I checked //etc/shorewall/rules/ again and confirmed that everything is ok.
But I modified //etc/shorewall/interfaces /as follows:
root@pc4-svp:/# cat /etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net UMB_IF -
optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$UMB_IF,upnp,nosmurfs,tcpflags,dhcp
net UMP_IF -
optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$UMP_IF,upnp,nosmurfs,tcpflags
loc INT_IF -
dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=10.0.0.0/24,routeback
vpn TUN_IF+ - physical=tun+,ignore=1
dmz DMZ_IF -
dhcp,physical=$DMZ_IF,ignore=1,wait=5,routefilter,nets=10.1.0.0/24,routeback
Then I identified that another firewall service (PVE Firewall) is running.
I stopped this service, and now there are no DNS name resolution issues
anymore.
However, now I have a weired issue that apt update fails to access IPv6
addresses on clients loc (= 10.0.0.0/24) and dmz (=10.1.0.0/24):
Holen: 100 http://ftp.tu-chemnitz.de/pub/linux/debian/debian/
testing/main iputils-ping amd64 3:20150815-2 [53,6 kB]
Holen: 101 http://ftp.tu-chemnitz.de/pub/linux/debian/debian/
testing/main libisc-export95 amd64 1:9.9.5.dfsg-12.1 [138 kB]
Fehl http://ftp.tu-chemnitz.de/pub/linux/debian/debian/ unstable/main
isc-dhcp-client amd64 4.3.3-9
Verbindung mit ftp.tu-chemnitz.de:80 kann nicht aufgebaut werden
(2001:638:911:b0e:134:109:228:1). - connect (101: Das Netzwerk ist nicht
erreichbar) [IP: 2001:638:911:b0e:134:109:228:1 80]
Fehl http://ftp.tu-chemnitz.de/pub/linux/debian/debian/ unstable/main
isc-dhcp-common amd64 4.3.3-9
Verbindung mit ftp.tu-chemnitz.de:80 kann nicht aufgebaut werden
(2001:638:911:b0e:134:109:228:1). - connect (101: Das Netzwerk ist nicht
erreichbar) [IP: 2001:638:911:b0e:134:109:228:1 80]
Holen: 201 http://ftp.tu-chemnitz.de/pub/linux/debian/debian/
testing/main iptables amd64 1.6.0-2 [291 kB]
Holen: 202 http://ftp.tu-chemnitz.de/pub/linux/debian/debian/
testing/main iputils-ping amd64 3:20150815-2 [53,6 kB]
Fehl http://repo.saltstack.com/apt/debian/8/amd64/latest/ jessie/main
salt-minion all 2015.8.8+ds-2
Verbindung mit repo.saltstack.com:80 kann nicht aufgebaut werden
(2604:a880:400:d0::2:e001). - connect (101: Das Netzwerk ist nicht
erreichbar) [IP: 2604:a880:400:d0::2:e001 80]
Fehl http://repo.saltstack.com/apt/debian/8/amd64/latest/ jessie/main
salt-common all 2015.8.8+ds-2
Verbindung mit repo.saltstack.com:80 kann nicht aufgebaut werden
(2604:a880:400:d0::2:e001). - connect (101: Das Netzwerk ist nicht
erreichbar) [IP: 2604:a880:400:d0::2:e001 80]
33% [Verbindung mit ftp.tu-chemnitz.de (134.109.228.1)]^C
This makes no sense to me, but it's reproducable.
What is needed to troubleshoot this issue?
Dump is attached after /shorewall reset/ to this email.
Regards,
Thomas
Am 03.04.2016 um 17:27 schrieb Tom Eastep:
On 04/03/2016 01:58 AM, Thomas Schneider wrote:
OK.
In the guide " Configuration Files Tips and Hints" you advise against
usage of DNS Names.
I have resolved the DNS names and I understand this article to highlight
the risk if the provider changes things on their hand.
However, I don't know how to mitigate this risk with a restrictive
rule-set in dmz that should only allow access to the update servers.
I have now modified masq config file accordingly:
root@pc4-svp:/etc/shorewall# cat masq
#INTERFACE SOURCE ADDRESS
UMB_IF 10.0.0.0/24 217.8.50.86
UMB_IF 10.1.0.0/24 217.8.50.86
However, I believe I should then correct interfaces config file and set
proxyarp=0 for zone dmz.
Would you recommend to set the same options for zone dmz as configured
for zone loc (adjusting nets=10.1.0.0/24)?
root@pc4-svp:/etc/shorewall# cat interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net UMB_IF -
optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$UMB_IF,upnp,nosmurfs,tcpflags,dhcp
net UMP_IF -
optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$UMP_IF,upnp,nosmurfs,tcpflags
loc INT_IF -
dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=10.0.0.0/24,routeback
vpn TUN_IF+ - physical=tun+,ignore=1
dmz DMZ_IF -
routeback,proxyarp=1,required,wait=30
After shorewall reset I have started apt update on a different client in
loc (= 10.0.0.0/24) and dmz (= 10.1.0.0/24) and collected the attached dump.
The dump still shows no DNS rules loc->net and dmz->net
By the way:
When creating dump file, I get this output indicating an issue with file
/proc/net/nf_conntrack:
root@pc4-svp:/home/thomas# shorewall dump > shorewall_dump.txt
grep: /proc/net/nf_conntrack: Datei oder Verzeichnis nicht gefunden
This file does neither exist on my Debian 8 server nor on my Debian Sid
notebook.
Install the conntrack package.
-Tom
------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785471&iu=/4140
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Shorewall 5.0.7.2 Dump at pc4-svp - Mo 4. Apr 01:15:36 CEST 2016
Shorewall is running
State:Started (Mo 4. Apr 01:12:13 CEST 2016) from /etc/shorewall/
(/var/lib/shorewall/firewall compiled by Shorewall version 5.0.7.2)
Counters reset Mo 4. Apr 01:12:13 CEST 2016
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2206 467K UMP_IF_in all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
311 108K UMB_IF_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
1062 222K INT_IF_in all -- vmbr0 * 0.0.0.0/0 0.0.0.0/0
0 0 vpn-fw all -- tun+ * 0.0.0.0/0 0.0.0.0/0
340 75128 DMZ_IF_in all -- vmbr1 * 0.0.0.0/0 0.0.0.0/0
701 620K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:INPUT:REJECT:"
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 UMP_IF_fwd all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
46292 89M UMB_IF_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
24480 1343K INT_IF_fwd all -- vmbr0 * 0.0.0.0/0 0.0.0.0/0
0 0 vpn_frwd all -- tun+ * 0.0.0.0/0 0.0.0.0/0
445 35484 DMZ_IF_fwd all -- vmbr1 * 0.0.0.0/0 0.0.0.0/0
2 120 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
2 120 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:"
2 120 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1736 1475K ACCEPT all -- * vmbr2 0.0.0.0/0 0.0.0.0/0
5 356 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
1005 55688 INT_IF_out all -- * vmbr0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
354 18864 DMZ_IF_out all -- * vmbr1 0.0.0.0/0 0.0.0.0/0
701 620K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Broadcast (2 references)
pkts bytes target prot opt in out source destination
10 1416 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match dst-type BROADCAST
1 36 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match dst-type MULTICAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match dst-type ANYCAST
Chain DMZ_IF_fwd (1 references)
pkts bytes target prot opt in out source destination
46 2880 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
421 33922 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
445 35484 dmz_frwd all -- * * 10.1.0.0/24 0.0.0.0/0
Chain DMZ_IF_in (1 references)
pkts bytes target prot opt in out source destination
3 228 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
337 74900 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0 0.0.0.0/0
udp dpts:67:68
340 75128 dmz-fw all -- * * 10.1.0.0/24 0.0.0.0/0
Chain DMZ_IF_out (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
354 18864 ACCEPT all -- * * 0.0.0.0/0 10.1.0.0/24
0 0 ACCEPT all -- * * 0.0.0.0/0
255.255.255.255
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.0/4
Chain Drop (1 references)
pkts bytes target prot opt in out source destination
7 400 all -- * * 0.0.0.0/0 0.0.0.0/0
7 400 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 11 /* Needed ICMP types */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535 /* SMB */
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900 /* UPnP */
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:!0x17/0x02
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 /* Late DNS Replies */
Chain INT_IF_fwd (1 references)
pkts bytes target prot opt in out source destination
92 5286 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
24434 1340K tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
24480 1343K loc_frwd all -- * * 10.0.0.0/24 0.0.0.0/0
Chain INT_IF_in (1 references)
pkts bytes target prot opt in out source destination
23 1428 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
1059 222K tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0 0.0.0.0/0
udp dpts:67:68
1062 222K ~comb1 all -- * * 10.0.0.0/24 0.0.0.0/0
Chain INT_IF_out (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
1005 55688 ACCEPT all -- * * 0.0.0.0/0 10.0.0.0/24
0 0 ACCEPT all -- * * 0.0.0.0/0
255.255.255.255
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.0/4
Chain Reject (9 references)
pkts bytes target prot opt in out source destination
14 1632 all -- * * 0.0.0.0/0 0.0.0.0/0
14 1632 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 11 /* Needed ICMP types */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535 /* SMB */
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900 /* UPnP */
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:!0x17/0x02
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 /* Late DNS Replies */
Chain UMB_IF_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all -- * eth0 0.0.0.0/0 0.0.0.0/0
[goto]
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
46250 89M tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
46292 89M net_frwd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain UMB_IF_in (1 references)
pkts bytes target prot opt in out source destination
306 108K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
306 108K smurfs all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
299 107K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
7 400 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
12 1048 net-fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain UMP_IF_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 smurfs all -- * * 192.168.178.0/24 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 192.168.178.0/24 0.0.0.0/0
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fb_frwd all -- * * 192.168.178.0/24 0.0.0.0/0
0 0 net_frwd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain UMP_IF_in (1 references)
pkts bytes target prot opt in out source destination
45 3396 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
45 3396 smurfs all -- * * 192.168.178.0/24 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
45 3396 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
2196 466K tcpflags tcp -- * * 192.168.178.0/24 0.0.0.0/0
2196 466K tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
2204 467K ~comb1 all -- * * 192.168.178.0/24 0.0.0.0/0
2 286 net-fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain all-all (7 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
8 1224 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:all-all:REJECT:"
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain dmz-all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain dmz-fw (1 references)
pkts bytes target prot opt in out source destination
337 74900 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 4505,4506
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
3 228 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain dmz-net (2 references)
pkts bytes target prot opt in out source destination
399 32604 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
20 1320 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53 /* DNS */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53 /* DNS */
0 0 ACCEPT tcp -- * * 0.0.0.0/0
130.89.148.12 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
195.20.242.89 tcp dpt:80
7 420 ACCEPT tcp -- * * 0.0.0.0/0
87.230.23.19 tcp dpt:80
1 60 ACCEPT tcp -- * * 0.0.0.0/0
198.199.77.106 tcp dpt:80
1 60 ACCEPT tcp -- * * 0.0.0.0/0
134.109.228.1 tcp dpt:80
7 420 ACCEPT tcp -- * * 0.0.0.0/0
212.211.132.250 tcp dpt:80
7 420 ACCEPT tcp -- * * 0.0.0.0/0
129.143.116.113 tcp dpt:80
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
1 60 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
1 60 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain dmz_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dmz-all all -- * vmbr2 0.0.0.0/0
192.168.178.0/24
428 34431 dmz-net all -- * eth0 0.0.0.0/0 0.0.0.0/0
15 933 dmz-net all -- * vmbr2 0.0.0.0/0 0.0.0.0/0
0 0 dmz-all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * vmbr1 0.0.0.0/0 10.1.0.0/24
Chain dynamic (10 references)
pkts bytes target prot opt in out source destination
Chain fb-net (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 80,443 /* HTTP, HTTPS */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 192.168.178.121 0.0.0.0/0
tcp dpt:5938
0 0 ACCEPT tcp -- * * 192.168.178.48 0.0.0.0/0
tcp dpt:5938
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain fb_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 fb-net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 fb-net all -- * vmbr2 0.0.0.0/0 0.0.0.0/0
0 0 all-all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 ~comb0 all -- * vmbr1 0.0.0.0/0 10.1.0.0/24
0 0 ~comb0 all -- * vmbr1 0.0.0.0/0 224.0.0.0/4
Chain loc-net (2 references)
pkts bytes target prot opt in out source destination
24388 1337K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
59 3308 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 80,443,143 /* HTTP, HTTPS, IMAP */
33 1978 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53 /* DNS */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53 /* DNS */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain loc_frwd (1 references)
pkts bytes target prot opt in out source destination
24448 1341K loc-net all -- * eth0 0.0.0.0/0 0.0.0.0/0
32 1852 loc-net all -- * vmbr2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * vmbr0 0.0.0.0/0 10.0.0.0/24
0 0 all-all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 ~comb0 all -- * vmbr1 0.0.0.0/0 10.1.0.0/24
0 0 ~comb0 all -- * vmbr1 0.0.0.0/0 224.0.0.0/4
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logflags (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net-all (3 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
7 400 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
7 400 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:net-all:DROP:"
7 400 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net-dmz (2 references)
pkts bytes target prot opt in out source destination
595 1083K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 143,25,80,443,465,587,993
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 8 /* Ping */
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.1.0.4
tcp dpt:25 limit: avg 5/sec burst 10
0 0 net-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain net-fw (2 references)
pkts bytes target prot opt in out source destination
7 934 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 8 /* Ping */
7 400 net-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain net_frwd (2 references)
pkts bytes target prot opt in out source destination
0 0 ~comb2 all -- * vmbr2 0.0.0.0/0
192.168.178.0/24
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * vmbr2 0.0.0.0/0 0.0.0.0/0
45697 88M ~comb2 all -- * vmbr0 0.0.0.0/0 10.0.0.0/24
0 0 ~comb2 all -- * vmbr0 0.0.0.0/0 224.0.0.0/4
0 0 ~comb2 all -- * tun+ 0.0.0.0/0 0.0.0.0/0
595 1083K net-dmz all -- * vmbr1 0.0.0.0/0 10.1.0.0/24
0 0 net-dmz all -- * vmbr1 0.0.0.0/0 224.0.0.0/4
Chain reject (18 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
3 180 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain sfilter (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:sfilter:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain sha-lh-e1f33498bedb03fae1ee (0 references)
pkts bytes target prot opt in out source destination
Chain sha-rh-5c3809318b9e43d6ceb5 (0 references)
pkts bytes target prot opt in out source destination
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255
Chain smurflog (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:smurfs:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain smurfs (6 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0 0.0.0.0/0
0 0 smurflog all -- * * 0.0.0.0/0 0.0.0.0/0
[goto] ADDRTYPE match src-type BROADCAST
0 0 smurflog all -- * * 224.0.0.0/4 0.0.0.0/0
[goto]
Chain tcpflags (12 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x05/0x05
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x19/0x09
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp spt:0 flags:0x17/0x02
Chain vpn-dmz (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 143,25,80,443,465,587,993
0 0 all-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain vpn-fw (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 all-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain vpn_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all -- * tun+ 0.0.0.0/0 0.0.0.0/0
[goto]
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all-all all -- * vmbr0 0.0.0.0/0 10.0.0.0/24
0 0 all-all all -- * vmbr0 0.0.0.0/0 224.0.0.0/4
0 0 vpn-dmz all -- * vmbr1 0.0.0.0/0 10.1.0.0/24
0 0 vpn-dmz all -- * vmbr1 0.0.0.0/0 224.0.0.0/4
Chain ~comb0 (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 143,25,80,443,465,587,993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:2200:2299
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain ~comb1 (2 references)
pkts bytes target prot opt in out source destination
3198 684K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:2214
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
40 2400 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:8006
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 443,5900:5999
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 8 /* Ping */
20 1200 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 4505,4506
8 1224 all-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain ~comb2 (4 references)
pkts bytes target prot opt in out source destination
45697 88M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 8 /* Ping */
0 0 net-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Log (/var/log/messages)
Apr 4 00:06:52 FORWARD:REJECT:IN=vmbr1 OUT=vmbr0 SRC=10.1.0.4 DST=10.0.0.3
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29423 DF PROTO=TCP SPT=53480 DPT=3306
WINDOW=29200 RES=0x00 SYN URGP=0
Apr 4 00:08:52 FORWARD:REJECT:IN=vmbr1 OUT=vmbr0 SRC=10.1.0.4 DST=10.0.0.3
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=31786 DF PROTO=TCP SPT=53500 DPT=3306
WINDOW=29200 RES=0x00 SYN URGP=0
Apr 4 00:10:52 FORWARD:REJECT:IN=vmbr1 OUT=vmbr0 SRC=10.1.0.4 DST=10.0.0.3
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=35035 DF PROTO=TCP SPT=53512 DPT=3306
WINDOW=29200 RES=0x00 SYN URGP=0
Apr 4 00:12:52 FORWARD:REJECT:IN=vmbr1 OUT=vmbr0 SRC=10.1.0.4 DST=10.0.0.3
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=13328 DF PROTO=TCP SPT=53528 DPT=3306
WINDOW=29200 RES=0x00 SYN URGP=0
Apr 4 00:12:59 net-all:DROP:IN=eth0 OUT= SRC=46.161.40.120 DST=217.8.50.86
LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=49431 PROTO=TCP SPT=58689 DPT=3389
WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000
Apr 4 00:13:28 net-all:DROP:IN=eth0 OUT= SRC=158.255.2.12 DST=217.8.50.86
LEN=437 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=417
MARK=0x10000
Apr 4 00:16:52 FORWARD:REJECT:IN=vmbr1 OUT=vmbr0 SRC=10.1.0.4 DST=10.0.0.3
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=62383 DF PROTO=TCP SPT=53556 DPT=3306
WINDOW=29200 RES=0x00 SYN URGP=0
Apr 4 00:20:52 FORWARD:REJECT:IN=vmbr1 OUT=vmbr0 SRC=10.1.0.4 DST=10.0.0.3
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46365 DF PROTO=TCP SPT=53622 DPT=3306
WINDOW=29200 RES=0x00 SYN URGP=0
Apr 4 00:21:25 net-all:DROP:IN=eth0 OUT= SRC=108.59.4.203 DST=217.8.50.86
LEN=424 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=5061 DPT=5060 LEN=404
MARK=0x10000
Apr 4 00:22:53 FORWARD:REJECT:IN=vmbr1 OUT=vmbr0 SRC=10.1.0.4 DST=10.0.0.3
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=56014 DF PROTO=TCP SPT=53640 DPT=3306
WINDOW=29200 RES=0x00 SYN URGP=0
Apr 4 00:35:53 FORWARD:REJECT:IN=vmbr1 OUT=vmbr0 SRC=10.1.0.4 DST=10.0.0.3
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=34284 DF PROTO=TCP SPT=53830 DPT=3306
WINDOW=29200 RES=0x00 SYN URGP=0
Apr 4 00:36:40 net-all:DROP:IN=eth0 OUT= SRC=191.251.59.38 DST=217.8.50.86
LEN=52 TOS=0x00 PREC=0x00 TTL=44 ID=44679 DF PROTO=TCP SPT=50862 DPT=23
WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x10000
Apr 4 00:36:53 FORWARD:REJECT:IN=vmbr1 OUT=vmbr0 SRC=10.1.0.4 DST=10.0.0.3
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22610 DF PROTO=TCP SPT=53848 DPT=3306
WINDOW=29200 RES=0x00 SYN URGP=0
Apr 4 00:44:45 net-all:DROP:IN=eth0 OUT= SRC=209.126.110.5 DST=217.8.50.86
LEN=439 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=5331 DPT=7080 LEN=419
MARK=0x10000
Apr 4 00:56:54 net-all:DROP:IN=eth0 OUT= SRC=183.60.48.25 DST=217.8.50.86
LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=12210 DPT=23 WINDOW=8192
RES=0x00 SYN URGP=0 MARK=0x10000
Apr 4 00:58:13 FORWARD:REJECT:IN=vmbr1 OUT=vmbr0 SRC=10.1.0.4 DST=10.0.0.3
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64023 DF PROTO=TCP SPT=50920 DPT=3306
WINDOW=29200 RES=0x00 SYN URGP=0
Apr 4 01:12:30 net-all:DROP:IN=eth0 OUT= SRC=112.5.144.36 DST=217.8.50.86
LEN=60 TOS=0x00 PREC=0xE0 TTL=45 ID=44330 DF PROTO=TCP SPT=40353 DPT=23
WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x10000
Apr 4 01:12:32 net-all:DROP:IN=eth0 OUT= SRC=112.5.144.36 DST=217.8.50.86
LEN=60 TOS=0x00 PREC=0xE0 TTL=45 ID=44332 DF PROTO=TCP SPT=40353 DPT=23
WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x10000
Apr 4 01:12:40 net-all:DROP:IN=eth0 OUT= SRC=111.248.60.167 DST=217.8.50.86
LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=256 DF PROTO=TCP SPT=12200 DPT=29081
WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x10000
Apr 4 01:14:13 FORWARD:REJECT:IN=vmbr1 OUT=vmbr0 SRC=10.1.0.4 DST=10.0.0.3
LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5898 DF PROTO=TCP SPT=51294 DPT=3306
WINDOW=29200 RES=0x00 SYN URGP=0
NAT Table
Chain PREROUTING (policy ACCEPT 126 packets, 8142 bytes)
pkts bytes target prot opt in out source destination
7 400 UPnP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
50 3596 UPnP all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
50 3596 RETURN all -- vmbr2 * 192.168.178.0/24 0.0.0.0/0
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:25 to:10.1.0.4
0 0 net_dnat all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 60 packets, 3600 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 27 packets, 1840 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 46 packets, 2921 bytes)
pkts bytes target prot opt in out source destination
35 2161 UMB_IF_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain UMB_IF_masq (1 references)
pkts bytes target prot opt in out source destination
23 1366 SNAT all -- * * 10.0.0.0/24 0.0.0.0/0
to:217.8.50.86
7 439 SNAT all -- * * 10.1.0.0/24 0.0.0.0/0
to:217.8.50.86
Chain UPnP (2 references)
pkts bytes target prot opt in out source destination
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:25 to:10.1.0.4
Mangle Table
Chain PREROUTING (policy ACCEPT 75842 packets, 92M bytes)
pkts bytes target prot opt in out source destination
75842 92M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0
CONNMARK restore mask 0x30000
42 3674 routemark all -- eth0 * 0.0.0.0/0 0.0.0.0/0
mark match 0x0/0x30000
55 4110 routemark all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
mark match 0x0/0x30000
Chain INPUT (policy ACCEPT 4620 packets, 1493K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 71217 packets, 90M bytes)
pkts bytes target prot opt in out source destination
71217 90M MARK all -- * * 0.0.0.0/0 0.0.0.0/0
MARK and 0xfffcffff
Chain OUTPUT (policy ACCEPT 3801 packets, 2170K bytes)
pkts bytes target prot opt in out source destination
3801 2170K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0
CONNMARK restore mask 0x30000
Chain POSTROUTING (policy ACCEPT 75021 packets, 93M bytes)
pkts bytes target prot opt in out source destination
Chain routemark (2 references)
pkts bytes target prot opt in out source destination
42 3674 MARK all -- eth0 * 0.0.0.0/0 0.0.0.0/0
MARK xset 0x10000/0x30000
55 4110 MARK all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
MARK xset 0x20000/0x30000
97 7784 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0
mark match ! 0x0/0x30000 CONNMARK save mask 0x30000
Raw Table
Chain PREROUTING (policy ACCEPT 75842 packets, 92M bytes)
pkts bytes target prot opt in out source destination
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:10080 CT helper amanda
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 CT helper ftp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1719 CT helper RAS
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:1720 CT helper Q.931
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:6667 CT helper irc
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:137 CT helper netbios-ns
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:1723 CT helper pptp
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:6566 CT helper sane
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:5060 CT helper sip
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:161 CT helper snmp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:69 CT helper tftp
Chain OUTPUT (policy ACCEPT 3801 packets, 2170K bytes)
pkts bytes target prot opt in out source destination
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:10080 CT helper amanda
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 CT helper ftp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1719 CT helper RAS
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:1720 CT helper Q.931
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:6667 CT helper irc
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:137 CT helper netbios-ns
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:1723 CT helper pptp
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:6566 CT helper sane
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:5060 CT helper sip
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:161 CT helper snmp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:69 CT helper tftp
Conntrack Table (70 out of 262144)
tcp 6 42 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=57330 dport=85
src=127.0.0.1 dst=127.0.0.1 sport=85 dport=57330 [ASSURED] mark=0 use=1
tcp 6 72 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=57364 dport=85
src=127.0.0.1 dst=127.0.0.1 sport=85 dport=57364 [ASSURED] mark=0 use=1
tcp 6 431999 ESTABLISHED src=192.168.178.48 dst=192.168.178.14 sport=35588
dport=2214 src=192.168.178.14 dst=192.168.178.48 sport=2214 dport=35588
[ASSURED] mark=131072 use=1
tcp 6 32 TIME_WAIT src=10.0.0.3 dst=10.0.0.1 sport=39456 dport=4506
src=10.0.0.1 dst=10.0.0.3 sport=4506 dport=39456 [ASSURED] mark=0 use=1
tcp 6 102 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=57376 dport=85
src=127.0.0.1 dst=127.0.0.1 sport=85 dport=57376 [ASSURED] mark=0 use=1
tcp 6 99 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55218
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55218
[ASSURED] mark=131072 use=1
udp 17 81 src=10.1.0.4 dst=78.42.43.41 sport=49328 dport=53
src=78.42.43.41 dst=217.8.50.86 sport=53 dport=49328 [ASSURED] mark=65536 use=1
tcp 6 44 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55196
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55196
[ASSURED] mark=131072 use=1
tcp 6 12 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=57328 dport=85
src=127.0.0.1 dst=127.0.0.1 sport=85 dport=57328 [ASSURED] mark=0 use=1
tcp 6 22 TIME_WAIT src=10.0.0.3 dst=10.0.0.1 sport=39454 dport=4506
src=10.0.0.1 dst=10.0.0.3 sport=4506 dport=39454 [ASSURED] mark=0 use=1
udp 17 0 src=10.1.0.1 dst=10.1.0.255 sport=123 dport=123 [UNREPLIED]
src=10.1.0.255 dst=10.1.0.1 sport=123 dport=123 mark=0 use=1
tcp 6 92 TIME_WAIT src=10.0.0.3 dst=10.0.0.1 sport=39484 dport=4506
src=10.0.0.1 dst=10.0.0.3 sport=4506 dport=39484 [ASSURED] mark=0 use=1
udp 17 119 src=10.0.0.3 dst=78.42.43.41 sport=36547 dport=53
src=78.42.43.41 dst=217.8.50.86 sport=53 dport=36547 [ASSURED] mark=65536 use=1
tcp 6 12 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=57318 dport=85
src=127.0.0.1 dst=127.0.0.1 sport=85 dport=57318 [ASSURED] mark=0 use=1
udp 17 129 src=10.0.0.3 dst=82.212.62.41 sport=51852 dport=53
src=82.212.62.41 dst=217.8.50.86 sport=53 dport=51852 [ASSURED] mark=65536 use=1
tcp 6 9 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55176
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55176
[ASSURED] mark=131072 use=1
tcp 6 12 TIME_WAIT src=10.0.0.3 dst=10.0.0.1 sport=39442 dport=4506
src=10.0.0.1 dst=10.0.0.3 sport=4506 dport=39442 [ASSURED] mark=0 use=1
tcp 6 99 SYN_SENT src=10.1.0.4 dst=129.143.116.113 sport=55096 dport=80
[UNREPLIED] src=129.143.116.113 dst=10.1.0.4 sport=80 dport=55096 mark=0 use=1
tcp 6 90 SYN_SENT src=10.0.0.3 dst=129.143.116.113 sport=48666 dport=80
[UNREPLIED] src=129.143.116.113 dst=10.0.0.3 sport=80 dport=48666 mark=0 use=2
udp 17 81 src=10.1.0.4 dst=82.212.62.41 sport=35152 dport=53
src=82.212.62.41 dst=217.8.50.86 sport=53 dport=35152 [ASSURED] mark=65536 use=1
tcp 6 99 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55214
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55214
[ASSURED] mark=131072 use=1
tcp 6 14 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55182
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55182
[ASSURED] mark=131072 use=1
tcp 6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=57378 dport=85
src=127.0.0.1 dst=127.0.0.1 sport=85 dport=57378 [ASSURED] mark=0 use=1
tcp 6 104 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55208
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55208
[ASSURED] mark=131072 use=1
tcp 6 44 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55184
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55184
[ASSURED] mark=131072 use=1
tcp 6 99 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55216
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55216
[ASSURED] mark=131072 use=1
udp 17 158 src=10.0.0.11 dst=82.212.62.41 sport=38400 dport=53
src=82.212.62.41 dst=217.8.50.86 sport=53 dport=38400 [ASSURED] mark=65536 use=1
tcp 6 17 CLOSE_WAIT src=10.0.0.3 dst=198.199.77.106 sport=50762 dport=80
src=198.199.77.106 dst=217.8.50.86 sport=80 dport=50762 [ASSURED] mark=65536
use=1
tcp 6 62 TIME_WAIT src=10.0.0.3 dst=10.0.0.1 sport=39470 dport=4506
src=10.0.0.1 dst=10.0.0.3 sport=4506 dport=39470 [ASSURED] mark=0 use=1
tcp 6 82 TIME_WAIT src=10.0.0.3 dst=10.0.0.1 sport=39482 dport=4506
src=10.0.0.1 dst=10.0.0.3 sport=4506 dport=39482 [ASSURED] mark=0 use=1
tcp 6 69 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55204
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55204
[ASSURED] mark=131072 use=1
tcp 6 39 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55190
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55190
[ASSURED] mark=131072 use=1
tcp 6 39 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55192
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55192
[ASSURED] mark=131072 use=1
udp 17 96 src=10.1.0.4 dst=78.42.43.41 sport=56271 dport=53
src=78.42.43.41 dst=217.8.50.86 sport=53 dport=56271 [ASSURED] mark=65536 use=1
tcp 6 69 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55206
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55206
[ASSURED] mark=131072 use=1
tcp 6 14 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55168
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55168
[ASSURED] mark=131072 use=1
tcp 6 112 TIME_WAIT src=10.0.0.3 dst=10.0.0.1 sport=39492 dport=4506
src=10.0.0.1 dst=10.0.0.3 sport=4506 dport=39492 [ASSURED] mark=0 use=1
tcp 6 104 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55220
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55220
[ASSURED] mark=131072 use=1
udp 17 13 src=10.0.0.11 dst=82.212.62.41 sport=41264 dport=53
src=82.212.62.41 dst=217.8.50.86 sport=53 dport=41264 [ASSURED] mark=65536 use=1
tcp 6 42 TIME_WAIT src=10.0.0.3 dst=10.0.0.1 sport=39464 dport=4506
src=10.0.0.1 dst=10.0.0.3 sport=4506 dport=39464 [ASSURED] mark=0 use=1
udp 17 3 src=10.0.0.11 dst=78.42.43.41 sport=36786 dport=53 [UNREPLIED]
src=78.42.43.41 dst=10.0.0.11 sport=53 dport=36786 mark=0 use=1
tcp 6 24 CLOSE_WAIT src=10.0.0.3 dst=134.109.228.1 sport=48862 dport=80
src=134.109.228.1 dst=217.8.50.86 sport=80 dport=48862 [ASSURED] mark=65536
use=1
udp 17 76 src=10.1.0.4 dst=78.42.43.41 sport=34874 dport=53
src=78.42.43.41 dst=217.8.50.86 sport=53 dport=34874 [ASSURED] mark=65536 use=1
tcp 6 14 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55180
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55180
[ASSURED] mark=131072 use=1
tcp 6 102 TIME_WAIT src=10.0.0.3 dst=10.0.0.1 sport=39490 dport=4506
src=10.0.0.1 dst=10.0.0.3 sport=4506 dport=39490 [ASSURED] mark=0 use=1
tcp 6 9 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55174
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55174
[ASSURED] mark=131072 use=1
tcp 6 431999 ESTABLISHED src=192.168.178.48 dst=192.168.178.14 sport=55224
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55224
[ASSURED] mark=131072 use=1
tcp 6 72 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=57352 dport=85
src=127.0.0.1 dst=127.0.0.1 sport=85 dport=57352 [ASSURED] mark=0 use=1
udp 17 29 src=10.120.192.1 dst=255.255.255.255 sport=67 dport=68
[UNREPLIED] src=255.255.255.255 dst=10.120.192.1 sport=68 dport=67 mark=65536
use=1
tcp 6 74 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55212
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55212
[ASSURED] mark=131072 use=1
tcp 6 84 SYN_SENT src=10.1.0.4 dst=87.230.23.19 sport=47408 dport=80
[UNREPLIED] src=87.230.23.19 dst=10.1.0.4 sport=80 dport=47408 mark=0 use=1
tcp 6 84 SYN_SENT src=10.1.0.4 dst=212.211.132.250 sport=55856 dport=80
[UNREPLIED] src=212.211.132.250 dst=10.1.0.4 sport=80 dport=55856 mark=0 use=1
tcp 6 102 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=57366 dport=85
src=127.0.0.1 dst=127.0.0.1 sport=85 dport=57366 [ASSURED] mark=0 use=1
tcp 6 69 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55202
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55202
[ASSURED] mark=131072 use=1
tcp 6 9 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55178
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55178
[ASSURED] mark=131072 use=1
udp 17 123 src=10.0.0.11 dst=78.42.43.41 sport=56791 dport=53
src=78.42.43.41 dst=217.8.50.86 sport=53 dport=56791 [ASSURED] mark=65536 use=1
tcp 6 74 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55194
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55194
[ASSURED] mark=131072 use=1
tcp 6 72 TIME_WAIT src=10.0.0.3 dst=10.0.0.1 sport=39480 dport=4506
src=10.0.0.1 dst=10.0.0.3 sport=4506 dport=39480 [ASSURED] mark=0 use=1
tcp 6 39 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55188
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55188
[ASSURED] mark=131072 use=2
udp 17 93 src=10.0.0.11 dst=78.42.43.41 sport=39172 dport=53
src=78.42.43.41 dst=217.8.50.86 sport=53 dport=39172 [ASSURED] mark=65536 use=1
tcp 6 2 TIME_WAIT src=10.0.0.3 dst=10.0.0.1 sport=39436 dport=4506
src=10.0.0.1 dst=10.0.0.3 sport=4506 dport=39436 [ASSURED] mark=0 use=1
tcp 6 431999 ESTABLISHED src=10.1.0.1 dst=10.1.0.4 sport=47274 dport=2204
src=10.1.0.4 dst=10.1.0.1 sport=2204 dport=47274 [ASSURED] mark=0 use=1
tcp 6 52 TIME_WAIT src=10.0.0.3 dst=10.0.0.1 sport=39466 dport=4506
src=10.0.0.1 dst=10.0.0.3 sport=4506 dport=39466 [ASSURED] mark=0 use=1
udp 17 3 src=217.8.50.86 dst=129.70.132.34 sport=33792 dport=123
src=129.70.132.34 dst=217.8.50.86 sport=123 dport=33792 mark=65536 use=1
udp 17 81 src=10.1.0.4 dst=78.42.43.41 sport=42643 dport=53
src=78.42.43.41 dst=217.8.50.86 sport=53 dport=42643 [ASSURED] mark=65536 use=1
tcp 6 74 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55210
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55210
[ASSURED] mark=131072 use=1
tcp 6 431999 ESTABLISHED src=10.0.0.1 dst=10.0.0.3 sport=45058 dport=2203
src=10.0.0.3 dst=10.0.0.1 sport=2203 dport=45058 [ASSURED] mark=0 use=1
tcp 6 44 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55198
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55198
[ASSURED] mark=131072 use=1
tcp 6 104 TIME_WAIT src=192.168.178.48 dst=192.168.178.14 sport=55222
dport=8006 src=192.168.178.14 dst=192.168.178.48 sport=8006 dport=55222
[ASSURED] mark=131072 use=1
udp 17 124 src=10.0.0.3 dst=78.42.43.41 sport=58250 dport=53
src=78.42.43.41 dst=217.8.50.86 sport=53 dport=58250 [ASSURED] mark=65536 use=1
IP Configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
group default qlen 1000
inet 217.8.50.86/26 brd 255.255.255.255 scope global eth0
valid_lft forever preferred_lft forever
5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
group default
inet 10.0.0.1/24 brd 10.0.0.255 scope global vmbr0
valid_lft forever preferred_lft forever
6: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
group default
inet 10.1.0.1/24 brd 10.0.0.255 scope global vmbr1
valid_lft forever preferred_lft forever
7: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
group default
inet 192.168.178.14/24 brd 192.168.178.255 scope global vmbr2
valid_lft forever preferred_lft forever
IP Stats
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode
DEFAULT group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
4734622 5371 0 0 0 0
TX: bytes packets errors dropped carrier collsns
4734622 5371 0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
mode DEFAULT group default qlen 1000
link/ether 74:d4:35:1a:f6:0f brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
100541734 114667 0 0 0 0
TX: bytes packets errors dropped carrier collsns
2017762 27092 0 0 0 0
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master
vmbr1 state DOWN mode DEFAULT group default qlen 1000
link/ether 00:15:17:91:9c:b8 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master
vmbr2 state UP mode DEFAULT group default qlen 1000
link/ether 00:15:17:91:9c:b9 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
3993887 15548 0 0 0 348
TX: bytes packets errors dropped carrier collsns
9051660 12035 0 0 0 0
5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
mode DEFAULT group default
link/ether fe:39:b5:b7:87:54 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
1990537 29273 0 0 0 0
TX: bytes packets errors dropped carrier collsns
94338869 51338 0 0 0 0
6: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
mode DEFAULT group default
link/ether 00:15:17:91:9c:b8 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
234100 1641 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1201121 1708 0 0 0 0
7: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
mode DEFAULT group default
link/ether 00:15:17:91:9c:b9 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
3614933 15287 0 838 0 0
TX: bytes packets errors dropped carrier collsns
8853334 10183 0 0 0 0
8: tap121i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc
pfifo_fast master vmbr2 state UNKNOWN mode DEFAULT group default qlen 500
link/ether 32:53:7d:72:f4:7b brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
56892 482 0 0 0 0
TX: bytes packets errors dropped carrier collsns
186726 1426 0 0 0 0
10: veth103i0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
master vmbr0 state UP mode DEFAULT group default qlen 1000
link/ether fe:39:b5:b7:87:54 brd ff:ff:ff:ff:ff:ff link-netnsid 0
RX: bytes packets errors dropped overrun mcast
2390882 29113 0 0 0 0
TX: bytes packets errors dropped carrier collsns
94326296 51215 0 0 0 0
12: veth104i0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
master vmbr1 state UP mode DEFAULT group default qlen 1000
link/ether fe:46:da:c2:ee:ef brd ff:ff:ff:ff:ff:ff link-netnsid 1
RX: bytes packets errors dropped overrun mcast
257074 1641 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1201769 1716 0 0 0 0
14: veth111i0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
master vmbr0 state UP mode DEFAULT group default qlen 1000
link/ether fe:a5:cd:9a:3c:85 brd ff:ff:ff:ff:ff:ff link-netnsid 2
RX: bytes packets errors dropped overrun mcast
9477 160 0 0 0 0
TX: bytes packets errors dropped carrier collsns
15551 158 0 0 0 0
Bridges
bridge name bridge id STP enabled interfaces
vmbr0 8000.fe39b5b78754 no veth103i0
veth111i0
vmbr1 8000.001517919cb8 no eth1
veth104i0
vmbr2 8000.001517919cb9 no eth2
tap121i0
Routing Rules
0: from all lookup local
999: from all lookup main
1000: from 217.8.50.86 lookup um_business
1000: from 192.168.178.14 lookup um_private
10000: from all fwmark 0x10000/0x30000 lookup um_business
10001: from all fwmark 0x20000/0x30000 lookup um_private
11000: from 10.1.0.1 lookup um_business
32765: from all lookup balance
32767: from all lookup default
Table balance:
default nexthop via 217.8.50.65 dev eth0 weight 2 nexthop via 192.168.178.1 dev
vmbr2 weight 1
Table default:
Table local:
local 217.8.50.86 dev eth0 proto kernel scope host src 217.8.50.86
local 192.168.178.14 dev vmbr2 proto kernel scope host src 192.168.178.14
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.1.0.1 dev vmbr1 proto kernel scope host src 10.1.0.1
local 10.0.0.1 dev vmbr0 proto kernel scope host src 10.0.0.1
broadcast 217.8.50.64 dev eth0 proto kernel scope link src 217.8.50.86
broadcast 217.8.50.127 dev eth0 proto kernel scope link src 217.8.50.86
broadcast 192.168.178.255 dev vmbr2 proto kernel scope link src 192.168.178.14
broadcast 192.168.178.0 dev vmbr2 proto kernel scope link src 192.168.178.14
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.1.0.255 dev vmbr1 proto kernel scope link src 10.1.0.1
broadcast 10.1.0.0 dev vmbr1 proto kernel scope link src 10.1.0.1
broadcast 10.0.0.255 dev vmbr1 proto kernel scope link src 10.1.0.1
broadcast 10.0.0.255 dev vmbr0 proto kernel scope link src 10.0.0.1
broadcast 10.0.0.0 dev vmbr0 proto kernel scope link src 10.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
217.8.50.65 dev eth0 scope link src 217.8.50.86
192.168.178.1 dev vmbr2 scope link src 192.168.178.14
217.8.50.64/26 dev eth0 proto kernel scope link src 217.8.50.86
192.168.178.0/24 dev vmbr2 proto kernel scope link src 192.168.178.14
10.1.0.0/24 dev vmbr1 proto kernel scope link src 10.1.0.1
10.0.0.0/24 dev vmbr0 proto kernel scope link src 10.0.0.1
blackhole 192.168.0.0/16
blackhole 172.16.0.0/12
blackhole 10.0.0.0/8
Table um_business:
217.8.50.65 dev eth0 scope link src 217.8.50.86
default via 217.8.50.65 dev eth0 src 217.8.50.86
Table um_private:
192.168.178.1 dev vmbr2 scope link src 192.168.178.14
default via 192.168.178.1 dev vmbr2 src 192.168.178.14
Per-IP Counters
iptaccount is not installed
NF Accounting
Events
/proc
/proc/version = Linux version 4.2.8-1-pve (root@elsa) (gcc version 4.9.2
(Debian 4.9.2-10) ) #1 SMP Sat Mar 19 10:44:29 CET 2016
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/default/log_martians = 1
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 1
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/log_martians = 1
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
/proc/sys/net/ipv4/conf/eth1/log_martians = 1
/proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth2/arp_filter = 0
/proc/sys/net/ipv4/conf/eth2/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth2/rp_filter = 0
/proc/sys/net/ipv4/conf/eth2/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 1
/proc/sys/net/ipv4/conf/tap121i0/proxy_arp = 0
/proc/sys/net/ipv4/conf/tap121i0/arp_filter = 0
/proc/sys/net/ipv4/conf/tap121i0/arp_ignore = 0
/proc/sys/net/ipv4/conf/tap121i0/rp_filter = 0
/proc/sys/net/ipv4/conf/tap121i0/log_martians = 1
/proc/sys/net/ipv4/conf/veth103i0/proxy_arp = 0
/proc/sys/net/ipv4/conf/veth103i0/arp_filter = 0
/proc/sys/net/ipv4/conf/veth103i0/arp_ignore = 0
/proc/sys/net/ipv4/conf/veth103i0/rp_filter = 0
/proc/sys/net/ipv4/conf/veth103i0/log_martians = 1
/proc/sys/net/ipv4/conf/veth104i0/proxy_arp = 0
/proc/sys/net/ipv4/conf/veth104i0/arp_filter = 0
/proc/sys/net/ipv4/conf/veth104i0/arp_ignore = 0
/proc/sys/net/ipv4/conf/veth104i0/rp_filter = 0
/proc/sys/net/ipv4/conf/veth104i0/log_martians = 1
/proc/sys/net/ipv4/conf/veth111i0/proxy_arp = 0
/proc/sys/net/ipv4/conf/veth111i0/arp_filter = 0
/proc/sys/net/ipv4/conf/veth111i0/arp_ignore = 0
/proc/sys/net/ipv4/conf/veth111i0/rp_filter = 0
/proc/sys/net/ipv4/conf/veth111i0/log_martians = 1
/proc/sys/net/ipv4/conf/vmbr0/proxy_arp = 0
/proc/sys/net/ipv4/conf/vmbr0/arp_filter = 0
/proc/sys/net/ipv4/conf/vmbr0/arp_ignore = 0
/proc/sys/net/ipv4/conf/vmbr0/rp_filter = 1
/proc/sys/net/ipv4/conf/vmbr0/log_martians = 1
/proc/sys/net/ipv4/conf/vmbr1/proxy_arp = 0
/proc/sys/net/ipv4/conf/vmbr1/arp_filter = 0
/proc/sys/net/ipv4/conf/vmbr1/arp_ignore = 0
/proc/sys/net/ipv4/conf/vmbr1/rp_filter = 1
/proc/sys/net/ipv4/conf/vmbr1/log_martians = 1
/proc/sys/net/ipv4/conf/vmbr2/proxy_arp = 0
/proc/sys/net/ipv4/conf/vmbr2/arp_filter = 0
/proc/sys/net/ipv4/conf/vmbr2/arp_ignore = 1
/proc/sys/net/ipv4/conf/vmbr2/rp_filter = 0
/proc/sys/net/ipv4/conf/vmbr2/log_martians = 1
ARP
? (10.0.0.11) auf 36:36:38:63:63:39 [ether] auf vmbr0
? (192.168.178.48) auf 58:94:6b:a4:2a:cc [ether] auf vmbr2
? (10.0.0.3) auf 32:65:65:39:30:35 [ether] auf vmbr0
? (10.1.0.4) auf 66:62:62:66:65:62 [ether] auf vmbr1
? (217.8.50.65) auf 00:01:5c:23:8e:01 [ether] auf eth0
? (192.168.178.1) auf c8:0e:14:de:97:70 [ether] auf vmbr2
Modules
ip_set 45056 2 ip_set_hash_ip,xt_set
ip_set_hash_ip 32768 0
iptable_filter 16384 2
iptable_mangle 16384 1
iptable_nat 16384 1
iptable_raw 16384 1
ip_tables 28672 4
iptable_filter,iptable_mangle,iptable_nat,iptable_raw
ipt_MASQUERADE 16384 0
ipt_REJECT 16384 4
ipt_rpfilter 16384 0
nf_conntrack 106496 32
nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_helper,nf_conntrack_proto_udplite,nf_nat,xt_connlimit,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,nf_nat_masquerade_ipv4,nf_conntrack_proto_sctp,nf_conntrack_netlink,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
nf_conntrack_amanda 16384 3 nf_nat_amanda
nf_conntrack_broadcast 16384 2 nf_conntrack_netbios_ns,nf_conntrack_snmp
nf_conntrack_ftp 20480 3 nf_nat_ftp
nf_conntrack_h323 77824 5 nf_nat_h323
nf_conntrack_ipv4 20480 63
nf_conntrack_irc 16384 3 nf_nat_irc
nf_conntrack_netbios_ns 16384 2
nf_conntrack_netlink 36864 0
nf_conntrack_pptp 20480 3 nf_nat_pptp
nf_conntrack_proto_gre 16384 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 20480 0
nf_conntrack_proto_udplite 16384 0
nf_conntrack_sane 16384 2
nf_conntrack_sip 28672 3 nf_nat_sip
nf_conntrack_snmp 16384 3 nf_nat_snmp_basic
nf_conntrack_tftp 16384 3 nf_nat_tftp
nf_defrag_ipv4 16384 2 xt_TPROXY,nf_conntrack_ipv4
nf_defrag_ipv6 36864 1 xt_TPROXY
nf_log_common 16384 1 nf_log_ipv4
nf_log_ipv4 16384 7
nf_nat 24576 11
nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,nf_nat_proto_gre,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_nat,nf_nat_masquerade_ipv4
nf_nat_amanda 16384 0
nf_nat_ftp 16384 0
nf_nat_h323 20480 0
nf_nat_ipv4 16384 1 iptable_nat
nf_nat_irc 16384 0
nf_nat_masquerade_ipv4 16384 1 ipt_MASQUERADE
nf_nat_pptp 16384 0
nf_nat_proto_gre 16384 1 nf_nat_pptp
nf_nat_sip 20480 0
nf_nat_snmp_basic 20480 0
nf_nat_tftp 16384 0
nf_reject_ipv4 16384 1 ipt_REJECT
xt_addrtype 16384 5
xt_AUDIT 16384 0
xt_CHECKSUM 16384 0
xt_CLASSIFY 16384 0
xt_comment 16384 26
xt_connlimit 16384 0
xt_connmark 16384 3
xt_conntrack 16384 37
xt_CT 16384 22
xt_dscp 16384 0
xt_DSCP 16384 0
xt_hashlimit 20480 0
xt_helper 16384 0
xt_iprange 16384 0
xt_length 16384 0
xt_limit 16384 1
xt_LOG 16384 7
xt_mark 16384 6
xt_multiport 16384 17
xt_nat 16384 4
xt_nfacct 16384 0
xt_NFLOG 16384 0
xt_NFQUEUE 16384 0
xt_owner 16384 0
xt_physdev 16384 0
xt_pkttype 16384 0
xt_policy 16384 0
xt_realm 16384 0
xt_recent 20480 1
xt_set 16384 0
xt_statistic 16384 0
xt_tcpmss 16384 0
xt_TCPMSS 16384 0
xt_tcpudp 16384 69
xt_time 16384 0
xt_TPROXY 20480 0
Shorewall has detected the following iptables/netfilter capabilities:
ACCOUNT Target (ACCOUNT_TARGET): Not available
Address Type Match (ADDRTYPE): Available
Amanda Helper: Available
Arptables JF (ARPTABLESJF): Not available
AUDIT Target (AUDIT_TARGET): Available
Basic Ematch (BASIC_EMATCH): Available
Basic Filter (BASIC_FILTER): Available
Capabilities Version (CAPVERSION): 50004
Checksum Target (CHECKSUM_TARGET): Available
CLASSIFY Target (CLASSIFY_TARGET): Available
Comments (COMMENTS): Available
Condition Match (CONDITION_MATCH): Not available
Connection Tracking Match (CONNTRACK_MATCH): Available
Connlimit Match (CONNLIMIT_MATCH): Available
Connmark Match (CONNMARK_MATCH): Available
CONNMARK Target (CONNMARK): Available
CT Target (CT_TARGET): Available
DSCP Match (DSCP_MATCH): Available
DSCP Target (DSCP_TARGET): Available
Enhanced Multi-port Match (EMULIPORT): Available
Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
Extended Connmark Match (XCONNMARK_MATCH): Available
Extended CONNMARK Target (XCONNMARK): Available
Extended MARK Target 2 (EXMARK): Available
Extended MARK Target (XMARK): Available
Extended Multi-port Match (XMULIPORT): Available
Extended REJECT (ENHANCED_REJECT): Available
FLOW Classifier (FLOW_FILTER): Available
FTP-0 Helper: Not available
FTP Helper: Available
fwmark route mask (FWMARK_RT_MASK): Available
Geo IP Match (GEOIP_MATCH): Not available
Goto Support (GOTO_TARGET): Available
H323 Helper: Available
Hashlimit Match (HASHLIMIT_MATCH): Available
Header Match (HEADER_MATCH): Not available
Helper Match (HELPER_MATCH): Available
Iface Match (IFACE_MATCH): Not available
IMQ Target (IMQ_TARGET): Not available
IPMARK Target (IPMARK_TARGET): Not available
IPP2P Match (IPP2P_MATCH): Not available
IP range Match(IPRANGE_MATCH): Available
Ipset Match Counters (IPSET_MATCH_COUNTERS): Available
Ipset Match (IPSET_MATCH): Available
Ipset Match Nomatch (IPSET_MATCH_NOMATCH): Available
ipset V5 (IPSET_V5): Available
iptables -S (IPTABLES_S): Available
iptables --wait option (WAIT_OPTION): Available
IRC-0 Helper: Not available
IRC Helper: Available
Kernel Version (KERNELVERSION): 40208
LOGMARK Target (LOGMARK_TARGET): Not available
LOG Target (LOG_TARGET): Available
Mangle FORWARD Chain (MANGLE_FORWARD): Available
Mark in the filter table (MARK_ANYWHERE): Available
MARK Target (MARK): Available
MASQUERADE Target (MASQUERADE_TGT): Available
Multi-port Match (MULTIPORT): Available
NAT (NAT_ENABLED): Available
Netbios_ns Helper: Available
New tos Match (NEW_TOS_MATCH): Available
NFAcct Match: Available
NFLOG Target (NFLOG_TARGET): Available
NFQUEUE Target (NFQUEUE_TARGET): Available
Owner Match (OWNER_MATCH): Available
Owner Name Match (OWNER_NAME_MATCH): Available
Packet length Match (LENGTH_MATCH): Available
Packet Mangling (MANGLE_ENABLED): Available
Packet Type Match (USEPKTTYPE): Available
Persistent SNAT (PERSISTENT_SNAT): Available
Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
Physdev Match (PHYSDEV_MATCH): Available
Policy Match (POLICY_MATCH): Available
PPTP Helper: Available
Rawpost Table (RAWPOST_TABLE): Not available
Raw Table (RAW_TABLE): Available
Realm Match (REALM_MATCH): Available
Recent Match "--reap" option (REAP_OPTION): Available
Recent Match (RECENT_MATCH): Available
Repeat match (KLUDGEFREE): Available
RPFilter Match (RPFILTER_MATCH): Available
SANE-0 Helper: Not available
SANE Helper: Available
SIP-0 Helper: Not available
SIP Helper: Available
SNMP Helper: Available
Statistic Match (STATISTIC_MATCH): Available
TARPIT Target (TARPIT_TARGET): Not available
TCPMSS Match (TCPMSS_MATCH): Available
TCPMSS Target (TCPMSS_TARGET): Available
TFTP-0 Helper: Not available
TFTP Helper: Available
Time Match (TIME_MATCH): Available
TPROXY Target (TPROXY_TARGET): Available
UDPLITE Port Redirection (UDPLITEREDIRECT): Not available
ULOG Target (ULOG_TARGET): Not available
Netid State Recv-Q Send-Q Local Address:Port Peer
Address:Port
udp UNCONN 0 0 *:514 *:*
users:(("rsyslogd",pid=1289,fd=6))
udp UNCONN 0 0 *:801 *:*
users:(("rpcbind",pid=1060,fd=7))
udp UNCONN 0 0 127.0.0.1:890 *:*
users:(("rpc.statd",pid=1138,fd=5))
udp UNCONN 0 0 *:33792 *:*
users:(("systemd-timesyn",pid=493,fd=13))
udp UNCONN 0 0 *:54955 *:*
users:(("rpc.statd",pid=1138,fd=8))
udp UNCONN 0 0 *:7928 *:*
users:(("dhclient",pid=553,fd=20))
udp UNCONN 0 0 *:68 *:*
users:(("dhclient",pid=553,fd=6))
udp UNCONN 0 0 *:111 *:*
users:(("rpcbind",pid=1060,fd=6))
udp UNCONN 0 0 192.168.178.14:123 *:*
users:(("ntpd",pid=1290,fd=22))
udp UNCONN 0 0 10.1.0.1:123 *:*
users:(("ntpd",pid=1290,fd=21))
udp UNCONN 0 0 10.0.0.1:123 *:*
users:(("ntpd",pid=1290,fd=20))
udp UNCONN 0 0 217.8.50.86:123 *:*
users:(("ntpd",pid=1290,fd=19))
udp UNCONN 0 0 127.0.0.1:123 *:*
users:(("ntpd",pid=1290,fd=18))
udp UNCONN 0 0 *:123 *:*
users:(("ntpd",pid=1290,fd=16))
tcp LISTEN 0 128 *:3128 *:*
users:(("spiceproxy work",pid=1971,fd=6),("spiceproxy",pid=1970,fd=6))
tcp LISTEN 0 100 10.0.0.1:4505 *:*
users:(("salt-master",pid=2017,fd=14))
tcp LISTEN 0 100 127.0.0.1:25 *:*
users:(("master",pid=1614,fd=12))
tcp LISTEN 0 100 10.0.0.1:4506 *:*
users:(("salt-master",pid=2025,fd=22))
tcp LISTEN 0 128 *:39652 *:*
users:(("rpc.statd",pid=1138,fd=9))
tcp LISTEN 0 128 *:8006 *:*
users:(("pveproxy worker",pid=28154,fd=6),("pveproxy
worker",pid=1889,fd=6),("pveproxy
worker",pid=1888,fd=6),("pveproxy",pid=1886,fd=6))
tcp LISTEN 0 128 *:2214 *:*
users:(("sshd",pid=1230,fd=3))
tcp LISTEN 0 128 *:111 *:*
users:(("rpcbind",pid=1060,fd=8))
tcp LISTEN 0 5 127.0.0.1:7634 *:*
users:(("hddtemp",pid=1382,fd=0))
tcp LISTEN 0 128 127.0.0.1:85 *:*
users:(("pvedaemon worke",pid=1840,fd=6),("pvedaemon
worke",pid=1839,fd=6),("pvedaemon
worke",pid=1838,fd=6),("pvedaemon",pid=1837,fd=6))
tcp TIME-WAIT 0 0 192.168.178.14:8006
192.168.178.48:55210
tcp ESTAB 0 0 10.1.0.1:47274 10.1.0.4:2204
users:(("ssh",pid=22230,fd=3))
tcp ESTAB 0 0 127.0.0.1:85 127.0.0.1:57378
users:(("pvedaemon worke",pid=1838,fd=9))
tcp ESTAB 0 0 192.168.178.14:8006
192.168.178.48:55224 users:(("pveproxy worker",pid=1889,fd=14))
tcp TIME-WAIT 0 0 192.168.178.14:8006
192.168.178.48:55212
tcp TIME-WAIT 0 0 192.168.178.14:8006
192.168.178.48:55194
tcp TIME-WAIT 0 0 127.0.0.1:57366 127.0.0.1:85
tcp TIME-WAIT 0 0 127.0.0.1:57352 127.0.0.1:85
tcp TIME-WAIT 0 0 192.168.178.14:8006
192.168.178.48:55208
tcp TIME-WAIT 0 0 127.0.0.1:57364 127.0.0.1:85
tcp TIME-WAIT 0 0 192.168.178.14:8006
192.168.178.48:55222
tcp ESTAB 0 0 127.0.0.1:57378 127.0.0.1:85
users:(("pveproxy worker",pid=1889,fd=17))
tcp ESTAB 0 0 192.168.178.14:2214
192.168.178.48:35588
users:(("sshd",pid=1815,fd=3),("sshd",pid=1801,fd=3))
tcp ESTAB 0 0 10.0.0.1:45058 10.0.0.3:2203
users:(("ssh",pid=22389,fd=3))
tcp TIME-WAIT 0 0 127.0.0.1:57376 127.0.0.1:85
tcp TIME-WAIT 0 0 192.168.178.14:8006
192.168.178.48:55220
Traffic Control
Device eth0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 1909136 bytes 27092 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device eth1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device eth2:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 9001372 bytes 12036 pkt (dropped 0, overlimits 0 requeues 1)
backlog 0b 0p requeues 1
Device tap121i0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 186726 bytes 1426 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device veth103i0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 95514362 bytes 69216 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device veth104i0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 1217345 bytes 1952 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device veth111i0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 15551 bytes 158 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
TC Filters
Device eth0:
Device eth1:
Device eth2:
Device tap121i0:
Device veth103i0:
Device veth104i0:
Device veth111i0:
------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785471&iu=/4140
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
