Hi Tom,
It's looking good. See attached 'iptables -L' listings.
The diff is below, after I did a 'shorewall restart'. It looks like all
the chains are in place correctly now.
Many thanks,
Tony.
16d15
< ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
17a17
> ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
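Review bot: the 16d15/17a17 pair is a one-position reorder, not a lost rule: the FORWARD chain's `ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED` entry is deleted at old line 16 and re-added at new line 17, so in the first per-bridge group it now comes after the adjacent `DOCKER` jump instead of before it, while the other two groups in both attached listings keep the order `ACCEPT ... ctstate RELATED,ESTABLISHED` then `DOCKER`. With the DOCKER chain shown here containing only ACCEPT rules (no DROP), the swap does not change which packets are accepted, since non-matching packets return from DOCKER and hit the ctstate ACCEPT next; it is still worth confirming that the patch produces this ordering on purpose rather than as a side effect, because the first group is now inconsistent with the other two.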
131c131
< Chain sha-lh-dc82ddbfc1ff233a2203 (0 references)
---
> Chain sha-lh-a0652eab941fa6c7eedb (0 references)
134c134
< Chain sha-rh-02fa7900a82998b95fdd (0 references)
---
> Chain sha-rh-e1f1a7a5a348ec6d419c (0 references)
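Review bot: the 131c131 and 134c134 hunks carry no rule changes; they only rename the `sha-lh-*` and `sha-rh-*` chains, which in both listings are empty and show `(0 references)`. The hash suffix differs between the two listings, so these lines will appear in any such comparison; filtering them out before diffing, for example `diff <(grep -v '^Chain sha-' before.txt) <(grep -v '^Chain sha-' after.txt)`, leaves only the real rule change above.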
On 28/10/2018 16:20, Tom Eastep wrote:
The attached patch should fix that. -Tom
Chain INPUT (policy DROP)
target prot opt source destination
~comb0 all -- anywhere anywhere
net-fw all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "INPUT DROP "
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
dock_frwd all -- anywhere anywhere
net-dock all -- anywhere anywhere
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "FORWARD REJECT "
reject all -- anywhere anywhere [goto]
Chain OUTPUT (policy DROP)
target prot opt source destination
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain DOCKER (4 references)
target prot opt source destination
ACCEPT udp -- anywhere 172.24.0.2 udp dpt:domain
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:https
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain dock_frwd (1 references)
target prot opt source destination
~comb0 all -- anywhere anywhere
~comb0 all -- anywhere anywhere
Chain dynamic (3 references)
target prot opt source destination
Chain logdrop (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain logflags (7 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info ip-options prefix "logflags DROP "
DROP all -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
reject all -- anywhere anywhere
Chain net-dock (1 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED match-set blocked src
sfilter all -- anywhere anywhere [goto]
DROP all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED match-set blocked src
dynamic all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "net-dock DROP "
DROP all -- anywhere anywhere
Chain net-fw (1 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED match-set blocked src
dynamic all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports
ssh,2376 /* SSH and others */
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "net-fw DROP "
DROP all -- anywhere anywhere
Chain reject (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match
src-type BROADCAST
DROP all -- base-address.mcast.net/4 anywhere
DROP igmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with
tcp-reset
REJECT udp -- anywhere anywhere reject-with
icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with
icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited
Chain sfilter (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "sfilter DROP "
DROP all -- anywhere anywhere
Chain sha-lh-a0652eab941fa6c7eedb (0 references)
target prot opt source destination
Chain sha-rh-e1f1a7a5a348ec6d419c (0 references)
target prot opt source destination
Chain shorewall (0 references)
target prot opt source destination
all -- anywhere anywhere recent: SET name:
%CURRENTTIME side: source mask: 255.255.255.255
Chain tcpflags (3 references)
target prot opt source destination
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere [goto] tcp
flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,RST/FIN,RST
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,PSH,ACK/FIN,PSH
logflags tcp -- anywhere anywhere [goto] tcp spt:0
flags:FIN,SYN,RST,ACK/SYN
Chain ~comb0 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED match-set blocked src
dynamic all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain INPUT (policy DROP)
target prot opt source destination
~comb0 all -- anywhere anywhere
net-fw all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "INPUT DROP "
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
dock_frwd all -- anywhere anywhere
net-dock all -- anywhere anywhere
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "FORWARD REJECT "
reject all -- anywhere anywhere [goto]
Chain OUTPUT (policy DROP)
target prot opt source destination
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain DOCKER (4 references)
target prot opt source destination
ACCEPT udp -- anywhere 172.24.0.2 udp dpt:domain
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:https
ACCEPT tcp -- anywhere 172.18.0.2 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain dock_frwd (1 references)
target prot opt source destination
~comb0 all -- anywhere anywhere
~comb0 all -- anywhere anywhere
Chain dynamic (3 references)
target prot opt source destination
Chain logdrop (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain logflags (7 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info ip-options prefix "logflags DROP "
DROP all -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
reject all -- anywhere anywhere
Chain net-dock (1 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED match-set blocked src
sfilter all -- anywhere anywhere [goto]
DROP all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED match-set blocked src
dynamic all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "net-dock DROP "
DROP all -- anywhere anywhere
Chain net-fw (1 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED match-set blocked src
dynamic all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports
ssh,2376 /* SSH and others */
DROP all -- anywhere anywhere ADDRTYPE match
dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type ANYCAST
DROP all -- anywhere anywhere ADDRTYPE match
dst-type MULTICAST
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "net-fw DROP "
DROP all -- anywhere anywhere
Chain reject (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match
src-type BROADCAST
DROP all -- base-address.mcast.net/4 anywhere
DROP igmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with
tcp-reset
REJECT udp -- anywhere anywhere reject-with
icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with
icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with
icmp-host-prohibited
Chain sfilter (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: up to
1/sec burst 10 mode srcip LOG level info prefix "sfilter DROP "
DROP all -- anywhere anywhere
Chain sha-lh-dc82ddbfc1ff233a2203 (0 references)
target prot opt source destination
Chain sha-rh-02fa7900a82998b95fdd (0 references)
target prot opt source destination
Chain shorewall (0 references)
target prot opt source destination
all -- anywhere anywhere recent: SET name:
%CURRENTTIME side: source mask: 255.255.255.255
Chain tcpflags (3 references)
target prot opt source destination
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere [goto] tcp
flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,RST/FIN,RST
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere [goto] tcp
flags:FIN,PSH,ACK/FIN,PSH
logflags tcp -- anywhere anywhere [goto] tcp spt:0
flags:FIN,SYN,RST,ACK/SYN
Chain ~comb0 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED match-set blocked src
dynamic all -- anywhere anywhere ctstate
INVALID,NEW,UNTRACKED
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users