thr3ads.net - Shorewall users - Problems with Proxy ARP [Jan 2011]

If this information is useful, please help other people find it:
Share via:

Marcus Limosani

2011-Jan-09 15:59 UTC

Problems with Proxy ARP

I am not sure when it happened, but at some point, a ProxyARP''d server
I have running in my network is no longer visible either internally or
externally.

I am running Shorewall 4.4.9 on a Gentoo box.

The relelvant config files are as follows

INTERFACES file

#ZONE  INTERFACE          BROADCAST       OPTIONS
net     ppp0            -         
dhcp,tcpflags,nosmurfs,routefilter,proxyarp,routeback,blacklist
loc     eth1            detect         
tcpflags,nosmurfs,routefilter,proxyarp,routeback,blacklist


POLICIES
###############################################################################
#SOURCE                             DEST                      POLICY            
LOG LEVEL           LIMIT:BURST

loc                          net                         ACCEPT
net                         all                            DROP                 
info
# THE FOLLOWING POLICY MUST BE LAST
all                            all                            REJECT            
info

FIREWALL RULES - relevant to the ProxyArp''d address
# Hosting Box
ACCEPT:info       net         loc:203.36.xx.xxx              tcp         
20,21,22,25,53,80,110,143,443,993,995
ACCEPT:info       net         loc:203.36.xx.xxx              udp        53
ACCEPT:info       net:202.124.xxx.xxx/29 loc:203.36.xx.xxx              tcp
ACCEPT:info       net:202.124.xxx.xxx/29 loc:203.36.xx.xxx              udp

ACCEPT:info       net         loc:203.36.75.210              tcp         
20,21,22,25,53,80,110,143,443,993,995
ACCEPT:info       net         loc:203.36.75.210              udp        53

SHOREWALL CONF File
###############################################################################
#
# Shorewall version 4.0 - Sample shorewall.conf for two-interface
#                         configuration.
# Copyright (C) 2006,2007 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#
# For information about the settings in this file, type "man
shorewall.conf"
#
# The manpage is also online at
# http://shorewall.net/manpages/shorewall.conf.html
#
###############################################################################
#                                    S T A R T U P   E N A B L E D
###############################################################################

STARTUP_ENABLED=Yes

###############################################################################
#                                           V E R B O S I T Y
###############################################################################

VERBOSITY=1

###############################################################################
#                              C O M P I L E R
#      (setting this to ''perl'' requires installation of
Shorewall-perl)
###############################################################################

SHOREWALL_COMPILER
###############################################################################
#                                                    L O G G I N G
###############################################################################

LOGFILE=/var/log/messages

STARTUP_LOG
LOG_VERBOSITY
LOGFORMAT="Shorewall:%s:%s:"

LOGTAGONLY=No

LOGRATE
LOGBURST
LOGALLNEW
BLACKLIST_LOGLEVEL
MACLIST_LOG_LEVEL=info

TCP_FLAGS_LOG_LEVEL=info

SMURF_LOG_LEVEL=info

LOG_MARTIANS=Yes

###############################################################################
#             L O C A T I O N      O F       F I L E S   A N D   D I R E C T O R
I E S
###############################################################################

IPTABLES
IP
TC
IPSET
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

SHOREWALL_SHELL=/bin/sh

SUBSYSLOCK
MODULESDIR
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

RESTOREFILE
IPSECFILE=zones

LOCKFILE
###############################################################################
#                             D E F A U L T   A C T I O N S / M A C R O S
###############################################################################

DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"

###############################################################################
#                        R S H / R C P  C O M M A N D S
###############################################################################

RSH_COMMAND=''ssh ${root}@${system} ${command}''
RCP_COMMAND=''scp ${files} ${root}@${system}:${destination}''

###############################################################################
#                                             F I R E W A L L       O P T I O N
S
###############################################################################

IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIXDISABLE_IPV6=No
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
NULL_ROUTE_RFC1918=No
MACLIST_TABLE=filter
MACLIST_TTLSAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=No
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=1
EXPORTPARAMS=No
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=No
DONT_LOADAUTO_COMMENT=Yes
MANGLE_ENABLED=Yes
USE_DEFAULT_RT=No
RESTORE_DEFAULT_ROUTE=Yes
AUTOMAKE=No
WIDE_TC_MARKS=Yes

###############################################################################
#                                             P A C K E T   D I S P O S I T I O
N
###############################################################################

BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE


I am loathe to upgrade for the sake of upgrading, as things have previously gone
wrong, and other than this (which is atm rather a big problem) everything else
is operating ok.

Hoping someone might see a hole in my config as to why the arp''d system
cannot reach the external network, or be reached.





------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company
that requires sensitive data to be transmitted over the Web.   Learn how to 
best implement a security strategy that keeps consumers'' information
secure
and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl

Tom Eastep

2011-Jan-09 16:53 UTC

head link

Re: Problems with Proxy ARP

On 1/9/11 7:59 AM, Marcus Limosani wrote:> I am not sure when it happened, but at some point, a ProxyARP’d server I
> have running in my network is no longer visible either internally or
> externally.
Please post the output of ''shorewall dump''.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company
that requires sensitive data to be transmitted over the Web.   Learn how to 
best implement a security strategy that keeps consumers'' information
secure
and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl

Marcus Limosani

2011-Jan-10 00:19 UTC

head link

Re: Problems with Proxy ARP

Hi Tom,

Here is the output of ''shorewall dump''
2nd Try - first got stopped due to size, so I am removing a lot of the blacklist
section

Thanks.

-----------------

Shorewall 4.4.9 Dump at gateway - Mon Jan 10 07:54:20 EST 2011

Counters reset Sat Dec 18 11:13:00 EST 2010

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1591K  162M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate INVALID,NEW
1156K  128M net2fw     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
 469K   37M loc2fw     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
   48  3820 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate RELATED,ESTABLISHED
   42  1512 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
[goto]

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  36M 2563M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate INVALID,NEW
  10M  553M TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 359M  355G net_frwd   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
 186M   62G loc_frwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
[goto]

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 269K   26M fw2net     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
 111K   59M fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
   48  3820 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate RELATED,ESTABLISHED
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
[goto]

Chain %SSHKnock (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 recent: CHECK name: SSH side: source LOG flags 0 level 6 prefix
`Shorewall:SSHKnock:ACCEPT:''
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:!22 LOG flags 0 level 6 prefix `Shorewall:SSHKnock:DROP:''
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 recent: CHECK seconds: 60 name: SSH side: source
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:632 recent: REMOVE name: SSH side: source
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:633 recent: SET name: SSH side: source
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:634 recent: REMOVE name: SSH side: source

Chain Drop (2 references)
 pkts bytes target     prot opt in     out     source               destination
1233K  132M            all  --  *      *       0.0.0.0/0            0.0.0.0/0
    8   396 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:113 /* Auth */
1233K  132M dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1   120 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 3 code 4 /* Needed ICMP types */
  668 37511 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 11 /* Needed ICMP types */
1232K  132M dropInvalid  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
multiport dports 135,445 /* SMB */
   91  7098 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:137:139 /* SMB */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:137 dpts:1024:65535 /* SMB */
57034 2803K DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
multiport dports 135,139,445 /* SMB */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:1900 /* UPnP */
 219K   12M dropNotSyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
  160 31031 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:53 /* Late DNS Replies */

Chain Reject (6 references)
 pkts bytes target     prot opt in     out     source               destination
   42  1512            all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:113 /* Auth */
   42  1512 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 3 code 4 /* Needed ICMP types */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 11 /* Needed ICMP types */
    0     0 dropInvalid  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
multiport dports 135,445 /* SMB */
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:137:139 /* SMB */
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:137 dpts:1024:65535 /* SMB */
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
multiport dports 135,139,445 /* SMB */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:1900 /* UPnP */
    0     0 dropNotSyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp spt:53 /* Late DNS Replies */

Chain blacklst (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       95.216.0.0/15        0.0.0.0/0
* There is more stuff here - removed for message size*

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ADDRTYPE match dst-type BROADCAST
   42  1512 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4

Chain dropInvalid (2 references)
 pkts bytes target     prot opt in     out     source               destination
34955 3530K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate INVALID

Chain dropNotSyn (2 references)
 pkts bytes target     prot opt in     out     source               destination
 3015 1095K DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp flags:!0x17/0x02

Chain dynamic (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
82731   56M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate RELATED,ESTABLISHED
28162 2719K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:fw2loc:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
[goto]

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:67:68
 261K   26M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpt:53 /* DNS */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:53 /* DNS */
 7928  578K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    2   120 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:fw2net:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
[goto]

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
 435K   35M blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate INVALID,NEW
 435K   35M smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate INVALID,NEW
41850 2440K tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
34500 2043K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate RELATED,ESTABLISHED
 2470  148K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp dpt:22 /* SSH */
 2489  189K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8 /* Ping */
 430K   34M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:loc2fw:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
[goto]

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
 183M   62G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate RELATED,ESTABLISHED
2982K  272M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
3101K  318M blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate INVALID,NEW
3101K  318M smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate INVALID,NEW
 118M   24G tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
 186M   62G loc2net    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
 121K   46M ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain log2 (13 references)
 pkts bytes target     prot opt in     out     source               destination
86456 5994K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net2loc:ACCEPT:''
86456 5994K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logflags (5 references)
 pkts bytes target     prot opt in     out     source               destination
  153  9944 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 4 level 6 prefix `Shorewall:logflags:DROP:''
  153  9944 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
1156K  128M blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate INVALID,NEW
1155K  128M smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate INVALID,NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
udp dpts:67:68
 230K   14M tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
   38  3192 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate RELATED,ESTABLISHED
  302 18471 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
icmp type 8 /* Ping */
  159  8988 %SSHKnock  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
multiport dports 22,632,633,634
1155K  128M Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
1116K  123M LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net2fw:DROP:''
1116K  123M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
 326M  352G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate RELATED,ESTABLISHED
 9918  475K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.9 
tcp dpt:3389
    3   136 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.25
tcp dpt:4899 ctorigdst 165.228.58.71
 8198  503K log2       tcp  --  *      *       0.0.0.0/0            192.168.0.2 
[goto] multiport dports 25,80,143,443,465,587,993,1723
  105  4832 log2       tcp  --  *      *       0.0.0.0/0            192.168.0.3 
[goto] tcp dpt:3389
 1930  112K log2       tcp  --  *      *       0.0.0.0/0            192.168.0.4 
[goto] multiport dports 80,443,9000
 1918  111K log2       tcp  --  *      *       0.0.0.0/0            192.168.0.5 
[goto] multiport dports 80,443,4662,6000,7777,45631,49160:49300
    0     0 log2       udp  --  *      *       0.0.0.0/0            192.168.0.5 
[goto] udp dpt:4672
  302 17424 log2       tcp  --  *      *       0.0.0.0/0            192.168.0.6 
[goto] multiport dports 80,443
    0     0 log2       tcp  --  *      *       202.124.246.88/29    192.168.0.5 
[goto] tcp dpt:22
 1610 85776 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.7 
multiport dports 80,443 ctorigdst 203.35.162.45
18276 1069K log2       tcp  --  *      *       0.0.0.0/0           
203.36.75.209       [goto] multiport dports
20,21,22,25,53,80,110,143,443,993,995
55533 4167K log2       udp  --  *      *       0.0.0.0/0           
203.36.75.209       [goto] udp dpt:53
    0     0 log2       tcp  --  *      *       202.124.246.88/29   
203.36.75.209       [goto]
    0     0 log2       udp  --  *      *       202.124.246.88/29   
203.36.75.209       [goto]
  194 10268 log2       tcp  --  *      *       0.0.0.0/0           
203.36.75.210       [goto] multiport dports
20,21,22,25,53,80,110,143,443,993,995
    0     0 log2       udp  --  *      *       0.0.0.0/0           
203.36.75.210       [goto] udp dpt:53
78497 4247K Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
20740 1364K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net2loc:DROP:''
20740 1364K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
  33M 2245M blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate INVALID,NEW
  33M 2245M smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ctstate INVALID,NEW
 250M  335G tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
  33M 2234M ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
 326M  352G net2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain reject (13 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
ADDRTYPE match src-type BROADCAST
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
    0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0
    8   396 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain smurflog (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain smurfs (4 references)
 pkts bytes target     prot opt in     out     source               destination
 3250 1136K RETURN     all  --  *      *       0.0.0.0              0.0.0.0/0
    0     0 smurflog   all  --  *      *       0.0.0.0/0            0.0.0.0/0   
[goto] ADDRTYPE match src-type BROADCAST
    0     0 smurflog   all  --  *      *       224.0.0.0/4          0.0.0.0/0   
[goto]

Chain tcpflags (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
[goto] tcp flags:0x3F/0x29
   85  6120 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
[goto] tcp flags:0x3F/0x00
    1    40 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
[goto] tcp flags:0x06/0x06
    1    40 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
[goto] tcp flags:0x03/0x03
   66  3744 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
[goto] tcp spt:0 flags:0x17/0x02

Log (/var/log/messages)

Jan 10 07:22:51 net2loc:DROP:IN=ppp0 OUT=eth1 SRC=218.30.15.215 DST=192.168.0.5
LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=55810 DF PROTO=TCP SPT=53119 DPT=22
WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 07:22:51 net2loc:DROP:IN=ppp0 OUT=eth1 SRC=218.30.15.215 DST=192.168.0.2
LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=34104 DF PROTO=TCP SPT=52582 DPT=22
WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 07:22:51 net2loc:DROP:IN=ppp0 OUT=eth1 SRC=218.30.15.215 DST=192.168.0.3
LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=44998 DF PROTO=TCP SPT=43981 DPT=22
WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 07:25:28 net2fw:DROP:IN=ppp0 OUT= SRC=122.9.56.186 DST=165.228.58.71
LEN=40 TOS=0x00 PREC=0x00 TTL=94 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384
RES=0x00 SYN URGP=0
Jan 10 07:26:07 net_dnat:DNAT:IN=ppp0 OUT= SRC=207.46.13.99 DST=203.35.162.45
LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=16241 DF PROTO=TCP SPT=16055 DPT=80
WINDOW=8192 RES=0x00 SYN URGP=0
Jan 10 07:29:26 net2fw:DROP:IN=ppp0 OUT= SRC=222.186.24.98 DST=165.228.58.71
LEN=40 TOS=0x00 PREC=0x00 TTL=99 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384
RES=0x00 SYN URGP=0
Jan 10 07:29:30 net2fw:DROP:IN=ppp0 OUT= SRC=61.164.117.77 DST=165.228.58.71
LEN=40 TOS=0x00 PREC=0x00 TTL=99 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384
RES=0x00 SYN URGP=0
Jan 10 07:36:22 net2loc:ACCEPT:IN=ppp0 OUT=eth1 SRC=1.144.207.87 DST=192.168.0.2
LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=16211 DF PROTO=TCP SPT=59560 DPT=443
WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 07:37:56 net2fw:DROP:IN=ppp0 OUT= SRC=116.255.144.111 DST=165.228.58.71
LEN=40 TOS=0x00 PREC=0x00 TTL=103 ID=256 PROTO=TCP SPT=6000 DPT=1433
WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 07:39:47 net2loc:ACCEPT:IN=ppp0 OUT=eth1 SRC=216.99.131.76
DST=192.168.0.2 LEN=64 TOS=0x00 PREC=0x00 TTL=47 ID=55950 DF PROTO=TCP SPT=59744
DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 07:40:17 net2loc:DROP:IN=ppp0 OUT=eth1 SRC=64.21.234.194 DST=192.168.0.6
LEN=61 TOS=0x00 PREC=0x00 TTL=110 ID=12198 PROTO=ICMP TYPE=8 CODE=0 ID=3
SEQ=45354
Jan 10 07:40:19 net2loc:DROP:IN=ppp0 OUT=eth1 SRC=64.21.234.194 DST=192.168.0.6
LEN=61 TOS=0x00 PREC=0x00 TTL=110 ID=12351 PROTO=ICMP TYPE=8 CODE=0 ID=3
SEQ=16683
Jan 10 07:46:21 net2fw:DROP:IN=ppp0 OUT= SRC=129.192.196.5 DST=165.228.58.71
LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=37329 DF PROTO=TCP SPT=54339 DPT=23
WINDOW=49640 RES=0x00 SYN URGP=0
Jan 10 07:46:25 net2fw:DROP:IN=ppp0 OUT= SRC=129.192.196.5 DST=165.228.58.71
LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=37330 DF PROTO=TCP SPT=54339 DPT=23
WINDOW=49640 RES=0x00 SYN URGP=0
Jan 10 07:48:06 net_dnat:DNAT:IN=ppp0 OUT= SRC=207.46.13.99 DST=203.35.162.45
LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=6825 DF PROTO=TCP SPT=10940 DPT=80
WINDOW=8192 RES=0x00 SYN URGP=0
Jan 10 07:48:24 net2loc:ACCEPT:IN=ppp0 OUT=eth1 SRC=110.22.254.185
DST=192.168.0.2 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=54144 DF PROTO=TCP SPT=63214
DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 07:49:40 net2loc:DROP:IN=ppp0 OUT=eth1 SRC=64.21.234.194 DST=192.168.0.4
LEN=61 TOS=0x00 PREC=0x00 TTL=110 ID=49099 PROTO=ICMP TYPE=8 CODE=0 ID=3
SEQ=29879
Jan 10 07:49:42 net2loc:DROP:IN=ppp0 OUT=eth1 SRC=64.21.234.194 DST=192.168.0.4
LEN=61 TOS=0x00 PREC=0x00 TTL=110 ID=49241 PROTO=ICMP TYPE=8 CODE=0 ID=3
SEQ=64695
Jan 10 07:53:29 net2loc:DROP:IN=ppp0 OUT=eth1 SRC=85.127.115.161 DST=192.168.0.2
LEN=61 TOS=0x00 PREC=0x00 TTL=105 ID=1014 PROTO=ICMP TYPE=8 CODE=0 ID=768
SEQ=16876
Jan 10 07:53:54 net_dnat:DNAT:IN=ppp0 OUT= SRC=211.154.255.57 DST=165.228.58.71
LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=17128 DF PROTO=TCP SPT=2198 DPT=3389
WINDOW=65535 RES=0x00 SYN URGP=0

NAT Table

Chain PREROUTING (policy ACCEPT 4235K packets, 425M bytes)
 pkts bytes target     prot opt in     out     source               destination
4326K  430M nat_in     all  --  *      *       0.0.0.0/0            0.0.0.0/0
4246K  426M dnat       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 606K packets, 50M bytes)
 pkts bytes target     prot opt in     out     source               destination
2889K  280M nat_out    all  --  *      *       0.0.0.0/0            0.0.0.0/0
2598K  253M ppp0_masq  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 26 packets, 1718 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
1708K  166M net_dnat   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain log0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
 9900  469K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net_dnat:DNAT:''
 9900  469K DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
to:192.168.0.9

Chain log1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   136 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net_dnat:DNAT:''
    3   136 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
to:192.168.0.25

Chain log3 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  668 36180 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0   
LOG flags 0 level 6 prefix `Shorewall:net_dnat:DNAT:''
  668 36180 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
to:192.168.0.7

Chain nat_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
15717  826K DNAT       all  --  *      *       0.0.0.0/0           
203.35.162.46       to:192.168.0.3
17914 1040K DNAT       all  --  *      *       0.0.0.0/0           
203.35.162.41       to:192.168.0.2
17290  998K DNAT       all  --  *      *       0.0.0.0/0           
203.35.162.42       to:192.168.0.5
 8757  471K DNAT       all  --  *      *       0.0.0.0/0           
203.35.162.43       to:192.168.0.6
19985 1040K DNAT       all  --  *      *       0.0.0.0/0           
203.35.162.44       to:192.168.0.4

Chain nat_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.0.3          0.0.0.0/0   
to:203.35.162.46
 153K   10M SNAT       all  --  *      *       192.168.0.2          0.0.0.0/0   
to:203.35.162.41
29534 1772K SNAT       all  --  *      *       192.168.0.5          0.0.0.0/0   
to:203.35.162.42
    0     0 SNAT       all  --  *      *       192.168.0.6          0.0.0.0/0   
to:203.35.162.43
   75  4551 SNAT       all  --  *      *       192.168.0.4          0.0.0.0/0   
to:203.35.162.44

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
 9900  469K log0       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
[goto] tcp dpt:3389
    3   136 log1       tcp  --  *      *       0.0.0.0/0           
165.228.58.71       [goto] tcp dpt:4899
  668 36180 log3       tcp  --  *      *       0.0.0.0/0           
203.35.162.45       [goto] multiport dports 80,443

Chain ppp0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
2099K  218M MASQUERADE  all  --  *      *       192.168.0.0/24       0.0.0.0/0

Mangle Table

Chain PREROUTING (policy ACCEPT 547M packets, 417G bytes)
 pkts bytes target     prot opt in     out     source               destination
 547M  417G tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 1625K packets, 164M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 545M packets, 417G bytes)
 pkts bytes target     prot opt in     out     source               destination
 545M  417G MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
MARK and 0x0
 545M  417G tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 387K packets, 86M bytes)
 pkts bytes target     prot opt in     out     source               destination
 387K   86M tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 546M packets, 417G bytes)
 pkts bytes target     prot opt in     out     source               destination
 546M  417G tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination

Raw Table

Chain PREROUTING (policy ACCEPT 547M packets, 417G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 387K packets, 86M bytes)
 pkts bytes target     prot opt in     out     source               destination

Conntrack Table (63 out of 32768)

udp      17 20 src=190.25.242.179 dst=203.36.75.209 sport=33006 dport=53
packets=53 bytes=3710 [UNREPLIED] src=203.36.75.209 dst=190.25.242.179 sport=53
dport=33006 packets=0 bytes=0 mark=0 use=2
udp      17 168 src=192.168.0.28 dst=199.108.3.4 sport=63318 dport=9875
packets=5385 bytes=173699 src=199.108.3.4 dst=165.228.58.71 sport=9875
dport=63318 packets=601 bytes=67347 [ASSURED] mark=0 use=2
tcp      6 431648 ESTABLISHED src=110.22.254.185 dst=203.35.162.41 sport=63214
dport=443 packets=10 bytes=1449 src=192.168.0.2 dst=110.22.254.185 sport=443
dport=63214 packets=6 bytes=3121 [ASSURED] mark=0 use=2
tcp      6 45 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30453 dport=80
packets=5 bytes=592 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30453
packets=5 bytes=556 [ASSURED] mark=0 use=2
udp      17 28 src=192.168.0.11 dst=255.255.255.255 sport=17784 dport=17784
packets=1 bytes=55 [UNREPLIED] src=255.255.255.255 dst=192.168.0.11 sport=17784
dport=17784 packets=0 bytes=0 mark=0 use=2
tcp      6 46 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30454 dport=80
packets=5 bytes=598 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30454
packets=5 bytes=559 [ASSURED] mark=0 use=2
tcp      6 40 SYN_SENT src=89.231.219.191 dst=203.35.162.40 sport=2807 dport=445
packets=116 bytes=6960 [UNREPLIED] src=203.35.162.40 dst=89.231.219.191
sport=445 dport=2807 packets=0 bytes=0 mark=0 use=2
tcp      6 429921 ESTABLISHED src=192.168.0.28 dst=114.141.200.85 sport=63310
dport=22 packets=964 bytes=82292 src=114.141.200.85 dst=165.228.58.71 sport=22
dport=63310 packets=857 bytes=199836 [ASSURED] mark=0 use=2
tcp      6 47 TIME_WAIT src=192.168.0.2 dst=204.2.160.233 sport=30455 dport=80
packets=5 bytes=592 src=204.2.160.233 dst=203.35.162.41 sport=80 dport=30455
packets=5 bytes=557 [ASSURED] mark=0 use=2
tcp      6 40 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30449 dport=80
packets=5 bytes=592 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30449
packets=5 bytes=556 [ASSURED] mark=0 use=2
tcp      6 53 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30459 dport=80
packets=5 bytes=592 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30459
packets=5 bytes=556 [ASSURED] mark=0 use=2
tcp      6 370387 ESTABLISHED src=49.197.170.251 dst=203.35.162.41 sport=62667
dport=443 packets=1 bytes=52 [UNREPLIED] src=192.168.0.2 dst=49.197.170.251
sport=443 dport=62667 packets=0 bytes=0 mark=0 use=2
tcp      6 24 TIME_WAIT src=192.168.0.5 dst=184.73.179.154 sport=34766 dport=80
packets=7 bytes=831 src=184.73.179.154 dst=203.35.162.42 sport=80 dport=34766
packets=7 bytes=3433 [ASSURED] mark=0 use=2
tcp      6 431864 ESTABLISHED src=192.168.0.2 dst=204.2.160.26 sport=30411
dport=80 packets=6 bytes=444 src=204.2.160.26 dst=203.35.162.41 sport=80
dport=30411 packets=5 bytes=3387 [ASSURED] mark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.0.28 dst=192.168.0.254 sport=63877
dport=22 packets=355 bytes=31468 src=192.168.0.254 dst=192.168.0.28 sport=22
dport=63877 packets=373 bytes=142893 [ASSURED] mark=0 use=2
udp      17 143 src=192.168.0.28 dst=199.108.3.4 sport=65454 dport=9875
packets=4904 bytes=158508 src=199.108.3.4 dst=165.228.58.71 sport=9875
dport=65454 packets=695 bytes=58992 [ASSURED] mark=0 use=2
tcp      6 37 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30447 dport=80
packets=5 bytes=592 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30447
packets=5 bytes=556 [ASSURED] mark=0 use=2
tcp      6 431986 ESTABLISHED src=192.168.0.2 dst=216.52.233.237 sport=29706
dport=443 packets=2281 bytes=134208 src=216.52.233.237 dst=203.35.162.41
sport=443 dport=29706 packets=1143 bytes=89193 [ASSURED] mark=0 use=2
tcp      6 35 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30446 dport=80
packets=5 bytes=598 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30446
packets=5 bytes=559 [ASSURED] mark=0 use=2
tcp      6 63 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30468 dport=80
packets=5 bytes=592 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30468
packets=5 bytes=556 [ASSURED] mark=0 use=2
tcp      6 57 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30462 dport=80
packets=5 bytes=592 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30462
packets=5 bytes=556 [ASSURED] mark=0 use=2
udp      17 165 src=192.168.0.28 dst=199.108.3.4 sport=63314 dport=9875
packets=5391 bytes=173895 src=199.108.3.4 dst=165.228.58.71 sport=9875
dport=63314 packets=611 bytes=72102 [ASSURED] mark=0 use=2
tcp      6 431990 ESTABLISHED src=192.168.0.28 dst=216.52.233.237 sport=52324
dport=443 packets=10533 bytes=617148 src=216.52.233.237 dst=165.228.58.71
sport=443 dport=52324 packets=5273 bytes=407016 [ASSURED] mark=0 use=2
tcp      6 61 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30467 dport=80
packets=5 bytes=598 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30467
packets=5 bytes=559 [ASSURED] mark=0 use=2
tcp      6 64 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30469 dport=80
packets=5 bytes=598 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30469
packets=5 bytes=559 [ASSURED] mark=0 use=2
tcp      6 54 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30460 dport=80
packets=5 bytes=598 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30460
packets=5 bytes=559 [ASSURED] mark=0 use=2
tcp      6 68 SYN_SENT src=219.81.166.162 dst=203.35.162.45 sport=2377 dport=445
packets=102 bytes=4896 [UNREPLIED] src=203.35.162.45 dst=219.81.166.162
sport=445 dport=2377 packets=0 bytes=0 mark=0 use=2
udp      17 28 src=192.168.0.11 dst=255.255.255.255 sport=57742 dport=3483
packets=1 bytes=65 [UNREPLIED] src=255.255.255.255 dst=192.168.0.11 sport=3483
dport=57742 packets=0 bytes=0 mark=0 use=2
tcp      6 4 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30437 dport=80
packets=5 bytes=484 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30437
packets=5 bytes=472 [ASSURED] mark=0 use=2
tcp      6 431358 ESTABLISHED src=192.168.0.22 dst=17.149.36.208 sport=49508
dport=5223 packets=965 bytes=84510 src=17.149.36.208 dst=165.228.58.71
sport=5223 dport=49508 packets=520 bytes=48464 [ASSURED] mark=0 use=2
udp      17 179 src=192.168.0.28 dst=199.108.3.59 sport=59828 dport=1350
packets=67700 bytes=3875363 src=199.108.3.59 dst=165.228.58.71 sport=1350
dport=59828 packets=144395 bytes=18309738 [ASSURED] mark=0 use=2
tcp      6 431782 ESTABLISHED src=192.168.0.23 dst=72.14.203.188 sport=55614
dport=5228 packets=308 bytes=22470 src=72.14.203.188 dst=165.228.58.71
sport=5228 dport=55614 packets=343 bytes=29865 [ASSURED] mark=0 use=2
tcp      6 43 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30451 dport=80
packets=5 bytes=592 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30451
packets=5 bytes=556 [ASSURED] mark=0 use=2
tcp      6 25 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30440 dport=80
packets=29 bytes=1506 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30440
packets=52 bytes=72134 [ASSURED] mark=0 use=2
tcp      6 43 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30452 dport=80
packets=5 bytes=598 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30452
packets=5 bytes=559 [ASSURED] mark=0 use=2
tcp      6 431967 ESTABLISHED src=192.168.0.2 dst=206.51.26.124 sport=49733
dport=3101 packets=4903 bytes=224561 src=206.51.26.124 dst=203.35.162.41
sport=3101 dport=49733 packets=2457 bytes=125318 [ASSURED] mark=0 use=2
tcp      6 431987 ESTABLISHED src=192.168.0.27 dst=216.52.233.213 sport=50087
dport=443 packets=9605 bytes=678015 src=216.52.233.213 dst=165.228.58.71
sport=443 dport=50087 packets=4802 bytes=428510 [ASSURED] mark=0 use=2
tcp      6 49 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30456 dport=80
packets=5 bytes=598 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30456
packets=5 bytes=559 [ASSURED] mark=0 use=2
tcp      6 430922 ESTABLISHED src=1.144.207.87 dst=203.35.162.41 sport=59560
dport=443 packets=9 bytes=1381 src=192.168.0.2 dst=1.144.207.87 sport=443
dport=59560 packets=6 bytes=3121 [ASSURED] mark=0 use=2
tcp      6 41 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30450 dport=80
packets=5 bytes=598 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30450
packets=5 bytes=559 [ASSURED] mark=0 use=2
tcp      6 34 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30445 dport=80
packets=5 bytes=592 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30445
packets=5 bytes=556 [ASSURED] mark=0 use=2
tcp      6 429445 ESTABLISHED src=192.168.0.28 dst=202.124.246.90 sport=63760
dport=22 packets=1191 bytes=86324 src=202.124.246.90 dst=165.228.58.71 sport=22
dport=63760 packets=1524 bytes=516700 [ASSURED] mark=0 use=2
tcp      6 51 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30458 dport=80
packets=5 bytes=598 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30458
packets=5 bytes=559 [ASSURED] mark=0 use=2
tcp      6 58 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30465 dport=80
packets=5 bytes=598 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30465
packets=5 bytes=559 [ASSURED] mark=0 use=2
udp      17 179 src=192.168.0.28 dst=199.108.3.59 sport=51843 dport=1350
packets=84905 bytes=4870402 src=199.108.3.59 dst=165.228.58.71 sport=1350
dport=51843 packets=180191 bytes=23983695 [ASSURED] mark=0 use=2
tcp      6 5 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30439 dport=80
packets=5 bytes=484 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30439
packets=5 bytes=472 [ASSURED] mark=0 use=2
tcp      6 61 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30466 dport=80
packets=5 bytes=592 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30466
packets=5 bytes=556 [ASSURED] mark=0 use=2
udp      17 179 src=192.168.0.28 dst=199.108.3.59 sport=51842 dport=1350
packets=85148 bytes=4877252 src=199.108.3.59 dst=165.228.58.71 sport=1350
dport=51842 packets=179807 bytes=23886100 [ASSURED] mark=0 use=2
tcp      6 38 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30448 dport=80
packets=5 bytes=598 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30448
packets=5 bytes=559 [ASSURED] mark=0 use=2
tcp      6 56 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30461 dport=80
packets=5 bytes=592 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30461
packets=5 bytes=556 [ASSURED] mark=0 use=2
tcp      6 50 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30457 dport=80
packets=5 bytes=592 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30457
packets=5 bytes=556 [ASSURED] mark=0 use=2
udp      17 170 src=192.168.0.28 dst=199.108.3.4 sport=63322 dport=9875
packets=5380 bytes=173532 src=199.108.3.4 dst=165.228.58.71 sport=9875
dport=63322 packets=605 bytes=68440 [ASSURED] mark=0 use=2
tcp      6 431864 ESTABLISHED src=192.168.0.2 dst=204.2.160.33 sport=30412
dport=80 packets=4 bytes=474 src=204.2.160.33 dst=203.35.162.41 sport=80
dport=30412 packets=3 bytes=613 [ASSURED] mark=0 use=2
tcp      6 2 TIME_WAIT src=192.168.0.2 dst=204.2.160.233 sport=30434 dport=80
packets=8 bytes=712 src=204.2.160.233 dst=203.35.162.41 sport=80 dport=30434
packets=11 bytes=11228 [ASSURED] mark=0 use=2
udp      17 18 src=192.168.0.5 dst=255.255.255.255 sport=3483 dport=3483
packets=1 bytes=44 [UNREPLIED] src=255.255.255.255 dst=192.168.0.5 sport=3483
dport=3483 packets=0 bytes=0 mark=0 use=2
tcp      6 4 TIME_WAIT src=192.168.0.2 dst=204.2.160.233 sport=30435 dport=80
packets=5 bytes=592 src=204.2.160.233 dst=203.35.162.41 sport=80 dport=30435
packets=5 bytes=557 [ASSURED] mark=0 use=2
udp      17 179 src=192.168.0.28 dst=199.108.3.59 sport=59775 dport=1350
packets=62724 bytes=3583933 src=199.108.3.59 dst=165.228.58.71 sport=1350
dport=59775 packets=134843 bytes=17173372 [ASSURED] mark=0 use=2
udp      17 169 src=192.168.0.28 dst=199.108.3.4 sport=63326 dport=9875
packets=5379 bytes=173502 src=199.108.3.4 dst=165.228.58.71 sport=9875
dport=63326 packets=601 bytes=67661 [ASSURED] mark=0 use=2
udp      17 179 src=192.168.0.28 dst=199.108.15.115 sport=53935 dport=1429
packets=58507 bytes=3793046 src=199.108.15.115 dst=165.228.58.71 sport=1429
dport=53935 packets=54724 bytes=4412875 [ASSURED] mark=0 use=2
tcp      6 26 TIME_WAIT src=192.168.0.2 dst=204.2.160.33 sport=30442 dport=80
packets=8 bytes=718 src=204.2.160.33 dst=203.35.162.41 sport=80 dport=30442
packets=11 bytes=11349 [ASSURED] mark=0 use=2
tcp      6 431760 ESTABLISHED src=192.168.0.28 dst=202.124.246.90 sport=63252
dport=22 packets=130976 bytes=5547620 src=202.124.246.90 dst=165.228.58.71
sport=22 dport=63252 packets=348853 bytes=50418032 [ASSURED] mark=0 use=2
tcp      6 32 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30444 dport=80
packets=5 bytes=598 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30444
packets=5 bytes=559 [ASSURED] mark=0 use=2
tcp      6 31 TIME_WAIT src=192.168.0.2 dst=204.2.160.59 sport=30443 dport=80
packets=5 bytes=592 src=204.2.160.59 dst=203.35.162.41 sport=80 dport=30443
packets=5 bytes=556 [ASSURED] mark=0 use=2

IP Configuration

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
    inet 192.168.0.254/24 brd 192.168.0.255 scope global eth1
191: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc
pfifo_fast state UNKNOWN qlen 3
    inet 165.228.58.71 peer 165.228.0.1/32 scope global ppp0
    inet 169.254.146.101/16 brd 169.254.255.255 scope global ppp0

IP Stats

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    3820       48       0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    3820       48       0       0       0       0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
    link/ether 00:0c:29:d8:d3:f9 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    1896565495 360659122 634     0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    366824949  219810960 0       0       0       0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
    link/ether 00:0c:29:d8:d3:03 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    588391538  188068415 2150    0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    535734912  326540417 0       0       0       0
191: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc
pfifo_fast state UNKNOWN qlen 3
    link/ppp
    RX: bytes  packets  errors  dropped overrun mcast
    4289167488 224406372 0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    2874417684 115692197 0       5       0       0

/proc

   /proc/version = Linux version 2.6.31-gentoo-r6 (root@gateway) (gcc version
4.1.2 (Gentoo 4.1.2 p1.0.2)) #4 SMP Sat Mar 13 13:37:59 EST 2010
   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/arp_ignore = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 0
   /proc/sys/net/ipv4/conf/all/log_martians = 0
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/arp_ignore = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 0
   /proc/sys/net/ipv4/conf/default/log_martians = 1
   /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/log_martians = 1
   /proc/sys/net/ipv4/conf/eth1/proxy_arp = 1
   /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth1/rp_filter = 1
   /proc/sys/net/ipv4/conf/eth1/log_martians = 1
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 0
   /proc/sys/net/ipv4/conf/lo/log_martians = 1
   /proc/sys/net/ipv4/conf/ppp0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/ppp0/arp_filter = 0
   /proc/sys/net/ipv4/conf/ppp0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/ppp0/rp_filter = 0
   /proc/sys/net/ipv4/conf/ppp0/log_martians = 1

Routing Rules

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Table local:

local 192.168.0.254 dev eth1  proto kernel  scope host  src 192.168.0.254
broadcast 192.168.0.255 dev eth1  proto kernel  scope link  src 192.168.0.254
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
broadcast 169.254.0.0 dev ppp0  proto kernel  scope link  src 169.254.146.101
local 169.254.146.101 dev ppp0  proto kernel  scope host  src 169.254.146.101
broadcast 192.168.0.0 dev eth1  proto kernel  scope link  src 192.168.0.254
broadcast 169.254.255.255 dev ppp0  proto kernel  scope link  src
169.254.146.101
local 165.228.58.71 dev ppp0  proto kernel  scope host  src 165.228.58.71
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1

Table main:

165.228.0.1 dev ppp0  proto kernel  scope link  src 165.228.58.71
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.254
169.254.0.0/16 dev ppp0  proto kernel  scope link  src 169.254.146.101
127.0.0.0/8 dev lo  scope link
default via 165.228.0.1 dev ppp0

ARP

? (192.168.0.19) at dc:2b:61:a6:58:35 [ether] on eth1
? (192.168.0.9) at 00:0c:29:0c:3a:6a [ether] on eth1
? (192.168.0.2) at 00:21:5a:fd:ba:a9 [ether] on eth1
? (192.168.0.23) at 38:e7:d8:b5:06:ce [ether] on eth1
? (192.168.0.28) at 80:ee:73:00:b4:1a [ether] on eth1
? (192.168.0.5) at 00:1d:60:48:6c:30 [ether] on eth1
? (192.168.0.27) at d4:9a:20:d8:87:b8 [ether] on eth1

Modules

ipt_CLUSTERIP           5824  0
ipt_ECN                 2076  0
ipt_MASQUERADE          2172  1
ipt_NETMAP              1500  0
ipt_REDIRECT            1500  0
ipt_ULOG                6628  0
ipt_addrtype            2044  3
ipt_ah                  1372  0
ipt_ecn                 1596  0
iptable_mangle          2268  1
iptable_nat             4252  1
iptable_raw             1756  0
nf_conntrack           53016  30
ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,xt_connlimit,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_state,xt_connmark,xt_conntrack,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_amanda     3452  1 nf_nat_amanda
nf_conntrack_ftp        6176  1 nf_nat_ftp
nf_conntrack_h323      43400  1 nf_nat_h323
nf_conntrack_ipv4      11592  25 iptable_nat,nf_nat
nf_conntrack_irc        4768  1 nf_nat_irc
nf_conntrack_netbios_ns     2140  0
nf_conntrack_netlink    15132  0
nf_conntrack_pptp       5088  1 nf_nat_pptp
nf_conntrack_proto_gre     4576  1 nf_conntrack_pptp
nf_conntrack_proto_sctp     6660  0
nf_conntrack_sane       4120  0
nf_conntrack_sip       14672  1 nf_nat_sip
nf_conntrack_tftp       3856  1 nf_nat_tftp
nf_defrag_ipv4          1564  1 nf_conntrack_ipv4
nf_nat                 14608  12
ipt_REDIRECT,ipt_NETMAP,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,ipt_MASQUERADE,iptable_nat
nf_nat_amanda           1564  0
nf_nat_ftp              2300  0
nf_nat_h323             5532  0
nf_nat_irc              1820  0
nf_nat_pptp             2652  0
nf_nat_proto_gre        1856  1 nf_nat_pptp
nf_nat_sip              5084  0
nf_nat_snmp_basic       8068  0
nf_nat_tftp             1308  0
xt_CLASSIFY             1308  0
xt_MARK                 1788  1
xt_NFLOG                1404  0
xt_NFQUEUE              1916  0
xt_TCPMSS               2780  1
xt_comment              1276  23
xt_connlimit            3620  0
xt_connmark             1916  0
xt_conntrack            3708  22
xt_dccp                 2500  0
xt_dscp                 2076  0
xt_hashlimit            7852  0
xt_helper               1724  0
xt_iprange              2108  0
xt_length               1500  0
xt_limit                2016  0
xt_mac                  1340  0
xt_mark                 1468  0
xt_multiport            2556  13
xt_owner                2204  0
xt_pkttype              1340  0
xt_policy               2588  0
xt_realm                1244  0
xt_recent               8544  5
xt_state                1756  0
xt_tcpmss               1692  0
xt_time                 2300  0

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Extended Connection Tracking Match Support: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Not available
   Physdev-is-bridged Support: Not available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Not available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Not available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Available
   Extended MARK Target: Available
   Extended MARK Target 2: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available
   NFQUEUE Target: Available
   Realm Match: Available
   Helper Match: Available
   Connlimit Match: Available
   Time Match: Available
   Goto Support: Available
   LOGMARK Target: Not available
   IPMARK Target: Not available
   LOG Target: Available
   Persistent SNAT: Not available
   TPROXY Target: Not available
   FLOW Classifier: Available

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
PID/Program name
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN    
4472/perl
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN    
4145/sshd
tcp        0      0 192.168.0.254:22        192.168.0.28:63877     
ESTABLISHED17185/1
udp        0      0 0.0.0.0:10000           0.0.0.0:*                         
4472/perl
udp        0      0 169.254.146.101:68      0.0.0.0:*                         
27392/dhcpcd

Traffic Control

Device eth0:
qdisc pfifo_fast 0: root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 69086302503 bytes 219810970 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0


Device eth1:
qdisc pfifo_fast 0: root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 357018021462 bytes 326540426 pkt (dropped 0, overlimits 0 requeues 92501)
 rate 0bit 0pps backlog 0b 0p requeues 92501


Device ppp0:
qdisc pfifo_fast 0: root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 7169385621 bytes 115692208 pkt (dropped 0, overlimits 0 requeues 1)
 rate 0bit 0pps backlog 0b 0p requeues 1



TC Filters

Device eth0:

Device eth1:

Device ppp0:



------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company
that requires sensitive data to be transmitted over the Web.   Learn how to 
best implement a security strategy that keeps consumers'' information
secure
and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl

Marcus Limosani

2011-Jan-10 08:41 UTC

head link

Re: Problems with Proxy ARP

Shorewall dump - Try number 3

I don''t think it liked the large message.



------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company
that requires sensitive data to be transmitted over the Web.   Learn how to 
best implement a security strategy that keeps consumers'' information
secure
and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl

Tom Eastep

2011-Jan-10 18:18 UTC

head link

Re: Problems with Proxy ARP

On 1/10/11 12:41 AM, Marcus Limosani wrote:> Shorewall dump - Try number 3
I don''t see any opportunities in this configuration to use Proxy ARP.
There are only two interfaces: ppp0 (which doesn''t use ARP) and eth1.
So
whatever problem you are seeing, it is not related to Proxy ARP.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company
that requires sensitive data to be transmitted over the Web.   Learn how to 
best implement a security strategy that keeps consumers'' information
secure
and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl

Marcus Limosani

2011-Jan-10 21:25 UTC

head link

Re: Problems with Proxy ARP

Thanks for your reply Tom.

This configuration though has at one point worked with ProxyARP.

Nothing with the machine itself has changed, only the version of Shorewall.

I will have to investigate further.


-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net] 
Sent: Tuesday, 11 January 2011 5:18 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Problems with Proxy ARP

On 1/10/11 12:41 AM, Marcus Limosani wrote:> Shorewall dump - Try number 3
I don''t see any opportunities in this configuration to use Proxy ARP.
There are only two interfaces: ppp0 (which doesn''t use ARP) and eth1.
So whatever problem you are seeing, it is not related to Proxy ARP.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company
that requires sensitive data to be transmitted over the Web.   Learn how to 
best implement a security strategy that keeps consumers'' information
secure
and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl

Tom Eastep

2011-Jan-10 22:39 UTC

head link

Re: Problems with Proxy ARP

On 1/10/11 1:25 PM, Marcus Limosani wrote:> Thanks for your reply Tom.
> 
> This configuration though has at one point worked with ProxyARP.
> 
> Nothing with the machine itself has changed, only the version of Shorewall.
> 
> I will have to investigate further.
If you tell us exactly what "doesn''t work", we may be able to
help.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company
that requires sensitive data to be transmitted over the Web.   Learn how to 
best implement a security strategy that keeps consumers'' information
secure
and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl

Marcus Limosani

2011-Jan-11 05:49 UTC

head link

Re: Problems with Proxy ARP

The machine is a virtual machine running on a VMWare system.

It had previously been accessible from inside and outside of the internal
network.

I could ping the IP address, which is 203.36.75.209 from within the internal
network, and access the services operating on the server from outside.

Presently, there is no access to this internally or externally, and the virtual
machine itself can not reach any IP''s outside itself.

I am unsure what else to tell you.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net] 
Sent: Tuesday, 11 January 2011 9:40 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Problems with Proxy ARP

On 1/10/11 1:25 PM, Marcus Limosani wrote:> Thanks for your reply Tom.
> 
> This configuration though has at one point worked with ProxyARP.
> 
> Nothing with the machine itself has changed, only the version of Shorewall.
> 
> I will have to investigate further.
If you tell us exactly what "doesn''t work", we may be able to
help.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company
that requires sensitive data to be transmitted over the Web.   Learn how to 
best implement a security strategy that keeps consumers'' information
secure
and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl

Tom Eastep

2011-Jan-11 15:00 UTC

head link

Re: Problems with Proxy ARP

On 1/10/11 9:49 PM, Marcus Limosani wrote:> The machine is a virtual machine running on a VMWare system.
> 
> It had previously been accessible from inside and outside of the internal
network.
> 
> I could ping the IP address, which is 203.36.75.209 from within the
internal network, and access the services operating on the server from outside.
> 
> Presently, there is no access to this internally or externally, and the
virtual machine itself can not reach any IP''s outside itself.
> 
> I am unsure what else to tell you.
You can start by telling where the virtual machine is. Is it running on
the firewall system? On a local node? Somewhere else???

If it is running on a local system, then you need to add a route to the
machine out of eth1. That has nothing to do with Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company
that requires sensitive data to be transmitted over the Web.   Learn how to 
best implement a security strategy that keeps consumers'' information
secure
and instills the confidence they need to proceed with transactions.
http://p.sf.net/sfu/oracle-sfdevnl

Shorewall users - Jan 2011 - Problems with Proxy ARP

Problems with Proxy ARP

Re: Problems with Proxy ARP

Re: Problems with Proxy ARP

Re: Problems with Proxy ARP

Re: Problems with Proxy ARP

Re: Problems with Proxy ARP

Re: Problems with Proxy ARP

Re: Problems with Proxy ARP

Re: Problems with Proxy ARP