Hello Tom,
I have no doubts in your analysis of the dump.
However, I have no idea about the right conclusions.
You're pointing to some rules stating "no rule matches the traffic".
This confirms my assumption, but I'm not sure what to configure.
These are the current rules for ping/traceroute:
## Drop ping access from net
Ping(DROP) net all
## Permit ping access
Ping(ACCEPT) $FW all
Ping(ACCEPT) loc,fb all
## Permit ICMP access
ACCEPT $FW all icmp
ACCEPT loc,fb all icmp
(There are no more rules related to ping/icmp.)
I would like to ping/traceroute from fb to loc and vice versa, but then
/shorewall check/ reports an error (ERROR: Rules may not override a NONE
policy /usr/share/shorewall/macro.Ping (line 9)).
Now, here are my findings:
Source: $FW (=pc4-svp),
Dest: any client in fb
ping works, traceroute fails
root@pc4-svp:/etc/shorewall# ping 192.168.178.121
PING 192.168.178.121 (192.168.178.121) 56(84) bytes of data.
64 bytes from 192.168.178.121: icmp_seq=1 ttl=128 time=0.239 ms
64 bytes from 192.168.178.121: icmp_seq=2 ttl=128 time=0.114 ms
64 bytes from 192.168.178.121: icmp_seq=3 ttl=128 time=0.169 ms
^C
--- 192.168.1.121 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.114/0.174/0.239/0.051 ms
root@pc4-svp:/etc/shorewall# traceroute 192.168.178.121
traceroute to 192.168.178.121 (192.168.178.121), 30 hops max, 60 byte
packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 *^C
Source: any client in fb
Dest: any client in loc
ping fails, traceroute fails
thomas@pc8-nb:~$ sudo ping 10.0.0.253
PING 10.0.0.253 (10.0.0.253) 56(84) bytes of data.
From 192.168.178.1: icmp_seq=244 Redirect Host(New nexthop: 192.168.178.10)
From 192.168.178.1: icmp_seq=544 Redirect Host(New nexthop: 192.168.178.10)
From 192.168.178.1: icmp_seq=844 Redirect Host(New nexthop: 192.168.178.10)
^C
--- 10.0.0.253 ping statistics ---
1129 packets transmitted, 0 received, 100% packet loss, time 1128038ms
thomas@pc8-nb:~$ sudo traceroute 10.0.0.253
traceroute to 10.0.0.253 (10.0.0.253), 30 hops max, 60 byte packets
1 pc4-svp.whl.meilocal.net (192.168.178.10) 0.221 ms 0.206 ms 0.197 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * *^C
This can be seen in /var/log/messages, too.
Dump attached.
Regards,
Thomas
Am 29.06.2016 um 16:43 schrieb Tom Eastep:
> On 06/28/2016 12:03 AM, Thomas Schneider wrote:
> > Update: I have adjusted some rules as follows: ## Permit ping
> > access Ping(ACCEPT) loc,fb $FW Ping(ACCEPT) $FW
> > loc,fb Ping(ACCEPT) fb loc,dmz
>
> > ## Drop ping access from net Ping(DROP) net all
>
> > ## Permit ICMP access ACCEPT $FW loc,fb
> > icmp ACCEPT $FW net icmp
> > ACCEPT loc,fb net icmp ACCEPT
> > fb loc,dmz icmp
>
> > However, I can only ping host pc4-svp.whl.meilocal.net serving
> > Shorewall: 192.168.178.10 (aka 10.0.0.1 and 10.1.0.1).
> > http://up.picr.de/26014890cy.jpg
>
> > Any ping or traceroute to another server in 10.0.0.0/24 or
> > 10.1.0.0/24 fails after reaching 192.168.178.10. My conclusion is
> > that the static route configured in router is working, but then
> > communication is blocked on 192.168.178.10. thomas@pc8-nb:~$ sudo
> > traceroute 10.0.0.2 traceroute to 10.0.0.2 (10.0.0.2), 30 hops max,
> > 60 byte packets 1 pc4-svp.whl.meilocal.net (192.168.178.10) 0.243
> > ms 0.234 ms 0.231 ms 2 * * * 3 * * * 4 * * * 5 * * * 6 * *
> > * 7 * * * 8 * * * 9 * * * 10 * * * 11 * * * 12 * * * 13 * *
> > * 14 * * * 15 * * * 16 * * * 17 * * * 18 * * * 19 * * * 20 *
> > * * 21 * * * 22 * * * 23 * * * 24 * * * 25 * * * 26 * * * 27
> > * * * 28 * * * 29 * * * 30 * * * thomas@pc8-nb:~$ sudo ping
> > 10.0.0.2 PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data. From
> > 192.168.178.1: icmp_seq=124 Redirect Host(New nexthop:
> > 192.168.178.10) From 192.168.178.1: icmp_seq=424 Redirect Host(New
> > nexthop: 192.168.178.10)
>
>
> > Any advise?
>
> - From the dump, packets arriving on vmbr2 and to be forwarded go
> through the chain UMP_IF_fwd:
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 953 76428 UMP_IF_fwd all -- vmbr2 * 0.0.0.0/0
> 0.0.0.0/0
>
> Since the source IP is in 192.168.178.0/24, they are then passed
> through the chain fb_frwd
>
> Chain UMP_IF_fwd (1 references)
> pkts bytes target prot opt in out source
> destination
> 953 76428 dynamic all -- * * 0.0.0.0/0
> 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
> 953 76428 smurfs all -- * * 192.168.178.0/24
> 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
> 953 76428 smurfs all -- * * 0.0.0.0/0
> 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
> 0 0 tcpflags tcp -- * * 192.168.178.0/24
> 0.0.0.0/0
> 0 0 tcpflags tcp -- * * 0.0.0.0/0
> 0.0.0.0/0
> 953 76428 fb_frwd all -- * * 192.168.178.0/24
> 0.0.0.0/0
> 953 76428 net_frwd all -- * * 0.0.0.0/0
> 0.0.0.0/0
>
>
> There, *no rule matches the traffic*. So the traffic now goes to net_frw
> d:
>
> Chain fb_frwd (1 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 fb-net all -- * eth0 0.0.0.0/0
> 0.0.0.0/0
> 0 0 fb-net all -- * vmbr2 0.0.0.0/0
> 0.0.0.0/0
> 0 0 all-all all -- * tun+ 0.0.0.0/0
> 0.0.0.0/0
> 0 0 ~comb0 all -- * vmbr1 0.0.0.0/0
> 10.1.0.0/24
> 0 0 ~comb0 all -- * vmbr1 0.0.0.0/0
> 224.0.0.0/4
>
> In net_frwd, traffic rouoted out of vmbr0 goes through the net-loc chain
> :
>
> Chain net_frwd (2 references)
> pkts bytes target prot opt in out source
> destination
> 0 0 ~comb2 all -- * vmbr2 0.0.0.0/0
> 192.168.178.0/24
> 0 0 ACCEPT all -- * eth0 0.0.0.0/0
> 0.0.0.0/0
> 0 0 ACCEPT all -- * vmbr2 0.0.0.0/0
> 0.0.0.0/0
> 118K 153M net-loc all -- * vmbr0 0.0.0.0/0
> 10.0.0.0/24
>
> There, ping is dropped.
>
> Chain net-loc (2 references)
> pkts bytes target prot opt in out source
> destination
> 117K 153M ACCEPT all -- * * 0.0.0.0/0
> 0.0.0.0/0 ctstate RELATED,ESTABLISHED
> 0 0 DROP tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 ctstate INVALID
> 802 67368 DROP icmp -- * * 0.0.0.0/0
> 0.0.0.0/0 icmptype 8 /* Ping */
> 52 2404 ACCEPT tcp -- eth0 * 0.0.0.0/0
> 10.0.0.2 multiport dports 80,443 limit: avg 5/sec burst 10
> 151 9060 net-all all -- * * 0.0.0.0/0
> 0.0.0.0/0 [goto]
>
> You appear to have no traceroute rules so traceroute requests get
> dropped in net-all, which you can clearly see from the Log section of
> the dump.
>
> -Tom
> >
------------------------------------------------------------------------------
> Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in
San > Francisco, CA to explore cutting-edge tech and listen to tech
luminaries > present their vision of the future. This family event has
something for > everyone, including kids. Get more information and
register today. > http://sdm.link/attshape >
_______________________________________________ > Shorewall-users
mailing list > [email protected] >
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Shorewall 5.0.7.2 Dump at pc4-svp - Mi 29. Jun 22:12:33 CEST 2016
Shorewall is running
State:Started (Mi 29. Jun 22:12:16 CEST 2016) from /etc/shorewall/
(/var/lib/shorewall/firewall compiled by Shorewall version 5.0.7.2)
Counters reset Mi 29. Jun 22:12:16 CEST 2016
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
84 5676 UMP_IF_in all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
16 4896 UMB_IF_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 INT_IF_in all -- vmbr0 * 0.0.0.0/0 0.0.0.0/0
0 0 vpn-fw all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 DMZ_IF_in all -- vmbr1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:INPUT:REJECT:"
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 UMP_IF_fwd all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
8 1000 UMB_IF_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
6 300 INT_IF_fwd all -- vmbr0 * 0.0.0.0/0 0.0.0.0/0
0 0 vpn_frwd all -- tun+ * 0.0.0.0/0 0.0.0.0/0
2 100 DMZ_IF_fwd all -- vmbr1 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:"
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
66 38904 ACCEPT all -- * vmbr2 0.0.0.0/0 0.0.0.0/0
2 140 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 INT_IF_out all -- * vmbr0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 DMZ_IF_out all -- * vmbr1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain Broadcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match dst-type BROADCAST
1 36 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match dst-type MULTICAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match dst-type ANYCAST
Chain DMZ_IF_fwd (1 references)
pkts bytes target prot opt in out source destination
2 100 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
2 100 dmz_frwd all -- * * 10.1.0.0/24 0.0.0.0/0
Chain DMZ_IF_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0 0.0.0.0/0
udp dpts:67:68
0 0 dmz-fw all -- * * 10.1.0.0/24 0.0.0.0/0
Chain DMZ_IF_out (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 ACCEPT all -- * * 0.0.0.0/0 10.1.0.0/24
0 0 ACCEPT all -- * * 0.0.0.0/0
255.255.255.255
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.0/4
Chain Drop (1 references)
pkts bytes target prot opt in out source destination
1 40 all -- * * 0.0.0.0/0 0.0.0.0/0
1 40 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 11 /* Needed ICMP types */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535 /* SMB */
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900 /* UPnP */
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:!0x17/0x02
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 /* Late DNS Replies */
Chain INT_IF_fwd (1 references)
pkts bytes target prot opt in out source destination
6 300 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
6 300 loc_frwd all -- * * 10.0.0.0/24 0.0.0.0/0
Chain INT_IF_in (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0 0.0.0.0/0
udp dpts:67:68
0 0 ~comb1 all -- * * 10.0.0.0/24 0.0.0.0/0
Chain INT_IF_out (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
0 0 ACCEPT all -- * * 0.0.0.0/0 10.0.0.0/24
0 0 ACCEPT all -- * * 0.0.0.0/0
255.255.255.255
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.0/4
Chain Reject (10 references)
pkts bytes target prot opt in out source destination
1 36 all -- * * 0.0.0.0/0 0.0.0.0/0
1 36 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 11 /* Needed ICMP types */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,445 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:137:139 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:137 dpts:1024:65535 /* SMB */
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1900 /* UPnP */
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp flags:!0x17/0x02
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0
udp spt:53 /* Late DNS Replies */
Chain UMB_IF_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all -- * eth0 0.0.0.0/0 0.0.0.0/0
[goto]
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
8 1000 net_frwd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain UMB_IF_in (1 references)
pkts bytes target prot opt in out source destination
14 4610 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
14 4610 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
13 4570 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpts:67:68
1 40 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
3 326 net-fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain UMP_IF_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 smurfs all -- * * 192.168.178.0/24 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 192.168.178.0/24 0.0.0.0/0
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fb_frwd all -- * * 192.168.178.0/24 0.0.0.0/0
0 0 net_frwd all -- * * 0.0.0.0/0 0.0.0.0/0
Chain UMP_IF_in (1 references)
pkts bytes target prot opt in out source destination
1 36 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
1 36 smurfs all -- * * 192.168.178.0/24 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
1 36 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
83 5640 tcpflags tcp -- * * 192.168.178.0/24 0.0.0.0/0
83 5640 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
84 5676 ~comb1 all -- * * 192.168.178.0/24 0.0.0.0/0
0 0 net-fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain all-all (9 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
1 36 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:all-all:REJECT:"
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain dmz-all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain dmz-fw (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 4505,4506
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain dmz-loc (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.3
tcp dpt:3306
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain dmz-net (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
2 100 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53 /* DNS */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53 /* DNS */
0 0 ACCEPT tcp -- * * 0.0.0.0/0
130.89.148.12 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
195.20.242.89 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
87.230.23.19 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
198.199.77.106 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
134.109.228.1 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
212.211.132.250 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0
129.143.116.113 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:11371
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:11371
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain dmz_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dmz-all all -- * vmbr2 0.0.0.0/0
192.168.178.0/24
2 100 dmz-net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 dmz-net all -- * vmbr2 0.0.0.0/0 0.0.0.0/0
0 0 dmz-loc all -- * vmbr0 0.0.0.0/0 10.0.0.0/24
0 0 dmz-loc all -- * vmbr0 0.0.0.0/0 224.0.0.0/4
0 0 dmz-all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * vmbr1 0.0.0.0/0 10.1.0.0/24
Chain dynamic (10 references)
pkts bytes target prot opt in out source destination
Chain fb-net (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 80,443 /* HTTP, HTTPS */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 192.168.178.121 0.0.0.0/0
tcp dpt:5938
0 0 ACCEPT tcp -- * * 192.168.178.48 0.0.0.0/0
tcp dpt:5938
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:11371
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:11371
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain fb_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 fb-net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 fb-net all -- * vmbr2 0.0.0.0/0 0.0.0.0/0
0 0 all-all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 ~comb0 all -- * vmbr1 0.0.0.0/0 10.1.0.0/24
0 0 ~comb0 all -- * vmbr1 0.0.0.0/0 224.0.0.0/4
Chain loc-net (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 80,443,143 /* HTTP, HTTPS, IMAP */
6 300 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:53 /* DNS */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53 /* DNS */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:11371
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:11371
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain loc_frwd (1 references)
pkts bytes target prot opt in out source destination
6 300 loc-net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 loc-net all -- * vmbr2 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * vmbr0 0.0.0.0/0 10.0.0.0/24
0 0 all-all all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 ~comb0 all -- * vmbr1 0.0.0.0/0 10.1.0.0/24
0 0 ~comb0 all -- * vmbr1 0.0.0.0/0 224.0.0.0/4
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logflags (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net-all (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
1 40 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
1 40 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:net-all:DROP:"
1 40 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net-dmz (2 references)
pkts bytes target prot opt in out source destination
2 250 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 143,25,80,443,465,587,993
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 8 /* Ping */
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.1.0.4
tcp dpt:25 limit: avg 5/sec burst 10
0 0 net-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain net-fw (2 references)
pkts bytes target prot opt in out source destination
2 286 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 8 /* Ping */
1 40 net-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain net-loc (2 references)
pkts bytes target prot opt in out source destination
6 750 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 8 /* Ping */
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.0.0.2
multiport dports 80,443 limit: avg 5/sec burst 10
0 0 net-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain net_frwd (2 references)
pkts bytes target prot opt in out source destination
0 0 ~comb2 all -- * vmbr2 0.0.0.0/0
192.168.178.0/24
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * vmbr2 0.0.0.0/0 0.0.0.0/0
6 750 net-loc all -- * vmbr0 0.0.0.0/0 10.0.0.0/24
0 0 net-loc all -- * vmbr0 0.0.0.0/0 224.0.0.0/4
0 0 ~comb2 all -- * tun+ 0.0.0.0/0 0.0.0.0/0
2 250 net-dmz all -- * vmbr1 0.0.0.0/0 10.1.0.0/24
0 0 net-dmz all -- * vmbr1 0.0.0.0/0 224.0.0.0/4
Chain reject (19 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Chain sfilter (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:sfilter:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain sha-lh-67289397ce1ff24538d3 (0 references)
pkts bytes target prot opt in out source destination
Chain sha-rh-a548bd405956095b166d (0 references)
pkts bytes target prot opt in out source destination
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0
recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255
Chain smurflog (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 6 prefix "Shorewall:smurfs:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain smurfs (6 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0 0.0.0.0/0
0 0 smurflog all -- * * 0.0.0.0/0 0.0.0.0/0
[goto] ADDRTYPE match src-type BROADCAST
0 0 smurflog all -- * * 224.0.0.0/4 0.0.0.0/0
[goto]
Chain tcpflags (12 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x05/0x05
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp flags:0x19/0x09
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
[goto] tcp spt:0 flags:0x17/0x02
Chain vpn-dmz (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 143,25,80,443,465,587,993
0 0 all-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain vpn-fw (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 all-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain vpn-net (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:11371
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:11371
0 0 all-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain vpn_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all -- * tun+ 0.0.0.0/0 0.0.0.0/0
[goto]
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 all-all all -- * vmbr2 0.0.0.0/0
192.168.178.0/24
0 0 vpn-net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 vpn-net all -- * vmbr2 0.0.0.0/0 0.0.0.0/0
0 0 all-all all -- * vmbr0 0.0.0.0/0 10.0.0.0/24
0 0 all-all all -- * vmbr0 0.0.0.0/0 224.0.0.0/4
0 0 vpn-dmz all -- * vmbr1 0.0.0.0/0 10.1.0.0/24
0 0 vpn-dmz all -- * vmbr1 0.0.0.0/0 224.0.0.0/4
Chain ~comb0 (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 143,25,80,443,465,587,993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpts:2200:2299
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain ~comb1 (2 references)
pkts bytes target prot opt in out source destination
83 5640 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:2214
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:8006
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 443,5900:5999
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 8 /* Ping */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0
multiport dports 4505,4506
1 36 all-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Chain ~comb2 (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
ctstate RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
ctstate INVALID
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmptype 8 /* Ping */
0 0 net-all all -- * * 0.0.0.0/0 0.0.0.0/0
[goto]
Log (/var/log/messages)
Jun 29 22:04:56 all-all:REJECT:IN=vmbr2 OUT= SRC=192.168.178.49
DST=192.168.178.10 LEN=60 TOS=0x00 PREC=0x00 TTL=3 ID=26330 PROTO=UDP SPT=39975
DPT=33441 LEN=40 MARK=0x20000
Jun 29 22:04:56 all-all:REJECT:IN=vmbr2 OUT= SRC=192.168.178.49
DST=192.168.178.10 LEN=60 TOS=0x00 PREC=0x00 TTL=3 ID=26331 PROTO=UDP SPT=45159
DPT=33442 LEN=40 MARK=0x20000
Jun 29 22:04:56 all-all:REJECT:IN=vmbr2 OUT= SRC=192.168.178.49
DST=192.168.178.10 LEN=60 TOS=0x00 PREC=0x00 TTL=4 ID=26332 PROTO=UDP SPT=42367
DPT=33443 LEN=40 MARK=0x20000
Jun 29 22:04:56 all-all:REJECT:IN=vmbr2 OUT= SRC=192.168.178.49
DST=192.168.178.10 LEN=60 TOS=0x00 PREC=0x00 TTL=4 ID=26333 PROTO=UDP SPT=41049
DPT=33444 LEN=40 MARK=0x20000
Jun 29 22:05:18 net-all:DROP:IN=vmbr2 OUT=vmbr0 SRC=192.168.178.49
DST=10.0.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=5 ID=55896 PROTO=UDP SPT=46635
DPT=33449 LEN=40
Jun 29 22:05:38 net-all:DROP:IN=vmbr2 OUT=vmbr0 SRC=192.168.178.49
DST=10.0.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=22 ID=59951 PROTO=UDP SPT=47201
DPT=33502 LEN=40
Jun 29 22:05:38 net-all:DROP:IN=vmbr2 OUT=vmbr0 SRC=192.168.178.49
DST=10.0.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=23 ID=59952 PROTO=UDP SPT=53183
DPT=33503 LEN=40
Jun 29 22:05:38 net-all:DROP:IN=vmbr2 OUT=vmbr0 SRC=192.168.178.49
DST=10.0.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=23 ID=59953 PROTO=UDP SPT=35199
DPT=33504 LEN=40
Jun 29 22:05:38 net-all:DROP:IN=vmbr2 OUT=vmbr0 SRC=192.168.178.49
DST=10.0.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=23 ID=59954 PROTO=UDP SPT=55744
DPT=33505 LEN=40
Jun 29 22:05:38 net-all:DROP:IN=vmbr2 OUT=vmbr0 SRC=192.168.178.49
DST=10.0.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=24 ID=59955 PROTO=UDP SPT=57545
DPT=33506 LEN=40
Jun 29 22:05:38 net-all:DROP:IN=vmbr2 OUT=vmbr0 SRC=192.168.178.49
DST=10.0.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=24 ID=59956 PROTO=UDP SPT=38719
DPT=33507 LEN=40
Jun 29 22:05:38 net-all:DROP:IN=vmbr2 OUT=vmbr0 SRC=192.168.178.49
DST=10.0.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=24 ID=59957 PROTO=UDP SPT=60478
DPT=33508 LEN=40
Jun 29 22:05:38 net-all:DROP:IN=vmbr2 OUT=vmbr0 SRC=192.168.178.49
DST=10.0.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=25 ID=59958 PROTO=UDP SPT=37140
DPT=33509 LEN=40
Jun 29 22:05:38 net-all:DROP:IN=vmbr2 OUT=vmbr0 SRC=192.168.178.49
DST=10.0.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=25 ID=59959 PROTO=UDP SPT=44152
DPT=33510 LEN=40
Jun 29 22:05:38 net-all:DROP:IN=vmbr2 OUT=vmbr0 SRC=192.168.178.49
DST=10.0.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=25 ID=59960 PROTO=UDP SPT=40460
DPT=33511 LEN=40
Jun 29 22:05:38 net-all:DROP:IN=vmbr2 OUT=vmbr0 SRC=192.168.178.49
DST=10.0.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=26 ID=59962 PROTO=UDP SPT=56059
DPT=33513 LEN=40
Jun 29 22:05:38 net-all:DROP:IN=vmbr2 OUT=vmbr0 SRC=192.168.178.49
DST=10.0.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=26 ID=59963 PROTO=UDP SPT=50214
DPT=33514 LEN=40
Jun 29 22:05:38 net-all:DROP:IN=vmbr2 OUT=vmbr0 SRC=192.168.178.49
DST=10.0.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=27 ID=59965 PROTO=UDP SPT=43777
DPT=33516 LEN=40
Jun 29 22:06:54 net-all:DROP:IN=vmbr2 OUT=vmbr0 SRC=192.168.178.49
DST=10.0.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=9236 PROTO=UDP SPT=51893
DPT=33438 LEN=40
Jun 29 22:06:54 net-all:DROP:IN=vmbr2 OUT=vmbr0 SRC=192.168.178.49
DST=10.0.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=9237 PROTO=UDP SPT=57912
DPT=33439 LEN=40
NAT Table
Chain PREROUTING (policy ACCEPT 15 packets, 676 bytes)
pkts bytes target prot opt in out source destination
1 40 UPnP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
6 236 UPnP all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
6 236 RETURN all -- vmbr2 * 192.168.178.0/24 0.0.0.0/0
1 40 net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 net_dnat all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 140 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2 packets, 140 bytes)
pkts bytes target prot opt in out source destination
10 540 UMB_IF_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain UMB_IF_masq (1 references)
pkts bytes target prot opt in out source destination
6 300 SNAT all -- * * 10.0.0.0/24 0.0.0.0/0
to:217.8.xx.xx
2 100 SNAT all -- * * 10.1.0.0/24 0.0.0.0/0
to:217.8.xx.xx
Chain UPnP (2 references)
pkts bytes target prot opt in out source destination
Chain net_dnat (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
multiport dports 80,443 to:10.0.0.2
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:25 to:10.1.0.4
Mangle Table
Chain PREROUTING (policy ACCEPT 122 packets, 12224 bytes)
pkts bytes target prot opt in out source destination
122 12224 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0
CONNMARK restore mask 0x30000
11 1326 routemark all -- eth0 * 0.0.0.0/0 0.0.0.0/0
mark match 0x0/0x30000
6 236 routemark all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
mark match 0x0/0x30000
Chain INPUT (policy ACCEPT 101 packets, 10624 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 16 packets, 1400 bytes)
pkts bytes target prot opt in out source destination
16 1400 MARK all -- * * 0.0.0.0/0 0.0.0.0/0
MARK and 0xfffcffff
Chain OUTPUT (policy ACCEPT 68 packets, 39044 bytes)
pkts bytes target prot opt in out source destination
68 39044 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0
CONNMARK restore mask 0x30000
Chain POSTROUTING (policy ACCEPT 84 packets, 40444 bytes)
pkts bytes target prot opt in out source destination
Chain routemark (2 references)
pkts bytes target prot opt in out source destination
11 1326 MARK all -- eth0 * 0.0.0.0/0 0.0.0.0/0
MARK xset 0x10000/0x30000
6 236 MARK all -- vmbr2 * 0.0.0.0/0 0.0.0.0/0
MARK xset 0x20000/0x30000
17 1562 CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0
mark match ! 0x0/0x30000 CONNMARK save mask 0x30000
Raw Table
Chain PREROUTING (policy ACCEPT 122 packets, 12224 bytes)
pkts bytes target prot opt in out source destination
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:10080 CT helper amanda
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 CT helper ftp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1719 CT helper RAS
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:1720 CT helper Q.931
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:6667 CT helper irc
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:137 CT helper netbios-ns
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:1723 CT helper pptp
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:6566 CT helper sane
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:5060 CT helper sip
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:161 CT helper snmp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:69 CT helper tftp
Chain OUTPUT (policy ACCEPT 68 packets, 39044 bytes)
pkts bytes target prot opt in out source destination
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:10080 CT helper amanda
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:21 CT helper ftp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:1719 CT helper RAS
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:1720 CT helper Q.931
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:6667 CT helper irc
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:137 CT helper netbios-ns
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:1723 CT helper pptp
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0
tcp dpt:6566 CT helper sane
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:5060 CT helper sip
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:161 CT helper snmp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0
udp dpt:69 CT helper tftp
Conntrack Table (17 out of 262144)
udp 17 29 src=10.0.0.253 dst=78.42.43.41 sport=42075 dport=53
src=78.42.43.41 dst=217.8.xx.xx sport=53 dport=42075 mark=65536 use=1
udp 17 29 src=10.0.0.252 dst=78.42.43.41 sport=40577 dport=53
src=78.42.43.41 dst=217.8.xx.xx sport=53 dport=40577 mark=65536 use=1
udp 17 25 src=217.8.xx.xx dst=78.42.43.41 sport=35473 dport=53
src=78.42.43.41 dst=217.8.xx.xx sport=53 dport=35473 mark=65536 use=1
udp 17 12 src=10.1.0.11 dst=78.42.43.41 sport=58642 dport=53
src=78.42.43.41 dst=217.8.xx.xx sport=53 dport=58642 mark=65536 use=1
udp 17 28 src=10.0.0.2 dst=78.42.43.41 sport=50923 dport=53
src=78.42.43.41 dst=217.8.xx.xx sport=53 dport=50923 mark=65536 use=1
udp 17 12 src=10.1.0.11 dst=78.42.43.41 sport=57977 dport=53
src=78.42.43.41 dst=217.8.xx.xx sport=53 dport=57977 mark=65536 use=1
tcp 6 431999 ESTABLISHED src=192.168.178.49 dst=192.168.178.10 sport=58606
dport=2214 src=192.168.178.10 dst=192.168.178.49 sport=2214 dport=58606
[ASSURED] mark=131072 use=1
udp 17 25 src=217.8.xx.xx dst=78.42.43.41 sport=58907 dport=53
src=78.42.43.41 dst=217.8.xx.xx sport=53 dport=58907 mark=65536 use=1
tcp 6 430447 ESTABLISHED src=10.0.0.1 dst=10.0.0.2 sport=56468 dport=2202
src=10.0.0.2 dst=10.0.0.1 sport=2202 dport=56468 [ASSURED] mark=0 use=1
tcp 6 430455 ESTABLISHED src=10.0.0.1 dst=10.0.0.253 sport=60490
dport=22253 src=10.0.0.253 dst=10.0.0.1 sport=22253 dport=60490 [ASSURED]
mark=0 use=1
udp 17 29 src=10.0.0.253 dst=78.42.43.41 sport=41111 dport=53
src=78.42.43.41 dst=217.8.xx.xx sport=53 dport=41111 mark=65536 use=1
tcp 6 429185 ESTABLISHED src=10.1.0.1 dst=10.1.0.11 sport=42714 dport=2211
src=10.1.0.11 dst=10.1.0.1 sport=2211 dport=42714 [ASSURED] mark=0 use=1
udp 17 29 src=10.0.0.252 dst=78.42.43.41 sport=38269 dport=53
src=78.42.43.41 dst=217.8.xx.xx sport=53 dport=38269 mark=65536 use=1
udp 17 28 src=10.120.192.1 dst=255.255.255.255 sport=67 dport=68
[UNREPLIED] src=255.255.255.255 dst=10.120.192.1 sport=68 dport=67 mark=65536
use=1
udp 17 28 src=10.0.0.2 dst=78.42.43.41 sport=36707 dport=53
src=78.42.43.41 dst=217.8.xx.xx sport=53 dport=36707 mark=65536 use=1
tcp 6 429149 ESTABLISHED src=10.0.0.1 dst=10.0.0.252 sport=56160
dport=22252 src=10.0.0.252 dst=10.0.0.1 sport=22252 dport=56160 [ASSURED]
mark=0 use=1
udp 17 7 src=10.1.0.1 dst=10.1.0.255 sport=123 dport=123 [UNREPLIED]
src=10.1.0.255 dst=10.1.0.1 sport=123 dport=123 mark=0 use=1
IP Configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
default qlen 1
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
group default qlen 1000
inet 217.8.xx.xx/26 brd 255.255.255.255 scope global eth0
valid_lft forever preferred_lft forever
5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
group default qlen 1000
inet 10.0.0.1/24 brd 10.0.0.255 scope global vmbr0
valid_lft forever preferred_lft forever
6: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
group default qlen 1000
inet 10.1.0.1/24 brd 10.0.0.255 scope global vmbr1
valid_lft forever preferred_lft forever
7: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
group default qlen 1000
inet 192.168.178.10/24 brd 192.168.178.255 scope global vmbr2
valid_lft forever preferred_lft forever
IP Stats
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode
DEFAULT group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
153706777 320887 0 0 0 0
TX: bytes packets errors dropped carrier collsns
153706777 320887 0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
mode DEFAULT group default qlen 1000
link/ether 74:d4:35:1a:f6:0f brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
13434114332 145362003 1491 0 0 0
TX: bytes packets errors dropped carrier collsns
81756536 1119098 0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master
vmbr2 state UP mode DEFAULT group default qlen 1000
link/ether 00:15:17:91:9c:b8 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
4796742636 7653392 0 2 0 916726
TX: bytes packets errors dropped carrier collsns
1840562068 5607900 0 0 0 0
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master
vmbr1 state DOWN mode DEFAULT group default qlen 1000
link/ether 00:15:17:91:9c:b9 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
mode DEFAULT group default qlen 1000
link/ether fe:03:ad:be:e0:9b brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
42025604 823784 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1447924558 1312606 0 0 0 0
6: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
mode DEFAULT group default qlen 1000
link/ether 00:15:17:91:9c:b9 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
2028273 37956 0 0 0 0
TX: bytes packets errors dropped carrier collsns
92280940 58182 0 0 0 0
7: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
mode DEFAULT group default qlen 1000
link/ether 00:15:17:91:9c:b8 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
516268515 4278918 0 1708846 0 0
TX: bytes packets errors dropped carrier collsns
277014077 329024 0 0 0 0
18: tap123i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc
pfifo_fast master vmbr2 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether c2:de:fd:4f:7e:70 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
172822745 1189802 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1703379807 4735265 0 0 0 0
19: tap121i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc
pfifo_fast master vmbr2 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether ea:7f:f7:d0:d8:fb brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
466880154 1902015 0 0 0 0
TX: bytes packets errors dropped carrier collsns
637493059 2885227 0 0 0 0
25: veth102i0@if24: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
master vmbr0 state UP mode DEFAULT group default qlen 1000
link/ether fe:03:ad:be:e0:9b brd ff:ff:ff:ff:ff:ff link-netnsid 0
RX: bytes packets errors dropped overrun mcast
15085906 242441 0 0 0 0
TX: bytes packets errors dropped carrier collsns
368401175 370535 0 0 0 0
27: veth101i0@if26: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
master vmbr0 state UP mode DEFAULT group default qlen 1000
link/ether fe:59:8e:51:59:6f brd ff:ff:ff:ff:ff:ff link-netnsid 1
RX: bytes packets errors dropped overrun mcast
14900169 240477 0 0 0 0
TX: bytes packets errors dropped carrier collsns
368177968 367535 0 0 0 0
31: veth100i0@if30: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
master vmbr0 state UP mode DEFAULT group default qlen 1000
link/ether fe:73:e2:f2:bf:cd brd ff:ff:ff:ff:ff:ff link-netnsid 2
RX: bytes packets errors dropped overrun mcast
14864375 234146 0 0 0 0
TX: bytes packets errors dropped carrier collsns
363845182 361032 0 0 0 0
35: veth111i0@if34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
master vmbr1 state UP mode DEFAULT group default qlen 1000
link/ether fe:29:a5:8e:9b:27 brd ff:ff:ff:ff:ff:ff link-netnsid 3
RX: bytes packets errors dropped overrun mcast
2559657 37956 0 0 0 0
TX: bytes packets errors dropped carrier collsns
92280940 58182 0 0 0 0
Bridges
bridge name bridge id STP enabled interfaces
vmbr0 8000.fe03adbee09b no veth100i0
veth101i0
veth102i0
vmbr1 8000.001517919cb9 no eth2
veth111i0
vmbr2 8000.001517919cb8 no eth1
tap121i0
tap123i0
Routing Rules
0: from all lookup local
999: from all lookup main
1000: from 217.8.xx.xx lookup um_business
1000: from 192.168.178.10 lookup um_private
10000: from all fwmark 0x10000/0x30000 lookup um_business
10001: from all fwmark 0x20000/0x30000 lookup um_private
11000: from 10.1.0.1 lookup um_business
32765: from all lookup balance
32767: from all lookup default
Table balance:
default via 217.8.xx.xx dev eth0
Table default:
Table local:
local 217.8.xx.xx dev eth0 proto kernel scope host src 217.8.xx.xx
local 192.168.178.10 dev vmbr2 proto kernel scope host src 192.168.178.10
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.1.0.1 dev vmbr1 proto kernel scope host src 10.1.0.1
local 10.0.0.1 dev vmbr0 proto kernel scope host src 10.0.0.1
broadcast 217.8.xx.xx dev eth0 proto kernel scope link src 217.8.xx.xx
broadcast 217.8.xx.xx dev eth0 proto kernel scope link src 217.8.xx.xx
broadcast 192.168.178.255 dev vmbr2 proto kernel scope link src 192.168.178.10
broadcast 192.168.178.0 dev vmbr2 proto kernel scope link src 192.168.178.10
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.1.0.255 dev vmbr1 proto kernel scope link src 10.1.0.1
broadcast 10.1.0.0 dev vmbr1 proto kernel scope link src 10.1.0.1
broadcast 10.0.0.255 dev vmbr1 proto kernel scope link src 10.1.0.1
broadcast 10.0.0.255 dev vmbr0 proto kernel scope link src 10.0.0.1
broadcast 10.0.0.0 dev vmbr0 proto kernel scope link src 10.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
217.8.xx.xx dev eth0 scope link src 217.8.xx.xx
192.168.178.1 dev vmbr2 scope link src 192.168.178.10
217.8.xx.xx/26 dev eth0 proto kernel scope link src 217.8.xx.xx
192.168.178.0/24 dev vmbr2 proto kernel scope link src 192.168.178.10
10.1.0.0/24 dev vmbr1 proto kernel scope link src 10.1.0.1
10.0.0.0/24 dev vmbr0 proto kernel scope link src 10.0.0.1
blackhole 192.168.0.0/16
blackhole 172.16.0.0/12
blackhole 10.0.0.0/8
Table um_business:
217.8.xx.xx dev eth0 scope link src 217.8.xx.xx
default via 217.8.xx.xx dev eth0 src 217.8.xx.xx
Table um_private:
192.168.178.1 dev vmbr2 scope link src 192.168.178.10
default via 192.168.178.1 dev vmbr2 src 192.168.178.10
Per-IP Counters
iptaccount is not installed
NF Accounting
Events
/proc
/proc/version = Linux version 4.4.8-1-pve (root@elsa) (gcc version 4.9.2
(Debian 4.9.2-10) ) #1 SMP Tue May 17 16:14:08 CEST 2016
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/default/log_martians = 1
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 1
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/log_martians = 1
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
/proc/sys/net/ipv4/conf/eth1/log_martians = 1
/proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth2/arp_filter = 0
/proc/sys/net/ipv4/conf/eth2/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth2/rp_filter = 0
/proc/sys/net/ipv4/conf/eth2/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 1
/proc/sys/net/ipv4/conf/tap121i0/proxy_arp = 0
/proc/sys/net/ipv4/conf/tap121i0/arp_filter = 0
/proc/sys/net/ipv4/conf/tap121i0/arp_ignore = 0
/proc/sys/net/ipv4/conf/tap121i0/rp_filter = 0
/proc/sys/net/ipv4/conf/tap121i0/log_martians = 1
/proc/sys/net/ipv4/conf/tap123i0/proxy_arp = 0
/proc/sys/net/ipv4/conf/tap123i0/arp_filter = 0
/proc/sys/net/ipv4/conf/tap123i0/arp_ignore = 0
/proc/sys/net/ipv4/conf/tap123i0/rp_filter = 0
/proc/sys/net/ipv4/conf/tap123i0/log_martians = 1
/proc/sys/net/ipv4/conf/veth100i0/proxy_arp = 0
/proc/sys/net/ipv4/conf/veth100i0/arp_filter = 0
/proc/sys/net/ipv4/conf/veth100i0/arp_ignore = 0
/proc/sys/net/ipv4/conf/veth100i0/rp_filter = 0
/proc/sys/net/ipv4/conf/veth100i0/log_martians = 1
/proc/sys/net/ipv4/conf/veth101i0/proxy_arp = 0
/proc/sys/net/ipv4/conf/veth101i0/arp_filter = 0
/proc/sys/net/ipv4/conf/veth101i0/arp_ignore = 0
/proc/sys/net/ipv4/conf/veth101i0/rp_filter = 0
/proc/sys/net/ipv4/conf/veth101i0/log_martians = 1
/proc/sys/net/ipv4/conf/veth102i0/proxy_arp = 0
/proc/sys/net/ipv4/conf/veth102i0/arp_filter = 0
/proc/sys/net/ipv4/conf/veth102i0/arp_ignore = 0
/proc/sys/net/ipv4/conf/veth102i0/rp_filter = 0
/proc/sys/net/ipv4/conf/veth102i0/log_martians = 1
/proc/sys/net/ipv4/conf/veth111i0/proxy_arp = 0
/proc/sys/net/ipv4/conf/veth111i0/arp_filter = 0
/proc/sys/net/ipv4/conf/veth111i0/arp_ignore = 0
/proc/sys/net/ipv4/conf/veth111i0/rp_filter = 0
/proc/sys/net/ipv4/conf/veth111i0/log_martians = 1
/proc/sys/net/ipv4/conf/vmbr0/proxy_arp = 0
/proc/sys/net/ipv4/conf/vmbr0/arp_filter = 0
/proc/sys/net/ipv4/conf/vmbr0/arp_ignore = 0
/proc/sys/net/ipv4/conf/vmbr0/rp_filter = 1
/proc/sys/net/ipv4/conf/vmbr0/log_martians = 1
/proc/sys/net/ipv4/conf/vmbr1/proxy_arp = 0
/proc/sys/net/ipv4/conf/vmbr1/arp_filter = 0
/proc/sys/net/ipv4/conf/vmbr1/arp_ignore = 0
/proc/sys/net/ipv4/conf/vmbr1/rp_filter = 1
/proc/sys/net/ipv4/conf/vmbr1/log_martians = 1
/proc/sys/net/ipv4/conf/vmbr2/proxy_arp = 0
/proc/sys/net/ipv4/conf/vmbr2/arp_filter = 0
/proc/sys/net/ipv4/conf/vmbr2/arp_ignore = 1
/proc/sys/net/ipv4/conf/vmbr2/rp_filter = 0
/proc/sys/net/ipv4/conf/vmbr2/log_martians = 1
ARP
? (10.1.0.11) auf 62:62:62:31:64:62 [ether] auf vmbr1
? (10.0.0.2) auf 32:62:31:39:35:32 [ether] auf vmbr0
? (192.168.178.48) auf <unvollständig> auf vmbr2
? (192.168.178.253) auf <unvollständig> auf vmbr2
? (192.168.178.121) auf b6:36:4a:2a:0d:12 [ether] auf vmbr2
? (10.0.0.253) auf 66:30:33:61:63:62 [ether] auf vmbr0
? (192.168.178.1) auf c8:0e:14:de:97:70 [ether] auf vmbr2
? (10.1.0.4) auf <unvollständig> auf vmbr1
? (10.0.0.252) auf 32:66:37:65:32:36 [ether] auf vmbr0
? (10.0.0.11) auf 36:36:38:63:63:39 [ether] auf vmbr0
? (192.168.178.56) auf d8:90:e8:62:24:64 [ether] auf vmbr2
? (217.8.xx.xx) auf 00:01:5c:23:8e:01 [ether] auf eth0
? (192.168.178.49) auf f0:de:f1:42:30:19 [ether] auf vmbr2
Modules
ip_set 45056 2 ip_set_hash_ip,xt_set
ip_set_hash_ip 32768 0
iptable_filter 16384 1
iptable_mangle 16384 1
iptable_nat 16384 1
iptable_raw 16384 1
ip_tables 28672 4
iptable_filter,iptable_mangle,iptable_nat,iptable_raw
ipt_MASQUERADE 16384 0
ipt_REJECT 16384 4
ipt_rpfilter 16384 0
nf_conntrack 106496 32
nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_helper,nf_conntrack_proto_udplite,nf_nat,xt_connlimit,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,nf_nat_masquerade_ipv4,nf_conntrack_proto_sctp,nf_conntrack_netlink,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
nf_conntrack_amanda 16384 3 nf_nat_amanda
nf_conntrack_broadcast 16384 2 nf_conntrack_netbios_ns,nf_conntrack_snmp
nf_conntrack_ftp 20480 3 nf_nat_ftp
nf_conntrack_h323 77824 5 nf_nat_h323
nf_conntrack_ipv4 16384 68
nf_conntrack_irc 16384 3 nf_nat_irc
nf_conntrack_netbios_ns 16384 2
nf_conntrack_netlink 36864 0
nf_conntrack_pptp 20480 3 nf_nat_pptp
nf_conntrack_proto_gre 16384 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 20480 0
nf_conntrack_proto_udplite 16384 0
nf_conntrack_sane 16384 2
nf_conntrack_sip 28672 3 nf_nat_sip
nf_conntrack_snmp 16384 3 nf_nat_snmp_basic
nf_conntrack_tftp 16384 3 nf_nat_tftp
nf_defrag_ipv4 16384 2 xt_TPROXY,nf_conntrack_ipv4
nf_defrag_ipv6 36864 1 xt_TPROXY
nf_log_common 16384 1 nf_log_ipv4
nf_log_ipv4 16384 7
nf_nat 24576 11
nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,nf_nat_proto_gre,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_nat,nf_nat_masquerade_ipv4
nf_nat_amanda 16384 0
nf_nat_ftp 16384 0
nf_nat_h323 20480 0
nf_nat_ipv4 16384 1 iptable_nat
nf_nat_irc 16384 0
nf_nat_masquerade_ipv4 16384 1 ipt_MASQUERADE
nf_nat_pptp 16384 0
nf_nat_proto_gre 16384 1 nf_nat_pptp
nf_nat_sip 20480 0
nf_nat_snmp_basic 20480 0
nf_nat_tftp 16384 0
nf_reject_ipv4 16384 1 ipt_REJECT
xt_addrtype 16384 5
xt_AUDIT 16384 0
xt_CHECKSUM 16384 0
xt_CLASSIFY 16384 0
xt_comment 16384 27
xt_connlimit 16384 0
xt_connmark 16384 3
xt_conntrack 16384 42
xt_CT 16384 22
xt_dscp 16384 0
xt_DSCP 16384 0
xt_hashlimit 20480 0
xt_helper 16384 0
xt_iprange 16384 0
xt_length 16384 0
xt_limit 16384 2
xt_LOG 16384 7
xt_mark 16384 6
xt_multiport 16384 14
xt_nat 16384 4
xt_nfacct 16384 0
xt_NFLOG 16384 0
xt_NFQUEUE 16384 0
xt_owner 16384 0
xt_physdev 16384 0
xt_pkttype 16384 0
xt_policy 16384 0
xt_realm 16384 0
xt_recent 20480 1
xt_set 16384 0
xt_statistic 16384 0
xt_tcpmss 16384 0
xt_TCPMSS 16384 0
xt_tcpudp 16384 77
xt_time 16384 0
xt_TPROXY 20480 0
Shorewall has detected the following iptables/netfilter capabilities:
ACCOUNT Target (ACCOUNT_TARGET): Not available
Address Type Match (ADDRTYPE): Available
Amanda Helper: Available
Arptables JF (ARPTABLESJF): Not available
AUDIT Target (AUDIT_TARGET): Available
Basic Ematch (BASIC_EMATCH): Available
Basic Filter (BASIC_FILTER): Available
Capabilities Version (CAPVERSION): 50004
Checksum Target (CHECKSUM_TARGET): Available
CLASSIFY Target (CLASSIFY_TARGET): Available
Comments (COMMENTS): Available
Condition Match (CONDITION_MATCH): Not available
Connection Tracking Match (CONNTRACK_MATCH): Available
Connlimit Match (CONNLIMIT_MATCH): Available
Connmark Match (CONNMARK_MATCH): Available
CONNMARK Target (CONNMARK): Available
CT Target (CT_TARGET): Available
DSCP Match (DSCP_MATCH): Available
DSCP Target (DSCP_TARGET): Available
Enhanced Multi-port Match (EMULIPORT): Available
Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
Extended Connmark Match (XCONNMARK_MATCH): Available
Extended CONNMARK Target (XCONNMARK): Available
Extended MARK Target 2 (EXMARK): Available
Extended MARK Target (XMARK): Available
Extended Multi-port Match (XMULIPORT): Available
Extended REJECT (ENHANCED_REJECT): Available
FLOW Classifier (FLOW_FILTER): Available
FTP-0 Helper: Not available
FTP Helper: Available
fwmark route mask (FWMARK_RT_MASK): Available
Geo IP Match (GEOIP_MATCH): Not available
Goto Support (GOTO_TARGET): Available
H323 Helper: Available
Hashlimit Match (HASHLIMIT_MATCH): Available
Header Match (HEADER_MATCH): Not available
Helper Match (HELPER_MATCH): Available
Iface Match (IFACE_MATCH): Not available
IMQ Target (IMQ_TARGET): Not available
IPMARK Target (IPMARK_TARGET): Not available
IPP2P Match (IPP2P_MATCH): Not available
IP range Match(IPRANGE_MATCH): Available
Ipset Match Counters (IPSET_MATCH_COUNTERS): Available
Ipset Match (IPSET_MATCH): Available
Ipset Match Nomatch (IPSET_MATCH_NOMATCH): Available
ipset V5 (IPSET_V5): Available
iptables -S (IPTABLES_S): Available
iptables --wait option (WAIT_OPTION): Available
IRC-0 Helper: Not available
IRC Helper: Available
Kernel Version (KERNELVERSION): 40408
LOGMARK Target (LOGMARK_TARGET): Not available
LOG Target (LOG_TARGET): Available
Mangle FORWARD Chain (MANGLE_FORWARD): Available
Mark in the filter table (MARK_ANYWHERE): Available
MARK Target (MARK): Available
MASQUERADE Target (MASQUERADE_TGT): Available
Multi-port Match (MULTIPORT): Available
NAT (NAT_ENABLED): Available
Netbios_ns Helper: Available
New tos Match (NEW_TOS_MATCH): Available
NFAcct Match: Available
NFLOG Target (NFLOG_TARGET): Available
NFQUEUE Target (NFQUEUE_TARGET): Available
Owner Match (OWNER_MATCH): Available
Owner Name Match (OWNER_NAME_MATCH): Available
Packet length Match (LENGTH_MATCH): Available
Packet Mangling (MANGLE_ENABLED): Available
Packet Type Match (USEPKTTYPE): Available
Persistent SNAT (PERSISTENT_SNAT): Available
Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
Physdev Match (PHYSDEV_MATCH): Available
Policy Match (POLICY_MATCH): Available
PPTP Helper: Available
Rawpost Table (RAWPOST_TABLE): Not available
Raw Table (RAW_TABLE): Available
Realm Match (REALM_MATCH): Available
Recent Match "--reap" option (REAP_OPTION): Available
Recent Match (RECENT_MATCH): Available
Repeat match (KLUDGEFREE): Available
RPFilter Match (RPFILTER_MATCH): Available
SANE-0 Helper: Not available
SANE Helper: Available
SIP-0 Helper: Not available
SIP Helper: Available
SNMP Helper: Available
Statistic Match (STATISTIC_MATCH): Available
TARPIT Target (TARPIT_TARGET): Not available
TCPMSS Match (TCPMSS_MATCH): Available
TCPMSS Target (TCPMSS_TARGET): Available
TFTP-0 Helper: Not available
TFTP Helper: Available
Time Match (TIME_MATCH): Available
TPROXY Target (TPROXY_TARGET): Available
UDPLITE Port Redirection (UDPLITEREDIRECT): Not available
ULOG Target (ULOG_TARGET): Not available
Netid State Recv-Q Send-Q Local Address:Port Peer
Address:Port
udp UNCONN 0 0 *:68 *:*
users:(("dhclient",pid=608,fd=6))
udp UNCONN 0 0 *:111 *:*
users:(("rpcbind",pid=1117,fd=6))
udp UNCONN 0 0 *:12408 *:*
users:(("dhclient",pid=608,fd=20))
udp UNCONN 0 0 192.168.178.10:123 *:*
users:(("ntpd",pid=1419,fd=22))
udp UNCONN 0 0 10.1.0.1:123 *:*
users:(("ntpd",pid=1419,fd=21))
udp UNCONN 0 0 10.0.0.1:123 *:*
users:(("ntpd",pid=1419,fd=20))
udp UNCONN 0 0 217.8.xx.xx:123 *:*
users:(("ntpd",pid=1419,fd=19))
udp UNCONN 0 0 127.0.0.1:123 *:*
users:(("ntpd",pid=1419,fd=18))
udp UNCONN 0 0 *:123 *:*
users:(("ntpd",pid=1419,fd=16))
udp UNCONN 0 0 *:855 *:*
users:(("rpcbind",pid=1117,fd=7))
udp UNCONN 0 0 127.0.0.1:937 *:*
users:(("rpc.statd",pid=1185,fd=5))
udp UNCONN 0 0 *:54410 *:*
users:(("rpc.statd",pid=1185,fd=8))
udp UNCONN 0 0 *:56947 *:*
users:(("systemd-timesyn",pid=559,fd=13))
tcp LISTEN 0 128 127.0.0.1:85 *:*
users:(("pvedaemon worke",pid=27713,fd=6),("pvedaemon
worke",pid=5690,fd=6),("pvedaemon
worke",pid=4751,fd=6),("pvedaemon",pid=1896,fd=6))
tcp LISTEN 0 128 *:3128 *:*
users:(("spiceproxy work",pid=4427,fd=6),("spiceproxy",pid=4426,fd=6))
tcp LISTEN 0 128 *:58936 *:*
users:(("rpc.statd",pid=1185,fd=9))
tcp LISTEN 0 100 10.0.0.1:4505 *:*
users:(("salt-master",pid=26573,fd=17))
tcp LISTEN 0 100 127.0.0.1:25 *:*
users:(("master",pid=1700,fd=12))
tcp LISTEN 0 100 10.0.0.1:4506 *:*
users:(("salt-master",pid=26636,fd=25))
tcp LISTEN 0 128 *:8006 *:*
users:(("pveproxy worker",pid=4411,fd=6),("pveproxy
worker",pid=4410,fd=6),("pveproxy
worker",pid=4409,fd=6),("pveproxy",pid=4408,fd=6))
tcp LISTEN 0 128 *:2214 *:*
users:(("sshd",pid=1296,fd=3))
tcp LISTEN 0 1 127.0.0.1:61000 *:*
users:(("kvm",pid=25295,fd=20))
tcp LISTEN 0 5 127.0.0.1:5900 *:*
users:(("lxc-console",pid=7556,fd=4),("dtach",pid=7555,fd=4))
tcp LISTEN 0 5 127.0.0.1:5901 *:*
users:(("lxc-console",pid=10794,fd=4),("dtach",pid=10793,fd=4))
tcp LISTEN 0 128 *:111 *:*
users:(("rpcbind",pid=1117,fd=8))
tcp LISTEN 0 5 127.0.0.1:7634 *:*
users:(("hddtemp",pid=1488,fd=0))
tcp ESTAB 0 0 192.168.178.10:2214
192.168.178.49:58606
users:(("sshd",pid=29966,fd=3),("sshd",pid=29917,fd=3))
tcp ESTAB 0 0 10.0.0.1:60490 10.0.0.253:22253
users:(("ssh",pid=8266,fd=3))
tcp ESTAB 0 0 10.0.0.1:56468 10.0.0.2:2202
users:(("ssh",pid=20250,fd=3))
tcp ESTAB 0 0 10.0.0.1:56160 10.0.0.252:22252
users:(("ssh",pid=9450,fd=3))
tcp ESTAB 0 0 10.1.0.1:42714 10.1.0.11:2211
users:(("ssh",pid=11535,fd=3))
Traffic Control
Device lo:
qdisc noqueue 0: root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device eth0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 77189170 bytes 1119098 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device eth1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 1805604558 bytes 5607900 pkt (dropped 0, overlimits 0 requeues 194)
backlog 0b 0p requeues 194
Device eth2:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device vmbr0:
qdisc noqueue 0: root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device vmbr1:
qdisc noqueue 0: root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device vmbr2:
qdisc noqueue 0: root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device tap123i0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 1703379867 bytes 4735266 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device tap121i0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1
1 1
Sent 637493119 bytes 2885228 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device veth102i0:
qdisc noqueue 0: root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device veth101i0:
qdisc noqueue 0: root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device veth100i0:
qdisc noqueue 0: root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device veth111i0:
qdisc noqueue 0: root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
TC Filters
Device lo:
Device eth0:
Device eth1:
Device eth2:
Device vmbr0:
Device vmbr1:
Device vmbr2:
Device tap123i0:
Device tap121i0:
Device veth102i0:
Device veth101i0:
Device veth100i0:
Device veth111i0:
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
