Hello!
I have the following set-up:
RemoteClient1 (Win Vista) and RemoteClient2 (Win XP) both connect to
my OpenVPN box. They can talk to each other using their 172.16.1.x
tun0 addresses on the server.
The server itself (Ubuntu gutsy, OpenVPN 2.0.9-8, shorewall 3.4.4-1)
has one NIC that connects the machine to
a) a DSL router (which forwards several ports to this Linux machine,
including the OpenVPN port), and
b) another WinXP client (192.168.1.10) via that DSL router.
The server's eth0 interface is 192.168.1.11; the router has
192.168.1.249.
The server also has a tun0 interface (172.16.1.1) because of its OpenVPN
role.
The server can connect to 192.168.1.10 and 192.168.1.249 on any port.
RemoteClient1 can connect to RemoteClient2 on any port. The
RemoteClients can also request data from 172.16.1.1 and 192.168.1.11.
However, they can connect to neither 192.168.1.249 nor 192.168.1.10 on
any port. Also, they cannot use 172.16.1.1 -> 192.168.1.11 ->
192.168.1.249 as their default gateway if that option is given via OpenVPN.
I tried to follow the instructions on
http://www.shorewall.net/OPENVPN.html as well as on
http://www.shorewall.net/VPNBasics.html.
Still, it doesn't work.
Before using shorewall, I used firehol. There, the following commands
worked; with shorewall they don't (neither with shorewall running nor
with it disabled):
## Settings for openVPN:
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -d 172.16.1.0/24 -i eth0 -j ACCEPT
iptables -A FORWARD -d 172.16.1.0/24 -i lo -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
# for DefaultGW operations of OpenVPN:
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE
[EMAIL PROTECTED]:/root$ sudo /sbin/shorewall version
3.4.4
[EMAIL PROTECTED]:/root$ sudo ip addr show
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:01:80:64:be:5f brd ff:ff:ff:ff:ff:ff
inet 192.168.1.11/24 brd 192.168.1.255 scope global eth0
inet6 fe80::201:80ff:fe64:be5f/64 scope link
valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
link/[65534]
inet 172.16.1.1 peer 172.16.1.2/32 scope global tun0
[EMAIL PROTECTED]:/root$ sudo ip route show
172.16.1.2 dev tun0 proto kernel scope link src 172.16.1.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.11
172.16.1.0/24 via 172.16.1.2 dev tun0
default via 192.168.1.249 dev eth0 metric 100
[EMAIL PROTECTED]:/root$
I included a shorewall dump in the attached file (I tried to zip it,
but the mail was returned by the server, so it's not zipped now;
sorry).
Hope you can help me out; please write if you have any further
questions / requests.
Thanks a lot and have a nice day.
Bye,
Stefan

Shorewall 3.4.4 Dump at server - Di 12. Feb 00:07:18 CET 2008
Counters reset Mo 11. Feb 12:43:40 CET 2008
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
296 33080 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
17891 2330K eth0_in 0 -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 tun0_in 0 -- tun0 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 eth0_fwd 0 -- eth0 * 0.0.0.0/0 0.0.0.0/0
6 288 tun0_fwd 0 -- tun0 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
296 33080 ACCEPT 0 -- * lo 0.0.0.0/0 0.0.0.0/0
19162 2995K eth0_out 0 -- * eth0 0.0.0.0/0 0.0.0.0/0
296 24840 tun0_out 0 -- * tun0 0.0.0.0/0 0.0.0.0/0
0 0 Reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain Drop (2 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
603 130K dropBcast 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11
1 40 dropInvalid 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
0 0 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53
Chain Reject (4 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
296 24840 dropBcast 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11
296 24840 dropInvalid 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
1 60 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53
Chain all2all (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
296 24840 Reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
296 24840 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
296 24840 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
602 130K DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = broadcast
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
1 40 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:!0x17/0x02
Chain dynamic (4 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic 0 -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 smurfs 0 -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 net2all 0 -- * tun0 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
827 144K dynamic 0 -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
827 144K smurfs 0 -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
10 3300 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
17160 2185K tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
17881 2327K net2fw 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth0_out (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
19162 2995K fw2net 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
18960 2962K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:21
202 33711 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logflags (5 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:logflags:DROP:'
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:logreject:REJECT:'
0 0 reject 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2all (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 Drop 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
17064 2186K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 reject icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8
190 9124 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21
12 588 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
12 604 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21
603 130K Drop 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:net2fw:DROP:'
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (12 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = broadcast
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
0 0 DROP 0 -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP 0 -- * * 224.0.0.0/4 0.0.0.0/0
1 60 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
295 24780 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-unreachable
0 0 REJECT 0 -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain road2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:443
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain road2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
6 288 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG 0 -- * * 192.168.1.255 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP 0 -- * * 192.168.1.255 0.0.0.0/0
0 0 LOG 0 -- * * 255.255.255.255 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP 0 -- * * 255.255.255.255 0.0.0.0/0
0 0 LOG 0 -- * * 224.0.0.0/4 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP 0 -- * * 224.0.0.0/4 0.0.0.0/0
Chain tcpflags (2 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp spt:0 flags:0x17/0x02
Chain tun0_fwd (1 references)
pkts bytes target prot opt in out source destination
6 288 dynamic 0 -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
6 288 road2net 0 -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * tun0 0.0.0.0/0 0.0.0.0/0
Chain tun0_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic 0 -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
0 0 road2fw 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain tun0_out (1 references)
pkts bytes target prot opt in out source destination
296 24840 all2all 0 -- * * 0.0.0.0/0 0.0.0.0/0
Log (/var/log/messages)
Feb 11 20:47:42 all2all:REJECT:IN= OUT=tun0 SRC=172.16.1.1 DST=172.16.1.14 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=43629 SEQ=1
Feb 11 20:48:01 all2all:REJECT:IN= OUT=tun0 SRC=172.16.1.1 DST=172.16.1.14 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=45503 DF PROTO=TCP SPT=60964 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
NAT Table
Chain PREROUTING (policy ACCEPT 706 packets, 113K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 126 packets, 19204 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 419 packets, 43908 bytes)
pkts bytes target prot opt in out source destination
Mangle Table
Chain PREROUTING (policy ACCEPT 18193 packets, 2363K bytes)
pkts bytes target prot opt in out source destination
18193 2363K tcpre 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 18187 packets, 2363K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 6 packets, 288 bytes)
pkts bytes target prot opt in out source destination
6 288 tcfor 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 108K packets, 14M bytes)
pkts bytes target prot opt in out source destination
19754 3053K tcout 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 19578 packets, 3057K bytes)
pkts bytes target prot opt in out source destination
19578 3057K tcpost 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
Chain tcout (1 references)
pkts bytes target prot opt in out source destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
Chain tcpre (1 references)
pkts bytes target prot opt in out source destination
Conntrack Table
tcp 6 431992 ESTABLISHED src=78.48.39.9 dst=192.168.1.11 sport=1247
dport=22 packets=583 bytes=38868 src=192.168.1.11 dst=78.48.39.9 sport=22
dport=1247 packets=572 bytes=163296 [ASSURED] mark=0 secmark=0 use=1
udp 17 169 src=192.168.1.11 dst=195.50.140.114 sport=32769 dport=53
packets=4 bytes=270 src=195.50.140.114 dst=192.168.1.11 sport=53 dport=32769
packets=4 bytes=411 [ASSURED] mark=0 secmark=0 use=1
tcp 6 94 TIME_WAIT src=192.168.1.11 dst=140.211.166.43 sport=51796
dport=80 packets=7 bytes=1613 src=140.211.166.43 dst=192.168.1.11 sport=80
dport=51796 packets=5 bytes=983 [ASSURED] mark=0 secmark=0 use=1
tcp 6 431998 ESTABLISHED src=78.48.39.9 dst=192.168.1.11 sport=1388
dport=22 packets=62 bytes=5584 src=192.168.1.11 dst=78.48.39.9 sport=22
dport=1388 packets=58 bytes=7268 [ASSURED] mark=0 secmark=0 use=2
tcp 6 91 TIME_WAIT src=192.168.1.11 dst=141.30.3.82 sport=54045 dport=80
packets=39 bytes=2220 src=141.30.3.82 dst=192.168.1.11 sport=80 dport=54045
packets=47 bytes=65265 [ASSURED] mark=0 secmark=0 use=1
IP Configuration
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:01:80:64:be:5f brd ff:ff:ff:ff:ff:ff
inet 192.168.1.11/24 brd 192.168.1.255 scope global eth0
inet6 fe80::201:80ff:fe64:be5f/64 scope link
valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
link/[65534]
inet 172.16.1.1 peer 172.16.1.2/32 scope global tun0
IP Stats
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
34239 314 0 0 0 0
TX: bytes packets errors dropped carrier collsns
34239 314 0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:01:80:64:be:5f brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
114626605 142409 0 0 0 0
TX: bytes packets errors dropped carrier collsns
15243008 107949 0 0 0 0
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 100
link/[65534]
RX: bytes packets errors dropped overrun mcast
288 6 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
/proc
/proc/version = Linux version 2.6.22-14-generic ([EMAIL PROTECTED]) (gcc
version 4.1.3 20070929 (prerelease) (Ubuntu 4.1.2-16ubuntu2)) #1 SMP Fri Feb 1
04:59:50 UTC 2008
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 1
/proc/sys/net/ipv4/conf/default/log_martians = 0
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 1
/proc/sys/net/ipv4/conf/eth0/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 0
/proc/sys/net/ipv4/conf/tun0/proxy_arp = 0
/proc/sys/net/ipv4/conf/tun0/arp_filter = 0
/proc/sys/net/ipv4/conf/tun0/arp_ignore = 0
/proc/sys/net/ipv4/conf/tun0/rp_filter = 1
/proc/sys/net/ipv4/conf/tun0/log_martians = 0
Routing Rules
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Table default:
Table local:
broadcast 192.168.1.0 dev eth0 proto kernel scope link src 192.168.1.11
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.1.255 dev eth0 proto kernel scope link src 192.168.1.11
local 192.168.1.11 dev eth0 proto kernel scope host src 192.168.1.11
local 172.16.1.1 dev tun0 proto kernel scope host src 172.16.1.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
172.16.1.2 dev tun0 proto kernel scope link src 172.16.1.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.11
172.16.1.0/24 via 172.16.1.2 dev tun0
default via 192.168.1.249 dev eth0 metric 100
ARP
? (192.168.1.249) auf 00:13:49:9F:3F:5C [ether] auf eth0
Modules
iptable_filter 3968 1
iptable_mangle 3840 1
iptable_nat 8708 0
iptable_raw 3328 0
ip_tables 13924 4
iptable_raw,iptable_nat,iptable_mangle,iptable_filter
ipt_addrtype 2816 0
ipt_ah 2944 0
ipt_CLUSTERIP 9988 0
ipt_ecn 3200 0
ipt_ECN 3968 0
ipt_iprange 2816 0
ipt_LOG 7552 12
ipt_MASQUERADE 4608 0
ipt_NETMAP 2944 0
ipt_owner 2944 0
ipt_recent 10392 0
ipt_REDIRECT 2944 0
ipt_REJECT 5760 4
ipt_SAME 3328 0
ipt_tos 2560 0
ipt_TOS 3200 0
ipt_ttl 2816 0
ipt_TTL 3328 0
ipt_ULOG 9988 0
nf_conntrack 65288 29
ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_amanda 6016 1 nf_nat_amanda
nf_conntrack_ftp 11136 1 nf_nat_ftp
nf_conntrack_h323 51804 1 nf_nat_h323
nf_conntrack_ipv4 19724 15 iptable_nat
nf_conntrack_irc 8088 1 nf_nat_irc
nf_conntrack_netbios_ns 3968 0
nf_conntrack_netlink 27648 0
nf_conntrack_pptp 8064 1 nf_nat_pptp
nf_conntrack_proto_gre 6912 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 9736 0
nf_conntrack_sip 10900 1 nf_nat_sip
nf_conntrack_tftp 6676 1 nf_nat_tftp
nf_nat 20140 14
ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_netlink,iptable_nat
nf_nat_amanda 3328 0
nf_nat_ftp 4352 0
nf_nat_h323 8704 0
nf_nat_irc 3712 0
nf_nat_pptp 4736 0
nf_nat_proto_gre 3844 1 nf_nat_pptp
nf_nat_sip 5760 0
nf_nat_snmp_basic 11268 0
nf_nat_tftp 2816 0
xt_CLASSIFY 2816 0
xt_comment 2816 0
xt_connmark 3200 0
xt_CONNMARK 4096 0
xt_conntrack 3840 0
xt_dccp 4484 0
xt_hashlimit 11276 0
xt_helper 3712 0
xt_length 2816 0
xt_limit 3584 0
xt_mac 2816 0
xt_mark 2816 0
xt_MARK 3328 0
xt_multiport 4224 4
xt_NFLOG 3072 0
xt_NFQUEUE 2944 0
xt_physdev 3600 0
xt_pkttype 2816 4
xt_policy 4736 0
xt_state 3456 13
xt_tcpmss 3200 0
xt_tcpudp 4224 28
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Not available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Available
MARK Target: Available
Extended MARK Target: Available
Mangle FORWARD Chain: Available
Comments: Available
Address Type Match: Available
TCPMSS Match: Available
Traffic Control
Device eth0:
qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 15243114 bytes 107950 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
Device tun0:
qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
TC Filters
Device eth0:
Device tun0:
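The Log section of the dump above is the most direct evidence of what Shorewall decided for the VPN traffic. The following script is an added example (not code from the post or from the Shorewall project): it parses those kernel LOG lines and maps the IN/OUT interfaces to the zones the dump's chain names imply (eth0 = net, tun0 = road, an empty IN = the firewall itself); that mapping is an assumption read off the chain names, not taken from the poster's zones file.

```python
import re

# Interface -> zone, read off the chain names in the dump (net2fw, road2net,
# fw2net): eth0 is zone "net", tun0 is zone "road".  An empty IN= means the
# packet was generated by the firewall itself, which Shorewall calls "fw".
IFACE_ZONE = {"eth0": "net", "tun0": "road"}

# Sample input constructed from the post's dump (wrapped lines re-joined):
# the ICMP echo request and the TCP SYN to port 5900, both hitting all2all.
SAMPLE_LOG = """\
Feb 11 20:47:42 all2all:REJECT:IN= OUT=tun0 SRC=172.16.1.1 DST=172.16.1.14 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=43629 SEQ=1
Feb 11 20:48:01 all2all:REJECT:IN= OUT=tun0 SRC=172.16.1.1 DST=172.16.1.14 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=45503 DF PROTO=TCP SPT=60964 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# "<timestamp> <chain>:<disposition>:<key=value ...>", the shape in which the
# dump prints the kernel LOG lines (syslog host and program already stripped).
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
                     r"(?P<chain>[\w-]+):(?P<disp>\w+):(?P<rest>.*)$")


def zone_of(iface):
    """Map a logged interface name to its Shorewall zone."""
    return "fw" if iface == "" else IFACE_ZONE.get(iface, "unknown")


def parse_line(line):
    """Parse one LOG line into a dict; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if sep:
            fields.setdefault(key, val)   # first ID= is the IP id; keep it
        else:
            fields[tok] = True            # bare flags such as DF or SYN
    proto = fields.get("PROTO", "?")
    # ICMP is identified by its type, TCP/UDP by the destination port.
    service = ("type " + fields.get("TYPE", "?") if proto == "ICMP"
               else "dport " + fields.get("DPT", "?"))
    return {"time": m.group("ts"), "chain": m.group("chain"),
            "disposition": m.group("disp"),
            "src": fields.get("SRC"), "dst": fields.get("DST"),
            "pair": zone_of(fields.get("IN", "")) + "2" + zone_of(fields.get("OUT", "")),
            "proto": proto, "service": service}


def analyse(text):
    """Parse every LOG line in the text, skipping lines that are not one."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def explain(rec):
    """Name the policy behind a verdict: Shorewall keeps a zone pair's policy
    in a chain called <src>2<dst>, so a hit in all2all means no chain exists
    for that pair and the packet fell through to the catch-all all->all policy."""
    if rec["chain"] == "all2all":
        return (f"{rec['pair']} has no specific policy chain; "
                f"the all->all {rec['disposition']} policy applied")
    return f"verdict came from chain {rec['chain']}"


if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG):
        print(r["time"], r["pair"], r["proto"], r["service"], "->", explain(r))
```

On the dump's own two entries both verdicts are fw2road hits in all2all: no fw2road chain appears anywhere in the dump, so traffic from the firewall itself to the VPN clients (what the firehol rule `iptables -A OUTPUT -o tun+ -j ACCEPT` allowed) falls to the all->all REJECT policy. Separately, tun0_fwd shows the road2net forwards being accepted (6 packets) while the NAT POSTROUTING chain is empty, so the firehol MASQUERADE rule has no Shorewall counterpart either.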
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users