Hey everyone,
I have set up my Bering 1.1 firewall with 3 NICs, one for external (eth0)
and the other two for a couple of small Windows Workgroups. Here's the
setup for the internal interfaces:
eth1 = wkgrp1 (192.168.1.0/24)
eth2 = wkgrp2 (192.168.2.0/24)
This seems to be working okay. I can get out from both subnets, resolve
names with dnscache, etc; but I can't see a host from one subnet to the
other. In other words, if I ping a host on wkgrp2 from a host on wkgrp1,
I get a "destination port unreachable" response. However, if I ping
192.168.2.254 from a host on wkgrp1, or 192.168.1.254 from a host on
wkgrp2, I get a response.
In Shorewall, I didn't define an additional zone for the second subnet, just
added it to the existing loc subnet.
The following is the output from...
ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:50:da:5a:1f:71 brd ff:ff:ff:ff:ff:ff
inet 140.142.207.130/24 brd 255.255.255.255 scope global eth0
inet 140.142.207.131/24 brd 255.255.255.255 scope global secondary eth0
inet 140.142.207.136/24 brd 255.255.255.255 scope global secondary eth0
inet 140.142.207.137/24 brd 255.255.255.255 scope global secondary eth0
inet 140.142.207.139/24 brd 255.255.255.255 scope global secondary eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:09:5b:1b:81:0e brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:09:5b:1b:80:24 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.254/24 brd 192.168.1.255 scope global eth2
ip route show
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
140.142.207.0/24 dev eth0 proto kernel scope link src 140.142.207.130
default via 140.142.207.100 dev eth0
shorewall status
Shorewall-1.4.2 Status at vilgw - Sat Nov 29 14:27:28 UTC 2003
Counters reset Sat Nov 29 14:05:49 UTC 2003
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
3 238 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
205 21474 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
1043 73946 eth1_in all -- eth1 * 0.0.0.0/0 0.0.0.0/0
29 4221 eth2_in all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
2646 427K eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
4627 374K eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
48 5040 eth2_fwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
3 238 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
58 4387 fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
757 137K fw2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
50 6516 fw2loc all -- * eth2 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain all2all (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
131 16399 common all -- * * 0.0.0.0/0 0.0.0.0/0
52 5280 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
52 5280 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain common (5 references)
pkts bytes target prot opt in out source destination
102 3768 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
128 15402 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:139
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 state NEW
0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 192.168.1.255
0 0 DROP all -- * * 0.0.0.0/0 192.168.1.255
Chain dynamic (6 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
2646 427K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
14 1418 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
2642 427K net2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
4 638 net2loc all -- * eth2 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
205 21474 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
65 4765 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0
state NEW
205 21474 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
4627 374K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
4623 374K loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 loc2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
4 240 loc2loc all -- * eth2 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
1043 73946 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
1043 73946 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
48 5040 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
48 5040 loc2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 loc2loc all -- * eth2 0.0.0.0/0 0.0.0.0/0
Chain eth2_in (1 references)
pkts bytes target prot opt in out source destination
29 4221 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
29 4221 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2loc (2 references)
pkts bytes target prot opt in out source destination
807 144K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
16 1696 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:53
42 2691 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:53
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination
Chain loc2fw (2 references)
pkts bytes target prot opt in out source destination
985 66552 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
3 196 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW udp dpt:53
4 240 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:80
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp dpt:22
79 11119 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2loc (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.18
state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.18
state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.2
state NEW tcp dpt:22
52 5280 all2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (2 references)
pkts bytes target prot opt in out source destination
4567 370K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
16 1600 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
40 2400 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (30 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
177 9711 common all -- * * 0.0.0.0/0 0.0.0.0/0
128 5428 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
128 5428 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
42 13181 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
163 8293 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2loc (2 references)
pkts bytes target prot opt in out source destination
2632 426K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
state NEW tcp flags:!0x16/0x02
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.1.18
icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.1.20
icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.1.2
icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.18
state NEW tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.18
state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.18
state NEW tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.18
state NEW tcp dpts:5000:6000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.2
state NEW tcp dpt:22
0 0 ACCEPT udp -- * * 128.95.48.15 192.168.1.20
state NEW udp dpt:111
0 0 ACCEPT tcp -- * * 128.95.48.15 192.168.1.20
state NEW tcp dpt:111
0 0 ACCEPT udp -- * * 128.95.48.15 192.168.1.20
state NEW udp dpt:1023
0 0 ACCEPT udp -- * * 128.95.48.15 192.168.1.20
state NEW udp dpt:2049
0 0 ACCEPT tcp -- * * 12.235.186.124 192.168.2.12
state NEW tcp dpt:21
0 0 ACCEPT tcp -- * * 12.235.186.124 192.168.2.12
state NEW tcp dpt:3389
14 1418 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain newnotsyn (9 references)
pkts bytes target prot opt in out source destination
16 1600 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (10 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
180 20682 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
Chain rfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 logdrop all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 logdrop all -- * * 192.0.2.0/24 0.0.0.0/0
0 0 logdrop all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 2.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 5.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 7.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 23.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 27.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 31.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 36.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 39.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 41.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 42.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 49.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 50.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 58.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 60.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 70.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 72.0.0.0/5 0.0.0.0/0
0 0 logdrop all -- * * 83.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 84.0.0.0/6 0.0.0.0/0
0 0 logdrop all -- * * 88.0.0.0/5 0.0.0.0/0
0 0 logdrop all -- * * 96.0.0.0/3 0.0.0.0/0
0 0 logdrop all -- * * 127.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 197.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 198.18.0.0/15 0.0.0.0/0
0 0 logdrop all -- * * 201.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 240.0.0.0/4 0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Nov 29 14:25:31 net2all:DROP:IN=eth0 OUT= SRC=140.142.207.100 DST=140.142.207.255
LEN=36 TOS=0x00 PREC=0x00 TTL=255 ID=39242 PROTO=ICMP TYPE=9 CODE=0
Nov 29 14:25:46 net2all:DROP:IN=eth0 OUT= SRC=140.142.207.100 DST=140.142.207.255
LEN=36 TOS=0x00 PREC=0x00 TTL=255 ID=39246 PROTO=ICMP TYPE=9 CODE=0
Nov 29 14:25:54 all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.21 DST=192.168.1.1
LEN=105 TOS=0x00 PREC=0x00 TTL=127 ID=373 PROTO=UDP SPT=1027 DPT=161 LEN=85
Nov 29 14:25:54 all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.24 DST=192.168.1.1
LEN=105 TOS=0x00 PREC=0x00 TTL=127 ID=695 PROTO=UDP SPT=1026 DPT=161 LEN=85
Nov 29 14:25:57 net2all:DROP:IN=eth0 OUT= SRC=140.142.207.45 DST=140.142.207.255
LEN=40 TOS=0x00 PREC=0x00 TTL=30 ID=17394 PROTO=UDP SPT=1040 DPT=2301 LEN=20
Nov 29 14:25:58 net2all:DROP:IN=eth0 OUT= SRC=140.142.207.100 DST=140.142.207.255
LEN=36 TOS=0x00 PREC=0x00 TTL=255 ID=39249 PROTO=ICMP TYPE=9 CODE=0
Nov 29 14:26:00 all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.24 DST=192.168.1.1
LEN=105 TOS=0x00 PREC=0x00 TTL=127 ID=696 PROTO=UDP SPT=1026 DPT=161 LEN=85
Nov 29 14:26:01 all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.21 DST=192.168.1.1
LEN=105 TOS=0x00 PREC=0x00 TTL=127 ID=374 PROTO=UDP SPT=1027 DPT=161 LEN=85
Nov 29 14:26:06 all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.24 DST=192.168.1.1
LEN=105 TOS=0x00 PREC=0x00 TTL=127 ID=697 PROTO=UDP SPT=1026 DPT=161 LEN=85
Nov 29 14:26:07 all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.21 DST=192.168.1.1
LEN=105 TOS=0x00 PREC=0x00 TTL=127 ID=375 PROTO=UDP SPT=1027 DPT=161 LEN=85
Nov 29 14:26:10 net2all:DROP:IN=eth0 OUT= SRC=140.142.207.100 DST=140.142.207.255
LEN=36 TOS=0x00 PREC=0x00 TTL=255 ID=39254 PROTO=ICMP TYPE=9 CODE=0
Nov 29 14:26:12 all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.24 DST=192.168.1.1
LEN=105 TOS=0x00 PREC=0x00 TTL=127 ID=698 PROTO=UDP SPT=1026 DPT=161 LEN=85
Nov 29 14:26:13 all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.21 DST=192.168.1.1
LEN=105 TOS=0x00 PREC=0x00 TTL=127 ID=376 PROTO=UDP SPT=1027 DPT=161 LEN=85
Nov 29 14:26:23 net2all:DROP:IN=eth0 OUT= SRC=140.142.207.100 DST=140.142.207.255
LEN=36 TOS=0x00 PREC=0x00 TTL=255 ID=39259 PROTO=ICMP TYPE=9 CODE=0
Nov 29 14:26:35 net2all:DROP:IN=eth0 OUT= SRC=140.142.207.100 DST=140.142.207.255
LEN=36 TOS=0x00 PREC=0x00 TTL=255 ID=39268 PROTO=ICMP TYPE=9 CODE=0
Nov 29 14:26:48 net2all:DROP:IN=eth0 OUT= SRC=140.142.207.100 DST=140.142.207.255
LEN=36 TOS=0x00 PREC=0x00 TTL=255 ID=39271 PROTO=ICMP TYPE=9 CODE=0
Nov 29 14:26:57 net2all:DROP:IN=eth0 OUT= SRC=140.142.207.45 DST=140.142.207.255
LEN=40 TOS=0x00 PREC=0x00 TTL=30 ID=17481 PROTO=UDP SPT=1040 DPT=2301 LEN=20
Nov 29 14:27:01 net2all:DROP:IN=eth0 OUT= SRC=140.142.207.100 DST=140.142.207.255
LEN=36 TOS=0x00 PREC=0x00 TTL=255 ID=39277 PROTO=ICMP TYPE=9 CODE=0
Nov 29 14:27:13 net2all:DROP:IN=eth0 OUT= SRC=140.142.207.100 DST=140.142.207.255
LEN=36 TOS=0x00 PREC=0x00 TTL=255 ID=39281 PROTO=ICMP TYPE=9 CODE=0
Nov 29 14:27:28 net2all:DROP:IN=eth0 OUT= SRC=140.142.207.100 DST=140.142.207.255
LEN=36 TOS=0x00 PREC=0x00 TTL=255 ID=39293 PROTO=ICMP TYPE=9 CODE=0
NAT Table
Chain PREROUTING (policy ACCEPT 270 packets, 26430 bytes)
pkts bytes target prot opt in out source destination
284 27848 nat_in all -- * * 0.0.0.0/0 0.0.0.0/0
119 11700 loc_dnat all -- eth1 * 0.0.0.0/0 0.0.0.0/0
76 9195 loc_dnat all -- eth2 * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 44 packets, 2831 bytes)
pkts bytes target prot opt in out source destination
84 5231 nat_out all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 loc_snat all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 loc_snat all -- * eth2 0.0.0.0/0 0.0.0.0/0
82 5091 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 44 packets, 2831 bytes)
pkts bytes target prot opt in out source destination
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
40 2400 SNAT all -- * * 192.168.1.0/24 0.0.0.0/0
to:140.142.207.130
0 0 SNAT all -- * * 192.168.2.0/24 0.0.0.0/0
to:140.142.207.130
Chain loc_dnat (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 140.142.207.137
tcp dpt:80 to:192.168.1.18
0 0 DNAT tcp -- * * 0.0.0.0/0 140.142.207.137
tcp dpt:22 to:192.168.1.18
0 0 DNAT tcp -- * * 0.0.0.0/0 140.142.207.136
tcp dpt:22 to:192.168.1.2
Chain loc_snat (2 references)
pkts bytes target prot opt in out source destination
0 0 SNAT tcp -- * * 0.0.0.0/0 192.168.1.18
tcp dpt:80 to:192.168.1.254
0 0 SNAT tcp -- * * 0.0.0.0/0 192.168.1.18
tcp dpt:80 to:192.168.1.254
0 0 SNAT tcp -- * * 0.0.0.0/0 192.168.1.18
tcp dpt:22 to:192.168.1.254
0 0 SNAT tcp -- * * 0.0.0.0/0 192.168.1.18
tcp dpt:22 to:192.168.1.254
0 0 SNAT tcp -- * * 0.0.0.0/0 192.168.1.2
tcp dpt:22 to:192.168.1.254
0 0 SNAT tcp -- * * 0.0.0.0/0 192.168.1.2
tcp dpt:22 to:192.168.1.254
Chain nat_in (1 references)
pkts bytes target prot opt in out source destination
4 638 DNAT all -- * * 0.0.0.0/0 140.142.207.131
to:192.168.2.12
4 312 DNAT all -- * * 0.0.0.0/0 140.142.207.136
to:192.168.1.2
3 234 DNAT all -- * * 0.0.0.0/0 140.142.207.137
to:192.168.1.18
3 234 DNAT all -- * * 0.0.0.0/0 140.142.207.139
to:192.168.1.20
Chain nat_out (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 192.168.2.12 0.0.0.0/0
to:140.142.207.131
0 0 SNAT all -- * * 192.168.1.2 0.0.0.0/0
to:140.142.207.136
0 0 SNAT all -- * * 192.168.1.18 0.0.0.0/0
to:140.142.207.137
0 0 SNAT all -- * * 192.168.1.20 0.0.0.0/0
to:140.142.207.139
Mangle Table
Chain PREROUTING (policy ACCEPT 8611 packets, 907K bytes)
pkts bytes target prot opt in out source destination
89 6953 man1918 all -- eth0 * 0.0.0.0/0 0.0.0.0/0
state NEW
8611 907K pretos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 1280 packets, 99879 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 7321 packets, 807K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 868 packets, 148K bytes)
pkts bytes target prot opt in out source destination
868 148K outtos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 8107 packets, 947K bytes)
pkts bytes target prot opt in out source destination
Chain logdrop (30 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:man1918:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain man1918 (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 169.254.0.0/16
0 0 logdrop all -- * * 0.0.0.0/0 172.16.0.0/12
0 0 logdrop all -- * * 0.0.0.0/0 192.0.2.0/24
0 0 logdrop all -- * * 0.0.0.0/0 192.168.0.0/16
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 2.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 5.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 7.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 23.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 27.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 31.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 36.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 39.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 41.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 42.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 49.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 50.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 58.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 60.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 70.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 72.0.0.0/5
0 0 logdrop all -- * * 0.0.0.0/0 83.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 84.0.0.0/6
0 0 logdrop all -- * * 0.0.0.0/0 88.0.0.0/5
0 0 logdrop all -- * * 0.0.0.0/0 96.0.0.0/3
0 0 logdrop all -- * * 0.0.0.0/0 127.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 197.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 198.18.0.0/15
0 0 logdrop all -- * * 0.0.0.0/0 201.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 240.0.0.0/4
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 TOS set 0x10
742 136K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
5340 403K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22 TOS set 0x10
2386 319K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:20 TOS set 0x08
tcp 6 431999 ESTABLISHED src=192.168.1.4 dst=192.168.1.254 sport=32803 dport=22
src=192.168.1.254 dst=192.168.1.4 sport=22 dport=32803 [ASSURED] use=1
tcp 6 431968 ESTABLISHED src=192.168.1.4 dst=140.142.15.38 sport=32804 dport=22
src=140.142.15.38 dst=140.142.207.130 sport=22 dport=32804 [ASSURED] use=1
Thanks,
Stefan
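Two sanity checks over the diagnostics pasted above, written as an added example (not code from the post or from Shorewall): one recomputes the broadcast address for each address in the `ip addr show` output and flags interfaces whose configured `brd` does not belong to their own prefix (eth2 above carries brd 192.168.1.255 on 192.168.2.254/24), and one summarises the Shorewall log lines by chain, action and interface pair so the chain that is rejecting a flow (here all2all for eth2 -> eth1) stands out. The sample input is copied from the post; the regexes assume the line layouts shown there.

```python
"""Sanity checks over the pasted diagnostics (added example, not the post's code).

  1. broadcast_mismatches(): for each 'inet a.b.c.d/len brd X ... iface' line,
     compute the broadcast of the prefix and report it if 'brd' differs.
  2. summarize_log(): count Shorewall log entries by
     (chain, action, IN, OUT, PROTO, DPT) so the rejecting chain is obvious.
Sample input below is copied from the post (indentation reconstructed).
"""
import ipaddress
import re
from collections import Counter

IP_ADDR_SHOW = """\
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    inet 192.168.2.254/24 brd 192.168.1.255 scope global eth2
"""

SHOREWALL_LOG = """\
Nov 29 14:25:31 net2all:DROP:IN=eth0 OUT= SRC=140.142.207.100 DST=140.142.207.255 LEN=36 TOS=0x00 PREC=0x00 TTL=255 ID=39242 PROTO=ICMP TYPE=9 CODE=0
Nov 29 14:25:54 all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.21 DST=192.168.1.1 LEN=105 TOS=0x00 PREC=0x00 TTL=127 ID=373 PROTO=UDP SPT=1027 DPT=161 LEN=85
Nov 29 14:25:54 all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.24 DST=192.168.1.1 LEN=105 TOS=0x00 PREC=0x00 TTL=127 ID=695 PROTO=UDP SPT=1026 DPT=161 LEN=85
Nov 29 14:25:57 net2all:DROP:IN=eth0 OUT= SRC=140.142.207.45 DST=140.142.207.255 LEN=40 TOS=0x00 PREC=0x00 TTL=30 ID=17394 PROTO=UDP SPT=1040 DPT=2301 LEN=20
"""

# 'inet <cidr> brd <brd> scope <scope> [secondary] <iface>'
INET_RE = re.compile(r"^\s*inet (\S+) brd (\S+) scope .*?(\S+)$", re.M)
# '<Mon> <day> <hh:mm:ss> <chain>:<action>:<KEY=VAL ...>' as shown in the post
LOG_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<chain>\w+):(?P<action>\w+):(?P<kv>.*)$", re.M)


def broadcast_mismatches(text):
    """Return [(iface, configured_brd, expected_brd)] for wrong broadcasts."""
    bad = []
    for cidr, brd, iface in INET_RE.findall(text):
        expected = str(ipaddress.ip_interface(cidr).network.broadcast_address)
        if brd != expected:
            bad.append((iface, brd, expected))
    return bad


def summarize_log(text):
    """Count log entries keyed by (chain, action, IN, OUT, PROTO, DPT)."""
    counts = Counter()
    for m in LOG_RE.finditer(text):
        # 'OUT=' with no value splits to ('OUT', ''), which is what we want
        kv = dict(p.split("=", 1) for p in m.group("kv").split() if "=" in p)
        key = (m.group("chain"), m.group("action"), kv.get("IN", ""),
               kv.get("OUT", ""), kv.get("PROTO", ""), kv.get("DPT", ""))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for iface, brd, expected in broadcast_mismatches(IP_ADDR_SHOW):
        print(f"{iface}: brd {brd} configured, {expected} expected")
    for key, n in summarize_log(SHOREWALL_LOG).most_common():
        print(n, key)
```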
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html