Tom Eastep | 3 Jan 17:27 2016

Shorewall 4.6.13.4

Shorewall 4.6.13.4 is now available for download.

Problems Corrected:

1)  This release includes a couple of additional configure/install
     fixes from Matt Darfeuille.

2)  The DROP command was previously rejected in the mangle file. That
     has been corrected.

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Tom Eastep | 3 Jan 01:04 2016

Shorewall 5.0.3.1

Pardon the rapid-fire releases, but hopefully I have uploaded this 
before the distro maintainers have processed 5.0.3.

Problems Corrected:

1)  Previously, the compiler flagged DROP as an error in the mangle
     file. That action is now handled properly.

Thank you for using Shorewall,

-Tom

------------------------------------------------------------------------------
Bill Shirley | 2 Jan 17:26 2016

systemd shorewall[6].service file

[0:root@elmo my.tables 130]$ rpm -q shorewall
shorewall-4.6.11.1-2.fc22.noarch

Are there systemd service files for Fedora in Shorewall's code?  I had a problem with my last
reboot (power outage) where shorewall6.service failed (probably because shorewall.service was
running):
[1:root@elmo shorewall6 4]$ systemctl status shorewall6.service
● shorewall6.service - Shorewall IPv6 firewall
    Loaded: loaded (/usr/lib/systemd/system/shorewall6.service; enabled; vendor preset: disabled)
    Active: failed (Result: exit-code) since Fri 2015-12-18 13:18:40 EST; 2 weeks 0 days ago
  Main PID: 1889 (code=exited, status=255)

Dec 18 13:18:31 elmo.example.com shorewall6[1889]: Compiling...
Dec 18 13:18:35 elmo.example.com shorewall6[1889]: Processing /etc/shorewall6/params ...
Dec 18 13:18:35 elmo.example.com shorewall6[1889]: Processing /etc/shorewall6/shorewall6.conf...
Dec 18 13:18:35 elmo.example.com shorewall6[1889]: Loading Modules...
Dec 18 13:18:38 elmo.example.com shorewall6[1889]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Dec 18 13:18:40 elmo.example.com shorewall6[1889]: ERROR: Cannot Create Mangle chain fooX2349
Dec 18 13:18:40 elmo.example.com systemd[1]: shorewall6.service: main process exited, code=exited, status=255/n/a
Dec 18 13:18:40 elmo.example.com systemd[1]: Failed to start Shorewall IPv6 firewall.
Dec 18 13:18:40 elmo.example.com systemd[1]: Unit shorewall6.service entered failed state.
Dec 18 13:18:40 elmo.example.com systemd[1]: shorewall6.service failed.

If you do supply the service files, either shorewall.service needs:
[Unit]
Before=network-online.target shorewall6.service

or shorewall6.service needs:

Bill Shirley | 2 Jan 15:19 2016

Logging in mangle table

[1:root@elmo shorewall 148]$ rpm -q shorewall
shorewall-4.6.11.1-2.fc22.noarch

I'm trying to log any unmatched esp traffic in the mangle table and getting an error:
Checking /etc/shorewall/mangle...
    ERROR: LOG requires a level /etc/shorewall/mangle (line 63)

params:
MY_LOG_HASHLIMIT="-m hashlimit --hashlimit-upto 3/min --hashlimit-burst 2 --hashlimit-name lograte --hashlimit-mode srcip --hashlimit-htable-expire 60000"

mangle (all four INLINEs fail):
CONTINUE:P   -   -   esp     { test=!0/$CONNMASK }
#INLINE:P   -   -   esp     ; -j LOG --log-level 4 --log-prefix "Unknown esp partner"
#INLINE:P -   -   esp     ; -j LOG --log-level warning --log-prefix "Unknown esp partner" $MY_LOG_HASHLIMIT
INLINE:P   -   -   esp     ; -j LOG --log-level 4 --log-prefix "Unknown esp partner" $MY_LOG_HASHLIMIT
#INLINE:P   -   -   esp     ; $MY_LOG_HASHLIMIT -j LOG --log-level 4 --log-prefix "Unknown esp partner"

Also getting an error when I try to use DROP:
Checking /etc/shorewall/mangle...
    ERROR: Invalid ACTION (DROP) /etc/shorewall/mangle (line 61)

mangle:
DROP:P   -   -   esp

I can't seem to find the magical incantation to achieve this.

Also, can the compiler trigger an error when there is a lone underscore (\s_[\s$])?  I've had
a problem a couple of times where I typed an underscore instead of a dash.

Tom Eastep | 1 Jan 18:07 2016

Shorewall 5.0.3

Happy New Year everyone!

The Shorewall Team is pleased to announce the availability of Shorewall 
5.0.3.

Problems Corrected:

1)  To avoid interference with other subsystem settings, all released
     shorewall6.conf files now specify IP_FORWARDING=keep. Previously,
     the settings were inconsistent among the various sample files.

2)  This release includes more fixes to the configure, install and
     uninstall scripts (Matt Darfeuille).

3)  Previously, Shorewall6 rejected rules in which the SOURCE contained
     both an interface name and a MAC address (in Shorewall
     format). That defect has been corrected so that such rules are now
     accepted.

New Features:

1)  The MODULESDIR option in shorewall[6].conf has been extended to
     allow specification of additional directories to be added to those
     defaulted by Shorewall. If the specified value begins with "+",
     then the remainder of the value is assumed to be a colon-separated
     list of directory names that are relative to /lib/modules/`uname -r`.

     For example, to load the xt_RTPENGINE module, you would create
     /etc/shorewall/modules as follows:

Jacob W. Hiltz | 29 Dec 15:34 2015

Shorewall,HAProxy and TProxy

Shorewall version 4.6.4.3

I am trying to configure Shorewall such that it will allow HAProxy, running on the same machine, to pass through the connecting client's IP (transparent mode). I've tried to adapt a modified version of the squid transparent configuration using TProxy, but am unable to connect to the backend servers.

- Shorewall is the gateway for the backend servers
- HAProxy is correctly configured
- Kernel support compiled: "CONFIG_NETFILTER_TPROXY", "CONFIG_NETFILTER_XT_TARGET_TPROXY"

The below rules do fix my issue, allowing the connections. I am quite new to Shorewall/iptables but expect this to be somewhat of a tribal issue.

iptables -t mangle -N DIVERT
# Packets that already belong to a local socket (the transparent HAProxy listener)
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# Mark them; ACCEPT ends traversal of the mangle PREROUTING chain for these packets
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
# Policy routing: marked packets use table 100, which delivers everything to the local stack
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

------------------------------------------------------------------------------
Nigel Quinn | 23 Dec 18:47 2015

Shorewall SFILTER issue with CoovaChilli configuration

Hi,

I have been having some issues configuring Shorewall to work with the CoovaChilli access controller
software, and I'm hoping there is a simple solution to it. :)

So, I have a server: eth0 is WAN, eth1 is LAN, and tun10 is the tun interface that CoovaChilli puts onto eth1 to capture
all user traffic; it then authenticates the users against a RADIUS server and routes authenticated traffic to
eth0 to access the internet.

The problem I am having is that Shorewall intermittently has issues with the NATing of packets, so I see lots
of SFILTER messages showing return traffic coming into eth0 addressed to the IP addresses of PCs on
tun10 (192.168.200.0/24).  So at times the clients can access the internet and at other times they can't.
So why the SFILTER messages?  If the masq file is configured correctly, why is Shorewall not translating the
packets, or keeping track of the translation?

I hope that makes sense.  I've attached the Shorewall dump file; thanks in advance for any help.

Thanks,

Nigel

NSSLGlobal Ltd                                                  
Switchboard:     +44 (0) 1737 648 800        
Support:         +44 (0) 1737 648 864        
Fax:             +44 (0) 1737 648 888        
Email:          support <at> nsslglobal.com
Company Reg:    England, 3879526             

NSSLGlobal GmbH
Switchboard:    +49 4068 277-0
Support:        +49 4068 277-260
Fax:            +49 4068 277-135
Email:          support.de <at> nsslglobal.com
Company Reg:    Lubeck, HRB 9134 HL

Shorewall 4.5.16.1 Dump at aquamekong.cruisecontrolmail.com - Wed Dec 23 16:56:52 GMT 2015

Shorewall is running
State:Started (Wed Dec 23 16:55:46 GMT 2015) from /etc/shorewall/
Counters reset Wed Dec 23 16:55:46 GMT 2015

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    68 lan2fw     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
  344 58053 vsat2fw    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 chill2fw   all  --  tun10  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    7   672 lan_frwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    8   672 vsat_frwd  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 chill_frwd  all  --  tun10  *       0.0.0.0/0            0.0.0.0/0           
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 fw2lan     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    4   304 fw2vsat    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 fw2chill   all  --  *      tun10   0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain Broadcast (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type BROADCAST 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type MULTICAST 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type ANYCAST 
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4         

Chain Drop (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 /* Auth */ 
    0     0 Broadcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 code 4 /* Needed ICMP types */ 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 /* Needed ICMP types */ 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,445 /* SMB */ 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 /* SMB */ 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:137 dpts:1024:65535 /* SMB */ 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 135,139,445 /* SMB */ 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900 /* UPnP */ 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 /* Late DNS Replies */ 

Chain chill2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW,UNTRACKED 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 22,80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain chill2lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain chill2vsat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain chill_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 sfilter    all  --  *      tun10   0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW,UNTRACKED 
    0     0 chill2lan  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 chill2vsat  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain fw2chill (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.200.1       
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.200.1       multiport dports 53,67:68 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.1       multiport dports 80,443,3990,4990 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 3990,4990 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fw2lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 3990,4990 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fw2vsat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   152 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 3990,4990 
    2   152 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain lan2chill (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.200.1       
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.200.1       multiport dports 53,67:68 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.1       multiport dports 80,443,3990,4990 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain lan2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    68 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW,UNTRACKED 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 22,80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
    1    68 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain lan2vsat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    7   672 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain lan_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 sfilter    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW,UNTRACKED 
    7   672 lan2vsat   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 lan2chill  all  --  *      tun10   0.0.0.0/0            0.0.0.0/0           

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain reject (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match src-type BROADCAST 
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0           
    0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-unreachable 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain sfilter (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    8   672 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:sfilter:DROP:' 
    8   672 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain vsat2chill (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.200.1       
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.200.1       multiport dports 53,67:68 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.1       multiport dports 80,443,3990,4990 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain vsat2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  342 57901 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW,UNTRACKED 
    2   152 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 22,80 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
  342 57901 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain vsat2lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain vsat_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    8   672 sfilter    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW,UNTRACKED 
    0     0 vsat2lan   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 vsat2chill  all  --  *      tun10   0.0.0.0/0            0.0.0.0/0           

Log (/var/log/messages)

Dec 15 10:57:53 sfilter:DROP:IN=eth0 OUT=eth0 SRC=192.168.200.1 DST=192.168.200.10 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=0 PROTO=TCP SPT=22 DPT=1137 WINDOW=32768 RES=0x00 ACK SYN URGP=0
Dec 15 10:57:59 sfilter:DROP:IN=eth0 OUT=eth0 SRC=192.168.200.1 DST=192.168.200.10 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=0 PROTO=TCP SPT=22 DPT=1137 WINDOW=32768 RES=0x00 ACK SYN URGP=0
Dec 15 10:58:10 sfilter:DROP:IN=eth0 OUT=eth0 SRC=192.168.200.1 DST=192.168.200.10 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=0 PROTO=TCP SPT=22 DPT=1137 WINDOW=32768 RES=0x00 ACK SYN URGP=0
Dec 15 10:58:17 sfilter:DROP:IN=eth0 OUT=eth0 SRC=199.27.105.111 DST=192.168.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6000 DPT=6010 LEN=64
Dec 15 10:58:17 sfilter:DROP:IN=eth0 OUT=eth0 SRC=199.27.105.111 DST=192.168.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6000 DPT=6010 LEN=64
Dec 15 10:58:18 sfilter:DROP:IN=eth0 OUT=eth0 SRC=199.27.105.111 DST=192.168.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6000 DPT=6010 LEN=64
Dec 15 10:58:18 sfilter:DROP:IN=eth0 OUT=eth0 SRC=199.27.105.111 DST=192.168.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6000 DPT=6010 LEN=64
Dec 15 10:58:19 sfilter:DROP:IN=eth0 OUT=eth0 SRC=199.27.105.111 DST=192.168.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6000 DPT=6010 LEN=64
Dec 15 10:58:20 sfilter:DROP:IN=eth0 OUT=eth0 SRC=199.27.105.111 DST=192.168.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6000 DPT=6010 LEN=64
Dec 15 10:58:24 sfilter:DROP:IN=eth0 OUT=eth0 SRC=199.27.105.111 DST=192.168.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6000 DPT=6010 LEN=64
Dec 15 10:58:33 sfilter:DROP:IN=eth0 OUT=eth0 SRC=192.168.200.1 DST=192.168.200.10 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 PROTO=TCP SPT=22 DPT=1137 WINDOW=0 RES=0x00 ACK RST URGP=0
Dec 15 12:30:57 sfilter:DROP:IN=eth0 OUT=eth0 SRC=74.125.226.174 DST=192.168.200.10 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=0 PROTO=TCP SPT=443 DPT=1335 WINDOW=32768 RES=0x00 ACK SYN URGP=0
Dec 23 16:56:10 sfilter:DROP:IN=eth0 OUT=eth0 SRC=199.27.105.111 DST=192.168.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6000 DPT=6010 LEN=64
Dec 23 16:56:10 sfilter:DROP:IN=eth0 OUT=eth0 SRC=199.27.105.111 DST=192.168.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6000 DPT=6010 LEN=64
Dec 23 16:56:10 sfilter:DROP:IN=eth0 OUT=eth0 SRC=199.27.105.111 DST=192.168.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6000 DPT=6010 LEN=64
Dec 23 16:56:11 sfilter:DROP:IN=eth0 OUT=eth0 SRC=199.27.105.111 DST=192.168.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6000 DPT=6010 LEN=64
Dec 23 16:56:12 sfilter:DROP:IN=eth0 OUT=eth0 SRC=199.27.105.111 DST=192.168.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6000 DPT=6010 LEN=64
Dec 23 16:56:13 sfilter:DROP:IN=eth0 OUT=eth0 SRC=199.27.105.111 DST=192.168.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6000 DPT=6010 LEN=64
Dec 23 16:56:13 sfilter:DROP:IN=eth0 OUT=eth0 SRC=199.27.105.111 DST=192.168.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=46 ID=0 DF PROTO=UDP SPT=6000 DPT=6010 LEN=64
Dec 23 16:56:16 sfilter:DROP:IN=eth0 OUT=eth0 SRC=199.27.105.111 DST=192.168.200.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6000 DPT=6010 LEN=64

NAT Table

Chain PREROUTING (policy ACCEPT 20 packets, 2893 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   152 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       192.168.100.0/24     0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      *       192.168.200.0/24     0.0.0.0/0           

Mangle Table

Chain PREROUTING (policy ACCEPT 55 packets, 10199 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  598 83713 tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 39 packets, 7658 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  345 58121 tcin       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   15  1344 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK and 0xffffff00 
   15  1344 tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   304 tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   11   976 tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    7   672 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           MARK xset 0x3/0xff 

Chain tcin (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 MARK xset 0x1/0xff 
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 MARK xset 0x1/0xff 
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 50002,540,1526 MARK xset 0x1/0xff 
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport sports 50002,540,1526 MARK xset 0x1/0xff 
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 MARK xset 0x2/0xff 
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:80 MARK xset 0x2/0xff 

Chain tcpre (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Raw Table

Chain PREROUTING (policy ACCEPT 55 packets, 10199 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Conntrack Table (52 out of 65536)

ipv4     2 udp      17 165 src=10.110.0.227 dst=173.255.246.13 sport=123 dport=123 src=173.255.246.13 dst=10.110.0.227 sport=123 dport=123 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 unknown  2 583 src=192.168.1.254 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251 dst=192.168.1.254 mark=0 secmark=0 use=2
ipv4     2 udp      17 27 src=192.168.128.100 dst=255.255.255.255 sport=67 dport=68 [UNREPLIED] src=255.255.255.255 dst=192.168.128.100 sport=68 dport=67 mark=0 secmark=0 use=2
ipv4     2 udp      17 17 src=192.168.1.63 dst=255.255.255.255 sport=137 dport=137 [UNREPLIED] src=255.255.255.255 dst=192.168.1.63 sport=137 dport=137 mark=0 secmark=0 use=2
ipv4     2 unknown  2 583 src=192.168.128.17 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251 dst=192.168.128.17 mark=0 secmark=0 use=2
ipv4     2 unknown  2 583 src=192.168.128.35 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251 dst=192.168.128.35 mark=0 secmark=0 use=2
ipv4     2 unknown  2 495 src=10.110.1.185 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1 dst=10.110.1.185 mark=0 secmark=0 use=2
ipv4     2 unknown  2 583 src=192.168.128.44 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251 dst=192.168.128.44 mark=0 secmark=0 use=2
ipv4     2 udp      17 28 src=192.168.1.40 dst=255.255.255.255 sport=137 dport=137 [UNREPLIED] src=255.255.255.255 dst=192.168.1.40 sport=137 dport=137 mark=0 secmark=0 use=2
ipv4     2 unknown  2 584 src=192.168.1.13 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251 dst=192.168.1.13 mark=0 secmark=0 use=2
ipv4     2 udp      17 5 src=192.168.1.32 dst=255.255.255.255 sport=137 dport=137 [UNREPLIED] src=255.255.255.255 dst=192.168.1.32 sport=137 dport=137 mark=0 secmark=0 use=2
ipv4     2 udp      17 28 src=192.168.1.29 dst=224.0.0.251 sport=5353 dport=5353 [UNREPLIED] src=224.0.0.251 dst=192.168.1.29 sport=5353 dport=5353 mark=0 secmark=0 use=2
ipv4     2 unknown  2 584 src=192.168.128.18 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251 dst=192.168.128.18 mark=0 secmark=0 use=2
ipv4     2 unknown  2 583 src=10.6.0.73 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251 dst=10.6.0.73 mark=0 secmark=0 use=2
ipv4     2 udp      17 16 src=10.10.9.95 dst=255.255.255.255 sport=1026 dport=1947 [UNREPLIED] src=255.255.255.255 dst=10.10.9.95 sport=1947 dport=1026 mark=0 secmark=0 use=2
ipv4     2 udp      17 25 src=169.254.99.57 dst=224.0.0.251 sport=5353 dport=5353 [UNREPLIED] src=224.0.0.251 dst=169.254.99.57 sport=5353 dport=5353 mark=0 secmark=0 use=2
ipv4     2 udp      17 29 src=192.168.1.30 dst=255.255.255.255 sport=137 dport=137 [UNREPLIED] src=255.255.255.255 dst=192.168.1.30 sport=137 dport=137 mark=0 secmark=0 use=2
ipv4     2 udp      17 47 src=192.168.200.10 dst=199.27.105.109 sport=6010 dport=3478 src=199.27.105.109 dst=10.110.0.227 sport=3478 dport=6010 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 143 src=192.168.200.10 dst=199.27.105.111 sport=6010 dport=6000 src=199.27.105.111 dst=10.110.0.227 sport=6000 dport=6010 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 11 src=192.168.1.65 dst=224.0.0.251 sport=5353 dport=5353 [UNREPLIED] src=224.0.0.251 dst=192.168.1.65 sport=5353 dport=5353 mark=0 secmark=0 use=2
ipv4     2 udp      17 25 src=192.168.1.28 dst=255.255.255.255 sport=137 dport=137 [UNREPLIED] src=255.255.255.255 dst=192.168.1.28 sport=137 dport=137 mark=0 secmark=0 use=2
ipv4     2 unknown  2 495 src=213.52.50.198 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1 dst=213.52.50.198 mark=0 secmark=0 use=2
ipv4     2 unknown  2 496 src=10.6.0.73 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1 dst=10.6.0.73 mark=0 secmark=0 use=2
ipv4     2 unknown  2 264 src=192.168.100.254 dst=224.0.0.22 [UNREPLIED] src=224.0.0.22 dst=192.168.100.254 mark=0 secmark=0 use=2
ipv4     2 udp      17 79 src=192.168.200.10 dst=199.27.105.109 sport=6010 dport=6000 src=199.27.105.109 dst=10.110.0.227 sport=6000 dport=6010 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 unknown  2 583 src=192.168.128.39 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251
dst=192.168.128.39 mark=0 secmark=0 use=2
ipv4     2 udp      17 27 src=192.168.1.1 dst=255.255.255.255 sport=67 dport=68 [UNREPLIED]
src=255.255.255.255 dst=192.168.1.1 sport=68 dport=67 mark=0 secmark=0 use=2
ipv4     2 udp      17 111 src=192.168.200.10 dst=199.27.105.111 sport=6010 dport=3478 src=199.27.105.111
dst=10.110.0.227 sport=3478 dport=6010 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 unknown  2 370 src=192.168.128.235 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251
dst=192.168.128.235 mark=0 secmark=0 use=2
ipv4     2 unknown  2 279 src=10.110.0.227 dst=224.0.0.22 [UNREPLIED] src=224.0.0.22 dst=10.110.0.227
mark=0 secmark=0 use=2
ipv4     2 unknown  2 543 src=192.168.1.15 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251 dst=192.168.1.15
mark=0 secmark=0 use=2
ipv4     2 udp      17 28 src=192.168.1.76 dst=224.0.0.251 sport=5353 dport=5353 [UNREPLIED] src=224.0.0.251
dst=192.168.1.76 sport=5353 dport=5353 mark=0 secmark=0 use=2
ipv4     2 udp      17 11 src=192.168.1.84 dst=255.255.255.255 sport=17500 dport=17500 [UNREPLIED]
src=255.255.255.255 dst=192.168.1.84 sport=17500 dport=17500 mark=0 secmark=0 use=2
ipv4     2 unknown  2 495 src=82.133.60.112 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251
dst=82.133.60.112 mark=0 secmark=0 use=2
ipv4     2 udp      17 27 src=192.168.1.4 dst=255.255.255.255 sport=137 dport=137 [UNREPLIED]
src=255.255.255.255 dst=192.168.1.4 sport=137 dport=137 mark=0 secmark=0 use=2
ipv4     2 udp      17 26 src=192.168.1.14 dst=255.255.255.255 sport=137 dport=137 [UNREPLIED]
src=255.255.255.255 dst=192.168.1.14 sport=137 dport=137 mark=0 secmark=0 use=2
ipv4     2 unknown  2 515 src=134.159.223.210 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1
dst=134.159.223.210 mark=0 secmark=0 use=2
ipv4     2 udp      17 26 src=192.168.128.44 dst=224.0.0.251 sport=5353 dport=5353 [UNREPLIED]
src=224.0.0.251 dst=192.168.128.44 sport=5353 dport=5353 mark=0 secmark=0 use=2
ipv4     2 udp      17 28 src=192.168.1.21 dst=255.255.255.255 sport=137 dport=137 [UNREPLIED]
src=255.255.255.255 dst=192.168.1.21 sport=137 dport=137 mark=0 secmark=0 use=2
ipv4     2 udp      17 28 src=192.168.1.66 dst=255.255.255.255 sport=137 dport=137 [UNREPLIED]
src=255.255.255.255 dst=192.168.1.66 sport=137 dport=137 mark=0 secmark=0 use=2
ipv4     2 udp      17 27 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67 [UNREPLIED] src=255.255.255.255
dst=0.0.0.0 sport=67 dport=68 mark=0 secmark=0 use=2
ipv4     2 unknown  2 515 src=192.168.1.69 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251 dst=192.168.1.69
mark=0 secmark=0 use=2
ipv4     2 udp      17 2 src=192.168.1.69 dst=255.255.255.255 sport=137 dport=137 [UNREPLIED]
src=255.255.255.255 dst=192.168.1.69 sport=137 dport=137 mark=0 secmark=0 use=2
ipv4     2 unknown  2 515 src=81.4.133.247 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1 dst=81.4.133.247
mark=0 secmark=0 use=2
ipv4     2 unknown  2 515 src=104.129.91.216 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1 dst=104.129.91.216
mark=0 secmark=0 use=2
ipv4     2 unknown  2 583 src=192.168.128.251 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251
dst=192.168.128.251 mark=0 secmark=0 use=2
ipv4     2 unknown  2 282 src=192.168.1.68 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251 dst=192.168.1.68
mark=0 secmark=0 use=2
ipv4     2 udp      17 164 src=10.110.0.227 dst=129.250.35.250 sport=123 dport=123 src=129.250.35.250
dst=10.110.0.227 sport=123 dport=123 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 unknown  2 294 src=82.133.60.70 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251 dst=82.133.60.70
mark=0 secmark=0 use=2
ipv4     2 unknown  2 543 src=10.110.24.185 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1 dst=10.110.24.185
mark=0 secmark=0 use=2
ipv4     2 unknown  2 495 src=213.52.47.65 dst=224.0.0.1 [UNREPLIED] src=224.0.0.1 dst=213.52.47.65
mark=0 secmark=0 use=2
ipv4     2 udp      17 12 src=192.168.1.41 dst=255.255.255.255 sport=137 dport=137 [UNREPLIED]
src=255.255.255.255 dst=192.168.1.41 sport=137 dport=137 mark=0 secmark=0 use=2

IP Configuration

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    inet 127.0.0.1/8 scope host lo
6: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc prio state UP qlen 1000
    inet 10.110.0.227/28 brd 10.110.0.239 scope global eth0

IP Stats

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast   
    1973       20       0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    1973       20       0       0       0       0      
2: eth5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:25:90:61:eb:40 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0      
3: eth4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:25:90:61:eb:41 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0      
4: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:25:90:61:eb:42 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0      
5: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:25:90:61:eb:43 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0      
6: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc prio state UP qlen 1000
    link/ether 00:25:90:6c:38:06 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    954052     5828     0       0       0       2075   
    TX: bytes  packets  errors  dropped carrier collsns 
    99679      885      0       0       0       0      
7: eth1: <NO-CARRIER,BROADCAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:25:90:6c:38:07 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    96823      670      0       0       0       22     
    TX: bytes  packets  errors  dropped carrier collsns 
    125190     757      0       0       0       0      

Bridges

bridge name	bridge id		STP enabled	interfaces

Routing Rules

0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

Table default:

Table local:

local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.110.0.227 dev eth0 proto kernel scope host src 10.110.0.227
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.110.0.239 dev eth0 proto kernel scope link src 10.110.0.227
broadcast 10.110.0.224 dev eth0 proto kernel scope link src 10.110.0.227
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

Table main:

10.110.0.224/28 dev eth0 proto kernel scope link src 10.110.0.227
169.254.0.0/16 dev eth0 scope link metric 1006
default via 10.110.0.225 dev eth0

Per-IP Counters

   iptaccount is not installed

NF Accounting

No NF Accounting defined (nfacct not found)

/proc

   /proc/version = Linux version 2.6.32-220.17.1.el6.x86_64 (mockbuild@c6b5.bsys.dev.centos.org) (gcc version 4.4.6 20110731 (Red Hat 4.4.6-3) (GCC) ) #1 SMP Wed May 16 00:01:37 BST 2012
   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/arp_ignore = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 0
   /proc/sys/net/ipv4/conf/all/log_martians = 0
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/arp_ignore = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 0
   /proc/sys/net/ipv4/conf/default/log_martians = 1
   /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/log_martians = 1
   /proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth1/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth1/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth1/log_martians = 1
   /proc/sys/net/ipv4/conf/eth2/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth2/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth2/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth2/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth2/log_martians = 1
   /proc/sys/net/ipv4/conf/eth3/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth3/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth3/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth3/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth3/log_martians = 1
   /proc/sys/net/ipv4/conf/eth4/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth4/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth4/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth4/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth4/log_martians = 1
   /proc/sys/net/ipv4/conf/eth5/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth5/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth5/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth5/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth5/log_martians = 1
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 0
   /proc/sys/net/ipv4/conf/lo/log_martians = 1

ARP

? (10.110.0.225) at 00:20:0e:10:47:9a [ether] on eth0

Modules

ip_set                 31069  1 xt_set
iptable_filter          2793  1 
iptable_mangle          3349  1 
iptable_nat             6158  1 
iptable_raw             2264  0 
ip_tables              17831  4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
ipt_addrtype            2153  4 
ipt_ah                  1247  0 
ipt_CLUSTERIP           6988  0 
ipt_ecn                 1507  0 
ipt_ECN                 1955  0 
ipt_LOG                 5845  1 
ipt_MASQUERADE          2466  2 
ipt_NETMAP              1832  0 
ipt_REDIRECT            1840  0 
ipt_REJECT              2383  4 
ipt_ULOG               10765  0 
nf_conntrack           79453  35 xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_conntrack_snmp,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_udplite,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_broadcast,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
nf_conntrack_amanda     2979  1 nf_nat_amanda
nf_conntrack_broadcast     1471  2 nf_conntrack_snmp,nf_conntrack_netbios_ns
nf_conntrack_ftp       12913  1 nf_nat_ftp
nf_conntrack_h323      67696  1 nf_nat_h323
nf_conntrack_ipv4       9506  22 iptable_nat,nf_nat
nf_conntrack_ipv6       8748  2 
nf_conntrack_irc        5530  1 nf_nat_irc
nf_conntrack_netbios_ns     1323  0 
nf_conntrack_netlink    17264  0 
nf_conntrack_pptp      12166  1 nf_nat_pptp
nf_conntrack_proto_gre     7195  1 nf_conntrack_pptp
nf_conntrack_proto_sctp    12482  0 
nf_conntrack_proto_udplite     3348  0 
nf_conntrack_sane       5716  0 
nf_conntrack_sip       19359  1 nf_nat_sip
nf_conntrack_snmp       1651  1 nf_nat_snmp_basic
nf_conntrack_tftp       4878  1 nf_nat_tftp
nf_defrag_ipv4          1483  2 xt_TPROXY,nf_conntrack_ipv4
nf_defrag_ipv6         12182  2 xt_TPROXY,nf_conntrack_ipv6
nf_nat                 22726  12 ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,iptable_nat
nf_nat_amanda           1277  0 
nf_nat_ftp              3507  0 
nf_nat_h323             8830  0 
nf_nat_irc              1883  0 
nf_nat_pptp             4653  0 
nf_nat_proto_gre        3028  1 nf_nat_pptp
nf_nat_sip              6171  0 
nf_nat_snmp_basic       8822  0 
nf_nat_tftp              987  0 
nf_tproxy_core          1460  1 xt_TPROXY,[permanent]
xt_AUDIT                3064  0 
xt_CHECKSUM             1303  0 
xt_CLASSIFY             1069  0 
xt_comment              1034  9 
xt_connlimit            3430  0 
xt_connmark             1347  0 
xt_CONNMARK             1507  0 
xt_conntrack            2776  19 
xt_dccp                 2215  0 
xt_dscp                 1831  0 
xt_DSCP                 2279  0 
xt_hashlimit            9781  0 
xt_helper               1497  0 
xt_iprange              2312  0 
xt_length               1322  0 
xt_limit                2182  0 
xt_mac                  1118  0 
xt_mark                 1057  0 
xt_MARK                 1057  8 
xt_multiport            2700  16 
xt_NFLOG                1195  0 
xt_NFQUEUE              2186  0 
xt_owner                1252  0 
xt_physdev              1741  0 
xt_pkttype              1194  0 
xt_policy               2616  0 
xt_realm                1060  0 
xt_recent               7932  0 
xt_sctp                 2508  0 
xt_set                  4032  0 
xt_state                1492  2 
xt_statistic            1652  0 
xt_tcpmss               1607  0 
xt_TCPMSS               3445  0 
xt_time                 2183  0 
xt_TPROXY               8976  0 

Shorewall has detected the following iptables/netfilter capabilities:
   ACCOUNT Target (ACCOUNT_TARGET): Not available
   Address Type Match (ADDRTYPE): Available
   Amanda Helper: Available
   Arptables JF: Not available
   AUDIT Target (AUDIT_TARGET): Available
   Basic Filter (BASIC_FILTER): Available
   Capabilities Version (CAPVERSION): 40515
   Checksum Target: Available
   CLASSIFY Target (CLASSIFY_TARGET): Available
   Comments (COMMENTS): Available
   Condition Match (CONDITION_MATCH): Not available
   Connection Tracking Match (CONNTRACK_MATCH): Available
   Connlimit Match (CONNLIMIT_MATCH): Available
   Connmark Match (CONNMARK_MATCH): Available
   CONNMARK Target (CONNMARK): Available
   CT Target (CT_TARGET): Not available
   DSCP Match (DSCP_MATCH): Available
   DSCP Target (DSCP_TARGET): Available
   Enhanced Multi-port Match (EMULIPORT): Available
   Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
   Extended Connmark Match (XCONNMARK_MATCH): Available
   Extended CONNMARK Target (XCONNMARK): Available
   Extended MARK Target 2 (EXMARK): Available
   Extended MARK Target (XMARK): Available
   Extended Multi-port Match (XMULIPORT): Available
   Extended REJECT (ENHANCED_REJECT): Available
   FLOW Classifier (FLOW_FILTER): Available
   FTP-0 Helper: Not available
   FTP Helper: Available
   fwmark route mask (FWMARK_RT_MASK): Available
   Geo IP match: Not available
   Goto Support (GOTO_TARGET): Available
   H323 Helper: Available
   Hashlimit Match (HASHLIMIT_MATCH): Available
   Header Match (HEADER_MATCH): Not available
   Helper Match (HELPER_MATCH): Available
   IMQ Target (IMQ_TARGET): Not available
   IPMARK Target (IPMARK_TARGET): Not available
   IPP2P Match (IPP2P_MATCH): Not available
   IP range Match(IPRANGE_MATCH): Available
   ipset V5 (IPSET_V5): Not available
   iptables -S (IPTABLES_S): Available
   IRC-0 Helper: Not available
   IRC Helper: Available
   Kernel Version (KERNELVERSION): 20632
   LOGMARK Target (LOGMARK_TARGET): Not available
   LOG Target (LOG_TARGET): Available
   Mangle FORWARD Chain (MANGLE_FORWARD): Available
   Mark in any table (MARK_ANYWHERE): Available
   MARK Target (MARK): Available
   MASQUERADE Target: Available
   Multi-port Match (MULTIPORT): Available
   NAT (NAT_ENABLED): Available
   Netbios_ns Helper: Not available
   New tos Match: Available
   NFAcct match: Not available
   NFLOG Target (NFLOG_TARGET): Available
   NFQUEUE Target (NFQUEUE_TARGET): Available
   Owner Match (OWNER_MATCH): Available
   Owner Name Match (OWNER_NAME_MATCH): Available
   Packet length Match (LENGTH_MATCH): Available
   Packet Mangling (MANGLE_ENABLED): Available
   Packet Type Match (USEPKTTYPE): Available
   Persistent SNAT (PERSISTENT_SNAT): Available
   Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
   Physdev Match (PHYSDEV_MATCH): Available
   Policy Match (POLICY_MATCH): Available
   PPTP Helper: Available
   Rawpost Table (RAWPOST_TABLE): Not available
   Raw Table (RAW_TABLE): Available
   Realm Match (REALM_MATCH): Available
   Recent Match (RECENT_MATCH): Available
   Repeat match (KLUDGEFREE): Available
   RPFilter match: Not available
   SANE-0 Helper: Not available
   SANE Helper: Available
   SIP-0 Helper: Not available
   SIP Helper: Available
   SNMP Helper: Available
   Statistic Match (STATISTIC_MATCH): Available
   TCPMSS Match (TCPMSS_MATCH): Available
   TFTP-0 Helper: Not available
   TFTP Helper: Available
   Time Match (TIME_MATCH): Available
   TPROXY Target (TPROXY_TARGET): Available
   UDPLITE Port Redirection: Not available
   ULOG Target (ULOG_TARGET): Available

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      2295/mysqld         
tcp        0      0 0.0.0.0:52394               0.0.0.0:*                   LISTEN      1472/rpc.statd      
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1454/rpcbind        
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      2170/vsftpd         
tcp        0      0 192.168.100.254:53          0.0.0.0:*                   LISTEN      1431/named          
tcp        0      0 10.110.0.227:53             0.0.0.0:*                   LISTEN      1431/named          
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      1431/named          
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2143/sshd           
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2465/master         
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      1431/named          
tcp        0      0 :::111                      :::*                        LISTEN      1454/rpcbind        
tcp        0      0 :::80                       :::*                        LISTEN      2505/httpd          
tcp        0      0 :::42645                    :::*                        LISTEN      1472/rpc.statd      
tcp        0      0 :::22                       :::*                        LISTEN      2143/sshd           
tcp        0      0 ::1:953                     :::*                        LISTEN      1431/named          
tcp        0      0 :::443                      :::*                        LISTEN      2505/httpd          
tcp        0      0 :::540                      :::*                        LISTEN      2151/xinetd         
udp        0      0 0.0.0.0:781                 0.0.0.0:*                               1454/rpcbind        
udp        0      0 0.0.0.0:783                 0.0.0.0:*                               1365/portreserve    
udp        0      0 0.0.0.0:800                 0.0.0.0:*                               1472/rpc.statd      
udp        0      0 192.168.100.254:53          0.0.0.0:*                               1431/named          
udp        0      0 10.110.0.227:53             0.0.0.0:*                               1431/named          
udp        0      0 127.0.0.1:53                0.0.0.0:*                               1431/named          
udp        0      0 0.0.0.0:58168               0.0.0.0:*                               1539/avahi-daemon   
udp        0      0 0.0.0.0:69                  0.0.0.0:*                               2151/xinetd         
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               1539/avahi-daemon   
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               1454/rpcbind        
udp        0      0 0.0.0.0:54261               0.0.0.0:*                               1472/rpc.statd      
udp        0      0 0.0.0.0:631                 0.0.0.0:*                               1365/portreserve    
udp        0      0 10.110.0.227:123            0.0.0.0:*                               2159/ntpd           
udp        0      0 127.0.0.1:123               0.0.0.0:*                               2159/ntpd           
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               2159/ntpd           
udp        0      0 :::781                      :::*                                    1454/rpcbind        
udp        0      0 :::111                      :::*                                    1454/rpcbind        
udp        0      0 :::34800                    :::*                                    1472/rpc.statd      
udp        0      0 fe80::225:90ff:fe6c:3807:123 :::*                                    2159/ntpd           
udp        0      0 fe80::225:90ff:fe6c:3806:123 :::*                                    2159/ntpd           
udp        0      0 ::1:123                     :::*                                    2159/ntpd           
udp        0      0 :::123                      :::*                                    2159/ntpd           

Traffic Control

Device eth0:
qdisc prio 1: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 1214 bytes 13 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 
qdisc sfq 11: parent 1:1 limit 127p quantum 1875b flows 127/1024 perturb 10sec 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 
qdisc sfq 12: parent 1:2 limit 127p quantum 1875b flows 127/1024 perturb 10sec 
 Sent 444 bytes 6 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 
qdisc sfq 13: parent 1:3 limit 127p quantum 1875b flows 127/1024 perturb 10sec 
 Sent 770 bytes 7 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 

class prio 1:1 parent 1: leaf 11: 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 
class prio 1:2 parent 1: leaf 12: 
 Sent 444 bytes 6 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 
class prio 1:3 parent 1: leaf 13: 
 Sent 770 bytes 7 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0 

Device eth1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 125190 bytes 757 pkt (dropped 0, overlimits 0 requeues 0) 
 rate 0bit 0pps backlog 0b 0p requeues 0 

TC Filters

Device eth0:
filter parent 1: protocol all pref 1 u32 
filter parent 1: protocol all pref 1 u32 fh 800: ht divisor 1 
filter parent 1: protocol all pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1  (rule hit 13 success 0)
  match 00060000/00ff0000 at 8 (success 0 ) 
  match 05000000/0f00ffc0 at 0 (success 0 ) 
  match 00100000/00ff0000 at 32 (success 0 ) 
filter parent 1: protocol all pref 1 u32 fh 800::801 order 2049 key ht 800 bkt 0 flowid 1:1  (rule hit 13 success 0)
  match 00000600/0000ff00 at 4 (success 0 ) 
  match 05000000/0f00ffc0 at 0 (success 0 ) 
  match 00100000/00ff0000 at 32 (success 0 ) 
filter parent 1: protocol all pref 17 fw 
filter parent 1: protocol all pref 17 fw handle 0x1 classid 1:1 
filter parent 1: protocol all pref 18 fw 
filter parent 1: protocol all pref 18 fw handle 0x2 classid 1:2 
filter parent 1: protocol all pref 19 fw 
filter parent 1: protocol all pref 19 fw handle 0x3 classid 1:3 

Device eth1:

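The Conntrack Table section of the dump above is the part worth reading first when a firewall misbehaves: 52 entries, nearly all of them [UNREPLIED] broadcast or multicast flows (NetBIOS name service on 137, mDNS to 224.0.0.251, DHCP, IGMP) that will never see a reply and simply occupy slots until their timeout runs out, plus a handful of [ASSURED] NTP and UDP flows whose reply tuple carries the masqueraded address. The following script is an added example, not Shorewall's code and not from the post: it parses `/proc/net/nf_conntrack`-style lines as they appear in `shorewall dump`, rejoins entries that the mail archive wrapped onto a second line, tells original from reply direction, flags NATed flows, and counts what kind of traffic is filling the table. The sample lines are copied from the dump above; the bucket names are my own.

```python
"""Summarise the Conntrack Table section of a 'shorewall dump'.

Added example, not Shorewall's code: it reads the 'ipv4 2 udp 17 165 src=...'
lines that /proc/net/nf_conntrack prints, rejoins entries that a mail client or
archive wrapped onto two lines, and counts what is occupying the table.
"""
import ipaddress
import re
import sys
from collections import Counter

# Sample lines copied from the Conntrack Table in the dump above. The archive
# wrapped two of them onto a second line, exactly as shown there.
SAMPLE_DUMP = """\
ipv4     2 udp      17 165 src=10.110.0.227 dst=173.255.246.13 sport=123 dport=123 src=173.255.246.13
dst=10.110.0.227 sport=123 dport=123 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 unknown  2 583 src=192.168.1.254 dst=224.0.0.251 [UNREPLIED] src=224.0.0.251
dst=192.168.1.254 mark=0 secmark=0 use=2
ipv4     2 udp      17 27 src=192.168.128.100 dst=255.255.255.255 sport=67 dport=68 [UNREPLIED] src=255.255.255.255 dst=192.168.128.100 sport=68 dport=67 mark=0 secmark=0 use=2
ipv4     2 udp      17 47 src=192.168.200.10 dst=199.27.105.109 sport=6010 dport=3478 src=199.27.105.109 dst=10.110.0.227 sport=3478 dport=6010 [ASSURED] mark=0 secmark=0 use=2
"""

# "<l3proto> <l3num> <l4proto> <l4num> <timeout> <tuples and flags>"
ENTRY_START = re.compile(r"^ipv[46]\s+\d+\s+(\S+)\s+(\d+)\s+(\d+)\s+(.*)$")
# A wrapped continuation line begins with a key=value token or a [FLAG].
CONTINUATION = re.compile(r"^\s*(?:\S+=|\[)")


def rejoin_wrapped(text):
    """Return one string per conntrack entry, rejoining wrapped continuation lines.
    Lines from other dump sections (headings, 'ip addr' output, ...) are ignored."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line):
            entries.append(line.rstrip())
        elif entries and CONTINUATION.match(line):
            entries[-1] += " " + line.strip()
    return entries


def parse_entry(line):
    """Split one entry into protocol, timeout, flags and the two direction tuples.

    src/dst/sport/dport appear twice: the first set is the original direction,
    the second is the expected reply. When the reply's dst differs from the
    original src the connection is being NATed (MASQUERADE/SNAT)."""
    m = ENTRY_START.match(line)
    if not m:
        raise ValueError("not a conntrack entry: %r" % line)
    proto, proto_num, timeout, rest = m.groups()
    orig, reply, meta, flags = {}, {}, {}, []
    for tok in rest.split():
        if tok.startswith("["):
            flags.append(tok.strip("[]"))
            continue
        key, _, value = tok.partition("=")
        if key in ("src", "dst", "sport", "dport"):
            (orig if key not in orig else reply)[key] = value
        else:
            meta[key] = value
    return {
        "proto": proto,
        "proto_num": int(proto_num),
        "timeout": int(timeout),
        "flags": flags,
        "orig": orig,
        "reply": reply,
        "meta": meta,
        "nat": orig.get("src") != reply.get("dst"),
    }


def classify(entry):
    """Bucket an entry by what it says about the table's health."""
    dst = ipaddress.ip_address(entry["orig"]["dst"])
    if dst.is_multicast or dst == ipaddress.ip_address("255.255.255.255"):
        # Nobody replies to broadcast/multicast; these sit in the table until
        # their timeout expires and can crowd out real flows on a busy LAN.
        return "bcast-mcast"
    if "ASSURED" in entry["flags"]:
        return "assured"
    if "UNREPLIED" in entry["flags"]:
        return "unreplied-unicast"
    return "seen-reply"


def summarize(text):
    """Count entries per (protocol, class); keys are e.g. ('udp', 'assured')."""
    counts = Counter()
    for line in rejoin_wrapped(text):
        entry = parse_entry(line)
        counts[(entry["proto"], classify(entry))] += 1
    return counts


if __name__ == "__main__":
    # Usage: shorewall dump | python3 ct_summary.py   (or pass a saved dump file)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    for (proto, kind), n in sorted(summarize(source.read()).items()):
        print("%-8s %-18s %d" % (proto, kind, n))
```

Feeding it a whole `shorewall dump` is fine: only lines that look like conntrack entries (or their wrapped continuations) are consumed, so the netstat, routing and tc sections are skipped. A large `unreplied-unicast` bucket is the number to watch on an Internet-facing box, since it is the shape a scan or a flood leaves behind; a large `bcast-mcast` bucket is normally just chatty LAN protocols and a reason to stop tracking them.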
------------------------------------------------------------------------------
Bill Shirley | 23 Dec 11:21 2015

Suggestion for rules ipset ADD

I have a rule to add addresses to an ipset defined:
ipset -exist create IpPort3600 hash:ip,port timeout 3600
ipset -exist create IpOneDay hash:ip timeout 86400

in /etc/shorewall/rules:
ADD(+IpPort3600:src,dst):notice:ADD,IpPort3600 inet    fw      tcp,udp domain
ADD(+IpOneDay:src):info:ADD,IpOneDay        inet    fw      tcp     mysql

My suggestion is to allow ADD to specify a timeout value:
ADD(+IpPort3600:src,dst,@600):notice:ADD,IpPort3600    inet    fw      tcp,udp domain
and thus set a 10 minute timeout (600) instead of the default one-hour timeout (3600).

Also:
ADD(+IpOneDay:src,@14400):info:ADD,IpOneDay,14400    inet    fw      tcp     mysql

[0:root@elmo shorewall]$ rpm -q shorewall
shorewall-4.6.11.1-2.fc22.noarch

The 3600 in the name reminds me that the timeout is 3600.  If I could specify the
timeout in the rule ADD I would rename that ipset and could vary the timeout
in the rules:
ADD(+IpPort:src,dst,600):notice:ADD,IpPort,600 inet    fw      tcp,udp domain

And rename IpOneDay to Ip:
ADD(+Ip:src,@14400):info:ADD,Ip,14400            inet    fw      tcp     mysql
ADD(+Ip:src,@86400):info:ADD,Ip,86400            inet    fw      tcp     ssh

Bill
PS. Many thanks to Tom et al. for Shorewall.

------------------------------------------------------------------------------
matt darfeuille | 18 Dec 19:25 2015

shorewall init openwrt

Hi,

From what I understand shorewall init won't work on openwrt!

So I'm looking for an alternative way to 'close' the firewall before 
networking is brought up.

Could simply using an init script that would 'close' the firewall 
before starting networking be a solution?

Any other ideas for closing the firewall before the network 
interfaces are brought up during boot?

-Matt

------------------------------------------------------------------------------
Norman Henderson | 17 Dec 07:22 2015

maintaining a provider in disabled state until wanted

Hello friends,

The multi-provider structure seems to work fine when it's really being used for links to multiple ISPs of relatively stable quality. It's problematic when the ISPs are unstable (I am in Africa), mostly because failures aren't directly detectable: usually there is a break, or a major slowdown, somewhere upstream in the ISP's network.

It has become very complicated because we also have several sites connected by links that aren't always reliable (OpenVPN tunnels over said unreliable ISPs; even our WiFi links go down sometimes).

The cleanest solution seems to be to manually disable/enable providers as needed (or use a monitoring tool to do so). However, the question:

Is there a clean way to mark a provider so that it will NOT be enabled upon shorewall (re)start? I guess I could do it in an extension script but that is a bit of a hack.

Input welcome!

------------------------------------------------------------------------------
Norman Henderson | 17 Dec 07:06 2015

Issue with shorewall iptrace - resolved - others beware

I tore my hair out for several days because, although shorewall iptrace produced the appropriate rules as shown by iptables -n -t raw -L PREROUTING and iptables -n -t raw -L POSTROUTING, nothing was recorded in /var/log/kern.log.

It turned out that my system (Ubuntu 14.04.1 LTS, kernel 3.16.0-51) had the value ipt_ULOG in /proc/net/netfilter/nf_log line 2. This can be seen/changed through sysctl.

I didn't have time to figure out how ULOG works and how to make it work, so the simplest solution was to run sysctl net.netfilter.nf_log.2=ipt_LOG.

Perhaps this will be of use to someone else, and perhaps someone can add a comment about a better solution that will be permanent. This sysctl setting has to be repeated after reboots.
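The check that would have saved those several days is a mechanical one: `/proc/net/netfilter/nf_log` lists, per protocol family, which logger is active and which are registered, one line of the form `<pf> <active> (<registered,...>)`, and packet tracing for a family goes through that family's active logger. Below is an added example (not Norman's script, and not part of Shorewall) that parses that file, reports whether the IPv4 logger is one that prints to the kernel log, and spells out the same `sysctl net.netfilter.nf_log.2=ipt_LOG` fix the post used when ipt_LOG is registered but not active. The sample file content is constructed to match what the post describes (ULOG active for family 2 while ipt_LOG is also registered); the set of "prints to the kernel log" logger names is my own.

```python
"""Check which netfilter logger backs IPv4 LOG/TRACE output.

Added example, not part of the post: parses /proc/net/netfilter/nf_log, whose
lines read '<pf> <active logger> (<registered loggers>)', and reports whether
the active IPv4 logger prints to the kernel log at all. The module names are
the ones from the post (ipt_ULOG, ipt_LOG); the sample text is constructed.
"""
import re
import sys

AF_INET = 2     # "line 2" in the post: the IPv4 protocol family
AF_INET6 = 10

# Loggers that emit via printk, so their output lands in dmesg/kern.log.
# ipt_LOG/ip6t_LOG are the names on the post's kernel; nf_log_ipv4/ipv6 and
# nf_log_syslog are the later names for the same thing (my list, an assumption).
KERNEL_LOG_LOGGERS = {"ipt_LOG", "ip6t_LOG", "nf_log_ipv4", "nf_log_ipv6", "nf_log_syslog"}

# Constructed to match the post: ULOG active for pf 2 while ipt_LOG is registered too.
SAMPLE_NF_LOG = """\
 0 NONE ()
 1 NONE ()
 2 ipt_ULOG (ipt_ULOG,ipt_LOG,)
 3 NONE ()
10 ip6t_LOG (ip6t_LOG,)
"""

NF_LOG_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]*)\)\s*$")


def parse_nf_log(text):
    """Map protocol family -> (active logger, [registered loggers])."""
    table = {}
    for line in text.splitlines():
        m = NF_LOG_LINE.match(line)
        if m:
            pf, active, registered = int(m.group(1)), m.group(2), m.group(3)
            table[pf] = (active, [n for n in registered.split(",") if n])
    return table


def diagnose(text, pf=AF_INET, wanted="ipt_LOG"):
    """Say whether LOG/TRACE output for this family will reach the kernel log,
    and which sysctl (the one from the post) would switch to the wanted logger."""
    active, registered = parse_nf_log(text).get(pf, ("NONE", []))
    ok = active in KERNEL_LOG_LOGGERS
    return {
        "active": active,
        "registered": registered,
        "kernel_log_expected": ok,
        # The sysctl can only select a logger whose module is already registered.
        "fix": None if ok or wanted not in registered
               else "sysctl net.netfilter.nf_log.%d=%s" % (pf, wanted),
    }


def read_proc(path="/proc/net/netfilter/nf_log"):
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    # Usage: python3 nf_log_check.py            (reads /proc on the firewall)
    #        python3 nf_log_check.py saved.txt  (a copied nf_log file)
    text = read_proc() if len(sys.argv) < 2 else open(sys.argv[1]).read()
    for pf, wanted in ((AF_INET, "ipt_LOG"), (AF_INET6, "ip6t_LOG")):
        d = diagnose(text, pf=pf, wanted=wanted)
        print("pf %2d: active=%-10s registered=%-22s kernel log: %s%s" % (
            pf, d["active"], ",".join(d["registered"]),
            "yes" if d["kernel_log_expected"] else "NO",
            "   -> " + d["fix"] if d["fix"] else ""))
```

On the system described in the post this prints `NO` for pf 2 together with the sysctl line. For a setting that survives reboots the usual place is a drop-in under `/etc/sysctl.d/`, with the caveat that the `net.netfilter.nf_log.2` key only exists once the logger modules are loaded, so whether an early sysctl pass sees it depends on the boot order of that particular box, which the post does not establish.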
------------------------------------------------------------------------------