Chris Meadows
2003-Aug-26 06:08 UTC
[Shorewall-users] ADSL router, two nics, web server not visible from internet
I have an ADSL router, a linux box with two NICS connected to the router and another PC connected to the router. I installed shorewall using the two interface method. I can ping and see the webserver on the linux box from the local network, but not from the internet. Sys info as follows:

[root@wilma root]# shorewall version
1.4.6b
[root@wilma root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:46:2d:1f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:f4:60:a1:78 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.4/24 brd 192.168.0.255 scope global eth1
[root@wilma root]# ip route show
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.4
127.0.0.0/8 dev lo scope link
default via 192.168.0.1 dev eth0

Attached is the shorewall status output after a 'shorewall reset', then a ping from the internet.

My nat file hasn't changed.
My policy file hasn't changed other than allowing fw -> net.
My rules file is also attached.

I read the following snippet on the shorewall website:

----
Many times when people have problems with Shorewall, the problem is actually an ill-conceived network setup. Here are several popular snafus:

* Port Forwarding where client and server are in the same subnet. See FAQ 2.
* Changing the IP address of a local system to be in the external subnet, thinking that Shorewall will suddenly believe that the system is in the 'net' zone.
* Multiple interfaces connected to the same HUB or Switch. Given the way that the Linux kernel responds to ARP "who-has" requests, this type of setup does NOT work the way that you expect it to.
----

So I guess I'm breaking the third point, but the website doesn't say that this setup can't be made to work, it just says that it doesn't work the way you expect it to.

Any help much appreciated

Regards,
Chris
Tom Eastep
2003-Aug-26 07:15 UTC
[Shorewall-users] ADSL router, two nics, web server not visible from internet
On Tue, 2003-08-26 at 06:07, Chris Meadows wrote:
> I have an ADSL router, a linux box with two NICS connected to the
> router and another PC connected to the router.
>
> ----
> Many times when people have problems with Shorewall, the problem is
> actually an ill-conceived network setup. Here are several popular
> snafus:
>
> * Port Forwarding where client and server are in the same subnet.
> See FAQ 2.
> * Changing the IP address of a local system to be in the external
> subnet, thinking that Shorewall will suddenly believe that the system
> is in the 'net' zone.
> * Multiple interfaces connected to the same HUB or Switch. Given
> the way that the Linux kernel responds to ARP "who-has" requests, this
> type of setup does NOT work the way that you expect it to.
>
> ----
>
> So I guess I'm breaking the third point, but the website doesn't say
> that this setup can't be made to work, it just says that it doesn't
> work the way you expect it to.

Well, it is working -- just not the way that you expect. You expect it to act as a firewall -- it can't really do that because it isn't positioned between the internet and your local systems. You expect the interfaces to only respond to ARP requests for addresses on that interface. It isn't doing that either.

There is nothing that can be done about the first problem. The second can be worked around by placing the following commands in /etc/shorewall/start:

    echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_filter
    echo 1 > /proc/sys/net/ipv4/conf/eth1/arp_filter

or if you are running Shorewall 1.4.7 Beta 1 (or one of the recent snapshots), you can just set the arp_filter option for both interfaces in /etc/shorewall/interfaces.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
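As an added example (written for this page, not code from either poster or from Shorewall), a POSIX shell check that parses `ip -o -4 addr show` output, flags interfaces that sit on the same IPv4 subnet (the third snafu above, and exactly the eth0/eth1 layout in Chris's `ip addr show`), and emits the arp_filter lines Tom suggests for /etc/shorewall/start. The sample interface listings are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample mirroring the poster's layout: eth0 and eth1 both on
# 192.168.0.0/24, which is the "multiple interfaces on the same hub" case.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0
3: eth1    inet 192.168.0.4/24 brd 192.168.0.255 scope global eth1'

# Constructed sane layout for comparison: one subnet per interface.
SANE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0
3: eth1    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1'

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# network_of A.B.C.D/N -> integer network address (host bits masked off)
network_of() {
    addr=${1%/*}; bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    echo $(( $(ip_to_int "$addr") & mask ))
}

# shared_subnet_ifaces "<ip -o -4 addr show output>" -> space-separated
# list of non-loopback interfaces whose network is also configured on
# another interface; empty when every interface has its own subnet.
shared_subnet_ifaces() {
    pairs=$(printf '%s\n' "$1" | awk '$3 == "inet" && $2 != "lo" { print $2, $4 }')
    printf '%s\n' "$pairs" | while read -r dev cidr; do
        net=$(network_of "$cidr")
        printf '%s\n' "$pairs" | while read -r odev ocidr; do
            if [ "$odev" != "$dev" ] && [ "$(network_of "$ocidr")" = "$net" ]; then
                echo "$dev"
                break
            fi
        done
    done | tr '\n' ' ' | sed 's/ $//'
}

# arp_filter_lines iface... -> the per-interface sysctl lines for
# /etc/shorewall/start, so each NIC only answers ARP for its own address
arp_filter_lines() {
    for dev in "$@"; do
        echo "echo 1 > /proc/sys/net/ipv4/conf/$dev/arp_filter"
    done
}

# Stand-alone run against the constructed sample
offenders=$(shared_subnet_ifaces "$SAMPLE_IP_ADDR")
if [ -n "$offenders" ]; then
    echo "Interfaces sharing a subnet: $offenders"
    echo "Suggested /etc/shorewall/start lines:"
    arp_filter_lines $offenders
fi
```

On a live box, feed it `"$(ip -o -4 addr show)"` instead of the sample; arp_filter stops the cross-interface ARP replies but, as Tom notes, does not make the box a firewall in front of hosts it is not in the path of.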