[Shorewall-newbies] No access from loc to net

motiv8d forumshelp at isbest.biz
Sat Mar 13 14:02:00 PST 2004


I have just set up Shorewall. I seem to have a problem with forwarding.
When I am using the firewall box, I can connect to the net, ping, etc.
When I am using a PC on the local network I cannot ping externally or
access the internet. I can, however, ping the fw.
I noticed when Shorewall was starting that the 3 zones were all listed
as 0.0.0.0/0, so I added entries in ./shorewall/hosts for the correct
zones. I am not sure if I have done the right thing there or not;
however, it didn't solve my problem. I still cannot get access to the net
from loc.

The relevant files, etc., are below, if someone would be so kind as to sift
through them and let me know what is likely wrong. BTW, I am using Debian
sid.
Thanks

root at chewy:/etc/shorewall# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:b3:b7:13:8e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.254/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:dc:e0:f5:82 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.254/24 brd 10.255.255.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:09:5b:1b:70:65 brd ff:ff:ff:ff:ff:ff
    inet 10.10.11.254/24 brd 10.255.255.255 scope global eth2
root at chewy:/etc/shorewall# ip route show
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.254
10.10.10.0/24 dev eth1  proto kernel  scope link  src 10.10.10.254
10.10.11.0/24 dev eth2  proto kernel  scope link  src 10.10.11.254
default via 192.168.0.1 dev eth0
root at chewy:/etc/shorewall# shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net loc dmz
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth1:10.10.10.0/24 eth1:0.0.0.0/0
   DMZ Zone: eth2:10.10.11.0/24 eth2:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Setting up Accounting...
Setting up User Sets...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Setting up Kernel Route Filtering...
Processing /etc/shorewall/tunnels...
Processing Actions...
Processing /etc/shorewall/rules...
   Rule "ACCEPT fw net tcp 53" added.
   Rule "ACCEPT fw net udp 53" added.
   Rule "ACCEPT fw loc tcp 53" added.
   Rule "ACCEPT fw loc udp 53" added.
   Rule "ACCEPT loc fw tcp 22" added.
   Rule "ACCEPT loc dmz tcp 22" added.
   Rule "ACCEPT dmz net tcp 53" added.
   Rule "ACCEPT dmz net udp 53" added.
   Rule "ACCEPT net fw icmp 8" added.
   Rule "ACCEPT loc fw icmp 8" added.
   Rule "ACCEPT dmz fw icmp 8" added.
   Rule "ACCEPT loc dmz icmp 8" added.
   Rule "ACCEPT dmz loc icmp 8" added.
   Rule "ACCEPT dmz net icmp 8" added.
   Rule "ACCEPT fw loc icmp 8" added.
   Rule "ACCEPT fw dmz icmp 8" added.
   Rule "ACCEPT net dmz icmp 8" added.
   Rule "ACCEPT net loc icmp 8" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to net using chain fw2net
   Policy REJECT for fw to loc using chain all2all
   Policy REJECT for fw to dmz using chain all2all
   Policy DROP for net to fw using chain net2all
   Policy DROP for net to loc using chain net2all
   Policy DROP for net to dmz using chain net2all
   Policy REJECT for loc to fw using chain all2all
   Policy ACCEPT for loc to net using chain loc2net
   Policy REJECT for loc to dmz using chain all2all
   Policy REJECT for dmz to fw using chain all2all
   Policy ACCEPT for dmz to net using chain dmz2net
   Policy REJECT for dmz to loc using chain all2all
Masqueraded Subnets and Hosts:
   To 0.0.0.0/0 from 10.10.10.0/24 through eth0
   To 0.0.0.0/0 from 10.10.11.0/24 through eth0
Processing /etc/shorewall/tos...
   Rule "all all tcp - ssh 16" added.
   Rule "all all tcp ssh - 16" added.
   Rule "all all tcp - ftp 16" added.
   Rule "all all tcp ftp - 16" added.
   Rule "all all tcp ftp-data - 8" added.
   Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Started


hosts file:
#ZONE           HOST(S)                         OPTIONS
dmz             eth2:10.10.11.0/24
loc             eth1:10.10.10.0/24
fw              eth0:192.168.0.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE


policy file:
###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw              net             ACCEPT
# Also If You Wish To Open Up DMZ Access To The Internet
# remove the comment from the following line.
dmz             net             ACCEPT
#
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


rules file:
##############################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE    USER
#                                                       PORT    PORT(S)         DEST            LIMIT   SET
#
#       Accept DNS connections from the firewall to the Internet
#
ACCEPT          fw              net             tcp     53
ACCEPT          fw              net             udp     53
#
#
#       Accept DNS connections from the local network to the firewall
#
ACCEPT          fw              loc             tcp     53
ACCEPT          fw              loc             udp     53
#
#       Accept SSH connections from the local network to the firewall and DMZ
#
ACCEPT          loc             fw              tcp     22
ACCEPT          loc             dmz             tcp     22
#
#       Accept SSH connections from the net to the firewall and DMZ
#
#ACCEPT         net             fw              tcp     22
#
#
#       DMZ DNS access to the Internet
#
ACCEPT          dmz             net             tcp     53
ACCEPT          dmz             net             udp     53
#
#       Make ping work bi-directionally between the dmz, net, Firewall and local zone
#       (assumes that the loc-> net policy is ACCEPT).
#
ACCEPT          net             fw              icmp    8
ACCEPT          loc             fw              icmp    8
ACCEPT          dmz             fw              icmp    8
ACCEPT          loc             dmz             icmp    8
ACCEPT          dmz             loc             icmp    8
ACCEPT          dmz             net             icmp    8
ACCEPT          fw              loc             icmp    8
ACCEPT          fw              dmz             icmp    8
ACCEPT          net             dmz             icmp    8       # Only with Proxy ARP and
ACCEPT          net             loc             icmp    8       # static NAT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


masq file:
##############################################################################
#INTERFACE              SUBNET          ADDRESS
eth0                    eth1
eth0                    eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE



-------------- next part --------------
Shorewall-1.4.10c Status at chewy - Sat Mar 13 22:50:59 CET 2004

Counters reset Sat Mar 13 22:46:48 CET 2004

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
   30  3376 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
   23  1586 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 1 packets, 124 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
   20  2656 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
   10   828 fw2loc     all  --  *      eth1    0.0.0.0/0            10.10.10.0/24       
   28  3808 fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 fw2dmz     all  --  *      eth2    0.0.0.0/0            10.10.11.0/24       
    0     0 fw2dmz     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0           
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain all2all (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   48  5214 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   35  4260 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:' 
   35  4260 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135 
    3   234 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900 
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255     
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4         
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 state NEW 
    0     0 DROP       icmp --  *      *       0.0.0.0              0.0.0.0/0           
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0             
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x10/0x10 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x04/0x04 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x01/0x01 
   40  4096 DROP       all  --  *      *       0.0.0.0/0            192.168.0.255       
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.10.10.255        
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.10.11.255        

Chain dmz2fw (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain dmz2loc (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain dmz2net (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain dmz_frwd (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dmz2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 dmz2loc    all  --  *      eth1    0.0.0.0/0            10.10.10.0/24       
    0     0 dmz2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      eth2    0.0.0.0/0            10.10.11.0/24       
    0     0 ACCEPT     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0           

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 net2loc    all  --  *      eth1    0.0.0.0/0            10.10.10.0/24       
    0     0 net2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 net2dmz    all  --  *      eth2    0.0.0.0/0            10.10.11.0/24       
    0     0 net2dmz    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0           

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   30  3376 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
   30  3376 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 loc_frwd   all  --  *      *       10.10.10.0/24        0.0.0.0/0           
    0     0 loc_frwd   all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   23  1586 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
   13   866 loc2fw     all  --  *      *       10.10.10.0/24        0.0.0.0/0           
   10   720 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain eth2_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 dmz_frwd   all  --  *      *       10.10.11.0/24        0.0.0.0/0           
    0     0 dmz_frwd   all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain eth2_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 dmz2fw     all  --  *      *       10.10.11.0/24        0.0.0.0/0           
    0     0 dmz2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fw2dmz (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fw2loc (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   10   828 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
   28  3808 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53 
   20  2656 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain loc2dmz (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain loc2fw (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    3   180 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
   20  1406 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain loc_frwd (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            10.10.10.0/24       
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 loc2dmz    all  --  *      eth2    0.0.0.0/0            10.10.11.0/24       
    0     0 loc2dmz    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0           

Chain net2all (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   30  3376 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net2dmz (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
   30  3376 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net2loc (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain reject (5 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast 
    0     0 DROP       all  --  *      *       192.168.0.255        0.0.0.0/0           
    0     0 DROP       all  --  *      *       10.10.10.255         0.0.0.0/0           
    0     0 DROP       all  --  *      *       10.10.11.255         0.0.0.0/0           
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0           
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0           
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
   35  4260 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-unreachable 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Mar 13 22:48:46 all2all:REJECT:IN=eth1 OUT= SRC=10.10.10.100 DST=10.10.10.254 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=43324 PROTO=UDP SPT=1027 DPT=53 LEN=42 
Mar 13 22:48:48 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32780 DPT=111 LEN=104 
Mar 13 22:48:50 all2all:REJECT:IN=eth1 OUT= SRC=10.10.10.100 DST=10.10.10.254 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=43326 PROTO=UDP SPT=1027 DPT=53 LEN=42 
Mar 13 22:48:50 all2all:REJECT:IN=eth1 OUT= SRC=10.10.10.100 DST=10.10.10.254 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=43327 PROTO=UDP SPT=1027 DPT=53 LEN=42 
Mar 13 22:48:53 all2all:REJECT:IN=eth1 OUT= SRC=10.10.10.100 DST=10.10.10.254 LEN=72 TOS=0x00 PREC=0x00 TTL=128 ID=43328 PROTO=UDP SPT=1027 DPT=53 LEN=52 
Mar 13 22:48:58 all2all:REJECT:IN=eth1 OUT= SRC=10.10.10.100 DST=10.10.10.254 LEN=63 TOS=0x00 PREC=0x00 TTL=128 ID=43332 PROTO=UDP SPT=1027 DPT=53 LEN=43 
Mar 13 22:48:58 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=145 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=125 
Mar 13 22:48:58 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=145 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=125 
Mar 13 22:49:08 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32780 DPT=111 LEN=104 
Mar 13 22:49:28 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32780 DPT=111 LEN=104 
Mar 13 22:49:29 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=145 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=125 
Mar 13 22:49:29 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=145 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=125 
Mar 13 22:49:48 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32780 DPT=111 LEN=104 
Mar 13 22:50:00 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=145 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=125 
Mar 13 22:50:00 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=145 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=125 
Mar 13 22:50:08 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32780 DPT=111 LEN=104 
Mar 13 22:50:28 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32780 DPT=111 LEN=104 
Mar 13 22:50:31 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=145 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=125 
Mar 13 22:50:31 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=145 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=125 
Mar 13 22:50:48 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32780 DPT=111 LEN=104 

NAT Table

Chain PREROUTING (policy ACCEPT 266 packets, 19353 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 304 packets, 37803 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    8  1168 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 561 packets, 72891 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       10.10.10.0/24        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      *       10.10.11.0/24        0.0.0.0/0           

Mangle Table

Chain PREROUTING (policy ACCEPT 3271 packets, 838K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   90  8894 pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 2546 packets, 746K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2216 packets, 541K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   58  7292 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 2644 packets, 599K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20 TOS set 0x08 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 TOS set 0x08 

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20 TOS set 0x08 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 TOS set 0x08 

udp      17 1 src=192.168.0.254 dst=192.168.0.255 sport=631 dport=631 [UNREPLIED] src=192.168.0.255 dst=192.168.0.254 sport=631 dport=631 use=1 
udp      17 18 src=192.168.0.254 dst=192.168.0.255 sport=32780 dport=111 [UNREPLIED] src=192.168.0.255 dst=192.168.0.254 sport=111 dport=32780 use=1 
udp      17 18 src=10.10.10.254 dst=10.255.255.255 sport=32780 dport=111 [UNREPLIED] src=10.255.255.255 dst=10.10.10.254 sport=111 dport=32780 use=1 
udp      17 24 src=192.168.0.1 dst=192.168.0.255 sport=520 dport=520 [UNREPLIED] src=192.168.0.255 dst=192.168.0.1 sport=520 dport=520 use=1 
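Added example (not part of the post above, and not Shorewall's own code): a small Python triage script that reads the LOG lines and the `ip addr` lines quoted in the post, groups the rejected flows by zone, evaluates each one against the posted rules and policy files in Shorewall's order (first matching rule, otherwise first matching policy), flags rejects for which an ACCEPT exists in the opposite direction, and checks each interface's broadcast address against its own prefix. Assumptions: eth0/eth1/eth2 belong to net/loc/dmz as the startup output shows; the evaluator handles TCP/UDP destination ports only and ignores ESTABLISHED/RELATED, ICMP and hosts-file subzones. The sample log and `ip addr` text are copied from the post and embedded so the script runs offline.

```python
"""Triage helper for the Shorewall status output quoted in the post above.

Added example, not code from the original post or from Shorewall. It parses
the netfilter LOG lines, evaluates each rejected flow against the posted rules
and policy (first matching rule, else first matching policy, Shorewall's order),
flags rejects that have an ACCEPT in the opposite direction, and checks the
posted `ip addr` lines for a broadcast address outside the interface's prefix.
Assumption: eth0/eth1/eth2 belong to net/loc/dmz, as the startup output shows.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: LOG lines copied from the post.
SAMPLE_LOG = """\
Mar 13 22:48:46 all2all:REJECT:IN=eth1 OUT= SRC=10.10.10.100 DST=10.10.10.254 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=43324 PROTO=UDP SPT=1027 DPT=53 LEN=42
Mar 13 22:48:48 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=124 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32780 DPT=111 LEN=104
Mar 13 22:48:50 all2all:REJECT:IN=eth1 OUT= SRC=10.10.10.100 DST=10.10.10.254 LEN=62 TOS=0x00 PREC=0x00 TTL=128 ID=43326 PROTO=UDP SPT=1027 DPT=53 LEN=42
Mar 13 22:48:58 all2all:REJECT:IN= OUT=eth1 SRC=10.10.10.254 DST=10.255.255.255 LEN=145 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=125
"""
# Constructed sample: the `inet` lines from the posted `ip addr show`.
SAMPLE_IP_ADDR = """\
    inet 192.168.0.254/24 brd 192.168.0.255 scope global eth0
    inet 10.10.10.254/24 brd 10.255.255.255 scope global eth1
    inet 10.10.11.254/24 brd 10.255.255.255 scope global eth2
"""
IFACE_ZONES = {"eth0": "net", "eth1": "loc", "eth2": "dmz"}
# Rules and policy as posted, comments stripped. The ICMP rules are left out
# because this evaluator only looks at TCP/UDP destination ports.
RULES = """
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT fw loc tcp 53
ACCEPT fw loc udp 53
ACCEPT loc fw tcp 22
ACCEPT loc dmz tcp 22
ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53
"""
POLICY = """
loc net ACCEPT
fw net ACCEPT
dmz net ACCEPT
net all DROP
all all REJECT
"""
LOG_RE = re.compile(r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=\S+ DST=\S+"
                    r".*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")

def _table(text):
    return [ln.split() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

def zone_for(iface):
    """An empty IN (or OUT) means the firewall itself received (or sent) the packet."""
    return "fw" if iface == "" else IFACE_ZONES[iface]

def parse_log(text):
    """Count rejected flows keyed by (src zone, dst zone, proto, dport)."""
    flows = Counter()
    for m in (LOG_RE.search(ln) for ln in text.splitlines()):
        if m:
            flows[(zone_for(m["in"]), zone_for(m["out"]), m["proto"].lower(), m["dpt"])] += 1
    return flows

def verdict(src, dst, proto, port):
    """First matching rule wins; otherwise the first matching policy line."""
    for action, rsrc, rdst, rproto, rport in _table(RULES):
        if (rsrc, rdst, rproto, rport) == (src, dst, proto, port):
            return action, f"rule {action} {rsrc} {rdst} {rproto} {rport}"
    for psrc, pdst, action in _table(POLICY):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action, f"policy {psrc} {pdst} {action}"
    return "DROP", "chain default"

def reversed_accept_exists(src, dst, proto, port):
    """True if the posted rules ACCEPT this service with SOURCE and DEST swapped."""
    return any(r == ["ACCEPT", dst, src, proto, port] for r in _table(RULES))

def broadcast_mismatches(text):
    """(iface, configured brd, expected brd) for interfaces whose brd is off-prefix."""
    bad = []
    for m in re.finditer(r"inet (\S+) brd (\S+) scope \S+ (\S+)", text):
        expect = ipaddress.ip_interface(m[1]).network.broadcast_address
        if ipaddress.ip_address(m[2]) != expect:
            bad.append((m[3], m[2], str(expect)))
    return bad

def triage(log_text=SAMPLE_LOG):
    """One line per rejected flow: the deciding rule/policy, plus a hint if it looks reversed."""
    lines = []
    for (src, dst, proto, port), n in sorted(parse_log(log_text).items()):
        action, why = verdict(src, dst, proto, port)
        hint = ""
        if action != "ACCEPT" and reversed_accept_exists(src, dst, proto, port):
            hint = f"  <- ACCEPT {dst} {src} {proto} {port} exists: direction reversed?"
        lines.append(f"{n}x {src}->{dst} {proto}/{port}: {action} ({why}){hint}")
    return lines

if __name__ == "__main__":
    print("\n".join(triage()))
    for iface, brd, expect in broadcast_mismatches(SAMPLE_IP_ADDR):
        print(f"{iface}: brd {brd} should be {expect}")
```

Run against the lines from the post, it reports the 10.10.10.100 -> 10.10.10.254 udp/53 queries as falling through to the `all all REJECT` policy while the rules file only carries `ACCEPT fw loc udp 53`: the two DNS rules under the comment "from the local network to the firewall" have SOURCE and DEST the wrong way round, so a loc client that uses the firewall as its resolver cannot resolve anything. It also reports eth1 and eth2 configured with brd 10.255.255.255 where a /24 wants 10.10.10.255 and 10.10.11.255; that is what the firewall's own port 111 and 631 broadcasts in the log are hitting, and it is noise rather than the cause. Neither finding explains the failed ping to an external address: every counter in the posted FORWARD chain is zero, so no packet from loc is being routed at all, which points at /proc/sys/net/ipv4/ip_forward (the IP_FORWARDING setting in shorewall.conf) or the client's default gateway rather than at the rules. The `fw` line in the posted hosts file had no visible effect either, since the startup output still lists the Net Zone as eth0:0.0.0.0/0.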

