[Shorewall-newbies] Shorewall on standalone DHCP system

Morten Bo Johansen nospam at mbjnet.dk
Mon Mar 15 11:39:56 PST 2004


Hi,


Actually I am not sure that I have any problems, but I have a
discomforting doubt that I might have, and basically I am looking for
someone to look me over the shoulder and tell me if what I am doing is
all right or not. I only very recently started to use shorewall on a
dial-up system, this being my first experience with firewalls. With
PPP the output of "shorewall hits" always showed a plethora of IP
addresses that had probed my ports, even if I was only online for
a few minutes at a time! It sort of reassured me that my firewall
was reacting.

A few weeks ago I said goodbye to dial-up and got myself a broadband
connection, and now it seems that hardly anyone ever probes my ports
anymore? For instance, today, where my system has been online for
about 8 hours, "shorewall hits" doesn't show a single probe!

I have a single computer where the NIC connects to a cable modem and I
get my IP address via DHCP. 

I have followed the QuickStart setup instructions for a standalone
system in /usr/share/doc/shorewall-doc/html/standalone.htm and copied
the example files from the one-interface setup into /etc/shorewall and
made a few modifications. In the file "interfaces" I have:

   net   eth0   detect   dhcp,tcpflags,blacklist,routefilter

In the file "rules" I have:

   ACCEPT   net  fw   icmp   8
   
   # Redirect certain "hostile" ports (ones we don't use and where probes are
   # immediately considered to be hostile in nature) to port 49999 where
   # Portsentry is configured to block the attacking IP addresses. Note that
   # addresses which are blocked will be dynamically unblocked five days later.
   # 
   # PORTSENTRY.
   REDIRECT        net     49999           tcp     23
   REDIRECT        net     49999           tcp     110
   REDIRECT        net     49999           tcp     111
   REDIRECT        net     49999           udp     111
   REDIRECT        net     49999           tcp     119
   REDIRECT        net     49999           tcp     143
   REDIRECT        net     49999           tcp     515
   REDIRECT        net     49999           tcp     1080
   REDIRECT        net     49999           tcp     1284
   REDIRECT        net     49999           tcp     1433
   REDIRECT        net     49999           tcp     1434
   REDIRECT        net     49999           tcp     3128
   REDIRECT        net     49999           tcp     12345
   REDIRECT        net     49999           tcp     27374


and then I have the script that was referenced in the shorewall
documentation 

  http://www.shorewall.net/pub/shorewall/contrib/PortsentryHOWTO.txt

to block the redirected ports with portsentry.

The other two files, "policy" and "zones" are unchanged from their
default. I have not changed anything else.

Here is some more information:

  # shorewall version
  1.4.10c
  
  # ip addr show
  1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
  2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:50:ba:bf:6c:7f brd ff:ff:ff:ff:ff:ff
      inet 10.3.52.53/21 brd 10.3.55.255 scope global eth0

  # sudo ip route show             
  10.3.48.0/21 via 10.3.52.53 dev eth0  scope link 
  10.3.48.0/21 dev eth0  proto kernel  scope link  src 10.3.52.53 
  default via 10.3.48.1 dev eth0 


I am also attaching the output of the command "shorewall status".

Like I said, I am not sure if anything is the matter. Maybe the lack
of activity on my ports is simply due to my system being less visible
to the Internet now than it used to be when I was on dial-up? The IP
address that I am assigned, 10.3.52.53, is not a "real" IP address
that anyone could use to contact my computer, is it? But still, there
have been a few probes on my ports, so at least my system is not
invisible to the predators out there.

Any comments are welcome.


Thanks,

Morten
-------------- next part --------------
Shorewall-1.4.10c Status at  - man mar 15 20:29:19 CET 2004

Counters reset Mon Mar 15 17:37:02 CET 2004

Chain INPUT (policy DROP 19 packets, 6232 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  918  357K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
39241   14M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  918  357K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp dpts:67:68 
 2248  256K fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain all2all (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02 
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain blacklst (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135 
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445 
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139 
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445 
    3   144 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900 
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255     
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4         
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 state NEW 
    1    52 DROP       all  --  *      *       0.0.0.0/0            10.3.55.255         

Chain dynamic (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       207.33.111.35        0.0.0.0/0           
    0     0 DROP       all  --  *      *       68.189.208.238       0.0.0.0/0           
    0     0 DROP       all  --  *      *       68.160.101.141       0.0.0.0/0           
    0     0 DROP       all  --  *      *       80.199.169.163       0.0.0.0/0           
    0     0 DROP       all  --  *      *       65.27.98.76          0.0.0.0/0           

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
36746   12M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
36746   12M blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
36742   12M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68 
 2357 1909K tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
 2499 1933K net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2101  247K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02 
  147  8828 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain logflags (5 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 4 level 6 prefix `Shorewall:logflags:DROP:' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net2all (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02 
    4   196 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2495 1932K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:49999 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:49999 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:49999 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:49999 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:49999 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:49999 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:49999 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:49999 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:49999 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:49999 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:49999 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:49999 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:49999 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:49999 
    4   196 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain newnotsyn (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:newnotsyn:DROP:' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain reject (11 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast 
    0     0 DROP       all  --  *      *       10.3.55.255          0.0.0.0/0           
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0           
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0           
    3   144 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-unreachable 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain tcpflags (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29 
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:0 flags:0x16/0x02 

Mar 13 15:00:11 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=3154 DF PROTO=TCP SPT=1154 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 13 15:00:12 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=3155 DF PROTO=TCP SPT=1154 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 13 15:00:14 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=3156 DF PROTO=TCP SPT=1154 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 13 15:00:18 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=3157 DF PROTO=TCP SPT=1154 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 13 15:00:26 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=3158 DF PROTO=TCP SPT=1154 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 13 15:00:41 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=3159 DF PROTO=TCP SPT=1154 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 13 15:01:13 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=3160 DF PROTO=TCP SPT=1154 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 13 15:02:16 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=3161 DF PROTO=TCP SPT=1154 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 13 20:07:29 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4835 DF PROTO=TCP SPT=1520 DPT=119 WINDOW=62928 RES=0x00 ACK RST URGP=0 
Mar 14 19:13:23 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=40803 DF PROTO=TCP SPT=1450 DPT=119 WINDOW=62928 RES=0x00 ACK PSH URGP=0 
Mar 14 19:13:23 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=40804 DF PROTO=TCP SPT=1450 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 14 19:13:23 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=40805 DF PROTO=TCP SPT=1450 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 14 19:13:23 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=40806 DF PROTO=TCP SPT=1450 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 14 19:13:24 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=40807 DF PROTO=TCP SPT=1450 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 14 19:13:26 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=40808 DF PROTO=TCP SPT=1450 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 14 19:13:30 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=40809 DF PROTO=TCP SPT=1450 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 14 19:13:37 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=40810 DF PROTO=TCP SPT=1450 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 14 19:13:52 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=40811 DF PROTO=TCP SPT=1450 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 14 19:14:22 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=40812 DF PROTO=TCP SPT=1450 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 
Mar 14 19:15:23 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=40813 DF PROTO=TCP SPT=1450 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0 

NAT Table

Chain PREROUTING (policy ACCEPT 25 packets, 7664 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   24  7336 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 225 packets, 13453 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 222 packets, 13333 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23 redir ports 49999 
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110 redir ports 49999 
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:111 redir ports 49999 
    0     0 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:111 redir ports 49999 
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:119 redir ports 49999 
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143 redir ports 49999 
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:515 redir ports 49999 
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1080 redir ports 49999 
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1284 redir ports 49999 
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1433 redir ports 49999 
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1434 redir ports 49999 
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128 redir ports 49999 
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12345 redir ports 49999 
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:27374 redir ports 49999 

Mangle Table

Chain PREROUTING (policy ACCEPT 40186 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination         
40161   14M pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 40186 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3166 packets, 613K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 3166  613K outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 3167 packets, 613K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20 TOS set 0x08 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 TOS set 0x08 

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20 TOS set 0x08 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 TOS set 0x08 

udp      17 29 src=10.3.48.1 dst=255.255.255.255 sport=67 dport=68 [UNREPLIED] src=255.255.255.255 dst=10.3.48.1 sport=68 dport=67 use=1 
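The log lines at the end of the attachment follow Shorewall's logging format: a prefix of the form `Shorewall:<chain>:<disposition>:` followed by the kernel's netfilter LOG fields (`IN=`, `OUT=`, `SRC=`, `DST=`, `PROTO=`, `SPT=`, `DPT=` and bare TCP flag tokens). The Python script below is an added illustration, not part of the original post and not Shorewall's own code. It parses such lines, separates packets this host generated itself (netfilter leaves `IN=` empty for those) from packets that arrived on an interface, lists inbound entries that are fresh connection attempts (SYN without ACK), and uses the standard `ipaddress` module to report whether each address is in private (RFC 1918 and similar) space. The first three sample lines are copied from the attachment; the fourth, an inbound SYN from a constructed address, is hypothetical and only there so both directions appear.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input. The first three lines are copied from the
# "shorewall status" attachment above; the fourth (an inbound SYN to port 135
# from a made-up address) is hypothetical, added so both directions are shown.
SAMPLE_LOG = """\
Mar 13 15:00:11 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=3154 DF PROTO=TCP SPT=1154 DPT=119 WINDOW=62928 RES=0x00 ACK PSH FIN URGP=0
Mar 13 20:07:29 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4835 DF PROTO=TCP SPT=1520 DPT=119 WINDOW=62928 RES=0x00 ACK RST URGP=0
Mar 14 19:13:23 gatsby Shorewall:newnotsyn:DROP:IN= OUT=eth0 SRC=10.3.52.53 DST=80.91.224.252 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=40803 DF PROTO=TCP SPT=1450 DPT=119 WINDOW=62928 RES=0x00 ACK PSH URGP=0
Mar 15 09:12:44 gatsby Shorewall:net2all:DROP:IN=eth0 OUT= SRC=10.3.49.7 DST=10.3.52.53 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=23 DF PROTO=TCP SPT=3312 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Shorewall 1.4 logs with the prefix "Shorewall:<chain>:<disposition>:",
# followed by netfilter's LOG output: KEY=value pairs plus bare tokens
# (DF and the TCP flags SYN, ACK, PSH, FIN, RST, URG).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value          # "IN=" yields an empty value
        elif token in TCP_FLAGS:
            flags.add(token)
    return {
        "ts": m.group("ts"),
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": flags,
    }


def direction(entry):
    """netfilter leaves IN empty for packets this host generated itself."""
    return "inbound" if entry["in"] else "outbound"


def is_new_inbound_attempt(entry):
    """A SYN without ACK arriving on an interface is a fresh connection
    attempt; ACK/RST/FIN traffic and locally generated drops are not."""
    return (direction(entry) == "inbound"
            and entry["proto"] == "TCP"
            and "SYN" in entry["flags"]
            and "ACK" not in entry["flags"])


def is_private_address(addr):
    """True for RFC 1918 and other non-globally-routed ranges (10/8 included)."""
    return ipaddress.ip_address(addr).is_private


def summarize(log_text):
    """Aggregate a block of log text into counts and the inbound attempts."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "total": len(entries),
        "by_direction": Counter(direction(e) for e in entries),
        "by_chain": Counter(e["chain"] for e in entries),
        "inbound_attempts": [(e["src"], e["proto"], e["dpt"])
                             for e in entries if is_new_inbound_attempt(e)],
        "private_sources": sorted({e["src"] for e in entries
                                   if is_private_address(e["src"])}),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} entries, {dict(s['by_direction'])}, "
          f"chains {dict(s['by_chain'])}")
    for src, proto, dpt in s["inbound_attempts"]:
        kind = "private" if is_private_address(src) else "public"
        print(f"inbound {proto} attempt from {src} ({kind}) to port {dpt}")
```

Run against the lines actually in the attachment, every entry has an empty `IN=` and the host's own address as `SRC=`, so the script classifies all of them as outbound drops from the `newnotsyn` chain rather than inbound probes; `ipaddress` reports 10.3.52.53 as a private address, since 10.0.0.0/8 is RFC 1918 space. Reading the logs this way, by direction and by chain, is a quicker check than counting `shorewall hits` entries, which only reflect what was logged.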

