>
> Hello Team,
> I have implemented the two-interface Shorewall on our network. Previously
> it was working properly but suddenly it stopped working. Whenever we try to
> browse any site (blocked/allowed), it says Connection timeout.
> I am attaching the shorewall-dump output and would like to request you to
> please help in this matter.
>
> --
> Best Regards,
> Yogesh Phatak.
> Email ID : [email protected]
> Cell : + 91 98233 00724
> http://picasaweb.google.com/yoogesh
>
> -----------------------------
> Before you start some work, always ask yourself three questions - Why am I
> doing it, What the results might be and Will I be successful. Only when you
> think deeply
> and find satisfactory answers to these questions, go ahead.
> -----------------------------
>
Shorewall 4.4.22.3 Dump at visionIBM.localdomain - Tue Oct 11 18:30:18 IST 2011
Counters reset Tue Oct 11 18:22:58 IST 2011
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0
udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:67
359 39201 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW
49 3101 net2fw all -- eth0 * 0.0.0.0/0 0.0.0.0/0
223 29004 loc2fw all -- eth1 * 0.0.0.0/0 0.0.0.0/0
4 200 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
93 7552 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0
192.168.122.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
0 0 net2loc all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
0 0 loc2net all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
85 6897 fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
8 1597 fw2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
4 200 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
11 3919 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain Broadcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match dst-type BROADCAST
145 13996 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match dst-type MULTICAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- * * 0.0.0.0/0 224.0.0.0/4
Chain Drop (2 references)
pkts bytes target prot opt in out source destination
41 2525 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113 /* Auth */
41 2525 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11 /* Needed ICMP types */
0 0 Invalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535 /* SMB */
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900 /* UPnP */
0 0 NotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 /* Late DNS Replies */
Chain Invalid (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
Chain NotSyn (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:!0x17/0x02
Chain Reject (3 references)
pkts bytes target prot opt in out source destination
104 11471 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:113 /* Auth */
104 11471 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 11 /* Needed ICMP types */
0 0 Invalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535 /* SMB */
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900 /* UPnP */
0 0 NotSyn tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 /* Late DNS Replies */
Chain dynamic (5 references)
pkts bytes target prot opt in out source destination
Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
8 1597 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
78 5340 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53
7 1557 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
223 29004 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:10000 /* Webmin */
223 29004 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all -- * eth1 0.0.0.0/0 0.0.0.0/0
[goto]
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:995
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:587
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:110
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.0.219 tcp dpt:80 /* Web */
0 0 ACCEPT tcp -- * * 0.0.0.0/0
192.168.0.219 tcp dpt:80 /* Web */
0 0 ACCEPT tcp -- * * 0.0.0.0/0
75.101.166.91 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
75.101.166.91 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
75.101.166.91 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0
202.87.40.98 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:3389 /* RDP */
0 0 ACCEPT all -- * * 0.0.0.0/0
59.163.10.66
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:3389
0 0 ACCEPT tcp -- * * 0.0.0.0/0
50.56.91.160 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
50.56.91.160 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 50.56.93.14
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
174.143.191.12 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
202.71.152.175 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
122.181.161.236 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
111.93.128.101 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
124.7.137.26 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
98.129.229.171 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
203.94.209.19 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
203.94.209.18 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 75.98.93.51
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
216.205.110.27 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 74.208.5.17
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 74.208.5.2
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 74.208.5.18
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 74.208.5.5
tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
74.208.3.226 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
216.205.110.27 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
208.115.32.42 tcp dpt:80
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:loc2net:ACCEPT:'
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
41 2525 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW
8 576 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:10000
41 2525 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all -- * eth0 0.0.0.0/0 0.0.0.0/0
[goto]
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (10 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain sfilter (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix `Shorewall:sfilter:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Log (/var/log/messages)
Oct 11 16:29:41 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=27808 DF PROTO=TCP
SPT=37755 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 16:29:47 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=27809 DF PROTO=TCP
SPT=37755 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 16:29:59 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27
DST=203.94.209.19 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=30269 DF PROTO=TCP
SPT=33765 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 16:30:02 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27
DST=203.94.209.19 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=30270 DF PROTO=TCP
SPT=33765 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 16:30:08 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27
DST=203.94.209.19 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=30271 DF PROTO=TCP
SPT=33765 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 16:35:45 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.34
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=37752 DF PROTO=TCP
SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 16:35:48 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.34
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=37753 DF PROTO=TCP
SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 16:35:54 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.34
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=37754 DF PROTO=TCP
SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:00:20 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63979 DF PROTO=TCP
SPT=56832 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:00:23 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63980 DF PROTO=TCP
SPT=56832 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:00:29 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63981 DF PROTO=TCP
SPT=56832 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:06:27 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.34
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=18373 DF PROTO=TCP
SPT=51424 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:06:30 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.34
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=18374 DF PROTO=TCP
SPT=51424 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:06:36 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.34
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=18375 DF PROTO=TCP
SPT=51424 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:31:02 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=35681 DF PROTO=TCP
SPT=45275 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:31:05 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=35682 DF PROTO=TCP
SPT=45275 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:31:11 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=35683 DF PROTO=TCP
SPT=45275 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 18:01:43 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=17296 DF PROTO=TCP
SPT=38441 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 18:01:46 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=17297 DF PROTO=TCP
SPT=38441 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 18:01:52 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27
DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=17298 DF PROTO=TCP
SPT=38441 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
NAT Table
Chain PREROUTING (policy ACCEPT 184 packets, 18290 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 39 packets, 5883 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2 packets, 120 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE tcp -- * * 192.168.122.0/24
!192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.122.0/24
!192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24
!192.168.122.0/24
49 3321 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
49 3321 MASQUERADE all -- * * 192.168.1.0/24 0.0.0.0/0
Mangle Table
Chain PREROUTING (policy ACCEPT 393 packets, 44894 bytes)
pkts bytes target prot opt in out source destination
393 44894 tcpre all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 393 packets, 44894 bytes)
pkts bytes target prot opt in out source destination
393 44894 tcin all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MARK all -- * * 0.0.0.0/0 0.0.0.0/0
MARK and 0xffffff00
0 0 tcfor all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 130 packets, 14050 bytes)
pkts bytes target prot opt in out source destination
130 14050 tcout all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 133 packets, 13245 bytes)
pkts bytes target prot opt in out source destination
133 13245 tcpost all -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
Chain tcin (1 references)
pkts bytes target prot opt in out source destination
Chain tcout (1 references)
pkts bytes target prot opt in out source destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
Chain tcpre (1 references)
pkts bytes target prot opt in out source destination
Raw Table
Chain PREROUTING (policy ACCEPT 393 packets, 44894 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 130 packets, 14050 bytes)
pkts bytes target prot opt in out source destination
Conntrack Table (9 out of 65536)
ipv4 2 udp 17 17 src=192.168.0.2 dst=192.168.0.255 sport=59518
dport=111 packets=1 bytes=164 [UNREPLIED] src=192.168.0.255 dst=192.168.0.2
sport=111 dport=59518 packets=0 bytes=0 mark=0 secmark=0 zone=0 use=2
ipv4 2 udp 17 0 src=192.168.0.188 dst=192.168.0.255 sport=138
dport=138 packets=1 bytes=229 [UNREPLIED] src=192.168.0.255 dst=192.168.0.188
sport=138 dport=138 packets=0 bytes=0 mark=0 secmark=0 zone=0 use=2
ipv4 2 udp 17 5 src=192.168.0.56 dst=192.168.0.255 sport=137 dport=137
packets=3 bytes=234 [UNREPLIED] src=192.168.0.255 dst=192.168.0.56 sport=137
dport=137 packets=0 bytes=0 mark=0 secmark=0 zone=0 use=2
ipv4 2 unknown 2 158 src=192.168.1.2 dst=224.0.0.22 packets=2 bytes=80
[UNREPLIED] src=224.0.0.22 dst=192.168.1.2 packets=0 bytes=0 mark=0 secmark=0
zone=0 use=2
ipv4 2 udp 17 22 src=192.168.0.251 dst=192.168.0.255 sport=137
dport=137 packets=2 bytes=156 [UNREPLIED] src=192.168.0.255 dst=192.168.0.251
sport=137 dport=137 packets=0 bytes=0 mark=0 secmark=0 zone=0 use=2
ipv4 2 unknown 2 160 src=192.168.0.5 dst=224.0.0.22 packets=2 bytes=80
[UNREPLIED] src=224.0.0.22 dst=192.168.0.5 packets=0 bytes=0 mark=0 secmark=0
zone=0 use=2
ipv4 2 udp 17 22 src=192.168.0.250 dst=192.168.0.255 sport=137
dport=137 packets=2 bytes=156 [UNREPLIED] src=192.168.0.255 dst=192.168.0.250
sport=137 dport=137 packets=0 bytes=0 mark=0 secmark=0 zone=0 use=2
ipv4 2 udp 17 19 src=192.168.0.105 dst=192.168.0.255 sport=137
dport=137 packets=24 bytes=1872 [UNREPLIED] src=192.168.0.255 dst=192.168.0.105
sport=137 dport=137 packets=0 bytes=0 mark=0 secmark=0 zone=0 use=2
ipv4 2 udp 17 18 src=192.168.0.59 dst=192.168.0.255 sport=137
dport=137 packets=3 bytes=234 [UNREPLIED] src=192.168.0.255 dst=192.168.0.59
sport=137 dport=137 packets=0 bytes=0 mark=0 secmark=0 zone=0 use=2
IP Configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
qlen 1000
inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
qlen 1000
inet 192.168.0.5/24 brd 192.168.0.255 scope global eth1
5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state
UNKNOWN
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
IP Stats
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
6368 56 0 0 0 0
TX: bytes packets errors dropped carrier collsns
6368 56 0 0 0 0
2: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
link/ether 02:21:5e:67:8a:fd brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
11830 182 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1836 10 0 0 0 0
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
qlen 1000
link/ether 00:21:5e:67:8a:fa brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
13370 91 0 0 0 34
TX: bytes packets errors dropped carrier collsns
16649 157 0 0 0 0
4: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
qlen 1000
link/ether 00:21:5e:67:8a:fb brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
183907 2608 0 0 0 16
TX: bytes packets errors dropped carrier collsns
6643 32 0 0 0 0
5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state
UNKNOWN
link/ether 8a:f6:9e:43:df:b5 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
Bridges
bridge name bridge id STP enabled interfaces
virbr0 8000.000000000000 yes
Per-IP Counters
iptaccount is not installed
/proc
/proc/version = Linux version 2.6.35.13-92.fc14.i686
([email protected]) (gcc version 4.5.1 20100924 (Red Hat
4.5.1-4) (GCC) ) #1 SMP Sat May 21 17:39:42 UTC 2011
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/default/log_martians = 1
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/log_martians = 1
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
/proc/sys/net/ipv4/conf/eth1/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 1
/proc/sys/net/ipv4/conf/usb0/proxy_arp = 0
/proc/sys/net/ipv4/conf/usb0/arp_filter = 0
/proc/sys/net/ipv4/conf/usb0/arp_ignore = 0
/proc/sys/net/ipv4/conf/usb0/rp_filter = 0
/proc/sys/net/ipv4/conf/usb0/log_martians = 1
/proc/sys/net/ipv4/conf/virbr0/proxy_arp = 0
/proc/sys/net/ipv4/conf/virbr0/arp_filter = 0
/proc/sys/net/ipv4/conf/virbr0/arp_ignore = 0
/proc/sys/net/ipv4/conf/virbr0/rp_filter = 0
/proc/sys/net/ipv4/conf/virbr0/log_martians = 1
Routing Rules
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Table default:
Table local:
broadcast 192.168.1.0 dev eth0 proto kernel scope link src 192.168.1.2
broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.5
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.1.2 dev eth0 proto kernel scope host src 192.168.1.2
local 192.168.122.1 dev virbr0 proto kernel scope host src 192.168.122.1
broadcast 192.168.122.0 dev virbr0 proto kernel scope link src 192.168.122.1
broadcast 192.168.1.255 dev eth0 proto kernel scope link src 192.168.1.2
broadcast 192.168.0.0 dev eth1 proto kernel scope link src 192.168.0.5
local 192.168.0.5 dev eth1 proto kernel scope host src 192.168.0.5
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.122.255 dev virbr0 proto kernel scope link src
192.168.122.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
192.168.1.2 dev eth1 proto static scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2 metric 1
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.5 metric 1
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
default via 192.168.1.1 dev eth0 proto static
ARP
? (192.168.1.1) at 00:19:36:0d:13:f8 [ether] on eth0
Modules
iptable_mangle 1235 1
iptable_nat 3945 1
iptable_raw 1054 0
ipt_addrtype 1471 4
ipt_ah 1706 0
ipt_CLUSTERIP 5358 0
ipt_ecn 1045 0
ipt_ECN 1389 0
ipt_LOG 4243 2
ipt_MASQUERADE 1765 4
ipt_NETMAP 1290 0
ipt_REDIRECT 1282 0
ipt_ULOG 7765 0
nf_conntrack_amanda 2020 1 nf_nat_amanda
nf_conntrack_ftp 9047 1 nf_nat_ftp
nf_conntrack_h323 50922 1 nf_nat_h323
nf_conntrack_irc 3901 1 nf_nat_irc
nf_conntrack_netbios_ns 1126 0
nf_conntrack_netlink 13629 0
nf_conntrack_pptp 8896 1 nf_nat_pptp
nf_conntrack_proto_gre 4994 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 8616 0
nf_conntrack_sane 4069 0
nf_conntrack_sip 16222 1 nf_nat_sip
nf_conntrack_tftp 3417 1 nf_nat_tftp
nf_nat 16298 12
ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,iptable_nat
nf_nat_amanda 802 0
nf_nat_ftp 1663 0
nf_nat_h323 6802 0
nf_nat_irc 1320 0
nf_nat_pptp 3507 0
nf_nat_proto_gre 2040 1 nf_nat_pptp
nf_nat_sip 4443 0
nf_nat_snmp_basic 6627 0
nf_nat_tftp 680 0
nf_tproxy_core 1791 1 xt_TPROXY,[permanent]
xt_CLASSIFY 707 0
xt_comment 684 22
xt_connlimit 2556 0
xt_connmark 1480 0
xt_dccp 1557 0
xt_dscp 1278 0
xt_DSCP 1674 0
xt_hashlimit 5512 0
xt_helper 1011 0
xt_iprange 1715 0
xt_length 884 0
xt_limit 1254 0
xt_mac 764 0
xt_mark 879 1
xt_multiport 2048 4
xt_NFLOG 817 0
xt_NFQUEUE 1583 0
xt_owner 846 0
xt_physdev 1398 0
xt_pkttype 768 0
xt_policy 1922 0
xt_realm 710 0
xt_recent 6622 0
xt_tcpmss 1069 0
xt_time 1573 0
xt_TPROXY 1722 0
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Extended Connection Tracking Match Support: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
Physdev-is-bridged Support: Available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Not available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Available
MARK Target: Available
Extended MARK Target: Available
Extended MARK Target 2: Available
Mangle FORWARD Chain: Available
Comments: Available
Address Type Match: Available
TCPMSS Match: Available
Hashlimit Match: Available
NFQUEUE Target: Available
Realm Match: Available
Helper Match: Available
Connlimit Match: Available
Time Match: Available
Goto Support: Available
LOGMARK Target: Not available
IPMARK Target: Not available
LOG Target: Available
Persistent SNAT: Available
TPROXY Target: Available
FLOW Classifier: Available
fwmark route mask: Available
Mark in any table: Available
Header Match: Not available
ACCOUNT Target: Not available
AUDIT Target: Not available
ipset V5: Not available
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address
State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:*
LISTEN 979/rpcbind
tcp 0 0 0.0.0.0:10000 0.0.0.0:*
LISTEN 2078/perl
tcp 0 0 192.168.122.1:53 0.0.0.0:*
LISTEN 2062/dnsmasq
tcp 0 0 192.168.0.5:53 0.0.0.0:*
LISTEN 1089/named
tcp 0 0 192.168.1.2:53 0.0.0.0:*
LISTEN 1089/named
tcp 0 0 127.0.0.1:53 0.0.0.0:*
LISTEN 1089/named
tcp 0 0 0.0.0.0:22 0.0.0.0:*
LISTEN 1891/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:*
LISTEN 1910/sendmail: acce
tcp 0 0 0.0.0.0:52953 0.0.0.0:*
LISTEN 1118/rpc.statd
tcp 0 0 127.0.0.1:953 0.0.0.0:*
LISTEN 1089/named
tcp 0 0 :::35503 :::*
LISTEN 1118/rpc.statd
tcp 0 0 :::111 :::*
LISTEN 979/rpcbind
tcp 0 0 :::80 :::*
LISTEN 1949/httpd
tcp 0 0 :::22 :::*
LISTEN 1891/sshd
tcp 0 0 ::1:953 :::*
LISTEN 1089/named
tcp 0 0 :::443 :::*
LISTEN 1949/httpd
udp 0 0 0.0.0.0:870 0.0.0.0:*
1118/rpc.statd
udp 0 0 192.168.122.1:53 0.0.0.0:*
2062/dnsmasq
udp 0 0 192.168.0.5:53 0.0.0.0:*
1089/named
udp 0 0 192.168.1.2:53 0.0.0.0:*
1089/named
udp 0 0 127.0.0.1:53 0.0.0.0:*
1089/named
udp 0 0 0.0.0.0:67 0.0.0.0:*
2062/dnsmasq
udp 0 0 0.0.0.0:57929 0.0.0.0:*
1118/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:*
979/rpcbind
udp 0 0 0.0.0.0:35515 0.0.0.0:*
1038/avahi-daemon:
udp 0 0 0.0.0.0:728 0.0.0.0:*
979/rpcbind
udp 0 0 0.0.0.0:5353 0.0.0.0:*
1038/avahi-daemon:
udp 0 0 0.0.0.0:783 0.0.0.0:*
901/portreserve
udp 0 0 0.0.0.0:10000 0.0.0.0:*
2078/perl
udp 0 0 :::111 :::*
979/rpcbind
udp 0 0 :::728 :::*
979/rpcbind
udp 0 0 :::37618 :::*
1118/rpc.statd
Traffic Control
Device usb0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 1836 bytes 10 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device eth0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 16649 bytes 157 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device eth1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 6643 bytes 32 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
TC Filters
Device usb0:
Device eth0:
Device eth1:
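The "Log (/var/log/messages)" section of the dump above is the most useful part for triaging a "connection timeout" report: every loc2net:ACCEPT entry is a client SYN that the firewall let through, and the same client 4-tuple (SRC, SPT, DST, DPT) appears two or three times a few seconds apart, which is what a SYN retransmission looks like when no SYN/ACK ever comes back. The script below is an added example for reading that section; it is not part of the original post and not Shorewall's own code. It re-joins the dump's own log lines (the mailer wrapped each across three lines) into one line each, groups the pure-SYN entries per 4-tuple, reports how many times each SYN was logged and the gaps between repeats, and, as a second sanity check, compares the clients' source addresses against the source network of the eth0_masq MASQUERADE rule in the dump's NAT table (192.168.1.0/24). Both inputs are taken verbatim from the dump; the parsing regex assumes the prefix-stripped line format that `shorewall dump` prints in its Log section, and the check itself only states which clients fall outside the masquerade source network, which is something to compare against the masq configuration rather than a diagnosis on its own.

```python
"""Triage helper for the Shorewall LOG lines shown in a `shorewall dump`:
group logged SYNs per client 4-tuple, measure retransmission gaps, and check
whether client source addresses fall inside the MASQUERADE source network."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# The loc2net:ACCEPT lines from the dump above, re-joined one per line.
LOG_TEXT = """\
Oct 11 16:29:41 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=27808 DF PROTO=TCP SPT=37755 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 16:29:47 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=27809 DF PROTO=TCP SPT=37755 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 16:29:59 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27 DST=203.94.209.19 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=30269 DF PROTO=TCP SPT=33765 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 16:30:02 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27 DST=203.94.209.19 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=30270 DF PROTO=TCP SPT=33765 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 16:30:08 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27 DST=203.94.209.19 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=30271 DF PROTO=TCP SPT=33765 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 16:35:45 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.34 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=37752 DF PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 16:35:48 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.34 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=37753 DF PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 16:35:54 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.34 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=37754 DF PROTO=TCP SPT=36841 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:00:20 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63979 DF PROTO=TCP SPT=56832 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:00:23 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63980 DF PROTO=TCP SPT=56832 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:00:29 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63981 DF PROTO=TCP SPT=56832 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:06:27 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.34 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=18373 DF PROTO=TCP SPT=51424 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:06:30 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.34 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=18374 DF PROTO=TCP SPT=51424 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:06:36 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.34 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=18375 DF PROTO=TCP SPT=51424 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:31:02 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=35681 DF PROTO=TCP SPT=45275 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:31:05 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=35682 DF PROTO=TCP SPT=45275 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 17:31:11 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=35683 DF PROTO=TCP SPT=45275 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 18:01:43 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=17296 DF PROTO=TCP SPT=38441 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 18:01:46 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=17297 DF PROTO=TCP SPT=38441 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 18:01:52 loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.27 DST=203.94.209.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=17298 DF PROTO=TCP SPT=38441 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Source network of the eth0_masq MASQUERADE rule in the dump's NAT table,
# and the interface that chain hangs off. Both values come from the dump.
MASQ_SOURCE_NET = ipaddress.ip_network("192.168.1.0/24")
MASQ_OUT_IFACE = "eth0"

# Format of the dump's Log section: "<syslog time> <chain>:<disposition>:<fields>".
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$"
)
_KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log(text):
    """Parse LOG lines into dicts. KEY=VALUE pairs become fields; bare tokens
    such as DF, SYN or ACK are collected in a 'flags' set."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        fields = dict(_KV_RE.findall(rest))
        fields["flags"] = {tok for tok in rest.split() if "=" not in tok}
        # Syslog timestamps carry no year; only differences are used below.
        fields["ts"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        fields["chain"] = m.group("chain")
        fields["disposition"] = m.group("disp")
        entries.append(fields)
    return entries


def syn_flows(entries):
    """Group pure SYNs (SYN set, ACK clear) by client 4-tuple, ordered by time."""
    flows = defaultdict(list)
    for e in entries:
        if e.get("PROTO") != "TCP" or "SYN" not in e["flags"] or "ACK" in e["flags"]:
            continue
        key = (e["SRC"], int(e["SPT"]), e["DST"], int(e["DPT"]))
        flows[key].append(e)
    return {k: sorted(v, key=lambda e: e["ts"]) for k, v in flows.items()}


def retransmission_report(flows):
    """Per flow: how many times its SYN was logged and the gaps in seconds.
    A SYN logged more than once means the client's retransmit timer fired,
    i.e. no SYN/ACK reached it in time."""
    report = {}
    for key, entries in flows.items():
        stamps = [e["ts"] for e in entries]
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        report[key] = {"syns": len(stamps), "gaps": gaps}
    return report


def unmasqueraded_clients(flows, masq_net=MASQ_SOURCE_NET, out_iface=MASQ_OUT_IFACE):
    """Client addresses whose SYNs left via the masquerading interface but do not
    fall inside the MASQUERADE source network, so their source would not be rewritten."""
    clients = set()
    for entries in flows.values():
        for e in entries:
            if e.get("OUT") == out_iface and ipaddress.ip_address(e["SRC"]) not in masq_net:
                clients.add(e["SRC"])
    return sorted(clients)


def summarize(text=LOG_TEXT):
    """One-shot summary used by the tests and by the command-line run below."""
    flows = syn_flows(parse_log(text))
    report = retransmission_report(flows)
    return {
        "flows": len(flows),
        "retried_flows": sum(1 for r in report.values() if r["syns"] > 1),
        "unmasqueraded": unmasqueraded_clients(flows),
        "report": report,
    }


if __name__ == "__main__":
    s = summarize()
    for (src, spt, dst, dpt), r in s["report"].items():
        print(f"{src}:{spt} -> {dst}:{dpt}  SYNs logged={r['syns']} gaps={r['gaps']}s")
    print(f"{s['retried_flows']} of {s['flows']} flows had their SYN retransmitted")
    print(f"clients outside {MASQ_SOURCE_NET} leaving via {MASQ_OUT_IFACE}: {s['unmasqueraded']}")
```

Run against the dump's lines, every one of the seven flows shows its SYN logged two or three times at 3 s and 6 s spacing, and both client addresses (192.168.0.27 and 192.168.0.34) lie outside 192.168.1.0/24; the script only surfaces those two observations, the first telling you where in the path to look (the SYN got out of the firewall, the answer did not come back) and the second giving a concrete line in the masq configuration to compare against the eth1 subnet shown in the IP Configuration section.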
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users