ether bunny
2003-Oct-09 14:58 UTC
[Shorewall-users] shorewall problem following power outage
(Had a very fine PNW storm just blow through).. our power flickered, after which my firewall machine is acting very strangely. This machine has been running for 4-5 mos now without issue. Now it seems like I'm getting "REJECT" messages on most every packet that should be passing through - DNS, HTTP, etc. Here is a sample of the /var/log/syslog:

Oct 9 06:02:29 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.101 LEN=83 TOS=0x00 PREC=0xC0 TTL=64 ID=39392 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.101 DST=209.25.157.130 LEN=55 TOS=0x00 PREC=0x00 TTL=128 ID=45514 DF PROTO=TCP SPT=3717 DPT=119 WINDOW=64240 RES=0x00 ACK PSH URGP=0 ]
Oct 9 06:02:31 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.101 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=39393 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.101 DST=216.239.33.104 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=45515 DF PROTO=TCP SPT=3799 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 ]
Oct 9 06:02:34 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.101 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=39394 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.101 DST=216.239.33.104 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=45516 DF PROTO=TCP SPT=3799 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 ]
Oct 9 06:02:40 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.101 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=39395 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.101 DST=216.239.33.104 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=45517 DF PROTO=TCP SPT=3799 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 ]
Oct 9 06:02:43 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.101 LEN=68 TOS=0x00 PREC=0xC0 TTL=64 ID=39396 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.101 DST=209.25.157.130 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=45519 DF PROTO=TCP SPT=3717 DPT=119 WINDOW=64240 RES=0x00 ACK FIN URGP=0 ]
Oct 9 06:02:46 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.101 LEN=68 TOS=0x00 PREC=0xC0 TTL=64 ID=39397 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.101 DST=64.236.34.141 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=45520 DF PROTO=TCP SPT=3787 DPT=80 WINDOW=64304 RES=0x00 ACK FIN URGP=0 ]
Oct 9 06:02:58 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.200 LEN=81 TOS=0x00 PREC=0xC0 TTL=64 ID=48499 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.200 DST=192.31.80.30 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33080 DPT=53 LEN=33 ]
Oct 9 06:03:00 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.200 LEN=81 TOS=0x00 PREC=0xC0 TTL=64 ID=48500 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.200 DST=192.41.162.30 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33080 DPT=53 LEN=33 ]
Oct 9 06:03:02 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.200 LEN=81 TOS=0x00 PREC=0xC0 TTL=64 ID=48501 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.200 DST=192.26.92.30 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33080 DPT=53 LEN=33 ]
Oct 9 06:03:04 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.200 LEN=81 TOS=0x00 PREC=0xC0 TTL=64 ID=48502 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.200 DST=192.42.93.30 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33080 DPT=53 LEN=33 ]
Oct 9 06:03:06 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.200 LEN=81 TOS=0x00 PREC=0xC0 TTL=64 ID=48503 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.200 DST=192.43.172.30 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33080 DPT=53 LEN=33 ]
Oct 9 06:03:08 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.200 LEN=81 TOS=0x00 PREC=0xC0 TTL=64 ID=48504 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.200 DST=192.5.6.30 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33080 DPT=53 LEN=33 ]
Oct 9 06:03:10 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.200 LEN=81 TOS=0x00 PREC=0xC0 TTL=64 ID=48505 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.200 DST=192.48.79.30 LEN=53 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33080 DPT=53 LEN=33 ]

(1.231 is the def gateway. 1.101 is an XP machine and 1.200 is my caching DNS.)

Here is my rules file:

ACCEPT net fw icmp 8
ACCEPT loc fw icmp 8
ACCEPT dmz fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw dmz icmp 8
ACCEPT net dmz icmp 8 # Only with Proxy ARP and
ACCEPT net loc icmp 8 # static NAT
############################
# my mods start here
############################
# SMTP
DNAT net dmz:192.168.100.2 tcp 25 -
#ACCEPT loc net tcp 25 -
ACCEPT dmz net tcp 25
ACCEPT dmz net icmp 25
ACCEPT loc dmz tcp 25
ACCEPT loc dmz tcp 110
ACCEPT loc dmz icmp 25
# HTTP - external server (corp web server)
DNAT net dmz:192.168.100.2 tcp 80 -
# NTP
ACCEPT loc net udp 123
ACCEPT net loc udp 123
ACCEPT fw loc udp 123
ACCEPT dmz loc udp 123
# web viewing
ACCEPT loc net tcp 80
ACCEPT loc net tcp 443
ACCEPT dmz net tcp 80
# http to the firewall
ACCEPT loc fw tcp 80
# scheduling server
DNAT net loc:192.168.1.202:8080 tcp 635 -
# webmin
ACCEPT loc fw tcp 10000
ACCEPT loc dmz tcp 10000
# DNS (cont'd)
ACCEPT loc net tcp 53
ACCEPT loc net udp 53
# DNS - caching DNS is inside
ACCEPT fw loc udp 53
ACCEPT fw loc tcp 53
# DNS - getting to caching DNS from DMZ
ACCEPT dmz loc udp 53
ACCEPT dmz loc tcp 53
# DNS - from the outside
DNAT net dmz:192.168.100.2 tcp 53
DNAT net dmz:192.168.100.2 udp 53
# NIS
ACCEPT fw loc udp 975
ACCEPT fw loc tcp 978
ACCEPT dmz loc udp 975
ACCEPT dmz loc tcp 978
# ?? what is this port for ?? shows up in syslog
ACCEPT fw loc udp 111
ACCEPT fw loc tcp 111
ACCEPT fw loc udp 32773
ACCEPT fw loc udp 2049
ACCEPT fw loc udp 977
ACCEPT fw loc tcp 980
ACCEPT loc fw udp 111
ACCEPT dmz loc udp 111
ACCEPT dmz loc udp 977
ACCEPT dmz loc tcp 111
ACCEPT dmz loc tcp 980
ACCEPT dmz loc udp 32772
ACCEPT dmz loc udp 2049
ACCEPT dmz loc udp 32769
ACCEPT loc dmz udp 111
ACCEPT loc dmz udp 977
ACCEPT loc dmz tcp 111
ACCEPT loc dmz tcp 980
ACCEPT loc dmz udp 32772
ACCEPT loc dmz udp 2049
ACCEPT loc dmz udp 32769
# AC incoming
ACCEPT net loc udp 9000
# SSH - is it a good idea?
ACCEPT net fw tcp 22
ACCEPT fw loc tcp 22
ACCEPT fw dmz tcp 22
ACCEPT loc dmz tcp 22
# rules (including entry in 'nat') for making DMZ server accessible
ACCEPT net dmz:192.168.100.10 tcp 80,443,8080
DNAT loc dmz:192.168.100.10 tcp 80,443,8080 - 155.229.27.54
# proftpd
DNAT net dmz:192.168.100.10 tcp ftp
DNAT loc:192.168.1.0/24 dmz:192.168.100.10 tcp ftp - 155.229.27.54
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The server isn't letting any packets in or out - nothing is getting to the DMZ or the local zone. (I'm sending this via hotmail as I can't get to my email server (in the DMZ) - I'm using an old linksys router to bypass the angry firewall.) Suggestions? More data I need to send?
Tom Eastep
2003-Oct-09 15:02 UTC
[Shorewall-users] shorewall problem following power outage
On Thu, 2003-10-09 at 14:57, ether bunny wrote:

Log messages and rules are meaningless without the policy and interfaces files. The output of "shorewall status" as a text attachment is also useful.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
ether bunny
2003-Oct-09 15:15 UTC
[Shorewall-users] shorewall problem following power outage
1K pardons

(policy)
net all DROP info
all all REJECT info

(interface)
net eth0 155.229.27.255
loc eth1 192.168.1.231
dmz eth2 192.168.100.1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

shorewall status > status.out (attached)

> From: Tom Eastep <teastep@shorewall.net>
> Date: 09 Oct 2003 15:02:19 -0700
>
> Log messages and rules are meaningless without the policy and interfaces
> files.
>
> The output of "shorewall status" as a text attachment is also useful.
>
> -Tom
Shorewall-1.4.2 Status at graendal - Thu Oct 9 09:07:06 PDT 2003
Counters reset Thu Oct 9 07:38:44 PDT 2003
Tom Eastep
2003-Oct-09 15:25 UTC
[Shorewall-users] shorewall problem following power outage
On Thu, 2003-10-09 at 15:14, ether bunny wrote:
> 1K pardons
>
> (policy)
> net all DROP info
> all all REJECT info
>
> (interface)
> net eth0 155.229.27.255
> loc eth1 192.168.1.231
> dmz eth2 192.168.100.1
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> shorewall status > status.out (attached)

It looks like your default gateway is returning "net unreachable" to any connection attempt through it.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
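Reading the REJECT lines from the original post, as an added example that is not from the thread or from Shorewall itself: a small Python decoder for these netfilter LOG entries that pulls the original datagram out of the bracketed part of each ICMP error, maps type 3 / code 0 to "net unreachable", and reports which LAN connections actually failed and whether the firewall host generated the error itself (IN= is empty). The sample lines, the LOCAL_NETS list (taken from the loc and dmz addresses given in the thread) and the made-up third inbound line are constructed for this example.

```python
"""Decode Shorewall/netfilter LOG lines that wrap an ICMP error (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the first two lines copy the format (and values) of the
# thread's syslog excerpt, the third is a made-up inbound drop for contrast.
SAMPLE_LOG = """\
Oct  9 06:02:31 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.101 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=39393 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.101 DST=216.239.33.104 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=45515 DF PROTO=TCP SPT=3799 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 ]
Oct  9 08:32:54 graendal kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.1.231 DST=192.168.1.200 LEN=84 TOS=0x00 PREC=0xC0 TTL=64 ID=37083 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.200 DST=192.36.148.17 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32770 DPT=53 LEN=36 ]
Oct  9 08:40:00 graendal kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=155.229.27.54 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1234 DF PROTO=TCP SPT=4444 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# ICMP type 3 (destination unreachable) codes, RFC 792 / RFC 1122.
ICMP_UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                      2: "protocol unreachable", 3: "port unreachable",
                      4: "fragmentation needed", 13: "administratively prohibited"}

# Local networks as configured on the thread's firewall (loc and dmz zones);
# an assumption for this example, taken from the addresses quoted in the thread.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
              ipaddress.ip_network("192.168.100.0/24")]

LINE_RE = re.compile(r"Shorewall:(?P<chain>[\w-]+):(?P<disp>\w+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class LogEntry:
    chain: str
    disposition: str
    outer: dict               # fields of the logged packet itself
    inner: Optional[dict]     # original datagram quoted inside an ICMP error


def parse_line(line: str) -> Optional[LogEntry]:
    """Split one syslog line into the logged packet and, if present, the packet
    quoted in brackets (netfilter prints that only for ICMP errors)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    inner = None
    bm = re.search(r"\[(.*?)\]", rest)
    if bm:
        inner = dict(KV_RE.findall(bm.group(1)))
        rest = rest[:bm.start()]
    return LogEntry(m.group("chain"), m.group("disp"), dict(KV_RE.findall(rest)), inner)


def is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def failed_connections(log: str) -> list:
    """For every ICMP unreachable error in the log, return the connection it
    reports on: (lan_host, proto, dst, dport, reason, generated_locally).
    generated_locally is True when IN= is empty, i.e. the firewall host's own
    kernel produced the error instead of forwarding one from upstream."""
    found = []
    for line in log.splitlines():
        e = parse_line(line)
        if not e or not e.inner:
            continue
        o = e.outer
        if o.get("PROTO") != "ICMP" or o.get("TYPE") != "3":
            continue
        reason = ICMP_UNREACH_CODES.get(int(o.get("CODE", -1)), "code " + o.get("CODE", "?"))
        i = e.inner
        found.append((i["SRC"], i["PROTO"], i["DST"], i.get("DPT", "-"), reason, o.get("IN", "") == ""))
    return found


def diagnose(log: str) -> str:
    """Turn the REJECT noise into a statement about what is actually failing."""
    fails = failed_connections(log)
    if not fails:
        return "no ICMP unreachable errors logged"
    off_lan = [f for f in fails if not is_local(f[2])]
    local_gen = [f for f in fails if f[5]]
    if off_lan and len(local_gen) == len(fails):
        hosts = sorted({f[0] for f in off_lan})
        return ("firewall itself is answering %d outbound connection(s) from %s with "
                "'%s'; the REJECT lines only show those error replies being blocked, "
                "so check the default route and upstream link before the zone rules"
                % (len(off_lan), ", ".join(hosts), off_lan[0][4]))
    return "%d unreachable error(s) forwarded from upstream" % len(fails)


if __name__ == "__main__":
    for f in failed_connections(SAMPLE_LOG):
        print("%s %s -> %s:%s  (%s%s)" % (f[0], f[1], f[2], f[3], f[4], ", local" if f[5] else ""))
    print(diagnose(SAMPLE_LOG))
```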
ether bunny
2003-Oct-09 20:32 UTC
[Shorewall-users] shorewall problem following power outage
Is this 'status' any more informative? (Sorry for the confusion - I'm using a linksys router to get past the firewall machine - it might not have been properly connected when I asked for the previous status.) The fact is that using this linksys box I can connect to the net - this seems like my network connection is ok.. could I have a faulty NIC?

>From: Tom Eastep <teastep@shorewall.net>
>To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
>CC: ether bunny <ethrbunny@hotmail.com>
>Subject: Re: [Shorewall-users] shorewall problem following power outage
>Date: 09 Oct 2003 15:25:32 -0700
>
>On Thu, 2003-10-09 at 15:14, ether bunny wrote:
> > 1K pardons
> >
> > (policy)
> > net all DROP info
> > all all REJECT info
> >
> > (interface)
> > net eth0 155.229.27.255
> > loc eth1 192.168.1.231
> > dmz eth2 192.168.100.1
> > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> >
> > shorewall status > status.out (attached)
>
>It looks like your default gateway is returning "net unreachable" to any
>connection attempt through it.
>
>-Tom

-------------- next part --------------
Shorewall-1.4.2 Status at graendal - Thu Oct 9 09:32:27 PDT 2003
Counters reset Thu Oct 9 07:38:44 PDT 2003
Homer Parker
2003-Oct-09 21:17 UTC
[Shorewall-users] shorewall problem following power outage
On Fri, 10 Oct 2003 03:29:23 +0000 "ether bunny" <ethrbunny@hotmail.com> wrote....
> The fact is that using this linksys box I can connect to the net - this
> seems like my network connection is ok.. could I have a faulty NIC?

I just replaced a Via Mini-ITX board that got hit *through* the cable modem.. Didn't hurt the cable modem at all.. So, anything is possible..

---
Homer Parker                  /"\  ASCII Ribbon Campaign
                              \ /  No HTML/RTF in email
http://www.homershut.net       x   No Word docs in email
telnet://bbs.homershut.net    / \  Respect for open standards

"Bill Gates reports on security progress made and the challenges ahead."
-- Microsoft's Homepage, on the day an SQL Server bug crippled large sections of the Internet.