Simon Matter | 13 Oct 18:18 2011

Re: TC issues after updating from RHEL4 to RHEL6

> On Wed, 2011-10-12 at 17:53 +0200, Simon Matter wrote:
>> > On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote:
>> >
>> >> No, sorry - I've tried to reproduce this problem on Foobar6.1 which is
>> >> RHEL6-based and I'm seeing no problem.
>> >
>> > I've done a bit more testing. Foobar6.1 is running kernel
>> > 2.6.32-131.17.1 whereas my Centos6 installation is running
>> > 2.6.32-71.29.1. Foobar6.1 works as expected while Centos6 shows download
>> > speeds significantly below IN-BANDWIDTH. I'm seeing 22-23Mbit when I set
>> > the IN-BANDWIDTH to 30mbit. While that is not as bad as you are seeing,
>> > it shows that there are significant differences between RHEL6 kernel
>> > versions.
>>
>> Hm, I have to redo my tests then. My initial testing was with CentOS 6 on
>> box A. Box B also and still runs CentOS 6 while box A now runs stock
>> RHEL6.1 kernel. So, it may be that only the testbox running CentOS is
>> affected, I'll test it later today.
>
> I added the centos-cr repo and updated my CentOS 6 VM. It now runs at
> full speed.

The testbox I'm using is CentOS6 with CR enabled. Now, I also updated the
kernel to 2.6.32-131.17.1.el6.x86_64 from RedHat, and it doesn't change
anything. Download with wget shows something between 30 and 200K/s, while

Fabio Correa | 13 Oct 20:36 2011

more than one ip on the firewall

Hi guys, I need help and I don't know what to look for in the help
files. I have a gateway which responds for 2 IPs, and for each of the IPs
I have an HTTP server. The HTTP servers are not running on the firewall.
The question is: how do I pass the requests on port 80 that arrive at IP1
and IP2 to the correct machines? I will be grateful for any hint. I
had never worked with a firewall which responds for more than one
static IP. Thank you all.

--

-- 
Fábio R Corrêa

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2d-oct
Simon Hobson | 13 Oct 20:57 2011

Re: more than one ip on the firewall

Fabio Correa wrote:

>I have a gateway which responds for 2 IPs, and for each of the IPs
>I have an HTTP server. The HTTP servers are not running on the firewall.
>The question is: how do I pass the requests on port 80 that arrive at IP1
>and IP2 to the correct machines?

It depends on what your internet connection is.
If it's PPP then all you need to do is add the right DNAT (IIRC) rule 
for each server. If you have an ethernet connection then you'd need 
to add the second IP as an alias to the outside interface - but I 
think Shorewall will do this automatically if you turn that on.

It might help if you give a few more details about your connection.

--

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

Laurent CARON | 13 Oct 20:44 2011

Re: more than one ip on the firewall

On 13/10/2011 20:36, Fabio Correa wrote:
> Hi guys, I need help and I don't know what to look for in the help
> files. I have a gateway which responds for 2 IPs, and for each of the IPs
> I have an HTTP server. The HTTP servers are not running on the firewall.
> The question is: how do I pass the requests on port 80 that arrive at IP1
> and IP2 to the correct machines? I will be grateful for any hint. I
> had never worked with a firewall which responds for more than one
> static IP. Thank you all.

Hi,

/etc/shorewall/rules

#ACTION  SOURCE  DEST               PROTO  DEST   SOURCE  ORIGINAL
#                                          PORT   PORT    DEST
DNAT     net     loc:192.168.201.1  tcp    www    -       EXT_IP1
DNAT     net     loc:192.168.201.2  tcp    www    -       EXT_IP2

Tom Eastep | 13 Oct 20:45 2011

Re: more than one ip on the firewall


On Oct 13, 2011, at 11:36 AM, Fabio Correa wrote:

> Hi guys, I need help and I don't know what to look for in the help
> files. I have a gateway which responds for 2 IPs, and for each of the IPs
> I have an HTTP server. The HTTP servers are not running on the firewall.
> The question is: how do I pass the requests on port 80 that arrive at IP1
> and IP2 to the correct machines? I will be grateful for any hint. I
> had never worked with a firewall which responds for more than one
> static IP. Thank you all.

See http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html for a description of the
things that you can do with multiple IP addresses. You probably want to look at the DNAT section.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Simon Matter | 13 Oct 22:22 2011

Re: TC issues after updating from RHEL4 to RHEL6

> On Wed, 2011-10-12 at 17:53 +0200, Simon Matter wrote:
>> > On Wed, 2011-10-12 at 06:48 -0700, Tom Eastep wrote:
>> >
>> >> No, sorry - I've tried to reproduce this problem on Foobar6.1 which is
>> >> RHEL6-based and I'm seeing no problem.
>> >
>> > I've done a bit more testing. Foobar6.1 is running kernel
>> > 2.6.32-131.17.1 whereas my Centos6 installation is running
>> > 2.6.32-71.29.1. Foobar6.1 works as expected while Centos6 shows download
>> > speeds significantly below IN-BANDWIDTH. I'm seeing 22-23Mbit when I set
>> > the IN-BANDWIDTH to 30mbit. While that is not as bad as you are seeing,
>> > it shows that there are significant differences between RHEL6 kernel
>> > versions.
>>
>> Hm, I have to redo my tests then. My initial testing was with CentOS 6 on
>> box A. Box B also and still runs CentOS 6 while box A now runs stock
>> RHEL6.1 kernel. So, it may be that only the testbox running CentOS is
>> affected, I'll test it later today.
>
> I added the centos-cr repo and updated my CentOS 6 VM. It now runs at
> full speed.

Tom, did you test with complex TC or simple TC?
I've just tested adding burst on one of the existing EL4 systems and it
indeed increases the download speed to almost full speed. However, the

Carina V. Barca | 13 Oct 23:12 2011

FW: No internet in local net with shorewall


I don't know if the email got lost, that's why I'm sending it again.
Sorry if I sent this twice.
From: carvandar <at> hotmail.com
To: shorewall-users <at> lists.sourceforge.net
Subject: Re: [Shorewall-users] No internet in local net with shorewall
Date: Wed, 12 Oct 2011 11:45:42 +0000

I'm sorry, here it goes, just like FAQ 15.
I must add that I can ping 8.8.8.8 or www.google.com, but I can't navigate.

Regards

--Forwarded message attachment--
From: teastep <at> shorewall.net
To: c
Date: Tue, 11 Oct 2011 12:02:04 -0700
Subject: Re: [Shorewall-users] No internet in local net with shorewall

On Tue, 2011-10-11 at 18:50 +0000, Carina V. Barca wrote:
>
> Tom: thanks for the answer.
> I attach what you asked..

But you clearly didn't read FAQ 15. Point number 4:

Forwarding is not enabled (This is often the problem for Debian
users). Enter this command:

cat /proc/sys/net/ipv4/ip_forward

If the value displayed is 0 (zero) then set IP_FORWARDING=On
in /etc/shorewall/shorewall.conf and restart Shorewall.

From the output of 'shorewall dump' that you posted (which is created
from the above command):

/proc/sys/net/ipv4/ip_forward = 0

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Shorewall 4.4.11.6 Dump at debian - mié oct 12 08:38:20 ART 2011

Counters reset mar oct 11 22:09:14 ART 2011

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 130K   14M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW 
 134K   14M net2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
   11   965 loc2fw     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW 
    0     0 net2loc    all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 loc_frwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 5008  768K fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    4   396 fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain Drop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 /* Auth */ 
    0     0 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 code 4 /* Needed ICMP types */ 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 /* Needed ICMP types */ 
    0     0 dropInvalid  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,445 /* SMB */ 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 /* SMB */ 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:137 dpts:1024:65535 /* SMB */ 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,139,445 /* SMB */ 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900 /* UPnP */ 
    0     0 dropNotSyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 /* Late DNS Replies */ 

Chain Reject (6 references)
 pkts bytes target     prot opt in     out     source               destination         
 128K   13M            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 /* Auth */ 
 128K   13M dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 code 4 /* Needed ICMP types */ 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 /* Needed ICMP types */ 
  145  8618 dropInvalid  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,445 /* SMB */ 
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 /* SMB */ 
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:137 dpts:1024:65535 /* SMB */ 
   52  2544 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,139,445 /* SMB */ 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900 /* UPnP */ 
   87  4208 dropNotSyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 /* Late DNS Replies */ 

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 127K   13M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type BROADCAST 
  373 96852 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4         

Chain dropInvalid (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   100 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID 

Chain dropNotSyn (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 

Chain dynamic (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   396 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68 
 4418  727K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
  590 41552 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   160 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 20,21,22,53,67,68,80,10000 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 53,67,68 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 /* Ping */ 
    7   805 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:loc2fw:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 20,21,22,25,43,53,63 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 110,123,143,443,465 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 587,993,995 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 43,53,63,123 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 /* Ping */ 
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:loc2net:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain loc_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2294  753K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68 
 3969  405K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
  297 17784 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
   14   792 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 /* Ping */ 
 128K   13M Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   91  5974 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:net2fw:REJECT:' 
   91  5974 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain net2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:net2loc:REJECT:' 
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain reject (13 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match src-type BROADCAST 
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0           
    0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0           
  139  6752 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
    4  1766 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-unreachable 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Log (/var/log/messages)


NAT Table

Chain PREROUTING (policy ACCEPT 229K packets, 28M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 229K   28M dnat       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 729 packets, 47112 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  729 47112 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 590 packets, 41552 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    7   805 loc_dnat   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       192.168.2.0/24       0.0.0.0/0           

Chain loc_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80,8080 redir ports 8080 

Mangle Table

Chain PREROUTING (policy ACCEPT 235K packets, 29M bytes)
 pkts bytes target     prot opt in     out     source               destination         
 235K   29M tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 134K packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK and 0xffffff00 
    0     0 tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 5012 packets, 769K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 5012  769K tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 5012 packets, 769K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 5012  769K tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Raw Table

Chain PREROUTING (policy ACCEPT 235K packets, 29M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 5012 packets, 769K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Conntrack Table (28 out of 32768)

src=xxx.xxx.100.200 dst=87.236.52.74 sport=22 dport=50081 packets=15 bytes=2453 [ASSURED] mark=0
secmark=0 use=1
udp      17 15 src=xxx.xxx.100.200 dst=200.45.191.35 sport=60731 dport=53 packets=1 bytes=71
src=200.45.191.35 dst=xxx.xxx.100.200 sport=53 dport=60731 packets=1 bytes=152 mark=0 secmark=0 use=1
tcp      6 79 TIME_WAIT src=87.236.52.74 dst=xxx.xxx.100.200 sport=51682 dport=22 packets=12 bytes=1168
src=xxx.xxx.100.200 dst=87.236.52.74 sport=22 dport=51682 packets=14 bytes=2401 [ASSURED] mark=0
secmark=0 use=1
udp      17 4 src=xxx.xxx.100.200 dst=200.45.191.35 sport=57399 dport=53 packets=1 bytes=71
src=200.45.191.35 dst=xxx.xxx.100.200 sport=53 dport=57399 packets=1 bytes=152 mark=0 secmark=0 use=1
tcp      6 85 TIME_WAIT src=87.236.52.74 dst=xxx.xxx.100.200 sport=52315 dport=22 packets=12 bytes=1168
src=xxx.xxx.100.200 dst=87.236.52.74 sport=22 dport=52315 packets=14 bytes=2401 [ASSURED] mark=0
secmark=0 use=1

IP Configuration

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    inet xxx.xxx.100.200/24 brd xxx.xxx.100.255 scope global eth0
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth1

IP Stats

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast   
    3212       47       0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    3212       47       0       0       0       0      
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:19:d1:dd:af:d1 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    49709231   434598   0       0       0       476    
    TX: bytes  packets  errors  dropped carrier collsns 
    915614     5783     0       0       0       0      
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:27:19:b1:6b:69 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    493638     5060     0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    3025939    4734     0       0       0       0      

/proc

   /proc/version = Linux version 2.6.26-2-686 (Debian 2.6.26-19) (dannf <at> debian.org) (gcc version 4.1.3
20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Wed Aug 19 06:06:52 UTC 2009
   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/arp_ignore = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 1
   /proc/sys/net/ipv4/conf/all/log_martians = 0
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/arp_ignore = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 1
   /proc/sys/net/ipv4/conf/default/log_martians = 1
   /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth0/rp_filter = 1
   /proc/sys/net/ipv4/conf/eth0/log_martians = 1
   /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth1/rp_filter = 1
   /proc/sys/net/ipv4/conf/eth1/log_martians = 1
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 1
   /proc/sys/net/ipv4/conf/lo/log_martians = 1

Routing Rules

0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

Table default:


Table local:

broadcast 192.168.2.255 dev eth1  proto kernel  scope link  src 192.168.2.1 
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1 
broadcast xxx.xxx.100.255 dev eth0  proto kernel  scope link  src xxx.xxx.100.200 
local xxx.xxx.100.200 dev eth0  proto kernel  scope host  src xxx.xxx.100.200 
local 192.168.2.1 dev eth1  proto kernel  scope host  src 192.168.2.1 
broadcast 192.168.2.0 dev eth1  proto kernel  scope link  src 192.168.2.1 
broadcast xxx.xxx.100.0 dev eth0  proto kernel  scope link  src xxx.xxx.100.200 
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1 
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1 
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1 

Table main:

192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.1 
xxx.xxx.100.0/24 dev eth0  proto kernel  scope link  src xxx.xxx.100.200 
default via xxx.xxx.100.1 dev eth0 

ARP

? (xxx.xxx.100.138) at 00:09:0f:79:e7:04 [ether] on eth0
? (xxx.xxx.100.1) at 00:00:5a:10:0d:4c [ether] on eth0

Modules

iptable_filter          2624  1 
iptable_mangle          2688  1 
iptable_nat             4680  1 
iptable_raw             2176  0 
ip_tables              10160  4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
ipt_addrtype            2304  2 
ipt_ah                  1664  0 
ipt_CLUSTERIP           5956  0 
ipt_ecn                 1888  0 
ipt_ECN                 2336  0 
ipt_LOG                 5028  6 
ipt_MASQUERADE          2592  1 
ipt_NETMAP              1760  0 
ipt_recent              6908  0 
ipt_REDIRECT            1760  1 
ipt_REJECT              2784  4 
ipt_ttl                 1600  0 
ipt_TTL                 1856  0 
ipt_ULOG                6820  0 
nf_conntrack           55540  31 xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_amanda     3808  1 nf_nat_amanda
nf_conntrack_ftp        6852  1 nf_nat_ftp
nf_conntrack_h323      44712  1 nf_nat_h323
nf_conntrack_ipv4      12268  15 iptable_nat,nf_nat
nf_conntrack_irc        5124  1 nf_nat_irc
nf_conntrack_netbios_ns     2368  0 
nf_conntrack_netlink    14176  0 
nf_conntrack_pptp       5476  1 nf_nat_pptp
nf_conntrack_proto_gre     4416  1 nf_conntrack_pptp
nf_conntrack_proto_sctp     6600  0 
nf_conntrack_sane       4348  0 
nf_conntrack_sip       16124  1 nf_nat_sip
nf_conntrack_tftp       4180  1 nf_nat_tftp
nf_nat                 15576  13 ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_netlink,iptable_nat
nf_nat_amanda           1824  0 
nf_nat_ftp              2528  0 
nf_nat_h323             5728  0 
nf_nat_irc              2080  0 
nf_nat_pptp             2880  0 
nf_nat_proto_gre        2212  1 nf_nat_pptp
nf_nat_sip              5440  0 
nf_nat_snmp_basic       8296  0 
nf_nat_tftp             1568  0 
xt_CLASSIFY             1696  0 
xt_comment              1664  21 
xt_connlimit            3720  0 
xt_connmark             2368  0 
xt_CONNMARK             2944  0 
xt_conntrack            3488  12 
xt_dccp                 2696  0 
xt_dscp                 2368  0 
xt_DSCP                 2944  0 
xt_hashlimit            9360  0 
xt_helper               2112  0 
xt_iprange              2272  0 
xt_length               1760  0 
xt_limit                2180  0 
xt_mac                  1728  0 
xt_mark                 1952  0 
xt_MARK                 2304  1 
xt_multiport            2816  11 
xt_NFLOG                1824  0 
xt_NFQUEUE              1792  0 
xt_owner                2560  0 
xt_physdev              2352  0 
xt_pkttype              1728  0 
xt_policy               2848  0 
xt_realm                1536  0 
xt_state                2016  0 
xt_tcpmss               1984  0 
xt_tcpudp               2816  16 
xt_time                 2528  0 

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Extended Connection Tracking Match Support: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   Physdev-is-bridged Support: Available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Not available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Available
   Extended MARK Target: Available
   Extended MARK Target 2: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available
   NFQUEUE Target: Available
   Realm Match: Available
   Helper Match: Available
   Connlimit Match: Available
   Time Match: Available
   Goto Support: Available
   LOGMARK Target: Not available
   IPMARK Target: Not available
   LOG Target: Available
   Persistent SNAT: Not available
   TPROXY Target: Not available
   FLOW Classifier: Available
   fwmark route mask: Available

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:56326           0.0.0.0:*               LISTEN      2069/rpc.statd  
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2058/portmap    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2223/sshd       
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2246/cupsd      
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2513/exim4      
tcp        0      0 xxx.xxx.100.200:22       87.236.52.74:55303      TIME_WAIT   -               
tcp        0     68 xxx.xxx.100.200:22       87.236.52.74:55880      ESTABLISHED 6080/sshd: root [pr
tcp        0      0 xxx.xxx.100.200:22       87.236.52.74:53530      TIME_WAIT   -               
tcp        0      0 xxx.xxx.100.200:22       xxx.xxx.100.138:30086    ESTABLISHED 6048/sshd: cmateos 
tcp6       0      0 :::22                   :::*                    LISTEN      2223/sshd       
tcp6       0      0 ::1:631                 :::*                    LISTEN      2246/cupsd      
udp        0      0 0.0.0.0:33047           0.0.0.0:*                           2069/rpc.statd  
udp        0      0 0.0.0.0:973             0.0.0.0:*                           2069/rpc.statd  
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2058/portmap    
udp        0      0 0.0.0.0:631             0.0.0.0:*                           2246/cupsd      

Traffic Control

Device eth0:
qdisc pfifo_fast 0: root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 915862 bytes 5785 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 


Device eth1:
qdisc pfifo_fast 0: root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 3021564 bytes 4734 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 



TC Filters

Device eth0:

Device eth1:
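The conntrack table at the top of this dump is hard to read because each entry is wrapped across two or three lines by the mailer, and because most of its sixty-odd lines are short SSH sessions from one external address sitting in TIME_WAIT next to an established root login from the same address. The following script is an added example, not part of the original post and not Shorewall code: it re-joins the wrapped entries (the layout is the same as /proc/net/ip_conntrack), counts them by protocol and state, and lists which original-direction sources are talking to a given port. The sample entries are constructed and use documentation address ranges; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall's code): summarise the
# conntrack section of a 'shorewall dump'. POSIX sh + awk + sort only.

# Constructed sample, wrapped the same way the mailer wrapped the dump above.
# Addresses are from documentation ranges, not the ones in the thread.
SAMPLE_CT='tcp      6 109 TIME_WAIT src=203.0.113.74 dst=192.0.2.200 sport=54684 dport=22 packets=12 bytes=1152
src=192.0.2.200 dst=203.0.113.74 sport=22 dport=54684 packets=14 bytes=2401 [ASSURED] mark=0
secmark=0 use=1
tcp      6 96 TIME_WAIT src=203.0.113.74 dst=192.0.2.200 sport=53530 dport=22 packets=12 bytes=1152
src=192.0.2.200 dst=203.0.113.74 sport=22 dport=53530 packets=15 bytes=2453 [ASSURED] mark=0
secmark=0 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.138 dst=192.0.2.200 sport=30086 dport=22 packets=205
bytes=16980 src=192.0.2.200 dst=192.0.2.138 sport=22 dport=30086 packets=112
bytes=15593 [ASSURED] mark=0 secmark=0 use=2
udp      17 21 src=192.0.2.200 dst=198.51.100.35 sport=44916 dport=53 packets=1 bytes=71
src=198.51.100.35 dst=192.0.2.200 sport=53 dport=44916 packets=1 bytes=152 mark=0 secmark=0 use=1
udp      17 26 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67 packets=537 bytes=176136 [UNREPLIED]
src=255.255.255.255 dst=0.0.0.0 sport=67 dport=68 packets=0 bytes=0 mark=0 secmark=0 use=1'

# Re-join wrapped entries: a new entry starts with the protocol name; any
# other line is a continuation of the previous one.
ct_unwrap() {                       # $1 = conntrack text; prints one entry per line
    printf '%s\n' "$1" | awk '
        /^(tcp|udp|icmp|unknown)[ \t]/ { if (buf != "") print buf; buf = $0; next }
        { buf = buf " " $0 }
        END { if (buf != "") print buf }'
}

# Count entries by protocol and (for tcp) state: "proto state count".
ct_summary() {                      # $1 = conntrack text
    ct_unwrap "$1" | awk '
        { state = ($1 == "tcp") ? $4 : "-"; n[$1 " " state]++ }
        END { for (k in n) print k, n[k] }' | sort
}

# Which original-direction sources have entries to a destination port.
# Only the first src=/dport= pair of each entry is used: that is the
# direction the connection was opened in, not the reply tuple.
ct_clients_to_port() {              # $1 = conntrack text, $2 = dport
    ct_unwrap "$1" | awk -v port="$2" '
        { src = ""; dport = ""
          for (i = 1; i <= NF; i++) {
              if (src == "" && $i ~ /^src=/) src = substr($i, 5)
              if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
          }
          if (dport == port) n[src]++ }
        END { for (s in n) print s, n[s] }' | sort -k2,2nr -k1,1
}

echo "== entries by proto/state =="
ct_summary "$SAMPLE_CT"
echo "== sources with entries to tcp/22 =="
ct_clients_to_port "$SAMPLE_CT" 22
```

Run against a real dump with `ct_summary "$(sed -n '/^Connection Tracking/,/^IP Configuration/p' dump.txt)"` or similar; the point is that one external address opening many short SSH sessions in a row, as the table above shows, is the kind of pattern worth confirming against what is expected on that host rather than reading past.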

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2d-oct
Joshua J. Kugler | 13 Oct 23:23 2011

Re: FW: No internet in local net with shorewall

I have had cases where Shorewall did not properly set ip forwarding to 
true, even though IP_FORWARDING=On was set in the config file.  I never 
bothered to investigate, I just put

echo 1 > /proc/sys/net/ipv4/ip_forward

in my

/etc/rc.local

file and called it a day.

But this was an old version of Shorewall. What version are you using?

j

On Thursday, October 13, 2011, Carina V. Barca elucidated thus:
> I don't know if the email lost, that's why I send it again.
> Sorry if I send this twice.
> From: carvandar <at> hotmail.com
> To: shorewall-users <at> lists.sourceforge.net
> Subject: Re: [Shorewall-users] No internet in local net with
> shorewall Date: Wed, 12 Oct 2011 11:45:42 +0000
> 
> I'm sorry, here it goes just like faq 15.
> I must add that I can ping 8.8.8.8 or www.google.com, but I can't
> navigate.
> 
> Regards
> 
> --Forwarded message attachment--
> From: teastep <at> shorewall.net
> To: c
> Date: Tue, 11 Oct 2011 12:02:04 -0700
> Subject: Re: [Shorewall-users] No internet in local net with
> shorewall
> 
> On Tue, 2011-10-11 at 18:50 +0000, Carina V. Barca wrote:
> > Tom: thanks for the answer.
> > I attach what you asked..
> 
> But you clearly didn't read FAQ 15. Point number 4:
> 
>         Forwarding is not enabled (This is often the problem for
> Debian users). Enter this command:
> 
>         cat /proc/sys/net/ipv4/ip_forward
> 
>         If the value displayed is 0 (zero) then set IP_FORWARDING=On
>         in /etc/shorewall/shorewall.conf and restart Shorewall.
> 
> From the output of 'shorewall dump' that you posted (which is created
> from the above command):
> 
>          /proc/sys/net/ipv4/ip_forward = 0
> 
> -Tom

--

-- 
Joshua Kugler
Part-Time System Admin/Programmer
http://www.eeinternet.com - Fairbanks, AK
PGP Key: http://pgp.mit.edu/  ID 0x73B13B6A
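Tom's FAQ 15 check and Joshua's rc.local workaround both come down to one value in the dump, `/proc/sys/net/ipv4/ip_forward`. The script below is an added example, not part of the thread and not Shorewall's code: it reads the same values out of a saved `shorewall dump` text (so a reply like Tom's can be checked mechanically rather than by eye), flags forwarding being off and the absence of a default route, and offers the live one-liner for comparison. The sample dump is constructed with forwarding disabled, as in Carina's case; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall's code): triage a saved
# 'shorewall dump' for the forwarding problem in FAQ 15 point 4. POSIX sh + awk.

# Constructed sample: a trimmed dump with ip_forward = 0, the situation in
# the thread. Addresses are from documentation ranges.
SAMPLE_DUMP='/proc

   /proc/sys/net/ipv4/ip_forward = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 1

Routing Rules

0:      from all lookup local

Table main:

192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.1
default via 192.0.2.1 dev eth0
'

# Value of one /proc/sys key as recorded in the dump (empty if absent).
dump_sysctl() {                     # $1 = dump text, $2 = key path below /proc/sys/
    printf '%s\n' "$1" | awk -v key="/proc/sys/$2" \
        '$1 == key && $2 == "=" { print $3; exit }'
}

# Succeeds when "Table main:" in the dump contains a default route.
dump_has_default_route() {          # $1 = dump text
    printf '%s\n' "$1" | awk '
        /^Table main:/ { in_main = 1; next }
        /^Table /      { in_main = 0 }
        in_main && $1 == "default" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# One line per finding; returns 0 when nothing is wrong.
triage_dump() {                     # $1 = dump text
    dump=$1
    rc=0
    fwd=$(dump_sysctl "$dump" net/ipv4/ip_forward)
    case $fwd in
        1) ;;
        0) echo "FAIL ip_forward=0: set IP_FORWARDING=On in shorewall.conf and restart Shorewall"; rc=1 ;;
        *) echo "WARN ip_forward not present in dump"; rc=1 ;;
    esac
    if ! dump_has_default_route "$dump"; then
        echo "FAIL no default route in Table main"; rc=1
    fi
    return $rc
}

# Live-system counterpart of the same check (what FAQ 15 tells you to run).
live_ip_forward() { cat /proc/sys/net/ipv4/ip_forward 2>/dev/null; }

triage_dump "$SAMPLE_DUMP" || echo "status: problems found"
```

If `triage_dump` reports ip_forward=0 but shorewall.conf already has IP_FORWARDING=On, the value is being reset after Shorewall starts; a persistent `net.ipv4.ip_forward = 1` in /etc/sysctl.conf is the usual alternative to the rc.local echo above, and either way the live check is `cat /proc/sys/net/ipv4/ip_forward` after boot.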

Yogesh Phatak | 14 Oct 03:20 2011

Re: FW: No internet in local net with shorewall

Thanks for your reply. I am using Shorewall 4.4.11.6 and IP forwarding is set to 1 already:
 
/proc/sys/net/ipv4/ip_forward = 1
Also for DNS resolution I had added following rules:
 
###Next 4 Lines for DNS Resolution####
ACCEPT     loc       $FW                udp       53
ACCEPT     loc       $FW                tcp       53
ACCEPT     $FW       net                udp       53
ACCEPT     $FW       net                tcp       53

Is there any limitation on adding rules in the /etc/shorewall/rules file?
 
Regards,
Yogesh
 
On Fri, Oct 14, 2011 at 2:42 AM, Carina V. Barca <carvandar <at> hotmail.com> wrote:

I don't know if the email lost, that's why I send it again.
Sorry if I send this twice.
From: carvandar <at> hotmail.com
To: shorewall-users <at> lists.sourceforge.net
Subject: Re: [Shorewall-users] No internet in local net with shorewall
Date: Wed, 12 Oct 2011 11:45:42 +0000

I'm sorry, here it goes just like faq 15.
I must add that I can ping 8.8.8.8 or www.google.com, but I can't navigate.

Regards

--Forwarded message attachment--
From: teastep <at> shorewall.net
To: c
Date: Tue, 11 Oct 2011 12:02:04 -0700
Subject: Re: [Shorewall-users] No internet in local net with shorewall

On Tue, 2011-10-11 at 18:50 +0000, Carina V. Barca wrote:
>
> Tom: thanks for the answer.
> I attach what you asked..

But you clearly didn't read FAQ 15. Point number 4:

Forwarding is not enabled (This is often the problem for Debian
users). Enter this command:

cat /proc/sys/net/ipv4/ip_forward

If the value displayed is 0 (zero) then set IP_FORWARDING=On
in /etc/shorewall/shorewall.conf and restart Shorewall.

From the output of 'shorewall dump' that you posted (which is created
from the above command):

/proc/sys/net/ipv4/ip_forward = 0

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users




--
Best Regards,
Yogesh Phatak.
Email ID : yoogesh <at> gmail.com
Cell : + 91 98233 00724
http://picasaweb.google.com/yoogesh

-----------------------------
Before you start some work, always ask yourself three questions - Why am I doing it, What the results might be and Will I be successful. Only when you think deeply
and find satisfactory answers to these questions, go ahead.
-----------------------------
Yogesh Phatak | 14 Oct 03:22 2011

Re: Shorewall Stop working

Yes, the IP is reachable from the network (client) system.
Yogesh
On Thu, Oct 13, 2011 at 7:39 PM, Tom Eastep <teastep <at> shorewall.net> wrote:
On Thu, 2011-10-13 at 13:53 +0530, Yogesh Phatak wrote:
>         Hello Team,
>
>         I have implemented the two-interface Shorewall on our network.
>         Previously it was working properly but suddenly its stop
>         working. Whenever we tried to browse any site
>         (blocked/allowed) , it say Connection timeout.
>         I am attaching the shorewall-dump output and would like to
>         request you to please help in this matter.

Yogesh,

I don't see anything wrong with the configuration -- if you 'shorewall
clear', can the local hosts ping 192.168.1.2?

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________






--
Best Regards,
Yogesh Phatak.
Email ID : yoogesh <at> gmail.com
Cell : + 91 98233 00724
http://picasaweb.google.com/yoogesh

