On 13.04.2011 16:25, Tom Eastep wrote:
> On 04/13/2011 03:45 AM, Jörg Kleuver wrote:
>> FW$> cat providers
>> ISP1 1 1 - ppp0 - track
>> ISP1 1 1 - ppp0 - track
>
> I don't believe that. The compiler would certainly generate an error with that configuration. Please:
>
> a) shorewall show -f capabilities> /etc/shorewall/caps
> b) tar -zcf shorewall.tgz /etc/shorewall
> c) Send me the shorewall.tgz tarball along with the output of 'shorewall dump' with the firewall started.
>
> -Tom

Hi Tom,

attached are the tarball and the output from 'shorewall dump'.

Regards
Jörg Kleuver

--
CISS TDI GmbH
Jörg Kleuver
Barbarossastraße 36
53489 Sinzig, Germany
Tel. +49 2642 97 80 28
Fax. +49 2642 97 80 10
Registered office: Sinzig
AG Koblenz, HR number 13357
Managing directors: Dipl.-Math. Joachim Figura, Dipl.-Inform. Berthold Bärk
Shorewall 4.4.11.6 Dump at fw-01 - Wed Apr 13 16:55:32 CEST 2011
Counters reset Wed Apr 13 16:55:10 CEST 2011
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW
0 0 ppp0_in all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 eth3_in all -- eth3 * 0.0.0.0/0 0.0.0.0/0
0 0 trust2fw all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW
0 0 ppp0_fwd all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 eth3_fwd all -- eth3 * 0.0.0.0/0 0.0.0.0/0
0 0 trust2net all -- eth0 ppp0 0.0.0.0/0 0.0.0.0/0
0 0 trust2net all -- eth0 eth3 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 fw2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
0 0 fw2net all -- * eth3 0.0.0.0/0 0.0.0.0/0
0 0 fw2trust all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain Drop (2 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113 /* Auth */
0 0 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11 /* Needed ICMP types */
0 0 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535 /* SMB */
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900 /* UPnP */
0 0 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 /* Late DNS Replies */
Chain Reject (7 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113 /* Auth */
0 0 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11 /* Needed ICMP types */
0 0 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535 /* SMB */
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900 /* UPnP */
0 0 dropNotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 /* Late DNS Replies */
Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:!0x17/0x02
Chain dynamic (2 references)
pkts bytes target prot opt in out source destination
Chain eth3_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 net2trust all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain eth3_in (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:fw2net:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain fw2trust (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:fw2trust:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logflags (5 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 4 level 6 prefix `Shorewall:logflags:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:net2fw:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2trust (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:net2trust:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ppp0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 net2trust all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain ppp0_in (1 references)
pkts bytes target prot opt in out source destination
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 net2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (14 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Chain tcpflags (4 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp spt:0 flags:0x17/0x02
Chain trust2fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:trust2fw:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain trust2net (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:trust2net:REJECT:'
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Log (/var/log/messages)
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:32:23 fw2net:REJECT:IN= OUT=ppp0 SRC=10.67.15.1 DST=10.0.0.1 LEN=84
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=13355 SEQ=1
Apr 12 14:48:03 net2fw:DROP:IN=eth3 OUT= SRC=10.0.1.1 DST=10.0.1.10 LEN=48
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=47312 SEQ=0
Apr 12 17:14:22 net2fw:DROP:IN=eth3 OUT= SRC=10.0.1.1 DST=10.0.1.10 LEN=48
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=47312 SEQ=0
MARK=0x2
NAT Table
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Mangle Table
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0
connmark match !0x0/0xff CONNMARK restore mask 0xff
0 0 routemark all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
mark match 0x0/0xff
0 0 routemark all -- eth3 * 0.0.0.0/0 0.0.0.0/0
mark match 0x0/0xff
0 0 tcpre all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 tcpre all -- eth3 * 0.0.0.0/0 0.0.0.0/0
0 0 tcpre all -- * * 0.0.0.0/0 0.0.0.0/0
mark match 0x0/0xff
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0
MARK and 0xffffff00
0 0 tcfor all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0
connmark match !0x0/0xff CONNMARK restore mask 0xff
0 0 tcout all -- * * 0.0.0.0/0 0.0.0.0/0
mark match 0x0/0xff
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 tcpost all -- * * 0.0.0.0/0 0.0.0.0/0
Chain routemark (2 references)
pkts bytes target prot opt in out source destination
0 0 MARK all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
MARK set 0x1
0 0 MARK all -- eth3 * 0.0.0.0/0 0.0.0.0/0
MARK set 0x2
0 0 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0
mark match !0x0/0xff CONNMARK save mask 0xff
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
Chain tcout (1 references)
pkts bytes target prot opt in out source destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
Chain tcpre (3 references)
pkts bytes target prot opt in out source destination
Raw Table
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Conntrack Table (1 out of 7796)
udp 17 45 src=10.0.1.10 dst=10.0.1.1 sport=68 dport=67 packets=2 bytes=656
src=10.0.1.1 dst=10.0.1.10 sport=67 dport=68 packets=3 bytes=984 [ASSURED]
mark=0 secmark=0 use=2
IP Configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
inet 10.100.200.1/32 scope global lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
qlen 1000
inet 10.100.100.1/30 scope global eth0:1
inet 10.100.100.10/30 scope global eth0:2
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
qlen 1000
inet 10.0.1.10/32 brd 10.0.1.10 scope global eth3
20: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast
state UNKNOWN qlen 3
inet 10.67.15.1 peer 10.0.0.1/32 scope global ppp0
IP Stats
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
328 2 0 0 0 0
TX: bytes packets errors dropped carrier collsns
328 2 0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
qlen 1000
link/ether 00:50:56:bd:00:06 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
465466 5661 0 0 0 0
TX: bytes packets errors dropped carrier collsns
225866 2709 0 0 0 0
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether 00:50:56:bd:00:0c brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
26828 424 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1104 14 0 0 0 0
4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:50:56:bd:00:0d brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
135684 2261 0 0 0 0
TX: bytes packets errors dropped carrier collsns
71016 2215 0 0 0 0
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
qlen 1000
link/ether 00:50:56:bd:00:0e brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
72982 506 0 0 0 0
TX: bytes packets errors dropped carrier collsns
67816 318 0 0 0 0
6: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noqueue state DOWN
link/ether 9e:17:6d:d8:41:25 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
140 2 0 0 0 0
20: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast
state UNKNOWN qlen 3
link/ppp
RX: bytes packets errors dropped overrun mcast
75 7 0 0 0 0
TX: bytes packets errors dropped carrier collsns
81 7 0 0 0 0
/proc
/proc/version = Linux version 2.6.32-5-686 (Debian 2.6.32-31)
([email protected]) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Tue Mar 8
21:36:00 UTC 2011
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 1
/proc/sys/net/ipv4/conf/default/log_martians = 1
/proc/sys/net/ipv4/conf/dummy0/proxy_arp = 0
/proc/sys/net/ipv4/conf/dummy0/arp_filter = 0
/proc/sys/net/ipv4/conf/dummy0/arp_ignore = 0
/proc/sys/net/ipv4/conf/dummy0/rp_filter = 1
/proc/sys/net/ipv4/conf/dummy0/log_martians = 1
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 1
/proc/sys/net/ipv4/conf/eth0/log_martians = 1
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 1
/proc/sys/net/ipv4/conf/eth1/log_martians = 1
/proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth2/arp_filter = 0
/proc/sys/net/ipv4/conf/eth2/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth2/rp_filter = 1
/proc/sys/net/ipv4/conf/eth2/log_martians = 1
/proc/sys/net/ipv4/conf/eth3/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth3/arp_filter = 0
/proc/sys/net/ipv4/conf/eth3/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth3/rp_filter = 1
/proc/sys/net/ipv4/conf/eth3/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 1
/proc/sys/net/ipv4/conf/lo/log_martians = 1
/proc/sys/net/ipv4/conf/ppp0/proxy_arp = 0
/proc/sys/net/ipv4/conf/ppp0/arp_filter = 0
/proc/sys/net/ipv4/conf/ppp0/arp_ignore = 0
/proc/sys/net/ipv4/conf/ppp0/rp_filter = 1
/proc/sys/net/ipv4/conf/ppp0/log_martians = 1
Routing Rules
0: from all lookup local
10000: from all fwmark 0x1/0xff lookup ISP1
10001: from all fwmark 0x2/0xff lookup ISP2
20000: from 10.67.15.1 lookup ISP1
20256: from 10.0.1.10 lookup ISP2
32766: from all lookup main
32767: from all lookup default
Table ISP1:
default dev ppp0 scope link
Table ISP2:
default dev eth3 scope link
Table default:
Table local:
broadcast 10.100.100.3 dev eth0 proto kernel scope link src 10.100.100.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.100.100.0 dev eth0 proto kernel scope link src 10.100.100.1
local 10.100.100.1 dev eth0 proto kernel scope host src 10.100.100.1
local 10.0.1.10 dev eth3 proto kernel scope host src 10.0.1.10
broadcast 10.0.1.10 dev eth3 proto kernel scope link src 10.0.1.10
local 10.100.100.10 dev eth0 proto kernel scope host src 10.100.100.10
broadcast 10.100.100.11 dev eth0 proto kernel scope link src 10.100.100.10
local 10.100.200.1 dev lo proto kernel scope host src 10.100.200.1
broadcast 10.100.100.8 dev eth0 proto kernel scope link src 10.100.100.10
local 10.67.15.1 dev ppp0 proto kernel scope host src 10.67.15.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
10.0.0.1 dev ppp0 proto kernel scope link src 10.67.15.1
10.0.1.1 dev eth3 scope link
10.100.100.0/30 dev eth0 proto kernel scope link src 10.100.100.1
10.100.100.8/30 dev eth0 proto kernel scope link src 10.100.100.10
10.168.0.0/16 metric 100
nexthop via 10.100.100.2 dev eth0 weight 1
nexthop via 10.100.100.9 dev eth0 weight 1
default
nexthop via 10.100.100.2 dev eth0 weight 1
nexthop via 10.100.100.9 dev eth0 weight 1
default dev ppp0 scope link
ARP
Modules
ip_tables 7690 4
iptable_raw,iptable_nat,iptable_mangle,iptable_filter
ipt_CLUSTERIP 3982 0
ipt_ECN 1276 0
ipt_LOG 3570 10
ipt_MASQUERADE 1134 0
ipt_NETMAP 825 0
ipt_REDIRECT 803 0
ipt_REJECT 1517 4
ipt_ULOG 4645 1
ipt_addrtype 1345 2
ipt_ah 749 0
ipt_ecn 928 0
iptable_filter 1790 1
iptable_mangle 2325 1
iptable_nat 3551 0
iptable_raw 1471 0
nf_conntrack 38075 31
xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_amanda 1637 1 nf_nat_amanda
nf_conntrack_ftp 4272 1 nf_nat_ftp
nf_conntrack_h323 30924 1 nf_nat_h323
nf_conntrack_ipv4 7597 20 iptable_nat,nf_nat
nf_conntrack_irc 2535 1 nf_nat_irc
nf_conntrack_netbios_ns 914 0
nf_conntrack_netlink 11064 0
nf_conntrack_pptp 3077 1 nf_nat_pptp
nf_conntrack_proto_gre 2835 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 4754 0
nf_conntrack_sane 2672 0
nf_conntrack_sip 10718 1 nf_nat_sip
nf_conntrack_tftp 2321 1 nf_nat_tftp
nf_defrag_ipv4 779 2 xt_TPROXY,nf_conntrack_ipv4
nf_nat 10568 12
ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,iptable_nat
nf_nat_amanda 828 0
nf_nat_ftp 1519 0
nf_nat_h323 4395 0
nf_nat_irc 1002 0
nf_nat_pptp 1702 0
nf_nat_proto_gre 869 1 nf_nat_pptp
nf_nat_sip 4440 0
nf_nat_snmp_basic 6381 0
nf_nat_tftp 702 0
nf_tproxy_core 1221 1 xt_TPROXY,[permanent]
xt_CLASSIFY 617 0
xt_CONNMARK 943 3
xt_DSCP 1451 0
xt_MARK 617 3
xt_NFLOG 718 0
xt_NFQUEUE 1565 0
xt_TPROXY 977 0
xt_comment 599 18
xt_connlimit 2323 0
xt_connmark 799 2
xt_conntrack 1955 12
xt_dccp 1507 0
xt_dscp 1123 0
xt_hashlimit 6157 0
xt_helper 879 0
xt_iprange 1049 0
xt_length 796 0
xt_limit 1088 0
xt_mac 675 0
xt_mark 613 5
xt_multiport 1775 4
xt_owner 747 0
xt_physdev 1228 0
xt_pkttype 683 0
xt_policy 1794 0
xt_realm 615 0
xt_recent 4885 0
xt_state 927 0
xt_tcpmss 1017 0
xt_tcpudp 1743 18
xt_time 1391 0
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Extended Connection Tracking Match Support: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
Physdev-is-bridged Support: Available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Not available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Available
MARK Target: Available
Extended MARK Target: Available
Extended MARK Target 2: Available
Mangle FORWARD Chain: Available
Comments: Available
Address Type Match: Available
TCPMSS Match: Available
Hashlimit Match: Available
NFQUEUE Target: Available
Realm Match: Available
Helper Match: Available
Connlimit Match: Available
Time Match: Available
Goto Support: Available
LOGMARK Target: Not available
IPMARK Target: Not available
LOG Target: Available
Persistent SNAT: Available
TPROXY Target: Available
FLOW Classifier: Available
fwmark route mask: Available
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
15296/sshd
udp 0 0 0.0.0.0:68 0.0.0.0:*
15264/dhclient
udp 0 0 10.67.15.1:123 0.0.0.0:*
15239/ntpd
udp 0 0 10.100.100.10:123 0.0.0.0:*
15239/ntpd
udp 0 0 10.100.100.1:123 0.0.0.0:*
15239/ntpd
udp 0 0 10.100.200.1:123 0.0.0.0:*
15239/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:*
15239/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:*
15239/ntpd
udp 0 0 127.0.0.1:161 0.0.0.0:*
1622/snmpd
udp6 0 0 :::123 :::*
15239/ntpd
Traffic Control
Device eth0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 225866 bytes 2709 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
Device eth1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 1104 bytes 14 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
Device eth2:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 71054 bytes 2216 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
Device eth3:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 67816 bytes 318 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
Device ppp0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
TC Filters
Device eth0:
Device eth1:
Device eth2:
Device eth3:
Device ppp0:
