[Shorewall-newbies] Shorewall 1.4.8 Debian setup problems

Michel D'Astous mdastous at cqmail.net
Sat Dec 13 10:37:01 PST 2003


Hello, and thank you for helping me, I really appreciate it.

OK...
- I don't know if eth1 has a static IP address; how can I verify this?

- If I put the line:
eth0                   eth1
in the masq file, I cannot start shorewall even if box B is offline.

Here are the last 10 lines of `shorewall debug start`:
++ ip route show dev eth1
++ read address rest
+ subnets=
+ '[' -z '' ']'
+ fatal_error 'Unable to determine the routes through interface eth1'
+ echo '   Error: Unable to determine the routes through interface eth1'
   Error: Unable to determine the routes through interface eth1
+ '[' start = check ']'
+ stop_firewall
+ set +x

At this point `ip addr show` gives:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:01:02:c8:72:9e brd ff:ff:ff:ff:ff:ff
    inet 66.130.132.35/24 brd 255.255.255.255 scope global eth0
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:50:fc:c3:5e:b3 brd ff:ff:ff:ff:ff:ff
5: tunl0 at NONE: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
6: gre0 at NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0

So I modified the masq file back to:
eth0                    192.168.1.0/24
and started shorewall and launched `ip addr show` (box B online):

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:01:02:c8:72:9e brd ff:ff:ff:ff:ff:ff
    inet 66.130.132.35/24 brd 255.255.255.255 scope global eth0
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:50:fc:c3:5e:b3 brd ff:ff:ff:ff:ff:ff
5: tunl0 at NONE: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
6: gre0 at NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0

Then I launched `shorewall clear`.
`ip addr show` (box B online):
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:01:02:c8:72:9e brd ff:ff:ff:ff:ff:ff
    inet 66.130.132.35/24 brd 255.255.255.255 scope global eth0
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:50:fc:c3:5e:b3 brd ff:ff:ff:ff:ff:ff
5: tunl0 at NONE: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
6: gre0 at NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0
I can tell you if I'm able to communicate with box B, because I don't know what
box B's IP address is.

ip addr show (box B offline):
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:01:02:c8:72:9e brd ff:ff:ff:ff:ff:ff
    inet 66.130.132.35/24 brd 255.255.255.255 scope global eth0
3: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:50:fc:c3:5e:b3 brd ff:ff:ff:ff:ff:ff
5: tunl0 at NONE: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
6: gre0 at NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0

Here are the contents of my interfaces file:
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,routefilter,norfc1918
loc     eth1            detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I don't know if it matters, but I'm able to ping 192.168.100.1 on box A.

Could you give me some information on how to connect box B to box A?

Thank you.


Quoting Alex Martin <shorewall at rettc.com>:

> Hello,
> Without box B online, and with the masq file like so: "eth0 eth1"
> Does shorewall start up fine?
>
> Does eth1 have a static ip?
>
> If the above answers are yes, I believe that you have an ip conflict.
> Check your IPs and netmasks of both box A and B.
>
> OR, after running "shorewall clear" (to remove all iptables
> entries) can you communicate normally between A and B with B online?
>
> You should learn the "ip" utility:
> $ ip addr show
>
> What does the above command say about eth1 when box b is not online?
>
> Also,
> Do you have "dhcp" and "rfc1918" set as options for eth0 in the
> interfaces file?
>
> Alex Martin
> http://www.rettc.com
>
>
>
>
> Michel D'Astous wrote:
>
> > Hi,
> >
> > I'm having problems setting up my firewall with shorewall, here are the details:
> > fresh install of Debian Sarge
> > linux 2.4.23 compiled with options explained on http://shorewall.net/kernel.htm
> > 2 ethernet cards well detected by kernel.
> >
> > Network setup: box A (firewall) connected to a cable modem (DHCP) on interface
> > eth0 and connected to box B (cross-over cable) on interface eth1.
> >
> > Setup based on Two-interface HOWTO and Sample config-files v1.4.8.
> >
> > The problems:
> > When launching /etc/init.d/shorewall start, I get (box B online):
> >
> > Masqueraded Subnets and Hosts:
> >    Error: Unable to determine the routes through interface eth1
> >
> > So I modified /etc/shorewall/masq from:
> > eth0                    eth1
> > to:
> > eth0                  192.168.1.0/24
> >
> > and shorewall started fine.
> >
> > But I don't see any IP address when running `ifconfig eth1` and I don't know
> > how to test my network.
> >
> > From this point, what should I do?
> > Could you tell me how to configure my linux box B to connect box A?
> >
> > File joined: status.txt
> >
> > Thanks in advance!
> > --
> > Michel D'Astous
> > mdastous at cqmail.net
> >
> >
> > ------------------------------------------------------------------------
> >
> > Shorewall-1.4.8 Status at fw - Fri Dec 12 18:58:02 EST 2003


--
Michel D'Astous
mdastous at cqmail.net
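The failure in the debug trace above, as an added example that is not part of the thread and not Shorewall's own script: a plain-sh mirror of the check `shorewall start` runs when the SUBNET column of /etc/shorewall/masq names an interface, plus a small diagnostic over `ip addr show` output that tells apart "no address", "down" and "ok". The loop structure is assumed from the `read address rest` lines in the trace, the function names are mine, and the route text and the eth2 entry are constructed sample input so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread and not Shorewall's own script.
# With "eth0  eth1" in /etc/shorewall/masq, Shorewall 1.4 reads the routes
# through eth1 ("ip route show dev eth1") and masquerades those networks.
# An interface that is down and has no address, like eth1 in the listings
# above, has no routes, so the start aborts with the error from the trace.
# Assumptions: the loop mirrors the "read address rest" loop in the trace,
# the function names are mine, and the sample text below is constructed.

# Print the networks routed through an interface, one per line, reading the
# text of "ip route show dev <iface>" on stdin.  The default route is skipped
# because it names a gateway, not a network to masquerade.
routed_subnets() {
    while read -r address rest; do
        [ -z "$address" ] && continue
        [ "$address" = "default" ] && continue
        echo "$address"
    done
}

# The fatal check: print the subnet list, or fail with Shorewall's message
# when the interface has no routes at all.
check_masq_subnets() {
    iface="$1"
    subnets=$(routed_subnets)
    if [ -z "$subnets" ]; then
        echo "   Error: Unable to determine the routes through interface $iface" >&2
        return 1
    fi
    echo "$subnets"
}

# Diagnose one interface from the text of "ip addr show" on stdin.  Prints
# "missing" (no such interface), "noaddr" (no inet address configured),
# "down" (address present but link not UP) or "ok".  "noaddr" is what the
# listings in the thread show for eth1.
iface_state() {
    awk -v want="$1" '
        /^[0-9]+: / {
            cur = $2; sub(/[:@].*$/, "", cur)        # "eth1:" -> "eth1"
            if (cur == want) { seen = 1; up = ($3 ~ /[<,]UP[,>]/) }
            next
        }
        cur == want && $1 == "inet" { addr = $2 }
        END {
            if (!seen)      { print "missing"; exit }
            if (addr == "") { print "noaddr";  exit }
            if (!up)        { print "down";    exit }
            print "ok"
        }'
}

# Constructed samples.  ROUTES_ETH1_UP is what eth1 would show once it has
# an address on 192.168.1.0/24; ROUTES_ETH1_DOWN is the empty output seen in
# the trace.  ADDR_SAMPLE copies the eth0/eth1 entries from the listing
# above plus a made-up eth2 that has an address but is not UP.
ROUTES_ETH1_UP='192.168.1.0/24  proto kernel  scope link  src 192.168.1.1'
ROUTES_ETH1_DOWN=''
ADDR_SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:01:02:c8:72:9e brd ff:ff:ff:ff:ff:ff
    inet 66.130.132.35/24 brd 255.255.255.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:50:fc:c3:5e:b3 brd ff:ff:ff:ff:ff:ff
7: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth2'

demo() {
    echo "masq 'eth0 eth1' with eth1 configured:"
    printf '%s\n' "$ROUTES_ETH1_UP" | check_masq_subnets eth1
    echo "masq 'eth0 eth1' with eth1 as in the thread:"
    printf '%s\n' "$ROUTES_ETH1_DOWN" | check_masq_subnets eth1 \
        || echo "   (shorewall start would stop here)"
    for i in eth0 eth1 eth2; do
        echo "$i: $(printf '%s\n' "$ADDR_SAMPLE" | iface_state "$i")"
    done
}

demo
```

On a real box, replace the samples with `ip route show dev eth1 | check_masq_subnets eth1` and `ip addr show | iface_state eth1`; "noaddr" means the masq line will fail for exactly the reason in the trace until eth1 is given an address.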

