Sorry... should have read the guideline more closely.
Attached the output of "shorewall dump".
Regards,
Thomas
On 18.03.2016 at 06:36, Tom Eastep wrote:
> On 03/17/2016 02:55 AM, c.mo...@web.de wrote:
>> Hi,
>> I fixed the issue after applying your recommendation.
>> Basically the configuration is now aligned with this guide "Shorewall
>> and Multiple Internet Connections - A Complete Working Example"
>> (http://shorewall.net/MultiISP.html).
>> However I'm now facing an issue that I cannot access internet (=
>> interface 'net') from any client in subnetA 10.0.0.0/24.
>> Any client in subnetB 192.168.178.0/24 has full access to internet.
>> I'm not sure if this is related to routing or rules, but I defined
>> identical rules for subnetA and subnetB.
>> Question:
>> What do you need to continue supporting me?
> The output of 'shorewall dump' collected as described at
> http://www.shorewall.net/support.htm#Guidelines
> -Tom
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Shorewall 5.0.4 Dump at pc4-svp - Sa 19. Mär 09:05:25 CET 2016
Shorewall is running
State:Started (Mi 16. Mär 20:30:45 CET 2016) from /etc/shorewall/
(/var/lib/shorewall/firewall compiled by Shorewall version 5.0.4)
Counters reset Mi 16. Mär 20:30:45 CET 2016
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
207K 46M vmbr2_in all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
334K 123M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
217K 26M vmbr0_in all -- vmbr0 * 0.0.0.0/0 0.0.0.0/0
0 0 vpn-fw all -- tun+ * 0.0.0.0/0 0.0.0.0/0
3329 253K dmz-fw all -- vmbr1 * 0.0.0.0/0 0.0.0.0/0
122K 47M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:INPUT:REJECT:"
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 vmbr2_fwd all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
114 4980 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
2772 144K vmbr0_fwd all -- vmbr0 * 0.0.0.0/0 0.0.0.0/0
0 0 vpn_frwd all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 dmz_frwd all -- vmbr1 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:"
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
177K 85M ACCEPT all -- * vmbr2 0.0.0.0/0 0.0.0.0/0
4063 281K ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
187K 13M vmbr0_out all -- * vmbr0 0.0.0.0/0 0.0.0.0/0
126K 48M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Broadcast (2 references)
pkts bytes target prot opt in out source destination
18944 2203K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match dst-type BROADCAST
1745 62820 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match dst-type MULTICAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match dst-type ANYCAST
Chain Drop (1 references)
pkts bytes target prot opt in out source destination
1625 302K all -- * * 0.0.0.0/0 0.0.0.0/0
1625 302K Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 3 code 4 /* Needed ICMP types */
2 192 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 11 /* Needed ICMP types */
21 1927 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535 /* SMB */
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900 /* UPnP */
5 204 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:!0x17/0x02
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 /* Late DNS Replies */
Chain Reject (9 references)
pkts bytes target prot opt in out source destination
22922 2235K all -- * * 0.0.0.0/0 0.0.0.0/0
22922 2235K Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 11 /* Needed ICMP types */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535 /* SMB */
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900 /* UPnP */
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:!0x17/0x02
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 /* Late DNS Replies */
Chain all-all (7 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
16850 1840K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
17 1020 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:all-all:REJECT:"
17 1020 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain dmz-all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain dmz-fw (1 references)
pkts bytes target prot opt in out source destination
3329 253K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 4505,4506
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
3329 253K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain dmz-net (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0
130.89.148.12 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
195.20.242.89 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
87.230.23.19 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
198.199.77.106 tcp dpt:80
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain dmz_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 dmz-all all -- * vmbr2 0.0.0.0/0
192.168.178.0/24
0 0 dmz-net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 dmz-net all -- * vmbr2 0.0.0.0/0 0.0.0.0/0
0 0 dmz-all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * vmbr1 0.0.0.0/0 0.0.0.0/0
Chain dynamic (10 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all -- * eth0 0.0.0.0/0 0.0.0.0/0
[goto]
114 4980 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
114 4980 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
114 4980 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
114 4980 net_frwd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
327K 117M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
327K 117M smurfs all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
326K 117M ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
4082 5954K tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
7867 6519K net-fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fb-net (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 80,443 /* HTTP, HTTPS */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 192.168.178.121 0.0.0.0/0
tcp dpt:5938
0 0 ACCEPT tcp -- * * 192.168.178.48 0.0.0.0/0
tcp dpt:5938
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain fb_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 fb-net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 fb-net all -- * vmbr2 0.0.0.0/0 0.0.0.0/0
0 0 all-all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 ~comb0 all -- * vmbr1 0.0.0.0/0 0.0.0.0/0
Chain loc-net (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
20 1200 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 80,443,143 /* HTTP, HTTPS, IMAP */
9 756 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
2743 142K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
2743 142K reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain loc_frwd (1 references)
pkts bytes target prot opt in out source destination
2771 144K loc-net all -- * eth0 0.0.0.0/0 0.0.0.0/0
1 60 loc-net all -- * vmbr2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * vmbr0 0.0.0.0/0 10.0.0.0/24
0 0 all-all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 ~comb0 all -- * vmbr1 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logflags (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net-all (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
1625 302K Drop all -- * * 0.0.0.0/0 0.0.0.0/0
1070 126K LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:net-all:DROP:"
1070 126K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net-dmz (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
9 448 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 143,25,80,443,587,993
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.1.0.4
tcp dpt:25 limit: avg 5/sec burst 10
0 0 net-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain net-fw (2 references)
pkts bytes target prot opt in out source destination
13039 13M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
188 8284 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
65 3000 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
40 1602 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 8 /* Ping */
1625 302K net-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain net-loc (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
105 4532 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.0.0.2
multiport dports 80,443 limit: avg 5/sec burst 10
0 0 net-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain net_frwd (2 references)
pkts bytes target prot opt in out source destination
0 0 ~comb2 all -- * vmbr2 0.0.0.0/0
192.168.178.0/24
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * vmbr2 0.0.0.0/0 0.0.0.0/0
105 4532 net-loc all -- * vmbr0 0.0.0.0/0 10.0.0.0/24
0 0 net-loc all -- * vmbr0 0.0.0.0/0 224.0.0.0/4
0 0 ~comb2 all -- * tun+ 0.0.0.0/0 0.0.0.0/0
9 448 net-dmz all -- * vmbr1 0.0.0.0/0 0.0.0.0/0
Chain reject (18 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
83 4080 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
2742 142K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain sfilter (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:sfilter:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain sha-lh-e52c5ec6c1ad735c7d95 (0 references)
pkts bytes target prot opt in out source destination
Chain sha-rh-1d5ee9ee6a46761766f5 (0 references)
pkts bytes target prot opt in out source destination
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255
Chain smurflog (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:smurfs:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain smurfs (6 references)
pkts bytes target prot opt in out source destination
527 174K RETURN all -- * * 0.0.0.0 0.0.0.0/0
0 0 smurflog all -- * * 0.0.0.0/0 0.0.0.0/0
[goto] ADDRTYPE match src-type BROADCAST
0 0 smurflog all -- * * 224.0.0.0/4 0.0.0.0/0
[goto]
Chain tcpflags (12 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x05/0x05
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x19/0x09
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp spt:0 flags:0x17/0x02
Chain vmbr0_fwd (1 references)
pkts bytes target prot opt in out source destination
2772 144K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
21 1260 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
2772 144K loc_frwd all -- * * 10.0.0.0/24 0.0.0.0/0
Chain vmbr0_in (1 references)
pkts bytes target prot opt in out source destination
25124 1561K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
214K 25M tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0 0.0.0.0/0
udp dpts:67:68
217K 26M ~comb1 all -- * * 10.0.0.0/24 0.0.0.0/0
Chain vmbr0_out (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
187K 13M ACCEPT all -- * * 0.0.0.0/0 10.0.0.0/24
0 0 ACCEPT all -- * * 0.0.0.0/0
255.255.255.255
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.0/4
Chain vmbr2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 smurfs all -- * * 192.168.178.0/24 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 192.168.178.0/24 0.0.0.0/0
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fb_frwd all -- * * 192.168.178.0/24 0.0.0.0/0
0 0 net_frwd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vmbr2_in (1 references)
pkts bytes target prot opt in out source destination
38594 3234K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
38065 3060K smurfs all -- * * 192.168.178.0/24 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
38594 3234K smurfs all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
186K 38M tcpflags tcp -- * * 192.168.178.0/24 0.0.0.0/0
190K 44M tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
200K 39M ~comb1 all -- * * 192.168.178.0/24 0.0.0.0/0
7090 7180K net-fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain vpn-dmz (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 143,25,80,443,587,993
0 0 all-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain vpn-fw (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 all-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain vpn_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all -- * tun+ 0.0.0.0/0 0.0.0.0/0
[goto]
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all-all all -- * vmbr0 0.0.0.0/0 10.0.0.0/24
0 0 all-all all -- * vmbr0 0.0.0.0/0 224.0.0.0/4
0 0 vpn-dmz all -- * vmbr1 0.0.0.0/0 0.0.0.0/0
Chain ~comb0 (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 143,25,80,443,587,993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:2200:2299
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain ~comb1 (2 references)
pkts bytes target prot opt in out source destination
354K 60M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53 /* DNS */
3 180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 53,2214 /* DNS and others */
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
2775 167K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:8006
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 443,5900:5999
1 84 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 8 /* Ping */
43560 2614K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 4505,4506
16850 1840K all-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain ~comb2 (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
0 0 net-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Log (/var/log/messages)
Mar 19 05:41:50 net-all:DROP:IN=eth0 OUT= SRC=188.0.172.202 DST=217.8.50.86
LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=8965 DF PROTO=TCP SPT=53433 DPT=23
WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x10000
Mar 19 05:42:08 net-all:DROP:IN=eth0 OUT= SRC=61.183.15.180 DST=217.8.50.86
LEN=40 TOS=0x00 PREC=0x00 TTL=103 ID=256 PROTO=TCP SPT=6000 DPT=3389
WINDOW=16384 RES=0x00 SYN URGP=0 MARK=0x10000
Mar 19 05:51:38 net-all:DROP:IN=eth0 OUT= SRC=216.218.206.111 DST=217.8.50.86
LEN=68 TOS=0x00 PREC=0x00 TTL=52 ID=7880 DF PROTO=UDP SPT=45755 DPT=111 LEN=48
MARK=0x10000
Mar 19 05:55:57 net-all:DROP:IN=eth0 OUT= SRC=41.38.113.43 DST=217.8.50.86
LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=61530 DF PROTO=TCP SPT=46581 DPT=23
WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x10000
Mar 19 05:58:41 net-all:DROP:IN=eth0 OUT= SRC=179.39.5.55 DST=217.8.50.86
LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=3820 DF PROTO=TCP SPT=49760 DPT=23
WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x10000
Mar 19 06:00:42 net-all:DROP:IN=eth0 OUT= SRC=122.3.47.144 DST=217.8.50.86
LEN=56 TOS=0x00 PREC=0x00 TTL=51 ID=8980 DF PROTO=TCP SPT=37409 DPT=23
WINDOW=5808 RES=0x00 SYN URGP=0 MARK=0x10000
Mar 19 06:00:45 net-all:DROP:IN=eth0 OUT= SRC=122.3.47.144 DST=217.8.50.86
LEN=56 TOS=0x00 PREC=0x00 TTL=51 ID=8981 DF PROTO=TCP SPT=37409 DPT=23
WINDOW=5808 RES=0x00 SYN URGP=0 MARK=0x10000
Mar 19 06:02:48 net-all:DROP:IN=eth0 OUT= SRC=124.103.160.173 DST=217.8.50.86
LEN=48 TOS=0x00 PREC=0x00 TTL=45 ID=11880 PROTO=UDP SPT=24933 DPT=24016 LEN=28
MARK=0x10000
Mar 19 06:03:11 net-all:DROP:IN=eth0 OUT= SRC=192.187.96.242 DST=217.8.50.86
LEN=437 TOS=0x00 PREC=0x00 TTL=49 ID=33436 DF PROTO=UDP SPT=5076 DPT=5060
LEN=417 MARK=0x10000
Mar 19 06:11:43 net-all:DROP:IN=eth0 OUT= SRC=121.183.238.228 DST=217.8.50.86
LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=23366 PROTO=UDP SPT=57096 DPT=24016 LEN=28
MARK=0x10000
Mar 19 06:21:49 net-all:DROP:IN=eth0 OUT= SRC=211.224.194.171 DST=217.8.50.86
LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=44888 DF PROTO=TCP SPT=1864 DPT=23
WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x10000
Mar 19 06:55:05 net-all:DROP:IN=eth0 OUT= SRC=185.94.111.1 DST=217.8.50.86
LEN=68 TOS=0x00 PREC=0x00 TTL=239 ID=54321 PROTO=UDP SPT=34855 DPT=111 LEN=48
MARK=0x10000
Mar 19 07:03:40 net-all:DROP:IN=eth0 OUT= SRC=186.226.48.23 DST=217.8.50.86
LEN=52 TOS=0x00 PREC=0x00 TTL=40 ID=35813 DF PROTO=TCP SPT=34108 DPT=23
WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x10000
Mar 19 07:03:43 net-all:DROP:IN=eth0 OUT= SRC=186.226.48.23 DST=217.8.50.86
LEN=52 TOS=0x00 PREC=0x00 TTL=40 ID=35814 DF PROTO=TCP SPT=34108 DPT=23
WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x10000
Mar 19 07:32:44 net-all:DROP:IN=eth0 OUT= SRC=64.125.239.201 DST=217.8.50.86
LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=54321 PROTO=TCP SPT=45793 DPT=91
WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x10000
Mar 19 07:49:45 net-all:DROP:IN=eth0 OUT= SRC=71.6.165.200 DST=217.8.50.86
LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=48237 PROTO=TCP SPT=31632 DPT=10000
WINDOW=1815 RES=0x00 SYN URGP=0 MARK=0x10000
Mar 19 08:08:29 net-all:DROP:IN=eth0 OUT= SRC=46.246.29.224 DST=217.8.50.86
LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=44876 DF PROTO=TCP SPT=2251 DPT=23
WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x10000
Mar 19 08:44:58 net-all:DROP:IN=eth0 OUT= SRC=115.231.222.14 DST=217.8.50.86
LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=256 PROTO=TCP SPT=64316 DPT=3128
WINDOW=15500 RES=0x00 SYN URGP=0 MARK=0x10000
Mar 19 08:44:58 net-all:DROP:IN=eth0 OUT= SRC=115.231.222.14 DST=217.8.50.86
LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=256 PROTO=TCP SPT=64316 DPT=8080
WINDOW=15500 RES=0x00 SYN URGP=0 MARK=0x10000
Mar 19 09:01:14 all-all:REJECT:IN=vmbr2 OUT= SRC=192.168.178.48
DST=192.168.178.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61293 DF PROTO=TCP
SPT=51560 DPT=9000 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x20000
NAT Table
Chain PREROUTING (policy ACCEPT 5 packets, 236 bytes)
pkts bytes target prot opt in out source destination
1354 159K UPnP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
49420 3775K UPnP all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
48893 3602K RETURN all -- vmbr2 * 192.168.178.0/24 0.0.0.0/0
1354 159K net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0
527 174K net_dnat all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 2 packets, 120 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3329 253K SNAT all -- * vmbr1 10.1.0.0/24 0.0.0.0/0
to:10.1.0.1
Chain UPnP (2 references)
pkts bytes target prot opt in out source destination
Chain net_dnat (2 references)
pkts bytes target prot opt in out source destination
99 4172 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
multiport dports 80,443 to:10.0.0.2
5 252 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:25 to:10.1.0.4
Mangle Table
Chain PREROUTING (policy ACCEPT 137 packets, 15547 bytes)
pkts bytes target prot opt in out source destination
897K 243M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0
CONNMARK restore mask 0x30000
4923 634K routemark all -- eth0 * 0.0.0.0/0 0.0.0.0/0
mark match 0x0/0x30000
52801 4229K routemark all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
mark match 0x0/0x30000
Chain INPUT (policy ACCEPT 135 packets, 15467 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2886 149K MARK all -- * * 0.0.0.0/0 0.0.0.0/0
MARK and 0xfffcffff
Chain OUTPUT (policy ACCEPT 93 packets, 50182 bytes)
pkts bytes target prot opt in out source destination
494K 145M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0
CONNMARK restore mask 0x30000
Chain POSTROUTING (policy ACCEPT 93 packets, 50182 bytes)
pkts bytes target prot opt in out source destination
Chain routemark (2 references)
pkts bytes target prot opt in out source destination
4923 634K MARK all -- eth0 * 0.0.0.0/0 0.0.0.0/0
MARK xset 0x10000/0x30000
52801 4229K MARK all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
MARK xset 0x20000/0x30000
57724 4863K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0
mark match ! 0x0/0x30000 CONNMARK save mask 0x30000
Raw Table
Chain PREROUTING (policy ACCEPT 137 packets, 15547 bytes)
pkts bytes target prot opt in out source destination
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:10080 CT helper amanda
1 60 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 CT helper ftp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1719 CT helper RAS
2 80 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:1720 CT helper Q.931
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:6667 CT helper irc
8892 699K CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:137 CT helper netbios-ns
3 120 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:1723 CT helper pptp
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:6566 CT helper sane
119 52161 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:5060 CT helper sip
9 778 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:161 CT helper snmp
5 212 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:69 CT helper tftp
Chain OUTPUT (policy ACCEPT 93 packets, 50182 bytes)
pkts bytes target prot opt in out source destination
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:10080 CT helper amanda
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 CT helper ftp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1719 CT helper RAS
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:1720 CT helper Q.931
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:6667 CT helper irc
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:137 CT helper netbios-ns
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:1723 CT helper pptp
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:6566 CT helper sane
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:5060 CT helper sip
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:161 CT helper snmp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:69 CT helper tftp
Conntrack Table (18 out of 262144)
IP Configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
group default qlen 1000
inet 217.8.50.86/26 brd 255.255.255.255 scope global eth0
valid_lft forever preferred_lft forever
5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
group default
inet 10.0.0.1/24 brd 10.0.0.255 scope global vmbr0
valid_lft forever preferred_lft forever
6: vmbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
group default
inet 10.1.0.1/24 brd 10.1.0.255 scope global vmbr1
valid_lft forever preferred_lft forever
7: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
group default
inet 192.168.178.14/24 brd 192.168.178.255 scope global vmbr2
valid_lft forever preferred_lft forever
IP Stats
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode
DEFAULT group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
47247809 122402 0 0 0 0
TX: bytes packets errors dropped carrier collsns
47247809 122402 0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
mode DEFAULT group default qlen 1000
link/ether 74:d4:35:1a:f6:0f brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
500028215 6123819 101 0 0 0
TX: bytes packets errors dropped carrier collsns
523378 6031 0 0 0 0
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master
vmbr1 state DOWN mode DEFAULT group default qlen 1000
link/ether 00:15:17:91:9c:b8 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master
vmbr2 state UP mode DEFAULT group default qlen 1000
link/ether 00:15:17:91:9c:b9 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
347300192 632840 0 0 0 71877
TX: bytes packets errors dropped carrier collsns
137792650 440191 0 0 0 0
5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
mode DEFAULT group default
link/ether fe:87:16:37:69:e3 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
25601023 221153 0 0 0 0
TX: bytes packets errors dropped carrier collsns
15820127 189466 0 0 0 0
6: vmbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
mode DEFAULT group default
link/ether 00:15:17:91:9c:b8 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
7: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
mode DEFAULT group default
link/ether 00:15:17:91:9c:b9 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
75349429 475982 0 109355 0 0
TX: bytes packets errors dropped carrier collsns
87998608 186892 0 0 0 0
8: tap121i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc
pfifo_fast master vmbr2 state UNKNOWN mode DEFAULT group default qlen 500
link/ether 3a:f5:07:aa:c9:ac brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
43941022 201634 0 0 0 0
TX: bytes packets errors dropped carrier collsns
66470777 294904 0 0 0 0
10: veth103i0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
master vmbr0 state UP mode DEFAULT group default qlen 1000
link/ether fe:87:16:37:69:e3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
RX: bytes packets errors dropped overrun mcast
27379303 206510 0 0 0 0
TX: bytes packets errors dropped carrier collsns
14938653 180116 0 0 0 0
14: veth112i0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
master vmbr0 state UP mode DEFAULT group default qlen 1000
link/ether fe:de:f1:22:91:4a brd ff:ff:ff:ff:ff:ff link-netnsid 2
RX: bytes packets errors dropped overrun mcast
2741160 9630 0 0 0 0
TX: bytes packets errors dropped carrier collsns
809606 10227 0 0 0 0
26: veth109i0@if25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
master vmbr2 state UP mode DEFAULT group default qlen 1000
link/ether fe:48:96:0f:d9:89 brd ff:ff:ff:ff:ff:ff link-netnsid 1
RX: bytes packets errors dropped overrun mcast
1486269 18739 0 0 0 0
TX: bytes packets errors dropped carrier collsns
20188452 124457 0 0 0 0
Bridges
bridge name bridge id STP enabled interfaces
vmbr0 8000.fe87163769e3 no veth103i0
veth112i0
vmbr1 8000.001517919cb8 no eth1
vmbr2 8000.001517919cb9 no eth2
tap121i0
veth109i0
Routing Rules
0: from all lookup local
999: from all lookup main
1000: from 10.0.0.0/24 lookup um_business
1000: from 10.1.0.0/24 lookup um_business
1000: from 192.168.178.14 lookup um_private
10000: from all fwmark 0x10000/0x30000 lookup um_business
10001: from all fwmark 0x20000/0x30000 lookup um_private
11000: from all iif vmbr1 lookup um_business
32765: from all lookup balance
32767: from all lookup default
Table balance:
default nexthop via 217.8.50.65 dev eth0 weight 2 nexthop via 192.168.178.1 dev
vmbr2 weight 1
Table default:
Table local:
local 217.8.50.86 dev eth0 proto kernel scope host src 217.8.50.86
local 192.168.178.14 dev vmbr2 proto kernel scope host src 192.168.178.14
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.1.0.1 dev vmbr1 proto kernel scope host src 10.1.0.1
local 10.0.0.1 dev vmbr0 proto kernel scope host src 10.0.0.1
broadcast 217.8.50.64 dev eth0 proto kernel scope link src 217.8.50.86
broadcast 217.8.50.127 dev eth0 proto kernel scope link src 217.8.50.86
broadcast 192.168.178.255 dev vmbr2 proto kernel scope link src 192.168.178.14
broadcast 192.168.178.0 dev vmbr2 proto kernel scope link src 192.168.178.14
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.1.0.255 dev vmbr1 proto kernel scope link src 10.1.0.1 linkdown
broadcast 10.1.0.0 dev vmbr1 proto kernel scope link src 10.1.0.1 linkdown
broadcast 10.0.0.255 dev vmbr0 proto kernel scope link src 10.0.0.1
broadcast 10.0.0.0 dev vmbr0 proto kernel scope link src 10.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
217.8.50.65 dev eth0 scope link src 217.8.50.86
192.168.178.1 dev vmbr2 scope link src 192.168.178.14
217.8.50.64/26 dev eth0 proto kernel scope link src 217.8.50.86
192.168.178.0/24 dev vmbr2 proto kernel scope link src 192.168.178.14
10.1.0.0/24 dev vmbr1 proto kernel scope link src 10.1.0.1 linkdown
10.0.0.0/24 dev vmbr0 proto kernel scope link src 10.0.0.1
blackhole 192.168.0.0/16
blackhole 172.16.0.0/12
blackhole 10.0.0.0/8
Table um_business:
217.8.50.65 dev eth0 scope link src 217.8.50.86
default via 217.8.50.65 dev eth0 src 217.8.50.86
Table um_private:
192.168.178.1 dev vmbr2 scope link src 192.168.178.14
default via 192.168.178.1 dev vmbr2 src 192.168.178.14
Per-IP Counters
iptaccount is not installed
NF Accounting
Events
/proc
/proc/version = Linux version 4.2.8-1-pve (root@elsa) (gcc version 4.9.2 (Debian 4.9.2-10) ) #1 SMP Fri Feb 26 16:37:36 CET 2016
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/default/log_martians = 1
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 1
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/log_martians = 1
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
/proc/sys/net/ipv4/conf/eth1/log_martians = 1
/proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth2/arp_filter = 0
/proc/sys/net/ipv4/conf/eth2/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth2/rp_filter = 0
/proc/sys/net/ipv4/conf/eth2/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 1
/proc/sys/net/ipv4/conf/tap121i0/proxy_arp = 0
/proc/sys/net/ipv4/conf/tap121i0/arp_filter = 0
/proc/sys/net/ipv4/conf/tap121i0/arp_ignore = 0
/proc/sys/net/ipv4/conf/tap121i0/rp_filter = 0
/proc/sys/net/ipv4/conf/tap121i0/log_martians = 1
/proc/sys/net/ipv4/conf/veth103i0/proxy_arp = 0
/proc/sys/net/ipv4/conf/veth103i0/arp_filter = 0
/proc/sys/net/ipv4/conf/veth103i0/arp_ignore = 0
/proc/sys/net/ipv4/conf/veth103i0/rp_filter = 0
/proc/sys/net/ipv4/conf/veth103i0/log_martians = 1
/proc/sys/net/ipv4/conf/veth109i0/proxy_arp = 0
/proc/sys/net/ipv4/conf/veth109i0/arp_filter = 0
/proc/sys/net/ipv4/conf/veth109i0/arp_ignore = 0
/proc/sys/net/ipv4/conf/veth109i0/rp_filter = 0
/proc/sys/net/ipv4/conf/veth109i0/log_martians = 1
/proc/sys/net/ipv4/conf/veth112i0/proxy_arp = 0
/proc/sys/net/ipv4/conf/veth112i0/arp_filter = 0
/proc/sys/net/ipv4/conf/veth112i0/arp_ignore = 0
/proc/sys/net/ipv4/conf/veth112i0/rp_filter = 0
/proc/sys/net/ipv4/conf/veth112i0/log_martians = 1
/proc/sys/net/ipv4/conf/vmbr0/proxy_arp = 0
/proc/sys/net/ipv4/conf/vmbr0/arp_filter = 0
/proc/sys/net/ipv4/conf/vmbr0/arp_ignore = 0
/proc/sys/net/ipv4/conf/vmbr0/rp_filter = 1
/proc/sys/net/ipv4/conf/vmbr0/log_martians = 1
/proc/sys/net/ipv4/conf/vmbr1/proxy_arp = 1
/proc/sys/net/ipv4/conf/vmbr1/arp_filter = 0
/proc/sys/net/ipv4/conf/vmbr1/arp_ignore = 0
/proc/sys/net/ipv4/conf/vmbr1/rp_filter = 0
/proc/sys/net/ipv4/conf/vmbr1/log_martians = 1
/proc/sys/net/ipv4/conf/vmbr2/proxy_arp = 0
/proc/sys/net/ipv4/conf/vmbr2/arp_filter = 0
/proc/sys/net/ipv4/conf/vmbr2/arp_ignore = 1
/proc/sys/net/ipv4/conf/vmbr2/rp_filter = 0
/proc/sys/net/ipv4/conf/vmbr2/log_martians = 1
ARP
? (10.0.0.2) auf <unvollständig> auf vmbr0
? (192.168.178.1) auf c8:0e:14:de:97:70 [ether] auf vmbr2
? (192.168.178.34) auf 32:37:30:32:62:61 [ether] auf vmbr2
? (10.0.0.9) auf 32:62:39:33:65:64 [ether] auf vmbr0
? (10.1.0.4) auf <unvollständig> auf vmbr1
? (10.0.0.3) auf 32:65:65:39:30:35 [ether] auf vmbr0
? (192.168.178.48) auf 58:94:6b:a4:2a:cc [ether] auf vmbr2
? (192.168.178.41) auf 00:1a:4d:47:b3:48 [ether] auf vmbr2
? (217.8.50.65) auf 00:01:5c:23:8e:01 [ether] auf eth0
? (192.168.178.33) auf 66:66:30:65:66:30 [ether] auf vmbr2
? (10.0.0.10) auf 62:66:39:39:35:34 [ether] auf vmbr0
Modules
ip_set 45056 2 ip_set_hash_ip,xt_set
ip_set_hash_ip 32768 0
iptable_filter 16384 2
iptable_mangle 16384 1
iptable_nat 16384 1
iptable_raw 16384 1
ip_tables 28672 4 iptable_filter,iptable_mangle,iptable_nat,iptable_raw
ipt_MASQUERADE 16384 0
ipt_REJECT 16384 4
ipt_rpfilter 16384 0
nf_conntrack 106496 32 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_helper,nf_conntrack_proto_udplite,nf_nat,xt_connlimit,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,nf_nat_masquerade_ipv4,nf_conntrack_proto_sctp,nf_conntrack_netlink,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
nf_conntrack_amanda 16384 3 nf_nat_amanda
nf_conntrack_broadcast 16384 2 nf_conntrack_netbios_ns,nf_conntrack_snmp
nf_conntrack_ftp 20480 3 nf_nat_ftp
nf_conntrack_h323 77824 5 nf_nat_h323
nf_conntrack_ipv4 20480 65
nf_conntrack_irc 16384 3 nf_nat_irc
nf_conntrack_netbios_ns 16384 2
nf_conntrack_netlink 36864 0
nf_conntrack_pptp 20480 3 nf_nat_pptp
nf_conntrack_proto_gre 16384 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 20480 0
nf_conntrack_proto_udplite 16384 0
nf_conntrack_sane 16384 2
nf_conntrack_sip 28672 3 nf_nat_sip
nf_conntrack_snmp 16384 3 nf_nat_snmp_basic
nf_conntrack_tftp 16384 3 nf_nat_tftp
nf_defrag_ipv4 16384 2 xt_TPROXY,nf_conntrack_ipv4
nf_defrag_ipv6 36864 1 xt_TPROXY
nf_log_common 16384 1 nf_log_ipv4
nf_log_ipv4 16384 7
nf_nat 24576 11 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,nf_nat_proto_gre,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_nat,nf_nat_masquerade_ipv4
nf_nat_amanda 16384 0
nf_nat_ftp 16384 0
nf_nat_h323 20480 0
nf_nat_ipv4 16384 1 iptable_nat
nf_nat_irc 16384 0
nf_nat_masquerade_ipv4 16384 1 ipt_MASQUERADE
nf_nat_pptp 16384 0
nf_nat_proto_gre 16384 1 nf_nat_pptp
nf_nat_sip 20480 0
nf_nat_snmp_basic 20480 0
nf_nat_tftp 16384 0
nf_reject_ipv4 16384 1 ipt_REJECT
xt_addrtype 16384 5
xt_AUDIT 16384 0
xt_CHECKSUM 16384 0
xt_CLASSIFY 16384 0
xt_comment 16384 22
xt_connlimit 16384 0
xt_connmark 16384 3
xt_conntrack 16384 39
xt_CT 16384 22
xt_dscp 16384 0
xt_DSCP 16384 0
xt_hashlimit 20480 0
xt_helper 16384 0
xt_iprange 16384 0
xt_length 16384 0
xt_limit 16384 2
xt_LOG 16384 7
xt_mark 16384 6
xt_multiport 16384 17
xt_nat 16384 3
xt_nfacct 16384 0
xt_NFLOG 16384 0
xt_NFQUEUE 16384 0
xt_owner 16384 0
xt_physdev 16384 0
xt_pkttype 16384 0
xt_policy 16384 0
xt_realm 16384 0
xt_recent 20480 1
xt_set 16384 0
xt_statistic 16384 0
xt_tcpmss 16384 0
xt_TCPMSS 16384 0
xt_tcpudp 16384 60
xt_time 16384 0
xt_TPROXY 20480 0
Shorewall has detected the following iptables/netfilter capabilities:
ACCOUNT Target (ACCOUNT_TARGET): Not available
Address Type Match (ADDRTYPE): Available
Amanda Helper: Available
Arptables JF (ARPTABLESJF): Not available
AUDIT Target (AUDIT_TARGET): Available
Basic Ematch (BASIC_EMATCH): Available
Basic Filter (BASIC_FILTER): Available
Capabilities Version (CAPVERSION): 50004
Checksum Target (CHECKSUM_TARGET): Available
CLASSIFY Target (CLASSIFY_TARGET): Available
Comments (COMMENTS): Available
Condition Match (CONDITION_MATCH): Not available
Connection Tracking Match (CONNTRACK_MATCH): Available
Connlimit Match (CONNLIMIT_MATCH): Available
Connmark Match (CONNMARK_MATCH): Available
CONNMARK Target (CONNMARK): Available
CT Target (CT_TARGET): Available
DSCP Match (DSCP_MATCH): Available
DSCP Target (DSCP_TARGET): Available
Enhanced Multi-port Match (EMULIPORT): Available
Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
Extended Connmark Match (XCONNMARK_MATCH): Available
Extended CONNMARK Target (XCONNMARK): Available
Extended MARK Target 2 (EXMARK): Available
Extended MARK Target (XMARK): Available
Extended Multi-port Match (XMULIPORT): Available
Extended REJECT (ENHANCED_REJECT): Available
FLOW Classifier (FLOW_FILTER): Available
FTP-0 Helper: Not available
FTP Helper: Available
fwmark route mask (FWMARK_RT_MASK): Available
Geo IP Match (GEOIP_MATCH): Not available
Goto Support (GOTO_TARGET): Available
H323 Helper: Available
Hashlimit Match (HASHLIMIT_MATCH): Available
Header Match (HEADER_MATCH): Not available
Helper Match (HELPER_MATCH): Available
Iface Match (IFACE_MATCH): Not available
IMQ Target (IMQ_TARGET): Not available
IPMARK Target (IPMARK_TARGET): Not available
IPP2P Match (IPP2P_MATCH): Not available
IP range Match(IPRANGE_MATCH): Available
Ipset Match Counters (IPSET_MATCH_COUNTERS): Available
Ipset Match (IPSET_MATCH): Available
Ipset Match Nomatch (IPSET_MATCH_NOMATCH): Available
ipset V5 (IPSET_V5): Available
iptables -S (IPTABLES_S): Available
iptables --wait option (WAIT_OPTION): Available
IRC-0 Helper: Not available
IRC Helper: Available
Kernel Version (KERNELVERSION): 40208
LOGMARK Target (LOGMARK_TARGET): Not available
LOG Target (LOG_TARGET): Available
Mangle FORWARD Chain (MANGLE_FORWARD): Available
Mark in the filter table (MARK_ANYWHERE): Available
MARK Target (MARK): Available
MASQUERADE Target (MASQUERADE_TGT): Available
Multi-port Match (MULTIPORT): Available
NAT (NAT_ENABLED): Available
Netbios_ns Helper: Available
New tos Match (NEW_TOS_MATCH): Available
NFAcct Match: Available
NFLOG Target (NFLOG_TARGET): Available
NFQUEUE Target (NFQUEUE_TARGET): Available
Owner Match (OWNER_MATCH): Available
Owner Name Match (OWNER_NAME_MATCH): Available
Packet length Match (LENGTH_MATCH): Available
Packet Mangling (MANGLE_ENABLED): Available
Packet Type Match (USEPKTTYPE): Available
Persistent SNAT (PERSISTENT_SNAT): Available
Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
Physdev Match (PHYSDEV_MATCH): Available
Policy Match (POLICY_MATCH): Available
PPTP Helper: Available
Rawpost Table (RAWPOST_TABLE): Not available
Raw Table (RAW_TABLE): Available
Realm Match (REALM_MATCH): Available
Recent Match "--reap" option (REAP_OPTION): Available
Recent Match (RECENT_MATCH): Available
Repeat match (KLUDGEFREE): Available
RPFilter Match (RPFILTER_MATCH): Available
SANE-0 Helper: Not available
SANE Helper: Available
SIP-0 Helper: Not available
SIP Helper: Available
SNMP Helper: Available
Statistic Match (STATISTIC_MATCH): Available
TARPIT Target (TARPIT_TARGET): Not available
TCPMSS Match (TCPMSS_MATCH): Available
TCPMSS Target (TCPMSS_TARGET): Available
TFTP-0 Helper: Not available
TFTP Helper: Available
Time Match (TIME_MATCH): Available
TPROXY Target (TPROXY_TARGET): Available
UDPLITE Port Redirection (UDPLITEREDIRECT): Not available
ULOG Target (ULOG_TARGET): Not available
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:514 *:*
users:(("rsyslogd",pid=1389,fd=6))
udp UNCONN 0 0 *:58084 *:*
users:(("rpc.statd",pid=1165,fd=8))
udp UNCONN 0 0 *:841 *:*
users:(("rpcbind",pid=1101,fd=7))
udp UNCONN 0 0 127.0.0.1:917 *:*
users:(("rpc.statd",pid=1165,fd=5))
udp UNCONN 0 0 *:29983 *:*
users:(("dhclient",pid=555,fd=20))
udp UNCONN 0 0 *:40808 *:*
users:(("systemd-timesyn",pid=497,fd=13))
udp UNCONN 0 0 *:68 *:*
users:(("dhclient",pid=555,fd=6))
udp UNCONN 0 0 *:111 *:*
users:(("rpcbind",pid=1101,fd=6))
udp UNCONN 0 0 192.168.178.14:123 *:*
users:(("ntpd",pid=1390,fd=22))
udp UNCONN 0 0 10.1.0.1:123 *:*
users:(("ntpd",pid=1390,fd=21))
udp UNCONN 0 0 10.0.0.1:123 *:*
users:(("ntpd",pid=1390,fd=20))
udp UNCONN 0 0 217.8.50.86:123 *:*
users:(("ntpd",pid=1390,fd=19))
udp UNCONN 0 0 127.0.0.1:123 *:*
users:(("ntpd",pid=1390,fd=18))
udp UNCONN 0 0 *:123 *:*
users:(("ntpd",pid=1390,fd=16))
tcp LISTEN 0 100 10.0.0.1:4505 *:*
users:(("salt-master",pid=1604,fd=14))
tcp LISTEN 0 100 127.0.0.1:25 *:*
users:(("master",pid=1536,fd=12))
tcp LISTEN 0 100 10.0.0.1:4506 *:*
users:(("salt-master",pid=1612,fd=22))
tcp LISTEN 0 128 *:8006 *:*
users:(("pveproxy",pid=28576,fd=6),("pveproxy worker",pid=8389,fd=6),("pveproxy worker",pid=8388,fd=6),("pveproxy worker",pid=8387,fd=6))
tcp LISTEN 0 128 *:2214 *:*
users:(("sshd",pid=1273,fd=3))
tcp LISTEN 0 5 127.0.0.1:5900 *:*
users:(("lxc-console",pid=13897,fd=4),("dtach",pid=13896,fd=4))
tcp LISTEN 0 5 127.0.0.1:5901 *:*
users:(("lxc-console",pid=24956,fd=4),("dtach",pid=24955,fd=4))
tcp LISTEN 0 128 *:111 *:*
users:(("rpcbind",pid=1101,fd=8))
tcp LISTEN 0 5 127.0.0.1:7634 *:*
users:(("hddtemp",pid=1450,fd=0))
tcp LISTEN 0 128 127.0.0.1:85 *:*
users:(("pvedaemon worke",pid=8359,fd=6),("pvedaemon worke",pid=8358,fd=6),("pvedaemon worke",pid=8357,fd=6),("pvedaemon",pid=1582,fd=6))
tcp LISTEN 0 128 *:60949 *:*
users:(("rpc.statd",pid=1165,fd=9))
tcp LISTEN 0 128 *:3128 *:*
users:(("spiceproxy",pid=28600,fd=6),("spiceproxy work",pid=8392,fd=6))
tcp ESTAB 0 0 10.0.0.1:4505 10.0.0.10:59284
users:(("salt-master",pid=1604,fd=16))
tcp ESTAB 0 0 192.168.178.14:55966 192.168.178.34:2209
users:(("ssh",pid=15878,fd=3))
tcp ESTAB 0 0 192.168.178.14:2214 192.168.178.48:35806
users:(("sshd",pid=31279,fd=3),("sshd",pid=31121,fd=3))
tcp ESTAB 0 0 10.0.0.1:52976 10.0.0.3:2203
users:(("ssh",pid=15663,fd=3))
tcp ESTAB 0 0 10.0.0.1:58896 10.0.0.10:2210
users:(("ssh",pid=30234,fd=3))