I am experiencing a strange routing issue. I am currently using Shorewall
1.4.4b, iptables 1.2.7a-2, and iproute 2.4.7-7 on RedHat 8.0 (kernel
2.4.18-14).
According to the Shorewall log, it is doing everything as it should
(ACCEPTs, REJECTs, etc.); however, I am not getting responses from the
firewall when I initiate requests to go through it for services (http,
https, icmp, etc.).
For instance, I initiate a ping from my internal LAN (host 192.168.10.2) to
my public LAN (host 64.211.36.4). The Shorewall log shows that it ACCEPTED
the ICMP request from the correct SRC to DST addresses. However, I am
getting "Request timed out" on the internal host. I can ping the same
address just fine from the firewall itself. In fact, I can ping successfully
to both LAN and WAN from the firewall, and I can ping the firewall from the
internal LAN. (I currently reject ICMP to the firewall from the WAN.)
I know I am missing something simple but cannot put my finger on it. I have
attached all pertinent information.
Thanks in advance.
-------------- next part --------------
Shorewall-1.4.4b Status at gatekeeper.internal-tnt.biz - Wed Jun 4 00:53:25 CDT 2003
Counters reset Wed Jun 4 00:20:51 CDT 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
1424 93139 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
31 5447 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
1637 121K eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
309 125K eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
1025 212K fw2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
31 2213 fw2wan all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:ACCEPT:'
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain all2all (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain common (4 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW
0 0 DROP all -- * * 0.0.0.0/0 192.168.10.255
0 0 DROP all -- * * 0.0.0.0/0 64.211.36.255

Chain dynamic (4 references)
pkts bytes target prot opt in out source destination

Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
1637 121K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
1637 121K lan2wan all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
1424 93139 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
1424 93139 lan2fw all -- * * 0.0.0.0/0 0.0.0.0/0

Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
309 125K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
309 125K wan2lan all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
31 5447 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
31 5447 wan2fw all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2all (2 references)
pkts bytes target prot opt in out source destination
1025 212K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:fw2all:ACCEPT:'
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2wan (1 references)
pkts bytes target prot opt in out source destination
28 1999 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
3 214 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 fw2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination

Chain lan2fw (1 references)
pkts bytes target prot opt in out source destination
1172 62688 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 240 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
4 192 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:123
242 30019 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:lan2fw:ACCEPT:'
242 30019 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain lan2wan (1 references)
pkts bytes target prot opt in out source destination
70 5737 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:6667 LOG flags 0 level 6 prefix `Shorewall:lan2wan:REJECT:'
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:6667
44 17338 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:137:139
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:137:139
1523 98397 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:lan2wan:ACCEPT:'
1523 98397 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain newnotsyn (8 references)
pkts bytes target prot opt in out source destination
6 240 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject (14 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
44 17338 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain shorewall (0 references)
pkts bytes target prot opt in out source destination

Chain wan2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:wan2all:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain wan2fw (1 references)
pkts bytes target prot opt in out source destination
31 5447 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1433
0 0 wan2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain wan2lan (1 references)
pkts bytes target prot opt in out source destination
101 102K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp flags:!0x16/0x02
3 180 ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.2 state NEW tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.2 state NEW tcp dpt:443
0 0 ACCEPT tcp -- * * 64.211.36.0/24 192.168.10.3 state NEW tcp dpt:617
205 22992 ACCEPT udp -- * * 64.211.36.0/24 192.168.10.16 state NEW udp spt:514 dpt:514
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.2 state NEW tcp dpt:3389
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.31 state NEW tcp dpt:3389
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.10.32 state NEW tcp dpt:3389
0 0 wan2all all -- * * 0.0.0.0/0 0.0.0.0/0

Jun 4 00:52:59 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.2 DST=64.211.36.4 LEN=48 TOS=0x00 PREC=0x40 TTL=127 ID=61195 DF PROTO=TCP SPT=27637 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 4 00:52:59 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.2 DST=192.112.36.4 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=61199 PROTO=UDP SPT=3023 DPT=53 LEN=50
Jun 4 00:52:59 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.2 DST=192.33.4.12 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=61200 PROTO=UDP SPT=3023 DPT=53 LEN=50
Jun 4 00:53:02 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.2 DST=192.36.148.17 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=61228 PROTO=UDP SPT=3023 DPT=53 LEN=50
Jun 4 00:53:06 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.2 DST=192.36.148.17 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=61267 PROTO=UDP SPT=3023 DPT=53 LEN=50
Jun 4 00:53:06 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.2 DST=192.112.36.4 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=61268 PROTO=UDP SPT=3023 DPT=53 LEN=50
Jun 4 00:53:10 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.2 DST=192.112.36.4 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=61403 PROTO=UDP SPT=3023 DPT=53 LEN=50
Jun 4 00:53:10 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.2 DST=192.33.4.12 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=61404 PROTO=UDP SPT=3023 DPT=53 LEN=50
Jun 4 00:53:13 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.16 DST=64.211.36.2 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=7458 DF PROTO=UDP SPT=1975 DPT=53 LEN=50
Jun 4 00:53:22 lan2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.10.2 DST=255.255.255.255 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=61645 PROTO=UDP SPT=1040 DPT=6666 LEN=42
Jun 4 00:53:23 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.2 DST=192.58.128.30 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=61659 PROTO=UDP SPT=3023 DPT=53 LEN=50
Jun 4 00:53:23 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.16 DST=64.211.36.2 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=10021 DF PROTO=UDP SPT=1975 DPT=53 LEN=50
Jun 4 00:53:26 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.2 DST=192.36.148.17 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=61690 PROTO=UDP SPT=3023 DPT=53 LEN=50
Jun 4 00:53:26 lan2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.10.2 DST=255.255.255.255 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=61697 PROTO=UDP SPT=1041 DPT=6549 LEN=42
Jun 4 00:53:30 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.2 DST=192.36.148.17 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=61731 PROTO=UDP SPT=3023 DPT=53 LEN=50
Jun 4 00:53:30 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.2 DST=192.112.36.4 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=61732 PROTO=UDP SPT=3023 DPT=53 LEN=50
Jun 4 00:53:34 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.2 DST=192.112.36.4 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=61952 PROTO=UDP SPT=3023 DPT=53 LEN=50
Jun 4 00:53:34 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.2 DST=192.33.4.12 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=61953 PROTO=UDP SPT=3023 DPT=53 LEN=50
Jun 4 00:53:34 lan2wan:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.10.2 DST=192.58.128.30 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=61959 PROTO=UDP SPT=3023 DPT=53 LEN=50
Jun 4 00:53:35 lan2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.10.98 DST=192.168.10.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=9748 PROTO=UDP SPT=137 DPT=137 LEN=58

NAT Table

Chain PREROUTING (policy ACCEPT 399 packets, 48699 bytes)
pkts bytes target prot opt in out source destination
38 3782 wan_dnat all -- eth1 * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 207 packets, 14245 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 3 packets, 214 bytes)
pkts bytes target prot opt in out source destination

Chain wan_dnat (1 references)
pkts bytes target prot opt in out source destination
3 180 DNAT tcp -- * * 0.0.0.0/0 64.211.36.250 tcp dpt:25 to:192.168.10.2
0 0 DNAT tcp -- * * 0.0.0.0/0 64.211.36.250 tcp dpt:443 to:192.168.10.2
0 0 LOG tcp -- * * 64.211.36.0/24 64.211.36.250 tcp dpt:617 LOG flags 0 level 6 prefix `Shorewall:wan_dnat:DNAT:'
0 0 DNAT tcp -- * * 64.211.36.0/24 64.211.36.250 tcp dpt:617 to:192.168.10.3
35 3602 LOG udp -- * * 64.211.36.0/24 64.211.36.250 udp spt:514 dpt:514 LOG flags 0 level 6 prefix `Shorewall:wan_dnat:DNAT:'
35 3602 DNAT udp -- * * 64.211.36.0/24 64.211.36.250 udp spt:514 dpt:514 to:192.168.10.16
0 0 LOG tcp -- * * 0.0.0.0/0 64.211.36.250 tcp dpt:3389 LOG flags 0 level 6 prefix `Shorewall:wan_dnat:DNAT:'
0 0 DNAT tcp -- * * 0.0.0.0/0 64.211.36.250 tcp dpt:3389 to:192.168.10.2:3389
0 0 LOG tcp -- * * 0.0.0.0/0 64.211.36.250 tcp dpt:3388 LOG flags 0 level 6 prefix `Shorewall:wan_dnat:DNAT:'
0 0 DNAT tcp -- * * 0.0.0.0/0 64.211.36.250 tcp dpt:3388 to:192.168.10.31:3389
0 0 LOG tcp -- * * 0.0.0.0/0 64.211.36.250 tcp dpt:3387 LOG flags 0 level 6 prefix `Shorewall:wan_dnat:DNAT:'
0 0 DNAT tcp -- * * 0.0.0.0/0 64.211.36.250 tcp dpt:3387 to:192.168.10.32:3389

Mangle Table

Chain PREROUTING (policy ACCEPT 3416 packets, 346K bytes)
pkts bytes target prot opt in out source destination
3416 346K pretos all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 1458 packets, 98766 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 1952 packets, 247K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1056 packets, 214K bytes)
pkts bytes target prot opt in out source destination
1056 214K outtos all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 2964 packets, 444K bytes)
pkts bytes target prot opt in out source destination

Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
981 193K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
pkts bytes target prot opt in out source destination
1183 63160 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08

udp 17 28 src=192.168.10.2 dst=192.33.4.12 sport=3023 dport=53 [UNREPLIED] src=192.33.4.12 dst=192.168.10.2 sport=53 dport=3023 use=1
udp 17 28 src=192.168.10.2 dst=192.58.128.30 sport=3023 dport=53 [UNREPLIED] src=192.58.128.30 dst=192.168.10.2 sport=53 dport=3023 use=1
tcp 6 24 SYN_SENT src=192.168.10.2 dst=66.250.222.158 sport=27626 dport=25 [UNREPLIED] src=66.250.222.158 dst=192.168.10.2 sport=25 dport=27626 use=1
udp 17 28 src=192.168.10.2 dst=192.112.36.4 sport=3023 dport=53 [UNREPLIED] src=192.112.36.4 dst=192.168.10.2 sport=53 dport=3023 use=1
tcp 6 431988 ESTABLISHED src=192.168.10.31 dst=192.168.10.1 sport=3953 dport=22 src=192.168.10.1 dst=192.168.10.31 sport=22 dport=3953 [ASSURED] use=1
udp 17 16 src=192.168.10.16 dst=64.211.36.2 sport=1975 dport=53 [UNREPLIED] src=64.211.36.2 dst=192.168.10.16 sport=53 dport=1975 use=1
udp 17 28 src=192.168.10.98 dst=192.168.10.255 sport=137 dport=137 [UNREPLIED] src=192.168.10.255 dst=192.168.10.98 sport=137 dport=137 use=1
tcp 6 44 SYN_SENT src=192.168.10.2 dst=64.211.36.4 sport=27628 dport=25 [UNREPLIED] src=64.211.36.4 dst=192.168.10.2 sport=25 dport=27628 use=1
udp 17 15 src=192.168.10.2 dst=255.255.255.255 sport=1040 dport=6666 [UNREPLIED] src=255.255.255.255 dst=192.168.10.2 sport=6666 dport=1040 use=1
udp 17 24 src=192.168.10.2 dst=192.36.148.17 sport=3023 dport=53 [UNREPLIED] src=192.36.148.17 dst=192.168.10.2 sport=53 dport=3023 use=1
tcp 6 62 SYN_SENT src=192.168.10.2 dst=64.211.36.4 sport=27630 dport=25 [UNREPLIED] src=64.211.36.4 dst=192.168.10.2 sport=25 dport=27630 use=1
tcp 6 82 SYN_SENT src=192.168.10.2 dst=64.211.36.4 sport=27637 dport=25 [UNREPLIED] src=64.211.36.4 dst=192.168.10.2 sport=25 dport=27637 use=1
udp 17 20 src=192.168.10.2 dst=255.255.255.255 sport=1041 dport=6549 [UNREPLIED] src=255.255.255.255 dst=192.168.10.2 sport=6549 dport=1041 use=1
-------------- next part --------------
#
# Shorewall 1.4 -- Interfaces File
#
# /etc/shorewall/interfaces
#
# You must add an entry in this file for each network interface on your
# firewall system.
#
# Columns are:
#
# ZONE Zone for this interface. Must match the short name
# of a zone defined in /etc/shorewall/zones.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you should
# place "-" in this column.
#
# INTERFACE Name of interface. Each interface may be listed only
# once in this file. You may NOT specify the name of
# an alias (e.g., eth0:0) here; see
# http://www.shorewall.net/FAQ.htm#faq18
#
# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left blank. If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started, you must have iproute
# installed and the interface must only be associated
# with a single subnet.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
# "-" in this column.
#
# OPTIONS A comma-separated list of options including the
# following:
#
# dhcp - interface is managed by DHCP or used by
# a DHCP server running on the firewall or
# you have a static IP but are on a LAN
# segment with lots of Laptop DHCP clients.
# norfc1918 - This interface should not receive
# any packets whose source is in one
# of the ranges reserved by RFC 1918
# (i.e., private or "non-routable"
# addresses. If packet mangling is
# enabled in shorewall.conf, packets
# whose destination addresses are
# reserved by RFC 1918 are also rejected.
# routefilter - turn on kernel route filtering for this
# interface (anti-spoofing measure). This
# option can also be enabled globally in
# the /etc/shorewall/shorewall.conf file.
# dropunclean - Logs and drops mangled/invalid packets
#
# logunclean - Logs mangled/invalid packets but does
# not drop them.
# blacklist - Check packets arriving on this interface
# against the /etc/shorewall/blacklist
# file.
# maclist - Connection requests from this interface
# are compared against the contents of
# /etc/shorewall/maclist. If this option
# is specified, the interface must be
# an ethernet NIC and must be up before
# Shorewall is started.
# tcpflags - Packets arriving on this interface are
# checked for certain illegal combinations
# of TCP flags. Packets found to have
# such a combination of flags are handled
# according to the setting of
# TCP_FLAGS_DISPOSITION after having been
# logged according to the setting of
# TCP_FLAGS_LOG_LEVEL.
# proxyarp - Sets /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
# Do NOT use this option if you are
# employing Proxy ARP through entries in
# /etc/shorewall/proxyarp. This option is
# intended solely for use with Proxy ARP
# sub-networking as described at:
# http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#
# The order in which you list the options is not
# significant but the list should have no embedded white
# space.
#
# Example 1: Suppose you have eth0 connected to a DSL modem and
# eth1 connected to your local network and that your
# local subnet is 192.168.1.0/24. The interface gets
# its IP address via DHCP from subnet
# 206.191.149.192/27. You have a DMZ with subnet
# 192.168.2.0/24 using eth2.
#
# Your entries for this setup would look like:
#
# net eth0 206.191.149.223 dhcp
# local eth1 192.168.1.255
# dmz eth2 192.168.2.255
#
# Example 2: The same configuration without specifying broadcast
# addresses is:
#
# net eth0 detect dhcp
# loc eth1 detect
# dmz eth2 detect
#
# Example 3: You have a simple dial-in system with no ethernet
# connections.
#
# net ppp0 -
##############################################################################
#ZONE   INTERFACE   BROADCAST        OPTIONS
lan     eth0        192.168.10.255
wan     eth1        64.211.36.255
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-------------- next part --------------
#
# Shorewall 1.4 -- Policy File
#
# /etc/shorewall/policy
#
# This file determines what to do with a new connection request if we
# don't get a match from the /etc/shorewall/rules file or from the
# /etc/shorewall/common[.def] file. For each source/destination pair, the
# file is processed in order until a match is found ("all" will match
# any client or server).
#
# Columns are:
#
# SOURCE Source zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all".
#
# DEST Destination zone. Must be the name of a zone defined
# in /etc/shorewall/zones, $FW or "all"
#
# WARNING: Firewall->Firewall policies are not allowed; if
# you have a policy where both SOURCE and DEST are $FW,
# Shorewall will not start!
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
# ACCEPT - Accept the connection
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other, send
# "port unreachable" ICMP.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or destination
# zone in those rules is a superset of
# the SOURCE or DEST in this policy).
# NONE - Assume that there will never be any
# packets from this SOURCE
# to this DEST. Shorewall will not set up
# any infrastructure to handle such
# packets and you may not have any rules
# with this SOURCE and DEST in the
# /etc/shorewall/rules file. If such a
# packet _is_ received, the result is
# undefined.
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no
# log message is generated. See syslog.conf(5) for a
# description of log levels.
#
# Beginning with Shorewall version 1.3.12, you may
# also specify ULOG (must be in upper case). This will
# log to the ULOG target and send it to a separate log
# through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# If you don't want to log but need to specify the
# following column, place "_" here.
#
# LIMIT:BURST If passed, specifies the maximum TCP connection rate
# and the size of an acceptable burst. If not specified,
# TCP connections are not limited.
#
# As shipped, the default policies are:
#
# a) All connections from the local network to the internet are allowed
# b) All connections from the internet are ignored but logged at syslog
# level KERNEL.INFO.
# c) All other connection requests are rejected and logged at level
# KERNEL.INFO.
###############################################################################
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
lan       fw     ACCEPT   info
lan       wan    ACCEPT   info
fw        all    ACCEPT   info
wan       all    REJECT   info
all       all    REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-------------- next part --------------
#
# Shorewall version 1.4 - Rules File
#
# /etc/shorewall/rules
#
# Rules in this file govern connection establishment. Requests and
# responses are automatically allowed using connection tracking.
#
# In most places where an IP address or subnet is allowed, you
# can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
# indicate that the rule matches all addresses except the address/subnet
# given. Notice that no white space is permitted between "!" and the
# address/subnet.
#
# Columns are:
#
#
# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE
# or LOG.
#
# ACCEPT -- allow the connection request
# DROP -- ignore the request
# REJECT -- disallow the request and return an
# icmp-unreachable or an RST packet.
# DNAT -- Forward the request to another
# system (and optionally another
# port).
# DNAT- -- Advanced users only.
# Like DNAT but only generates the
# DNAT iptables rule and not
# the companion ACCEPT rule.
# REDIRECT -- Redirect the request to a local
# port on the firewall.
# REDIRECT-
# -- Advanced users only.
# Like REDIRECT but only generates the
# REDIRECT iptables rule and not
# the companion ACCEPT rule.
# CONTINUE -- (For experts only). Do not process
# any of the following rules for this
# (source zone,destination zone). If
# The source and/or destination IP
# address falls into a zone defined
# later in /etc/shorewall/zones, this
# connection request will be passed
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
#
# May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be
# logged at the specified level.
#
# You may also specify ULOG (must be in upper case) as a
# log level.This will log to the ULOG target for routing
# to a separate log through use of ulogd
# (http://www.gnumonks.org/projects/ulogd).
#
# SOURCE Source hosts to which the rule applies. May be a zone
# defined in /etc/shorewall/zones, $FW to indicate the
# firewall itself, or "all" If the ACTION is DNAT or
# REDIRECT, sub-zones of the specified zone may be
# excluded from the rule by following the zone name with
# "!" and a comma-separated list of sub-zone names.
#
# Except when "all" is specified, clients may be further
# restricted to a list of subnets and/or hosts by
# appending ":" and a comma-separated list of subnets
# and/or hosts. Hosts may be specified by IP or MAC
# address; mac addresses must begin with "~" and must use
# "-" as a separator.
#
# dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
#
# net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
# Internet
#
# loc:192.168.1.1,192.168.1.2
# Hosts 192.168.1.1 and
# 192.168.1.2 in the local zone.
# loc:~00-A0-C9-15-39-78 Host in the local zone with
# MAC address 00:A0:C9:15:39:78.
#
# Alternatively, clients may be specified by interface
# by appending ":" to the zone name followed by the
# interface name. For example, loc:eth1 specifies a
# client that communicates with the firewall system
# through eth1. This may be optionally followed by
# another colon (":") and an IP/MAC/subnet address
# as described above (e.g., loc:eth1:192.168.1.5).
#
# DEST Location of Server. May be a zone defined in
# /etc/shorewall/zones, $FW to indicate the firewall
# itself or "all"
#
# Except when "all" is specified, the server may be
# further restricted to a particular subnet, host or
# interface by appending ":" and the subnet, host or
# interface. See above.
#
# Restrictions:
#
# 1. MAC addresses are not allowed.
# 2. In DNAT rules, only IP addresses are
# allowed; no FQDNs or subnet addresses
# are permitted.
# 3. You may not specify both an interface and
# an address.
#
# The port that the server is listening on may be
# included and separated from the server's IP address by
# ":". If omitted, the firewall will not modify the
# destination port. A destination port may only be
# included if the ACTION is DNAT or REDIRECT.
#
# Example: loc:192.168.1.3:3128 specifies a local
# server at IP address 192.168.1.3 and listening on port
# 3128. The port number MUST be specified as an integer
# and not as a name from /etc/services.
#
# if the ACTION is REDIRECT, this column needs only to
# contain the port number on the firewall that the
# request should be redirected to.
#
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
# A port range is expressed as <low port>:<high port>.
#
# This column is ignored if PROTOCOL = all but must be
# entered if any of the following fields are supplied.
# In that case, it is suggested that this field contain
# "-"
#
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
# only a single Netfilter rule will be generated if in
# this list and the CLIENT PORT(S) list below:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
# any source port is acceptable. Specified as a comma-
# separated list of port names, port numbers or port
# ranges.
#
# If you don't want to restrict client ports but need to
# specify an ADDRESS in the next column, then place "-"
# in this column.
#
# If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
# only a single Netfilter rule will be generated if in
# this list and the DEST PORT(S) list above:
# 1. There are 15 or less ports listed.
# 2. No port ranges are included.
# Otherwise, a separate rule will be generated for each
# port.
#
# ORIGINAL DEST (Optional -- only allowed if ACTION is DNAT or
# REDIRECT) If included and different from the IP
# address given in the SERVER column, this is an address
# on some interface on the firewall and connections to
# that address will be forwarded to the IP and port
# specified in the DEST column.
#
# The address may optionally be followed by
# a colon (":") and a second IP address. This causes
# Shorewall to use the second IP address as the source
# address in forwarded packets. See the Shorewall
# documentation for restrictions concerning this feature.
# If no source IP address is given, the original source
# address is not altered.
#
# Example: Accept SMTP requests from the DMZ to the internet
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# ACCEPT dmz net tcp smtp
#
# Example: Forward all ssh and http connection requests from the internet
# to local system 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp ssh,http
#
# Example: Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# REDIRECT loc 3128 tcp www - !192.168.2.2
#
# Example: All http requests from the internet to address
# 130.252.100.69 are to be forwarded to 192.168.1.3
#
# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# # PORT PORT(S) DEST
# DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69
##############################################################################
#ACTION     SOURCE                DEST                    PROTO  DEST    SOURCE   ORIGINAL
#                                                                PORT    PORT(S)  DEST
#
############################################################################
# LAN to WAN
#
# -> Block trojans from calling home
REJECT:info lan                   wan                     tcp    6667
# -> Don't route NetBios stuff
REJECT      lan                   wan                     udp    137:139
REJECT      lan                   wan                     tcp    137:139
#
#
############################################################################
# LAN to FW
#
ACCEPT      lan                   fw                      icmp   8
ACCEPT      lan                   fw                      tcp    22
ACCEPT      lan                   fw                      udp    ntp
#
#
############################################################################
# WAN to LAN
#
DNAT        wan                   lan:192.168.10.2        tcp    smtp    -        64.211.36.250
DNAT        wan                   lan:192.168.10.2        tcp    443     -        64.211.36.250
DNAT:info   wan:64.211.36.0/24    lan:192.168.10.3        tcp    617     -        64.211.36.250
DNAT:info   wan:64.211.36.0/24    lan:192.168.10.16       udp    514     514      64.211.36.250
# -> Accept incoming RDP connections
DNAT:info   wan                   lan:192.168.10.2:3389   tcp    3389    -        64.211.36.250
DNAT:info   wan                   lan:192.168.10.31:3389  tcp    3388    -        64.211.36.250
DNAT:info   wan                   lan:192.168.10.32:3389  tcp    3387    -        64.211.36.250
#
#
############################################################################
# WAN to FW
#
ACCEPT      wan                   fw                      icmp   8
DROP        wan                   fw                      tcp    1433
#
#
############################################################################
# FW to WAN
#
ACCEPT      fw                    wan                     icmp   8
ACCEPT      fw                    wan                     udp    domain
ACCEPT      fw                    wan                     tcp    domain,http,https,ssh
#
#
# -> Left overs...
#ACCEPT     fw                    lan                     icmp   8
#ACCEPT     fw                    wan:20022               tcp    ftp
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-------------- next part --------------
#
# Shorewall 1.4 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
#ZONE   DISPLAY        COMMENTS
lan     Internal LAN   Internal Private LAN
wan     External LAN   External Public LAN
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
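Editorial note on the attached status dump, added here and not part of the original message. Read as a practitioner would: every flow from a 192.168.10.x host to an address outside that subnet sits in the connection-tracking table as [UNREPLIED] (the SMTP SYNs to 64.211.36.4 stuck in SYN_SENT, the DNS queries to external servers), while the nat table's POSTROUTING chain lists no rules at all. That combination is what you see when packets leave a public-side interface still carrying a private source address, so the far end has no route back for its reply; the filter rules ACCEPT the outbound packet, which is why the Shorewall log looks healthy. In Shorewall 1.4 the SNAT/MASQUERADE rules in POSTROUTING are generated from /etc/shorewall/masq, and `iptables -t nat -L POSTROUTING -nv` is the quick check on a running box. This is an editorial reading of the dump, not a conclusion the poster reached. The script below is an added example (not the poster's or the Shorewall project's code): it parses a few conntrack lines and the POSTROUTING listing copied from the dump (constructed samples, rejoined onto single lines) and flags exactly this pattern. It assumes the lan zone is 192.168.10.0/24, inferred from the broadcast address in the interfaces file.

```python
"""Triage the Shorewall status dump above: flag connections that left the
firewall with a private source address while the nat POSTROUTING chain holds
no SNAT/MASQUERADE rule.  Added example; not part of the original post."""
import ipaddress
import re

# Constructed sample: four entries copied from the poster's conntrack dump,
# rejoined onto single lines as /proc/net/ip_conntrack prints them.
CONNTRACK_SAMPLE = """\
tcp 6 44 SYN_SENT src=192.168.10.2 dst=64.211.36.4 sport=27628 dport=25 [UNREPLIED] src=64.211.36.4 dst=192.168.10.2 sport=25 dport=27628 use=1
udp 17 28 src=192.168.10.2 dst=192.33.4.12 sport=3023 dport=53 [UNREPLIED] src=192.33.4.12 dst=192.168.10.2 sport=53 dport=3023 use=1
tcp 6 431988 ESTABLISHED src=192.168.10.31 dst=192.168.10.1 sport=3953 dport=22 src=192.168.10.1 dst=192.168.10.31 sport=22 dport=3953 [ASSURED] use=1
udp 17 28 src=192.168.10.98 dst=192.168.10.255 sport=137 dport=137 [UNREPLIED] src=192.168.10.255 dst=192.168.10.98 sport=137 dport=137 use=1
"""

# Constructed sample: the poster's nat POSTROUTING chain as printed by
# `iptables -t nat -L POSTROUTING -nv`, which lists no rules at all.
NAT_POSTROUTING_SAMPLE = """\
Chain POSTROUTING (policy ACCEPT 207 packets, 14245 bytes)
pkts bytes target prot opt in out source destination
"""

# Assumption: the 'lan' zone is 192.168.10.0/24 (its broadcast address in
# /etc/shorewall/interfaces is 192.168.10.255).
LAN = ipaddress.ip_network("192.168.10.0/24")

_KV = re.compile(r"(\w+)=(\S+)")
_SNAT_RULE = re.compile(r"^\s*\d+\s+\S+\s+(SNAT|MASQUERADE)\b")


def parse_conntrack(text):
    """Parse ip_conntrack lines into dicts keyed on the original direction."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        orig = {}
        # The first src/dst/sport/dport quadruple is the original direction;
        # the second is the expected reply tuple and is not needed here.
        for key, val in _KV.findall(line):
            if key in ("src", "dst", "sport", "dport") and key not in orig:
                orig[key] = val
        entries.append({
            "proto": fields[0],
            "tcp_state": fields[3] if fields[0] == "tcp" else None,
            "src": ipaddress.ip_address(orig["src"]),
            "dst": ipaddress.ip_address(orig["dst"]),
            "sport": int(orig["sport"]),
            "dport": int(orig["dport"]),
            "replied": "[UNREPLIED]" not in line,
        })
    return entries


def has_source_nat(nat_listing):
    """True if the nat POSTROUTING chain contains any SNAT or MASQUERADE rule."""
    in_postrouting = False
    for line in nat_listing.splitlines():
        if line.startswith("Chain "):
            in_postrouting = line.startswith("Chain POSTROUTING")
            continue
        if in_postrouting and _SNAT_RULE.match(line):
            return True
    return False


def unreplied_leaks(entries, lan=LAN):
    """Unreplied flows from a LAN host to an off-LAN unicast destination.

    Broadcast and multicast destinations never get replies, so they are not
    evidence of anything; every remaining entry went out with a private
    source address and never saw a packet come back."""
    bcast = ipaddress.ip_address("255.255.255.255")
    return [
        e for e in entries
        if not e["replied"]
        and e["src"] in lan
        and e["dst"] not in lan
        and not e["dst"].is_multicast
        and e["dst"] != bcast
    ]


def diagnose(conntrack_text, nat_listing, lan=LAN):
    """Combine the two checks into a verdict a practitioner can act on."""
    leaks = unreplied_leaks(parse_conntrack(conntrack_text), lan)
    snat = has_source_nat(nat_listing)
    if leaks and not snat:
        verdict = "private source leaving without SNAT/MASQUERADE"
    elif leaks:
        verdict = "unreplied off-LAN flows despite SNAT; check upstream routing"
    else:
        verdict = "no unreplied off-LAN flows"
    return {"leaks": leaks, "source_nat": snat, "verdict": verdict}


if __name__ == "__main__":
    result = diagnose(CONNTRACK_SAMPLE, NAT_POSTROUTING_SAMPLE)
    print(result["verdict"])
    for e in result["leaks"]:
        print(f"  {e['proto']} {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}")
```

Run as-is it reports the two leaking flows from the sample and the missing source NAT. To repeat the check on a live 2.4 box, feed `diagnose()` the contents of /proc/net/ip_conntrack and the output of `iptables -t nat -L POSTROUTING -nv`; once a masquerade rule is present the verdict changes, and any flows still unreplied point at routing beyond the firewall rather than at NAT.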