrack_ftp        5424   2  [ip_nat_ftp]
ip_conntrack           29920   5  [ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
iptable_filter          2348   1  (autoclean)
ip_tables              15480  11  [ipt_TOS ipt_MASQUERADE ipt_unclean ipt_LOG ipt_REJECT ipt_state iptable_mangle iptable_nat iptable_filter]
af_packet              16360   3  (autoclean)
ide-cd                 33888   0  (autoclean)
cdrom                  31808   0  (autoclean) [ide-cd]
floppy                 55868   0
3c59x                  30256   3  (autoclean)
supermount             15552   2  (autoclean)
rtc                     8892   0  (autoclean)
ext3                   62636   2
jbd                    42600   2  [ext3]
------------------

I have the following rules in my shorewall:
############################
# Gives local access to FTP servers in DMZ
ACCEPT $_Local $_DMZ tcp 23000
ACCEPT $_Local $_DMZ tcp 19990:19994

With this, I am able to use passive from my LAN. If I remove the 2nd accept line, PASV won't work any more. Active still works.

I did not install the shorewall that came with MDK. I downloaded the RPM from the website and installed that instead.

I have attached the status of my shorewall.

Thank you.

Jayel

--- On Wed 04/16, Tom Eastep < teastep@shorewall.net > wrote:
Please submit the information described for "Connection problems" at http://www.shorewall.net/support.htm
-------------- next part --------------
Shorewall-1.4.2 Status at nynaeve.wot.local - Wed Apr 23 20:40:42 CST 2003

Counters reset Tue Apr 22 02:01:46 CST 2003

Chain INPUT (policy DROP 2 packets, 96 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 4690  355K ppp0_in    all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
10292  616K eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
   19  1002 eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:INPUT:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 1 packets, 1452 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
2452K 2015M ppp0_fwd   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
2781K 1156M eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
5358K 3259M eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:FORWARD:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 3 packets, 96 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
 2415  154K fw2net     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
15323  794K fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
 5125  168K fw2dmz     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
 5118  164K common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 5118  164K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:OUTPUT:DROP:'
 5118  164K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
10313  334K common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   65  5270 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:all2all:DROP:'
   65  5270 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain badpkt (2 references)
 pkts bytes target     prot opt in     out     source               destination
    2  2764 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 6 level 6 prefix `Shorewall:badpkt:DROP:'
    2   112 LOG        !tcp --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 4 level 6 prefix `Shorewall:badpkt:DROP:'
    4  2876 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain blacklst (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain common (8 references)
 pkts bytes target     prot opt in     out     source               destination
    5  2390 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   96  7488 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:445 reject-with icmp-port-unreachable
    4   184 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:139 reject-with icmp-port-unreachable
   68  3276 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:445 reject-with icmp-port-unreachable
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
   23  1404 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:113
    6   390 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:53 state NEW
 5118  164K DROP       all  --  *      *       0.0.0.0/0            192.168.1.255
 5118  164K DROP       all  --  *      *       0.0.0.0/0            192.168.2.255

Chain dmz2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     icmp --  *      *       192.168.2.0/24       0.0.0.0/0          icmp type 8
   19  1002 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dmz2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
3029K 2211M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     icmp --  *      *       192.168.2.0/24       192.168.1.0/24     icmp type 8
   41  1968 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dmz2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
2326K 1047M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
   56  2322 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     icmp --  *      *       192.168.2.0/24       0.0.0.0/0          icmp type 8
    0     0 ACCEPT     tcp  --  *      *       192.168.2.0/24       0.0.0.0/0          state NEW tcp dpt:53
  435 29782 ACCEPT     udp  --  *      *       192.168.2.0/24       0.0.0.0/0          state NEW udp dpt:53
  471 22608 ACCEPT     tcp  --  *      *       192.168.2.0/24       0.0.0.0/0          state NEW tcp dpt:80
    5   240 ACCEPT     tcp  --  *      *       192.168.2.0/24       0.0.0.0/0          state NEW tcp dpt:443
  378 18144 ACCEPT     tcp  --  *      *       192.168.2.0/24       0.0.0.0/0          state NEW tcp dpts:6661:6669
    0     0 ACCEPT     tcp  --  *      *       192.168.2.0/24       0.0.0.0/0          state NEW tcp dpts:7000:7002
  527 25296 ACCEPT     tcp  --  *      *       192.168.2.2          0.0.0.0/0          state NEW tcp dpt:21
  633 30384 ACCEPT     tcp  --  *      *       192.168.2.2          0.0.0.0/0          state NEW tcp dpts:1025:65535
    0     0 ACCEPT     tcp  --  *      *       192.168.2.0/24       0.0.0.0/0          state NEW tcp dpt:4661
   48  2304 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   48  2304 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
2781K 1156M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
17030 1594K loc2net    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
2764K 1154M loc2dmz    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
10292  616K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
10292  616K loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth2_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
5358K 3259M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
2329K 1047M dmz2net    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
3029K 2211M dmz2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth2_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   19  1002 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   19  1002 dmz2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3  1728 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.2        state NEW tcp dpt:5901
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.3        state NEW tcp dpt:5902
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.2.0/24     icmp type 8
 5122  166K all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
10204  630K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.2        state NEW tcp dpt:5900
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.1.0/24     icmp type 8
 5119  164K all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
  213 20363 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:53
  324 20776 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:21
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8
 1878  113K common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1878  113K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain loc2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
2762K 1154M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
  446 26760 ACCEPT     icmp --  *      *       192.168.1.0/24       0.0.0.0/0          icmp type 8
   21  1008 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.2.0/24     state NEW tcp dpt:23000
 1091 52368 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.2.0/24     state NEW tcp dpts:19990:19994
   42  2016 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.2.0/24     state NEW tcp dpts:5900:5910
    3   144 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  322 17296 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
 9960  598K ACCEPT     icmp --  *      *       192.168.1.0/24       0.0.0.0/0          icmp type 8
    1    48 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpt:22
    9   702 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
15944 1540K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
   30  1326 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    5   300 ACCEPT     icmp --  *      *       192.168.1.0/24       0.0.0.0/0          icmp type 8
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpt:53
  132  8365 ACCEPT     udp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW udp dpt:53
   11   528 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpt:22
  856 41088 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpt:80
   10   480 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpt:443
    2    96 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpts:6661:6669
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpts:7000:7002
    0     0 ACCEPT     udp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW udp dpt:113
   19   912 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpt:1863
    0     0 ACCEPT     udp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW udp dpt:1863
    0     0 ACCEPT     udp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW udp dpt:5190
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpts:6891:6900
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpt:6901
    0     0 ACCEPT     udp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW udp dpt:6901
   10   480 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpt:6301
    0     0 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpt:119
    0     0 ACCEPT     udp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW udp dpt:119
    7   336 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpt:5190
    3   144 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0          state NEW tcp dpts:5900:5910
    1    48 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    48 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
 4137  213K common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3952  201K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
 3952  201K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
2432K 1995M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    1    40 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
   43  2152 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.2        state NEW tcp dpt:23000
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.2        state NEW tcp dpt:59
   98  4756 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.2        state NEW tcp dpts:19995:19999
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.0/24     state NEW tcp dpt:6060
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.2.0/24     state NEW tcp dpt:3333
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.2        state NEW udp dpt:4662
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.2.2        state NEW udp dpt:4672
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.2.0/24     icmp type 8
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  328 80007 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
  208 60468 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22
   15   996 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8
 4137  213K net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
20550   20M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.1.0/24     icmp type 8
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain newnotsyn (14 references)
 pkts bytes target     prot opt in     out     source               destination
  295 64156 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ppp0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
2452K 2015M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    4  2876 badpkt     all  --  *      *       0.0.0.0/0            0.0.0.0/0          unclean
2452K 2015M blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0
20550   20M net2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
2432K 1995M net2dmz    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain ppp0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 4690  355K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 badpkt     all  --  *      *       0.0.0.0/0            0.0.0.0/0          unclean
 4690  355K blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0
 4690  355K net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (2 references)
 pkts bytes target     prot opt in     out     source               destination
   23  1404 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Apr 23 20:31:00 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=55426 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:31:30 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=47282 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:32:00 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=45975 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:32:30 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=23343 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:33:00 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=13015 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:33:30 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=10766 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:34:00 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=23584 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:34:30 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=27037 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:35:00 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=4698 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:35:30 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=32315 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:36:00 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=40263 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:36:30 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=61754 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:37:00 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=49574 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:37:30 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=52434 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:38:00 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=57492 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:38:30 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=36311 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:39:00 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=5502 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:39:30 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=29522 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:40:00 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=21714 DF PROTO=UDP SPT=520 DPT=520 LEN=12
Apr 23 20:40:30 OUTPUT:DROP:IN= OUT=eth0 SRC=10.0.0.10 DST=10.255.255.255 LEN=32 TOS=0x00 PREC=0x00 TTL=64 ID=8440 DF PROTO=UDP SPT=520 DPT=520 LEN=12

NAT Table

Chain PREROUTING (policy ACCEPT 46974 packets, 2575K bytes)
 pkts bytes target     prot opt in     out     source               destination
 4504  282K net_dnat   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 4871 packets, 255K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3695  192K ppp0_masq  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 51209 packets, 1823K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
   44  2192 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:23000 to:192.168.2.2
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:59 to:192.168.2.2
   98  4756 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpts:19995:19999 to:192.168.2.2

Chain ppp0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1013 50241 MASQUERADE all  --  *      *       192.168.1.0/24       0.0.0.0/0
 2337  120K MASQUERADE all  --  *      *       192.168.2.0/24       0.0.0.0/0

Mangle Table

Chain PREROUTING (policy ACCEPT 31M packets, 21G bytes)
 pkts bytes target     prot opt in     out     source               destination
  11M 6431M pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 29345 packets, 1934K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 31M packets, 21G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 63880 packets, 2698K bytes)
 pkts bytes target     prot opt in     out     source               destination
27982 1279K outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 31M packets, 21G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
  249 32365 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
  334 17896 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
 1424 68042 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
 1232 76463 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
  554 94754 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
  441 18528 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08

tcp 6 78389 ESTABLISHED src=65.49.122.185 dst=202.45.118.1 sport=2898 dport=19996 src=192.168.2.2 dst=65.49.122.185 sport=19996 dport=2898 [ASSURED] use=1
tcp 6 429153 ESTABLISHED src=192.168.2.2 dst=202.45.118.25 sport=1800 dport=3749 src=202.45.118.25 dst=202.45.118.1 sport=3748 dport=1800 [ASSURED] use=1
tcp 6 397282 ESTABLISHED src=203.125.5.21 dst=202.45.118.1 sport=1082 dport=19999 src=192.168.2.2 dst=203.125.5.21 sport=19999 dport=1082 [ASSURED] use=1
tcp 6 431989 ESTABLISHED src=192.168.2.2 dst=128.61.50.168 sport=1520 dport=2121 src=128.61.50.168 dst=202.45.118.1 sport=2121 dport=1520 [ASSURED] use=1
tcp 6 230329 ESTABLISHED src=192.168.2.2 dst=202.45.118.25 sport=3999 dport=3672 src=202.45.118.25 dst=202.45.118.1 sport=3671 dport=3999 [ASSURED] use=1
tcp 6 142777 ESTABLISHED src=148.243.56.41 dst=202.45.118.1 sport=1471 dport=19997 src=192.168.2.2 dst=148.243.56.41 sport=19997 dport=1471 [ASSURED] use=1
udp 17 149 src=192.168.2.2 dst=203.17.103.1 sport=1026 dport=53 src=203.17.103.1 dst=202.45.118.1 sport=53 dport=1026 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=192.168.2.2 dst=66.69.135.156 sport=1654 dport=1337 src=66.69.135.156 dst=202.45.118.1 sport=1337 dport=1654 [ASSURED] use=1
tcp 6 431997 ESTABLISHED src=192.168.2.2 dst=24.72.40.108 sport=1460 dport=6667 src=24.72.40.108 dst=202.45.118.1 sport=6667 dport=1460 [ASSURED] use=1
tcp 6 8805 ESTABLISHED src=141.151.81.222 dst=202.45.118.1 sport=17497 dport=19995 src=192.168.2.2 dst=141.151.81.222 sport=19995 dport=17497 [ASSURED] use=1
tcp 6 430405 ESTABLISHED src=202.45.118.25 dst=202.45.118.1 sport=3108 dport=23000 src=192.168.2.2 dst=202.45.118.25 sport=23000 dport=3108 [ASSURED] use=2
tcp 6 431999 ESTABLISHED src=192.168.2.2 dst=202.45.118.25 sport=2123 dport=3111 src=202.45.118.25 dst=202.45.118.1 sport=3110 dport=2123 [ASSURED] use=1
tcp 6 431982 ESTABLISHED src=192.168.2.2 dst=157.156.254.111 sport=1039 dport=6667 src=157.156.254.111 dst=202.45.118.1 sport=6667 dport=1039 [ASSURED] use=1
tcp 6 431991 ESTABLISHED src=192.168.1.2 dst=192.168.1.1 sport=1684 dport=22 src=192.168.1.1 dst=192.168.1.2 sport=22 dport=1684 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=219.93.220.95 dst=202.45.118.1 sport=1643 dport=19998 src=192.168.2.2 dst=219.93.220.95 sport=19998 dport=1643 [ASSURED] use=1
tcp 6 431968 ESTABLISHED src=192.168.2.2 dst=216.32.207.207 sport=1047 dport=6666 src=216.32.207.207 dst=202.45.118.1 sport=6666 dport=1047 [ASSURED] use=1
tcp 6 37771 ESTABLISHED src=65.49.122.185 dst=202.45.118.1 sport=2370 dport=19995 src=192.168.2.2 dst=65.49.122.185 sport=19995 dport=2370 [ASSURED] use=1
tcp 6 431998 ESTABLISHED src=192.168.2.2 dst=209.131.67.20 sport=1037 dport=6668 src=209.131.67.20 dst=202.45.118.1 sport=6668 dport=1037 [ASSURED] use=1
tcp 6 47 TIME_WAIT src=192.168.2.2 dst=128.61.50.168 sport=2172 dport=38480 src=128.61.50.168 dst=202.45.118.1 sport=38480 dport=2172 [ASSURED] use=1
tcp 6 389393 ESTABLISHED src=192.168.2.2 dst=198.49.161.206 sport=1407 dport=80 src=198.49.161.206 dst=202.45.118.1 sport=80 dport=1407 [ASSURED] use=1
tcp 6 271071 ESTABLISHED src=192.168.1.2 dst=192.168.2.2 sport=1621 dport=5900 src=192.168.2.2 dst=192.168.1.2 sport=5900 dport=1621 [ASSURED] use=1
tcp 6 367034 ESTABLISHED src=192.168.2.2 dst=202.45.118.25 sport=1352 dport=4715 src=202.45.118.25 dst=202.45.118.1 sport=4714 dport=1352 [ASSURED] use=1
tcp 6 63192 ESTABLISHED src=192.168.2.2 dst=202.45.118.25 sport=1167 dport=3809 src=202.45.118.25 dst=202.45.118.1 sport=3808 dport=1167 [ASSURED] use=1
tcp 6 422096 ESTABLISHED src=219.93.218.128 dst=202.45.118.1 sport=1585 dport=19999 src=192.168.2.2 dst=219.93.218.128 sport=19999 dport=1585 [ASSURED] use=1
tcp 6 339532 ESTABLISHED src=192.168.2.2 dst=202.45.118.25 sport=1207 dport=3959 src=202.45.118.25 dst=202.45.118.1 sport=3958 dport=1207 [ASSURED] use=1
tcp 6 82650 ESTABLISHED src=192.168.2.2 dst=202.45.118.25 sport=1465 dport=4613 src=202.45.118.25 dst=202.45.118.1 sport=4612 dport=1465 [ASSURED] use=1
tcp 6 13996 ESTABLISHED src=141.151.81.222 dst=202.45.118.1 sport=17173 dport=19998 src=192.168.2.2 dst=141.151.81.222 sport=19998 dport=17173 [ASSURED] use=1
tcp 6 431971 ESTABLISHED src=192.168.1.2 dst=192.168.2.2 sport=1554 dport=23000 src=192.168.2.2 dst=192.168.1.2 sport=23000 dport=1554 [ASSURED] use=1
tcp 6 396776 ESTABLISHED src=203.125.5.21 dst=202.45.118.1 sport=2967 dport=19996 src=192.168.2.2 dst=203.125.5.21 sport=19996 dport=2967 [ASSURED] use=1
tcp 6 431959 ESTABLISHED src=192.168.1.2 dst=209.10.203.102 sport=1618 dport=6301 src=209.10.203.102 dst=202.45.118.1 sport=6301 dport=1618 [ASSURED] use=1
tcp 6 429219 ESTABLISHED src=202.45.118.25 dst=202.45.118.1 sport=4768 dport=23000
src=192.168.2.2 dst=202.45.118.25 sport=23000 dport=4768 [ASSURED] use=2 tcp 6 29 TIME_WAIT src=192.168.1.2 dst=192.168.2.2 sport=1732 dport=19990 src=192.168.2.2 dst=192.168.1.2 sport=19990 dport=1732 [ASSURED] use=1 tcp 6 90 TIME_WAIT src=192.168.1.2 dst=192.168.2.2 sport=1733 dport=19990 src=192.168.2.2 dst=192.168.1.2 sport=19990 dport=1733 [ASSURED] use=1 tcp 6 367028 ESTABLISHED src=192.168.2.2 dst=128.61.50.168 sport=1351 dport=4078 src=128.61.50.168 dst=202.45.118.1 sport=4078 dport=1351 [ASSURED] use=1 tcp 6 339598 ESTABLISHED src=202.45.118.25 dst=202.45.118.1 sport=4575 dport=23000 src=192.168.2.2 dst=202.45.118.25 sport=23000 dport=4575 [ASSURED] use=2
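Reading a raw ip_conntrack dump like the one above by eye is error-prone, so here is an added example (not part of the thread and not Shorewall's code) that parses kernel 2.4 /proc/net/ip_conntrack lines and reports, for each FTP control and passive-data connection, whether it is DNATed, SNATed or simply routed. The five sample lines are copied from the dump above; the control port 23000 comes from the poster, and the data-port range is assumed to be 19990-19999 because the dump shows data connections up to 19999. The rule applied is the one conntrack itself uses: the second tuple on a line is the reply the kernel expects, and any difference between it and the mirror image of the first tuple is NAT.

```python
"""Parse kernel 2.4 /proc/net/ip_conntrack lines and show which FTP flows are NATed."""
import re
from typing import Dict, List

# Sample entries copied from the ip_conntrack dump posted above (202.45.118.1 is the
# firewall's external address, 192.168.2.2 the DMZ FTP server listening on 23000).
SAMPLE_CONNTRACK = """\
tcp 6 430405 ESTABLISHED src=202.45.118.25 dst=202.45.118.1 sport=3108 dport=23000 src=192.168.2.2 dst=202.45.118.25 sport=23000 dport=3108 [ASSURED] use=2
tcp 6 142777 ESTABLISHED src=148.243.56.41 dst=202.45.118.1 sport=1471 dport=19997 src=192.168.2.2 dst=148.243.56.41 sport=19997 dport=1471 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=192.168.2.2 dst=66.69.135.156 sport=1654 dport=1337 src=66.69.135.156 dst=202.45.118.1 sport=1337 dport=1654 [ASSURED] use=1
tcp 6 29 TIME_WAIT src=192.168.1.2 dst=192.168.2.2 sport=1732 dport=19990 src=192.168.2.2 dst=192.168.1.2 sport=19990 dport=1732 [ASSURED] use=1
udp 17 149 src=192.168.2.2 dst=203.17.103.1 sport=1026 dport=53 src=203.17.103.1 dst=202.45.118.1 sport=53 dport=1026 [ASSURED] use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_entry(line: str) -> Dict:
    """One ip_conntrack line -> dict with the original and reply tuples.

    Each tuple is (src_ip, src_port, dst_ip, dst_port).  The reply tuple is what
    the kernel expects to see coming back; any difference between it and the
    mirrored original tuple is NAT.  TCP lines carry a state word, UDP lines do not."""
    fields = line.split()
    proto = fields[0]
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple: %r" % line)
    (osrc, odst, osp, odp), (rsrc, rdst, rsp, rdp) = tuples
    use = re.search(r"use=(\d+)", line)
    return {
        "proto": proto,
        "timeout": int(fields[2]),
        "state": fields[3] if proto == "tcp" else None,
        "orig": (osrc, int(osp), odst, int(odp)),
        "reply": (rsrc, int(rsp), rdst, int(rdp)),
        "assured": "[ASSURED]" in line,
        "unreplied": "[UNREPLIED]" in line,
        "use": int(use.group(1)) if use else None,
    }


def nat_kind(entry: Dict) -> str:
    """'DNAT', 'SNAT', 'DNAT+SNAT' or 'none', derived from the two tuples."""
    o, r = entry["orig"], entry["reply"]
    dnat = (r[0], r[1]) != (o[2], o[3])  # replies come from somewhere other than the original destination
    snat = (r[2], r[3]) != (o[0], o[1])  # replies go somewhere other than the original source
    if dnat and snat:
        return "DNAT+SNAT"
    if dnat:
        return "DNAT"
    if snat:
        return "SNAT"
    return "none"


def ftp_flows(text: str, control_port: int, data_ports: range) -> List[Dict]:
    """Pick out the FTP control and passive-data connections and how each is NATed."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        if e["proto"] != "tcp":
            continue
        dport = e["orig"][3]
        if dport == control_port:
            role = "control"
        elif dport in data_ports:
            role = "pasv-data"
        else:
            continue
        client_ip, client_port, _, _ = e["orig"]
        server_ip, server_port, _, _ = e["reply"]  # the real server endpoint, after any DNAT
        out.append({"role": role, "nat": nat_kind(e), "state": e["state"],
                    "client": (client_ip, client_port), "server": (server_ip, server_port)})
    return out


if __name__ == "__main__":
    for flow in ftp_flows(SAMPLE_CONNTRACK, 23000, range(19990, 20000)):
        print(flow)
```

Run against the full dump, this separates the Internet clients (control and data connections both DNATed from 202.45.118.1 to 192.168.2.2) from the LAN client 192.168.1.2, whose connections to the DMZ server are routed without any NAT.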
Tom Eastep
2003-Apr-23 07:31 UTC
[Shorewall-users] repost (passive FTP server in DMZ and shorewall 1.4.2)
On Wed, 23 Apr 2003, Jayel wrote:

> With this, I am able to use passive from my LAN. If I remove the 2nd
> accept line, PASV won't work any more. Active still works.
>
> I did not install the shorewall that came with MDK. I downloaded the RPM from the website and installed that instead.
>
> I have attached the status of my shorewall.

There is nothing wrong with your Shorewall setup -- you can either try to diagnose the problem further using tcpdump as I suggested earlier or you can leave the configuration the way that it is.

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Apr-23 11:06 UTC
[Shorewall-users] repost (passive FTP server in DMZ and shorewall 1.4.2)
On Wed, 23 Apr 2003, Tom Eastep wrote:

> On Wed, 23 Apr 2003, Jayel wrote:
>
> > With this, I am able to use passive from my LAN. If I remove the 2nd
> > accept line, PASV won't work any more. Active still works.
> >
> > I did not install the shorewall that came with MDK. I downloaded the RPM from the website and installed that instead.
> >
> > I have attached the status of my shorewall.
>
> There is nothing wrong with your Shorewall setup -- you can either try to
> diagnose the problem further using tcpdump as I suggested earlier or you
> can leave the configuration the way that it is.

Are you perhaps configuring your ftp server to use a particular passive IP address (the firewall's external IP address)? If so, try removing that specification and restarting your server.

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
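Tom's last question turns on how the kernel's FTP connection-tracking helper treats the address inside a PASV reply. The following is an added example, written for this page and not taken from the thread, from Shorewall or from the kernel: it parses RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" replies and models, in simplified form, what the ip_conntrack_ftp/ip_nat_ftp helper does with them. The model encodes the behaviour as I understand it: when the advertised address equals the server's own source address on the control connection, the helper creates an expectation for the data connection and, if the control connection was DNATed, rewrites the payload to the public address; when the server advertises some other address (for instance the firewall's external IP, as Tom asks about), the helper leaves the reply alone and creates no expectation unless it was loaded in "loose" mode, so the data connection is not RELATED and needs its own rule. The addresses (192.168.2.2, 202.45.118.1, 202.45.118.25, 192.168.1.2) and port 19998 are taken from the thread; the function names and the loose flag are this example's own.

```python
"""Model of what the FTP conntrack/NAT helper does with a 227 (PASV) reply."""
import re
from typing import Optional, Tuple

PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Addresses from the thread: DMZ FTP server and the firewall's external address.
SERVER_DMZ = "192.168.2.2"
FW_EXTERNAL = "202.45.118.1"

Expectation = Tuple[str, str, int, str]  # (client, addr client connects to, port, addr delivered to)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """RFC 959 '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (ip, port)."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    port = n[4] * 256 + n[5]
    if port == 0:
        raise ValueError("port 0 in PASV reply")
    return ".".join(map(str, n[:4])), port


def build_pasv(ip: str, port: int) -> str:
    """Inverse of parse_pasv: encode ip:port the way an FTP server does."""
    h = ip.split(".")
    return "227 Entering Passive Mode (%s,%s,%s,%s,%d,%d)" % (
        h[0], h[1], h[2], h[3], port // 256, port % 256)


def helper_handle_pasv(reply: str, server_real_ip: str, server_seen_ip: str,
                       client_ip: str, loose: bool = False
                       ) -> Tuple[str, Optional[Expectation]]:
    """Simplified model (this example's, not kernel code) of the FTP helper.

    server_real_ip - source address of the server's packets on the control connection
    server_seen_ip - address the client connected to; differs from server_real_ip
                     only when the control connection is DNATed
    Returns (reply as forwarded to the client, expectation or None)."""
    adv_ip, port = parse_pasv(reply)
    if adv_ip != server_real_ip:
        # The server advertised an address other than its own.  The helper neither
        # rewrites the payload nor sets up an expectation unless in loose mode, so the
        # data connection will not match RELATED and needs an explicit rule.
        if not loose:
            return reply, None
        return reply, (client_ip, adv_ip, port, adv_ip)
    # Normal case: expect the client to open the advertised port.  If the control
    # connection was DNATed, rewrite the payload so the client connects to the
    # public address, and map that data connection back to the real server.
    if server_seen_ip == server_real_ip:
        return reply, (client_ip, server_real_ip, port, server_real_ip)
    return build_pasv(server_seen_ip, port), (client_ip, server_seen_ip, port, server_real_ip)


def scenario_internet_client() -> Tuple[str, Optional[Expectation]]:
    # Internet client hit 202.45.118.1:23000, DNATed to 192.168.2.2; server advertises itself.
    return helper_handle_pasv(build_pasv(SERVER_DMZ, 19998), SERVER_DMZ, FW_EXTERNAL, "202.45.118.25")


def scenario_lan_client() -> Tuple[str, Optional[Expectation]]:
    # LAN client reaches the DMZ server directly (routed, no NAT); reply passes unchanged.
    return helper_handle_pasv(build_pasv(SERVER_DMZ, 19998), SERVER_DMZ, SERVER_DMZ, "192.168.1.2")


def scenario_server_advertises_external_ip() -> Tuple[str, Optional[Expectation]]:
    # The configuration Tom asks about: the server is told to put the firewall's
    # external address in PASV replies.  The helper ignores it, so no expectation.
    return helper_handle_pasv(build_pasv(FW_EXTERNAL, 19998), SERVER_DMZ, SERVER_DMZ, "192.168.1.2")


if __name__ == "__main__":
    for name, fn in [("internet", scenario_internet_client), ("lan", scenario_lan_client),
                     ("external pasv ip", scenario_server_advertises_external_ip)]:
        print(name, fn())
```

The same call with an Internet client and server_seen_ip set to FW_EXTERNAL gives the same "no expectation" result for the third scenario, which is why a server that hard-codes the external address in PASV replies makes passive data connections depend on an explicit rule for the data ports rather than on the FTP helper.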