[Shorewall-users] ADSL router, two nics, web server not visible from internet

Chris Meadows chrismeadows at yahoo.com
Tue Aug 26 07:07:52 PDT 2003


I have an ADSL router, a linux box with two NICS connected to the
router and another PC connected to the router.

I installed shorewall using the two interface method.

I can ping and see the webserver on the linux box from the local
network, but not from the internet.

Sys info as follows:

[root@wilma root]# shorewall version
1.4.6b

[root@wilma root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:46:2d:1f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:f4:60:a1:78 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.4/24 brd 192.168.0.255 scope global eth1


[root@wilma root]# ip route show
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.2
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.4
127.0.0.0/8 dev lo  scope link
default via 192.168.0.1 dev eth0

Attached is the shorewall status output after a 'shorewall reset', then
a ping from the internet.


My nat file hasn't changed.
My policy file hasn't changed other than allowing fw -> net.
My rules file is also attached.


I read the following snippet on the Shorewall website:

----
Many times when people have problems with Shorewall, the problem is
actually an ill-conceived network setup. Here are several popular
snafus:

    * Port Forwarding where client and server are in the same subnet.
See FAQ 2.
    * Changing the IP address of a local system to be in the external
subnet, thinking that Shorewall will suddenly believe that the system
is in the 'net' zone.
    * Multiple interfaces connected to the same HUB or Switch. Given
the way that the Linux kernel responds to ARP "who-has" requests, this
type of setup does NOT work the way that you expect it to.

----

So I guess I'm breaking the third point, but the website doesn't say
that this setup can't be made to work, it just says that it doesn't
work the way you expect it to.

Any help much appreciated

Regards,


Chris

-------------- next part --------------
Shorewall-1.4.6b Status at wilma - Tue Aug 26 12:10:49 BST 2003

Counters reset Tue Aug 26 12:08:51 BST 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID 
    6   312 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0          
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID 
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0          
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0          
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID 
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0          udp dpts:67:68 
   12  1366 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0          
    0     0 fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0          
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain all2all (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:135 
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpts:137:139 
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:445 
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:139 
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:445 
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:135 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:1900 
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255    
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4        
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:113 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spt:53 state NEW 
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.0.255      
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.0.255      

Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW 
    0     0 net2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0          

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    6   312 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpts:67:68 
    0     0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW 
    6   312 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0          

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpts:137:139 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpts:137:139 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:445 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp spt:137 dpts:1024:65535 
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    8   416 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:53 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:53 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8 
    4   950 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:22 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:443 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpts:137:139 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpts:137:139 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:445 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp spt:137 dpts:1024:65535 
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain logdrop (30 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain net2all (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    6   312 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 8 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:443 
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain net2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.4        state NEW tcp dpt:80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.4        state NEW tcp dpt:443 
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain newnotsyn (8 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:newnotsyn:DROP:' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain reject (11 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with tcp-reset 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable 
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-unreachable 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited 

Chain rfc1918 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       255.255.255.255      0.0.0.0/0          
    0     0 DROP       all  --  *      *       169.254.0.0/16       0.0.0.0/0          
    0     0 logdrop    all  --  *      *       172.16.0.0/12        0.0.0.0/0          
    0     0 logdrop    all  --  *      *       192.0.2.0/24         0.0.0.0/0          
    0     0 logdrop    all  --  *      *       192.168.0.0/16       0.0.0.0/0          
    0     0 logdrop    all  --  *      *       0.0.0.0/7            0.0.0.0/0          
    0     0 logdrop    all  --  *      *       2.0.0.0/8            0.0.0.0/0          
    0     0 logdrop    all  --  *      *       5.0.0.0/8            0.0.0.0/0          
    0     0 logdrop    all  --  *      *       7.0.0.0/8            0.0.0.0/0          
    0     0 logdrop    all  --  *      *       10.0.0.0/8           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       23.0.0.0/8           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       27.0.0.0/8           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       31.0.0.0/8           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       36.0.0.0/7           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       39.0.0.0/8           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       41.0.0.0/8           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       42.0.0.0/8           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       49.0.0.0/8           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       50.0.0.0/8           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       58.0.0.0/7           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       60.0.0.0/8           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       70.0.0.0/7           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       72.0.0.0/5           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       83.0.0.0/8           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       84.0.0.0/6           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       88.0.0.0/5           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       96.0.0.0/3           0.0.0.0/0          
    0     0 logdrop    all  --  *      *       127.0.0.0/8          0.0.0.0/0          
    0     0 logdrop    all  --  *      *       197.0.0.0/8          0.0.0.0/0          
    0     0 logdrop    all  --  *      *       198.18.0.0/15        0.0.0.0/0          
    0     0 logdrop    all  --  *      *       201.0.0.0/8          0.0.0.0/0          
    0     0 logdrop    all  --  *      *       240.0.0.0/4          0.0.0.0/0          

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Aug 26 11:53:48 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.3 DST=192.168.0.255 LEN=235 TOS=0x00 PREC=0x00 TTL=128 ID=3300 PROTO=UDP SPT=138 DPT=138 LEN=215 
Aug 26 11:53:49 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=204 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=9 DPT=138 LEN=184 
Aug 26 11:53:49 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.3 DST=192.168.0.255 LEN=235 TOS=0x00 PREC=0x00 TTL=128 ID=3301 PROTO=UDP SPT=138 DPT=138 LEN=215 
Aug 26 11:53:49 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221 
Aug 26 11:53:49 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=234 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 
Aug 26 11:53:49 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=9 DPT=138 LEN=221 
Aug 26 11:53:49 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=234 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=9 DPT=138 LEN=214 
Aug 26 11:58:05 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221 
Aug 26 11:58:05 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=234 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 
Aug 26 11:58:05 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=11 DPT=138 LEN=221 
Aug 26 11:58:05 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=234 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=11 DPT=138 LEN=214 
Aug 26 12:03:06 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221 
Aug 26 12:03:06 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=234 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 
Aug 26 12:03:06 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=12 DPT=138 LEN=221 
Aug 26 12:03:06 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=234 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=12 DPT=138 LEN=214 
Aug 26 12:05:46 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.3 DST=192.168.0.255 LEN=235 TOS=0x00 PREC=0x00 TTL=128 ID=3827 PROTO=UDP SPT=138 DPT=138 LEN=215 
Aug 26 12:09:06 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221 
Aug 26 12:09:06 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=234 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=214 
Aug 26 12:09:06 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=13 DPT=138 LEN=221 
Aug 26 12:09:06 localhost Shorewall:logdrop:DROP:IN=eth0 OUT= SRC=192.168.0.2 DST=192.168.0.255 LEN=234 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=13 DPT=138 LEN=214 

NAT Table

Chain PREROUTING (policy ACCEPT 2 packets, 475 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   482 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0          

Chain OUTPUT (policy ACCEPT 2 packets, 482 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   482 MASQUERADE  all  --  *      *       192.168.0.0/24       0.0.0.0/0          

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:80 to:192.168.0.4:80 
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:443 to:192.168.0.4:443 

Mangle Table

Chain PREROUTING (policy ACCEPT 10 packets, 1262 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   950 man1918    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          state NEW 
   10  1262 pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain INPUT (policy ACCEPT 6 packets, 312 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 12 packets, 1366 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   12  1366 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain POSTROUTING (policy ACCEPT 16 packets, 2316 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain logdrop (30 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   950 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:' 
    4   950 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain man1918 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            255.255.255.255    
    0     0 DROP       all  --  *      *       0.0.0.0/0            169.254.0.0/16     
    0     0 logdrop    all  --  *      *       0.0.0.0/0            172.16.0.0/12      
    0     0 logdrop    all  --  *      *       0.0.0.0/0            192.0.2.0/24       
    4   950 logdrop    all  --  *      *       0.0.0.0/0            192.168.0.0/16     
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/7          
    0     0 logdrop    all  --  *      *       0.0.0.0/0            2.0.0.0/8          
    0     0 logdrop    all  --  *      *       0.0.0.0/0            5.0.0.0/8          
    0     0 logdrop    all  --  *      *       0.0.0.0/0            7.0.0.0/8          
    0     0 logdrop    all  --  *      *       0.0.0.0/0            10.0.0.0/8         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            23.0.0.0/8         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            27.0.0.0/8         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            31.0.0.0/8         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            36.0.0.0/7         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            39.0.0.0/8         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            41.0.0.0/8         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            42.0.0.0/8         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            49.0.0.0/8         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            50.0.0.0/8         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            58.0.0.0/7         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            60.0.0.0/8         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            70.0.0.0/7         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            72.0.0.0/5         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            83.0.0.0/8         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            84.0.0.0/6         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            88.0.0.0/5         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            96.0.0.0/3         
    0     0 logdrop    all  --  *      *       0.0.0.0/0            127.0.0.0/8        
    0     0 logdrop    all  --  *      *       0.0.0.0/0            197.0.0.0/8        
    0     0 logdrop    all  --  *      *       0.0.0.0/0            198.18.0.0/15      
    0     0 logdrop    all  --  *      *       0.0.0.0/0            201.0.0.0/8        
    0     0 logdrop    all  --  *      *       0.0.0.0/0            240.0.0.0/4        

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08 

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08 
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08 

tcp      6 428859 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1028 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1028 [ASSURED] use=1 
tcp      6 428855 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1029 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1029 [ASSURED] use=1 
tcp      6 428855 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1030 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1030 [ASSURED] use=1 
tcp      6 428856 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1031 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1031 [ASSURED] use=1 
tcp      6 428856 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1032 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1032 [ASSURED] use=1 
tcp      6 428856 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1033 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1033 [ASSURED] use=1 
tcp      6 428856 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1034 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1034 [ASSURED] use=1 
tcp      6 428856 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1035 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1035 [ASSURED] use=1 
tcp      6 428856 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1036 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1036 [ASSURED] use=1 
tcp      6 428856 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1037 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1037 [ASSURED] use=1 
tcp      6 428891 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1038 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1038 [ASSURED] use=1 
tcp      6 428888 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1039 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1039 [ASSURED] use=1 
tcp      6 428888 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1040 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1040 [ASSURED] use=1 
tcp      6 428888 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1041 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1041 [ASSURED] use=1 
tcp      6 428888 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1042 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1042 [ASSURED] use=1 
tcp      6 428888 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1043 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1043 [ASSURED] use=1 
tcp      6 428888 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1044 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1044 [ASSURED] use=1 
tcp      6 428888 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1045 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1045 [ASSURED] use=1 
tcp      6 428888 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1046 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1046 [ASSURED] use=1 
tcp      6 428888 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=1047 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=1047 [ASSURED] use=1 
tcp      6 5 TIME_WAIT src=192.168.0.2 dst=193.108.93.106 sport=1093 dport=80 src=193.108.93.106 dst=192.168.0.2 sport=80 dport=1093 [ASSURED] use=1 
tcp      6 35 TIME_WAIT src=192.168.0.2 dst=193.108.93.114 sport=1089 dport=80 src=193.108.93.114 dst=192.168.0.2 sport=80 dport=1089 [ASSURED] use=1 
tcp      6 5 TIME_WAIT src=192.168.0.2 dst=193.108.93.114 sport=1090 dport=80 src=193.108.93.114 dst=192.168.0.2 sport=80 dport=1090 [ASSURED] use=1 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rules
Type: application/octet-stream
Size: 9192 bytes
Desc: rules
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030826/f5b70e80/rules-0001.obj
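
Added example, not part of the original post: a check for the third snafu quoted above (several interfaces on one subnet), run over the `ip addr show` and `ip route show` output copied from the post. It also lists addresses on the default-route interface that fall in private ranges the posted rfc1918/man1918 chains send to logdrop; all function names are hypothetical.

```python
import ipaddress
import re
from itertools import combinations

# Copied from the post above.
IP_ADDR = """\
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:46:2d:1f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:f4:60:a1:78 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.4/24 brd 192.168.0.255 scope global eth1
"""

IP_ROUTE = """\
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.2
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.4
127.0.0.0/8 dev lo  scope link
default via 192.168.0.1 dev eth0
"""

# Private ranges that appear in the posted rfc1918 and man1918 chains.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ip_addr(text):
    """Return {interface: [IPv4Interface, ...]} from `ip addr show` output."""
    addrs, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^\d+:\s+([^:@\s]+)", line)
        if head:
            current = head.group(1)
            addrs[current] = []
            continue
        # "inet " only: inet6 lines are skipped on purpose.
        inet = re.match(r"^\s+inet\s+(\d+\.\d+\.\d+\.\d+(?:/\d+)?)", line)
        if inet and current is not None:
            addrs[current].append(ipaddress.ip_interface(inet.group(1)))
    return addrs


def shared_subnets(addrs):
    """Return (iface_a, iface_b, network) for each pair of non-loopback
    interfaces whose IPv4 networks overlap."""
    flat = [(name, a) for name, lst in addrs.items()
            for a in lst if not a.ip.is_loopback]
    hits = []
    for (n1, a1), (n2, a2) in combinations(flat, 2):
        if n1 != n2 and a1.network.overlaps(a2.network):
            # Report the wider of the two overlapping networks.
            wider = (a1.network if a1.network.prefixlen <= a2.network.prefixlen
                     else a2.network)
            hits.append((n1, n2, str(wider)))
    return hits


def default_route_device(route_text):
    """Return the device named on the default route, or None."""
    for line in route_text.splitlines():
        m = re.match(r"^default\b.*\bdev\s+(\S+)", line)
        if m:
            return m.group(1)
    return None


def private_addrs_on(iface, addrs):
    """Addresses on iface that fall inside the RFC1918 list above."""
    return [str(a.ip) for a in addrs.get(iface, [])
            if any(a.ip in net for net in RFC1918)]


if __name__ == "__main__":
    addrs = parse_ip_addr(IP_ADDR)
    for a, b, net in shared_subnets(addrs):
        print(f"{a} and {b} are both in {net}")
    dev = default_route_device(IP_ROUTE)
    for ip in private_addrs_on(dev, addrs):
        print(f"default-route interface {dev} holds private address {ip}")
```

On the posted output it reports eth0 and eth1 sharing 192.168.0.0/24, and 192.168.0.2 on the default-route interface eth0.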

