thr3ads.net - Shorewall users - Multiple IP´s in one Zone [Dec 2004]

If this information is useful, please help other people find it:
Share via:

Lars Bunse

2004-Dec-28 00:04 UTC

Multiple IP´s in one Zone

Hi everybody

I have a Problem with Masquerading from my local net (loc) to my VPN (loc2).
I can reach every Service from loc2 in loc, but I can''t get reach any
service from loc in loc2.
Has somebody an Idea where my mistake is ? 
Without shorewall, it was working.

Thanks for helping

Lars


Technical Information :

Shorewall 2.0.13
Suse 9.0

*177.177.77.X The first 3 Counts are changed for security

ip addr show
############################################################################
#########################
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
2: sit0@NONE: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0a:e4:09:d7:67 brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.18/24 brd 192.168.9.255 scope global eth0
    inet6 fe80::20a:e4ff:fe09:d767/64 scope link
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:00:cb:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 177.177.77.10/29 brd 177.177.77.15 scope global eth1 (*)
    inet6 xxxxxxxxx scope link
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:00:cb:69:00:a8 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.2/30 brd 172.16.1.3 scope global eth2
    inet6 fe80::200:cbff:fe69:a8/64 scope link
 
############################################################################
######

ip route show
############################################################################
######
172.16.1.0/30 dev eth2  proto kernel  scope link  src 172.16.1.2
177.177.77.8/29 dev eth1  proto kernel  scope link  src 177.177.77.10 (*)
192.168.16.0/24 via 172.16.1.1 dev eth2
192.168.99.0/24 via 172.16.1.1 dev eth2
192.168.15.0/24 via 172.16.1.1 dev eth2
192.168.14.0/24 via 172.16.1.1 dev eth2
192.168.13.0/24 via 172.16.1.1 dev eth2
192.168.12.0/24 via 172.16.1.1 dev eth2
192.168.11.0/24 via 172.16.1.1 dev eth2
192.168.10.0/24 via 172.16.1.1 dev eth2
192.168.9.0/24 dev eth0  proto kernel  scope link  src 192.168.9.18 default
via 195.177.40.9 dev eth1
############################################################################
###

Masq
############################################################################
###
#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S)
IPSEC
eth0                    eth2
eth2                    eth0
eth1                    eth0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
############################################################################
###

Zones
############################################################################
###
net     Net             Internet
loc     Local           Local networks
loc2    VPN             VPN 
############################################################################
###

Host
############################################################################
###
#ZONE           HOST(S)                         OPTIONS
loc2
eth2:172.16.1.0/30,192.168.10.0/24,192.168.11.0/24,192.168.12.0/24,192.168.1
3.0/24,192.168.14.0/24,192.168.15.0/24,192.168.16.0/24,192.168.99.0/24
############################################################################
###

Interface
############################################################################
###
net             eth1            detect
loc             eth0            192.168.9.255           dhcp,routeback
-               eth2            detect
############################################################################
###


Agentur
V&V Medien
Lars Bunse
Müggenburg 40a
42277 Wuppertal
Tel:0202/7995300
http://www.vvmedien.com <http://www.vvmedien.com/> info@vvmedien.com
PGP-Verschlüsselung : http://pgp.vvmedien.com <http://pgp.vvmedien.com/>

Tom Eastep

2004-Dec-28 00:17 UTC

head link

Re: Multiple IP´s in one Zone

On Tue, 2004-12-28 at 01:04 +0100, Lars Bunse wrote:> Hi everybody
> 
> I have a Problem with Masquerading from my local net (loc) to my VPN
(loc2).
> I can reach every Service from loc2 in loc, but I can''t get reach
any
> service from loc in loc2.
> Has somebody an Idea where my mistake is ? 
> Without shorewall, it was working.
Can you please explain what you are trying to do here? Your Shorewall
configuration makes absolutely no sense.

For example, what reason do you have for masquerading between private
networks? To make up for laziness in setting up the routing?

Also, why are you listing all of those networks in the definition of
loc2? Why not just use the /etc/shorewall/interfaces file since it
appears that you only have one zone associated with eth2.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Lars Bunse

2004-Dec-28 03:25 UTC

head link

AW: [Shorewall-users] Multiple IP´s in one Zone

Hi Tom 
Thanks for you''re answer.

I have a Network with 6 locations . You can see the structure here :
http://www.vvmedien.com/Images/shorewall.pdf
>For example, what reason do you have for masquerading between privatenetworks? To make up for laziness in setting up the routing?

Ok sorry that was an error in reasoning.
 I have stop masq between the local area . 

All routes where already set : (Take a look at ip route show)
>Also, why are you listing all of those networks in the definition of loc2?Why not just use the /etc/shorewall/interfaces file since it appears that
you >only have one zone associated with eth2.

Because I was trying the other way first but it was not working, so I
thought that might the right way .. But it doesn''t.
Now I have changed it back to :

################################################################
net             eth1            detect
loc             eth0            192.168.9.255           dhcp,routeback
loc2            eth2            detect          routeback,newnotsyn
################################################################



But nothing has changed : I can''t connect any Services from fw/loc in
the
loc2.

Thanks 
Lars

Agentur
V&V Medien
Lars Bunse
Müggenburg 40a
42277 Wuppertal
Tel:0202/7995300
http://www.vvmedien.com
info@vvmedien.com 
PGP-Verschlüsselung : http://pgp.vvmedien.com

Lars Bunse

2004-Dec-28 14:05 UTC

head link

Multiple IP´s in one Zone

Hi Tom
Thanks for you''re answer.

I have a Network with 6 locations . You can see the structure here :
http://www.vvmedien.com/Images/shorewall.pdf
>For example, what reason do you have for masquerading between privatenetworks? To make up for laziness in setting up the routing?

Ok sorry that was an error in reasoning.
 I have stop masq between the local area . 

All routes where already set : (Take a look at ip route show)
>Also, why are you listing all of those networks in the definition of loc2?Why not just use the /etc/shorewall/interfaces file since it appears that
you >only have one zone associated with eth2.

Because I was trying the other way first but it was not working, so I
thought that might the right way .. But it doesn''t.
Now I have changed it back to :

################################################################
net             eth1            detect
loc             eth0            192.168.9.255           dhcp,routeback
loc2            eth2            detect          routeback,newnotsyn
################################################################



But nothing has changed : I can''t connect any Services from fw/loc in
the
loc2.

Thanks
Lars


Agentur
V&V Medien
Lars Bunse
Müggenburg 40a
42277 Wuppertal
Tel:0202/7995300
http://www.vvmedien.com <http://www.vvmedien.com/> 
info@vvmedien.com
PGP-Verschlüsselung : http://pgp.vvmedien.com <http://pgp.vvmedien.com/>

Tom Eastep

2004-Dec-28 15:54 UTC

head link

Re: AW: Multiple IP´s in one Zone

On Tue, 2004-12-28 at 04:25 +0100, Lars Bunse wrote:> Hi Tom 
> Thanks for you''re answer.
> 
> I have a Network with 6 locations . You can see the structure here :
> http://www.vvmedien.com/Images/shorewall.pdf
> 
> >For example, what reason do you have for masquerading between private
> networks? To make up for laziness in setting up the routing?
> 
> Ok sorry that was an error in reasoning.
>  I have stop masq between the local area . 
> 
> All routes where already set : (Take a look at ip route show)
> 
> >Also, why are you listing all of those networks in the definition of
loc2?
> Why not just use the /etc/shorewall/interfaces file since it appears that
> you >only have one zone associated with eth2.
> 
> Because I was trying the other way first but it was not working, so I
> thought that might the right way .. But it doesn''t.
> Now I have changed it back to :
> 
> ################################################################
> net             eth1            detect
> loc             eth0            192.168.9.255           dhcp,routeback
> loc2            eth2            detect          routeback,newnotsyn
> ################################################################
> 
> 
> 
> But nothing has changed : I can''t connect any Services from fw/loc
in the
> loc2.
> 
Ok -- now please forward the information that I ask for at
http://shorewall.net/support.htm and I''ll try to help.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Lars Bunse

2004-Dec-30 17:26 UTC

head link

Multiple IP´s in one Zone

Hi Tom

Sorry for my late answer. I was out of Office for a couple of days.

For remember :
######
I have a Network with 8 locations . You can see the structure here :
http://www.vvmedien.com/Images/shorewall.pdf

All ip addresses are fixed (except 192.168.9.0/24 internal Network DHCP).
The VPN Tunnels are done by the routers.


It is not possible to connect any service (port) from loc and fw in the loc2
Zone (for example PC-Anywhere) 

Possible are 
Loc  - fw
Loc  - net (masq)
Loc2 - loc
Loc2 - fw

Thanks for helping

Lars Bunse

Technical stuff :

shorewall version
############################################################################
################
2.0.13
############################################################################
################

Linux
############################################################################
################
Suse 9.0 prof
############################################################################
################


ip addr show
############################################################################
################
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
2: sit0@NONE: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0a:e4:09:d7:67 brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.18/24 brd 192.168.9.255 scope global eth0
    inet6 fe80::20a:e4ff:fe09:d767/64 scope link
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:00:cb:69:09:3f brd ff:ff:ff:ff:ff:ff
    inet xxx.xxx.xxx.10/29 brd xxx.xxx.xxx.15 scope global eth1
    inet6 XXXX::XXX:XXXX:XXXX:XXX/64 scope link
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:00:cb:69:00:a8 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.2/30 brd 172.16.1.3 scope global eth2
    inet6 fe80::200:cbff:fe69:a8/64 scope link
############################################################################
################

ip route show
############################################################################
################
172.16.1.0/30 dev eth2  proto kernel  scope link  src 172.16.1.2
xxx.xxx.xxx.8/29 dev eth1  proto kernel  scope link  src xxx.xxx.xxx.10
192.168.16.0/24 via 172.16.1.1 dev eth2
192.168.99.0/24 via 172.16.1.1 dev eth2
192.168.15.0/24 via 172.16.1.1 dev eth2
192.168.14.0/24 via 172.16.1.1 dev eth2
192.168.13.0/24 via 172.16.1.1 dev eth2
192.168.12.0/24 via 172.16.1.1 dev eth2
192.168.11.0/24 via 172.16.1.1 dev eth2
192.168.10.0/24 via 172.16.1.1 dev eth2
192.168.9.0/24 dev eth0  proto kernel  scope link  src 192.168.9.18
default via xxx.xxx.xxx.9 dev eth1
############################################################################
################

Interface

############################################################################
##
#ZONE            INTERFACE      BROADCAST       OPTIONS
net             eth1            detect
loc             eth0            192.168.9.255           dhcp,routeback
loc2            eth2            detect          routeback,newnotsyn
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
############################################################################
################


Masq

############################################################################
###
#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S)
IPSEC
eth1                    eth0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
############################################################################
################

Policy
############################################################################
###
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
fw              net             ACCEPT
fw              loc             ACCEPT
fw              loc2            ACCEPT
loc             loc2            ACCEPT
loc             loc             ACCEPT
loc             fw              ACCEPT
loc2            loc2            ACCEPT
loc2            loc             ACCEPT
loc2            fw              ACCEPT
net             all             DROP            info

#
# THE FOLLOWING POLICY MUST BE LAST
#
all             all             REJECT


#LAST LINE -- DO NOT REMOVE
############################################################################
################


Tos

############################################################################
##
#SOURCE DEST            PROTOCOL        SOURCE PORTS    DEST PORTS      TOS
all     all             tcp             -               22              16
all     all             tcp             22              -               16
all     all             tcp             -               21              16
all     all             tcp             21              -               16
all     all             tcp             20              -               8
all     all             tcp             -               20              8

############################################################################
################

Zones
#ZONE                   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local networks
loc2    VPN             VPN- Aussenstellen
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
############################################################################
################

No changes to :
############################################################################
################
Accounting
Blacklist
Ecn
Hosts
Init
Initdone
Maclist
Modules
Nat
Netmap
Params
Proxyarp
Routestopped
shorewall.conf
Start
Stop
Stopped
Tcrules
Tunnels
############################################################################
################

Shorewall status
############################################################################
################

Shorewall-2.0.13 

Counters reset Thu Dec 30 15:38:17 CET 2004

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination         
18714 6825K ACCEPT     all  --  lo     *       0.0.0.0/0
0.0.0.0/0          
    0     0 DROP      !icmp --  *      *       0.0.0.0/0
0.0.0.0/0          state INVALID 
17623 7551K eth1_in    all  --  eth1   *       0.0.0.0/0
0.0.0.0/0          
 1809  142K eth0_in    all  --  eth0   *       0.0.0.0/0
0.0.0.0/0          
  208 21096 eth2_in    all  --  eth2   *       0.0.0.0/0
0.0.0.0/0          
    0     0 Reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0          
    0     0 reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP      !icmp --  *      *       0.0.0.0/0
0.0.0.0/0          state INVALID 
   99  4761 eth1_fwd   all  --  eth1   *       0.0.0.0/0
0.0.0.0/0          
  193 10527 eth0_fwd   all  --  eth0   *       0.0.0.0/0
0.0.0.0/0          
   31  3018 eth2_fwd   all  --  eth2   *       0.0.0.0/0
0.0.0.0/0          
    0     0 Reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0          
    0     0 reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain OUTPUT (policy DROP 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source
destination         
18714 6825K ACCEPT     all  --  *      lo      0.0.0.0/0
0.0.0.0/0          
    0     0 DROP      !icmp --  *      *       0.0.0.0/0
0.0.0.0/0          state INVALID 
   28  9184 ACCEPT     udp  --  *      eth0    0.0.0.0/0
0.0.0.0/0          udp dpts:67:68 
17080 1799K fw2net     all  --  *      eth1    0.0.0.0/0
0.0.0.0/0          
 2209 2032K fw2loc     all  --  *      eth0    0.0.0.0/0
0.0.0.0/0          
  351 53399 fw2loc2    all  --  *      eth2    0.0.0.0/0
0.0.0.0/0          
    0     0 Reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0          
    0     0 reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain Drop (1 references)
 pkts bytes target     prot opt in     out     source
destination         
   14   936 RejectAuth  all  --  *      *       0.0.0.0/0
0.0.0.0/0          
   14   936 dropBcast  all  --  *      *       0.0.0.0/0
0.0.0.0/0          
   14   936 dropInvalid  all  --  *      *       0.0.0.0/0
0.0.0.0/0          
   14   936 DropSMB    all  --  *      *       0.0.0.0/0
0.0.0.0/0          
   14   936 DropUPnP   all  --  *      *       0.0.0.0/0
0.0.0.0/0          
   14   936 dropNotSyn  all  --  *      *       0.0.0.0/0
0.0.0.0/0          
   14   936 DropDNSrep  all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain DropDNSrep (2 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp spt:53 

Chain DropSMB (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:135 
    0     0 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpts:137:139 
    0     0 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:445 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:135 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:139 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:445 

Chain DropUPnP (2 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:1900 

Chain Reject (4 references)
 pkts bytes target     prot opt in     out     source
destination         
   93  4464 RejectAuth  all  --  *      *       0.0.0.0/0
0.0.0.0/0          
   93  4464 dropBcast  all  --  *      *       0.0.0.0/0
0.0.0.0/0          
   93  4464 dropInvalid  all  --  *      *       0.0.0.0/0
0.0.0.0/0          
   93  4464 RejectSMB  all  --  *      *       0.0.0.0/0
0.0.0.0/0          
   93  4464 DropUPnP   all  --  *      *       0.0.0.0/0
0.0.0.0/0          
   93  4464 dropNotSyn  all  --  *      *       0.0.0.0/0
0.0.0.0/0          
   93  4464 DropDNSrep  all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain RejectAuth (2 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:113 

Chain RejectSMB (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 reject     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:135 
    0     0 reject     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpts:137:139 
    0     0 reject     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:445 
    0     0 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:135 
    0     0 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:139 
    0     0 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:445 

Chain all2all (2 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
   93  4464 Reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0          
   93  4464 reject     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0          PKTTYPE = broadcast 
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0          PKTTYPE = multicast 

Chain dropInvalid (2 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0          state INVALID 

Chain dropNotSyn (2 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp flags:!0x16/0x02 

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source
destination         

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source
destination         
  102  4896 dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0          state INVALID,NEW 
  165  7803 loc2net    all  --  *      eth1    0.0.0.0/0
0.0.0.0/0          
    0     0 loc2loc    all  --  *      eth0    0.0.0.0/0
0.0.0.0/0          
   28  2724 loc2loc2   all  --  *      eth2    0.0.0.0/0
0.0.0.0/0          

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source
destination         
  360 56625 dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0          state INVALID,NEW 
   28  9184 ACCEPT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpts:67:68 
 1781  133K loc2fw     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0          state INVALID,NEW 
   99  4761 net2all    all  --  *      eth0    0.0.0.0/0
0.0.0.0/0          
    0     0 net2all    all  --  *      eth2    0.0.0.0/0
0.0.0.0/0          

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source
destination         
   80  4104 dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0          state INVALID,NEW 
17623 7551K net2fw     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain eth2_fwd (1 references)
 pkts bytes target     prot opt in     out     source
destination         
   16  1848 dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0          state INVALID,NEW 
    0     0 all2all    all  --  *      eth1    0.0.0.0/0
0.0.0.0/0          
   31  3018 loc22loc   all  --  *      eth0    0.0.0.0/0
0.0.0.0/0          
    0     0 loc22loc2  all  --  *      eth2    0.0.0.0/0
0.0.0.0/0          

Chain eth2_in (1 references)
 pkts bytes target     prot opt in     out     source
destination         
   40  5555 dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0          state INVALID,NEW 
  208 21096 loc22fw    all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 2161 2026K ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
   48  5580 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain fw2loc2 (1 references)
 pkts bytes target     prot opt in     out     source
destination         
  187 18231 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
  164 35168 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source
destination         
16214 1747K ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
  866 52213 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain icmpdef (0 references)
 pkts bytes target     prot opt in     out     source
destination         

Chain loc22fw (1 references)
 pkts bytes target     prot opt in     out     source
destination         
  168 15541 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
   40  5555 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain loc22loc (1 references)
 pkts bytes target     prot opt in     out     source
destination         
   15  1170 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
   16  1848 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain loc22loc2 (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 1449 85295 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
  332 47441 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain loc2loc (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain loc2loc2 (1 references)
 pkts bytes target     prot opt in     out     source
destination         
   28  2724 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source
destination         
   63  2907 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
    9   432 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          multiport dports 22,110,143,443,6002 
   93  4464 all2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain net2all (3 references)
 pkts bytes target     prot opt in     out     source
destination         
   99  4761 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
   14   936 Drop       all  --  *      *       0.0.0.0/0
0.0.0.0/0          
   14   936 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
   14   936 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source
destination         
17543 7547K ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
   66  3168 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          multiport dports 22,110,143 
   14   936 net2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain reject (11 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0          PKTTYPE = broadcast 
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0          PKTTYPE = multicast 
    0     0 DROP       all  --  *      *       xxx.xxx.xxx.15
0.0.0.0/0          
    0     0 DROP       all  --  *      *       192.168.9.255
0.0.0.0/0          
    0     0 DROP       all  --  *      *       172.16.1.3
0.0.0.0/0          
    0     0 DROP       all  --  *      *       255.255.255.255
0.0.0.0/0          
    0     0 DROP       all  --  *      *       224.0.0.0/4
0.0.0.0/0          
   93  4464 REJECT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          reject-with tcp-reset 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          reject-with icmp-port-unreachable 
    0     0 REJECT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          reject-with icmp-host-unreachable 
    0     0 REJECT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          reject-with icmp-host-prohibited 

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source
destination         

Chain smurfs (0 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 LOG        all  --  *      *       xxx.xxx.xxx.15
0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'' 
    0     0 DROP       all  --  *      *       xxx.xxx.xxx.15
0.0.0.0/0          
    0     0 LOG        all  --  *      *       192.168.9.255
0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'' 
    0     0 DROP       all  --  *      *       192.168.9.255
0.0.0.0/0          
    0     0 LOG        all  --  *      *       172.16.1.3
0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'' 
    0     0 DROP       all  --  *      *       172.16.1.3
0.0.0.0/0          
    0     0 LOG        all  --  *      *       255.255.255.255
0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'' 
    0     0 DROP       all  --  *      *       255.255.255.255
0.0.0.0/0          
    0     0 LOG        all  --  *      *       224.0.0.0/4
0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'' 
    0     0 DROP       all  --  *      *       224.0.0.0/4
0.0.0.0/0 


############################################################################
################





Agentur
V&V Medien
Lars Bunse
Müggenburg 40a
42277 Wuppertal
Tel:0202/7995300
http://www.vvmedien.com <<http://www.vvmedien.com/>> 
info@vvmedien.com
PGP-Verschlüsselung : http://pgp.vvmedien.com
<<http://pgp.vvmedien.com/>>

Possibly Parallel Threads

Search for more reasonably related threads

Shorewall users - Dec 2004 - Multiple IP´s in one Zone

Multiple IP´s in one Zone

Re: Multiple IP´s in one Zone

AW: [Shorewall-users] Multiple IP´s in one Zone

Multiple IP´s in one Zone

Re: AW: Multiple IP´s in one Zone

Multiple IP´s in one Zone

Possibly Parallel Threads