Hello,
I'm having trouble configuring shorewall. I'm running the latest shorewall
(1.4) that comes with Bering 1.2.
I've attached a file with the shorewall status output.
I set up the rules file such that connections from net to fw are allowed
for HTTP and also for rdate (tcp 37). I have these rules:
ACCEPT net fw tcp 80
ACCEPT net fw tcp 37
However, I'm getting connection refused errors when I try to access http
from within the firewall, and also when I try to run rdate...
And I get all2all REJECT messages in shorewall.log: (also note that the
date on the log is all screwed up, since I haven't been able to sync the
date yet)
Jun 14 04:20:56 firewall Shorewall:all2all:REJECT: IN= OUT=eth0
MAC=ff:ff:ff:ff:ff:ff:00:07:e9:c0:7c:5c:08:00 SRC=38.118.152.244
DST=128.46.136.95 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
SPT=3104 DPT=37 SEQ=459025160 ACK=0 WINDOW=5840 SYN URGP=0
Jun 14 04:54:03 firewall Shorewall:all2all:REJECT: IN= OUT=eth0
MAC=ff:ff:ff:ff:ff:ff:00:07:e9:c0:7c:5c:08:00 SRC=38.118.152.244
DST=216.52.220.101 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=264 DF PROTO=TCP
SPT=1185 DPT=80 SEQ=816070065 ACK=0 WINDOW=5840 SYN URGP=0
Thanks for any help!
Ricardo
-------------- next part --------------
Shorewall-1.4.2 Status at firewall - Sat Jun 14 04:57:38 UTC 1980
Counters reset Sat Jun 14 04:18:03 UTC 1980
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
33 2534 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1620 135K eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
59 8657 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:INPUT:REJECT:'
queue_threshold 1
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
26 2144 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
13 1045 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:FORWARD:REJECT:'
queue_threshold 1
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
33 2534 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
1485 151K fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
92 8404 fw2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:OUTPUT:REJECT:'
queue_threshold 1
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain all2all (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
9 604 common all -- * * 0.0.0.0/0 0.0.0.0/0
9 604 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:all2all:REJECT:'
queue_threshold 1
9 604 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain blacklst (2 references)
pkts bytes target prot opt in out source destination
Chain common (5 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
28 2961 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:139
6 288 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
1 29 DROP all -- * * 0.0.0.0/0
255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 state NEW
0 0 DROP all -- * * 0.0.0.0/0
38.118.152.255
0 0 DROP all -- * * 0.0.0.0/0
192.168.1.255
Chain dynamic (4 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
26 2144 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
13 744 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
26 2144 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0
26 2144 net2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
1620 135K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
48 6338 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
1620 135K blacklst all -- * * 0.0.0.0/0 0.0.0.0/0
1620 135K net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
13 1045 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
13 1045 loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
59 8657 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
59 8657 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
91 8344 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:123
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:123
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
1470 150K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:53
6 360 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
9 604 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
58 8590 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:22
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
1 67 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:53
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
8 697 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
5 348 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (30 references)
pkts bytes target prot opt in out source destination
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:rfc1918:DROP:'
queue_threshold 1
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
35 3278 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:net2all:DROP:'
queue_threshold 1
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
1572 129K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
21 3540 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:123
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:37
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:2201
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:2202
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:2203
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:80
25 2678 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
13 1400 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:123
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:123
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.245 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0
192.168.1.245 state NEW udp dpt:53
3 144 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.246 state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.246 state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.247 state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.246 state NEW tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.247 state NEW tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.246 state NEW tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.247 state NEW tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.246 state NEW tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.247 state NEW tcp dpt:143
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.246 state NEW tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.247 state NEW tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.245 state NEW tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.245 state NEW tcp spt:2201 dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.246 state NEW tcp spt:2202 dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.1.247 state NEW tcp spt:2203 dpt:22
10 600 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain newnotsyn (8 references)
pkts bytes target prot opt in out source destination
21 3540 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (10 references)
pkts bytes target prot opt in out source destination
11 588 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
32 3265 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
Chain rfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 logdrop all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 logdrop all -- * * 192.0.2.0/24 0.0.0.0/0
0 0 logdrop all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 2.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 5.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 7.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 23.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 27.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 31.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 36.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 39.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 41.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 42.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 49.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 50.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 58.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 60.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 70.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 72.0.0.0/5 0.0.0.0/0
0 0 logdrop all -- * * 83.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 84.0.0.0/6 0.0.0.0/0
0 0 logdrop all -- * * 88.0.0.0/5 0.0.0.0/0
0 0 logdrop all -- * * 96.0.0.0/3 0.0.0.0/0
0 0 logdrop all -- * * 127.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 197.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 198.18.0.0/15 0.0.0.0/0
0 0 logdrop all -- * * 201.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 240.0.0.0/4 0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Jun 14 04:00:02 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244
DST=128.46.136.95 LEN=76 TOS=00 PREC=0x00 TTL=64 ID=34405 DF PROTO=UDP SPT=1024
DPT=123 LEN=56
Jun 14 04:00:03 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244
DST=128.46.136.95 LEN=76 TOS=00 PREC=0x00 TTL=64 ID=61895 DF PROTO=UDP SPT=1024
DPT=123 LEN=56
Jun 14 04:00:04 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244
DST=128.46.136.95 LEN=76 TOS=00 PREC=0x00 TTL=64 ID=56249 DF PROTO=UDP SPT=1024
DPT=123 LEN=56
Jun 14 04:00:14 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244
DST=128.46.136.95 LEN=76 TOS=00 PREC=0x00 TTL=64 ID=42737 DF PROTO=UDP SPT=1024
DPT=123 LEN=56
Jun 14 04:01:58 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244
DST=198.144.201.9 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=264 DF PROTO=TCP SPT=2448
DPT=80 SEQ=20662934 ACK=0 WINDOW=5840 SYN URGP=0
Jun 14 04:01:58 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244
DST=198.144.201.9 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=264 DF PROTO=TCP SPT=3177
DPT=80 SEQ=824191162 ACK=0 WINDOW=5840 SYN URGP=0
Jun 14 04:02:08 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244
DST=198.144.201.9 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=264 DF PROTO=TCP SPT=2658
DPT=80 SEQ=1324161104 ACK=0 WINDOW=5840 SYN URGP=0
Jun 14 04:05:56 rfc1918:DROP: IN=eth0 OUT= SRC=10.10.10.1 DST=255.255.255.255
LEN=328 TOS=00 PREC=0x00 TTL=128 ID=47489 PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 14 04:06:04 rfc1918:DROP: IN=eth0 OUT= SRC=10.10.10.1 DST=255.255.255.255
LEN=328 TOS=00 PREC=0x00 TTL=128 ID=48517 PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 14 04:06:12 rfc1918:DROP: IN=eth0 OUT= SRC=10.10.10.1 DST=255.255.255.255
LEN=328 TOS=00 PREC=0x00 TTL=128 ID=49010 PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 14 04:06:22 rfc1918:DROP: IN=eth0 OUT= SRC=10.10.10.1 DST=255.255.255.255
LEN=328 TOS=00 PREC=0x00 TTL=128 ID=49423 PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 14 04:19:27 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244
DST=192.43.244.18 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3123
DPT=37 SEQ=881097157 ACK=0 WINDOW=5840 SYN URGP=0
Jun 14 04:20:16 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244
DST=192.43.244.18 LEN=76 TOS=00 PREC=0x00 TTL=64 ID=49055 DF PROTO=UDP SPT=123
DPT=123 LEN=56
Jun 14 04:20:17 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244
DST=192.43.244.18 LEN=76 TOS=00 PREC=0x00 TTL=64 ID=55624 DF PROTO=UDP SPT=123
DPT=123 LEN=56
Jun 14 04:20:18 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244
DST=192.43.244.18 LEN=76 TOS=00 PREC=0x00 TTL=64 ID=60359 DF PROTO=UDP SPT=123
DPT=123 LEN=56
Jun 14 04:20:28 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244
DST=192.43.244.18 LEN=76 TOS=00 PREC=0x00 TTL=64 ID=39136 DF PROTO=UDP SPT=123
DPT=123 LEN=56
Jun 14 04:20:56 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244
DST=128.46.136.95 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3104
DPT=37 SEQ=459025160 ACK=0 WINDOW=5840 SYN URGP=0
Jun 14 04:54:03 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244
DST=216.52.220.101 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=264 DF PROTO=TCP SPT=1185
DPT=80 SEQ=816070065 ACK=0 WINDOW=5840 SYN URGP=0
Jun 14 04:54:03 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244
DST=216.52.220.101 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=264 DF PROTO=TCP SPT=3004
DPT=80 SEQ=370278556 ACK=0 WINDOW=5840 SYN URGP=0
Jun 14 04:54:13 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244
DST=216.52.220.101 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=264 DF PROTO=TCP SPT=1387
DPT=80 SEQ=418655167 ACK=0 WINDOW=5840 SYN URGP=0
NAT Table
Chain PREROUTING (policy ACCEPT 103K packets, 11M bytes)
pkts bytes target prot opt in out source destination
1915 199K eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
1904 198K net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 615 packets, 38671 bytes)
pkts bytes target prot opt in out source destination
17 948 eth0_out all -- * eth0 0.0.0.0/0 0.0.0.0/0
6 360 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 698 packets, 48443 bytes)
pkts bytes target prot opt in out source destination
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
1 78 DNAT all -- * * 0.0.0.0/0
38.118.152.245 to:192.168.1.245
7 366 DNAT all -- * * 0.0.0.0/0
38.118.152.246 to:192.168.1.246
1 78 DNAT all -- * * 0.0.0.0/0
38.118.152.247 to:192.168.1.247
2 126 DNAT all -- * * 0.0.0.0/0
38.118.152.248 to:192.168.1.248
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 192.168.1.0/24 0.0.0.0/0
Chain eth0_out (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 192.168.1.245 0.0.0.0/0
to:38.118.152.245
11 588 SNAT all -- * * 192.168.1.246 0.0.0.0/0
to:38.118.152.246
0 0 SNAT all -- * * 192.168.1.247 0.0.0.0/0
to:38.118.152.247
0 0 SNAT all -- * * 192.168.1.248 0.0.0.0/0
to:38.118.152.248
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0
38.118.152.244 tcp dpt:53 to:192.168.1.245
0 0 DNAT udp -- * * 0.0.0.0/0
38.118.152.244 udp dpt:53 to:192.168.1.245
0 0 DNAT tcp -- * * 0.0.0.0/0
38.118.152.244 tcp dpt:80 to:192.168.1.246
0 0 DNAT tcp -- * * 0.0.0.0/0
38.118.152.245 tcp dpt:80 to:192.168.1.246
0 0 DNAT tcp -- * * 0.0.0.0/0
38.118.152.246 tcp dpt:80 to:192.168.1.247
0 0 DNAT tcp -- * * 0.0.0.0/0
38.118.152.245 tcp dpt:443 to:192.168.1.246
0 0 DNAT tcp -- * * 0.0.0.0/0
38.118.152.246 tcp dpt:443 to:192.168.1.247
0 0 DNAT tcp -- * * 0.0.0.0/0
38.118.152.245 tcp dpt:25 to:192.168.1.246
0 0 DNAT tcp -- * * 0.0.0.0/0
38.118.152.246 tcp dpt:25 to:192.168.1.247
0 0 DNAT tcp -- * * 0.0.0.0/0
38.118.152.245 tcp dpt:143 to:192.168.1.246
0 0 DNAT tcp -- * * 0.0.0.0/0
38.118.152.246 tcp dpt:143 to:192.168.1.247
0 0 DNAT tcp -- * * 0.0.0.0/0
38.118.152.245 tcp dpt:110 to:192.168.1.246
0 0 DNAT tcp -- * * 0.0.0.0/0
38.118.152.246 tcp dpt:110 to:192.168.1.247
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 to:192.168.1.245
0 0 DNAT tcp -- * * 0.0.0.0/0
38.118.152.244 tcp spt:2201 dpt:22 to:192.168.1.245
0 0 DNAT tcp -- * * 0.0.0.0/0
38.118.152.244 tcp spt:2202 dpt:22 to:192.168.1.246
0 0 DNAT tcp -- * * 0.0.0.0/0
38.118.152.244 tcp spt:2203 dpt:22 to:192.168.1.247
Mangle Table
Chain PREROUTING (policy ACCEPT 198K packets, 82M bytes)
pkts bytes target prot opt in out source destination
1920 199K man1918 all -- eth0 * 0.0.0.0/0 0.0.0.0/0
state NEW
3609 342K pretos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 23947 packets, 3405K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 74513 packets, 67M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 23621 packets, 2325K bytes)
pkts bytes target prot opt in out source destination
1612 162K outtos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 97230 packets, 70M bytes)
pkts bytes target prot opt in out source destination
Chain logdrop (30 references)
pkts bytes target prot opt in out source destination
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0
ULOG copy_range 0 nlgroup 1 prefix `Shorewall:man1918:DROP:'
queue_threshold 1
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain man1918 (1 references)
pkts bytes target prot opt in out source destination
1 29 RETURN all -- * * 0.0.0.0/0
255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0
169.254.0.0/16
0 0 logdrop all -- * * 0.0.0.0/0
172.16.0.0/12
0 0 logdrop all -- * * 0.0.0.0/0 192.0.2.0/24
0 0 logdrop all -- * * 0.0.0.0/0
192.168.0.0/16
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 2.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 5.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 7.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 23.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 27.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 31.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 36.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 39.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 41.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 42.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 49.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 50.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 58.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 60.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 70.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 72.0.0.0/5
0 0 logdrop all -- * * 0.0.0.0/0 83.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 84.0.0.0/6
0 0 logdrop all -- * * 0.0.0.0/0 88.0.0.0/5
0 0 logdrop all -- * * 0.0.0.0/0 96.0.0.0/3
0 0 logdrop all -- * * 0.0.0.0/0 127.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 197.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0
198.18.0.0/15
0 0 logdrop all -- * * 0.0.0.0/0 201.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 240.0.0.0/4
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
90 8238 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 TOS set 0x10
1458 149K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
1591 131K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 TOS set 0x10
57 8523 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:20 TOS set 0x08
tcp 6 431998 ESTABLISHED src=216.52.220.121 dst=38.118.152.244 sport=64690
dport=22 src=38.118.152.244 dst=216.52.220.121 sport=22 dport=64690 [ASSURED]
use=1
tcp 6 431575 ESTABLISHED src=192.168.1.254 dst=192.168.1.246 sport=3224
dport=22 src=192.168.1.246 dst=192.168.1.254 sport=22 dport=3224 [ASSURED] use=1
tcp 6 431575 ESTABLISHED src=216.52.220.121 dst=38.118.152.244 sport=64399
dport=22 src=38.118.152.244 dst=216.52.220.121 sport=22 dport=64399 [ASSURED]
use=1
tcp 6 429841 ESTABLISHED src=192.168.1.254 dst=192.168.1.246 sport=1346
dport=22 src=192.168.1.246 dst=192.168.1.254 sport=22 dport=1346 [ASSURED] use=1
tcp 6 429841 ESTABLISHED src=216.52.220.121 dst=38.118.152.244 sport=61424
dport=22 src=38.118.152.244 dst=216.52.220.121 sport=22 dport=61424 [ASSURED]
use=1
tcp 6 430233 ESTABLISHED src=216.52.220.121 dst=38.118.152.244 sport=61236
dport=22 src=38.118.152.244 dst=216.52.220.121 sport=22 dport=61236 [ASSURED]
use=1
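
Added example (not part of the original post and not Shorewall code): a Python reader for the log entries quoted above that derives the zone pair of each logged packet from its IN=/OUT= fields, where an empty IN= marks a packet generated on the firewall itself. The interface-to-zone map is read off the status output (eth0_in feeds net2fw, eth1_in feeds loc2fw); the function names are hypothetical, and the sample lines are entries from the post re-joined onto single lines.

```python
import re
from collections import Counter

# Zone of each interface, read off the status output in the post:
# eth0_in jumps to net2fw and eth1_in to loc2fw. An empty IN= or OUT=
# means the firewall itself (zone "fw") is that end of the connection.
IFACE_ZONE = {"eth0": "net", "eth1": "loc"}

PREFIX_RE = re.compile(r"(?:Shorewall:)?(?P<chain>\w+):(?P<verdict>[A-Z]+):\s+IN=")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample: four entries from the post, each re-joined onto one line.
SAMPLE_LOG = """\
Jun 14 04:20:56 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC=ff:ff:ff:ff:ff:ff:00:07:e9:c0:7c:5c:08:00 SRC=38.118.152.244 DST=128.46.136.95 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3104 DPT=37 SEQ=459025160 ACK=0 WINDOW=5840 SYN URGP=0
Jun 14 04:54:03 firewall Shorewall:all2all:REJECT: IN= OUT=eth0 MAC=ff:ff:ff:ff:ff:ff:00:07:e9:c0:7c:5c:08:00 SRC=38.118.152.244 DST=216.52.220.101 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=264 DF PROTO=TCP SPT=1185 DPT=80 SEQ=816070065 ACK=0 WINDOW=5840 SYN URGP=0
Jun 14 04:00:02 all2all:REJECT: IN= OUT=eth0 SRC=38.118.152.244 DST=128.46.136.95 LEN=76 TOS=00 PREC=0x00 TTL=64 ID=34405 DF PROTO=UDP SPT=1024 DPT=123 LEN=56
Jun 14 04:05:56 rfc1918:DROP: IN=eth0 OUT= SRC=10.10.10.1 DST=255.255.255.255 LEN=328 TOS=00 PREC=0x00 TTL=128 ID=47489 PROTO=UDP SPT=67 DPT=68 LEN=308
"""


def _zone(iface):
    """Map an interface name from IN=/OUT= to its zone; empty means the firewall."""
    if not iface:
        return "fw"
    return IFACE_ZONE.get(iface, "unknown")


def classify(line):
    """Return chain, verdict, zone pair, protocol and port for one entry, or None."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    f = dict(FIELD_RE.findall(line))
    dpt = f.get("DPT", "")
    return {
        "chain": m["chain"],
        "verdict": m["verdict"],
        "src_zone": _zone(f.get("IN", "")),
        "dst_zone": _zone(f.get("OUT", "")),
        "proto": f.get("PROTO", "").lower(),
        "dport": int(dpt) if dpt.isdigit() else None,
    }


def rule_for(entry):
    """Rule line, in the post's rules-file layout, whose zone pair matches the entry."""
    return "ACCEPT {src_zone} {dst_zone} {proto} {dport}".format(**entry)


def unmatched_rules(log_text):
    """Count, per candidate rule, the packets that fell through to all2all."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = classify(line)
        if entry and entry["chain"] == "all2all" and entry["dport"] is not None:
            hits[rule_for(entry)] += 1
    return hits


if __name__ == "__main__":
    for rule, count in unmatched_rules(SAMPLE_LOG).items():
        print(f"{count:3d} x  {rule}")
```

The zone pair it reports for the rejected packets can be compared against the source and destination columns of the rules file before any rule is added.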