thr3ads.net - Shorewall users - [Shorewall-users] multiple subnets [May 2003]

If this information is useful, please help other people find it:
Share via:

Nerijus Baliunas

2003-May-06 09:01 UTC

[Shorewall-users] multiple subnets

Hello,

I have the following working situation (shorewall 1.4.2).

ifconfig:
eth0	inet addr:192.168.56.1  Bcast:192.168.56.255
eth1	inet addr:213.197.143.57  Bcast:213.197.143.59
eth2	inet addr:213.197.143.54  Bcast:213.197.143.55
ppp0	...

interfaces:
mail    eth2    213.197.143.55
dsl     ppp0    detect
loc    eth0    192.168.56.255
dmz     eth1    213.197.143.59

policy:
loc             dmz             ACCEPT

PCs in loc zone can access services in dmz.

Now 3 new subnets 192.168.57.0/24 - 59.0/24 (radio lan) were connected
to the loc lan through 192.168.56.22, which is configured to route to
192.168.56.1.

According to
http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html I changed
interfaces to:
...
-   eth0  192.168.56.255,192.168.57.255,192.168.58.255,192.168.59.255
...

and hosts to:
loc     eth0:192.168.56.0/24
loc     eth0:192.168.57.0/24
loc     eth0:192.168.58.0/24
loc     eth0:192.168.59.0/24

Also entered such commands at the firewall console:
route add -net 192.168.57.0/24 dev eth0 gateway 192.168.56.22
route add -net 192.168.58.0/24 dev eth0 gateway 192.168.56.22
route add -net 192.168.59.0/24 dev eth0 gateway 192.168.56.22

The problem is that PCs from radio link (192.168.58.2 for example) can
ping the firewall, but cannot access dmz. What could be a problem?
I can provide radio lan connection details.

Thanks,
Nerijus

Tom Eastep

2003-May-06 10:29 UTC

head link

[Shorewall-users] multiple subnets

On 06 May 2003 19:00:48 +0300, Nerijus Baliunas 
<nerijus@users.sourceforge.net> wrote:
> Hello,
>
> I have the following working situation (shorewall 1.4.2).
>
> ifconfig:
> eth0	inet addr:192.168.56.1  Bcast:192.168.56.255
> eth1	inet addr:213.197.143.57  Bcast:213.197.143.59
> eth2	inet addr:213.197.143.54  Bcast:213.197.143.55
> ppp0	...
>
> interfaces:
> mail    eth2    213.197.143.55
> dsl     ppp0    detect
> loc    eth0    192.168.56.255
> dmz     eth1    213.197.143.59
>
> policy:
> loc             dmz             ACCEPT
>
> PCs in loc zone can access services in dmz.
>
> Now 3 new subnets 192.168.57.0/24 - 59.0/24 (radio lan) were connected
> to the loc lan through 192.168.56.22, which is configured to route to
> 192.168.56.1.
>
> According to
> http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html I changed
> interfaces to:
> ...
> -   eth0  192.168.56.255,192.168.57.255,192.168.58.255,192.168.59.255
> ...
>
Why? the new subnetworks aren''t in the same broadcast domain as your 
firewall.
> and hosts to:
> loc     eth0:192.168.56.0/24
> loc     eth0:192.168.57.0/24
> loc     eth0:192.168.58.0/24
> loc     eth0:192.168.59.0/24
Why?
>
> Also entered such commands at the firewall console:
> route add -net 192.168.57.0/24 dev eth0 gateway 192.168.56.22
> route add -net 192.168.58.0/24 dev eth0 gateway 192.168.56.22
> route add -net 192.168.59.0/24 dev eth0 gateway 192.168.56.22
Ok.
>
> The problem is that PCs from radio link (192.168.58.2 for example) can
> ping the firewall, but cannot access dmz. What could be a problem?
> I can provide radio lan connection details.
>
Has 192.168.56.22 been configured with it''s default gateway set to 
192.168.56.1?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Nerijus Baliunas

2003-May-06 10:48 UTC

head link

[Shorewall-users] multiple subnets

> Why? the new subnetworks aren''t in the same broadcast domain as
your
> firewall.
> 
> > and hosts to:
> > loc     eth0:192.168.56.0/24
> > loc     eth0:192.168.57.0/24
> > loc     eth0:192.168.58.0/24
> > loc     eth0:192.168.59.0/24
> 
> Why?
I changed interfaces and hosts files back, but it didn''t help.
> Has 192.168.56.22 been configured with it''s default gateway set to
> 192.168.56.1?
Yes.

Nerijus

Tom Eastep

2003-May-06 11:01 UTC

head link

[Shorewall-users] multiple subnets

On 06 May 2003 20:48:27 +0300, Nerijus Baliunas 
<nerijus@users.sourceforge.net> wrote:
>> Why? the new subnetworks aren''t in the same broadcast domain
as your
>> firewall.
>>
>> > and hosts to:
>> > loc     eth0:192.168.56.0/24
>> > loc     eth0:192.168.57.0/24
>> > loc     eth0:192.168.58.0/24
>> > loc     eth0:192.168.59.0/24
>>
>> Why?
>
> I changed interfaces and hosts files back, but it didn''t help.
>
Did you have any entries in the hosts file to start with (I wouldn''t
have
thought so but...)?
>> Has 192.168.56.22 been configured with it''s default gateway
set to
>> 192.168.56.1?
>
> Yes.
You can try:

a) shorewall reset
b) Try to connect to the dmz
c) shorewall status > status.txt

and look at the status.txt file. Are you seeing any traffic in the loc2dmz 
chain? In the FORWARD chain? Any Shorewall log messages?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Nerijus Baliunas

2003-May-06 11:21 UTC

head link

[Shorewall-users] multiple subnets

> > I changed interfaces and hosts files back, but it didn''t
help.
> Did you have any entries in the hosts file to start with (I
wouldn''t have
> thought so but...)?
No, and there are no entries now.
> You can try:
> 
> a) shorewall reset
> b) Try to connect to the dmz
> c) shorewall status > status.txt
> 
> and look at the status.txt file. Are you seeing any traffic in the loc2dmz 
> chain? In the FORWARD chain? Any Shorewall log messages?
No shorewall log messages in syslog in regard to this problem. I am
attaching status.txt. Please tell me if you see smth suspicious.

Thanks,
Nerijus

-------------- next part --------------
[H[2JShorewall-1.4.2 Status at wall.n-k.lt - Tue May  6 21:07:40 EEST 2003

Counters reset Tue May  6 21:06:50 EEST 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
   77  4440 ppp0_in    all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
   36  5039 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    3   144 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
  304  197K ppp0_fwd   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
  361  288K eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    3   249 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
state INVALID
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 fw2mail    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
   51  6120 fw2dsl     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
   22   909 all2all    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 fw2dmz     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (6 references)
 pkts bytes target     prot opt in     out     source               destination
   22   909 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
   16  2568 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (8 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:135
   16  2568 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0           
255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:53 state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0           
213.197.143.55
    0     0 DROP       all  --  *      *       0.0.0.0/0           
192.168.56.255
    0     0 DROP       all  --  *      *       0.0.0.0/0           
213.197.143.59

Chain dmz2dsl (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    1    57 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dmz2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dmz2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   192 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dmz2mail (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dsl2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
  302  197K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:dsl2all:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dsl2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   170 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
213.197.143.58     state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
213.197.143.58     state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
213.197.143.58     state NEW tcp dpt:80
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:dsl2dmz:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dsl2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   77  4440 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 dsl2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dynamic (8 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
  361  288K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 loc2mail   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
  351  288K loc2dsl    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
   10   711 loc2dmz    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   36  5039 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   36  5039 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   249 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dmz2mail   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
    1    57 dmz2dsl    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    2   192 dmz2loc    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dmz2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth2_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 mail2all   all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 mail2all   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 mail2dmz   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth2_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 mail2fw    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
213.197.143.58     state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
213.197.143.58     state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
213.197.143.58     state NEW tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
213.197.143.58     state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
213.197.143.58     state NEW tcp dpt:80
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0           
213.197.143.58     state NEW udp dpt:53
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2dsl (1 references)
 pkts bytes target     prot opt in     out     source               destination
   51  6120 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW udp dpt:123
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:25
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2mail (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:25
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain loc2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
213.197.143.58     state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
213.197.143.58     state NEW tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
213.197.143.58     state NEW tcp dpt:110
   10   711 ACCEPT     udp  --  *      *       0.0.0.0/0           
213.197.143.58     state NEW udp dpt:53
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2dsl (1 references)
 pkts bytes target     prot opt in     out     source               destination
  349  288K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    2    96 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
   20  2471 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
   16  2568 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2mail (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain mail2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:mail2all:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain mail2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
213.197.143.58     state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0           
213.197.143.58     state NEW tcp dpt:110
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:mail2dmz:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain mail2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
state NEW tcp dpt:22
    0     0 mail2all   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain newnotsyn (18 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ppp0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
  304  197K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dsl2all    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
  302  197K dsl2all    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    2   170 dsl2dmz    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain ppp0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   77  4440 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
   77  4440 dsl2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (10 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-port-unreachable

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

May  6 20:24:56 mail2all:DROP:IN=eth2 OUT=ppp0 SRC=217.150.64.43
DST=213.197.143.60 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=50341 DF PROTO=TCP
SPT=2813 DPT=17300 WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:24:56 mail2all:DROP:IN=eth2 OUT=ppp0 SRC=217.150.64.43
DST=213.197.143.62 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=50343 DF PROTO=TCP
SPT=2815 DPT=17300 WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:24:56 mail2all:DROP:IN=eth2 OUT=ppp0 SRC=217.150.64.43
DST=213.197.143.61 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=50342 DF PROTO=TCP
SPT=2814 DPT=17300 WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:24:56 mail2all:DROP:IN=eth2 OUT=ppp0 SRC=217.150.64.43
DST=213.197.143.63 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=50344 DF PROTO=TCP
SPT=2816 DPT=17300 WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:24:56 mail2dmz:DROP:IN=eth2 OUT=eth1 SRC=217.150.64.43
DST=213.197.143.58 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=50339 DF PROTO=TCP
SPT=2811 DPT=17300 WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:24:59 mail2all:DROP:IN=eth2 OUT= SRC=217.150.64.43 DST=213.197.143.54
LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=50459 DF PROTO=TCP SPT=2807 DPT=17300
WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:24:59 mail2all:DROP:IN=eth2 OUT= SRC=217.150.64.43 DST=213.197.143.56
LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=50461 DF PROTO=TCP SPT=2809 DPT=17300
WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:24:59 mail2dmz:DROP:IN=eth2 OUT=eth1 SRC=217.150.64.43
DST=213.197.143.58 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=50463 DF PROTO=TCP
SPT=2811 DPT=17300 WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:24:59 mail2all:DROP:IN=eth2 OUT=ppp0 SRC=217.150.64.43
DST=213.197.143.60 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=50465 DF PROTO=TCP
SPT=2813 DPT=17300 WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:24:59 mail2all:DROP:IN=eth2 OUT=ppp0 SRC=217.150.64.43
DST=213.197.143.61 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=50466 DF PROTO=TCP
SPT=2814 DPT=17300 WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:24:59 mail2all:DROP:IN=eth2 OUT=ppp0 SRC=217.150.64.43
DST=213.197.143.62 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=50467 DF PROTO=TCP
SPT=2815 DPT=17300 WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:24:59 mail2all:DROP:IN=eth2 OUT=ppp0 SRC=217.150.64.43
DST=213.197.143.63 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=50468 DF PROTO=TCP
SPT=2816 DPT=17300 WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:24:59 mail2all:DROP:IN=eth2 OUT= SRC=217.150.64.43 DST=213.197.143.57
LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=50462 DF PROTO=TCP SPT=2810 DPT=17300
WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:30:46 mail2all:DROP:IN=eth2 OUT= SRC=213.64.169.208 DST=213.197.143.54
LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=28461 DF PROTO=TCP SPT=1706 DPT=80
WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:30:49 mail2all:DROP:IN=eth2 OUT= SRC=213.64.169.208 DST=213.197.143.54
LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=28704 DF PROTO=TCP SPT=1706 DPT=80
WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:43:59 mail2all:DROP:IN=eth2 OUT= SRC=67.85.73.245 DST=213.197.143.56
LEN=404 TOS=0x00 PREC=0x00 TTL=109 ID=24009 PROTO=UDP SPT=1302 DPT=1434 LEN=384
May  6 20:50:18 mail2all:DROP:IN=eth2 OUT=ppp0 SRC=213.194.100.106
DST=213.197.143.61 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=11529 DF PROTO=TCP
SPT=17462 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:50:21 mail2all:DROP:IN=eth2 OUT=ppp0 SRC=213.194.100.106
DST=213.197.143.61 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=11678 DF PROTO=TCP
SPT=17462 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
May  6 20:50:27 mail2all:DROP:IN=eth2 OUT=ppp0 SRC=213.194.100.106
DST=213.197.143.61 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=12003 DF PROTO=TCP
SPT=17462 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
May  6 21:03:52 mail2all:DROP:IN=eth2 OUT= SRC=68.0.2.232 DST=213.197.143.56
LEN=404 TOS=0x00 PREC=0x00 TTL=105 ID=33599 PROTO=UDP SPT=1082 DPT=1434 LEN=384

NAT Table

Chain PREROUTING (policy ACCEPT 22 packets, 2940 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dsl_dnat   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 4 packets, 267 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   105 ppp0_masq  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain dsl_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:25 to:213.197.143.58
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:110 to:213.197.143.58
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:25252 to:213.197.143.58:80

Chain ppp0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    48 MASQUERADE  all  --  *      *       192.168.56.50        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.56.51        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.56.52        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.56.53        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.56.54        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.56.55        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.56.56        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.56.57        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.56.58        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.56.59        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.56.85        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.56.86        0.0.0.0/0
    1    57 MASQUERADE  all  --  *      *       213.197.143.58       0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       192.168.56.0/24     
193.110.9.37

Mangle Table

Chain PREROUTING (policy ACCEPT 791 packets, 502K bytes)
 pkts bytes target     prot opt in     out     source               destination
  791  502K pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
  791  502K tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 113 packets, 9479 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 678 packets, 493K bytes)
 pkts bytes target     prot opt in     out     source               destination
  678  493K tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 73 packets, 7029 bytes)
 pkts bytes target     prot opt in     out     source               destination
   73  7029 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
   73  7029 tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 751 packets, 500K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
   51  6120 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
   77  4440 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:20 TOS set 0x08

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination

tcp      6 430798 ESTABLISHED src=192.168.56.50 dst=80.133.144.53 sport=4434
dport=4662 src=80.133.144.53 dst=213.190.52.135 sport=4662 dport=4434 [ASSURED]
use=1
tcp      6 6 TIME_WAIT src=192.168.56.50 dst=213.197.143.58 sport=4823 dport=110
src=213.197.143.58 dst=192.168.56.50 sport=110 dport=4823 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.56.50 dst=80.15.94.194 sport=4623
dport=4662 src=80.15.94.194 dst=213.190.52.135 sport=4662 dport=4623 [ASSURED]
use=1
tcp      6 431998 ESTABLISHED src=192.168.56.50 dst=217.82.194.50 sport=4833
dport=4662 src=217.82.194.50 dst=213.190.52.135 sport=4662 dport=4833 [ASSURED]
use=1
udp      17 20 src=192.168.56.50 dst=213.197.143.58 sport=4830 dport=53
src=213.197.143.58 dst=192.168.56.50 sport=53 dport=4830 use=1
tcp      6 431998 ESTABLISHED src=213.226.179.176 dst=213.190.52.135 sport=43005
dport=22 src=213.190.52.135 dst=213.226.179.176 sport=22 dport=43005 [ASSURED]
use=1
udp      17 20 src=192.168.56.50 dst=213.197.143.58 sport=4831 dport=53
src=213.197.143.58 dst=192.168.56.50 sport=53 dport=4831 use=1
tcp      6 431948 ESTABLISHED src=213.226.179.176 dst=213.190.52.135 sport=43006
dport=22 src=213.190.52.135 dst=213.226.179.176 sport=22 dport=43006 [ASSURED]
use=1
tcp      6 431978 ESTABLISHED src=213.197.143.58 dst=64.12.163.132 sport=2592
dport=80 src=64.12.163.132 dst=213.190.52.135 sport=80 dport=2592 [ASSURED]
use=1
tcp      6 88 TIME_WAIT src=192.168.56.50 dst=80.130.21.12 sport=4827 dport=4662
src=80.130.21.12 dst=213.190.52.135 sport=4662 dport=4827 [ASSURED] use=1
tcp      6 3 SYN_SENT src=192.168.56.50 dst=213.51.57.60 sport=4812 dport=4662
[UNREPLIED] src=213.51.57.60 dst=213.190.52.135 sport=4662 dport=4812 use=1
tcp      6 80 TIME_WAIT src=192.168.56.50 dst=24.197.176.53 sport=4825
dport=4662 src=24.197.176.53 dst=213.190.52.135 sport=4662 dport=4825 [ASSURED]
use=1
tcp      6 431999 ESTABLISHED src=192.168.56.50 dst=80.138.254.254 sport=4077
dport=4118 src=80.138.254.254 dst=213.190.52.135 sport=4118 dport=4077 [ASSURED]
use=1
tcp      6 10 TIME_WAIT src=192.168.56.50 dst=12.249.203.77 sport=4767
dport=4662 src=12.249.203.77 dst=213.190.52.135 sport=4662 dport=4767 [ASSURED]
use=1
tcp      6 48 SYN_SENT src=192.168.56.50 dst=213.51.57.60 sport=4829 dport=4662
[UNREPLIED] src=213.51.57.60 dst=213.190.52.135 sport=4662 dport=4829 use=1
tcp      6 52 TIME_WAIT src=192.168.56.50 dst=211.197.191.174 sport=4814
dport=4662 src=211.197.191.174 dst=213.190.52.135 sport=4662 dport=4814
[ASSURED] use=1
tcp      6 431998 ESTABLISHED src=192.168.56.50 dst=172.180.237.243 sport=4651
dport=4662 src=172.180.237.243 dst=213.190.52.135 sport=4662 dport=4651
[ASSURED] use=1
tcp      6 49 TIME_WAIT src=192.168.56.50 dst=212.179.203.244 sport=4804
dport=4662 src=212.179.203.244 dst=213.190.52.135 sport=4662 dport=4804
[ASSURED] use=1
tcp      6 48 TIME_WAIT src=192.168.56.50 dst=66.149.102.156 sport=4808
dport=4662 src=66.149.102.156 dst=213.190.52.135 sport=4662 dport=4808 [ASSURED]
use=1
tcp      6 430717 ESTABLISHED src=192.168.56.50 dst=80.133.144.53 sport=4362
dport=4662 src=80.133.144.53 dst=213.190.52.135 sport=4662 dport=4362 [ASSURED]
use=1
tcp      6 430758 ESTABLISHED src=192.168.56.50 dst=80.133.144.53 sport=4394
dport=4662 src=80.133.144.53 dst=213.190.52.135 sport=4662 dport=4394 [ASSURED]
use=1
tcp      6 40 TIME_WAIT src=192.168.56.50 dst=217.132.86.133 sport=4806
dport=4662 src=217.132.86.133 dst=213.190.52.135 sport=4662 dport=4806 [ASSURED]
use=1
tcp      6 60 TIME_WAIT src=192.168.56.50 dst=24.157.173.6 sport=4819 dport=4662
src=24.157.173.6 dst=213.190.52.135 sport=4662 dport=4819 [ASSURED] use=1
tcp      6 50 TIME_WAIT src=192.168.56.50 dst=213.190.37.102 sport=4802
dport=4662 src=213.190.37.102 dst=213.190.52.135 sport=4662 dport=4802 [ASSURED]
use=1
tcp      6 21 TIME_WAIT src=213.197.143.58 dst=64.12.163.132 sport=2531 dport=80
src=64.12.163.132 dst=213.190.52.135 sport=80 dport=2531 [ASSURED] use=1
tcp      6 47 TIME_WAIT src=192.168.56.50 dst=217.98.188.124 sport=4816
dport=4662 src=217.98.188.124 dst=213.190.52.135 sport=4662 dport=4816 [ASSURED]
use=1
tcp      6 428595 ESTABLISHED src=192.168.56.50 dst=80.15.153.158 sport=3546
dport=4662 src=80.15.153.158 dst=213.190.52.135 sport=4662 dport=3546 [ASSURED]
use=1
tcp      6 431968 ESTABLISHED src=192.168.56.1 dst=192.168.58.2 sport=1211
dport=23 src=192.168.58.2 dst=192.168.56.1 sport=23 dport=1211 [ASSURED] use=1
tcp      6 39 TIME_WAIT src=192.168.56.50 dst=62.65.225.94 sport=4810 dport=4662
src=62.65.225.94 dst=213.190.52.135 sport=4662 dport=4810 [ASSURED] use=1
tcp      6 19 TIME_WAIT src=192.168.56.98 dst=213.197.143.58 sport=3054
dport=8565 src=213.197.143.58 dst=192.168.56.98 sport=8565 dport=3054 [ASSURED]
use=1
udp      17 7 src=192.168.58.2 dst=213.197.143.58 sport=1043 dport=53
[UNREPLIED] src=213.197.143.58 dst=192.168.58.2 sport=53 dport=1043 use=1
tcp      6 431899 ESTABLISHED src=192.168.56.98 dst=213.197.143.58 sport=3055
dport=8565 src=213.197.143.58 dst=192.168.56.98 sport=8565 dport=3055 [ASSURED]
use=1
tcp      6 53 TIME_WAIT src=192.168.56.77 dst=213.197.143.58 sport=2838
dport=110 src=213.197.143.58 dst=192.168.56.77 sport=110 dport=2838 [ASSURED]
use=1
tcp      6 411464 ESTABLISHED src=192.168.56.50 dst=62.217.137.213 sport=4990
dport=4662 src=62.217.137.213 dst=213.190.52.135 sport=4662 dport=4990 [ASSURED]
use=1
udp      17 85 src=213.197.143.58 dst=192.175.48.6 sport=53 dport=53
src=192.175.48.6 dst=213.190.52.135 sport=53 dport=53 [ASSURED] use=1
udp      17 20 src=213.197.143.58 dst=193.219.32.13 sport=53 dport=53
src=193.219.32.13 dst=213.190.52.135 sport=53 dport=53 use=1
tcp      6 431441 ESTABLISHED src=192.168.56.50 dst=66.227.96.252 sport=4122
dport=4661 src=66.227.96.252 dst=213.197.143.54 sport=4661 dport=4122 [ASSURED]
use=1
udp      17 24 src=192.168.58.2 dst=213.197.143.58 sport=1044 dport=53
[UNREPLIED] src=213.197.143.58 dst=192.168.58.2 sport=53 dport=1044 use=1
tcp      6 431968 ESTABLISHED src=213.226.179.176 dst=213.190.52.135 sport=43335
dport=22 src=213.190.52.135 dst=213.226.179.176 sport=22 dport=43335 [ASSURED]
use=1
tcp      6 417204 ESTABLISHED src=192.168.56.50 dst=212.254.98.187 sport=4581
dport=4662 src=212.254.98.187 dst=213.190.52.135 sport=4662 dport=4581 [ASSURED]
use=1
tcp      6 423597 ESTABLISHED src=192.168.56.50 dst=65.54.249.126 sport=2411
dport=443 src=65.54.249.126 dst=213.190.52.135 sport=443 dport=2411 [ASSURED]
use=1
tcp      6 10 TIME_WAIT src=192.168.56.50 dst=213.197.143.58 sport=4821
dport=110 src=213.197.143.58 dst=192.168.56.50 sport=110 dport=4821 [ASSURED]
use=1
tcp      6 430268 ESTABLISHED src=192.168.56.50 dst=145.254.83.80 sport=4204
dport=4662 src=145.254.83.80 dst=213.190.52.135 sport=4662 dport=4204 [ASSURED]
use=1
tcp      6 431997 ESTABLISHED src=192.168.56.50 dst=81.48.129.179 sport=4590
dport=4662 src=81.48.129.179 dst=213.190.52.135 sport=4662 dport=4590 [ASSURED]
use=1

Tom Eastep

2003-May-06 11:52 UTC

head link

Fwd: Re: [Shorewall-users] multiple subnets

------- Forwarded message -------
From: Tom Eastep <teastep@shorewall.net>
To: Nerijus Baliunas <nerijus@users.sourceforge.net>
Subject: Re: [Shorewall-users] multiple subnets
Date: Tue, 06 May 2003 11:28:32 -0700
> On 06 May 2003 21:20:58 +0300, Nerijus Baliunas 
> <nerijus@users.sourceforge.net> wrote:
>
>>> > I changed interfaces and hosts files back, but it
didn''t help.
>>
>>> Did you have any entries in the hosts file to start with (I
wouldn''t
>>> have thought so but...)?
>>
>> No, and there are no entries now.
>>
>>> You can try:
>>>
>>> a) shorewall reset
>>> b) Try to connect to the dmz
>>> c) shorewall status > status.txt
>>>
>>> and look at the status.txt file. Are you seeing any traffic in the 
>>> loc2dmz chain? In the FORWARD chain? Any Shorewall log messages?
>>
>> No shorewall log messages in syslog in regard to this problem. I am
>> attaching status.txt. Please tell me if you see smth suspicious.
>
> What does the firewall routing table look like?
> What connection were you trying to make to the DMZ? (source IP, dest IP, 
> proto, [port])
>
> -Tom


-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep

2003-May-06 12:07 UTC

head link

[Shorewall-users] multiple subnets

On 06 May 2003 21:55:26 +0300, Nerijus Baliunas 
<nerijus@users.sourceforge.net> wrote:
>> What does the firewall routing table look like?
>
> # route -n
> Kernel IP routing table
> Destination    Gateway       Genmask         Flags Metric Ref  Use Iface
> 81.7.112.1     0.0.0.0       255.255.255.255 UH    0      0      0 ppp0
> 213.197.143.52 0.0.0.0       255.255.255.252 U     0      0      0 eth2
> 213.197.143.56 0.0.0.0       255.255.255.252 U     0      0      0 eth1
> 192.168.58.0   192.168.56.22 255.255.255.0   UG    0      0      0 eth0
> 192.168.59.0   192.168.56.22 255.255.255.0   UG    0      0      0 eth0
> 192.168.56.0   0.0.0.0       255.255.255.0   U     0      0      0 eth0
> 192.168.57.0   192.168.56.22 255.255.255.0   UG    0      0      0 eth0
> 127.0.0.0      0.0.0.0       255.0.0.0       U     0      0      0 lo
> 0.0.0.0        81.7.112.1    0.0.0.0         UG    0      0      0 ppp0
>
>> What connection were you trying to make to the DMZ? (source IP, dest
IP,
>> proto, [port])
>
> I was trying to ping dmz by its DNS name, which should be resolved
> first. The DNS server is dmz, so connection should be a DNS request from
> 192.168.58.2 to 213.197.143.58.
Here''s the connection tracking table entry:

udp      17 24 src=192.168.58.2 dst=213.197.143.58 sport=1044 dport=53 
[UNREPLIED] src=213.197.143.58 dst=192.168.58.2 sport=53 dport=1044 use=1

The request has been sent to 213.197.143.58 but the firewall has not seen a 
reply from 213.197.143.58 that matches this request. This means that your 
Shorewall ruleset is correct.

What does the routing table on 213.197.143.58 look like?

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Nerijus Baliunas

2003-May-06 12:37 UTC

head link

[Shorewall-users] multiple subnets

An, 2003-05-06 22:07, Tom Eastep wrote:
> > I was trying to ping dmz by its DNS name, which should be resolved
> > first. The DNS server is dmz, so connection should be a DNS request
from
> > 192.168.58.2 to 213.197.143.58.
> 
> Here''s the connection tracking table entry:
> 
> udp      17 24 src=192.168.58.2 dst=213.197.143.58 sport=1044 dport=53 
> [UNREPLIED] src=213.197.143.58 dst=192.168.58.2 sport=53 dport=1044 use=1
> 
> The request has been sent to 213.197.143.58 but the firewall has not seen a
> reply from 213.197.143.58 that matches this request. This means that your 
> Shorewall ruleset is correct.
> 
> What does the routing table on 213.197.143.58 look like?
That''s AIX.
# netstat -r -n
Routing tables
Destination      Gateway           Flags   Refs     Use  If   PMTU  Exp 
Groups
Netmasks:
(0) 0 ff00                                   
(0) 0 ffff ff00                              
(0) 0 ffff fffc                              

Route Tree for Protocol Family 2:
default          213.197.143.57    UG     4994 18752328  en1    -    -  
127              127.0.0.1         U         2  6211908  lo0    -    -  
192.168.58       192.168.58.1      U         1      572  en0    -    -  
213.197.143.56   213.197.143.58    U         4    37029  en1    -    -  

And now I see the problem - unused interface en0 is configured as
192.168.58.1! I can only say in my defence that it was not me who
installed this server and I totally forgot about the unused network
card! After reconfiguring en0 everything works. Sorry and thank you very
much,

Nerijus

Shorewall users - May 2003 - multiple subnets

[Shorewall-users] multiple subnets

[Shorewall-users] multiple subnets

[Shorewall-users] multiple subnets

[Shorewall-users] multiple subnets

[Shorewall-users] multiple subnets

Fwd: Re: [Shorewall-users] multiple subnets

[Shorewall-users] multiple subnets

[Shorewall-users] multiple subnets