I have a problem getting an answer to HTTP requests from all my local subnets,
but not from the local subnet.
Ping and requests on ports 21, 22, 23, 25 and 110 work fine.
I logged port 80 in the rules file and I got an ACCEPT entry, the same for
the local subnet and the other subnets.
Local subnet is 192.168.6:
Dec 29 09:52:40 zinfsrv2 kernel: Shorewall:loc2fw:ACCEPT:IN=eth0 OUT= MAC=00:09:6b:07:ca:cc:00:10:b5:fa:bd:71:08:00 SRC=192.168.6.5 DST=192.168.6.82 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=9327 DF PROTO=TCP SPT=1267 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Other subnet:

Dec 29 09:53:36 zinfsrv2 kernel: Shorewall:loc2fw:ACCEPT:IN=eth0 OUT= MAC=00:09:6b:07:ca:cc:42:00:00:00:00:81:08:00 SRC=192.168.4.4 DST=195.29.202.130 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10071 DF PROTO=TCP SPT=1060 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
While I get a reply in the browser on the local subnet, in the browser on the
other subnet I get an infinite wait (hourglass cursor).
If I add the policy loc fw ACCEPT in the policy file, everything works fine.
Here is the output of the Shorewall status command:
Shorewall-2.0.8 Status at zinfsrv2.dubrovnik.hr - Sri Pro 29 10:03:40 CET 2004
Counters reset Wed Dec 29 08:24:12 CET 2004

Chain INPUT (policy DROP 3 packets, 389 bytes)
pkts bytes target prot opt in out source destination
4654 821K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
378 104K ppp0_in all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
12201 1546K eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
90 4252 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
142 94271 ppp0_fwd all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
525 46518 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 2 packets, 224 bytes)
pkts bytes target prot opt in out source destination
4654 821K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
533 51169 fw2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
1354 133K fw2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:''
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain Drop (1 references)
pkts bytes target prot opt in out source destination
11 1240 RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0
11 1240 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
11 1240 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
11 1240 DropSMB all -- * * 0.0.0.0/0 0.0.0.0/0
11 1240 DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0
11 1240 dropNotSyn all -- * * 0.0.0.0/0 0.0.0.0/0
11 1240 DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DropDNSrep (2 references)
pkts bytes target prot opt in out source destination
1 132 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53

Chain DropSMB (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445

Chain DropUPnP (2 references)
pkts bytes target prot opt in out source destination
1997 321K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900

Chain Reject (4 references)
pkts bytes target prot opt in out source destination
2130 335K RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0
2126 335K dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
2126 335K dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
2089 333K RejectSMB all -- * * 0.0.0.0/0 0.0.0.0/0
2058 327K DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0
61 6542 dropNotSyn all -- * * 0.0.0.0/0 0.0.0.0/0
60 5042 DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0

Chain RejectAuth (2 references)
pkts bytes target prot opt in out source destination
4 228 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113

Chain RejectSMB (1 references)
pkts bytes target prot opt in out source destination
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
22 5782 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
6 288 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
3 144 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445

Chain all2all (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2130 335K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
59 4910 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
59 4910 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast

Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
37 1652 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID

Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
1 1500 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02

Chain dynamic (4 references)
pkts bytes target prot opt in out source destination

Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
398 27444 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
451 36103 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
194 26995 loc2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
331 19523 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
11690 1485K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
353 31627 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
12201 1546K loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
692 97326 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:446
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:523
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1080
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2401
3 180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5300
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5801
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5901
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6001
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:50000
46 4531 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,177,443,513
55 12868 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 137,139,445
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535
551 16436 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 1604 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
337 36604 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
94 5640 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,22,25,53,80,110,443
46 3345 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
21 1764 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
35 3816 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (0 references)
pkts bytes target prot opt in out source destination

Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
511 60618 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 328 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 LOG flags 0 level 6 prefix `Shorewall:loc2fw:ACCEPT:''
7 328 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 LOG flags 0 level 6 prefix `Shorewall:loc2fw:ACCEPT:''
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
7 336 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,22,23,25,53,110,523,1080,2401,10000,50000
33 3696 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,177,443,513
9560 1151K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 137,139,445
7 642 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535
30 6088 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
2046 323K all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
127 19074 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
20 960 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,22,25,53,80,110,443
1 57 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
46 6904 all2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logflags (5 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 4 level 6 prefix `Shorewall:logflags:DROP:''
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2all (2 references)
pkts bytes target prot opt in out source destination
142 94271 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
11 1240 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
11 1240 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
11 1240 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
367 102K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,22,25,53,80,110,443
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
11 1240 net2all all -- * * 0.0.0.0/0 0.0.0.0/0

Chain norfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 rfc1918 all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 172.16.0.0/12
0 0 rfc1918 all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 192.168.0.0/16
0 0 rfc1918 all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 10.0.0.0/8

Chain ppp0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
142 94271 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
142 94271 net2all all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain ppp0_in (1 references)
pkts bytes target prot opt in out source destination
11 1240 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
11 1240 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
145 66247 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
378 104K net2fw all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject (11 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 DROP all -- * * 192.168.2.255 0.0.0.0/0
0 0 DROP all -- * * 192.168.6.255 0.0.0.0/0
0 0 DROP all -- * * 195.29.202.159 0.0.0.0/0
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
23 1140 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
71 10212 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain rfc1918 (6 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:''
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain shorewall (0 references)
pkts bytes target prot opt in out source destination

Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 192.168.2.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 192.168.2.255 0.0.0.0/0
0 0 LOG all -- * * 192.168.6.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 192.168.6.255 0.0.0.0/0
0 0 LOG all -- * * 195.29.202.159 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 195.29.202.159 0.0.0.0/0
0 0 LOG all -- * * 255.255.255.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 LOG all -- * * 224.0.0.0/4 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0

Chain tcpflags (4 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0 flags:0x16/0x02

Dec 29 09:48:11 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8549 DF PROTO=UDP SPT=513 DPT=513 LEN=92
Dec 29 09:50:03 net2all:DROP:IN=ppp0 OUT= SRC=203.198.111.109 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=37731 DF PROTO=TCP SPT=2902 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 29 09:50:11 all2all:REJECT:IN=eth0 OUT=ppp0 SRC=192.168.6.5 DST=195.29.202.253 LEN=31 TOS=0x00 PREC=0x00 TTL=127 ID=879 PROTO=UDP SPT=13991 DPT=13991 LEN=11
Dec 29 09:51:11 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8551 DF PROTO=UDP SPT=513 DPT=513 LEN=92
Dec 29 09:52:40 loc2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.6.5 DST=192.168.6.82 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=9327 DF PROTO=TCP SPT=1267 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 29 09:53:36 loc2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.4.4 DST=195.29.202.130 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10071 DF PROTO=TCP SPT=1060 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 29 09:54:11 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8553 DF PROTO=UDP SPT=513 DPT=513 LEN=92
Dec 29 09:55:08 net2all:DROP:IN=ppp0 OUT= SRC=83.131.131.215 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=46981 DF PROTO=TCP SPT=1405 DPT=1025 WINDOW=64800 RES=0x00 SYN URGP=0
Dec 29 09:55:10 net2all:DROP:IN=ppp0 OUT= SRC=83.131.131.215 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=47100 DF PROTO=TCP SPT=1405 DPT=1025 WINDOW=64800 RES=0x00 SYN URGP=0
Dec 29 09:55:14 all2all:REJECT:IN=eth0 OUT= SRC=192.168.6.110 DST=192.168.6.82 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=11264 DF PROTO=TCP SPT=54217 DPT=397 WINDOW=32768 RES=0x00 SYN URGP=0
Dec 29 09:55:15 net2all:DROP:IN=ppp0 OUT= SRC=83.131.131.215 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=47333 DF PROTO=TCP SPT=1405 DPT=1025 WINDOW=64800 RES=0x00 SYN URGP=0
Dec 29 09:57:11 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8555 DF PROTO=UDP SPT=513 DPT=513 LEN=92
Dec 29 09:58:06 net2all:DROP:IN=ppp0 OUT= SRC=204.9.65.156 DST=83.131.133.47 LEN=404 TOS=0x00 PREC=0x00 TTL=119 ID=18526 PROTO=UDP SPT=4941 DPT=1434 LEN=384
Dec 29 10:00:04 all2all:REJECT:IN=eth0 OUT=ppp0 SRC=192.168.6.5 DST=195.29.202.253 LEN=31 TOS=0x00 PREC=0x00 TTL=127 ID=54127 PROTO=UDP SPT=13991 DPT=13991 LEN=11
Dec 29 10:00:11 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8557 DF PROTO=UDP SPT=513 DPT=513 LEN=92
Dec 29 10:00:27 net2all:DROP:IN=ppp0 OUT= SRC=60.196.56.118 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=48501 DF PROTO=TCP SPT=3858 DPT=12345 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 29 10:00:30 net2all:DROP:IN=ppp0 OUT= SRC=60.196.56.118 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=57632 DF PROTO=TCP SPT=3858 DPT=12345 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 29 10:01:57 loc2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.6.5 DST=192.168.6.82 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=61039 DF PROTO=TCP SPT=1269 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 29 10:02:09 loc2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.4.4 DST=195.29.202.130 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10172 DF PROTO=TCP SPT=1061 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 29 10:03:12 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8559 DF PROTO=UDP SPT=513 DPT=513 LEN=92

NAT Table

Chain PREROUTING (policy ACCEPT 287K packets, 35M bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 8723 packets, 382K bytes)
pkts bytes target prot opt in out source destination
91 5894 ppp0_masq all -- * ppp0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 8828 packets, 412K bytes)
pkts bytes target prot opt in out source destination

Chain ppp0_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 195.29.202.128/27 0.0.0.0/0
0 0 MASQUERADE all -- * * 195.29.202.0/25 0.0.0.0/0
20 969 MASQUERADE all -- * * 192.168.6.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.4.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.3.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.2.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.1.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.11.0/24 0.0.0.0/0

Mangle Table

Chain PREROUTING (policy ACCEPT 602K packets, 221M bytes)
pkts bytes target prot opt in out source destination
46983 6169K pretos all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 2044K packets, 390M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 539K packets, 437M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 37155 packets, 6116K bytes)
pkts bytes target prot opt in out source destination
6581 1009K outtos all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 1445K packets, 711M bytes)
pkts bytes target prot opt in out source destination

Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
171 7955 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
pkts bytes target prot opt in out source destination
4 208 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
175 7229 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08

tcp 6 347779 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43845 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43845 [ASSURED] use=1
tcp 6 82138 ESTABLISHED src=195.29.107.219 dst=195.29.202.130 sport=1571 dport=25 src=195.29.202.130 dst=195.29.107.219 sport=25 dport=1571 [ASSURED] use=1
udp 17 17 src=192.168.2.78 dst=192.168.2.255 sport=138 dport=138 [UNREPLIED] src=192.168.2.255 dst=192.168.2.78 sport=138 dport=138 use=1
tcp 6 118983 ESTABLISHED src=217.71.49.169 dst=195.29.202.130 sport=3621 dport=25 src=195.29.202.130 dst=217.71.49.169 sport=25 dport=3621 [ASSURED] use=1
udp 17 23 src=195.29.202.129 dst=195.29.202.159 sport=138 dport=138 [UNREPLIED] src=195.29.202.159 dst=195.29.202.129 sport=138 dport=138 use=1
tcp 6 98212 ESTABLISHED src=195.29.102.72 dst=195.29.202.130 sport=1654 dport=25 src=195.29.202.130 dst=195.29.102.72 sport=25 dport=1654 [ASSURED] use=1
tcp 6 63 TIME_WAIT src=192.168.6.82 dst=192.168.6.82 sport=47166 dport=5353 src=192.168.6.82 dst=192.168.6.82 sport=5353 dport=47166 [ASSURED] use=1
tcp 6 338493 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3072 dport=80 src=143.127.8.50 dst=83.131.142.104 sport=80 dport=3072 [ASSURED] use=1
tcp 6 338683 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3079 dport=80 src=143.127.8.50 dst=83.131.142.104 sport=80 dport=3079 [ASSURED] use=1
tcp 6 216770 ESTABLISHED src=83.30.213.130 dst=195.29.202.130 sport=1773 dport=25 src=195.29.202.130 dst=83.30.213.130 sport=25 dport=1773 [ASSURED] use=1
tcp 6 18 TIME_WAIT src=195.29.202.130 dst=195.29.202.131 sport=47165 dport=5300 src=195.29.202.131 dst=195.29.202.130 sport=5300 dport=47165 [ASSURED] use=1
tcp 6 338873 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3091 dport=80 src=143.127.8.50 dst=83.131.142.104 sport=80 dport=3091 [ASSURED] use=1
tcp 6 37 TIME_WAIT src=192.168.6.5 dst=192.168.6.82 sport=1269 dport=80 src=192.168.6.82 dst=192.168.6.5 sport=80 dport=1269 [ASSURED] use=1
tcp 6 266339 ESTABLISHED src=195.29.108.124 dst=195.29.202.130 sport=1405 dport=25 src=195.29.202.130 dst=195.29.108.124 sport=25 dport=1405 [ASSURED] use=1
tcp 6 348030 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43504 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43504 [ASSURED] use=1
tcp 6 431676 ESTABLISHED src=192.168.6.2 dst=192.168.2.49 sport=1037 dport=23 [UNREPLIED] src=192.168.2.49 dst=192.168.6.2 sport=23 dport=1037 use=1
tcp 6 425314 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3109 dport=80 src=143.127.8.50 dst=83.131.133.20 sport=80 dport=3109 [ASSURED] use=1
udp 17 0 src=192.168.6.82 dst=192.168.6.255 sport=513 dport=513 [UNREPLIED] src=192.168.6.255 dst=192.168.6.82 sport=513 dport=513 use=1
tcp 6 370612 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43506 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43506 [ASSURED] use=1
tcp 6 431898 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43518 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43518 [ASSURED] use=1
tcp 6 424453 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43497 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43497 [ASSURED] use=1
tcp 6 425209 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3093 dport=80 src=143.127.8.50 dst=83.131.133.47 sport=80 dport=3093 [ASSURED] use=1
tcp 6 424519 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43492 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43492 [ASSURED] use=1
tcp 6 426336 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43521 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43521 [ASSURED] use=1
tcp 6 428216 ESTABLISHED src=192.168.6.6 dst=195.29.202.49 sport=1040 dport=23 [UNREPLIED] src=195.29.202.49 dst=192.168.6.6 sport=23 dport=1040 use=1
tcp 6 424592 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43499 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43499 [ASSURED] use=1
udp 17 28 src=192.168.2.49 dst=192.168.2.255 sport=137 dport=137 [UNREPLIED] src=192.168.2.255 dst=192.168.2.49 sport=137 dport=137 use=1
tcp 6 338304 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3065 dport=80 src=143.127.8.50 dst=83.131.142.104 sport=80 dport=3065 [ASSURED] use=1
udp 17 28 src=192.168.2.49 dst=192.168.2.255 sport=138 dport=138 [UNREPLIED] src=192.168.2.255 dst=192.168.2.49 sport=138 dport=138 use=1
tcp 6 431340 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43523 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43523 [ASSURED] use=1
tcp 6 73 TIME_WAIT src=192.168.4.4 dst=195.29.202.130 sport=1061 dport=80 src=195.29.202.130 dst=192.168.4.4 sport=80 dport=1061 [ASSURED] use=1
tcp 6 424550 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43539 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43539 [ASSURED] use=1

IP Configuration

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:09:6b:07:ca:cc brd ff:ff:ff:ff:ff:ff
    inet 192.168.6.82/24 brd 192.168.6.255 scope global eth0
    inet 192.168.2.111/24 brd 192.168.2.255 scope global eth0:1
    inet 195.29.202.130/27 brd 195.29.202.159 scope global eth0:2
    inet6 fe80::209:6bff:fe07:cacc/64 scope link
       valid_lft forever preferred_lft forever
    inet6 ff02::1:ff07:cacc/128 scope global
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:06:29:c9:3c:39 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::206:29ff:fec9:3c39/64 scope link
       valid_lft forever preferred_lft forever
    inet6 ff02::1:ffc9:3c39/128 scope global
       valid_lft forever preferred_lft forever
    inet6 ff02::1/128 scope global
       valid_lft forever preferred_lft forever
6: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
58: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet 83.131.133.47 peer 172.29.252.11/32 scope global ppp0

Routing Rules

0: from all lookup local
32766: from all lookup main
32767: from all lookup default

Table local:

local 83.131.133.47 dev ppp0 proto kernel scope host src 83.131.133.47
broadcast 192.168.6.255 dev eth0 proto kernel scope link src 192.168.6.82
broadcast 195.29.202.159 dev eth0 proto kernel scope link src 195.29.202.130
broadcast 192.168.2.255 dev eth0 proto kernel scope link src 192.168.2.111
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.2.111 dev eth0 proto kernel scope host src 192.168.2.111
broadcast 192.168.6.0 dev eth0 proto kernel scope link src 192.168.6.82
local 192.168.6.82 dev eth0 proto kernel scope host src 192.168.6.82
broadcast 192.168.2.0 dev eth0 proto kernel scope link src 192.168.2.111
local 195.29.202.130 dev eth0 proto kernel scope host src 195.29.202.130
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 195.29.202.128 dev eth0 proto kernel scope link src 195.29.202.130
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

Table main:

172.29.252.11 dev ppp0 proto kernel scope link src 83.131.133.47
195.29.202.128/27 dev eth0 proto kernel scope link src 195.29.202.130
195.29.202.0/25 via 192.168.6.110 dev eth0
192.168.6.0/24 dev eth0 scope link
192.168.4.0/24 via 192.168.6.110 dev eth0
192.168.3.0/24 via 192.168.6.110 dev eth0
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.111
192.168.1.0/24 via 192.168.6.110 dev eth0
192.168.11.0/24 via 192.168.6.3 dev eth0
127.0.0.0/8 dev lo scope link
default via 172.29.252.11 dev ppp0

Table default:
Regards Baldo Franic
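As an added example (not code from the post, nor part of Shorewall), the following Python script parses the "chain:disposition:" log lines that Shorewall's LOG rules emit, in both the kernel form shown at the top of the post and the bare form printed by the status command, and tags every port-80 ACCEPT by whether its source lies on the firewall's directly connected 192.168.6.0/24 (the eth0 address in the IP configuration above) or on one of the subnets routed via 192.168.6.110. The sample lines are copied from the post; the `DIRECT_SUBNET` constant and the "direct"/"routed" tags are this example's own choices.

```python
"""Summarise netfilter/Shorewall kernel log lines.

Added example for this thread, not Shorewall's own code: it parses the
'chain:disposition:' log lines that Shorewall LOG rules produce and groups
them so that the port-80 ACCEPT entries from the directly connected subnet
and from the routed subnets can be compared side by side.
"""
import ipaddress
import re
from collections import Counter

# Directly connected loc subnet of the firewall in the post (192.168.6.82/24).
# The other loc subnets (192.168.4.0/24 etc.) are reached via 192.168.6.110.
# Assumption of this example, taken from the posted routing table.
DIRECT_SUBNET = ipaddress.ip_network("192.168.6.0/24")

# Sample input copied from the post. The kernel-format lines carry a
# 'host kernel: Shorewall:' prefix, the 'shorewall status' lines do not;
# the parser accepts both.
SAMPLE_LOG = """\
Dec 29 09:52:40 zinfsrv2 kernel: Shorewall:loc2fw:ACCEPT:IN=eth0 OUT= MAC=00:09:6b:07:ca:cc:00:10:b5:fa:bd:71:08:00 SRC=192.168.6.5 DST=192.168.6.82 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=9327 DF PROTO=TCP SPT=1267 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 29 09:53:36 zinfsrv2 kernel: Shorewall:loc2fw:ACCEPT:IN=eth0 OUT= MAC=00:09:6b:07:ca:cc:42:00:00:00:00:81:08:00 SRC=192.168.4.4 DST=195.29.202.130 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10071 DF PROTO=TCP SPT=1060 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 29 09:50:03 net2all:DROP:IN=ppp0 OUT= SRC=203.198.111.109 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=37731 DF PROTO=TCP SPT=2902 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 29 09:55:14 all2all:REJECT:IN=eth0 OUT= SRC=192.168.6.110 DST=192.168.6.82 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=11264 DF PROTO=TCP SPT=54217 DPT=397 WINDOW=32768 RES=0x00 SYN URGP=0
Dec 29 09:58:06 net2all:DROP:IN=ppp0 OUT= SRC=204.9.65.156 DST=83.131.133.47 LEN=404 TOS=0x00 PREC=0x00 TTL=119 ID=18526 PROTO=UDP SPT=4941 DPT=1434 LEN=384
"""

# Timestamp, optional syslog host/kernel prefix, the 'chain:disposition:'
# tag (with or without a leading 'Shorewall:'), then the key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+.*?"
    r"(?:Shorewall:)?(?P<chain>\w+):(?P<disp>[A-Z]+):(?P<fields>IN=.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "chain": m.group("chain"),
           "disposition": m.group("disp")}
    for key, value in KV_RE.findall(m.group("fields")):
        # Flag-only tokens (DF, SYN) carry no '=' and are skipped; UDP lines
        # carry LEN twice (IP and UDP length) and the last one wins.
        rec[key] = value
    for key in ("SPT", "DPT", "TTL"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def summarise(log_text):
    """Count (chain, disposition) pairs and collect the TCP/80 records.

    Each port-80 record is tagged 'direct' when SRC lies in DIRECT_SUBNET
    and 'routed' otherwise, which is the distinction the post is about.
    """
    counts = Counter()
    http = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["chain"], rec["disposition"])] += 1
        if rec.get("PROTO") == "TCP" and rec.get("DPT") == 80:
            src = ipaddress.ip_address(rec["SRC"])
            rec["origin"] = "direct" if src in DIRECT_SUBNET else "routed"
            http.append(rec)
    return counts, http


if __name__ == "__main__":
    counts, http = summarise(SAMPLE_LOG)
    for (chain, disp), n in sorted(counts.items()):
        print(f"{chain}:{disp}  {n}")
    for rec in http:
        print(f"{rec['ts']}  {rec['origin']:6}  {rec['SRC']} -> "
              f"{rec['DST']}:{rec['DPT']}  {rec['chain']}:{rec['disposition']}"
              f"  TTL={rec['TTL']}")
```

Running it as a script prints the per-chain counts and the two port-80 lines. Both the direct and the routed request are logged as loc2fw:ACCEPT, so a log of the inbound SYN alone cannot distinguish the working case from the hanging one; what it does show is that the routed request is addressed to 195.29.202.130 rather than 192.168.6.82 and arrives with a TTL one hop lower, which is consistent with the 192.168.4.0/24 route via 192.168.6.110 in the routing table and points at the reply path rather than the inbound rule.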
Hello Bob,
Yes it is. Fw is 192.168.6.82 and everything is OK from the 192.168.6 subnet, but from 192.168.4 it is not (port 80). I have defined norfc1918 on ppp0 (net zone) but not on eth0 (loc zone).
Baldo
I have problem getting answer on http request from all my local subnets
but not from local subnet.
Ping and requests on ports 21 22 23 25 110 works fine.
I logged port 80 in rules files and I got
accept entry same for local subnet and other subnets.
Local subnet is 192.168.6
Dec 29 09:52:40 zinfsrv2 kernel: Shorewall:loc2fw:ACCEPT:IN=eth0
OUTMAC=00:09:6b:07:ca:cc:00:10:b5:fa:bd:71:08:00 SRC=192.168.6.5
DST=192.168.6.82 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=9327 DF PROTO=TCP
SPT=1267 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Other subnet
Dec 29 09:53:36 zinfsrv2 kernel: Shorewall:loc2fw:ACCEPT:IN=eth0
OUTMAC=00:09:6b:07:ca:cc:42:00:00:00:00:81:08:00 SRC=192.168.4.4
DST=195.29.202.130 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10071 DF
PROTO=TCP SPT=1060 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
While I got reply on browser in local subnet, on browser on other subnet
I got infinite wait (glasshour cursor).
If I add policy loc fw ACCEPT in policy file everything works fine
There is output from Shorewall status command:
[H[2JShorewall-2.0.8 Status at zinfsrv2.dubrovnik.hr - Sri Pro 29
10:03:40 CET 2004
Counters reset Wed Dec 29 08:24:12 CET 2004
Chain INPUT (policy DROP 3 packets, 389 bytes)
pkts bytes target prot opt in out source
destination
4654 821K ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
378 104K ppp0_in all -- ppp0 * 0.0.0.0/0
0.0.0.0/0
12201 1546K eth0_in all -- eth0 * 0.0.0.0/0
0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:INPUT:REJECT:''
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
0 0 DROP !icmp -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
90 4252 TCPMSS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
142 94271 ppp0_fwd all -- ppp0 * 0.0.0.0/0
0.0.0.0/0
525 46518 eth0_fwd all -- eth0 * 0.0.0.0/0
0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:FORWARD:REJECT:''
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy DROP 2 packets, 224 bytes)
pkts bytes target prot opt in out source
destination
4654 821K ACCEPT all -- * lo 0.0.0.0/0
0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
0 0 ACCEPT udp -- * ppp0 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
533 51169 fw2net all -- * ppp0 0.0.0.0/0
0.0.0.0/0
1354 133K fw2loc all -- * eth0 0.0.0.0/0
0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:OUTPUT:REJECT:''
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0
Chain Drop (1 references)
pkts bytes target prot opt in out source destination
11 1240 RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0
11 1240 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
11 1240 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
11 1240 DropSMB all -- * * 0.0.0.0/0 0.0.0.0/0
11 1240 DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0
11 1240 dropNotSyn all -- * * 0.0.0.0/0 0.0.0.0/0
11 1240 DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DropDNSrep (2 references)
pkts bytes target prot opt in out source destination
1 132 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
Chain DropSMB (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
Chain DropUPnP (2 references)
pkts bytes target prot opt in out source destination
1997 321K DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
Chain Reject (4 references)
pkts bytes target prot opt in out source destination
2130 335K RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0
2126 335K dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
2126 335K dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
2089 333K RejectSMB all -- * * 0.0.0.0/0 0.0.0.0/0
2058 327K DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0
61 6542 dropNotSyn all -- * * 0.0.0.0/0 0.0.0.0/0
60 5042 DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0
Chain RejectAuth (2 references)
pkts bytes target prot opt in out source destination
4 228 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
Chain RejectSMB (1 references)
pkts bytes target prot opt in out source destination
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
22 5782 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
6 288 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
3 144 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
Chain all2all (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2130 335K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
59 4910 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
59 4910 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
37 1652 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
1 1500 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02
Chain dynamic (4 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
398 27444 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
451 36103 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
194 26995 loc2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
331 19523 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
11690 1485K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
353 31627 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
12201 1546K loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
692 97326 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:446
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:523
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1080
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2401
3 180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5300
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5801
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5901
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6001
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:50000
46 4531 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,177,443,513
55 12868 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 137,139,445
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535
551 16436 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 1604 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
337 36604 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
94 5640 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,22,25,53,80,110,443
46 3345 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
21 1764 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
35 3816 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (0 references)
pkts bytes target prot opt in out source destination
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
511 60618 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 328 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 LOG flags 0 level 6 prefix `Shorewall:loc2fw:ACCEPT:''
7 328 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 LOG flags 0 level 6 prefix `Shorewall:loc2fw:ACCEPT:''
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
7 336 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,22,23,25,53,110,523,1080,2401,10000,50000
33 3696 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,177,443,513
9560 1151K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 137,139,445
7 642 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535
30 6088 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
2046 323K all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
127 19074 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
20 960 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,22,25,53,80,110,443
1 57 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
46 6904 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logflags (5 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 4 level 6 prefix `Shorewall:logflags:DROP:''
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (2 references)
pkts bytes target prot opt in out source destination
142 94271 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
11 1240 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
11 1240 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:''
11 1240 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
367 102K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,22,25,53,80,110,443
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
11 1240 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain norfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 rfc1918 all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 172.16.0.0/12
0 0 rfc1918 all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 192.168.0.0/16
0 0 rfc1918 all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 10.0.0.0/8
Chain ppp0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
142 94271 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
142 94271 net2all all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain ppp0_in (1 references)
pkts bytes target prot opt in out source destination
11 1240 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
11 1240 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
145 66247 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
378 104K net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (11 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 DROP all -- * * 192.168.2.255 0.0.0.0/0
0 0 DROP all -- * * 192.168.6.255 0.0.0.0/0
0 0 DROP all -- * * 195.29.202.159 0.0.0.0/0
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
23 1140 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
71 10212 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain rfc1918 (6 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:''
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 192.168.2.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 192.168.2.255 0.0.0.0/0
0 0 LOG all -- * * 192.168.6.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 192.168.6.255 0.0.0.0/0
0 0 LOG all -- * * 195.29.202.159 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 195.29.202.159 0.0.0.0/0
0 0 LOG all -- * * 255.255.255.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 LOG all -- * * 224.0.0.0/4 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
Chain tcpflags (4 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0 flags:0x16/0x02
Dec 29 09:48:11 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8549 DF PROTO=UDP SPT=513 DPT=513 LEN=92
Dec 29 09:50:03 net2all:DROP:IN=ppp0 OUT= SRC=203.198.111.109 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=37731 DF PROTO=TCP SPT=2902 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 29 09:50:11 all2all:REJECT:IN=eth0 OUT=ppp0 SRC=192.168.6.5 DST=195.29.202.253 LEN=31 TOS=0x00 PREC=0x00 TTL=127 ID=879 PROTO=UDP SPT=13991 DPT=13991 LEN=11
Dec 29 09:51:11 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8551 DF PROTO=UDP SPT=513 DPT=513 LEN=92
Dec 29 09:52:40 loc2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.6.5 DST=192.168.6.82 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=9327 DF PROTO=TCP SPT=1267 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 29 09:53:36 loc2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.4.4 DST=195.29.202.130 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10071 DF PROTO=TCP SPT=1060 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 29 09:54:11 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8553 DF PROTO=UDP SPT=513 DPT=513 LEN=92
Dec 29 09:55:08 net2all:DROP:IN=ppp0 OUT= SRC=83.131.131.215 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=46981 DF PROTO=TCP SPT=1405 DPT=1025 WINDOW=64800 RES=0x00 SYN URGP=0
Dec 29 09:55:10 net2all:DROP:IN=ppp0 OUT= SRC=83.131.131.215 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=47100 DF PROTO=TCP SPT=1405 DPT=1025 WINDOW=64800 RES=0x00 SYN URGP=0
Dec 29 09:55:14 all2all:REJECT:IN=eth0 OUT= SRC=192.168.6.110 DST=192.168.6.82 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=11264 DF PROTO=TCP SPT=54217 DPT=397 WINDOW=32768 RES=0x00 SYN URGP=0
Dec 29 09:55:15 net2all:DROP:IN=ppp0 OUT= SRC=83.131.131.215 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=47333 DF PROTO=TCP SPT=1405 DPT=1025 WINDOW=64800 RES=0x00 SYN URGP=0
Dec 29 09:57:11 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8555 DF PROTO=UDP SPT=513 DPT=513 LEN=92
Dec 29 09:58:06 net2all:DROP:IN=ppp0 OUT= SRC=204.9.65.156 DST=83.131.133.47 LEN=404 TOS=0x00 PREC=0x00 TTL=119 ID=18526 PROTO=UDP SPT=4941 DPT=1434 LEN=384
Dec 29 10:00:04 all2all:REJECT:IN=eth0 OUT=ppp0 SRC=192.168.6.5 DST=195.29.202.253 LEN=31 TOS=0x00 PREC=0x00 TTL=127 ID=54127 PROTO=UDP SPT=13991 DPT=13991 LEN=11
Dec 29 10:00:11 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8557 DF PROTO=UDP SPT=513 DPT=513 LEN=92
Dec 29 10:00:27 net2all:DROP:IN=ppp0 OUT= SRC=60.196.56.118 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=48501 DF PROTO=TCP SPT=3858 DPT=12345 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 29 10:00:30 net2all:DROP:IN=ppp0 OUT= SRC=60.196.56.118 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=57632 DF PROTO=TCP SPT=3858 DPT=12345 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 29 10:01:57 loc2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.6.5 DST=192.168.6.82 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=61039 DF PROTO=TCP SPT=1269 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 29 10:02:09 loc2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.4.4 DST=195.29.202.130 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10172 DF PROTO=TCP SPT=1061 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 29 10:03:12 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8559 DF PROTO=UDP SPT=513 DPT=513 LEN=92
NAT Table
Chain PREROUTING (policy ACCEPT 287K packets, 35M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 8723 packets, 382K bytes)
pkts bytes target prot opt in out source destination
91 5894 ppp0_masq all -- * ppp0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 8828 packets, 412K bytes)
pkts bytes target prot opt in out source destination
Chain ppp0_masq (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 195.29.202.128/27 0.0.0.0/0
0 0 MASQUERADE all -- * * 195.29.202.0/25 0.0.0.0/0
20 969 MASQUERADE all -- * * 192.168.6.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.4.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.3.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.2.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.1.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.11.0/24 0.0.0.0/0
Mangle Table
Chain PREROUTING (policy ACCEPT 602K packets, 221M bytes)
pkts bytes target prot opt in out source destination
46983 6169K pretos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 2044K packets, 390M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 539K packets, 437M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 37155 packets, 6116K bytes)
pkts bytes target prot opt in out source destination
6581 1009K outtos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 1445K packets, 711M bytes)
pkts bytes target prot opt in out source destination
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
171 7955 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
4 208 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
175 7229 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
tcp 6 347779 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43845 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43845 [ASSURED] use=1
tcp 6 82138 ESTABLISHED src=195.29.107.219 dst=195.29.202.130 sport=1571 dport=25 src=195.29.202.130 dst=195.29.107.219 sport=25 dport=1571 [ASSURED] use=1
udp 17 17 src=192.168.2.78 dst=192.168.2.255 sport=138 dport=138 [UNREPLIED] src=192.168.2.255 dst=192.168.2.78 sport=138 dport=138 use=1
tcp 6 118983 ESTABLISHED src=217.71.49.169 dst=195.29.202.130 sport=3621 dport=25 src=195.29.202.130 dst=217.71.49.169 sport=25 dport=3621 [ASSURED] use=1
udp 17 23 src=195.29.202.129 dst=195.29.202.159 sport=138 dport=138 [UNREPLIED] src=195.29.202.159 dst=195.29.202.129 sport=138 dport=138 use=1
tcp 6 98212 ESTABLISHED src=195.29.102.72 dst=195.29.202.130 sport=1654 dport=25 src=195.29.202.130 dst=195.29.102.72 sport=25 dport=1654 [ASSURED] use=1
tcp 6 63 TIME_WAIT src=192.168.6.82 dst=192.168.6.82 sport=47166 dport=5353 src=192.168.6.82 dst=192.168.6.82 sport=5353 dport=47166 [ASSURED] use=1
tcp 6 338493 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3072 dport=80 src=143.127.8.50 dst=83.131.142.104 sport=80 dport=3072 [ASSURED] use=1
tcp 6 338683 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3079 dport=80 src=143.127.8.50 dst=83.131.142.104 sport=80 dport=3079 [ASSURED] use=1
tcp 6 216770 ESTABLISHED src=83.30.213.130 dst=195.29.202.130 sport=1773 dport=25 src=195.29.202.130 dst=83.30.213.130 sport=25 dport=1773 [ASSURED] use=1
tcp 6 18 TIME_WAIT src=195.29.202.130 dst=195.29.202.131 sport=47165 dport=5300 src=195.29.202.131 dst=195.29.202.130 sport=5300 dport=47165 [ASSURED] use=1
tcp 6 338873 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3091 dport=80 src=143.127.8.50 dst=83.131.142.104 sport=80 dport=3091 [ASSURED] use=1
tcp 6 37 TIME_WAIT src=192.168.6.5 dst=192.168.6.82 sport=1269 dport=80 src=192.168.6.82 dst=192.168.6.5 sport=80 dport=1269 [ASSURED] use=1
tcp 6 266339 ESTABLISHED src=195.29.108.124 dst=195.29.202.130 sport=1405 dport=25 src=195.29.202.130 dst=195.29.108.124 sport=25 dport=1405 [ASSURED] use=1
tcp 6 348030 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43504 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43504 [ASSURED] use=1
tcp 6 431676 ESTABLISHED src=192.168.6.2 dst=192.168.2.49 sport=1037 dport=23 [UNREPLIED] src=192.168.2.49 dst=192.168.6.2 sport=23 dport=1037 use=1
tcp 6 425314 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3109 dport=80 src=143.127.8.50 dst=83.131.133.20 sport=80 dport=3109 [ASSURED] use=1
udp 17 0 src=192.168.6.82 dst=192.168.6.255 sport=513 dport=513 [UNREPLIED] src=192.168.6.255 dst=192.168.6.82 sport=513 dport=513 use=1
tcp 6 370612 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43506 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43506 [ASSURED] use=1
tcp 6 431898 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43518 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43518 [ASSURED] use=1
tcp 6 424453 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43497 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43497 [ASSURED] use=1
tcp 6 425209 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3093 dport=80 src=143.127.8.50 dst=83.131.133.47 sport=80 dport=3093 [ASSURED] use=1
tcp 6 424519 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43492 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43492 [ASSURED] use=1
tcp 6 426336 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43521 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43521 [ASSURED] use=1
tcp 6 428216 ESTABLISHED src=192.168.6.6 dst=195.29.202.49 sport=1040 dport=23 [UNREPLIED] src=195.29.202.49 dst=192.168.6.6 sport=23 dport=1040 use=1
tcp 6 424592 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43499 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43499 [ASSURED] use=1
udp 17 28 src=192.168.2.49 dst=192.168.2.255 sport=137 dport=137 [UNREPLIED] src=192.168.2.255 dst=192.168.2.49 sport=137 dport=137 use=1
tcp 6 338304 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3065 dport=80 src=143.127.8.50 dst=83.131.142.104 sport=80 dport=3065 [ASSURED] use=1
udp 17 28 src=192.168.2.49 dst=192.168.2.255 sport=138 dport=138 [UNREPLIED] src=192.168.2.255 dst=192.168.2.49 sport=138 dport=138 use=1
tcp 6 431340 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43523 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43523 [ASSURED] use=1
tcp 6 73 TIME_WAIT src=192.168.4.4 dst=195.29.202.130 sport=1061 dport=80 src=195.29.202.130 dst=192.168.4.4 sport=80 dport=1061 [ASSURED] use=1
tcp 6 424550 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43539 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43539 [ASSURED] use=1
IP Configuration
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
inet6 ff02::1/128 scope global
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:09:6b:07:ca:cc brd ff:ff:ff:ff:ff:ff
inet 192.168.6.82/24 brd 192.168.6.255 scope global eth0
inet 192.168.2.111/24 brd 192.168.2.255 scope global eth0:1
inet 195.29.202.130/27 brd 195.29.202.159 scope global eth0:2
inet6 fe80::209:6bff:fe07:cacc/64 scope link
valid_lft forever preferred_lft forever
inet6 ff02::1:ff07:cacc/128 scope global
valid_lft forever preferred_lft forever
inet6 ff02::1/128 scope global
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:06:29:c9:3c:39 brd ff:ff:ff:ff:ff:ff
inet6 fe80::206:29ff:fec9:3c39/64 scope link
valid_lft forever preferred_lft forever
inet6 ff02::1:ffc9:3c39/128 scope global
valid_lft forever preferred_lft forever
inet6 ff02::1/128 scope global
valid_lft forever preferred_lft forever
6: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
58: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
link/ppp
inet 83.131.133.47 peer 172.29.252.11/32 scope global ppp0
Routing Rules
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Table local:
local 83.131.133.47 dev ppp0 proto kernel scope host src 83.131.133.47
broadcast 192.168.6.255 dev eth0 proto kernel scope link src 192.168.6.82
broadcast 195.29.202.159 dev eth0 proto kernel scope link src 195.29.202.130
broadcast 192.168.2.255 dev eth0 proto kernel scope link src 192.168.2.111
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.2.111 dev eth0 proto kernel scope host src 192.168.2.111
broadcast 192.168.6.0 dev eth0 proto kernel scope link src 192.168.6.82
local 192.168.6.82 dev eth0 proto kernel scope host src 192.168.6.82
broadcast 192.168.2.0 dev eth0 proto kernel scope link src 192.168.2.111
local 195.29.202.130 dev eth0 proto kernel scope host src 195.29.202.130
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 195.29.202.128 dev eth0 proto kernel scope link src 195.29.202.130
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
172.29.252.11 dev ppp0 proto kernel scope link src 83.131.133.47
195.29.202.128/27 dev eth0 proto kernel scope link src 195.29.202.130
195.29.202.0/25 via 192.168.6.110 dev eth0
192.168.6.0/24 dev eth0 scope link
192.168.4.0/24 via 192.168.6.110 dev eth0
192.168.3.0/24 via 192.168.6.110 dev eth0
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.111
192.168.1.0/24 via 192.168.6.110 dev eth0
192.168.11.0/24 via 192.168.6.3 dev eth0
127.0.0.0/8 dev lo scope link
default via 172.29.252.11 dev ppp0
Table default:
Regards Baldo Franic
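The workaround described in the post (a blanket `loc fw ACCEPT` policy) makes the symptom disappear but also removes the evidence: whatever all2all was rejecting for loc->fw is then accepted without a log entry. The log lines already present in the status output are enough to see what that traffic is. The script below is an added example for this page, not code from the post and not part of Shorewall: it parses Shorewall LOG lines (both the raw `host kernel: Shorewall:chain:disposition:` form and the stripped form that `shorewall status` prints), assigns each entry a zone pair from the interface-to-zone mapping visible in the status output (eth0 = loc, ppp0 = net; anything with an empty IN= or OUT= is the firewall itself), counts the non-ACCEPT entries by zone pair, protocol and destination port, and lists the rejected loc->fw traffic a blanket policy would start admitting. The sample input is the post's own log lines copied into the script; the `OUT= MAC=` spacing of the raw line, which the page runs together as `OUTMAC=`, is restored as the kernel prints it.

```python
import re
from collections import Counter

# Interface-to-zone map read off the status output above (eth0_in feeds
# loc2fw, ppp0_in feeds net2fw). Assumption: no other interface is zoned.
IFACE_ZONES = {"eth0": "loc", "ppp0": "net"}

# syslog timestamp, optional "host kernel:" (raw /var/log/messages form),
# optional "Shorewall:" tag ("shorewall status" strips it), then chain:disposition:
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)"
    r"(?:\s+\S+\s+kernel:)?\s+"
    r"(?:Shorewall:)?(?P<chain>\w+):(?P<disp>\w+):"
    r"(?P<rest>.*)$"
)
INT_FIELDS = ("LEN", "LEN_L4", "TTL", "ID", "SPT", "DPT")


def parse_line(line):
    """One Shorewall/netfilter LOG line -> dict, or None if the line is not one.

    key=value tokens become fields; bare tokens (DF, SYN, ACK ...) go into
    'flags'. UDP lines carry LEN twice (IP total length, then UDP length);
    the second one is stored as LEN_L4 so it does not overwrite the first.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "chain": m["chain"], "disposition": m["disp"], "flags": set()}
    for tok in m["rest"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key in rec:
                key += "_L4"
            rec[key] = val
        else:
            rec["flags"].add(tok)
    for key in INT_FIELDS:
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def zone_pair(rec, iface_zones=IFACE_ZONES):
    """(from_zone, to_zone) of a record; an empty IN= or OUT= is the firewall itself."""
    def zone(iface):
        return "fw" if not iface else iface_zones.get(iface, "?")
    return zone(rec.get("IN", "")), zone(rec.get("OUT", ""))


def summarize(text, iface_zones=IFACE_ZONES):
    """Count every non-ACCEPT entry by (from_zone, to_zone, proto, dport)."""
    counts = Counter()
    for rec in map(parse_line, text.splitlines()):
        if rec is None or rec["disposition"] == "ACCEPT":
            continue
        frm, to = zone_pair(rec, iface_zones)
        counts[(frm, to, rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts


def blocked_between(text, frm, to, iface_zones=IFACE_ZONES):
    """Entries rejected or dropped for one zone pair: exactly the traffic a
    blanket ACCEPT policy for that pair would start admitting without a log."""
    return [rec for rec in map(parse_line, text.splitlines())
            if rec and rec["disposition"] != "ACCEPT"
            and zone_pair(rec, iface_zones) == (frm, to)]


# Constructed test input: seven of the log lines from the status output in the
# post, one per line (the page wraps them; the kernel writes each as one line).
SAMPLE_LOG = """\
Dec 29 09:48:11 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8549 DF PROTO=UDP SPT=513 DPT=513 LEN=92
Dec 29 09:50:03 net2all:DROP:IN=ppp0 OUT= SRC=203.198.111.109 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=37731 DF PROTO=TCP SPT=2902 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 29 09:50:11 all2all:REJECT:IN=eth0 OUT=ppp0 SRC=192.168.6.5 DST=195.29.202.253 LEN=31 TOS=0x00 PREC=0x00 TTL=127 ID=879 PROTO=UDP SPT=13991 DPT=13991 LEN=11
Dec 29 09:52:40 loc2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.6.5 DST=192.168.6.82 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=9327 DF PROTO=TCP SPT=1267 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 29 09:53:36 loc2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.4.4 DST=195.29.202.130 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10071 DF PROTO=TCP SPT=1060 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 29 09:55:14 all2all:REJECT:IN=eth0 OUT= SRC=192.168.6.110 DST=192.168.6.82 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=11264 DF PROTO=TCP SPT=54217 DPT=397 WINDOW=32768 RES=0x00 SYN URGP=0
Dec 29 09:58:06 net2all:DROP:IN=ppp0 OUT= SRC=204.9.65.156 DST=83.131.133.47 LEN=404 TOS=0x00 PREC=0x00 TTL=119 ID=18526 PROTO=UDP SPT=4941 DPT=1434 LEN=384
"""

# The 09:52:40 event in raw /var/log/messages form, as quoted at the top of the
# post. The page's copy runs "OUT= MAC=" together as "OUTMAC="; the kernel
# prints two fields, and that spacing is restored here.
KERNEL_LINE = ("Dec 29 09:52:40 zinfsrv2 kernel: Shorewall:loc2fw:ACCEPT:IN=eth0 OUT= "
               "MAC=00:09:6b:07:ca:cc:00:10:b5:fa:bd:71:08:00 SRC=192.168.6.5 DST=192.168.6.82 "
               "LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=9327 DF PROTO=TCP SPT=1267 DPT=80 "
               "WINDOW=5840 RES=0x00 SYN URGP=0")

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(f"{key[0]}->{key[1]} {key[2]} dport {key[3]}: {n}")
    for rec in blocked_between(SAMPLE_LOG, "loc", "fw"):
        print("a loc->fw ACCEPT policy would silently admit:",
              rec["SRC"], "->", rec["DST"], rec["PROTO"], rec["DPT"])
```

Run it over `grep Shorewall: /var/log/messages` instead of the embedded sample to get the same summary for a live box. On the sample, the only loc->fw entry that the REJECT policy caught is 192.168.6.110 -> 192.168.6.82 tcp/397, and 192.168.6.110 is the next hop for the 192.168.4.0/24, 192.168.3.0/24 and 192.168.1.0/24 routes in the routing table above; that is the entry to turn into an explicit rule (ACCEPT or a logged REJECT) before reaching for a zone-wide ACCEPT, because after the policy change it would no longer be logged at all.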
bfranic wrote:
> I have problem getting answer on http request from all my local subnets
> but not from local subnet.
>
> Ping and requests on ports 21 22 23 25 110 works fine.
>
> I logged port 80 in rules files and I got
> accept entry same for local subnet and other subnets.
>
> Local subnet is 192.168.6

Hello, your first phrase is a little confusing. Please check it.
Anyway, let me try guessing. Do you have the norfc1918 option defined on your network interface?

Bob
I have a problem getting an answer to HTTP requests from all my subnets in
the intranet (192.168.2, 192.168.3, 192.168.4 ...) but not from the local
subnet (192.168.6). The firewall machine with Apache is 192.168.6.82.
destination
142 94271 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
11 1240 Drop all -- * * 0.0.0.0/0
0.0.0.0/0
11 1240 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:net2all:DROP:''
11 1240 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source
destination
367 102K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 21,22,25,53,80,110,443
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
11 1240 net2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain norfc1918 (2 references)
pkts bytes target prot opt in out source
destination
0 0 rfc1918 all -- * * 172.16.0.0/12
0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 172.16.0.0/12
0 0 rfc1918 all -- * * 192.168.0.0/16
0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 192.168.0.0/16
0 0 rfc1918 all -- * * 10.0.0.0/8
0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 10.0.0.0/8
Chain ppp0_fwd (1 references)
pkts bytes target prot opt in out source
destination
0 0 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
0 0 norfc1918 all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
142 94271 tcpflags tcp -- * * 0.0.0.0/0
0.0.0.0/0
142 94271 net2all all -- * eth0 0.0.0.0/0
0.0.0.0/0
Chain ppp0_in (1 references)
pkts bytes target prot opt in out source
destination
11 1240 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
11 1240 norfc1918 all -- * * 0.0.0.0/0
0.0.0.0/0 state NEW
145 66247 tcpflags tcp -- * * 0.0.0.0/0
0.0.0.0/0
378 104K net2fw all -- * * 0.0.0.0/0
0.0.0.0/0
Chain reject (11 references)
pkts bytes target prot opt in out source
destination
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 PKTTYPE = multicast
0 0 DROP all -- * * 192.168.2.255
0.0.0.0/0
0 0 DROP all -- * * 192.168.6.255
0.0.0.0/0
0 0 DROP all -- * * 195.29.202.159
0.0.0.0/0
0 0 DROP all -- * * 255.255.255.255
0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4
0.0.0.0/0
23 1140 REJECT tcp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with tcp-reset
71 10212 REJECT udp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-prohibited
Chain rfc1918 (6 references)
pkts bytes target prot opt in out source
destination
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
`Shorewall:rfc1918:DROP:''
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source
destination
Chain smurfs (0 references)
pkts bytes target prot opt in out source
destination
0 0 LOG all -- * * 192.168.2.255
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 192.168.2.255
0.0.0.0/0
0 0 LOG all -- * * 192.168.6.255
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 192.168.6.255
0.0.0.0/0
0 0 LOG all -- * * 195.29.202.159
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 195.29.202.159
0.0.0.0/0
0 0 LOG all -- * * 255.255.255.255
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 255.255.255.255
0.0.0.0/0
0 0 LOG all -- * * 224.0.0.0/4
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
0 0 DROP all -- * * 224.0.0.0/4
0.0.0.0/0
Chain tcpflags (4 references)
pkts bytes target prot opt in out source
destination
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:0 flags:0x16/0x02
Dec 29 09:48:11 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8549 DF PROTO=UDP SPT=513 DPT=513 LEN=92
Dec 29 09:50:03 net2all:DROP:IN=ppp0 OUT= SRC=203.198.111.109 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=37731 DF PROTO=TCP SPT=2902 DPT=9898 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 29 09:50:11 all2all:REJECT:IN=eth0 OUT=ppp0 SRC=192.168.6.5 DST=195.29.202.253 LEN=31 TOS=0x00 PREC=0x00 TTL=127 ID=879 PROTO=UDP SPT=13991 DPT=13991 LEN=11
Dec 29 09:51:11 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8551 DF PROTO=UDP SPT=513 DPT=513 LEN=92
Dec 29 09:52:40 loc2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.6.5 DST=192.168.6.82 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=9327 DF PROTO=TCP SPT=1267 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 29 09:53:36 loc2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.4.4 DST=195.29.202.130 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10071 DF PROTO=TCP SPT=1060 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 29 09:54:11 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8553 DF PROTO=UDP SPT=513 DPT=513 LEN=92
Dec 29 09:55:08 net2all:DROP:IN=ppp0 OUT= SRC=83.131.131.215 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=46981 DF PROTO=TCP SPT=1405 DPT=1025 WINDOW=64800 RES=0x00 SYN URGP=0
Dec 29 09:55:10 net2all:DROP:IN=ppp0 OUT= SRC=83.131.131.215 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=47100 DF PROTO=TCP SPT=1405 DPT=1025 WINDOW=64800 RES=0x00 SYN URGP=0
Dec 29 09:55:14 all2all:REJECT:IN=eth0 OUT= SRC=192.168.6.110 DST=192.168.6.82 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=11264 DF PROTO=TCP SPT=54217 DPT=397 WINDOW=32768 RES=0x00 SYN URGP=0
Dec 29 09:55:15 net2all:DROP:IN=ppp0 OUT= SRC=83.131.131.215 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=47333 DF PROTO=TCP SPT=1405 DPT=1025 WINDOW=64800 RES=0x00 SYN URGP=0
Dec 29 09:57:11 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8555 DF PROTO=UDP SPT=513 DPT=513 LEN=92
Dec 29 09:58:06 net2all:DROP:IN=ppp0 OUT= SRC=204.9.65.156 DST=83.131.133.47 LEN=404 TOS=0x00 PREC=0x00 TTL=119 ID=18526 PROTO=UDP SPT=4941 DPT=1434 LEN=384
Dec 29 10:00:04 all2all:REJECT:IN=eth0 OUT=ppp0 SRC=192.168.6.5 DST=195.29.202.253 LEN=31 TOS=0x00 PREC=0x00 TTL=127 ID=54127 PROTO=UDP SPT=13991 DPT=13991 LEN=11
Dec 29 10:00:11 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8557 DF PROTO=UDP SPT=513 DPT=513 LEN=92
Dec 29 10:00:27 net2all:DROP:IN=ppp0 OUT= SRC=60.196.56.118 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=48501 DF PROTO=TCP SPT=3858 DPT=12345 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 29 10:00:30 net2all:DROP:IN=ppp0 OUT= SRC=60.196.56.118 DST=83.131.133.47 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=57632 DF PROTO=TCP SPT=3858 DPT=12345 WINDOW=64240 RES=0x00 SYN URGP=0
Dec 29 10:01:57 loc2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.6.5 DST=192.168.6.82 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=61039 DF PROTO=TCP SPT=1269 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 29 10:02:09 loc2fw:ACCEPT:IN=eth0 OUT= SRC=192.168.4.4 DST=195.29.202.130 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10172 DF PROTO=TCP SPT=1061 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 29 10:03:12 all2all:REJECT:IN= OUT=ppp0 SRC=83.131.133.47 DST=172.29.252.11 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=8559 DF PROTO=UDP SPT=513 DPT=513 LEN=92
NAT Table
Chain PREROUTING (policy ACCEPT 287K packets, 35M bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 8723 packets, 382K bytes)
pkts bytes target prot opt in out source
destination
91 5894 ppp0_masq all -- * ppp0 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy ACCEPT 8828 packets, 412K bytes)
pkts bytes target prot opt in out source
destination
Chain ppp0_masq (1 references)
pkts bytes target prot opt in out source
destination
0 0 MASQUERADE all -- * * 195.29.202.128/27
0.0.0.0/0
0 0 MASQUERADE all -- * * 195.29.202.0/25
0.0.0.0/0
20 969 MASQUERADE all -- * * 192.168.6.0/24
0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.4.0/24
0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.3.0/24
0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.2.0/24
0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.1.0/24
0.0.0.0/0
0 0 MASQUERADE all -- * * 192.168.11.0/24
0.0.0.0/0
Mangle Table
Chain PREROUTING (policy ACCEPT 602K packets, 221M bytes)
pkts bytes target prot opt in out source
destination
46983 6169K pretos all -- * * 0.0.0.0/0
0.0.0.0/0
Chain INPUT (policy ACCEPT 2044K packets, 390M bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 539K packets, 437M bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 37155 packets, 6116K bytes)
pkts bytes target prot opt in out source
destination
6581 1009K outtos all -- * * 0.0.0.0/0
0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 1445K packets, 711M bytes)
pkts bytes target prot opt in out source
destination
Chain outtos (1 references)
pkts bytes target prot opt in out source
destination
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21 TOS set 0x10
171 7955 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source
destination
4 208 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:22 TOS set 0x10
175 7229 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:20 TOS set 0x08
tcp 6 347779 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43845 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43845 [ASSURED] use=1
tcp 6 82138 ESTABLISHED src=195.29.107.219 dst=195.29.202.130 sport=1571 dport=25 src=195.29.202.130 dst=195.29.107.219 sport=25 dport=1571 [ASSURED] use=1
udp 17 17 src=192.168.2.78 dst=192.168.2.255 sport=138 dport=138 [UNREPLIED] src=192.168.2.255 dst=192.168.2.78 sport=138 dport=138 use=1
tcp 6 118983 ESTABLISHED src=217.71.49.169 dst=195.29.202.130 sport=3621 dport=25 src=195.29.202.130 dst=217.71.49.169 sport=25 dport=3621 [ASSURED] use=1
udp 17 23 src=195.29.202.129 dst=195.29.202.159 sport=138 dport=138 [UNREPLIED] src=195.29.202.159 dst=195.29.202.129 sport=138 dport=138 use=1
tcp 6 98212 ESTABLISHED src=195.29.102.72 dst=195.29.202.130 sport=1654 dport=25 src=195.29.202.130 dst=195.29.102.72 sport=25 dport=1654 [ASSURED] use=1
tcp 6 63 TIME_WAIT src=192.168.6.82 dst=192.168.6.82 sport=47166 dport=5353 src=192.168.6.82 dst=192.168.6.82 sport=5353 dport=47166 [ASSURED] use=1
tcp 6 338493 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3072 dport=80 src=143.127.8.50 dst=83.131.142.104 sport=80 dport=3072 [ASSURED] use=1
tcp 6 338683 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3079 dport=80 src=143.127.8.50 dst=83.131.142.104 sport=80 dport=3079 [ASSURED] use=1
tcp 6 216770 ESTABLISHED src=83.30.213.130 dst=195.29.202.130 sport=1773 dport=25 src=195.29.202.130 dst=83.30.213.130 sport=25 dport=1773 [ASSURED] use=1
tcp 6 18 TIME_WAIT src=195.29.202.130 dst=195.29.202.131 sport=47165 dport=5300 src=195.29.202.131 dst=195.29.202.130 sport=5300 dport=47165 [ASSURED] use=1
tcp 6 338873 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3091 dport=80 src=143.127.8.50 dst=83.131.142.104 sport=80 dport=3091 [ASSURED] use=1
tcp 6 37 TIME_WAIT src=192.168.6.5 dst=192.168.6.82 sport=1269 dport=80 src=192.168.6.82 dst=192.168.6.5 sport=80 dport=1269 [ASSURED] use=1
tcp 6 266339 ESTABLISHED src=195.29.108.124 dst=195.29.202.130 sport=1405 dport=25 src=195.29.202.130 dst=195.29.108.124 sport=25 dport=1405 [ASSURED] use=1
tcp 6 348030 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43504 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43504 [ASSURED] use=1
tcp 6 431676 ESTABLISHED src=192.168.6.2 dst=192.168.2.49 sport=1037 dport=23 [UNREPLIED] src=192.168.2.49 dst=192.168.6.2 sport=23 dport=1037 use=1
tcp 6 425314 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3109 dport=80 src=143.127.8.50 dst=83.131.133.20 sport=80 dport=3109 [ASSURED] use=1
udp 17 0 src=192.168.6.82 dst=192.168.6.255 sport=513 dport=513 [UNREPLIED] src=192.168.6.255 dst=192.168.6.82 sport=513 dport=513 use=1
tcp 6 370612 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43506 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43506 [ASSURED] use=1
tcp 6 431898 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43518 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43518 [ASSURED] use=1
tcp 6 424453 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43497 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43497 [ASSURED] use=1
tcp 6 425209 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3093 dport=80 src=143.127.8.50 dst=83.131.133.47 sport=80 dport=3093 [ASSURED] use=1
tcp 6 424519 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43492 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43492 [ASSURED] use=1
tcp 6 426336 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43521 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43521 [ASSURED] use=1
tcp 6 428216 ESTABLISHED src=192.168.6.6 dst=195.29.202.49 sport=1040 dport=23 [UNREPLIED] src=195.29.202.49 dst=192.168.6.6 sport=23 dport=1040 use=1
tcp 6 424592 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43499 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43499 [ASSURED] use=1
udp 17 28 src=192.168.2.49 dst=192.168.2.255 sport=137 dport=137 [UNREPLIED] src=192.168.2.255 dst=192.168.2.49 sport=137 dport=137 use=1
tcp 6 338304 ESTABLISHED src=192.168.6.11 dst=143.127.8.50 sport=3065 dport=80 src=143.127.8.50 dst=83.131.142.104 sport=80 dport=3065 [ASSURED] use=1
udp 17 28 src=192.168.2.49 dst=192.168.2.255 sport=138 dport=138 [UNREPLIED] src=192.168.2.255 dst=192.168.2.49 sport=138 dport=138 use=1
tcp 6 431340 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43523 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43523 [ASSURED] use=1
tcp 6 73 TIME_WAIT src=192.168.4.4 dst=195.29.202.130 sport=1061 dport=80 src=195.29.202.130 dst=192.168.4.4 sport=80 dport=1061 [ASSURED] use=1
tcp 6 424550 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=43539 dport=8009 src=127.0.0.1 dst=127.0.0.1 sport=8009 dport=43539 [ASSURED] use=1
IP Configuration
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
inet6 ff02::1/128 scope global
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:09:6b:07:ca:cc brd ff:ff:ff:ff:ff:ff
inet 192.168.6.82/24 brd 192.168.6.255 scope global eth0
inet 192.168.2.111/24 brd 192.168.2.255 scope global eth0:1
inet 195.29.202.130/27 brd 195.29.202.159 scope global eth0:2
inet6 fe80::209:6bff:fe07:cacc/64 scope link
valid_lft forever preferred_lft forever
inet6 ff02::1:ff07:cacc/128 scope global
valid_lft forever preferred_lft forever
inet6 ff02::1/128 scope global
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:06:29:c9:3c:39 brd ff:ff:ff:ff:ff:ff
inet6 fe80::206:29ff:fec9:3c39/64 scope link
valid_lft forever preferred_lft forever
inet6 ff02::1:ffc9:3c39/128 scope global
valid_lft forever preferred_lft forever
inet6 ff02::1/128 scope global
valid_lft forever preferred_lft forever
6: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
58: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
link/ppp
inet 83.131.133.47 peer 172.29.252.11/32 scope global ppp0
Routing Rules
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Table local:
local 83.131.133.47 dev ppp0 proto kernel scope host src 83.131.133.47
broadcast 192.168.6.255 dev eth0 proto kernel scope link src 192.168.6.82
broadcast 195.29.202.159 dev eth0 proto kernel scope link src 195.29.202.130
broadcast 192.168.2.255 dev eth0 proto kernel scope link src
192.168.2.111
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.2.111 dev eth0 proto kernel scope host src 192.168.2.111
broadcast 192.168.6.0 dev eth0 proto kernel scope link src 192.168.6.82
local 192.168.6.82 dev eth0 proto kernel scope host src 192.168.6.82
broadcast 192.168.2.0 dev eth0 proto kernel scope link src 192.168.2.111
local 195.29.202.130 dev eth0 proto kernel scope host src 195.29.202.130
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 195.29.202.128 dev eth0 proto kernel scope link src 195.29.202.130
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
172.29.252.11 dev ppp0 proto kernel scope link src 83.131.133.47
195.29.202.128/27 dev eth0 proto kernel scope link src 195.29.202.130
195.29.202.0/25 via 192.168.6.110 dev eth0
192.168.6.0/24 dev eth0 scope link
192.168.4.0/24 via 192.168.6.110 dev eth0
192.168.3.0/24 via 192.168.6.110 dev eth0
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.111
192.168.1.0/24 via 192.168.6.110 dev eth0
192.168.11.0/24 via 192.168.6.3 dev eth0
127.0.0.0/8 dev lo scope link
default via 172.29.252.11 dev ppp0
Table default:
Regards Baldo Franic
On Wed, 2004-12-29 at 11:36 +0100, bfranic wrote:
> I have problem getting answer on http request from all my local subnets
> but not from local subnet.
>
> Ping and requests on ports 21 22 23 25 110 works fine.
>
> I logged port 80 in rules files and I got
> accept entry same for local subnet and other subnets.
>
> Local subnet is 192.168.6
> Dec 29 09:52:40 zinfsrv2 kernel: Shorewall:loc2fw:ACCEPT:IN=eth0 OUT=
> MAC=00:09:6b:07:ca:cc:00:10:b5:fa:bd:71:08:00 SRC=192.168.6.5
> DST=192.168.6.82 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=9327 DF PROTO=TCP
> SPT=1267 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Other subnet
> Dec 29 09:53:36 zinfsrv2 kernel: Shorewall:loc2fw:ACCEPT:IN=eth0 OUT=
> MAC=00:09:6b:07:ca:cc:42:00:00:00:00:81:08:00 SRC=192.168.4.4
> DST=195.29.202.130 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10071 DF
> PROTO=TCP SPT=1060 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
>
> While I got reply on browser in local subnet, on browser on other subnet
> I got infinite wait (glasshour cursor).
>
> If I add policy loc fw ACCEPT in policy file everything works fine
>

Try setting CLAMPMSS=Yes in shorewall.conf. Note that all of the
multi-interface QuickStart Guides recommend that you do that when your
internet interface is via PPPoE, PPTP, etc...

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Wed, 2004-12-29 at 11:08 -0800, Tom Eastep wrote:
> On Wed, 2004-12-29 at 11:36 +0100, bfranic wrote:
> [...]
> > If I add policy loc fw ACCEPT in policy file everything works fine
> >
>
> Try setting CLAMPMSS=Yes in shorewall.conf. Note that all of the
> multi-interface QuickStart Guides recommend that you do that when your
> internet interface is via PPPoE, PPTP, etc...

Oops -- sorry, my search string was wrong; I see that you are setting
CLAMPMSS. This still looks like an MTU problem though...

-Tom
On Wed, 2004-12-29 at 11:12 -0800, Tom Eastep wrote:
> On Wed, 2004-12-29 at 11:08 -0800, Tom Eastep wrote:
> > On Wed, 2004-12-29 at 11:36 +0100, bfranic wrote:
> > [...]
> > > If I add policy loc fw ACCEPT in policy file everything works fine
> > >
> >
> > Try setting CLAMPMSS=Yes in shorewall.conf. Note that all of the
> > multi-interface QuickStart Guides recommend that you do that when your
> > internet interface is via PPPoE, PPTP, etc...
>
> Oops -- sorry, my search string was wrong; I see that you are setting
> CLAMPMSS. This still looks like an MTU problem though...

Note that the TCP session DOES GET ESTABLISHED:

tcp 6 73 TIME_WAIT src=192.168.4.4 dst=195.29.202.130 sport=1061 dport=80 src=195.29.202.130 dst=192.168.4.4 sport=80 dport=1061 [ASSURED] use=1

Have you tried looking at the traffic to/from 192.168.4.4 with tcpdump
or ethereal while you are trying to load web pages?

-Tom
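Reading the capture Tom asks for: the script below is an added example, not code from this thread or from Shorewall. It takes `tcpdump -vv` text in the layout the tcpdump version used here prints (one record per timestamp, possibly wrapped over several lines by a mail client), re-joins the wrapped lines, and for each direction of a TCP flow works out which data segments the peer acknowledged (by cumulative ACK or by a SACK block) and which were only ever retransmitted. The signature it flags is the one Tom calls an MTU problem: full-size DF segments retransmitted without ever being acknowledged while smaller segments on the same connection get through, which is what a hop with a smaller MTU produces when its ICMP "fragmentation needed" messages never reach the sender. The two sample captures are constructed, modelled on the two captures Baldo posts further down (same hosts, ports and segment sizes, with one record deliberately wrapped); the flow keys use the names tcpdump printed there. The script says nothing about which hop drops the packets or which firewall rule is involved; it only makes the retransmission pattern explicit.

```python
"""Spot a path-MTU black hole in `tcpdump -vv` text (added example for the
thread; not code from the original post or from Shorewall)."""
import re
from collections import defaultdict

RECORD = re.compile(  # one tcpdump 3.8-era -vv record, continuation lines already re-joined
    r"^\d\d:\d\d:\d\d\.\d+ IP \(.*?length: (?P<iplen>\d+)\) "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+) (?:\[tcp sum ok\] )?"
    r"(?P<seq>\d+):(?P<end>\d+)\((?P<dlen>\d+)\)(?: ack (?P<ack>\d+))? win \d+"
    r"(?P<opts>.*)$")
SACK_BLOCK = re.compile(r"\{(\d+):(\d+)\}")


def records(text):
    """Re-join wrapped lines (a record starts with a timestamp) and parse the
    TCP records; ARP lines and tcpdump's own header/trailer lines are skipped."""
    joined = []
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"\d\d:\d\d:\d\d\.\d+ ", line):
            joined.append(line)
        elif joined and line:
            joined[-1] += " " + line
    for rec in joined:
        m = RECORD.match(rec)
        if m:
            yield m.groupdict()


def analyze(text):
    """Per (src, dst) flow: data segments the peer acknowledged versus never did."""
    flows = defaultdict(lambda: {"sent": defaultdict(list), "ack": 0, "sack": []})
    for p in records(text):
        if int(p["dlen"]):
            sent = flows[(p["src"], p["dst"])]["sent"]
            sent[(int(p["seq"]), int(p["end"]))].append(int(p["iplen"]))
        if "S" in p["flags"]:
            continue  # SYN/SYN-ACK carry absolute sequence numbers; the rest are relative
        peer = flows[(p["dst"], p["src"])]  # this packet acknowledges the peer's data
        if p["ack"]:
            peer["ack"] = max(peer["ack"], int(p["ack"]))
        peer["sack"] += [(int(a), int(b)) for a, b in SACK_BLOCK.findall(p["opts"])]
    report = {}
    for flow, f in flows.items():
        if not f["sent"]:
            continue
        delivered, undelivered = {}, {}
        for (seq, end), sizes in f["sent"].items():
            # Judged per byte range: a range re-sent in smaller pieces and then acked counts.
            ok = end <= f["ack"] or any(a <= seq and end <= b for a, b in f["sack"])
            (delivered if ok else undelivered)[(seq, end)] = sizes
        report[flow] = {
            "delivered": delivered, "undelivered": undelivered,
            "largest_delivered": max((s for v in delivered.values() for s in v), default=0),
            "smallest_undelivered": min((s for v in undelivered.values() for s in v), default=0),
        }
    return report


def pmtu_blackhole(report, flow):
    """Black-hole signature: some segments were retransmitted and never acknowledged,
    and every unacknowledged segment is larger than every acknowledged one. With DF
    set, a smaller-MTU hop drops them, and no ICMP 'fragmentation needed' comes back."""
    r = report.get(flow)
    if not r or not r["undelivered"]:
        return False
    retransmitted = any(len(sizes) > 1 for sizes in r["undelivered"].values())
    return retransmitted and r["smallest_undelivered"] > r["largest_delivered"]


# Constructed sample input modelled on the two captures posted later in the
# thread (same hosts, ports and sizes); the SYN-ACK record is wrapped on purpose.
FAILING = """\
09:22:05.290448 IP (tos 0x0, ttl 127, id 189, offset 0, flags [DF], length: 48) 192.168.4.4.1046 > zinfsrv2.dubrovnik.hr.http: S [tcp sum ok] 4156093759:4156093759(0) win 65535 <mss 1460,nop,nop,sackOK>
09:22:05.290565 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 48) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1046: S [tcp sum ok] 2285684451:2285684451(0) ack 4156093760 win 5840 <mss
1460,nop,nop,sackOK>
09:22:05.297378 IP (tos 0x0, ttl 127, id 190, offset 0, flags [DF], length: 40) 192.168.4.4.1046 > zinfsrv2.dubrovnik.hr.http: . [tcp sum ok] 1:1(0) ack 1 win 65535
09:22:05.331534 IP (tos 0x0, ttl 127, id 191, offset 0, flags [DF], length: 496) 192.168.4.4.1046 > zinfsrv2.dubrovnik.hr.http: P 1:457(456) ack 1 win 65535
09:22:05.331596 IP (tos 0x0, ttl 64, id 36345, offset 0, flags [DF], length: 40) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1046: . [tcp sum ok] 1:1(0) ack 457 win 6432
09:22:06.099407 IP (tos 0x0, ttl 64, id 36346, offset 0, flags [DF], length: 1500) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1046: . 1:1461(1460) ack 457 win 6432
09:22:06.099427 IP (tos 0x0, ttl 64, id 36347, offset 0, flags [DF], length: 1500) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1046: . 1461:2921(1460) ack 457 win 6432
09:22:09.098108 IP (tos 0x0, ttl 64, id 36348, offset 0, flags [DF], length: 1500) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1046: . 1:1461(1460) ack 457 win 6432
09:22:15.097185 IP (tos 0x0, ttl 64, id 36349, offset 0, flags [DF], length: 1500) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1046: . 1:1461(1460) ack 457 win 6432
09:22:21.169313 IP (tos 0x0, ttl 64, id 36350, offset 0, flags [DF], length: 158) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1046: FP 2921:3039(118) ack 457 win 6432
09:22:21.177728 IP (tos 0x0, ttl 127, id 194, offset 0, flags [DF], length: 52) 192.168.4.4.1046 > zinfsrv2.dubrovnik.hr.http: . [tcp sum ok] 457:457(0) ack 1 win 65535 <nop,nop,sack sack 1 {2921:3040} >
"""
WORKING = """\
09:31:21.241236 IP (tos 0x0, ttl 127, id 282, offset 0, flags [DF], length: 496) 192.168.4.4.1047 > zinfsrv2.dubrovnik.hr.http: P 1:457(456) ack 1 win 65535
09:31:21.241282 IP (tos 0x0, ttl 64, id 25039, offset 0, flags [DF], length: 40) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: . [tcp sum ok] 1:1(0) ack 457 win 6432
09:31:21.555110 IP (tos 0x0, ttl 64, id 25040, offset 0, flags [DF], length: 1500) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: . 1:1461(1460) ack 457 win 6432
09:31:21.569081 IP (tos 0x0, ttl 64, id 25042, offset 0, flags [DF], length: 1492) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: . 1:1453(1452) ack 457 win 6432
09:31:21.569102 IP (tos 0x0, ttl 64, id 25043, offset 0, flags [DF], length: 48) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: . [tcp sum ok] 1453:1461(8) ack 457 win 6432
09:31:21.599110 IP (tos 0x0, ttl 127, id 283, offset 0, flags [DF], length: 40) 192.168.4.4.1047 > zinfsrv2.dubrovnik.hr.http: . [tcp sum ok] 457:457(0) ack 1461 win 65535
"""

if __name__ == "__main__":
    for label, capture, port in (("infinite wait", FAILING, 1046), ("loc fw ACCEPT", WORKING, 1047)):
        rep, flow = analyze(capture), ("zinfsrv2.dubrovnik.hr.http", "192.168.4.4.%d" % port)
        print(label, "black hole:", pmtu_blackhole(rep, flow), "unacked:", {k: len(v) for k, v in rep[flow]["undelivered"].items()})
```

On the "infinite wait" sample the server's two 1500-byte segments are never acknowledged and the first one is retransmitted three times, while the 158-byte FIN/PUSH segment is SACKed by the client, so `pmtu_blackhole` reports True for the server-to-client direction and False for the client-to-server direction (its 496-byte request was acknowledged). On the "loc fw ACCEPT" sample the server re-sends the same byte range as a 1492-byte segment plus an 8-byte tail and the client acknowledges 1461, so nothing is left unacknowledged. To run it on a real capture, pass the saved `tcpdump -vv` output (wrapped lines and all) to `analyze()` and look up the flow by the exact `host.port` strings tcpdump printed.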
Thanks Tom

I will try tcpdump tomorrow morning when I'll come to office.
Can you tell me one more thing: Why if I add policy "loc fw ACCEPT" in
policy file everything works fine?

Baldo
On Wed, 2004-12-29 at 22:56 +0100, Baldo Franic wrote:
> Thanks Tom
>
> I will try tcpdump tomorrow morning when I'll come to office.
> Can you tell me one more thing: Why if I add policy "loc fw ACCEPT" in
> policy file everything works fine?

If I knew that, I would tell you what rule you are missing....

-Tom
Tom

Can you help me and give me a clue about rule I am missing?

Baldo

Tom Eastep wrote:
> On Wed, 2004-12-29 at 22:56 +0100, Baldo Franic wrote:
> > Thanks Tom
> >
> > I will try tcpdump tomorrow morning when I'll come to office.
> > Can you tell me one more thing: Why if I add policy "loc fw ACCEPT" in
> > policy file everything works fine?
>
> If I knew that, I would tell you what rule you are missing....
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Tom

It will be nice if you tell me about rule that I'm missing.

There is dump of machine with infinite wait on web server answer:
[root@zinfsrv2 shorewall]# tcpdump host 192.168.4.4 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:22:05.290448 IP (tos 0x0, ttl 127, id 189, offset 0, flags [DF], length: 48) 192.168.4.4.1046 > zinfsrv2.dubrovnik.hr.http: S [tcp sum ok] 4156093759:4156093759(0) win 65535 <mss 1460,nop,nop,sackOK>
09:22:05.290565 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 48) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1046: S [tcp sum ok] 2285684451:2285684451(0) ack 4156093760 win 5840 <mss 1460,nop,nop,sackOK>
09:22:05.297378 IP (tos 0x0, ttl 127, id 190, offset 0, flags [DF], length: 40) 192.168.4.4.1046 > zinfsrv2.dubrovnik.hr.http: . [tcp sum ok] 1:1(0) ack 1 win 65535
09:22:05.331534 IP (tos 0x0, ttl 127, id 191, offset 0, flags [DF], length: 496) 192.168.4.4.1046 > zinfsrv2.dubrovnik.hr.http: P 1:457(456) ack 1 win 65535
09:22:05.331596 IP (tos 0x0, ttl 64, id 36345, offset 0, flags [DF], length: 40) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1046: . [tcp sum ok] 1:1(0) ack 457 win 6432
09:22:06.099407 IP (tos 0x0, ttl 64, id 36346, offset 0, flags [DF], length: 1500) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1046: . 1:1461(1460) ack 457 win 6432
09:22:06.099427 IP (tos 0x0, ttl 64, id 36347, offset 0, flags [DF], length: 1500) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1046: . 1461:2921(1460) ack 457 win 6432
09:22:09.098108 IP (tos 0x0, ttl 64, id 36348, offset 0, flags [DF], length: 1500) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1046: . 1:1461(1460) ack 457 win 6432
09:22:15.097185 IP (tos 0x0, ttl 64, id 36349, offset 0, flags [DF], length: 1500) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1046: . 1:1461(1460) ack 457 win 6432
09:22:21.169313 IP (tos 0x0, ttl 64, id 36350, offset 0, flags [DF], length: 158) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1046: FP 2921:3039(118) ack 457 win 6432
09:22:21.177728 IP (tos 0x0, ttl 127, id 194, offset 0, flags [DF], length: 52) 192.168.4.4.1046 > zinfsrv2.dubrovnik.hr.http: . [tcp sum ok] 457:457(0) ack 1 win 65535 <nop,nop,sack sack 1 {2921:3040} >
09:22:27.095368 IP (tos 0x0, ttl 64, id 36351, offset 0, flags [DF], length: 1500) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1046: . 1:1461(1460) ack 457 win 6432
09:22:51.091729 IP (tos 0x0, ttl 64, id 36352, offset 0, flags [DF], length: 1500) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1046: . 1:1461(1460) ack 457 win 6432
13 packets captured
13 packets received by filter
0 packets dropped by kernel
There is dump of same machine after adding policy "loc fw accept" and
correct answer:
[root@zinfsrv2 shorewall]# tcpdump host 192.168.4.4 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:31:21.220985 arp who-has 192.168.4.80 tell 192.168.4.4
09:31:21.227627 IP (tos 0x0, ttl 127, id 280, offset 0, flags [DF], length: 48) 192.168.4.4.1047 > zinfsrv2.dubrovnik.hr.http: S [tcp sum ok] 4294909877:4294909877(0) win 65535 <mss 1460,nop,nop,sackOK>
09:31:21.227732 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 48) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: S [tcp sum ok] 2873796315:2873796315(0) ack 4294909878 win 5840 <mss 1460,nop,nop,sackOK>
09:31:21.234497 IP (tos 0x0, ttl 127, id 281, offset 0, flags [DF], length: 40) 192.168.4.4.1047 > zinfsrv2.dubrovnik.hr.http: . [tcp sum ok] 1:1(0) ack 1 win 65535
09:31:21.241236 IP (tos 0x0, ttl 127, id 282, offset 0, flags [DF], length: 496) 192.168.4.4.1047 > zinfsrv2.dubrovnik.hr.http: P 1:457(456) ack 1 win 65535
09:31:21.241282 IP (tos 0x0, ttl 64, id 25039, offset 0, flags [DF], length: 40) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: . [tcp sum ok] 1:1(0) ack 457 win 6432
09:31:21.555110 IP (tos 0x0, ttl 64, id 25040, offset 0, flags [DF], length: 1500) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: . 1:1461(1460) ack 457 win 6432
09:31:21.555130 IP (tos 0x0, ttl 64, id 25041, offset 0, flags [DF], length: 1500) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: . 1461:2921(1460) ack 457 win 6432
09:31:21.569081 IP (tos 0x0, ttl 64, id 25042, offset 0, flags [DF], length: 1492) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: . 1:1453(1452) ack 457 win 6432
09:31:21.569102 IP (tos 0x0, ttl 64, id 25043, offset 0, flags [DF], length: 48) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: . [tcp sum ok] 1453:1461(8) ack 457 win 6432
09:31:21.599110 IP (tos 0x0, ttl 127, id 283, offset 0, flags [DF], length: 40) 192.168.4.4.1047 > zinfsrv2.dubrovnik.hr.http: . [tcp sum ok] 457:457(0) ack 1461 win 65535
09:31:21.599150 IP (tos 0x0, ttl 64, id 25044, offset 0, flags [DF], length: 1492) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: . 1461:2913(1452) ack 457 win 6432
09:31:21.599162 IP (tos 0x0, ttl 64, id 25045, offset 0, flags [DF], length: 158) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: P 2921:3039(118) ack 457 win 6432
09:31:21.627360 IP (tos 0x0, tt 127, id 284, offset 0, flags [DF], length: 52) 192.168.4.4.1047 > zinfsrv2.dubrovnik.hr.http: . [tcp sum ok] 457:457(0) ack 2913 win 64083 <nop,nop,sack sack 1 {2921:3039} >
09:31:21.627423 IP (tos 0x0, ttl 64, id 25046, offset 0, flags [DF], length: 48) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: . [tcp sum ok] 2913:2921(8) ack 457 win 6432
09:31:21.634172 IP (tos 0x0, ttl 127, id 285, offset 0, flags [DF], length: 40) 192.168.4.4.1047 > zinfsrv2.dubrovnik.hr.http: . [tcp sum ok] 457:457(0) ack 3039 win 65535
09:31:21.685277 IP (tos 0x0, ttl 127, id 290, offset 0, flags [DF], length: 569) 192.168.4.4.1047 > zinfsrv2.dubrovnik.hr.http: P 457:986(529) ack 3039 win 65535
09:31:21.685340 IP (tos 0x0, ttl 64, id 25047, offset 0, flags [DF], length: 40) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: . [tcp sum ok] 3039:3039(0) ack 986 win 7504
09:31:21.685301 IP (tos 0x0, ttl 127, id 298, offset 0, flags [DF], length: 48) 192.168.4.4.1048 > zinfsrv2.dubrovnik.hr.http: S [tcp sum ok] 104355:104355(0) win 65535 <mss 1460,nop,nop,sackOK>
09:31:21.685411 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 48) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1048: S [tcp sum ok] 2874488858:2874488858(0) ack 104356 win 5840 <mss 1460,nop,nop,sackOK>
09:31:21.693332 IP (tos 0x0, ttl 127, id 299, offset 0, flags [DF], length: 40) 192.168.4.4.1048 > zinfsrv2.dubrovnik.hr.http: . [tcp sum ok] 1:1(0) ack 1 win 65535
09:31:21.701082 IP (tos 0x0, ttl 127, id 300, offset 0, flags [DF], length: 568) 192.168.4.4.1048 > zinfsrv2.dubrovnik.hr.http: P 1:529(528) ack 1 win 65535
09:31:21.701132 IP (tos 0x0, ttl 64, id 61637, offset 0, flags [DF], length: 40) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1048: . [tcp sum ok] 1:1(0) ack 529 win 6432
09:31:21.851243 IP (tos 0x0, ttl 64, id 25048, offset 0, flags [DF], length: 316) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: P 3039:3315(276) ack 986 win 7504
09:31:21.868448 IP (tos 0x0, ttl 64, id 61638, offset 0, flags [DF], length: 317) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1048: P 1:278(277) ack 529 win 6432
09:31:21.870320 IP (tos 0x0, ttl 127, id 305, offset 0, flags [DF], length: 570) 192.168.4.4.1047 > zinfsrv2.dubrovnik.hr.http: P 986:1516(530) ack 3315 win 65259
09:31:21.870377 IP (tos 0x0, ttl 64, id 25049, offset 0, flags [DF], length: 40) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: . [tcp sum ok] 3315:3315(0) ack 1516 win 8576
09:31:21.915799 IP (tos 0x0, ttl 64, id 25050, offset 0, flags [DF], length: 316) zinfsrv2.dubrovnik.hr.http > 192.168.4.4.1047: P 3039:3315(276) ack 986 win 7504
3315:3591(276) ack 1516 win 8576
09:31:22.058147 IP (tos 0x0, ttl 127, id 310, offset 0, flags [DF],
length: 40) 192.168.4.4.1047 > zinfsrv2.dubrovnik.hr.http: . [tcp sum
ok] 1516:1516(0) ack 3591 win 64983
09:31:22.058783 IP (tos 0x0, ttl 127, id 311, offset 0, flags [DF],
length: 40) 192.168.4.4.1048 > zinfsrv2.dubrovnik.hr.http: . [tcp sum
ok] 529:529(0) ack 278 win 65258
30 packets captured
30 packets received by filter
0 packets dropped by kernel
Baldo
On Sat, 2005-01-01 at 22:45 +0100, Baldo Franic wrote:
> Tom
>
> It will be nice if you tell me about rule that I'm missing.
>
> There is dump of machine with infinite wait on web server answer:
>
> [root@zinfsrv2 shorewall]# tcpdump host 192.168.4.4 -vv

a) I don't look at tcpdump output unless "-n" is specified. 'zinfsrv2.dubrovnik.hr' is absolutely meaningless to me.

b) Please give me some context about what I am looking at:
- what zone is 192.168.4.4 in?
- what zone is the server in?
- what system is the tcpdump output captured on?

c) Please also send along the output of "shorewall status" as an attachment so I don't have to dig back through a week of email trying to reconstruct what your configuration looks like.

Thanks,
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom
192.168.4.4 is in the "loc" zone.
192.168.6.82 is in the "fw" zone.
The tcpdump output is captured on 192.168.6.82.
A browser on 192.168.4.4 connecting to the web server on 192.168.6.82 has an infinite wait.
After I add the policy "loc fw ACCEPT" in the policy file everything works
fine?
Here is the dump for 192.168.4.4 with the infinite wait for the web server on
192.168.6.82:
[root@zinfsrv2 shorewall]# tcpdump host 192.168.4.4 -nvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96
bytes
23:22:05.290448 IP (tos 0x0, ttl 127, id 189, offset 0, flags [DF],
length: 48) 192.168.4.4.1046 > 192.168.6.82.80: S [tcp sum ok]
4156093759:4156093759(0) win 65535 <mss 1460,nop,nop,sackOK>
23:22:05.290565 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF],
length: 48) 192.168.6.82.80 > 192.168.4.4.1046: S [tcp sum ok]
2285684451:2285684451(0) ack 4156093760 win 5840 <mss 1460,nop,nop,sackOK>
23:22:05.297378 IP (tos 0x0, ttl 127, id 190, offset 0, flags [DF],
length: 40) 192.168.4.4.1046 > 192.168.6.82.80: . [tcp sum ok] 1:1(0)
ack 1 win 65535
23:22:05.331534 IP (tos 0x0, ttl 127, id 191, offset 0, flags [DF],
length: 496) 192.168.4.4.1046 > 192.168.6.82.80: P 1:457(456) ack 1 win
65535
23:22:05.331596 IP (tos 0x0, ttl 64, id 36345, offset 0, flags [DF],
length: 40) 192.168.6.82.80 > 192.168.4.4.1046: . [tcp sum ok] 1:1(0)
ack 457 win 6432
23:22:06.099407 IP (tos 0x0, ttl 64, id 36346, offset 0, flags [DF],
length: 1500) 192.168.6.82.80 > 192.168.4.4.1046: . 1:1461(1460) ack 457
win 6432
23:22:06.099427 IP (tos 0x0, ttl 64, id 36347, offset 0, flags [DF],
length: 1500) 192.168.6.82.80 > 192.168.4.4.1046: . 1461:2921(1460) ack
457 win 6432
23:22:09.098108 IP (tos 0x0, ttl 64, id 36348, offset 0, flags [DF],
length: 1500) 192.168.6.82.80 > 192.168.4.4.1046: . 1:1461(1460) ack 457
win 6432
23:22:15.097185 IP (tos 0x0, ttl 64, id 36349, offset 0, flags [DF],
length: 1500) 192.168.6.82.80 > 192.168.4.4.1046: . 1:1461(1460) ack 457
win 6432
23:22:21.169313 IP (tos 0x0, ttl 64, id 36350, offset 0, flags [DF],
length: 158) 192.168.6.82.80 > 192.168.4.4.1046: FP 2921:3039(118) ack
457 win 6432
23:22:21.177728 IP (tos 0x0, ttl 127, id 194, offset 0, flags [DF],
length: 52) 192.168.4.4.1046 > 192.168.6.82.80: . [tcp sum ok]
457:457(0) ack 1 win 65535 <nop,nop,sack sack 1 {2921:3040} >
23:22:27.095368 IP (tos 0x0, ttl 64, id 36351, offset 0, flags [DF],
length: 1500) 192.168.6.82.80 > 192.168.4.4.1046: . 1:1461(1460) ack 457
win 6432
23:22:51.091729 IP (tos 0x0, ttl 64, id 36352, offset 0, flags [DF],
length: 1500) 192.168.6.82.80 > 192.168.4.4.1046: . 1:1461(1460) ack 457
win 6432
13 packets captured
13 packets received by filter
0 packets dropped by kernel
Here is the dump for 192.168.4.4 after adding the policy "loc fw accept", with the
correct answer:
[root@zinfsrv2 shorewall]# tcpdump host 192.168.4.4 -nvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96
bytes
23:31:21.220985 arp who-has 192.168.4.80 tell 192.168.4.4
23:31:21.227627 IP (tos 0x0, ttl 127, id 280, offset 0, flags [DF],
length: 48) 192.168.4.4.1047 > 192.168.6.82.80: S [tcp sum ok]
4294909877:4294909877(0) win 65535 <mss 1460,nop,nop,sackOK>
23:31:21.227732 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF],
length: 48) 192.168.6.82.80 > 192.168.4.4.1047: S [tcp sum ok]
2873796315:2873796315(0) ack 4294909878 win 5840 <mss 1460,nop,nop,sackOK>
23:31:21.234497 IP (tos 0x0, ttl 127, id 281, offset 0, flags [DF],
length: 40) 192.168.4.4.1047 > 192.168.6.82.80: . [tcp sum ok] 1:1(0)
ack 1 win 65535
23:31:21.241236 IP (tos 0x0, ttl 127, id 282, offset 0, flags [DF],
length: 496) 192.168.4.4.1047 > 192.168.6.82.80: P 1:457(456) ack 1 win
65535
23:31:21.241282 IP (tos 0x0, ttl 64, id 25039, offset 0, flags [DF],
length: 40) 192.168.6.82.80 > 192.168.4.4.1047: . [tcp sum ok] 1:1(0)
ack 457 win 6432
23:31:21.555110 IP (tos 0x0, ttl 64, id 25040, offset 0, flags [DF],
length: 1500) 192.168.6.82.80 > 192.168.4.4.1047: . 1:1461(1460) ack 457
win 6432
23:31:21.555130 IP (tos 0x0, ttl 64, id 25041, offset 0, flags [DF],
length: 1500) 192.168.6.82.80 > 192.168.4.4.1047: . 1461:2921(1460) ack
457 win 6432
23:31:21.569081 IP (tos 0x0, ttl 64, id 25042, offset 0, flags [DF],
length: 1492) 192.168.6.82.80 > 192.168.4.4.1047: . 1:1453(1452) ack 457
win 6432
23:31:21.569102 IP (tos 0x0, ttl 64, id 25043, offset 0, flags [DF],
length: 48) 192.168.6.82.80 > 192.168.4.4.1047: . [tcp sum ok]
1453:1461(8) ack 457 win 6432
23:31:21.599110 IP (tos 0x0, ttl 127, id 283, offset 0, flags [DF],
length: 40) 192.168.4.4.1047 > 192.168.6.82.80: . [tcp sum ok]
457:457(0) ack 1461 win 65535
23:31:21.599150 IP (tos 0x0, ttl 64, id 25044, offset 0, flags [DF],
length: 1492) 192.168.6.82.80 > 192.168.4.4.1047: . 1461:2913(1452) ack
457 win 6432
23:31:21.599162 IP (tos 0x0, ttl 64, id 25045, offset 0, flags [DF],
length: 158) 192.168.6.82.80 > 192.168.4.4.1047: P 2921:3039(118) ack
457 win 6432
23:31:21.627360 IP (tos 0x0, ttl 127, id 284, offset 0, flags [DF],
length: 52) 192.168.4.4.1047 > 192.168.6.82.80: . [tcp sum ok]
457:457(0) ack 2913 win 64083 <nop,nop,sack sack 1 {2921:3039} >
23:31:21.627423 IP (tos 0x0, ttl 64, id 25046, offset 0, flags [DF],
length: 48) 192.168.6.82.80 > 192.168.4.4.1047: . [tcp sum ok]
2913:2921(8) ack 457 win 6432
23:31:21.634172 IP (tos 0x0, ttl 127, id 285, offset 0, flags [DF],
length: 40) 192.168.4.4.1047 > 192.168.6.82.80: . [tcp sum ok]
457:457(0) ack 3039 win 65535
23:31:21.685277 IP (tos 0x0, ttl 127, id 290, offset 0, flags [DF],
length: 569) 192.168.4.4.1047 > 192.168.6.82.80: P 457:986(529) ack 3039
win 65535
23:31:21.685340 IP (tos 0x0, ttl 64, id 25047, offset 0, flags [DF],
length: 40) 192.168.6.82.80 > 192.168.4.4.1047: . [tcp sum ok]
3039:3039(0) ack 986 win 7504
23:31:21.685301 IP (tos 0x0, ttl 127, id 298, offset 0, flags [DF],
length: 48) 192.168.4.4.1048 > 192.168.6.82.80: S [tcp sum ok]
104355:104355(0) win 65535 <mss 1460,nop,nop,sackOK>
23:31:21.685411 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF],
length: 48) 192.168.6.82.80 > 192.168.4.4.1048: S [tcp sum ok]
2874488858:2874488858(0) ack 104356 win 5840 <mss 1460,nop,nop,sackOK>
23:31:21.693332 IP (tos 0x0, ttl 127, id 299, offset 0, flags [DF],
length: 40) 192.168.4.4.1048 > 192.168.6.82.80: . [tcp sum ok] 1:1(0)
ack 1 win 65535
23:31:21.701082 IP (tos 0x0, ttl 127, id 300, offset 0, flags [DF],
length: 568) 192.168.4.4.1048 > 192.168.6.82.80: P 1:529(528) ack 1 win
65535
23:31:21.701132 IP (tos 0x0, ttl 64, id 61637, offset 0, flags [DF],
length: 40) 192.168.6.82.80 > 192.168.4.4.1048: . [tcp sum ok] 1:1(0)
ack 529 win 6432
23:31:21.851243 IP (tos 0x0, ttl 64, id 25048, offset 0, flags [DF],
length: 316) 192.168.6.82.80 > 192.168.4.4.1047: P 3039:3315(276) ack
986 win 7504
23:31:21.868448 IP (tos 0x0, ttl 64, id 61638, offset 0, flags [DF],
length: 317) 192.168.6.82.80 > 192.168.4.4.1048: P 1:278(277) ack 529
win 6432
23:31:21.870320 IP (tos 0x0, ttl 127, id 305, offset 0, flags [DF],
length: 570) 192.168.4.4.1047 > 192.168.6.82.80: P 986:1516(530) ack
3315 win 65259
23:31:21.870377 IP (tos 0x0, ttl 64, id 25049, offset 0, flags [DF],
length: 40) 192.168.6.82.80 > 192.168.4.4.1047: . [tcp sum ok]
3315:3315(0) ack 1516 win 8576
23:31:21.915799 IP (tos 0x0, ttl 64, id 25050, offset 0, flags [DF],
length: 316) 192.168.6.82.80 > 192.168.4.4.1047: P 3315:3591(276) ack
1516 win 8576
23:31:22.058147 IP (tos 0x0, ttl 127, id 310, offset 0, flags [DF],
length: 40) 192.168.4.4.1047 > 192.168.6.82.80: . [tcp sum ok]
1516:1516(0) ack 3591 win 64983
23:31:22.058783 IP (tos 0x0, ttl 127, id 311, offset 0, flags [DF],
length: 40) 192.168.4.4.1048 > 192.168.6.82.80: . [tcp sum ok]
529:529(0) ack 278 win 65258
30 packets captured
30 packets received by filter
0 packets dropped by kernel
Baldo
On Sun, 2 Jan 2005, Baldo Franic wrote:
> Tom
>
> 192.168.4.4 is in "loc" zone
> 192.168.6.82 is "fw" zone.
> tcpdump output is captured on 192.168.6.82 .
>
> Browser on 192.168.4.4 to web server on 192.168.6.82 has infinite wait. After
> I add policy "loc fw ACCEPT" in policy file everything works fine?
>

Which kernel version are you running?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Sun, 2 Jan 2005, Baldo Franic wrote:
> Tom
>
> 192.168.4.4 is in "loc" zone
> 192.168.6.82 is "fw" zone.
> tcpdump output is captured on 192.168.6.82 .
>
> Browser on 192.168.4.4 to web server on 192.168.6.82 has infinite wait. After
> I add policy "loc fw ACCEPT" in policy file everything works fine?
>

It appears that there is a router between the firewall and 192.168.4.4. The important difference in the two cases is that the server switches to using 1492-byte packets in the good case.

If I'm right about the router then I suggest that you add:

ACCEPT loc:<router ip> fw icmp

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Sat, 1 Jan 2005, Tom Eastep wrote:
> On Sun, 2 Jan 2005, Baldo Franic wrote:
>
> > Tom
> >
> > 192.168.4.4 is in "loc" zone
> > 192.168.6.82 is "fw" zone.
> > tcpdump output is captured on 192.168.6.82 .
> >
> > Browser on 192.168.4.4 to web server on 192.168.6.82 has infinite wait. After
> > I add policy "loc fw ACCEPT" in policy file everything works fine?
> >
>
> It appears that there is a router between the firewall and 192.168.4.4.
> The important difference in the two cases is that the server switches to
> using 1492-byte packets in the good case.
>
> If I'm right about the router then I suggest that you add:
>
> ACCEPT loc:<router ip> fw icmp
>

And if that doesn't work, then try:

ACCEPT loc all icmp fragmentation-needed

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
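Tom's diagnosis rests on one feature of the two captures: in the failing dump the server keeps resending the same full-size segment (1:1461, 1460 payload bytes) with doubling gaps and never shrinks it, while in the working dump it drops to 1452-byte segments right after the first try, which is what a delivered ICMP fragmentation-needed makes a sender do. The script below is an added example, not code from the thread or from Shorewall; it re-joins the wrapped records of a "tcpdump -nvv" capture and flags the resend-without-shrink pattern. The captures embedded in it are excerpts of the two dumps posted above, and the function names and the `big` / `min_resends` thresholds are my assumptions.

```python
# Added example: detect a Path-MTU blackhole in a "tcpdump -nvv" capture.
# Not Shorewall code; captures are excerpts of this thread's dumps, thresholds are assumptions.
import re
from collections import defaultdict

# tcpdump -vv wraps each record; a new record starts with an HH:MM:SS.usec stamp.
_PKT_START = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
_PKT = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP .*?length: (?P<len>\d+)\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<flags>\S+) "
    r"(?:\[tcp sum ok\] )?(?P<first>\d+):\d+\((?P<bytes>\d+)\)"
)

BAD_CAPTURE = """\
23:22:06.099407 IP (tos 0x0, ttl 64, id 36346, offset 0, flags [DF],
length: 1500) 192.168.6.82.80 > 192.168.4.4.1046: . 1:1461(1460) ack 457
win 6432
23:22:09.098108 IP (tos 0x0, ttl 64, id 36348, offset 0, flags [DF],
length: 1500) 192.168.6.82.80 > 192.168.4.4.1046: . 1:1461(1460) ack 457
win 6432
23:22:15.097185 IP (tos 0x0, ttl 64, id 36349, offset 0, flags [DF],
length: 1500) 192.168.6.82.80 > 192.168.4.4.1046: . 1:1461(1460) ack 457
win 6432
23:22:27.095368 IP (tos 0x0, ttl 64, id 36351, offset 0, flags [DF],
length: 1500) 192.168.6.82.80 > 192.168.4.4.1046: . 1:1461(1460) ack 457
win 6432
"""

GOOD_CAPTURE = """\
23:31:21.555110 IP (tos 0x0, ttl 64, id 25040, offset 0, flags [DF],
length: 1500) 192.168.6.82.80 > 192.168.4.4.1047: . 1:1461(1460) ack 457
win 6432
23:31:21.569081 IP (tos 0x0, ttl 64, id 25042, offset 0, flags [DF],
length: 1492) 192.168.6.82.80 > 192.168.4.4.1047: . 1:1453(1452) ack 457
win 6432
23:31:21.569102 IP (tos 0x0, ttl 64, id 25043, offset 0, flags [DF],
length: 48) 192.168.6.82.80 > 192.168.4.4.1047: . [tcp sum ok]
1453:1461(8) ack 457 win 6432
"""

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_capture(text):
    """Re-join wrapped records and return one dict per TCP segment."""
    records, current = [], None
    for line in text.splitlines():
        if _PKT_START.match(line):
            if current:
                records.append(current)
            current = line
        elif current is not None:
            current += " " + line.strip()
    if current:
        records.append(current)
    pkts = []
    for rec in records:
        m = _PKT.match(rec)
        if m:  # ARP lines and the trailing packet counters do not match; skip them
            pkts.append({"ts": _seconds(m["ts"]), "src": m["src"], "dst": m["dst"],
                         "first": int(m["first"]), "bytes": int(m["bytes"])})
    return pkts

def analyse(text, big=1400, min_resends=2):
    """One finding per large segment: was it resent unchanged, or shrunk?"""
    sends = defaultdict(list)  # (src, dst, first seq) -> [(time, payload bytes)]
    for p in parse_capture(text):
        if p["bytes"] > 0:
            sends[(p["src"], p["dst"], p["first"])].append((p["ts"], p["bytes"]))
    findings = []
    for (src, dst, first), tries in sorted(sends.items(), key=lambda kv: kv[1][0][0]):
        initial = tries[0][1]
        if initial < big:  # only full-MSS segments can hit an MTU bottleneck
            continue
        same = [t for t, b in tries if b == initial]
        smaller = [b for _, b in tries if b < initial]
        if smaller:  # the sender received fragmentation-needed and adapted
            verdict = "pmtu_adjusted"
        elif len(same) - 1 >= min_resends:  # resent unchanged: the ICMP never arrived
            verdict = "pmtu_blackhole"
        else:
            verdict = "ok"
        findings.append({
            "flow": f"{src} > {dst}", "seq": first, "segment_bytes": initial,
            "retransmits": len(same) - 1,
            "backoff_gaps_s": [round(b - a, 1) for a, b in zip(same, same[1:])],
            "shrunk_to": min(smaller) if smaller else None, "verdict": verdict,
        })
    return findings

if __name__ == "__main__":
    for label, capture in (("bad", BAD_CAPTURE), ("good", GOOD_CAPTURE)):
        for finding in analyse(capture):
            print(label, finding)
```

On the failing excerpt the report shows the 1460-byte segment resent three times with gaps of 3, 6 and 12 seconds and never shrunk, the signature of a firewall that drops the router's fragmentation-needed messages; on the working excerpt the same segment is immediately reissued at 1452 bytes and the verdict is "pmtu_adjusted". The same parser can be pointed at a full "tcpdump -nvv" file saved from the firewall.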
On Sat, 2005-01-01 at 15:34 -0800, Tom Eastep wrote:
> > If I'm right about the router then I suggest that you add:
> >
> > ACCEPT loc:<router ip> fw icmp
> >
>
> And if that doesn't work, then try:
>
> ACCEPT loc all icmp fragmentation-needed
>

I should also mention that 2.2.0 RC3 should work for you without any extra rules. It unconditionally allows fragmentation-needed packets provided that you use the default Drop and Reject actions.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key