On Tue, 11 Mar 2003 23:29:57 +0100 Erich Titl <[EMAIL PROTECTED]> wrote....
> I have set up a simulation of such a set up recently, I used a cable to
> simulate the wireless segment (no wireless cards for the moment), but I
> believe this should not make a difference.
>
> You might want to show a detailed sketch of your system including
> routing, shorewall info, ipsec.conf .... you name it.
>
> Be sure to include all addresses of all interfaces in your set up.
I have tried a lot of different configurations. It started like this:
Internet - eth0 firewall eth1 - wireless - eth0 router eth1 - LAN2
                           |                                  10.0.1.0/24
                    LAN1 10.0.0.0/24
Firewall:
gw:~$ ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 02:00:07:e3:92:1e brd ff:ff:ff:ff:ff:ff
inet 208.191.32.34/29 brd 208.191.32.39 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:e0:18:26:a4:51 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.1/24 brd 10.0.0.255 scope global eth1
16: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:e0:18:26:a4:51 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.1/24 brd 10.0.0.255 scope global ipsec0
17: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
18: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
19: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
gw:/home/hparker# ip route
208.191.32.32/29 dev eth0 proto kernel scope link src 208.191.32.34
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.1
10.0.0.0/24 dev ipsec0 proto kernel scope link src 10.0.0.1
127.0.0.0/8 dev lo scope link
default via 208.191.32.33 dev eth0
gw:/home/hparker#
gw:/home/hparker# cat /etc/ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces="ipsec0=eth1"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
keyingtries=0
disablearrivalcheck=no
authby=secret
conn plant
# Left security gateway, subnet behind it, next hop toward right.
left=10.0.0.1
leftsubnet=10.0.0.0/24
# Right security gateway, subnet behind it, next hop toward left.
right=10.0.1.254
rightsubnet=10.0.1.254/24
# To authorize this connection, but not actually start it, at startup,
# uncomment this.
auto=add
gw:/home/hparker# ipchains -L -n
Chain input (policy REJECT):
target prot opt source destination ports
ACCEPT udp ------ 0.0.0.0/0 0.0.0.0/0 68 -> 67
ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 68 -> 67
ACCEPT udp ------ 0.0.0.0/0 0.0.0.0/0 67 -> 68
ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 67 -> 68
ACCEPT tcp ------ 0.0.0.0/0 208.191.32.34 * -> 80
REJECT icmp ----l- 0.0.0.0/0 208.191.32.34 5 -> *
REJECT icmp ----l- 0.0.0.0/0 208.191.32.34 13 -> *
REJECT icmp ----l- 0.0.0.0/0 208.191.32.34 14 -> *
REJECT icmp ----l- 0.0.0.0/0 208.191.32.34 17 -> *
REJECT icmp ----l- 0.0.0.0/0 208.191.32.34 18 -> *
ACCEPT icmp ------ 0.0.0.0/0 208.191.32.34 * -> *
REJECT all ----l- 10.0.0.0/24 0.0.0.0/0 n/a
REJECT all ----l- 10.0.0.0/8 0.0.0.0/0 n/a
REJECT all ----l- 192.168.0.0/16 0.0.0.0/0 n/a
REJECT all ----l- 240.0.0.0/5 0.0.0.0/0 n/a
REJECT all ----l- 248.0.0.0/5 0.0.0.0/0 n/a
REJECT tcp ------ 0.0.0.0/0 208.191.32.34 * -> 2049
REJECT tcp ------ 0.0.0.0/0 208.191.32.34 2049 -> *
REJECT tcp ------ 0.0.0.0/0 208.191.32.34 * -> 137
REJECT udp ------ 0.0.0.0/0 208.191.32.34 * -> 137
REJECT tcp ------ 0.0.0.0/0 208.191.32.39 * -> 137
REJECT udp ------ 0.0.0.0/0 208.191.32.39 * -> 137
REJECT tcp ------ 0.0.0.0/0 208.191.32.34 * -> 138
REJECT udp ------ 0.0.0.0/0 208.191.32.34 * -> 138
REJECT tcp ------ 0.0.0.0/0 208.191.32.39 * -> 138
REJECT udp ------ 0.0.0.0/0 208.191.32.39 * -> 138
REJECT tcp ------ 0.0.0.0/0 208.191.32.34 * -> 139
REJECT udp ------ 0.0.0.0/0 208.191.32.34 * -> 139
REJECT tcp ------ 0.0.0.0/0 208.191.32.39 * -> 139
REJECT udp ------ 0.0.0.0/0 208.191.32.39 * -> 139
REJECT tcp ------ 0.0.0.0/0 208.191.32.34 * -> 445
REJECT udp ------ 0.0.0.0/0 208.191.32.34 * -> 445
REJECT udp ------ 0.0.0.0/0 208.191.32.39 * -> 445
REJECT tcp ------ 0.0.0.0/0 208.191.32.39 * -> 445
REJECT tcp ------ 0.0.0.0/0 208.191.32.34 137 -> *
REJECT udp ------ 0.0.0.0/0 208.191.32.34 137 -> *
REJECT tcp ------ 0.0.0.0/0 208.191.32.34 138 -> *
REJECT udp ------ 0.0.0.0/0 208.191.32.34 138 -> *
REJECT tcp ------ 0.0.0.0/0 208.191.32.34 139 -> *
REJECT udp ------ 0.0.0.0/0 208.191.32.34 139 -> *
REJECT tcp ------ 0.0.0.0/0 208.191.32.34 445 -> *
REJECT udp ------ 0.0.0.0/0 208.191.32.34 445 -> *
ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 113
ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 113 -> *
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 68 -> *
REJECT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 520
ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 25
ACCEPT tcp ------ 208.191.32.28 208.191.32.34 * -> 21
ACCEPT tcp ------ 208.191.32.28 208.191.32.34 * -> 20
ACCEPT tcp ------ 208.191.32.28 208.191.32.34 * -> 22
ACCEPT tcp ------ 64.216.105.3 208.191.32.34 * -> 21
ACCEPT tcp ------ 64.216.105.3 208.191.32.34 * -> 20
ACCEPT tcp ------ 64.216.105.3 208.191.32.34 * -> 22
ACCEPT tcp ------ 64.216.105.91 208.191.32.34 * -> 21
ACCEPT tcp ------ 64.216.105.91 208.191.32.34 * -> 20
ACCEPT tcp ------ 64.216.105.91 208.191.32.34 * -> 22
ACCEPT all ------ 10.0.0.0/24 0.0.0.0/0 n/a
ACCEPT all ------ 0.0.0.0/0 0.0.0.0/0 n/a
ACCEPT tcp !y---- 0.0.0.0/0 208.191.32.34 * -> 1024:65535
ACCEPT tcp ------ 0.0.0.0/0 208.191.32.34 20 -> 1024:65535
ACCEPT udp ------ 0.0.0.0/0 208.191.32.34 * -> 1024:65535
REJECT all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
Chain forward (policy REJECT):
target prot opt source destination ports
MASQ all ------ 10.0.0.0/24 0.0.0.0/0 n/a
REJECT all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
Chain output (policy REJECT):
target prot opt source destination ports
ACCEPT all ------ 0.0.0.0/0 10.0.0.0/24 n/a
ACCEPT all ------ 0.0.0.0/0 0.0.0.0/0 n/a
ACCEPT udp ------ 10.0.0.1 0.0.0.0/0 67 -> 68
ACCEPT tcp ------ 10.0.0.1 0.0.0.0/0 67 -> 68
ACCEPT tcp ------ 10.0.0.1 10.0.0.0/24 80 -> *
ACCEPT tcp ------ 208.191.32.34 0.0.0.0/0 80 -> *
ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 113 -> *
ACCEPT tcp ------ 0.0.0.0/0 0.0.0.0/0 * -> 113
ACCEPT tcp ------ 208.191.32.34 0.0.0.0/0 * -> 53
ACCEPT udp ------ 208.191.32.34 0.0.0.0/0 * -> 53
REJECT icmp ----l- 208.191.32.34 0.0.0.0/0 5 -> *
REJECT icmp ----l- 208.191.32.34 0.0.0.0/0 11 -> 1
REJECT icmp ----l- 208.191.32.34 0.0.0.0/0 12 -> *
REJECT icmp ----l- 208.191.32.34 0.0.0.0/0 13 -> *
REJECT icmp ----l- 208.191.32.34 0.0.0.0/0 14 -> *
REJECT icmp ----l- 208.191.32.34 0.0.0.0/0 17 -> *
REJECT icmp ----l- 208.191.32.34 0.0.0.0/0 18 -> *
ACCEPT icmp ------ 0.0.0.0/0 0.0.0.0/0 * -> *
ACCEPT tcp ------ 208.191.32.34 0.0.0.0/0 25 -> *
ACCEPT tcp ------ 208.191.32.34 208.191.32.28 21 -> 1024:65535
ACCEPT tcp ------ 208.191.32.34 208.191.32.28 20 -> 1024:65535
ACCEPT tcp ------ 208.191.32.34 208.191.32.28 22 -> 1024:65535
ACCEPT tcp ------ 208.191.32.34 64.216.105.3 21 -> 1024:65535
ACCEPT tcp ------ 208.191.32.34 64.216.105.3 20 -> 1024:65535
ACCEPT tcp ------ 208.191.32.34 64.216.105.3 22 -> 1024:65535
ACCEPT tcp ------ 208.191.32.34 64.216.105.91 21 -> 1024:65535
ACCEPT tcp ------ 208.191.32.34 64.216.105.91 20 -> 1024:65535
ACCEPT tcp ------ 208.191.32.34 64.216.105.91 22 -> 1024:65535
REJECT all ----l- 0.0.0.0/0 10.0.0.0/24 n/a
REJECT all ----l- 10.0.0.0/24 0.0.0.0/0 n/a
REJECT all ----l- 0.0.0.0/0 10.0.0.0/8 n/a
REJECT all ----l- 0.0.0.0/0 192.168.0.0/16 n/a
REJECT all ----l- 0.0.0.0/0 240.0.0.0/5 n/a
REJECT all ----l- 0.0.0.0/0 248.0.0.0/5 n/a
REJECT tcp ------ 208.191.32.34 0.0.0.0/0 * -> 137
REJECT udp ------ 208.191.32.34 0.0.0.0/0 * -> 137
REJECT tcp ------ 208.191.32.34 0.0.0.0/0 * -> 138
REJECT udp ------ 208.191.32.34 0.0.0.0/0 * -> 138
REJECT tcp ------ 208.191.32.34 0.0.0.0/0 * -> 139
REJECT udp ------ 208.191.32.34 0.0.0.0/0 * -> 139
REJECT tcp ------ 208.191.32.34 0.0.0.0/0 * -> 445
REJECT udp ------ 208.191.32.34 0.0.0.0/0 * -> 445
REJECT tcp ------ 208.191.32.34 0.0.0.0/0 137 -> *
REJECT udp ------ 208.191.32.34 0.0.0.0/0 137 -> *
REJECT tcp ------ 208.191.32.34 0.0.0.0/0 138 -> *
REJECT udp ------ 208.191.32.34 0.0.0.0/0 138 -> *
REJECT tcp ------ 208.191.32.34 0.0.0.0/0 139 -> *
REJECT udp ------ 208.191.32.34 0.0.0.0/0 139 -> *
REJECT tcp ------ 208.191.32.34 0.0.0.0/0 445 -> *
REJECT udp ------ 208.191.32.34 0.0.0.0/0 445 -> *
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 * -> 111
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 111 -> *
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 * -> 635
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 635 -> *
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 * -> 1723
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 * -> 1723
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 * -> 1745
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 * -> 1745
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 * -> 2049
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 2049 -> *
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 * -> 2049
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 2049 -> *
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 * -> 5631
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 * -> 5631
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 * -> 5632
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 * -> 5632
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 * -> 6000:6063
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 * -> 6000:6063
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 500 -> *
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 * -> 500
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 3306 -> *
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 3456 -> *
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 * -> 12345
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 * -> 12346
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 * -> 20034
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 * -> 31337
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 * -> 31338
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 * -> 5742
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 * -> 30303
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 * -> 40421
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 27665 -> *
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 27444 -> *
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 31335 -> *
REJECT tcp ----l- 208.191.32.34 0.0.0.0/0 20432 -> *
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 18753 -> *
REJECT udp ----l- 208.191.32.34 0.0.0.0/0 20433 -> *
ACCEPT tcp ------ 208.191.32.34 0.0.0.0/0 1024:65535 -> *
ACCEPT udp ------ 208.191.32.34 0.0.0.0/0 1024:65535 -> *
REJECT all ----l- 0.0.0.0/0 0.0.0.0/0 n/a
Router:
# ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:02:e3:15:ce:69 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.117/24 brd 10.0.0.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:40:63:c0:93:2a brd ff:ff:ff:ff:ff:ff
inet 10.0.1.254/24 brd 10.0.1.255 scope global eth1
5: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:02:e3:15:ce:69 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.117/24 brd 192.168.1.255 scope global ipsec0
6: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
7: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
8: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
# ip route
10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.254
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.117
10.0.0.0/24 dev ipsec0 proto kernel scope link src 10.0.0.117
default via 192.168.1.254 dev eth0
# cat /etc/ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces="ipsec0=eth0"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# Pre-shared secret authentication (secret in /etc/ipsec.secrets).
authby=secret
conn office
left=10.0.1.254
leftsubnet=10.0.1.0/24
right=10.0.0.1
rightsubnet=10.0.0.0/24
auto=start
Shorewall-1.3.1 Status at firewall - Wed Mar 12 04:17:23 UTC 2003
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- lo * 0.0.0.0/0 0.0.0.0/0
385 58816 eth0_in ah -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 eth1_in ah -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ipsec0_in ah -- ipsec0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 eth0_fwd ah -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 eth1_fwd ah -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ipsec0_fwd ah -- ipsec0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 ACCEPT udp -- * eth1 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
145 19908 fw2net ah -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 all2all ah -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 fw2gw ah -- * ipsec0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain all2all (5 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain common (0 references)
pkts bytes target prot opt in out source destination
0 0 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x10/0x10
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x04/0x04
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445 reject-with icmp-port-unreachable
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
0 0 DROP ah -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP ah -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 state NEW
0 0 DROP ah -- * * 0.0.0.0/0 10.0.0.255
0 0 DROP ah -- * * 0.0.0.0/0 10.0.1.255
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 net2all ah -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 net2all ah -- * ipsec0 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
385 58816 net2fw ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 loc2net ah -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 loc2gw ah -- * ipsec0 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 loc2fw ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2gw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
144 19838 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT 51 -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
1 70 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain gw2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
Chain ipsec0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 all2all ah -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 gw2loc ah -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain ipsec0_in (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 all2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2gw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
179 40600 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
204 18096 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT 51 -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500 state NEW
2 120 ACCEPT tcp -- * * 10.0.0.1 0.0.0.0/0 state NEW tcp dpt:22
179 40600 net2all ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (2 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT ah -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 157 packets, 35329 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 70 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE ah -- * eth0 10.0.1.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1 packets, 70 bytes)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 445 packets, 62488 bytes)
pkts bytes target prot opt in out source destination
443 61832 pretos ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 443 packets, 61832 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 290 packets, 44376 bytes)
pkts bytes target prot opt in out source destination
290 44376 outtos ah -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 290 packets, 44376 bytes)
pkts bytes target prot opt in out source destination
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
289 44306 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
263 21096 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
tcp 6 431999 ESTABLISHED src=10.0.0.1 dst=10.0.0.117 sport=53441 dport=22 src=10.0.0.117 dst=10.0.0.1 sport=22 dport=53441 [ASSURED] use=1
---
Homer Parker /"\ ASCII Ribbon Campaign
\ / No HTML/RTF in email
http://www.homershut.net x No Word docs in email
telnet://bbs.homershut.net / \ Respect for open standards
"Bill Gates reports on security progress made and the challenges ahead."
-- Microsoft's Homepage, on the day an SQL Server bug crippled large
sections of the Internet.
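Added example, not code from the post above, from FreeS/WAN or from Shorewall: a short Python script that cross-checks the two ipsec.conf files against the `ip addr` listings, which is the first thing to verify on a setup like this before looking at the firewall rules. The embedded conn sections and interface addresses are copied from the listings in the post (constructed inline so the script runs offline). Three of the checks encode FreeS/WAN behaviour: KLIPS gives ipsecN the address of the physical interface it is bound to, Pluto orients a conn by matching left/right against the address of an IPsec-bound interface, and leftsubnet/rightsubnet must be network addresses. The fourth (a peer on the same segment should lie inside the bound link's network) is a heuristic and is labelled as such in the code.

```python
import ipaddress
import re

# Conn and setup sections copied from the two `cat /etc/ipsec.conf` listings above.
FIREWALL_CONF = """
config setup
    interfaces="ipsec0=eth1"
conn plant
    left=10.0.0.1
    leftsubnet=10.0.0.0/24
    right=10.0.1.254
    rightsubnet=10.0.1.254/24
    auto=add
"""
ROUTER_CONF = """
config setup
    interfaces="ipsec0=eth0"
conn office
    left=10.0.1.254
    leftsubnet=10.0.1.0/24
    right=10.0.0.1
    rightsubnet=10.0.0.0/24
    auto=start
"""
# Interface addresses copied from the two `ip addr` listings above.
FIREWALL_ADDRS = {"eth0": "208.191.32.34/29", "eth1": "10.0.0.1/24", "ipsec0": "10.0.0.1/24"}
ROUTER_ADDRS = {"eth0": "10.0.0.117/24", "eth1": "10.0.1.254/24", "ipsec0": "192.168.1.117/24"}


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: {("config"|"conn", name): {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and indentation
        if not line:
            continue
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections


def check_gateway(conf_text, addrs, conn):
    """Return a list of problems in one gateway's own view of `conn`."""
    sections = parse_ipsec_conf(conf_text)
    c = sections[("conn", conn)]
    problems = []
    # interfaces="ipsec0=eth1 ipsec1=eth2" -> {"ipsec0": "eth1", ...}
    bound = dict(pair.split("=", 1) for pair in sections[("config", "setup")]["interfaces"].split())
    links = {phys: ipaddress.ip_interface(addrs[phys]) for phys in bound.values()}

    # 1. KLIPS copies the physical interface's address onto ipsecN; anything else
    #    there means the IPsec stack was brought up against an older configuration.
    for virt, phys in bound.items():
        if virt in addrs and addrs[virt] != addrs[phys]:
            problems.append(f"{virt} carries {addrs[virt]} but is bound to {phys} ({addrs[phys]}): stale binding")

    # 2. Pluto orients a conn by finding left or right among the addresses of its
    #    IPsec-bound interfaces; if neither matches, the conn is unusable on this host.
    local_ips = {str(link.ip) for link in links.values()}
    mine = [side for side in ("left", "right") if c[side] in local_ips]
    if not mine:
        problems.append(f"neither left={c['left']} nor right={c['right']} is the address of an "
                        f"IPsec-bound interface: conn cannot be oriented")
        return problems
    peer = "right" if mine[0] == "left" else "left"

    # 3. Subnets must be network addresses; strict=True rejects host bits such as 10.0.1.254/24.
    for key in ("leftsubnet", "rightsubnet"):
        try:
            ipaddress.ip_network(c[key])
        except ValueError:
            problems.append(f"{key}={c[key]} has host bits set; use the network address")

    # 4. Heuristic: a peer on the same segment should lie inside the bound link's network;
    #    otherwise IKE and ESP to it leave via whatever route the kernel has for it.
    peer_ip = ipaddress.ip_address(c[peer])
    if not any(peer_ip in link.network for link in links.values()):
        problems.append(f"{peer}={c[peer]} is not on any IPsec-bound link; "
                        f"IKE/ESP to it will follow the ordinary routing table")
    return problems


def check_pair(a_text, a_conn, b_text, b_conn):
    """Cross-check that two gateways describe the same tunnel (sides may be swapped)."""
    a = parse_ipsec_conf(a_text)[("conn", a_conn)]
    b = parse_ipsec_conf(b_text)[("conn", b_conn)]
    keys = ("left", "right", "leftsubnet", "rightsubnet")
    swapped = ("right", "left", "rightsubnet", "leftsubnet")
    mapping = list(zip(keys, keys if a["left"] == b["left"] else swapped))
    problems = []
    for ka, kb in mapping:
        va, vb = a[ka], b[kb]
        if ka.endswith("subnet"):   # compare the networks; host bits are reported by check_gateway
            va = str(ipaddress.ip_network(va, strict=False))
            vb = str(ipaddress.ip_network(vb, strict=False))
        if va != vb:
            problems.append(f"{a_conn}.{ka}={a[ka]} does not match {b_conn}.{kb}={b[kb]}")
    return problems


if __name__ == "__main__":
    for name, text, addrs, conn in (("firewall", FIREWALL_CONF, FIREWALL_ADDRS, "plant"),
                                    ("router", ROUTER_CONF, ROUTER_ADDRS, "office")):
        for p in check_gateway(text, addrs, conn) or ["no problems found"]:
            print(f"{name}: {p}")
    for p in check_pair(FIREWALL_CONF, "plant", ROUTER_CONF, "office") or ["both ends agree"]:
        print(f"pair: {p}")
```

Run against the posted files, the pair check passes (the two conn sections mirror each other once 10.0.1.254/24 is normalised to 10.0.1.0/24), so the disagreement is between each file and the box it runs on: on the router neither left=10.0.1.254 nor right=10.0.0.1 is the address of eth0 (10.0.0.117), the interface ipsec0 is bound to, and ipsec0 there still carries 192.168.1.117; on the firewall the script flags the host bits in rightsubnet and that right=10.0.1.254 is not on the eth1 link. Feed it real files by reading them into the two strings and filling the address dicts from `ip addr`.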
