[prev in list] [next in list] [prev in thread] [next in thread]
List: leaf-user
Subject: [leaf-user] Subnets
From: "S. Keel" <sakeel () u ! washington ! edu>
Date: 2003-11-29 21:40:30
[Download RAW message or body]
Hey everyone,
I have setup my bering 1.1 firewall with 3 NICs, one for external (eth0)
and the other two for a couple of small Windows Workgroups. Here's the
setup for the internal interfaces:
eth1 = wkgrp1 (192.168.1.0/24)
eth2 = wkgrp2 (192.168.2.0/24)
This seems to be working okay. I can get out from both subnets, resolv
names with dnscache, etc; but I can't see a host from one subnet to the
other. In other words, if I ping a host on wkgrp2 from a host on wkgrp1,
I get a "destination port unreachable" response. However, if I ping
192.168.2.254 from a host on wkgrp1, or 192.168.1.254 from a host on
wkgrp2, I get a response.
In shorewall, didn't define an additional zone for the second subnet, just
adding it to the existing loc subnet.
The following is the output from...
ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:50:da:5a:1f:71 brd ff:ff:ff:ff:ff:ff
inet 140.142.207.130/24 brd 255.255.255.255 scope global eth0
inet 140.142.207.131/24 brd 255.255.255.255 scope global secondary eth0
inet 140.142.207.136/24 brd 255.255.255.255 scope global secondary eth0
inet 140.142.207.137/24 brd 255.255.255.255 scope global secondary eth0
inet 140.142.207.139/24 brd 255.255.255.255 scope global secondary eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:09:5b:1b:81:0e brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:09:5b:1b:80:24 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.254/24 brd 192.168.1.255 scope global eth2
ip route show
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
140.142.207.0/24 dev eth0 proto kernel scope link src 140.142.207.130
default via 140.142.207.100 dev eth0
shorewall status
Shorewall-1.4.2 Status at vilgw - Sat Nov 29 14:27:28 UTC 2003
Counters reset Sat Nov 29 14:05:49 UTC 2003
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 \
state INVALID 3 238 ACCEPT all -- lo * 0.0.0.0/0 \
0.0.0.0/0 205 21474 eth0_in all -- eth0 * 0.0.0.0/0 \
0.0.0.0/0 1043 73946 eth1_in all -- eth1 * 0.0.0.0/0 \
0.0.0.0/0 29 4221 eth2_in all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 \
LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:' 0 0 reject all -- * \
* 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 \
state INVALID 2646 427K eth0_fwd all -- eth0 * 0.0.0.0/0 \
0.0.0.0/0 4627 374K eth1_fwd all -- eth1 * 0.0.0.0/0 \
0.0.0.0/0 48 5040 eth2_fwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 \
LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:' 0 0 reject all -- * \
* 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 \
state INVALID 3 238 ACCEPT all -- * lo 0.0.0.0/0 \
0.0.0.0/0 58 4387 fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
757 137K fw2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
50 6516 fw2loc all -- * eth2 0.0.0.0/0 0.0.0.0/0
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 \
LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:' 0 0 reject all -- * \
* 0.0.0.0/0 0.0.0.0/0
Chain all2all (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 \
state RELATED,ESTABLISHED 0 0 newnotsyn tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 state NEW tcp flags:!0x16/0x02 131 16399 common all -- * \
* 0.0.0.0/0 0.0.0.0/0 52 5280 LOG all -- * * \
0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix \
`Shorewall:all2all:REJECT:' 52 5280 reject all -- * * 0.0.0.0/0 \
0.0.0.0/0
Chain common (5 references)
pkts bytes target prot opt in out source destination
102 3768 icmpdef icmp -- * * 0.0.0.0/0 0.0.0.0/0
128 15402 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 \
udp dpts:137:139 0 0 reject udp -- * * 0.0.0.0/0 \
0.0.0.0/0 udp dpt:445 0 0 reject tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 tcp dpt:139 0 0 reject tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 tcp dpt:445 0 0 reject tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 tcp dpt:135 0 0 DROP udp -- * * 0.0.0.0/0 \
0.0.0.0/0 udp dpt:1900 0 0 DROP all -- * * 0.0.0.0/0 \
255.255.255.255 0 0 DROP all -- * * 0.0.0.0/0 \
224.0.0.0/4 0 0 reject tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 tcp dpt:113 0 0 DROP udp -- * * 0.0.0.0/0 \
0.0.0.0/0 udp spt:53 state NEW 0 0 DROP all -- * * \
0.0.0.0/0 255.255.255.255 0 0 DROP all -- * * \
0.0.0.0/0 192.168.1.255 0 0 DROP all -- * * \
0.0.0.0/0 192.168.1.255
Chain dynamic (6 references)
pkts bytes target prot opt in out source destination
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source destination
2646 427K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
14 1418 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 \
state NEW 2642 427K net2loc all -- * eth1 0.0.0.0/0 \
0.0.0.0/0 4 638 net2loc all -- * eth2 0.0.0.0/0 0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source destination
205 21474 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
65 4765 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 \
state NEW 205 21474 net2fw all -- * * 0.0.0.0/0 \
0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source destination
4627 374K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
4623 374K loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 loc2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
4 240 loc2loc all -- * eth2 0.0.0.0/0 0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source destination
1043 73946 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
1043 73946 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
48 5040 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 loc2net all -- * eth0 0.0.0.0/0 0.0.0.0/0
48 5040 loc2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 loc2loc all -- * eth2 0.0.0.0/0 0.0.0.0/0
Chain eth2_in (1 references)
pkts bytes target prot opt in out source destination
29 4221 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
29 4221 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2loc (2 references)
pkts bytes target prot opt in out source destination
807 144K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 \
state RELATED,ESTABLISHED 0 0 newnotsyn tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 state NEW tcp flags:!0x16/0x02 0 0 ACCEPT icmp -- * \
* 0.0.0.0/0 0.0.0.0/0 icmp type 8 0 0 all2all all \
-- * * 0.0.0.0/0 0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
16 1696 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 \
state RELATED,ESTABLISHED 0 0 newnotsyn tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 state NEW tcp flags:!0x16/0x02 0 0 ACCEPT tcp -- * \
* 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53 42 2691 ACCEPT \
udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53 \
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 \
icmp type 8 0 0 all2all all -- * * 0.0.0.0/0 \
0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source destination
Chain loc2fw (2 references)
pkts bytes target prot opt in out source destination
985 66552 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 \
state RELATED,ESTABLISHED 0 0 newnotsyn tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 state NEW tcp flags:!0x16/0x02 3 196 ACCEPT udp -- * \
* 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53 4 240 ACCEPT \
icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 0 0 \
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW \
tcp dpt:80 1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 \
state NEW tcp dpt:22 79 11119 all2all all -- * * 0.0.0.0/0 \
0.0.0.0/0
Chain loc2loc (4 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 \
state RELATED,ESTABLISHED 0 0 newnotsyn tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 state NEW tcp flags:!0x16/0x02 0 0 ACCEPT tcp -- * \
* 0.0.0.0/0 192.168.1.18 state NEW tcp dpt:80 0 0 ACCEPT \
tcp -- * * 0.0.0.0/0 192.168.1.18 state NEW tcp dpt:22 \
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.2 \
state NEW tcp dpt:22 52 5280 all2all all -- * * 0.0.0.0/0 \
0.0.0.0/0
Chain loc2net (2 references)
pkts bytes target prot opt in out source destination
4567 370K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 \
state RELATED,ESTABLISHED 16 1600 newnotsyn tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 state NEW tcp flags:!0x16/0x02 40 2400 ACCEPT all -- * \
* 0.0.0.0/0 0.0.0.0/0
Chain logdrop (30 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 \
LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:' 0 0 DROP all -- * \
* 0.0.0.0/0 0.0.0.0/0
Chain net2all (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 \
state RELATED,ESTABLISHED 0 0 newnotsyn tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 state NEW tcp flags:!0x16/0x02 177 9711 common all -- * \
* 0.0.0.0/0 0.0.0.0/0 128 5428 LOG all -- * * \
0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix \
`Shorewall:net2all:DROP:' 128 5428 DROP all -- * * 0.0.0.0/0 \
0.0.0.0/0
Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
42 13181 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 \
state RELATED,ESTABLISHED 0 0 newnotsyn tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 state NEW tcp flags:!0x16/0x02 0 0 ACCEPT icmp -- * \
* 0.0.0.0/0 0.0.0.0/0 icmp type 8 163 8293 net2all all \
-- * * 0.0.0.0/0 0.0.0.0/0
Chain net2loc (2 references)
pkts bytes target prot opt in out source destination
2632 426K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 \
state RELATED,ESTABLISHED 0 0 newnotsyn tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 state NEW tcp flags:!0x16/0x02 0 0 ACCEPT icmp -- * \
* 0.0.0.0/0 192.168.1.18 icmp type 8 0 0 ACCEPT icmp \
-- * * 0.0.0.0/0 192.168.1.20 icmp type 8 0 0 \
ACCEPT icmp -- * * 0.0.0.0/0 192.168.1.2 icmp type \
8 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.18 \
state NEW tcp dpt:80 0 0 ACCEPT tcp -- * * 0.0.0.0/0 \
192.168.1.18 state NEW tcp dpt:22 0 0 ACCEPT tcp -- * * \
0.0.0.0/0 192.168.1.18 state NEW tcp dpt:21 0 0 ACCEPT tcp \
-- * * 0.0.0.0/0 192.168.1.18 state NEW tcp \
dpts:5000:6000 0 0 ACCEPT tcp -- * * 0.0.0.0/0 \
192.168.1.2 state NEW tcp dpt:22 0 0 ACCEPT udp -- * * \
128.95.48.15 192.168.1.20 state NEW udp dpt:111 0 0 ACCEPT tcp \
-- * * 128.95.48.15 192.168.1.20 state NEW tcp dpt:111 0 \
0 ACCEPT udp -- * * 128.95.48.15 192.168.1.20 state \
NEW udp dpt:1023 0 0 ACCEPT udp -- * * 128.95.48.15 \
192.168.1.20 state NEW udp dpt:2049 0 0 ACCEPT tcp -- * * \
12.235.186.124 192.168.2.12 state NEW tcp dpt:21 0 0 ACCEPT tcp \
-- * * 12.235.186.124 192.168.2.12 state NEW tcp dpt:3389 14 \
1418 net2all all -- * * 0.0.0.0/0 0.0.0.0/0
Chain newnotsyn (9 references)
pkts bytes target prot opt in out source destination
16 1600 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject (10 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 \
reject-with tcp-reset 180 20682 REJECT all -- * * 0.0.0.0/0 \
0.0.0.0/0 reject-with icmp-port-unreachable
Chain rfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 169.254.0.0/16 0.0.0.0/0
0 0 logdrop all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 logdrop all -- * * 192.0.2.0/24 0.0.0.0/0
0 0 logdrop all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 2.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 5.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 7.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 23.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 27.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 31.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 36.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 39.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 41.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 42.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 49.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 50.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 58.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 60.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 70.0.0.0/7 0.0.0.0/0
0 0 logdrop all -- * * 72.0.0.0/5 0.0.0.0/0
0 0 logdrop all -- * * 83.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 84.0.0.0/6 0.0.0.0/0
0 0 logdrop all -- * * 88.0.0.0/5 0.0.0.0/0
0 0 logdrop all -- * * 96.0.0.0/3 0.0.0.0/0
0 0 logdrop all -- * * 127.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 197.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 198.18.0.0/15 0.0.0.0/0
0 0 logdrop all -- * * 201.0.0.0/8 0.0.0.0/0
0 0 logdrop all -- * * 240.0.0.0/4 0.0.0.0/0
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
Nov 29 14:25:31 net2all:DROP:IN=eth0 OUT= SRC�0.142.207.100 DST�0.142.207.255 LEN6 \
TOS=0x00 PREC=0x00 TTL%5 ID9242 PROTO=ICMP TYPE=9 CODE=0 Nov 29 14:25:46 \
net2all:DROP:IN=eth0 OUT= SRC�0.142.207.100 DST�0.142.207.255 LEN6 TOS=0x00 PREC=0x00 \
TTL%5 ID9246 PROTO=ICMP TYPE=9 CODE=0 Nov 29 14:25:54 all2all:REJECT:IN=eth2 OUT=eth1 \
SRC�2.168.2.21 DST�2.168.1.1 LEN�5 TOS=0x00 PREC=0x00 TTL�7 ID73 PROTO=UDP SPT�27 \
DPT�1 LEN… Nov 29 14:25:54 all2all:REJECT:IN=eth2 OUT=eth1 SRC�2.168.2.24 \
DST�2.168.1.1 LEN�5 TOS=0x00 PREC=0x00 TTL�7 IDi5 PROTO=UDP SPT�26 DPT�1 LEN… Nov 29 \
14:25:57 net2all:DROP:IN=eth0 OUT= SRC�0.142.207.45 DST�0.142.207.255 LEN@ TOS=0x00 \
PREC=0x00 TTL0 ID�394 PROTO=UDP SPT�40 DPT#01 LEN Nov 29 14:25:58 \
net2all:DROP:IN=eth0 OUT= SRC�0.142.207.100 DST�0.142.207.255 LEN6 TOS=0x00 PREC=0x00 \
TTL%5 ID9249 PROTO=ICMP TYPE=9 CODE=0 Nov 29 14:26:00 all2all:REJECT:IN=eth2 OUT=eth1 \
SRC�2.168.2.24 DST�2.168.1.1 LEN�5 TOS=0x00 PREC=0x00 TTL�7 IDi6 PROTO=UDP SPT�26 \
DPT�1 LEN… Nov 29 14:26:01 all2all:REJECT:IN=eth2 OUT=eth1 SRC�2.168.2.21 \
DST�2.168.1.1 LEN�5 TOS=0x00 PREC=0x00 TTL�7 ID74 PROTO=UDP SPT�27 DPT�1 LEN… Nov 29 \
14:26:06 all2all:REJECT:IN=eth2 OUT=eth1 SRC�2.168.2.24 DST�2.168.1.1 LEN�5 TOS=0x00 \
PREC=0x00 TTL�7 IDi7 PROTO=UDP SPT�26 DPT�1 LEN… Nov 29 14:26:07 \
all2all:REJECT:IN=eth2 OUT=eth1 SRC�2.168.2.21 DST�2.168.1.1 LEN�5 TOS=0x00 PREC=0x00 \
TTL�7 ID75 PROTO=UDP SPT�27 DPT�1 LEN… Nov 29 14:26:10 net2all:DROP:IN=eth0 OUT= \
SRC�0.142.207.100 DST�0.142.207.255 LEN6 TOS=0x00 PREC=0x00 TTL%5 ID9254 PROTO=ICMP \
TYPE=9 CODE=0 Nov 29 14:26:12 all2all:REJECT:IN=eth2 OUT=eth1 SRC�2.168.2.24 \
DST�2.168.1.1 LEN�5 TOS=0x00 PREC=0x00 TTL�7 IDi8 PROTO=UDP SPT�26 DPT�1 LEN… Nov 29 \
14:26:13 all2all:REJECT:IN=eth2 OUT=eth1 SRC�2.168.2.21 DST�2.168.1.1 LEN�5 TOS=0x00 \
PREC=0x00 TTL�7 ID76 PROTO=UDP SPT�27 DPT�1 LEN… Nov 29 14:26:23 net2all:DROP:IN=eth0 \
OUT= SRC�0.142.207.100 DST�0.142.207.255 LEN6 TOS=0x00 PREC=0x00 TTL%5 ID9259 \
PROTO=ICMP TYPE=9 CODE=0 Nov 29 14:26:35 net2all:DROP:IN=eth0 OUT= SRC�0.142.207.100 \
DST�0.142.207.255 LEN6 TOS=0x00 PREC=0x00 TTL%5 ID9268 PROTO=ICMP TYPE=9 CODE=0 Nov \
29 14:26:48 net2all:DROP:IN=eth0 OUT= SRC�0.142.207.100 DST�0.142.207.255 LEN6 \
TOS=0x00 PREC=0x00 TTL%5 ID9271 PROTO=ICMP TYPE=9 CODE=0 Nov 29 14:26:57 \
net2all:DROP:IN=eth0 OUT= SRC�0.142.207.45 DST�0.142.207.255 LEN@ TOS=0x00 PREC=0x00 \
TTL0 ID�481 PROTO=UDP SPT�40 DPT#01 LEN Nov 29 14:27:01 net2all:DROP:IN=eth0 OUT= \
SRC�0.142.207.100 DST�0.142.207.255 LEN6 TOS=0x00 PREC=0x00 TTL%5 ID9277 PROTO=ICMP \
TYPE=9 CODE=0 Nov 29 14:27:13 net2all:DROP:IN=eth0 OUT= SRC�0.142.207.100 \
DST�0.142.207.255 LEN6 TOS=0x00 PREC=0x00 TTL%5 ID9281 PROTO=ICMP TYPE=9 CODE=0 Nov \
29 14:27:28 net2all:DROP:IN=eth0 OUT= SRC�0.142.207.100 DST�0.142.207.255 LEN6 \
TOS=0x00 PREC=0x00 TTL%5 ID9293 PROTO=ICMP TYPE=9 CODE=0
NAT Table
Chain PREROUTING (policy ACCEPT 270 packets, 26430 bytes)
pkts bytes target prot opt in out source destination
284 27848 nat_in all -- * * 0.0.0.0/0 0.0.0.0/0
119 11700 loc_dnat all -- eth1 * 0.0.0.0/0 0.0.0.0/0
76 9195 loc_dnat all -- eth2 * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 44 packets, 2831 bytes)
pkts bytes target prot opt in out source destination
84 5231 nat_out all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 loc_snat all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 loc_snat all -- * eth2 0.0.0.0/0 0.0.0.0/0
82 5091 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 44 packets, 2831 bytes)
pkts bytes target prot opt in out source destination
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
40 2400 SNAT all -- * * 192.168.1.0/24 0.0.0.0/0 \
to:140.142.207.130 0 0 SNAT all -- * * 192.168.2.0/24 \
0.0.0.0/0 to:140.142.207.130
Chain loc_dnat (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 140.142.207.137 \
tcp dpt:80 to:192.168.1.18 0 0 DNAT tcp -- * * 0.0.0.0/0 \
140.142.207.137 tcp dpt:22 to:192.168.1.18 0 0 DNAT tcp -- * * \
0.0.0.0/0 140.142.207.136 tcp dpt:22 to:192.168.1.2
Chain loc_snat (2 references)
pkts bytes target prot opt in out source destination
0 0 SNAT tcp -- * * 0.0.0.0/0 192.168.1.18 \
tcp dpt:80 to:192.168.1.254 0 0 SNAT tcp -- * * 0.0.0.0/0 \
192.168.1.18 tcp dpt:80 to:192.168.1.254 0 0 SNAT tcp -- * * \
0.0.0.0/0 192.168.1.18 tcp dpt:22 to:192.168.1.254 0 0 SNAT \
tcp -- * * 0.0.0.0/0 192.168.1.18 tcp dpt:22 \
to:192.168.1.254 0 0 SNAT tcp -- * * 0.0.0.0/0 \
192.168.1.2 tcp dpt:22 to:192.168.1.254 0 0 SNAT tcp -- * * \
0.0.0.0/0 192.168.1.2 tcp dpt:22 to:192.168.1.254
Chain nat_in (1 references)
pkts bytes target prot opt in out source destination
4 638 DNAT all -- * * 0.0.0.0/0 140.142.207.131 \
to:192.168.2.12 4 312 DNAT all -- * * 0.0.0.0/0 \
140.142.207.136 to:192.168.1.2 3 234 DNAT all -- * * \
0.0.0.0/0 140.142.207.137 to:192.168.1.18 3 234 DNAT all -- \
* * 0.0.0.0/0 140.142.207.139 to:192.168.1.20
Chain nat_out (1 references)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 192.168.2.12 0.0.0.0/0 \
to:140.142.207.131 0 0 SNAT all -- * * 192.168.1.2 \
0.0.0.0/0 to:140.142.207.136 0 0 SNAT all -- * * \
192.168.1.18 0.0.0.0/0 to:140.142.207.137 0 0 SNAT all \
-- * * 192.168.1.20 0.0.0.0/0 to:140.142.207.139
Mangle Table
Chain PREROUTING (policy ACCEPT 8611 packets, 907K bytes)
pkts bytes target prot opt in out source destination
89 6953 man1918 all -- eth0 * 0.0.0.0/0 0.0.0.0/0 \
state NEW 8611 907K pretos all -- * * 0.0.0.0/0 \
0.0.0.0/0
Chain INPUT (policy ACCEPT 1280 packets, 99879 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 7321 packets, 807K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 868 packets, 148K bytes)
pkts bytes target prot opt in out source destination
868 148K outtos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 8107 packets, 947K bytes)
pkts bytes target prot opt in out source destination
Chain logdrop (30 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 \
LOG flags 0 level 6 prefix `Shorewall:man1918:DROP:' 0 0 DROP all -- * \
* 0.0.0.0/0 0.0.0.0/0
Chain man1918 (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 255.255.255.255
0 0 DROP all -- * * 0.0.0.0/0 169.254.0.0/16
0 0 logdrop all -- * * 0.0.0.0/0 172.16.0.0/12
0 0 logdrop all -- * * 0.0.0.0/0 192.0.2.0/24
0 0 logdrop all -- * * 0.0.0.0/0 192.168.0.0/16
0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 2.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 5.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 7.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 23.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 27.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 31.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 36.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 39.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 41.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 42.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 49.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 50.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 58.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 60.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 70.0.0.0/7
0 0 logdrop all -- * * 0.0.0.0/0 72.0.0.0/5
0 0 logdrop all -- * * 0.0.0.0/0 83.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 84.0.0.0/6
0 0 logdrop all -- * * 0.0.0.0/0 88.0.0.0/5
0 0 logdrop all -- * * 0.0.0.0/0 96.0.0.0/3
0 0 logdrop all -- * * 0.0.0.0/0 127.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 197.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 198.18.0.0/15
0 0 logdrop all -- * * 0.0.0.0/0 201.0.0.0/8
0 0 logdrop all -- * * 0.0.0.0/0 240.0.0.0/4
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 \
tcp dpt:22 TOS set 0x10 742 136K TOS tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 tcp spt:22 TOS set 0x10 0 0 TOS tcp -- * * \
0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10 0 0 TOS \
tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set \
0x10 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 \
tcp spt:20 TOS set 0x08 0 0 TOS tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 tcp dpt:20 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
5340 403K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 \
tcp dpt:22 TOS set 0x10 2386 319K TOS tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 tcp spt:22 TOS set 0x10 0 0 TOS tcp -- * * \
0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10 0 0 TOS \
tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set \
0x10 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 \
tcp spt:20 TOS set 0x08 0 0 TOS tcp -- * * 0.0.0.0/0 \
0.0.0.0/0 tcp dpt:20 TOS set 0x08
tcp 6 431999 ESTABLISHED src�2.168.1.4 dst�2.168.1.254 sport2803 dport" \
src�2.168.1.254 dst�2.168.1.4 sport" dport2803 [ASSURED] use=1 tcp 6 431968 \
ESTABLISHED src�2.168.1.4 dst�0.142.15.38 sport2804 dport" src�0.142.15.38 \
dst�0.142.207.130 sport" dport2804 [ASSURED] use=1
Thanks,
Stefan
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic