Hello All,
I'm trying to use Shorewall for my amateur radio over IP station and
home VoIP network.
My IP connection is via an ADSL PPPoE modem on one Ethernet interface and
my local network on another. Initially I am just trying to get a web
server and Asterisk server working. I am running CentOS 5.1 on the
firewall server.
With the attached set up (I followed the guidelines and examples to the
best of my ability), I can reach the web server but the port 5060 SIP
services fail to register through the firewall; I get a SIP registration
timeout. Is it legitimate to use Wireshark on the same machine to look
at the interfaces with Shorewall running? When I do, it doesn't look
like port 5060 traffic on the LAN is making it to the WAN.
All is well if I revert back to my trusty dd-wrt-54-gl. I'd like to get
the Shorewall firewall working so I can pass it on to the Asterisk
community and enjoy its features.
I couldn't bring myself to let my mail client mangle the dump. I hope
the attached file makes it.
Thanks,
Steve Henke
Shorewall 4.0.11 Dump at ronnie - Wed May 28 17:51:31 EDT 2008
Shorewall-shell 4.0.11
Counters reset Wed May 28 17:44:39 EDT 2008
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 252 ppp0_in all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
51 5040 eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
40 2388 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:0x06/0x02 TCPMSS clamp to PMTU
11576 1300K ppp0_fwd all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
11957 1309K eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3 252 ppp0_out all -- * ppp0 0.0.0.0/0 0.0.0.0/0
28 3133 eth0_out all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 fw2fw all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Drop (1 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
0 0 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11
0 0 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
0 0 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53
Chain Reject (4 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113
0 0 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3 code 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11
0 0 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900
0 0 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53
Chain all2all (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:!0x17/0x02
Chain dynamic (4 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
374 26959 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
11957 1309K loc2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
12 1758 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
51 5040 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth0_out (1 references)
pkts bytes target prot opt in out source destination
28 3133 fw2loc all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
27 3080 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
1 53 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
3 252 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
39 3282 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
12 1758 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
11583 1282K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 137,445
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139
374 26959 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:logreject:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
3 252 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
11551 1298K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
state RELATED,ESTABLISHED
2 124 ACCEPT tcp -- * * 0.0.0.0/0
10.25.163.220 tcp dpt:2525
4 240 ACCEPT tcp -- * * 0.0.0.0/0
10.25.163.220 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0
10.25.163.220 udp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
10.25.163.220 tcp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0
10.25.163.220 udp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0
10.25.163.210 udp dpt:4561
19 760 ACCEPT udp -- * * 0.0.0.0/0
10.25.163.210 udp dpt:4569
0 0 ACCEPT udp -- * * 0.0.0.0/0
10.25.163.210 udp dpt:5060
0 0 ACCEPT udp -- * * 0.0.0.0/0
10.25.163.210 udp dpts:10000:20000
0 0 ACCEPT udp -- * * 0.0.0.0/0
10.25.163.221 udp dpts:2074:2093
0 0 ACCEPT tcp -- * * 0.0.0.0/0
10.25.163.221 tcp dpts:15425:15427
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.25.163.7
tcp dpt:1194
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.25.163.7
udp dpt:1194
0 0 ACCEPT tcp -- * * 0.0.0.0/0
10.25.163.211 tcp dpt:5500
0 0 ACCEPT tcp -- * * 0.0.0.0/0
10.25.163.211 tcp dpt:5810
0 0 ACCEPT tcp -- * * 0.0.0.0/0
10.25.163.224 tcp dpt:22
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ppp0_fwd (1 references)
pkts bytes target prot opt in out source destination
25 1124 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
11576 1300K net2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain ppp0_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
state INVALID,NEW
3 252 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ppp0_out (1 references)
pkts bytes target prot opt in out source destination
3 252 fw2net all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (13 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
PKTTYPE = multicast
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 10.25.163.255 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 10.25.163.255 0.0.0.0/0
0 0 LOG all -- * * 255.255.255.255 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 LOG all -- * * 224.0.0.0/4 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
Log (/var/log/messages)
May 28 16:43:32 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=209.160.72.104 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54586
DF PROTO=TCP SPT=40200 DPT=15428 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 16:43:32 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=209.160.72.104 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=21045
DF PROTO=TCP SPT=44770 DPT=10000 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 16:58:32 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=204.13.249.70 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=31799
DF PROTO=TCP SPT=33648 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 16:58:32 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=208.78.68.70 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=17881 DF
PROTO=TCP SPT=58642 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 16:58:32 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=208.78.69.70 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46231 DF
PROTO=TCP SPT=55507 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 16:58:32 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=63.208.196.105 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=26681
DF PROTO=TCP SPT=34170 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 16:58:32 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=204.13.250.51 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29003
DF PROTO=TCP SPT=43208 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 16:58:32 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=206.246.140.250 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22186
DF PROTO=TCP SPT=44617 DPT=15428 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 16:58:32 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=203.194.18.195 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48116
DF PROTO=TCP SPT=48773 DPT=15428 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 16:58:32 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=64.72.133.146 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=44560
DF PROTO=TCP SPT=44353 DPT=15428 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 16:58:32 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=209.160.72.104 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=19450
DF PROTO=TCP SPT=50893 DPT=15428 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 16:58:32 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=209.160.72.104 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=33863
DF PROTO=TCP SPT=40636 DPT=10000 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 17:03:33 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=208.72.156.12 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=8108 DF
PROTO=TCP SPT=41834 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 17:13:52 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=63.208.196.105 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=52673
DF PROTO=TCP SPT=35109 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 17:13:52 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=204.13.250.51 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38395
DF PROTO=TCP SPT=36074 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 17:13:52 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=206.246.140.250 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60084
DF PROTO=TCP SPT=41033 DPT=15428 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 17:13:52 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=203.194.18.195 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60674
DF PROTO=TCP SPT=36400 DPT=15428 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 17:13:52 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=64.72.133.146 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9508 DF
PROTO=TCP SPT=58663 DPT=15428 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 17:13:52 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=209.160.72.104 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59360
DF PROTO=TCP SPT=45587 DPT=15428 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 17:13:52 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
SRC=10.25.163.221 DST=209.160.72.104 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=39674
DF PROTO=TCP SPT=44131 DPT=10000 WINDOW=5840 RES=0x00 SYN URGP=0
NAT Table
Chain PREROUTING (policy ACCEPT 36 packets, 4511 bytes)
pkts bytes target prot opt in out source destination
6 364 net_dnat all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 10 packets, 669 bytes)
pkts bytes target prot opt in out source destination
29 3161 ppp0_masq all -- * ppp0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 4 packets, 305 bytes)
pkts bytes target prot opt in out source destination
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
2 124 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:2525 to:10.25.163.220
4 240 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:80 to:10.25.163.220
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:80 to:10.25.163.220
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:443 to:10.25.163.220
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:443 to:10.25.163.220
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:4561 to:10.25.163.210
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:4569 to:10.25.163.210
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:5060 to:10.25.163.210
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:10000:20000 to:10.25.163.210
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:2074:2093 to:10.25.163.221
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:15425:15427 to:10.25.163.221
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:1194 to:10.25.163.7
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1194 to:10.25.163.7
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:5500 to:10.25.163.211
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:5810 to:10.25.163.211
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:32123 to:10.25.163.224:22
Chain ppp0_masq (1 references)
pkts bytes target prot opt in out source destination
26 2909 MASQUERADE all -- * * 10.25.163.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 169.254.0.0/16 0.0.0.0/0
Mangle Table
Chain PREROUTING (policy ACCEPT 23606 packets, 2615K bytes)
pkts bytes target prot opt in out source destination
23599 2615K tcpre all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 54 packets, 5292 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 23552 packets, 2610K bytes)
pkts bytes target prot opt in out source destination
23545 2609K tcfor all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 4845 packets, 1452K bytes)
pkts bytes target prot opt in out source destination
31 3385 tcout all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 23583 packets, 2613K bytes)
pkts bytes target prot opt in out source destination
23576 2613K tcpost all -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
Chain tcout (1 references)
pkts bytes target prot opt in out source destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
Chain tcpre (1 references)
pkts bytes target prot opt in out source destination
Conntrack Table
tcp 6 67 TIME_WAIT src=10.25.163.210 dst=70.167.14.121 sport=3743 dport=80
packets=5 bytes=570 src=70.167.14.121 dst=68.209.117.205 sport=80 dport=3743
packets=5 bytes=433 [ASSURED] mark=0 secmark=0 use=1
tcp 6 116 TIME_WAIT src=216.235.152.177 dst=68.209.117.205 sport=60466
dport=80 packets=6 bytes=382 src=10.25.163.220 dst=216.235.152.177 sport=80
dport=60466 packets=6 bytes=584 [ASSURED] mark=0 secmark=0 use=1
tcp 6 110 TIME_WAIT src=10.25.163.210 dst=70.167.14.121 sport=3745
dport=80 packets=5 bytes=570 src=70.167.14.121 dst=68.209.117.205 sport=80
dport=3745 packets=5 bytes=433 [ASSURED] mark=0 secmark=0 use=1
udp 17 146 src=69.61.83.156 dst=68.209.117.205 sport=4569 dport=4569
packets=140 bytes=5600 src=10.25.163.210 dst=69.61.83.156 sport=4569 dport=4569
packets=5 bytes=200 [ASSURED] mark=0 secmark=0 use=1
tcp 6 25 TIME_WAIT src=10.25.163.210 dst=70.167.14.121 sport=3741 dport=80
packets=5 bytes=570 src=70.167.14.121 dst=68.209.117.205 sport=80 dport=3741
packets=5 bytes=433 [ASSURED] mark=0 secmark=0 use=1
tcp 6 431838 ESTABLISHED src=10.25.163.7 dst=10.25.163.224 sport=46907
dport=22 packets=248 bytes=19168 src=10.25.163.224 dst=10.25.163.7 sport=22
dport=46907 packets=155 bytes=19492 [ASSURED] mark=0 secmark=0 use=1
udp 17 15 src=10.25.163.224 dst=10.25.163.220 sport=1026 dport=53
packets=2 bytes=125 src=10.25.163.220 dst=10.25.163.224 sport=53 dport=1026
packets=2 bytes=588 [ASSURED] mark=0 secmark=0 use=1
udp 17 3583 src=10.25.163.210 dst=69.90.155.70 sport=5060 dport=5060
packets=4 bytes=2544 src=69.90.155.70 dst=68.209.117.205 sport=5060 dport=5060
packets=8 bytes=2943 [ASSURED] mark=0 secmark=0 use=1
tcp 6 44 TIME_WAIT src=10.25.163.210 dst=70.167.14.121 sport=3742 dport=80
packets=6 bytes=517 src=70.167.14.121 dst=68.209.117.205 sport=80 dport=3742
packets=5 bytes=433 [ASSURED] mark=0 secmark=0 use=1
tcp 6 87 TIME_WAIT src=10.25.163.210 dst=70.167.14.121 sport=3744 dport=80
packets=6 bytes=517 src=70.167.14.121 dst=68.209.117.205 sport=80 dport=3744
packets=5 bytes=433 [ASSURED] mark=0 secmark=0 use=1
udp 17 173 src=10.25.163.7 dst=205.152.37.23 sport=33396 dport=53
packets=28 bytes=2106 src=205.152.37.23 dst=68.209.117.205 sport=53 dport=33396
packets=28 bytes=3442 [ASSURED] mark=0 secmark=0 use=1
tcp 6 3 TIME_WAIT src=10.25.163.210 dst=70.167.14.121 sport=3740 dport=80
packets=5 bytes=465 src=70.167.14.121 dst=68.209.117.205 sport=80 dport=3740
packets=5 bytes=433 [ASSURED] mark=0 secmark=0 use=1
tcp 6 431314 ESTABLISHED src=10.25.163.7 dst=10.25.163.224 sport=55387
dport=22 packets=1071 bytes=76272 src=10.25.163.224 dst=10.25.163.7 sport=22
dport=55387 packets=810 bytes=139036 [ASSURED] mark=0 secmark=0 use=1
udp 17 3585 src=10.25.163.210 dst=216.143.130.36 sport=5060 dport=5060
packets=11 bytes=6763 src=216.143.130.36 dst=68.209.117.205 sport=5060
dport=5060 packets=12 bytes=7108 [ASSURED] mark=0 secmark=0 use=1
udp 17 44 src=10.25.163.7 dst=205.152.144.23 sport=33396 dport=53
packets=4 bytes=305 src=205.152.144.23 dst=68.209.117.205 sport=53 dport=33396
packets=4 bytes=475 [ASSURED] mark=0 secmark=0 use=1
udp 17 179 src=10.25.163.210 dst=67.215.233.178 sport=4569 dport=4569
packets=11427 bytes=1260222 src=67.215.233.178 dst=68.209.117.205 sport=4569
dport=4569 packets=11367 bytes=1254422 [ASSURED] mark=0 secmark=0 use=1
IP Configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:ba:b5:48:5e brd ff:ff:ff:ff:ff:ff
inet 10.25.163.224/24 brd 10.25.163.255 scope global eth0
inet6 fe80::250:baff:feb5:485e/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:02:55:18:ee:9e brd ff:ff:ff:ff:ff:ff
inet6 fe80::202:55ff:fe18:ee9e/64 scope link
valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
7: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast
qlen 3
link/ppp
inet 68.209.117.205 peer 65.14.248.42/32 scope global ppp0
IP Stats
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
12759 119 0 0 0 0
TX: bytes packets errors dropped carrier collsns
12759 119 0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:ba:b5:48:5e brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
2657208 26192 0 0 0 0
TX: bytes packets errors dropped carrier collsns
2962356 16318 0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:02:55:18:ee:9e brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
1636264 12554 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1914009 15789 0 0 0 0
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
7: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast
qlen 3
link/ppp
RX: bytes packets errors dropped overrun mcast
1323068 11907 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1527912 15053 0 0 0 0
Bridges
bridge name bridge id STP enabled interfaces
PFKEY SPD
No SPD entries.
PFKEY SAD
No SAD entries.
/proc
/proc/version = Linux version 2.6.18-53.1.21.el5 ([EMAIL PROTECTED]) (gcc
version 4.1.2 20070626 (Red Hat 4.1.2-14)) #1 SMP Tue May 20 09:34:18 EDT 2008
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/default/log_martians = 0
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/log_martians = 0
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 0
/proc/sys/net/ipv4/conf/ppp0/proxy_arp = 0
/proc/sys/net/ipv4/conf/ppp0/arp_filter = 0
/proc/sys/net/ipv4/conf/ppp0/arp_ignore = 0
/proc/sys/net/ipv4/conf/ppp0/rp_filter = 0
/proc/sys/net/ipv4/conf/ppp0/log_martians = 1
Routing Rules
0: from all lookup 255
32766: from all lookup main
32767: from all lookup default
Table 255:
local 10.25.163.224 dev eth0 proto kernel scope host src 10.25.163.224
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 68.209.117.205 dev ppp0 proto kernel scope host src 68.209.117.205
broadcast 10.25.163.0 dev eth0 proto kernel scope link src 10.25.163.224
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.25.163.255 dev eth0 proto kernel scope link src 10.25.163.224
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table default:
Table main:
65.14.248.42 dev ppp0 proto kernel scope link src 68.209.117.205
10.25.163.0/24 dev eth0 proto kernel scope link src 10.25.163.224
169.254.0.0/16 dev eth0 scope link
default dev ppp0 scope link
ARP
? (10.25.163.220) at 00:02:A5:CB:4C:94 [ether] on eth0
? (10.25.163.210) at 00:02:55:18:C4:25 [ether] on eth0
? (10.25.163.7) at 00:02:A5:CB:4C:94 [ether] on eth0
Modules
ip_conntrack 53025 24
ipt_MASQUERADE,ip_nat_tftp,ip_nat_snmp_basic,ip_nat_sip,ip_nat_pptp,ip_nat_irc,ip_nat_h323,ip_nat_ftp,ip_nat_amanda,ip_conntrack_tftp,ip_conntrack_sip,ip_conntrack_pptp,ip_conntrack_netbios_ns,ip_conntrack_irc,ip_conntrack_h323,ip_conntrack_ftp,ip_conntrack_amanda,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,ip_nat
ip_conntrack_amanda 8901 1 ip_nat_amanda
ip_conntrack_ftp 11697 1 ip_nat_ftp
ip_conntrack_h323 51677 1 ip_nat_h323
ip_conntrack_irc 10801 1 ip_nat_irc
ip_conntrack_netbios_ns 6977 0
ip_conntrack_pptp 15441 1 ip_nat_pptp
ip_conntrack_sip 11313 1 ip_nat_sip
ip_conntrack_tftp 8249 1 ip_nat_tftp
ip_nat 20973 12
ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ip_nat_tftp,ip_nat_sip,ip_nat_pptp,ip_nat_irc,ip_nat_h323,ip_nat_ftp,ip_nat_amanda,iptable_nat
ip_nat_amanda 6465 0
ip_nat_ftp 7361 0
ip_nat_h323 11201 0
ip_nat_irc 6721 0
ip_nat_pptp 9925 0
ip_nat_sip 8129 0
ip_nat_snmp_basic 13253 0
ip_nat_tftp 5953 0
iptable_filter 7105 1
iptable_mangle 6849 1
iptable_nat 11205 1
iptable_raw 6209 0
ip_tables 17029 4
iptable_raw,iptable_nat,iptable_mangle,iptable_filter
ipt_addrtype 5953 0
ipt_ah 5953 0
ipt_CLUSTERIP 12357 0
ipt_dscp 5825 0
ipt_DSCP 6337 0
ipt_ecn 6337 0
ipt_ECN 7105 0
ipt_hashlimit 12745 0
ipt_iprange 5953 0
ipt_LOG 10177 9
ipt_MASQUERADE 7745 2
ipt_NETMAP 6209 0
ipt_owner 6081 0
ipt_recent 12497 0
ipt_REDIRECT 6209 0
ipt_REJECT 9537 4
ipt_SAME 6465 0
ipt_TCPMSS 8129 1
ipt_tos 5825 0
ipt_TOS 6337 0
ipt_ttl 5953 0
ipt_TTL 6337 0
ipt_ULOG 11717 0
xt_CLASSIFY 5953 0
xt_comment 5953 0
xt_connmark 6209 0
xt_CONNMARK 6465 0
xt_conntrack 6593 0
xt_dccp 7365 0
xt_helper 6593 0
xt_length 6081 0
xt_limit 6721 0
xt_mac 6081 0
xt_mark 5953 0
xt_MARK 6465 0
xt_multiport 7233 5
xt_NFQUEUE 6209 0
xt_physdev 6993 0
xt_pkttype 6081 4
xt_policy 7617 0
xt_state 6209 16
xt_tcpmss 6337 0
xt_tcpudp 7105 45
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
Physdev-is-bridged Support: Available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Not available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Not available
MARK Target: Available
Extended MARK Target: Available
Mangle FORWARD Chain: Available
Comments: Available
Address Type Match: Available
TCPMSS Match: Available
Hashlimit Match: Available
NFQUEUE Target: Available
Traffic Control
Device eth0:
qdisc pfifo_fast 0: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 2959468 bytes 16352 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
Device eth1:
qdisc pfifo_fast 0: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 1918699 bytes 15824 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
Device ppp0:
qdisc pfifo_fast 0: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 1531914 bytes 15086 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
TC Filters
Device eth0:
Device eth1:
Device ppp0:
-------------------------------------------------------------------------
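The two parts of the dump that bear on the question are the Shorewall LOG lines and the conntrack table, and both are easier to read once parsed. The script below is an added example, not part of the original post or of Shorewall: it takes a few of the dump's own log and conntrack lines (copied here as constructed sample input, re-joined where the mail client wrapped them), groups the rejects by chain, interface pair, protocol and destination port, flags entries where IN and OUT are the same interface, and lists the conntrack flows on a given port together with whether the reply tuple shows the connection was NATed and has been marked ASSURED (seen in both directions). Run against the full dump, it answers the same question the poster is reaching for with Wireshark: every logged reject is LAN-to-LAN (eth0 to eth0) TCP from 10.25.163.221, none of it is port 5060, and the conntrack table already holds two UDP 5060 flows from 10.25.163.210 that were masqueraded to 68.209.117.205 and have replies. The function names and the sample lists are this example's own.

```python
"""Summarise Shorewall reject log lines and conntrack entries (added example)."""
import re
from collections import Counter

# Constructed sample: lines taken from the dump above, unwrapped.
LOG_LINES = [
    "May 28 16:43:32 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.25.163.221 DST=209.160.72.104 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54586 DF PROTO=TCP SPT=40200 DPT=15428 WINDOW=5840 RES=0x00 SYN URGP=0",
    "May 28 16:43:32 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.25.163.221 DST=209.160.72.104 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=21045 DF PROTO=TCP SPT=44770 DPT=10000 WINDOW=5840 RES=0x00 SYN URGP=0",
    "May 28 16:58:32 localhost Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=10.25.163.221 DST=204.13.249.70 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=31799 DF PROTO=TCP SPT=33648 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
]

# Constructed sample: conntrack entries taken from the dump above, unwrapped.
CONNTRACK_LINES = [
    "udp 17 3583 src=10.25.163.210 dst=69.90.155.70 sport=5060 dport=5060 packets=4 bytes=2544 src=69.90.155.70 dst=68.209.117.205 sport=5060 dport=5060 packets=8 bytes=2943 [ASSURED] mark=0 secmark=0 use=1",
    "udp 17 146 src=69.61.83.156 dst=68.209.117.205 sport=4569 dport=4569 packets=140 bytes=5600 src=10.25.163.210 dst=69.61.83.156 sport=4569 dport=4569 packets=5 bytes=200 [ASSURED] mark=0 secmark=0 use=1",
    "udp 17 3585 src=10.25.163.210 dst=216.143.130.36 sport=5060 dport=5060 packets=11 bytes=6763 src=216.143.130.36 dst=68.209.117.205 sport=5060 dport=5060 packets=12 bytes=7108 [ASSURED] mark=0 secmark=0 use=1",
]

# Shorewall log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# kernel's KEY=VALUE fields; bare flags such as DF and SYN carry no "=".
LOG_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<disp>\w+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

# A conntrack line carries two tuples: the original direction, then the reply.
CT_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_log_line(line):
    """Return a dict of the Shorewall log fields, or None for non-Shorewall lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disp": m.group("disp")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def summarize_rejects(lines):
    """Count log entries by (chain, disposition, IN, OUT, PROTO, DPT)."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        key = (rec["chain"], rec["disp"], rec.get("IN", "-"),
               rec.get("OUT", "-"), rec.get("PROTO", "?"), rec.get("DPT", "?"))
        counts[key] += 1
    return counts


def hairpin_entries(lines):
    """Entries that entered and would leave on the same interface (IN == OUT)."""
    recs = [parse_log_line(l) for l in lines]
    return [r for r in recs if r and r.get("IN") and r.get("IN") == r.get("OUT")]


def parse_conntrack_line(line):
    """Split one conntrack entry into protocol, original tuple, reply tuple and flags."""
    tuples = CT_TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None
    orig, reply = tuples
    return {
        "proto": line.split()[0],
        "orig": {"src": orig[0], "dst": orig[1], "sport": int(orig[2]), "dport": int(orig[3])},
        "reply": {"src": reply[0], "dst": reply[1], "sport": int(reply[2]), "dport": int(reply[3])},
        # Replies going to a different address than the original source mean SNAT/masquerade.
        "snat": orig[0] != reply[1],
        # Replies coming from a different address than the original destination mean DNAT.
        "dnat": orig[1] != reply[0],
        # ASSURED is set once traffic has been seen in both directions.
        "assured": "[ASSURED]" in line,
    }


def flows_on_port(lines, port):
    """Conntrack flows whose original tuple uses the given source or destination port."""
    recs = [parse_conntrack_line(l) for l in lines]
    return [r for r in recs if r and port in (r["orig"]["sport"], r["orig"]["dport"])]


if __name__ == "__main__":
    for key, n in sorted(summarize_rejects(LOG_LINES).items()):
        print(f"{n:4d}  {' '.join(key)}")
    print(f"{len(hairpin_entries(LOG_LINES))} entries with IN == OUT")
    for f in flows_on_port(CONNTRACK_LINES, 5060):
        print(f"{f['proto']} {f['orig']['src']} -> {f['orig']['dst']}:{f['orig']['dport']} "
              f"snat={f['snat']} dnat={f['dnat']} assured={f['assured']}")
```

Feed it the whole dump with `grep '^May' /var/log/messages` style input (joining wrapped lines first) and the complete conntrack section; the port argument to `flows_on_port` can be changed to 4569 to see the IAX flows the same way.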
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users