> I have a remote location and access via VPN without problems;
> I can even connect to a local machine using DNAT, to reach it,
> but I want to connect to the router to access it, and that doesn't work.
>
> rules
> ?SECTION ALL
> ?SECTION ESTABLISHED
> ?SECTION RELATED
> ?SECTION INVALID
> ?SECTION UNTRACKED
> ?SECTION NEW
>
> Invalid(DROP) net all tcp
> DNS(ACCEPT) $FW net
> SSH(ACCEPT) loc $FW
> SSH(ACCEPT) vpn $FW
>
> Ping(ACCEPT) loc $FW
>
>
> Ping(DROP) net $FW
>
> ACCEPT $FW loc icmp
> ACCEPT $FW net icmp
> ACCEPT vpn all all
> DNS(ACCEPT) loc $FW
> SSH(ACCEPT) net $FW TCP
>
> DNAT vpn loc:10.1.3.2 tcp 6000 # this works
> DNAT vpn net:192.168.1.1 tcp 80 - &tun0 # this does not work
> (end of rules)
> From a remote location I get this:
> nmap 10.0.8.4 # (VPN address)
>
> Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 10:18 CEST
> Nmap scan report for 10.0.8.4
> Host is up (0.17s latency).
> Not shown: 996 closed ports
> PORT STATE SERVICE
> 22/tcp open ssh
> 53/tcp open domain
> 80/tcp filtered http
> 6000/tcp open X11
>
> Nmap done: 1 IP address (1 host up) scanned in 13.33 seconds
>
>
> This is my Shorewall dump:
>
>
> Shorewall 5.0.4 Dump at figueres - Thu Apr 21 08:38:17 UTC 2016
>
> Shorewall is running
> State:Started (Thu Apr 21 08:16:32 UTC 2016) from /etc/shorewall/ (/var/lib/shorewall/firewall compiled by Shorewall version 5.0.4)
>
> Counters reset Thu Apr 21 08:16:32 UTC 2016
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 35155 45M net-fw all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
> 0 0 ~comb0 all -- eth0 * 0.0.0.0/0 0.0.0.0/0
> 4422 265K ~comb0 all -- tun0 * 0.0.0.0/0 0.0.0.0/0
> 1654 148K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
> 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:INPUT:REJECT:"
> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 23 1316 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
> 0 0 net_frwd all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
> 4 176 loc_frwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
> 25 1380 vpn_frwd all -- tun0 * 0.0.0.0/0 0.0.0.0/0
> 0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:"
> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
>
> Chain OUTPUT (policy ACCEPT 13731 packets, 1423K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain Broadcast (2 references)
> pkts bytes target prot opt in out source
destination
> 4 974 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
> 0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
> 0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
>
> Chain Drop (2 references)
> pkts bytes target prot opt in out source
destination
> 4 974 all -- * * 0.0.0.0/0
0.0.0.0/0
> 4 974 Broadcast all -- * * 0.0.0.0/0
0.0.0.0/0
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 11 /* Needed ICMP types */
> 0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID
> 0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,445 /* SMB */
> 0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139 /* SMB */
> 0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
> 0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,139,445 /* SMB */
> 0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1900 /* UPnP */
> 0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:!0x17/0x02
> 0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:53 /* Late DNS Replies */
>
> Chain Reject (2 references)
> pkts bytes target prot opt in out source
destination
> 0 0 all -- * * 0.0.0.0/0
0.0.0.0/0
> 0 0 Broadcast all -- * * 0.0.0.0/0
0.0.0.0/0
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 11 /* Needed ICMP types */
> 0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID
> 0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,445 /* SMB */
> 0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139 /* SMB */
> 0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
> 0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,139,445 /* SMB */
> 0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1900 /* UPnP */
> 0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:!0x17/0x02
> 0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:53 /* Late DNS Replies */
>
> Chain dynamic (5 references)
> pkts bytes target prot opt in out source
destination
>
> Chain loc_frwd (1 references)
> pkts bytes target prot opt in out source
destination
> 0 0 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
> 0 0 smurfs all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
> 4 176 tcpflags tcp -- * * 0.0.0.0/0
0.0.0.0/0
> 0 0 ACCEPT all -- * wlan0 0.0.0.0/0
0.0.0.0/0
> 4 176 ACCEPT all -- * tun0 0.0.0.0/0
0.0.0.0/0
>
> Chain logdrop (0 references)
> pkts bytes target prot opt in out source
destination
> 0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
>
> Chain logflags (7 references)
> pkts bytes target prot opt in out source
destination
> 0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
> 0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
>
> Chain logreject (0 references)
> pkts bytes target prot opt in out source
destination
> 0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0
>
> Chain net-fw (1 references)
> pkts bytes target prot opt in out source
destination
> 16 1454 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
> 16 1454 smurfs all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
> 0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
> 30582 45M tcpflags tcp -- * * 0.0.0.0/0
0.0.0.0/0
> 35139 45M ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate RELATED,ESTABLISHED
> 12 480 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID
> 0 0 DROP icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 8 /* Ping */
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22 /* SSH */
> 4 974 Drop all -- * * 0.0.0.0/0
0.0.0.0/0
> 0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:net-fw:DROP:"
> 0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
>
> Chain net-loc (1 references)
> pkts bytes target prot opt in out source
destination
> 0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate RELATED,ESTABLISHED
> 0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID
> 0 0 Drop all -- * * 0.0.0.0/0
0.0.0.0/0
> 0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:net-loc:DROP:"
> 0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
>
> Chain net-vpn (1 references)
> pkts bytes target prot opt in out source
destination
> 0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate RELATED,ESTABLISHED
> 0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID
> 0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
>
> Chain net_frwd (1 references)
> pkts bytes target prot opt in out source
destination
> 0 0 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
> 0 0 smurfs all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
> 0 0 tcpflags tcp -- * * 0.0.0.0/0
0.0.0.0/0
> 0 0 net-loc all -- * eth0 0.0.0.0/0
0.0.0.0/0
> 0 0 net-vpn all -- * tun0 0.0.0.0/0
0.0.0.0/0
>
> Chain reject (7 references)
> pkts bytes target prot opt in out source
destination
> 0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ADDRTYPE match src-type BROADCAST
> 0 0 DROP all -- * * 224.0.0.0/4
0.0.0.0/0
> 0 0 DROP 2 -- * * 0.0.0.0/0
0.0.0.0/0
> 0 0 REJECT tcp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with tcp-reset
> 0 0 REJECT udp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
> 0 0 REJECT icmp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-unreachable
> 0 0 REJECT all -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-prohibited
>
> Chain sha-lh-5228655fddc23881908d (0 references)
> pkts bytes target prot opt in out source
destination
>
> Chain sha-rh-1b095798417d2c7f6fc5 (0 references)
> pkts bytes target prot opt in out source
destination
>
> Chain shorewall (0 references)
> pkts bytes target prot opt in out source
destination
> 0 0 all -- * * 0.0.0.0/0
0.0.0.0/0 recent: SET name: %CURRENTTIME side: source mask:
255.255.255.255
>
> Chain smurflog (2 references)
> pkts bytes target prot opt in out source
destination
> 0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:smurfs:DROP:"
> 0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0
>
> Chain smurfs (5 references)
> pkts bytes target prot opt in out source
destination
> 0 0 RETURN all -- * * 0.0.0.0
0.0.0.0/0
> 0 0 smurflog all -- * * 0.0.0.0/0
0.0.0.0/0 [goto] ADDRTYPE match src-type BROADCAST
> 0 0 smurflog all -- * * 224.0.0.0/4
0.0.0.0/0 [goto]
>
> Chain tcpflags (5 references)
> pkts bytes target prot opt in out source
destination
> 0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 [goto] tcp flags:0x3F/0x29
> 0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 [goto] tcp flags:0x3F/0x00
> 0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 [goto] tcp flags:0x06/0x06
> 0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 [goto] tcp flags:0x05/0x05
> 0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 [goto] tcp flags:0x03/0x03
> 0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 [goto] tcp flags:0x19/0x09
> 0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 [goto] tcp spt:0 flags:0x17/0x02
>
> Chain vpn_frwd (1 references)
> pkts bytes target prot opt in out source destination
> 19 1140 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
> 19 1140 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
> 25 1380 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
> 15 900 ACCEPT all -- * wlan0 0.0.0.0/0 0.0.0.0/0
> 10 480 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
>
> Chain ~comb0 (2 references)
> pkts bytes target prot opt in out source
destination
> 2198 132K dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
> 2198 132K smurfs all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
> 0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
> 4422 265K tcpflags tcp -- * * 0.0.0.0/0
0.0.0.0/0
> 4422 265K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
>
> Log (/var/log/shorewall)
>
>
> NAT Table
>
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 2214 133K vpn_dnat all -- tun0 * 0.0.0.0/0 0.0.0.0/0
>
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 60 packets, 3853 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain POSTROUTING (policy ACCEPT 60 packets, 3853 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 MASQUERADE all -- * wlan0 10.1.3.0/24 0.0.0.0/0
>
> Chain vpn_dnat (1 references)
> pkts bytes target prot opt in out source destination
> 4 240 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6000 to:10.1.3.2
> 12 720 DNAT tcp -- * * 0.0.0.0/0 10.0.8.4 tcp dpt:80 to:192.168.1.1
>
> Mangle Table
>
> Chain PREROUTING (policy ACCEPT 17398 packets, 21M bytes)
> pkts bytes target prot opt in out source
destination
>
> Chain INPUT (policy ACCEPT 17398 packets, 21M bytes)
> pkts bytes target prot opt in out source
destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
destination
> 29 1556 MARK all -- * * 0.0.0.0/0
0.0.0.0/0 MARK and 0xffffff00
>
> Chain OUTPUT (policy ACCEPT 13787 packets, 1455K bytes)
> pkts bytes target prot opt in out source
destination
>
> Chain POSTROUTING (policy ACCEPT 13787 packets, 1455K bytes)
> pkts bytes target prot opt in out source
destination
>
> Raw Table
>
> Chain PREROUTING (policy ACCEPT 17380 packets, 21M bytes)
> pkts bytes target prot opt in out source
destination
> 0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:10080 CT helper amanda
> 2 120 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21 CT helper ftp
> 0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1719 CT helper RAS
> 2 120 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1720 CT helper Q.931
> 2 120 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:6667 CT helper irc
> 0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:137 CT helper netbios-ns
> 2 120 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1723 CT helper pptp
> 2 120 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:6566 CT helper sane
> 0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:5060 CT helper sip
> 0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:161 CT helper snmp
> 0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:69 CT helper tftp
>
> Chain OUTPUT (policy ACCEPT 13775 packets, 1451K bytes)
> pkts bytes target prot opt in out source
destination
> 0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:10080 CT helper amanda
> 0 0 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21 CT helper ftp
> 0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1719 CT helper RAS
> 0 0 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1720 CT helper Q.931
> 0 0 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:6667 CT helper irc
> 0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:137 CT helper netbios-ns
> 0 0 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1723 CT helper pptp
> 0 0 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:6566 CT helper sane
> 0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:5060 CT helper sip
> 0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:161 CT helper snmp
> 0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:69 CT helper tftp
>
> Conntrack Table (42 out of 59048)
>
> udp 17 34 src=192.168.1.128 dst=8.8.4.4 sport=51096 dport=53
src=8.8.4.4 dst=192.168.1.128 sport=53 dport=51096 [ASSURED] mark=0 use=2
> tcp 6 82115 ESTABLISHED src=10.0.8.5 dst=10.0.8.2 sport=53600
dport=22 src=10.0.8.2 dst=10.0.8.5 sport=22 dport=53600 [ASSURED] mark=0
use=2
> udp 17 35 src=192.168.1.128 dst=8.8.4.4 sport=46085 dport=53
src=8.8.4.4 dst=192.168.1.128 sport=53 dport=46085 [ASSURED] mark=0 use=2
> udp 17 34 src=192.168.1.128 dst=8.8.8.8 sport=52008 dport=53
src=8.8.8.8 dst=192.168.1.128 sport=53 dport=52008 [ASSURED] mark=0 use=2
> tcp 6 96 TIME_WAIT src=192.168.1.128 dst=107.6.170.212 sport=46058
dport=80 src=107.6.170.212 dst=192.168.1.128 sport=80 dport=46058 [ASSURED]
mark=0 use=2
> tcp 6 431976 ESTABLISHED src=10.0.8.2 dst=10.0.8.4 sport=50492
dport=22 src=10.0.8.4 dst=10.0.8.2 sport=22 dport=50492 [ASSURED] mark=0
use=2
> udp 17 35 src=192.168.1.128 dst=8.8.8.8 sport=50537 dport=53
src=8.8.8.8 dst=192.168.1.128 sport=53 dport=50537 [ASSURED] mark=0 use=2
> udp 17 34 src=192.168.1.128 dst=8.8.8.8 sport=57981 dport=53
src=8.8.8.8 dst=192.168.1.128 sport=53 dport=57981 [ASSURED] mark=0 use=2
> udp 17 56 src=192.168.1.128 dst=8.8.8.8 sport=39412 dport=53
src=8.8.8.8 dst=192.168.1.128 sport=53 dport=39412 [ASSURED] mark=0 use=2
> udp 17 34 src=192.168.1.128 dst=8.8.4.4 sport=57759 dport=53
src=8.8.4.4 dst=192.168.1.128 sport=53 dport=57759 [ASSURED] mark=0 use=2
> udp 17 156 src=192.168.1.128 dst=8.8.8.8 sport=45573 dport=53
src=8.8.8.8 dst=192.168.1.128 sport=53 dport=45573 [ASSURED] mark=0 use=2
> tcp 6 299 ESTABLISHED src=10.0.8.2 dst=10.0.8.4 sport=42786 dport=22
src=10.0.8.4 dst=10.0.8.2 sport=22 dport=42786 [ASSURED] mark=0 use=2
> udp 17 34 src=192.168.1.128 dst=8.8.8.8 sport=50023 dport=53
src=8.8.8.8 dst=192.168.1.128 sport=53 dport=50023 [ASSURED] mark=0 use=2
> udp 17 179 src=192.168.1.128 dst=83.58.186.174 sport=35976
dport=1194 src=83.58.186.174 dst=192.168.1.128 sport=1194 dport=35976
[ASSURED] mark=0 use=2
> udp 17 34 src=192.168.1.128 dst=8.8.4.4 sport=58363 dport=53
src=8.8.4.4 dst=192.168.1.128 sport=53 dport=58363 [ASSURED] mark=0 use=2
> udp 17 47 src=192.168.1.128 dst=8.8.8.8 sport=49717 dport=53
src=8.8.8.8 dst=192.168.1.128 sport=53 dport=49717 [ASSURED] mark=0 use=2
> udp 17 60 src=192.168.1.128 dst=8.8.8.8 sport=40745 dport=53
src=8.8.8.8 dst=192.168.1.128 sport=53 dport=40745 [ASSURED] mark=0 use=2
> udp 17 35 src=192.168.1.128 dst=8.8.8.8 sport=56320 dport=53
src=8.8.8.8 dst=192.168.1.128 sport=53 dport=56320 [ASSURED] mark=0 use=2
> udp 17 34 src=192.168.1.128 dst=8.8.8.8 sport=57200 dport=53
src=8.8.8.8 dst=192.168.1.128 sport=53 dport=57200 [ASSURED] mark=0 use=2
> udp 17 34 src=192.168.1.128 dst=8.8.8.8 sport=38250 dport=53
src=8.8.8.8 dst=192.168.1.128 sport=53 dport=38250 [ASSURED] mark=0 use=2
>
> IP Configuration
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
> inet 10.1.3.1/24 brd 10.1.3.255 scope global eth0
> valid_lft forever preferred_lft forever
> 3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
> inet 192.168.1.128/24 brd 192.168.1.255 scope global wlan0
> valid_lft forever preferred_lft forever
> 14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
> inet 10.0.8.4/24 brd 10.0.8.255 scope global tun0
> valid_lft forever preferred_lft forever
>
> IP Stats
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode
DEFAULT group default
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> RX: bytes packets errors dropped overrun mcast
> 2088685 23936 0 0 0 0
> TX: bytes packets errors dropped carrier collsns
> 2088685 23936 0 0 0 0
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state
UP mode DEFAULT group default qlen 1000
> link/ether b8:27:eb:85:6d:c7 brd ff:ff:ff:ff:ff:ff
> RX: bytes packets errors dropped overrun mcast
> 1347876 17666 0 17533 0 0
> TX: bytes packets errors dropped carrier collsns
> 16669 238 0 0 0 0
> 3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
mode DORMANT group default qlen 1000
> link/ether 40:a5:ef:03:0c:09 brd ff:ff:ff:ff:ff:ff
> RX: bytes packets errors dropped overrun mcast
> 500782585 632015 0 1728480 0 0
> TX: bytes packets errors dropped carrier collsns
> 63799000 475756 0 1 0 0
> 14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc
fq_codel state UNKNOWN mode DEFAULT group default qlen 100
> link/none
> RX: bytes packets errors dropped overrun mcast
> 2373469 37288 0 0 0 0
> TX: bytes packets errors dropped carrier collsns
> 3120873 33949 0 180 0 0
>
> Routing Rules
>
> 0: from all lookup local
> 32766: from all lookup main
> 32767: from all lookup default
>
> Table default:
>
>
> Table local:
>
> local 192.168.1.128 dev wlan0 proto kernel scope host src 192.168.1.128
> local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
> local 10.1.3.1 dev eth0 proto kernel scope host src 10.1.3.1
> local 10.0.8.4 dev tun0 proto kernel scope host src 10.0.8.4
> broadcast 192.168.1.255 dev wlan0 proto kernel scope link src
192.168.1.128
> broadcast 192.168.1.0 dev wlan0 proto kernel scope link src 192.168.1.128
> broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
> broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
> broadcast 10.1.3.255 dev eth0 proto kernel scope link src 10.1.3.1
> broadcast 10.1.3.0 dev eth0 proto kernel scope link src 10.1.3.1
> broadcast 10.0.8.255 dev tun0 proto kernel scope link src 10.0.8.4
> broadcast 10.0.8.0 dev tun0 proto kernel scope link src 10.0.8.4
> local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
>
> Table main:
>
> 192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.128 metric 303
> 10.1.3.0/24 dev eth0 proto kernel scope link src 10.1.3.1
> 10.1.1.0/24 via 10.0.8.1 dev tun0
> 10.0.8.0/24 dev tun0 proto kernel scope link src 10.0.8.4
> default via 192.168.1.1 dev wlan0 src 192.168.1.128 metric 303
>
> Per-IP Counters
>
> iptaccount is not installed
>
> NF Accounting
>
> No NF Accounting defined (nfacct not found)
>
> Events
>
>
> /proc
>
> /proc/version = Linux version 4.1.19-5-ARCH (builduser@leming) (gcc
version 5.3.0 (GCC) ) #1 SMP Tue Mar 15 19:59:28 MDT 2016
> /proc/sys/net/ipv4/ip_forward = 1
> /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
> /proc/sys/net/ipv4/conf/all/proxy_arp = 0
> /proc/sys/net/ipv4/conf/all/arp_filter = 0
> /proc/sys/net/ipv4/conf/all/arp_ignore = 0
> /proc/sys/net/ipv4/conf/all/rp_filter = 0
> /proc/sys/net/ipv4/conf/all/log_martians = 0
> /proc/sys/net/ipv4/conf/default/proxy_arp = 0
> /proc/sys/net/ipv4/conf/default/arp_filter = 0
> /proc/sys/net/ipv4/conf/default/arp_ignore = 0
> /proc/sys/net/ipv4/conf/default/rp_filter = 0
> /proc/sys/net/ipv4/conf/default/log_martians = 1
> /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
> /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
> /proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
> /proc/sys/net/ipv4/conf/eth0/rp_filter = 1
> /proc/sys/net/ipv4/conf/eth0/log_martians = 1
> /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
> /proc/sys/net/ipv4/conf/lo/arp_filter = 0
> /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
> /proc/sys/net/ipv4/conf/lo/rp_filter = 0
> /proc/sys/net/ipv4/conf/lo/log_martians = 1
> /proc/sys/net/ipv4/conf/tun0/proxy_arp = 0
> /proc/sys/net/ipv4/conf/tun0/arp_filter = 0
> /proc/sys/net/ipv4/conf/tun0/arp_ignore = 0
> /proc/sys/net/ipv4/conf/tun0/rp_filter = 1
> /proc/sys/net/ipv4/conf/tun0/log_martians = 1
> /proc/sys/net/ipv4/conf/wlan0/proxy_arp = 0
> /proc/sys/net/ipv4/conf/wlan0/arp_filter = 0
> /proc/sys/net/ipv4/conf/wlan0/arp_ignore = 0
> /proc/sys/net/ipv4/conf/wlan0/rp_filter = 1
> /proc/sys/net/ipv4/conf/wlan0/log_martians = 1
>
> ARP
>
> ? (192.168.1.131) at cc:3a:61:69:75:4b [ether] on wlan0
> ? (192.168.1.1) at d8:b6:b7:02:90:aa [ether] on wlan0
> ? (10.1.3.2) at 00:50:c2:09:2f:19 [ether] on eth0
>
> Modules
>
> ip_tables 12167 4
iptable_filter,iptable_mangle,iptable_nat,iptable_raw
> ipt_MASQUERADE 1047 1
> ipt_REJECT 1395 4
> ipt_rpfilter 1776 0
> iptable_filter 1541 1
> iptable_mangle 1548 1
> iptable_nat 1632 1
> iptable_raw 1339 1
> nf_conntrack 99551 21
xt_CT,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_helper,nf_nat,xt_connlimit,nf_nat_ipv4,xt_conntrack,nf_conntrack_amanda,nf_nat_masquerade_ipv4,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
> nf_conntrack_amanda 2736 2
> nf_conntrack_broadcast 1243 2
nf_conntrack_netbios_ns,nf_conntrack_snmp
> nf_conntrack_ftp 6757 2
> nf_conntrack_h323 45920 4
> nf_conntrack_ipv4 13517 41
> nf_conntrack_irc 4273 2
> nf_conntrack_netbios_ns 1206 2
> nf_conntrack_pptp 5153 2
> nf_conntrack_proto_gre 4393 1 nf_conntrack_pptp
> nf_conntrack_sane 3866 2
> nf_conntrack_sip 21331 2
> nf_conntrack_snmp 1588 2
> nf_conntrack_tftp 3732 2
> nf_defrag_ipv4 1597 2 xt_TPROXY,nf_conntrack_ipv4
> nf_defrag_ipv6 14975 1 xt_TPROXY
> nf_log_common 4109 1 nf_log_ipv4
> nf_log_ipv4 4566 6
> nf_nat 15211 3 nf_nat_ipv4,xt_nat,nf_nat_masquerade_ipv4
> nf_nat_ipv4 5473 1 iptable_nat
> nf_nat_masquerade_ipv4 2733 1 ipt_MASQUERADE
> nf_reject_ipv4 3031 1 ipt_REJECT
> xt_CHECKSUM 1177 0
> xt_CLASSIFY 954 0
> xt_CT 4047 22
> xt_DSCP 1872 0
> xt_LOG 1240 6
> xt_NFLOG 1052 0
> xt_NFQUEUE 2484 0
> xt_TCPMSS 3106 1
> xt_TPROXY 4709 0
> xt_addrtype 2691 5
> xt_comment 863 18
> xt_connlimit 5311 0
> xt_connmark 1670 0
> xt_conntrack 2947 18
> xt_dscp 1536 0
> xt_hashlimit 8186 0
> xt_helper 1270 0
> xt_iprange 1496 0
> xt_length 1119 0
> xt_mark 1082 1
> xt_multiport 1676 4
> xt_nat 1636 2
> xt_owner 1285 0
> xt_physdev 1752 0
> xt_pkttype 1003 0
> xt_policy 2540 0
> xt_realm 905 0
> xt_recent 8646 1
> xt_statistic 1274 0
> xt_tcpmss 1328 0
> xt_tcpudp 2130 45
> xt_time 2277 0
>
> Shorewall has detected the following iptables/netfilter capabilities:
> ACCOUNT Target (ACCOUNT_TARGET): Not available
> AUDIT Target (AUDIT_TARGET): Not available
> Address Type Match (ADDRTYPE): Available
> Amanda Helper: Available
> Arptables JF (ARPTABLESJF): Not available
> Basic Ematch (BASIC_EMATCH): Available
> Basic Filter (BASIC_FILTER): Available
> CLASSIFY Target (CLASSIFY_TARGET): Available
> CONNMARK Target (CONNMARK): Available
> CT Target (CT_TARGET): Available
> Capabilities Version (CAPVERSION): 50004
> Checksum Target (CHECKSUM_TARGET): Available
> Comments (COMMENTS): Available
> Condition Match (CONDITION_MATCH): Not available
> Connection Tracking Match (CONNTRACK_MATCH): Available
> Connlimit Match (CONNLIMIT_MATCH): Available
> Connmark Match (CONNMARK_MATCH): Available
> DSCP Match (DSCP_MATCH): Available
> DSCP Target (DSCP_TARGET): Available
> Enhanced Multi-port Match (EMULIPORT): Available
> Extended CONNMARK Target (XCONNMARK): Available
> Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH):
Available
> Extended Connmark Match (XCONNMARK_MATCH): Available
> Extended MARK Target (XMARK): Available
> Extended MARK Target 2 (EXMARK): Available
> Extended Multi-port Match (XMULIPORT): Available
> Extended REJECT (ENHANCED_REJECT): Available
> FLOW Classifier (FLOW_FILTER): Available
> FTP Helper: Available
> FTP-0 Helper: Not available
> Geo IP Match (GEOIP_MATCH): Not available
> Goto Support (GOTO_TARGET): Available
> H323 Helper: Available
> Hashlimit Match (HASHLIMIT_MATCH): Available
> Header Match (HEADER_MATCH): Not available
> Helper Match (HELPER_MATCH): Available
> IMQ Target (IMQ_TARGET): Not available
> IP range Match(IPRANGE_MATCH): Available
> IPMARK Target (IPMARK_TARGET): Not available
> IPP2P Match (IPP2P_MATCH): Not available
> IRC Helper: Available
> IRC-0 Helper: Not available
> Iface Match (IFACE_MATCH): Not available
> Kernel Version (KERNELVERSION): 40119
> LOG Target (LOG_TARGET): Available
> LOGMARK Target (LOGMARK_TARGET): Not available
> MARK Target (MARK): Available
> MASQUERADE Target (MASQUERADE_TGT): Available
> Mangle FORWARD Chain (MANGLE_FORWARD): Available
> Mark in the filter table (MARK_ANYWHERE): Available
> Multi-port Match (MULTIPORT): Available
> NAT (NAT_ENABLED): Available
> NFAcct Match: Not available
> NFLOG Target (NFLOG_TARGET): Available
> NFQUEUE Target (NFQUEUE_TARGET): Available
> Netbios_ns Helper: Available
> New tos Match (NEW_TOS_MATCH): Available
> Owner Match (OWNER_MATCH): Available
> Owner Name Match (OWNER_NAME_MATCH): Available
> PPTP Helper: Available
> Packet Mangling (MANGLE_ENABLED): Available
> Packet Type Match (USEPKTTYPE): Available
> Packet length Match (LENGTH_MATCH): Available
> Persistent SNAT (PERSISTENT_SNAT): Available
> Physdev Match (PHYSDEV_MATCH): Available
> Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
> Policy Match (POLICY_MATCH): Available
> RPFilter Match (RPFILTER_MATCH): Available
> Raw Table (RAW_TABLE): Available
> Rawpost Table (RAWPOST_TABLE): Not available
> Realm Match (REALM_MATCH): Available
> Recent Match "--reap" option (REAP_OPTION): Available
> Recent Match (RECENT_MATCH): Available
> Repeat match (KLUDGEFREE): Available
> SANE Helper: Available
> SANE-0 Helper: Not available
> SIP Helper: Available
> SIP-0 Helper: Not available
> SNMP Helper: Available
> Statistic Match (STATISTIC_MATCH): Available
> TARPIT Target (TARPIT_TARGET): Not available
> TCPMSS Match (TCPMSS_MATCH): Available
> TCPMSS Target (TCPMSS_TARGET): Available
> TFTP Helper: Available
> TFTP-0 Helper: Not available
> TPROXY Target (TPROXY_TARGET): Available
> Time Match (TIME_MATCH): Available
> UDPLITE Port Redirection (UDPLITEREDIRECT): Not available
> ULOG Target (ULOG_TARGET): Not available
> fwmark route mask (FWMARK_RT_MASK): Available
> ipset V5 (IPSET_V5): Not available
> iptables --wait option (WAIT_OPTION): Available
> iptables -S (IPTABLES_S): Available
>
> Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
> tcp LISTEN 0 128 *:5355 *:* users:(("systemd-resolve",pid=320,fd=15))
> tcp LISTEN 0 5 *:53 *:* users:(("dnsmasq",pid=326,fd=7))
> tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=321,fd=3))
> tcp ESTAB 0 5748 10.0.8.4:22 10.0.8.2:42786 users:(("sshd",pid=9688,fd=3))
> tcp TIME-WAIT 0 0 192.168.1.128:46058 107.6.170.212:80
> tcp ESTAB 0 0 10.0.8.4:22 10.0.8.2:50492 users:(("sshd",pid=10821,fd=3))
>
> Traffic Control
>
> Device eth0:
> qdisc fq_codel 0: root refcnt 2 limit 10240p flows 1024 quantum 1526
target 5.0ms interval 100.0ms ecn
> Sent 14693 bytes 238 pkt (dropped 0, overlimits 0 requeues 0)
> backlog 0b 0p requeues 0
> maxpacket 0 drop_overlimit 0 new_flow_count 0 ecn_mark 0
> new_flows_len 0 old_flows_len 0
>
>
> Device wlan0:
> qdisc mq 0: root
> Sent 50503698 bytes 475803 pkt (dropped 0, overlimits 0 requeues 0)
> backlog 0b 0p requeues 0
> qdisc fq_codel 0: parent :1 limit 10240p flows 1024 quantum 1514 target
5.0ms interval 100.0ms ecn
> Sent 23934 bytes 176 pkt (dropped 0, overlimits 0 requeues 0)
> backlog 0b 0p requeues 0
> maxpacket 0 drop_overlimit 0 new_flow_count 0 ecn_mark 0
> new_flows_len 0 old_flows_len 0
> qdisc fq_codel 0: parent :2 limit 10240p flows 1024 quantum 1514 target
5.0ms interval 100.0ms ecn
> Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> backlog 0b 0p requeues 0
> maxpacket 0 drop_overlimit 0 new_flow_count 0 ecn_mark 0
> new_flows_len 0 old_flows_len 0
> qdisc fq_codel 0: parent :3 limit 10240p flows 1024 quantum 1514 target
5.0ms interval 100.0ms ecn
> Sent 50479764 bytes 475627 pkt (dropped 0, overlimits 0 requeues 0)
> backlog 0b 0p requeues 0
> maxpacket 319 drop_overlimit 0 new_flow_count 7 ecn_mark 0
> new_flows_len 1 old_flows_len 0
> qdisc fq_codel 0: parent :4 limit 10240p flows 1024 quantum 1514 target
5.0ms interval 100.0ms ecn
> Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> backlog 0b 0p requeues 0
> maxpacket 0 drop_overlimit 0 new_flow_count 0 ecn_mark 0
> new_flows_len 0 old_flows_len 0
>
> class mq :1 root
> Sent 23934 bytes 176 pkt (dropped 0, overlimits 0 requeues 0)
> backlog 0b 0p requeues 0
> class mq :2 root
> Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> backlog 0b 0p requeues 0
> class mq :3 root
> Sent 50479764 bytes 475627 pkt (dropped 0, overlimits 0 requeues 0)
> backlog 0b 0p requeues 0
> class mq :4 root
> Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
> backlog 0b 0p requeues 0
> class fq_codel :3cc parent none
> (dropped 0, overlimits 0 requeues 0)
> backlog 0b 0p requeues 0
> deficit 1387 count 0 lastcount 0 ldelay 5us
>
> Device tun0:
> qdisc fq_codel 0: root refcnt 2 limit 10240p flows 1024 quantum 1500
target 5.0ms interval 100.0ms ecn
> Sent 3164781 bytes 34175 pkt (dropped 0, overlimits 0 requeues 0)
> backlog 0b 0p requeues 0
> maxpacket 0 drop_overlimit 0 new_flow_count 0 ecn_mark 0
> new_flows_len 0 old_flows_len 0
>
>
>
> TC Filters
>
> Device eth0:
>
> Device wlan0:
>
> Device tun0:
>
>
> --
> Eduard Vidal i Tulsà
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
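As an added worked example (not part of the original post, and not Shorewall's own code), the script below reads a constructed excerpt of the dump quoted above, with the mail-wrapped lines re-joined, and follows one NEW TCP packet the way netfilter does: nat PREROUTING, the routing decision, filter FORWARD, nat POSTROUTING. Run for a VPN client 10.0.8.2 sending to 10.0.8.4:80 it reports that the second `vpn_dnat` rule rewrites the destination to 192.168.1.1 (the rule whose counter stands at 12 packets), that `vpn_frwd` accepts the packet out on wlan0, and that nothing in POSTROUTING rewrites the 10.0.8.2 source, because the only MASQUERADE rule covers 10.1.3.0/24 out wlan0. The port-6000 flow that the poster says works differs only in that it leaves on eth0, where the firewall itself is the gateway. The tracer models just the matches present in the excerpt (interface, protocol, address, single dport, ctstate), treats chains it was not given as empty, and takes the packet addresses and the routing table from the dump.

```python
import ipaddress
import re

# Constructed excerpt of the posted dump: the chains a tun0 -> wlan0 flow touches,
# mail-wrapped lines re-joined, column header rows omitted. Chains not quoted here
# (dynamic, smurfs, tcpflags, net_frwd, Reject) are treated as empty by the tracer.
FILTER_DUMP = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 23 1316 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 0 0 net_frwd all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
 25 1380 vpn_frwd all -- tun0 * 0.0.0.0/0 0.0.0.0/0

Chain vpn_frwd (1 references)
 19 1140 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
 15 900 ACCEPT all -- * wlan0 0.0.0.0/0 0.0.0.0/0
 10 480 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
"""
NAT_DUMP = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 2214 133K vpn_dnat all -- tun0 * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 60 packets, 3853 bytes)
 0 0 MASQUERADE all -- * wlan0 10.1.3.0/24 0.0.0.0/0

Chain vpn_dnat (1 references)
 4 240 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6000 to:10.1.3.2
 12 720 DNAT tcp -- * * 0.0.0.0/0 10.0.8.4 tcp dpt:80 to:192.168.1.1
"""
ROUTES = [("192.168.1.0/24", "wlan0"), ("10.1.3.0/24", "eth0"), ("10.1.1.0/24", "tun0"),
          ("10.0.8.0/24", "tun0"), ("0.0.0.0/0", "wlan0")]  # routing table 'main' from the dump
TERMINAL = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "MASQUERADE"}
# pkts bytes target prot opt in out source destination [match/target options]
RULE_RE = re.compile(r"\s*\d+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_dump(text):
    """Return {chain: {"policy": str or None, "rules": [rule dicts]}}."""
    chains, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if head:
            cur = head.group(1)
            chains[cur] = {"policy": head.group(2), "rules": []}
            continue
        m = RULE_RE.match(line)
        if m and cur:
            keys = ("target", "prot", "in", "out", "src", "dst", "extra")
            chains[cur]["rules"].append(dict(zip(keys, m.groups())))
    return chains


def rule_matches(rule, pkt):
    """Interface, protocol, address, single dport and ctstate; other extensions ignored."""
    if rule["prot"] not in ("all", pkt["proto"]):
        return False
    if rule["in"] not in ("*", pkt["in"]) or rule["out"] not in ("*", pkt["out"]):
        return False
    for key in ("src", "dst"):
        if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key], strict=False):
            return False
    dpt = re.search(r"\bdpt:(\d+)", rule["extra"])
    if dpt and int(dpt.group(1)) != pkt["dport"]:
        return False
    ct = re.search(r"ctstate (\S+)", rule["extra"])
    return not ct or pkt["state"] in ct.group(1).split(",")


def walk(chains, name, pkt, path):
    """First terminal match wins; user chains recurse; LOG/TCPMSS and unknown chains fall through."""
    chain = chains.get(name, {"policy": None, "rules": []})
    for rule in chain["rules"]:
        if not rule_matches(rule, pkt):
            continue
        if rule["target"] in TERMINAL:
            path.append(f"{name}: {rule['target']} {rule['extra']}".rstrip())
            return rule
        if (hit := walk(chains, rule["target"], pkt, path)):
            return hit
    if chain["policy"]:  # built-in chain: fall-through ends in the policy
        path.append(f"{name}: policy {chain['policy']}")
        return {"target": chain["policy"], "extra": ""}
    return None


def out_iface(dst):  # longest-prefix lookup in ROUTES
    addr = ipaddress.ip_address(dst)
    return max((ipaddress.ip_network(n).prefixlen, dev) for n, dev in ROUTES
               if addr in ipaddress.ip_network(n))[1]


def trace(pkt):
    """nat PREROUTING -> route -> filter FORWARD -> nat POSTROUTING for one NEW flow."""
    nat, filt = parse_dump(NAT_DUMP), parse_dump(FILTER_DUMP)
    pkt, path = dict(pkt, state="NEW", out=None), []
    hit = walk(nat, "PREROUTING", pkt, path)
    if hit["target"] == "DNAT":  # destination is rewritten before the routing decision
        pkt["dst"] = re.search(r"to:([\d.]+)", hit["extra"]).group(1)
    pkt["out"] = out_iface(pkt["dst"])
    verdict = walk(filt, "FORWARD", pkt, path)["target"]
    post = walk(nat, "POSTROUTING", pkt, path)["target"]
    return {"dst": pkt["dst"], "out": pkt["out"], "forward": verdict,
            "snat": post if post in ("SNAT", "MASQUERADE") else None, "path": path}
```

`trace({"proto": "tcp", "in": "tun0", "src": "10.0.8.2", "dst": "10.0.8.4", "dport": 80})` returns `dst` 192.168.1.1, `out` wlan0, `forward` ACCEPT and `snat` None. Whether a reply from 192.168.1.1 can come back to a source of 10.0.8.2 depends on the router's own routes, which the dump does not show; the value of the trace is that it narrows the question to that hop rather than to the firewall's filter rules.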