<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel about="http://blog.gmane.org/gmane.comp.security.shorewall">
    <title>gmane.comp.security.shorewall</title>
    <link>http://blog.gmane.org/gmane.comp.security.shorewall</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21061"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21058"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21055"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21049"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21044"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21032"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21028"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21022"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21020"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21013"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21010"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21007"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21005"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/21001"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/20995"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/20989"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/20975"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/20974"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/20961"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.shorewall/20956"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21061">
    <title>ERROR: the provider 'track' option requires Connmark Match in your kernel and iptables</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21061</link>
    <description>
Hey Tom. 
  Long time no talk... 

  Finally, like 5 years later, I am starting the process of upgrading some of my network appliances. 
I am moving from Shorewall 1.4 to 4.0, mainly for the multi-ISP support. 

  In my testing under QEMU, with my flash drive housing all of my LRP-based packages, I am getting an 
error starting Shorewall with a multiple-providers configuration. 

Again, my system is embedded, running on a diskless low-power board with 4 ethernet ports. It is using 
busybox and my own init process, so it's not exactly standard, and already in the past I found some 
issues with the "arp" command that, as I recall, you patched into 1.4 back in the day. 

So here is the error. 

ERROR: the provider 'track' option requires Connmark Match in your kernel and iptables 
    
At the end of this email is some info that will help figure out what's up. I have looked it over for a few days and to 
me it seems that my kernel and iptables should support the Connmark module. 

I updated the kernel with what is, as best I can tell, all that is needed per the docs, but I have 
__NOT__ yet updated my iptables, though it's my next target. 


  Ideas? 

Thanks for your time; hope all is well up north. Enjoying the rain today here in Portland. 


Regards 
  Sean Mathews Nu Tech CTO 
  Nu Tech Software Solutions, inc. 
  Tigard Oregon. 

struct SoftwareProfessional { 
   double salary; 
   long   lunches; 
   float  jobs; 
   char   unstable; 
   void   work; 
   short  tempers; 
}; 





shorecap reports 
CONNMARK= 
XCONNMAR= 
CONNMARK_MATCH= 
XCONNMARK_MATCH= 


[root@UFO]# iptables -N foobar123 
[root@UFO]# iptables -A foobar123 -m connmark --mark 2 -j ACCEPT 
[root@UFO]# iptables: No chain/target/match by that name 

Shorewall-4.2.2 

iptables v1.3.4: no command specified 
Try `iptables -h' or 'iptables --help' for more information. 


Linux Kernel v2.4.32-bs-ebtables-grsec Configuration 



-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK &amp; win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&amp;url=/
</description>
    <dc:creator>sean mathews</dc:creator>
    <dc:date>2008-12-02T14:40:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21058">
    <title>traffic shaping devices number limit</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21058</link>
    <description>   Hello Tom,
   On page "Traffic Shaping/Control" of Shorewall documentation you write:

Warning

Shorewall's builtin traffic shaping feature is limited to ten (10) devices.

   Do you plan to extend this limit? What causes such a limitation?

   Thank you,
   Alex
  



</description>
    <dc:creator>alex</dc:creator>
    <dc:date>2008-12-02T08:12:38</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21055">
    <title>Help for TC in Shorewall</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21055</link>
    <description>Hi

Can anyone help me create TC rules on my Shorewall 3.2.X?
Shorewall is on my Linux gateway (eth0: Net and eth1: Lan)

I have a link:
   
eth0   2048kbits   2048kbits (Sdsl)

I want to create a tc for:

eth1 and fw to eth0:

    All protocols are limited to 1792kbits
(an ftp or web download can't get more than 1792 kbits of BP)

an exception:
    port UDP 4639 with source eth1:192.168.20.1
    can use the reserved 256 Kbits (2048 - 1792) and more
    if necessary, but have a minimum of 256 Kbs ..

I didn't understand the documentation, sorry ;=)

Thanks for your help
jerome



</description>
    <dc:creator>Phibee Network Operation Center</dc:creator>
    <dc:date>2008-12-01T16:26:28</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21049">
    <title>Error starting shorewall with Multi ISP</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21049</link>
    <description>Hello, I have configured a Multi ISP recently but it didn't start; it 
showed me the error:

ERROR: Unable to determine the MAC address of 192.168.22.254 through 
interface eth0

ip addr show output:
inet 192.168.21.219/24 brd 192.168.21.255 scope global eth0 (real IP)
inet 192.168.22.220/24 brd 192.168.22.255 scope global eth0 (Virtual IP)
inet 192.168.21.220/24 brd 192.168.21.255 scope global secondary eth0 (Virtual IP)

configuration:
ISP1    2       2       main            eth0:192.168.21.220             192.168.21.254  track           lan,lan2
ISP2    3       3       main            eth0:192.168.22.220             192.168.22.254  track           lan,lan2

The first provider is installed OK.

What could be the error?

</description>
    <dc:creator>Adrian Chapela</dc:creator>
    <dc:date>2008-12-01T08:30:13</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21044">
    <title>lo</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21044</link>
    <description>Found an error I didn't expect on bind starting.

"command channel listening on 127.0.0.1#953"

So.... I should be setting up an interface for 'lo' as well?
I haven't found anyone mentioning the lo interface. I just assumed that 
lo would have been given a default ACCEPT policy.

Just checking before I start trying to configure all this into the files.

</description>
    <dc:creator>Tom Allison</dc:creator>
    <dc:date>2008-11-30T15:10:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21032">
    <title>logging</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21032</link>
    <description>OK, I got the note about using the policy "redundancy" to separate the 
logging rules.


Making great progress.  Shorewall is relatively intuitive if you are 
familiar with the whole iptables thing.  But it has been a few years 
since I wrote my own firewalls.


'nuther question:

I have this:
Nov 29 19:38:01 voyager kernel: Shorewall:mangle:PREROUTING:IN=eth1 OUT= MAC=01:00:5e:00:00:fb:00:19:e3:d6:1c:50:08:00 SRC=192.168.1.102 DST=224.0.0.251 LEN=118 TOS=0x18 PREC=0x00 TTL=255 ID=51329 PROTO=UDP SPT=5353 DPT=5353 LEN=98
Nov 29 19:38:01 voyager kernel: Shorewall:nat:PREROUTING:IN=eth1 OUT= MAC=01:00:5e:00:00:fb:00:19:e3:d6:1c:50:08:00 SRC=192.168.1.102 DST=224.0.0.251 LEN=118 TOS=0x18 PREC=0x00 TTL=255 ID=51329 PROTO=UDP SPT=5353 DPT=5353 LEN=98


From what I can figure out, this is a MacBook that is sending out some 
kind of Multicast DNS. Never heard of it. It's not handled by the DNS 
macro. I guess this is part of Bonjour (which I'm liking less and less 
all the time -- why must they reinvent everything).

I'm going to guess that bind9 doesn't support this and doesn't seem to 
need to.  So it would be safe to set a rule like:

DROP  loc  all  tcp  5353
DROP  loc  all  udp  5353

Yes/No?

</description>
    <dc:creator>Tom Allison</dc:creator>
    <dc:date>2008-11-30T01:00:32</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21028">
    <title>policy question</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21028</link>
    <description>Isn't the following redundant:

net            $FW             DROP            info
net            loc             DROP            info
net             all             DROP            info


in that the last rule (net all) will DROP everything, and therefore the 
only additional input for this interaction would be under rules.

similarly

loc   net  ACCEPT
loc   $FW  REJECT
loc   all  REJECT

doesn't require the "loc  $FW  REJECT" line for the same reasons.

True?

Another question:
I initially tried setting up my interfaces such that:

net   eth1  detect  dhcp...
loc   eth0  detect  dhcp...

but no DHCP entry in rules. I got a lot of blocked UDP port 53 traffic.
Where does the dhcp option come in (with the manpage instruction to 
include this), and how does that fit in with the DHCP rule? Do they both 
need to be present? Redundant? Or is there something else in the 
background?

</description>
    <dc:creator>Tom Allison</dc:creator>
    <dc:date>2008-11-29T23:18:56</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21022">
    <title>Shorewall Shell 4.2.2 vs Shorewall Perl 4.2.2</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21022</link>
    <description>Hello again,

I am testing my config files to make a change from Shorewall shell 4.0 to 
Shorewall Perl 4.2.2 (because I need the feature of ISPs sharing an 
interface). In my first tests I saw some problems with my old 
shorewall.conf, but now all is OK.

My problem is the following. I tested:

shorewall try -C perl . -&gt; All works OK.

shorewall try -C shell . -&gt; The following error output is shown:

Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
   ERROR: Invalid TARGET in rule "COMMENT Needed ICMP types    "
/sbin/shorewall: line 384: 16011 Terminado               $command 
$SHOREWALL_SHELL $sc $@

What could be the reason? I only installed shorewall-common and 
shorewall-perl; could this be the reason?

With shorewall perl all is running very fast, and the log on the screen 
is very small compared with shorewall shell 4.0. Is this normal?

Thank you!

</description>
    <dc:creator>Adrian Chapela</dc:creator>
    <dc:date>2008-11-28T10:23:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21020">
    <title>Multi-ISP,4 routers sharing one ethernet interface</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21020</link>
    <description>Hello,

I want to do a configuration with 5 ISPs, 4 of them sharing one ethernet 
interface. I am using Debian; is there any package in Debian with this 
functionality?
If not, what version do I need? In the docs you say shorewall-perl 
4.1.2, but I can only download the 4.2 tree; is it OK to do what I want?

Thank you!

</description>
    <dc:creator>Adrian Chapela</dc:creator>
    <dc:date>2008-11-27T15:46:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21013">
    <title>DHCP</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21013</link>
    <description>Hello,

I'm trying to get a Shorewall installation on Debian and am running into 
some problems that are actually related to DHCP, or at least that's my 
theory. I'm writing to this list in hopes that enough people have 
already been through this that they know an answer.

The problem I have is that the DHCP server doesn't know what interface 
to listen to and, more importantly, not to listen to.  The problem I 
have is that on the one subnet I have two DHCP servers in violent 
contention with each other and typically within minutes my entire 
network is fubar.  What's worse is this new DHCP server is much faster 
at responding.

Because of the rather nasty effect it has on the subnet, testing is very 
limited this time of year as term papers come due and email, web, and 
printers are of absolute importance.

I think there is a way to configure this under the DHCP server 
configuration, but I'm curious what the Shorewall people have to say 
about this one.

Also, there is a lot of martian traffic.  But I won't really look into 
this one until I've been able to set this up for more than 5 minutes.

</description>
    <dc:creator>Tom Allison</dc:creator>
    <dc:date>2008-11-26T23:22:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21010">
    <title>shorewall newbie Revisit: new IP</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21010</link>
    <description>Hi There,

Reworking my earlier question, also by including the result of '/sbin/shorewall dump', which is attached as 'status.txt'; I am sorry for not making it a gzip.

As suggested, and as I am still a newbie here, I changed the IP for eth0 and eth1, but unfortunately with the same result; I hope to get some light this time.


Shorewall version 4.0.14
Debian Etch
Webmin Version 1.441

eth0 -&gt; 10.1.1.4 connected to a router, acts as gateway for other hosts
eth1 -&gt; 10.1.2.1 connected to wireless router
eth2 -&gt; connected to ADSL bridged modem, working OK using RP-PPPoE, outputting ppp0 with correct IP from TPG


Shorewall configuration

Interfaces
#ZONE    INTERFACE    BROADCAST    OPTIONS
net    ppp0    -
loc    eth0    10.255.255.255
loc    eth1    10.255.255.255

Masq
#INTERFACE        SOURCE        ADDRESS        PROTO    PORT(S)    IPSEC    MARK
ppp0            eth1
ppp0            eth0

Policy
all        all        ACCEPT

Zones
fw    firewall
net    ipv4
loc    ipv4




~# shorewall check

Checking...
Initializing...
Determining Zones...
   IPv4 Zones: net loc
   Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Validating Policy file...
Determining Hosts in Zones...
   net Zone: ppp0:0.0.0.0/0
   loc Zone: eth0:0.0.0.0/0 eth1:0.0.0.0/0
Deleting user chains...
Checking /etc/shorewall/routestopped ...
Creating Interface Chains...
Checking Common Rules
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall/rules...
Checking Actions...
Checking /usr/share/shorewall/action.Drop for Chain Drop...
Checking /usr/share/shorewall/action.Reject for Chain Reject...
Checking /etc/shorewall/policy...
Checking Masquerading/SNAT
Checking Traffic Control Rules...
Checking Rule Activation...
Compiling IP Forwarding...
Shorewall configuration verified


~# shorewall status

Shorewall-4.0.14 Status at debian - Tue Nov 25 20:23:36 EST 2008

Shorewall is running
State:Started (Tue Nov 25 20:23:32 EST 2008)


~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:E0:4C:50:18:FD  
          inet addr:10.1.1.4  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:232 errors:0 dropped:0 overruns:0 frame:0
          TX packets:321 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:38692 (37.7 KiB)  TX bytes:218234 (213.1 KiB)
          Interrupt:201 Base address:0xa000 

eth1      Link encap:Ethernet  HWaddr 00:E0:4C:50:16:70  
          inet addr:10.1.2.1  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:17 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3287 (3.2 KiB)  TX bytes:0 (0.0 b)
          Interrupt:209 Base address:0x8000 


eth2      Link encap:Ethernet  HWaddr 00:15:58:1D:4B:4F  
          inet6 addr: fe80::215:58ff:fe1d:4b4f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:425 errors:0 dropped:0 overruns:0 frame:0
          TX packets:423 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:59062 (57.6 KiB)  TX bytes:67383 (65.8 KiB)
          Interrupt:193 Base address:0xa800 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:xxx.xxx.xxx.xxx  P-t-P:10.20.20.106  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:379 errors:0 dropped:0 overruns:0 frame:0
          TX packets:375 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:47826 (46.7 KiB)  TX bytes:56054 (54.7 KiB)


iface eth0 inet static
    address 10.1.1.4
    netmask 255.0.0.0
    network 10.0.0.0
    broadcast 10.255.255.255

iface eth1 inet static
    address 10.1.2.1
    netmask 255.0.0.0
    network 10.0.0.0
    broadcast 10.255.255.255


Shorewall 4.0.14 Dump at debian - Wed Nov 26 18:16:24 EST 2008

   Shorewall-shell 4.0.14

Counters reset Wed Nov 26 18:15:28 EST 2008

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
   88 11204 ppp0_in    0    --  ppp0   *       0.0.0.0/0            0.0.0.0/0
  137 21991 eth0_in    0    --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_in    0    --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 ppp0_fwd   0    --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth0_fwd   0    --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_fwd   0    --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0
   88 13668 ppp0_out   0    --  *      ppp0    0.0.0.0/0            0.0.0.0/0
  158  116K eth0_out   0    --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 eth1_out   0    --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain Drop (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
    0     0 dropBcast  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 code 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
    0     0 dropInvalid  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,445
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:137 dpts:1024:65535
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,139,445
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900
    0     0 dropNotSyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53

Chain Reject (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
    0     0 dropBcast  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 code 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
    0     0 dropInvalid  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,445
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:137 dpts:1024:65535
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,139,445
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900
    0     0 dropNotSyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53

Chain all2all (10 references)
 pkts bytes target     prot opt in     out     source               destination
  353  149K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  118 14320 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast

Chain dropInvalid (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID

Chain dropNotSyn (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
    0     0 all2all    0    --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   30  3116 dynamic    0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
  137 21991 all2all    0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth0_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
  158  116K all2all    0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
    0     0 all2all    0    --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
    0     0 all2all    0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 all2all    0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:logreject:REJECT:'
    0     0 reject     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ppp0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
    0     0 all2all    0    --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 all2all    0    --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain ppp0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
   88 11204 dynamic    0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
   88 11204 all2all    0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ppp0_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
   88 13668 all2all    0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (7 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
    0     0 DROP       0    --  *      *       10.255.255.255       0.0.0.0/0
    0     0 DROP       0    --  *      *       10.255.255.255       0.0.0.0/0
    0     0 DROP       0    --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       0    --  *      *       224.0.0.0/4          0.0.0.0/0
    0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-unreachable
    0     0 REJECT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain smurfs (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        0    --  *      *       10.255.255.255       0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       0    --  *      *       10.255.255.255       0.0.0.0/0
    0     0 LOG        0    --  *      *       10.255.255.255       0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       0    --  *      *       10.255.255.255       0.0.0.0/0
    0     0 LOG        0    --  *      *       255.255.255.255      0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       0    --  *      *       255.255.255.255      0.0.0.0/0
    0     0 LOG        0    --  *      *       224.0.0.0/4          0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 DROP       0    --  *      *       224.0.0.0/4          0.0.0.0/0

Log (/var/log/messages)


NAT Table

Chain PREROUTING (policy ACCEPT 94 packets, 11453 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ppp0_masq  0    --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ppp0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      *       10.0.0.0/8           0.0.0.0/0
    0     0 MASQUERADE  0    --  *      *       10.0.0.0/8           0.0.0.0/0

Mangle Table

Chain PREROUTING (policy ACCEPT 229 packets, 33707 bytes)
 pkts bytes target     prot opt in     out     source               destination
  229 33707 tcpre      0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 229 packets, 33707 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 tcfor      0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 716 packets, 433K bytes)
 pkts bytes target     prot opt in     out     source               destination
  250  131K tcout      0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 250 packets, 131K bytes)
 pkts bytes target     prot opt in     out     source               destination
  250  131K tcpost     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination

Conntrack Table


IP Configuration

1: lo: &lt;LOOPBACK,UP,10000&gt; mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: &lt;BROADCAST,MULTICAST,UP,10000&gt; mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:4c:50:18:fd brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.4/8 brd 10.255.255.255 scope global eth0
    inet6 fe80::2e0:4cff:fe50:18fd/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: &lt;NO-CARRIER,BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:4c:50:16:70 brd ff:ff:ff:ff:ff:ff
    inet 10.1.2.1/8 brd 10.255.255.255 scope global eth1
4: eth2: &lt;BROADCAST,MULTICAST,UP,10000&gt; mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:15:58:1d:4b:4f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::215:58ff:fe1d:4b4f/64 scope link 
       valid_lft forever preferred_lft forever
5: sit0: &lt;NOARP&gt; mtu 1480 qdisc noop 
    link/sit 0.0.0.0 brd 0.0.0.0
6: ppp0: &lt;POINTOPOINT,MULTICAST,NOARP,UP,10000&gt; mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp 
    inet 220.244.8.194 peer 10.20.20.125/32 scope global ppp0

IP Stats

1: lo: &lt;LOOPBACK,UP,10000&gt; mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast   
    1456       16       0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    1456       16       0       0       0       0      
2: eth0: &lt;BROADCAST,MULTICAST,UP,10000&gt; mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:4c:50:18:fd brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    102198     593      0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    548506     782      0       0       0       0      
3: eth1: &lt;NO-CARRIER,BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:4c:50:16:70 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    3287       17       0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0      
4: eth2: &lt;BROADCAST,MULTICAST,UP,10000&gt; mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:15:58:1d:4b:4f brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    19113      146      0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    22264      147      0       0       0       0      
5: sit0: &lt;NOARP&gt; mtu 1480 qdisc noop 
    link/sit 0.0.0.0 brd 0.0.0.0
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0      
6: ppp0: &lt;POINTOPOINT,MULTICAST,NOARP,UP,10000&gt; mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp 
    RX: bytes  packets  errors  dropped overrun mcast   
    14927      124      0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    17995      125      0       0       0       0      

/proc

   /proc/version = Linux version 2.6.18-5-686 (Debian 2.6.18.dfsg.1-17) (dannf&lt; at &gt;debian.org) (gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP Mon Dec 24 16:41:07 UTC 2007
   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/arp_ignore = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 1
   /proc/sys/net/ipv4/conf/all/log_martians = 0
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/arp_ignore = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 1
   /proc/sys/net/ipv4/conf/default/log_martians = 0
   /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/log_martians = 0
   /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth1/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/log_martians = 0
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 0
   /proc/sys/net/ipv4/conf/lo/log_martians = 0
   /proc/sys/net/ipv4/conf/ppp0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/ppp0/arp_filter = 0
   /proc/sys/net/ipv4/conf/ppp0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/ppp0/rp_filter = 0
   /proc/sys/net/ipv4/conf/ppp0/log_martians = 0

Routing Rules

0:	from all lookup 255 
32766:	from all lookup main 
32767:	from all lookup default 

Table 255:

broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1 
broadcast 10.0.0.0 dev eth0  proto kernel  scope link  src 10.1.1.4 
broadcast 10.0.0.0 dev eth1  proto kernel  scope link  src 10.1.2.1 
local 10.1.2.1 dev eth1  proto kernel  scope host  src 10.1.2.1 
broadcast 10.255.255.255 dev eth0  proto kernel  scope link  src 10.1.1.4 
broadcast 10.255.255.255 dev eth1  proto kernel  scope link  src 10.1.2.1 
local 10.1.1.4 dev eth0  proto kernel  scope host  src 10.1.1.4 
local 220.244.8.194 dev ppp0  proto kernel  scope host  src 220.244.8.194 
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1 
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1 
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1 

Table default:


Table main:

10.20.20.125 dev ppp0  proto kernel  scope link  src 220.244.8.194 
10.0.0.0/8 dev eth0  proto kernel  scope link  src 10.1.1.4 
10.0.0.0/8 dev eth1  proto kernel  scope link  src 10.1.2.1 
default dev ppp0  scope link 

ARP

? (10.1.1.5) at 00:E0:4C:50:16:2F [ether] on eth0
? (10.20.20.125) at &lt;from_interface&gt; PERM PUB on eth1

Modules

ip_conntrack           49088  24 ipt_MASQUERADE,ip_nat_tftp,ip_nat_snmp_basic,ip_nat_sip,ip_nat_pptp,ip_nat_irc,ip_nat_h323,ip_nat_ftp,ip_nat_amanda,ip_conntrack_tftp,ip_conntrack_sip,ip_conntrack_pptp,ip_conntrack_netbios_ns,ip_conntrack_irc,ip_conntrack_h323,ip_conntrack_ftp,ip_conntrack_amanda,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,ip_nat
ip_conntrack_amanda     4932  1 ip_nat_amanda
ip_conntrack_ftp        7760  1 ip_nat_ftp
ip_conntrack_h323      47676  1 ip_nat_h323
ip_conntrack_irc        6800  1 ip_nat_irc
ip_conntrack_netbios_ns     3040  0 
ip_conntrack_pptp      11504  1 ip_nat_pptp
ip_conntrack_sip        7376  1 ip_nat_sip
ip_conntrack_tftp       4344  1 ip_nat_tftp
ip_nat                 16876  12 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ip_nat_tftp,ip_nat_sip,ip_nat_pptp,ip_nat_irc,ip_nat_h323,ip_nat_ftp,ip_nat_amanda,iptable_nat
ip_nat_amanda           2400  0 
ip_nat_ftp              3328  0 
ip_nat_h323             7104  0 
ip_nat_irc              2720  0 
ip_nat_pptp             5988  0 
ip_nat_sip              4096  0 
ip_nat_snmp_basic       9316  0 
ip_nat_tftp             1920  0 
iptable_filter          3104  1 
iptable_mangle          2880  1 
iptable_nat             7044  1 
iptable_raw             2144  0 
ip_tables              13028  4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
ipt_addrtype            1952  0 
ipt_ah                  2016  0 
ipt_CLUSTERIP           8196  0 
ipt_dscp                1792  0 
ipt_DSCP                2336  0 
ipt_ecn                 2304  0 
ipt_ECN                 3072  0 
ipt_hashlimit           8744  0 
ipt_iprange             1888  0 
ipt_LOG                 6112  6 
ipt_MASQUERADE          3712  2 
ipt_NETMAP              2176  0 
ipt_owner               2080  0 
ipt_recent              8432  0 
ipt_REDIRECT            2176  0 
ipt_REJECT              5248  4 
ipt_SAME                2496  0 
ipt_TCPMSS              4096  1 
ipt_tos                 1760  0 
ipt_TOS                 2304  0 
ipt_ttl                 1984  0 
ipt_TTL                 2400  0 
ipt_ULOG                7780  0 
xt_CLASSIFY             1984  0 
xt_comment              1952  0 
xt_connmark             2144  0 
xt_CONNMARK             2464  0 
xt_conntrack            2624  0 
xt_dccp                 3396  0 
xt_helper               2560  0 
xt_length               2048  0 
xt_limit                2752  0 
xt_mac                  2016  0 
xt_mark                 1984  0 
xt_MARK                 2464  0 
xt_multiport            3264  4 
xt_NFQUEUE              2144  0 
xt_physdev              3024  0 
xt_pkttype              2016  4 
xt_policy               3648  0 
xt_state                2272  11 
xt_tcpmss               2336  0 
xt_tcpudp               3136  12 

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   Physdev-is-bridged Support: Available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Not available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Available
   Extended MARK Target: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available
   NFQUEUE Target: Available

Traffic Control

Device eth0:
qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 547726 bytes 782 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 

Device eth1:
qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 

Device eth2:
qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 21771 bytes 147 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 

Device ppp0:
qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 17934 bytes 121 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 


TC Filters

Device eth0:

Device eth1:

Device eth2:

Device ppp0:

}
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK &amp; win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&amp;url=/</description>
    <dc:creator>Phillipus Gunawan</dc:creator>
    <dc:date>2008-11-25T19:27:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21007">
    <title>shorewall newbie Revisit: new IP</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21007</link>
    <description>Hi There,

Reworking my question from earlier, also by including the result from '/sbin/shorewall dump', which is attached as 'status.txt', and I am sorry for not making it a gzip.

As suggested, and as I am still a newbie here, I changed the IP for eth0 and eth1, but unfortunately, still the same result; I hope to get some light this time.
I did not attach the result of the dump, as it delays this message being added.
For Policy, I simply put "ALL ALL ACCEPT" just as a starter; getting this Shorewall working is my priority.

I am using eth0 and connecting from another host (e.g. 10.1.1.5, WinXP), with the gateway and DNS set to 10.1.1.4.
No connection, only able to ping 10.1.1.4 ....



Shorewall version 4.0.14
Debian Etch
Webmin Version 1.441

eth0 -&gt; 10.1.1.4 connected to a router, acts as gateway for other hosts
eth1 -&gt; 10.1.2.1 connected to wireless router, not connected at the moment, just trying to get the wired connection working
eth2 -&gt; connected to adsl bridged modem, working OK using RP-PPPoE, outputting ppp0 with correct ip from TPG


Shorewall configuration

Interfaces
#ZONE    INTERFACE    BROADCAST    OPTIONS
net    ppp0    -
loc    eth0    10.255.255.255
loc    eth1    10.255.255.255

Masq
#INTERFACE        SOURCE        ADDRESS        PROTO    PORT(S)    IPSEC    MARK
ppp0            eth1
ppp0            eth0

Policy
all        all        ACCEPT

Zones
fw    firewall
net    ipv4
loc    ipv4



~# shorewall status

Shorewall-4.0.14 Status at debian - Tue Nov 25 20:23:36 EST 2008

Shorewall is running
State:Started (Tue Nov 25 20:23:32 EST 2008)


~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:E0:4C:50:18:FD  
          inet addr:10.1.1.4  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:232 errors:0 dropped:0 overruns:0 frame:0
          TX packets:321 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:38692 (37.7 KiB)  TX bytes:218234 (213.1 KiB)
          Interrupt:201 Base address:0xa000 

eth1      Link encap:Ethernet  HWaddr 00:E0:4C:50:16:70  
          inet addr:10.1.2.1  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:17 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3287 (3.2 KiB)  TX bytes:0 (0.0 b)
          Interrupt:209 Base address:0x8000 


eth2      Link encap:Ethernet  HWaddr 00:15:58:1D:4B:4F  
          inet6 addr: fe80::215:58ff:fe1d:4b4f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:425 errors:0 dropped:0 overruns:0 frame:0
          TX packets:423 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:59062 (57.6 KiB)  TX bytes:67383 (65.8 KiB)
          Interrupt:193 Base address:0xa800 

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:xxx.xxx.xxx.xxx  P-t-P:10.20.20.106  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:379 errors:0 dropped:0 overruns:0 frame:0
          TX packets:375 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:47826 (46.7 KiB)  TX bytes:56054 (54.7 KiB)



</description>
    <dc:creator>Phillipus Gunawan</dc:creator>
    <dc:date>2008-11-26T06:18:05</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21005">
    <title>shorewall newbie Revisit</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21005</link>
    <description>Hi There,

Reworking my question from earlier, also by including the result from '/sbin/shorewall dump', which is attached as 'status.txt', and I am sorry for not making it a gzip.

I will also repeat the earlier post for a better understanding of my question (hey, I am looking for the answers.....)


Shorewall version 4.0.14
Debian Etch
Webmin Version 1.441

eth0 -&gt; 10.1.1.1 connected to a router, acts as gateway for other hosts
eth1 -&gt; 10.1.1.4 connected to wireless router
eth2 -&gt; connected to adsl bridged modem, working OK using RP-PPPoE, outputting ppp0 with correct ip from TPG


Shorewall configuration

Interfaces
#ZONE    INTERFACE    BROADCAST    OPTIONS
net    ppp0    detect    routefilter
loc    eth0    10.1.1.255
loc    eth1    10.1.1.255

Masq
#INTERFACE        SOURCE        ADDRESS        PROTO    PORT(S)    IPSEC    MARK
ppp0            eth1
ppp0            eth0

Policy
$FW        net        ACCEPT
$FW        loc        ACCEPT
net        $FW        ACCEPT
net        loc        ACCEPT
loc        $FW        ACCEPT
loc        net        ACCEPT

Zones
fw    firewall
net    ipv4
loc    ipv4




~# shorewall check

Checking...
Initializing...
Determining Zones...
   IPv4 Zones: net loc
   Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Validating Policy file...
Determining Hosts in Zones...
   net Zone: ppp0:0.0.0.0/0
   loc Zone: eth0:0.0.0.0/0 eth1:0.0.0.0/0
Deleting user chains...
Checking /etc/shorewall/routestopped ...
Creating Interface Chains...
Checking Common Rules
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall/rules...
Checking Actions...
Checking /usr/share/shorewall/action.Drop for Chain Drop...
Checking /usr/share/shorewall/action.Reject for Chain Reject...
Checking /etc/shorewall/policy...
Checking Masquerading/SNAT
Checking Traffic Control Rules...
Checking Rule Activation...
Compiling IP Forwarding...
Shorewall configuration verified


~# shorewall status

Shorewall-4.0.14 Status at debian - Tue Nov 25 20:23:36 EST 2008

Shorewall is running
State:Started (Tue Nov 25 20:23:32 EST 2008)


~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:E0:4C:50:18:FD  
          inet addr:10.1.1.1  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:201 Base address:0x8000 

eth1      Link encap:Ethernet  HWaddr 00:E0:4C:50:16:70  
          inet addr:10.1.1.4  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::2e0:4cff:fe50:1670/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2388 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3341 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:305137 (297.9 KiB)  TX bytes:2690271 (2.5 MiB)
          Interrupt:209 Base address:0xc000 

eth2      Link encap:Ethernet  HWaddr 00:15:58:1D:4B:4F  
          inet6 addr: fe80::215:58ff:fe1d:4b4f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:425 errors:0 dropped:0 overruns:0 frame:0
          TX packets:423 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:59062 (57.6 KiB)  TX bytes:67383 (65.8 KiB)
          Interrupt:193 Base address:0xa800 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:xxx.xxx.xxx.xxx  P-t-P:10.20.20.106  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:379 errors:0 dropped:0 overruns:0 frame:0
          TX packets:375 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:47826 (46.7 KiB)  TX bytes:56054 (54.7 KiB)




Problem 1

I installed Debian with eth2 plugged in.

When I'm using eth2, I can log in to my box (using webmin) to configure Debian remotely from other hosts, using either the 10.1.1.1 or the 10.1.1.4 address, and I can ping other hosts (e.g. 10.1.1.5). But when I use eth2, I can't ping or do anything; the ping result from Debian: From 10.1.1.4 Host Unreachable

What mistake did I make? Why can't I use eth1 connected with other hosts?


Problem 2

PPPoE is up and running, and I can ping any web address from Debian (e.g. www.yahoo.com).
But I'm not able to make other hosts (e.g. 10.1.1.5) connect to the internet via the gateway on eth1 or eth2.

Again, ignoring the use of eth2, and assuming I can configure eth1 to talk with other hosts (problem 1 solved), how can I make Shorewall work to share the internet?
Or, just using eth2, what is the mistake in my Shorewall conf?

Any help would be much appreciated
Thanks in advance


Shorewall 4.0.14 Dump at debian - Wed Nov 26 01:07:36 EST 2008

   Shorewall-shell 4.0.14

Counters reset Wed Nov 26 01:06:57 EST 2008

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           
   72  8686 ppp0_in    0    --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 eth0_in    0    --  eth0   *       0.0.0.0/0            0.0.0.0/0           
  163 23308 eth1_in    0    --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ppp0_fwd   0    --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 eth0_fwd   0    --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 eth1_fwd   0    --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0           
   72 10486 ppp0_out   0    --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 eth0_out   0    --  *      eth0    0.0.0.0/0            0.0.0.0/0           
  175  116K eth1_out   0    --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain Drop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 
    0     0 dropBcast  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 code 4 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 
    0     0 dropInvalid  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,445 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:137 dpts:1024:65535 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,139,445 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900 
    0     0 dropNotSyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 

Chain Reject (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 
    0     0 dropBcast  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 code 4 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 
    0     0 dropInvalid  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,445 
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:137 dpts:1024:65535 
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,139,445 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900 
    0     0 dropNotSyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 

Chain all2all (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast 
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast 

Chain dropInvalid (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 

Chain dropNotSyn (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
    0     0 smurfs     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 loc2net    0    --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  *      eth1    0.0.0.0/0            0.0.0.0/0           

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
    0     0 smurfs     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 loc2fw     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain eth0_out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 fw2loc     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
    0     0 smurfs     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 loc2net    0    --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   43  4678 dynamic    0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
   43  4678 smurfs     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
  129 19062 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
  163 23308 loc2fw     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain eth1_out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  175  116K fw2loc     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fw2loc (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  175  116K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   72 10486 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain loc2fw (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  120 18630 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   43  4678 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain loc2net (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:' 
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logflags (5 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:logflags:DROP:' 
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:logreject:REJECT:' 
    0     0 reject     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   72  8686 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net2loc (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ppp0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
    0     0 smurfs     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 net2loc    0    --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 net2loc    0    --  *      eth1    0.0.0.0/0            0.0.0.0/0           

Chain ppp0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   72  8686 dynamic    0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
   72  8686 smurfs     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
    6   288 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
   72  8686 net2fw     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ppp0_out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   72 10486 fw2net     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain reject (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast 
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast 
    0     0 DROP       0    --  *      *       10.1.1.255           0.0.0.0/0           
    0     0 DROP       0    --  *      *       10.1.1.255           0.0.0.0/0           
    0     0 DROP       0    --  *      *       255.255.255.255      0.0.0.0/0           
    0     0 DROP       0    --  *      *       224.0.0.0/4          0.0.0.0/0           
    0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-unreachable 
    0     0 REJECT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain smurfs (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        0    --  *      *       10.1.1.255           0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:' 
    0     0 DROP       0    --  *      *       10.1.1.255           0.0.0.0/0           
    0     0 LOG        0    --  *      *       10.1.1.255           0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:' 
    0     0 DROP       0    --  *      *       10.1.1.255           0.0.0.0/0           
    0     0 LOG        0    --  *      *       255.255.255.255      0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:' 
    0     0 DROP       0    --  *      *       255.255.255.255      0.0.0.0/0           
    0     0 LOG        0    --  *      *       224.0.0.0/4          0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:' 
    0     0 DROP       0    --  *      *       224.0.0.0/4          0.0.0.0/0           

Chain tcpflags (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29 
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:0 flags:0x17/0x02 

Log (/var/log/messages)


NAT Table

Chain PREROUTING (policy ACCEPT 82 packets, 9078 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ppp0_masq  0    --  *      ppp0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain ppp0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  0    --  *      *       10.0.0.0/8           0.0.0.0/0           
    0     0 MASQUERADE  0    --  *      *       10.0.0.0/8           0.0.0.0/0           

Mangle Table

Chain PREROUTING (policy ACCEPT 236 packets, 32034 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  236 32034 tcpre      0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 236 packets, 32034 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 tcfor      0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 456 packets, 284K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  247  127K tcout      0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 247 packets, 127K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  247  127K tcpost     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Conntrack Table

udp      17 21 src=99.240.27.239 dst=220.244.8.194 sport=11808 dport=64198 packets=1 bytes=129 [UNREPLIED] src=220.244.8.194 dst=99.240.27.239 sport=64198 dport=11808 packets=0 bytes=0 mark=0 use=1
udp      17 5 src=218.78.204.112 dst=220.244.8.194 sport=18592 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=218.78.204.112 sport=64198 dport=18592 packets=0 bytes=0 mark=0 use=1
udp      17 24 src=219.81.238.239 dst=220.244.8.194 sport=14502 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=219.81.238.239 sport=64198 dport=14502 packets=0 bytes=0 mark=0 use=1
udp      17 11 src=218.19.123.201 dst=220.244.8.194 sport=20879 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=218.19.123.201 sport=64198 dport=20879 packets=0 bytes=0 mark=0 use=1
udp      17 19 src=210.22.56.236 dst=220.244.8.194 sport=27693 dport=64198 packets=2 bytes=252 [UNREPLIED] src=220.244.8.194 dst=210.22.56.236 sport=64198 dport=27693 packets=0 bytes=0 mark=0 use=1
tcp      6 431994 ESTABLISHED src=10.1.1.5 dst=10.1.1.4 sport=4822 dport=10000 packets=7 bytes=1037 src=10.1.1.4 dst=10.1.1.5 sport=10000 dport=4822 packets=7 bytes=2527 [ASSURED] mark=0 use=1
tcp      6 431994 ESTABLISHED src=10.1.1.5 dst=10.1.1.4 sport=4825 dport=10000 packets=9 bytes=1602 src=10.1.1.4 dst=10.1.1.5 sport=10000 dport=4825 packets=10 bytes=4905 [ASSURED] mark=0 use=1
udp      17 3 src=85.147.241.182 dst=220.244.8.194 sport=45860 dport=64198 packets=1 bytes=131 [UNREPLIED] src=220.244.8.194 dst=85.147.241.182 sport=64198 dport=45860 packets=0 bytes=0 mark=0 use=1
udp      17 14 src=200.80.219.2 dst=220.244.8.194 sport=17821 dport=64198 packets=1 bytes=129 [UNREPLIED] src=220.244.8.194 dst=200.80.219.2 sport=64198 dport=17821 packets=0 bytes=0 mark=0 use=1
udp      17 25 src=212.25.39.236 dst=220.244.8.194 sport=3910 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=212.25.39.236 sport=64198 dport=3910 packets=0 bytes=0 mark=0 use=1
tcp      6 431961 ESTABLISHED src=10.1.1.5 dst=10.1.1.4 sport=4815 dport=10000 packets=7 bytes=989 src=10.1.1.4 dst=10.1.1.5 sport=10000 dport=4815 packets=7 bytes=3845 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.1.1.5 dst=10.1.1.4 sport=4820 dport=10000 packets=20 bytes=5151 src=10.1.1.4 dst=10.1.1.5 sport=10000 dport=4820 packets=24 bytes=16893 [ASSURED] mark=0 use=1
udp      17 8 src=117.197.193.65 dst=220.244.8.194 sport=23608 dport=64198 packets=1 bytes=131 [UNREPLIED] src=220.244.8.194 dst=117.197.193.65 sport=64198 dport=23608 packets=0 bytes=0 mark=0 use=1
tcp      6 431996 ESTABLISHED src=10.1.1.5 dst=10.1.1.4 sport=4821 dport=10000 packets=13 bytes=2215 src=10.1.1.4 dst=10.1.1.5 sport=10000 dport=4821 packets=13 bytes=8601 [ASSURED] mark=0 use=1
udp      17 23 src=75.85.19.185 dst=220.244.8.194 sport=10465 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=75.85.19.185 sport=64198 dport=10465 packets=0 bytes=0 mark=0 use=1
udp      17 14 src=59.188.153.218 dst=220.244.8.194 sport=13820 dport=64198 packets=1 bytes=129 [UNREPLIED] src=220.244.8.194 dst=59.188.153.218 sport=64198 dport=13820 packets=0 bytes=0 mark=0 use=1
udp      17 26 src=77.230.137.56 dst=220.244.8.194 sport=23302 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=77.230.137.56 sport=64198 dport=23302 packets=0 bytes=0 mark=0 use=1
udp      17 6 src=190.46.68.220 dst=220.244.8.194 sport=24163 dport=64198 packets=1 bytes=129 [UNREPLIED] src=220.244.8.194 dst=190.46.68.220 sport=64198 dport=24163 packets=0 bytes=0 mark=0 use=1
udp      17 22 src=89.149.92.97 dst=220.244.8.194 sport=9555 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=89.149.92.97 sport=64198 dport=9555 packets=0 bytes=0 mark=0 use=1
udp      17 28 src=89.76.100.189 dst=220.244.8.194 sport=14914 dport=64198 packets=1 bytes=129 [UNREPLIED] src=220.244.8.194 dst=89.76.100.189 sport=64198 dport=14914 packets=0 bytes=0 mark=0 use=1
udp      17 4 src=202.92.189.70 dst=220.244.8.194 sport=19731 dport=64198 packets=2 bytes=252 [UNREPLIED] src=220.244.8.194 dst=202.92.189.70 sport=64198 dport=19731 packets=0 bytes=0 mark=0 use=1
udp      17 13 src=60.167.3.244 dst=220.244.8.194 sport=24562 dport=64198 packets=1 bytes=90 [UNREPLIED] src=220.244.8.194 dst=60.167.3.244 sport=64198 dport=24562 packets=0 bytes=0 mark=0 use=1
udp      17 7 src=218.191.238.85 dst=220.244.8.194 sport=6884 dport=64198 packets=1 bytes=129 [UNREPLIED] src=220.244.8.194 dst=218.191.238.85 sport=64198 dport=6884 packets=0 bytes=0 mark=0 use=1
udp      17 2 src=65.93.1.250 dst=220.244.8.194 sport=14732 dport=64198 packets=1 bytes=131 [UNREPLIED] src=220.244.8.194 dst=65.93.1.250 sport=64198 dport=14732 packets=0 bytes=0 mark=0 use=1
udp      17 10 src=72.231.214.56 dst=220.244.8.194 sport=1000 dport=64198 packets=1 bytes=131 [UNREPLIED] src=220.244.8.194 dst=72.231.214.56 sport=64198 dport=1000 packets=0 bytes=0 mark=0 use=1
tcp      6 431995 ESTABLISHED src=10.1.1.5 dst=10.1.1.4 sport=4823 dport=10000 packets=12 bytes=2159 src=10.1.1.4 dst=10.1.1.5 sport=10000 dport=4823 packets=13 bytes=8803 [ASSURED] mark=0 use=1
udp      17 13 src=118.169.96.58 dst=220.244.8.194 sport=23658 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=118.169.96.58 sport=64198 dport=23658 packets=0 bytes=0 mark=0 use=1
udp      17 17 src=10.1.1.5 dst=10.1.1.1 sport=2614 dport=53 packets=2 bytes=122 [UNREPLIED] src=10.1.1.1 dst=10.1.1.5 sport=53 dport=2614 packets=0 bytes=0 mark=0 use=1
udp      17 3 src=78.25.156.173 dst=220.244.8.194 sport=17810 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=78.25.156.173 sport=64198 dport=17810 packets=0 bytes=0 mark=0 use=1
tcp      6 4 CLOSE src=10.1.1.5 dst=10.1.1.4 sport=4819 dport=10000 packets=17 bytes=1506 src=10.1.1.4 dst=10.1.1.5 sport=10000 dport=4819 packets=25 bytes=18121 [ASSURED] mark=0 use=1
udp      17 10 src=79.153.70.95 dst=220.244.8.194 sport=17678 dport=64198 packets=1 bytes=129 [UNREPLIED] src=220.244.8.194 dst=79.153.70.95 sport=64198 dport=17678 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=61.69.174.75 dst=220.244.8.194 sport=37593 dport=64198 packets=1 bytes=131 [UNREPLIED] src=220.244.8.194 dst=61.69.174.75 sport=64198 dport=37593 packets=0 bytes=0 mark=0 use=1
udp      17 22 src=221.45.36.187 dst=220.244.8.194 sport=10988 dport=64198 packets=1 bytes=129 [UNREPLIED] src=220.244.8.194 dst=221.45.36.187 sport=64198 dport=10988 packets=0 bytes=0 mark=0 use=1
udp      17 18 src=10.1.1.5 dst=10.1.1.1 sport=1025 dport=53 packets=2 bytes=178 [UNREPLIED] src=10.1.1.1 dst=10.1.1.5 sport=53 dport=1025 packets=0 bytes=0 mark=0 use=1
udp      17 8 src=79.76.160.7 dst=220.244.8.194 sport=8766 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=79.76.160.7 sport=64198 dport=8766 packets=0 bytes=0 mark=0 use=1
udp      17 16 src=221.225.78.47 dst=220.244.8.194 sport=6582 dport=64198 packets=1 bytes=129 [UNREPLIED] src=220.244.8.194 dst=221.225.78.47 sport=64198 dport=6582 packets=0 bytes=0 mark=0 use=1
udp      17 9 src=115.82.211.193 dst=220.244.8.194 sport=9200 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=115.82.211.193 sport=64198 dport=9200 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=218.173.110.174 dst=220.244.8.194 sport=20364 dport=64198 packets=1 bytes=129 [UNREPLIED] src=220.244.8.194 dst=218.173.110.174 sport=64198 dport=20364 packets=0 bytes=0 mark=0 use=1
udp      17 16 src=123.221.156.73 dst=220.244.8.194 sport=42847 dport=64198 packets=1 bytes=131 [UNREPLIED] src=220.244.8.194 dst=123.221.156.73 sport=64198 dport=42847 packets=0 bytes=0 mark=0 use=1
udp      17 8 src=78.62.125.147 dst=220.244.8.194 sport=13209 dport=64198 packets=1 bytes=131 [UNREPLIED] src=220.244.8.194 dst=78.62.125.147 sport=64198 dport=13209 packets=0 bytes=0 mark=0 use=1
udp      17 18 src=84.54.156.171 dst=220.244.8.194 sport=8939 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=84.54.156.171 sport=64198 dport=8939 packets=0 bytes=0 mark=0 use=1
udp      17 23 src=80.34.231.227 dst=220.244.8.194 sport=61525 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=80.34.231.227 sport=64198 dport=61525 packets=0 bytes=0 mark=0 use=1
udp      17 8 src=91.154.72.246 dst=220.244.8.194 sport=7189 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=91.154.72.246 sport=64198 dport=7189 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=10.1.1.5 dst=10.255.255.255 sport=137 dport=137 packets=18 bytes=1674 [UNREPLIED] src=10.255.255.255 dst=10.1.1.5 sport=137 dport=137 packets=0 bytes=0 mark=0 use=1
udp      17 18 src=118.208.174.37 dst=220.244.8.194 sport=50020 dport=64198 packets=1 bytes=131 [UNREPLIED] src=220.244.8.194 dst=118.208.174.37 sport=64198 dport=50020 packets=0 bytes=0 mark=0 use=1
udp      17 13 src=142.161.179.138 dst=220.244.8.194 sport=9704 dport=64198 packets=1 bytes=129 [UNREPLIED] src=220.244.8.194 dst=142.161.179.138 sport=64198 dport=9704 packets=0 bytes=0 mark=0 use=1
udp      17 25 src=158.37.101.180 dst=220.244.8.194 sport=35551 dport=64198 packets=1 bytes=131 [UNREPLIED] src=220.244.8.194 dst=158.37.101.180 sport=64198 dport=35551 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=114.92.96.136 dst=220.244.8.194 sport=38193 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=114.92.96.136 sport=64198 dport=38193 packets=0 bytes=0 mark=0 use=1
udp      17 7 src=123.195.34.196 dst=220.244.8.194 sport=23688 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=123.195.34.196 sport=64198 dport=23688 packets=0 bytes=0 mark=0 use=1
udp      17 25 src=120.2.34.235 dst=220.244.8.194 sport=31980 dport=64198 packets=2 bytes=258 [UNREPLIED] src=220.244.8.194 dst=120.2.34.235 sport=64198 dport=31980 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=84.60.148.211 dst=220.244.8.194 sport=10644 dport=64198 packets=1 bytes=129 [UNREPLIED] src=220.244.8.194 dst=84.60.148.211 sport=64198 dport=10644 packets=0 bytes=0 mark=0 use=1
udp      17 21 src=60.48.104.132 dst=220.244.8.194 sport=36988 dport=64198 packets=1 bytes=131 [UNREPLIED] src=220.244.8.194 dst=60.48.104.132 sport=64198 dport=36988 packets=0 bytes=0 mark=0 use=1
tcp      6 6 CLOSE src=10.1.1.5 dst=10.1.1.4 sport=4824 dport=10000 packets=21 bytes=2620 src=10.1.1.4 dst=10.1.1.5 sport=10000 dport=4824 packets=31 bytes=23771 [ASSURED] mark=0 use=1
udp      17 28 src=79.151.146.33 dst=220.244.8.194 sport=50029 dport=64198 packets=3 bytes=393 [UNREPLIED] src=220.244.8.194 dst=79.151.146.33 sport=64198 dport=50029 packets=0 bytes=0 mark=0 use=1
udp      17 15 src=59.57.158.74 dst=220.244.8.194 sport=26668 dport=64198 packets=1 bytes=129 [UNREPLIED] src=220.244.8.194 dst=59.57.158.74 sport=64198 dport=26668 packets=0 bytes=0 mark=0 use=1
udp      17 27 src=10.1.1.5 dst=10.255.255.255 sport=138 dport=138 packets=10 bytes=2152 [UNREPLIED] src=10.255.255.255 dst=10.1.1.5 sport=138 dport=138 packets=0 bytes=0 mark=0 use=1
udp      17 19 src=64.231.70.197 dst=220.244.8.194 sport=61196 dport=64198 packets=1 bytes=131 [UNREPLIED] src=220.244.8.194 dst=64.231.70.197 sport=64198 dport=61196 packets=0 bytes=0 mark=0 use=1
udp      17 4 src=89.110.10.155 dst=220.244.8.194 sport=12584 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=89.110.10.155 sport=64198 dport=12584 packets=0 bytes=0 mark=0 use=1
udp      17 2 src=58.8.212.237 dst=220.244.8.194 sport=24608 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=58.8.212.237 sport=64198 dport=24608 packets=0 bytes=0 mark=0 use=1
udp      17 18 src=71.131.202.243 dst=220.244.8.194 sport=25082 dport=64198 packets=1 bytes=126 [UNREPLIED] src=220.244.8.194 dst=71.131.202.243 sport=64198 dport=25082 packets=0 bytes=0 mark=0 use=1
udp      17 6 src=67.240.47.247 dst=220.244.8.194 sport=63323 dport=64198 packets=1 bytes=131 [UNREPLIED] src=220.244.8.194 dst=67.240.47.247 sport=64198 dport=63323 packets=0 bytes=0 mark=0 use=1

IP Configuration

1: lo: &lt;LOOPBACK,UP,10000&gt; mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth2: &lt;BROADCAST,MULTICAST,UP,10000&gt; mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:15:58:1d:4b:4f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::215:58ff:fe1d:4b4f/64 scope link 
       valid_lft forever preferred_lft forever
3: eth0: &lt;NO-CARRIER,BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:4c:50:18:fd brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/8 brd 10.255.255.255 scope global eth0
4: eth1: &lt;BROADCAST,MULTICAST,UP,10000&gt; mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:4c:50:16:70 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.4/8 brd 10.255.255.255 scope global eth1
    inet6 fe80::2e0:4cff:fe50:1670/64 scope link 
       valid_lft forever preferred_lft forever
5: sit0: &lt;NOARP&gt; mtu 1480 qdisc noop 
    link/sit 0.0.0.0 brd 0.0.0.0
6: ppp0: &lt;POINTOPOINT,MULTICAST,NOARP,UP,10000&gt; mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp 
    inet 220.244.8.194 peer 10.20.20.125/32 scope global ppp0

IP Stats

1: lo: &lt;LOOPBACK,UP,10000&gt; mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast   
    560        8        0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    560        8        0       0       0       0      
2: eth2: &lt;BROADCAST,MULTICAST,UP,10000&gt; mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:15:58:1d:4b:4f brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    13726      107      0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    15905      108      0       0       0       0      
3: eth0: &lt;NO-CARRIER,BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:4c:50:18:fd brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0      
4: eth1: &lt;BROADCAST,MULTICAST,UP,10000&gt; mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:4c:50:16:70 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    102922     729      0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    612605     905      0       0       0       0      
5: sit0: &lt;NOARP&gt; mtu 1480 qdisc noop 
    link/sit 0.0.0.0 brd 0.0.0.0
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0      
6: ppp0: &lt;POINTOPOINT,MULTICAST,NOARP,UP,10000&gt; mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp 
    RX: bytes  packets  errors  dropped overrun mcast   
    10550      89       0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    12646      90       0       0       0       0      

/proc

   /proc/version = Linux version 2.6.18-5-686 (Debian 2.6.18.dfsg.1-17) (dannf&lt; at &gt;debian.org) (gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP Mon Dec 24 16:41:07 UTC 2007
   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/arp_ignore = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 1
   /proc/sys/net/ipv4/conf/all/log_martians = 0
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/arp_ignore = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 1
   /proc/sys/net/ipv4/conf/default/log_martians = 0
   /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/log_martians = 0
   /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth1/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/log_martians = 0
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 0
   /proc/sys/net/ipv4/conf/lo/log_martians = 0
   /proc/sys/net/ipv4/conf/ppp0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/ppp0/arp_filter = 0
   /proc/sys/net/ipv4/conf/ppp0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/ppp0/rp_filter = 1
   /proc/sys/net/ipv4/conf/ppp0/log_martians = 0

Routing Rules

0:from all lookup 255 
32766:from all lookup main 
32767:from all lookup default 

Table 255:

broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1 
broadcast 10.0.0.0 dev eth1  proto kernel  scope link  src 10.1.1.4 
broadcast 10.0.0.0 dev eth0  proto kernel  scope link  src 10.1.1.1 
broadcast 10.255.255.255 dev eth1  proto kernel  scope link  src 10.1.1.4 
broadcast 10.255.255.255 dev eth0  proto kernel  scope link  src 10.1.1.1 
local 10.1.1.4 dev eth1  proto kernel  scope host  src 10.1.1.4 
local 220.244.8.194 dev ppp0  proto kernel  scope host  src 220.244.8.194 
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1 
local 10.1.1.1 dev eth0  proto kernel  scope host  src 10.1.1.1 
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1 
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1 

Table default:


Table main:

10.20.20.125 dev ppp0  proto kernel  scope link  src 220.244.8.194 
10.0.0.0/8 dev eth1  proto kernel  scope link  src 10.1.1.4 
10.0.0.0/8 dev eth0  proto kernel  scope link  src 10.1.1.1 
default dev ppp0  scope link 

ARP

? (10.1.1.5) at 00:E0:4C:50:16:2F [ether] on eth1
? (10.20.20.125) at &lt;from_interface&gt; PERM PUB on eth1

Modules

ip_conntrack           49088  24 ipt_MASQUERADE,ip_nat_tftp,ip_nat_snmp_basic,ip_nat_sip,ip_nat_pptp,ip_nat_irc,ip_nat_h323,ip_nat_ftp,ip_nat_amanda,ip_conntrack_tftp,ip_conntrack_sip,ip_conntrack_pptp,ip_conntrack_netbios_ns,ip_conntrack_irc,ip_conntrack_h323,ip_conntrack_ftp,ip_conntrack_amanda,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,ip_nat
ip_conntrack_amanda     4932  1 ip_nat_amanda
ip_conntrack_ftp        7760  1 ip_nat_ftp
ip_conntrack_h323      47676  1 ip_nat_h323
ip_conntrack_irc        6800  1 ip_nat_irc
ip_conntrack_netbios_ns     3040  0 
ip_conntrack_pptp      11504  1 ip_nat_pptp
ip_conntrack_sip        7376  1 ip_nat_sip
ip_conntrack_tftp       4344  1 ip_nat_tftp
ip_nat                 16876  12 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ip_nat_tftp,ip_nat_sip,ip_nat_pptp,ip_nat_irc,ip_nat_h323,ip_nat_ftp,ip_nat_amanda,iptable_nat
ip_nat_amanda           2400  0 
ip_nat_ftp              3328  0 
ip_nat_h323             7104  0 
ip_nat_irc              2720  0 
ip_nat_pptp             5988  0 
ip_nat_sip              4096  0 
ip_nat_snmp_basic       9316  0 
ip_nat_tftp             1920  0 
iptable_filter          3104  1 
iptable_mangle          2880  1 
iptable_nat             7044  1 
iptable_raw             2144  0 
ip_tables              13028  4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
ipt_addrtype            1952  0 
ipt_ah                  2016  0 
ipt_CLUSTERIP           8196  0 
ipt_dscp                1792  0 
ipt_DSCP                2336  0 
ipt_ecn                 2304  0 
ipt_ECN                 3072  0 
ipt_hashlimit           8744  0 
ipt_iprange             1888  0 
ipt_LOG                 6112  7 
ipt_MASQUERADE          3712  2 
ipt_NETMAP              2176  0 
ipt_owner               2080  0 
ipt_recent              8432  0 
ipt_REDIRECT            2176  0 
ipt_REJECT              5248  4 
ipt_SAME                2496  0 
ipt_TCPMSS              4096  0 
ipt_tos                 1760  0 
ipt_TOS                 2304  0 
ipt_ttl                 1984  0 
ipt_TTL                 2400  0 
ipt_ULOG                7780  0 
xt_CLASSIFY             1984  0 
xt_comment              1952  0 
xt_connmark             2144  0 
xt_CONNMARK             2464  0 
xt_conntrack            2624  0 
xt_dccp                 3396  0 
xt_helper               2560  0 
xt_length               2048  0 
xt_limit                2752  0 
xt_mac                  2016  0 
xt_mark                 1984  0 
xt_MARK                 2464  0 
xt_multiport            3264  4 
xt_NFQUEUE              2144  0 
xt_physdev              3024  0 
xt_pkttype              2016  4 
xt_policy               3648  0 
xt_state                2272  23 
xt_tcpmss               2336  0 
xt_tcpudp               3136  16 

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   Physdev-is-bridged Support: Available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Not available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Available
   Extended MARK Target: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available
   NFQUEUE Target: Available

Traffic Control

Device eth2:
qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 15701 bytes 109 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 

Device eth0:
qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 

Device eth1:
qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 611722 bytes 906 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 

Device ppp0:
qdisc pfifo_fast 0: bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 12744 bytes 87 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 


TC Filters

Device eth2:

Device eth0:

Device eth1:

Device ppp0:

</description>
    <dc:creator>Phillipus Gunawan</dc:creator>
    <dc:date>2008-11-25T02:22:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.shorewall/21001">
    <title>shorewall newbie</title>
    <link>http://comments.gmane.org/gmane.comp.security.shorewall/21001</link>
    <description>
Shorewall version 4.0.14
Debian Etch
Webmin Version 1.441

eth0 -&gt; connected to ADSL bridged modem, working OK using RP-PPPoE, outputting ppp0 with the correct IP from TPG
eth1 -&gt; 10.1.1.1 connected to a router, acts as gateway for other hosts
eth2 -&gt; 10.1.1.4 connected to wireless router


Problem 1

Ignoring the use of eth1, I installed Debian with eth2 plugged in.

When I'm using eth2, I can log in to my box (using Webmin) to configure Debian using either the 10.1.1.1 or the 10.1.1.4 address, and I can ping other hosts (e.g. 10.1.1.5). But when I use eth2, I can't ping or do anything; the ping result from Debian is: From 10.1.1.4 Host Unreachable

What mistake did I make? Why can't I use eth1 connected to the other hosts?


Problem 2

PPPoE is up and running, and I can ping any web address from Debian (e.g. www.yahoo.com).
But I'm not able to make another host (e.g. 10.1.1.5) connect to the internet via the gateway on either eth1 or eth2.

Again, ignoring the use of eth2, if I can configure eth1 to talk with the other hosts, how can I make Shorewall work to share the internet?

Shorewall configuration

Interfaces
#ZONE    INT