Shorewall 4.2.5 Dump at mistral.cejil.org - Mon Mar 30 20:29:32 ART 2009

Shorewall-perl 4.2.5.3

Counters reset Mon Mar 30 20:27:15 ART 2009

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts  bytes target     prot opt in     out     source               destination
    1     60 ACCEPT     udp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0      0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0      0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0      0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
   29   3008 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
  333  34878 net2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0      0 vpn2fw     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0      0 vms2fw     all  --  vnet+  *       0.0.0.0/0            0.0.0.0/0
   77   6804 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:INPUT:DROP:'
    0      0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts  bytes target     prot opt in     out     source               destination
    4    304 ACCEPT     all  --  *      vnet0   0.0.0.0/0            10.3.14.0/24         state RELATED,ESTABLISHED
    4    304 ACCEPT     all  --  vnet0  *       10.3.14.0/24         0.0.0.0/0
    0      0 ACCEPT     all  --  vnet0  vnet0   0.0.0.0/0            0.0.0.0/0
    0      0 REJECT     all  --  *      vnet0   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0      0 REJECT     all  --  vnet0  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0      0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
    0      0 net_frwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0      0 vpn_frwd   all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0      0 vms_frwd   all  --  vnet+  *       0.0.0.0/0            0.0.0.0/0
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:FORWARD:DROP:'
    0      0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts  bytes target     prot opt in     out     source               destination
  264  25982 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0      0 fw2vpn     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
    1     76 fw2vms     all  --  *      vnet+   0.0.0.0/0            0.0.0.0/0
   77   6804 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0      0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain Drop (9 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113 /* Auth */
    4   1400 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 3 code 4 /* Needed ICMP types */
    0      0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 11 /* Needed ICMP types */
    2   1244 dropInvalid all --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,445 /* SMB */
    0      0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:139 /* SMB */
    0      0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:137 dpts:1024:65535 /* SMB */
    0      0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445 /* SMB */
    0      0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900 /* UPnP */
    0      0 dropNotSyn tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53 /* Late DNS Replies */

Chain Reject (3 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113 /* Auth */
    0      0 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 3 code 4 /* Needed ICMP types */
    0      0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 11 /* Needed ICMP types */
    0      0 dropInvalid all --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,445 /* SMB */
    0      0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:139 /* SMB */
    0      0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:137 dpts:1024:65535 /* SMB */
    0      0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445 /* SMB */
    0      0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900 /* UPnP */
    0      0 dropNotSyn tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53 /* Late DNS Replies */

Chain blacklst (6 references)
 pkts  bytes target     prot opt in     out     source               destination

Chain dropBcast (2 references)
 pkts  bytes target     prot opt in     out     source               destination
    2    156 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0      0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4

Chain dropInvalid (2 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID

Chain dropNotSyn (2 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02

Chain dynamic (2 references)
 pkts  bytes target     prot opt in     out     source               destination

Chain fw2net (1 references)
 pkts  bytes target     prot opt in     out     source               destination
  169  19927 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* SSH */
   85   5295 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* DNS */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* DNS */
   10    760 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123 /* NTP */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* HTTP */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* HTTPS */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 /* FTP */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* Mail */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 /* Mail */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 /* Mail */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 /* POP3 */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 /* POP3S */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 /* IMAP */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 /* IMAPS */
    0      0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194 /* OpenVPN */
    0      0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:1194
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2vms (1 references)
 pkts  bytes target     prot opt in     out     source               destination
    1     76 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* SSH */
    0      0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* DNS */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* DNS */
    0      0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123 /* NTP */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* HTTP */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* HTTPS */
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2vpn (1 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* SSH */
    0      0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* DNS */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* DNS */
    0      0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123 /* NTP */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* HTTP */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* HTTPS */
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logdrop (0 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logflags (5 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 4 level 6 prefix `Shorewall:logflags:DROP:'
    0      0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain logreject (0 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts  bytes target     prot opt in     out     source               destination
    5   1460 blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
    5   1460 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
    5   1460 norfc1918  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
  276  23115 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
  328  33418 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 reject     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8 /* Ping */
    0      0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    1     60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* SSH */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* HTTP */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* HTTPS */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* Mail */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 /* Mail */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 /* Mail */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 /* POP3 */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 /* POP3S */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 /* IMAP */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 /* IMAPS */
    0      0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194 /* OpenVPN */
    0      0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
    4   1400 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2   1244 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:net2fw:DROP:'
    2   1244 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2vms (1 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.3.14.17           tcp dpt:389 ctorigdst 94.75.244.29
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.3.14.17           tcp dpt:636 ctorigdst 94.75.244.29
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.3.14.17           tcp dpt:22 ctorigdst 94.75.244.57
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.3.14.18           tcp dpt:25 ctorigdst 94.75.244.29
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.3.14.18           tcp dpt:465 ctorigdst 94.75.244.29
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.3.14.18           tcp dpt:587 ctorigdst 94.75.244.29
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.3.14.18           tcp dpt:110 ctorigdst 94.75.244.29
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.3.14.18           tcp dpt:143 ctorigdst 94.75.244.29
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.3.14.18           tcp dpt:993 ctorigdst 94.75.244.29
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.3.14.18           tcp dpt:22 ctorigdst 94.75.244.57
    0      0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:net2vms:DROP:'
    0      0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2vpn (1 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:net2vpn:DROP:'
    0      0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net_frwd (1 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
    0      0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
    0      0 norfc1918  all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
    0      0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 net2vpn    all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
    0      0 net2vms    all  --  *      vnet+   0.0.0.0/0            0.0.0.0/0

Chain norfc1918 (2 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 rfc1918    all  --  *      *       172.16.0.0/12        0.0.0.0/0
    0      0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctorigdst 172.16.0.0/12
    0      0 rfc1918    all  --  *      *       192.168.0.0/16       0.0.0.0/0
    0      0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctorigdst 192.168.0.0/16
    0      0 rfc1918    all  --  *      *       10.0.0.0/8           0.0.0.0/0
    0      0 rfc1918    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctorigdst 10.0.0.0/8

Chain reject (11 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BROADCAST
    0      0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
    0      0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0      0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain rfc1918 (6 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'
    0      0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain shorewall (0 references)
 pkts  bytes target     prot opt in     out     source               destination

Chain smurfs (6 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 RETURN     all  --  *      *       0.0.0.0              0.0.0.0/0
    0      0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BROADCAST LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0      0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BROADCAST
    0      0 LOG        all  --  *      *       224.0.0.0/4          0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0      0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0

Chain tcpflags (6 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29
    0      0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
    0      0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
    0      0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
    0      0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:0 flags:0x17/0x02

Chain vms2fw (1 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
    0      0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
    0      0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* SSH */
    0      0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* DNS */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* DNS */
    0      0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123 /* NTP */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* HTTP */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* HTTPS */
    0      0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 5 prefix `Shorewall:vms2fw:REJECT:'
    0      0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain vms2net (1 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:vms2net:DROP:'
    0      0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain vms2vms (0 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain vms2vpn (1 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:vms2vpn:DROP:'
    0      0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain vms_frwd (1 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
    0      0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
    0      0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 vms2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0      0 vms2vpn    all  --  *      tun+    0.0.0.0/0            0.0.0.0/0

Chain vpn2fw (1 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
    0      0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
    0      0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* SSH */
    0      0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* DNS */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* DNS */
    0      0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123 /* NTP */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* HTTP */
    0      0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* HTTPS */
    0      0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 5 prefix `Shorewall:vpn2fw:REJECT:'
    0      0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain vpn2net (1 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:vpn2net:DROP:'
    0      0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain vpn2vms (1 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Shorewall:vpn2vms:DROP:'
    0      0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain vpn2vpn (0 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0      0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain vpn_frwd (1 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
    0      0 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
    0      0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0      0 vpn2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0      0 vpn2vms    all  --  *      vnet+   0.0.0.0/0            0.0.0.0/0

Log (/var/log/shorewall.log)

NAT Table

Chain PREROUTING (policy ACCEPT 7 packets, 1596 bytes)
 pkts  bytes target     prot opt in     out     source               destination
    7   1596 dnat       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 117 packets, 7473 bytes)
 pkts  bytes target     prot opt in     out     source               destination
    1     76 MASQUERADE all  --  *      *       10.3.14.0/24         !10.3.14.0/24

Chain OUTPUT (policy ACCEPT 117 packets, 7473 bytes)
 pkts  bytes target     prot opt in     out     source               destination

Chain dnat (1 references)
 pkts  bytes target     prot opt in     out     source               destination
    5   1460 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain net_dnat (1 references)
 pkts  bytes target     prot opt in     out     source               destination
    0      0 DNAT       tcp  --  *      *       0.0.0.0/0            94.75.244.29         tcp dpt:389 to:10.3.14.17:389
    0      0 DNAT       tcp  --  *      *       0.0.0.0/0            94.75.244.29         tcp dpt:636 to:10.3.14.17:636
    0      0 DNAT       tcp  --  *      *       0.0.0.0/0            94.75.244.57         tcp dpt:10017 to:10.3.14.17:22
    0      0 DNAT       tcp  --  *      *       0.0.0.0/0            94.75.244.29         tcp dpt:25 to:10.3.14.18:25
    0      0 DNAT       tcp  --  *      *       0.0.0.0/0            94.75.244.29         tcp dpt:465 to:10.3.14.18:465
    0      0 DNAT       tcp  --  *      *       0.0.0.0/0            94.75.244.29         tcp dpt:587 to:10.3.14.18:587
    0      0 DNAT       tcp  --  *      *       0.0.0.0/0            94.75.244.29         tcp dpt:110 to:10.3.14.18:110
    0      0 DNAT       tcp  --  *      *       0.0.0.0/0            94.75.244.29         tcp dpt:143 to:10.3.14.18:143
    0      0 DNAT       tcp  --  *      *       0.0.0.0/0            94.75.244.29         tcp dpt:993 to:10.3.14.18:993
    0      0 DNAT       tcp  --  *      *       0.0.0.0/0            94.75.244.57         tcp dpt:10018 to:10.3.14.18:22

Mangle Table

Chain PREROUTING (policy ACCEPT 419 packets, 42350 bytes)
 pkts  bytes target     prot opt in     out     source               destination
  419  42350 tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 411 packets, 41742 bytes)
 pkts  bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 8 packets, 608 bytes)
 pkts  bytes target     prot opt in     out     source               destination
    8    608 tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 342 packets, 32862 bytes)
 pkts  bytes target     prot opt in     out     source               destination
  342  32862 tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 350 packets, 33470 bytes)
 pkts  bytes target     prot opt in     out     source               destination
  350  33470 tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain tcfor (1 references)
 pkts  bytes target     prot opt in     out     source               destination

Chain tcout (1 references)
 pkts  bytes target     prot opt in     out     source               destination

Chain tcpost (1 references)
 pkts  bytes target     prot opt in     out     source               destination

Chain tcpre (1 references)
 pkts  bytes target     prot opt in     out     source               destination

Conntrack Table

udp      17 111 src=10.3.14.17 dst=91.189.94.4 sport=123 dport=123 packets=4 bytes=304 src=91.189.94.4 dst=94.75.244.29 sport=123 dport=1 packets=4 bytes=304 [ASSURED] mark=0 secmark=0 use=1
udp      17 2 src=94.75.244.29 dst=80.85.129.103 sport=123 dport=123 packets=1 bytes=76 src=80.85.129.103 dst=94.75.244.29 sport=123 dport=123 packets=1 bytes=76 mark=0 secmark=0 use=1
udp      17 70 src=127.0.0.1 dst=127.0.0.1 sport=45314 dport=53 packets=2 bytes=120 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=45314 packets=2 bytes=152 [ASSURED] mark=0 secmark=0 use=1
udp      17 1 src=94.75.244.29 dst=83.137.16.7 sport=123 dport=123 packets=1 bytes=76 src=83.137.16.7 dst=94.75.244.29 sport=123 dport=123 packets=1 bytes=76 mark=0 secmark=0 use=1
udp      17 74 src=127.0.0.1 dst=127.0.0.1 sport=60027 dport=53 packets=2 bytes=140 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=60027 packets=2 bytes=140 [ASSURED] mark=0 secmark=0 use=1
udp      17 2 src=94.75.244.29 dst=85.12.29.43 sport=123 dport=123 packets=1 bytes=76 src=85.12.29.43 dst=94.75.244.29 sport=123 dport=123 packets=1 bytes=76 mark=0 secmark=0 use=1
tcp      6 299 ESTABLISHED src=190.244.95.55 dst=94.75.244.29 sport=55924 dport=22 packets=276 bytes=23115 src=94.75.244.29 dst=190.244.95.55 sport=22 dport=55924 packets=169 bytes=19927 [ASSURED] mark=0 secmark=0 use=1

IP Configuration

1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 94.75.244.29/26 brd 94.75.244.63 scope global eth0
    inet 94.75.244.57/26 brd 94.75.244.63 scope global secondary eth0:0
4: vnet0: mtu 1500 qdisc noqueue state UNKNOWN
    inet 10.3.14.1/24 brd 10.3.14.255 scope global vnet0

IP Stats

1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    6892       78       0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    6892       78       0       0       0       0
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:1e:c9:b0:70:e2 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    41670      343      0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    29520      254      0       0       0       0
3: eth1: mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:1e:c9:b0:70:e4 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
4: vnet0: mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 26:1f:34:97:99:a4 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    420        7        0       0       0       1
    TX: bytes  packets  errors  dropped carrier collsns
    534        7        0       0       0       0
5: vnet1: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 32:40:38:8b:46:0b brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    468        6        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    2642       51       0       0       0       0
6: vnet2: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 26:1f:34:97:99:a4 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    1364       22       0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    3134       57       0       0       0       0

Bridges

bridge name     bridge id               STP enabled     interfaces
vnet0           8000.261f349799a4       yes             vnet1
                                                        vnet2

/proc

/proc/version = Linux version 2.6.27-11-server (buildd@rothera) (gcc version 4.3.2 (Ubuntu 4.3.2-1ubuntu11) ) #1 SMP Thu Jan 29 20:19:41 UTC 2009
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/all/log_martians = 1
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/default/log_martians = 1
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/log_martians = 1
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
/proc/sys/net/ipv4/conf/eth1/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 1
/proc/sys/net/ipv4/conf/vnet0/proxy_arp = 0
/proc/sys/net/ipv4/conf/vnet0/arp_filter = 0
/proc/sys/net/ipv4/conf/vnet0/arp_ignore = 0
/proc/sys/net/ipv4/conf/vnet0/rp_filter = 0
/proc/sys/net/ipv4/conf/vnet0/log_martians = 1
/proc/sys/net/ipv4/conf/vnet1/proxy_arp = 0
/proc/sys/net/ipv4/conf/vnet1/arp_filter = 0
/proc/sys/net/ipv4/conf/vnet1/arp_ignore = 0
/proc/sys/net/ipv4/conf/vnet1/rp_filter = 0
/proc/sys/net/ipv4/conf/vnet1/log_martians = 1
/proc/sys/net/ipv4/conf/vnet2/proxy_arp = 0
/proc/sys/net/ipv4/conf/vnet2/arp_filter = 0
/proc/sys/net/ipv4/conf/vnet2/arp_ignore = 0
/proc/sys/net/ipv4/conf/vnet2/rp_filter = 0
/proc/sys/net/ipv4/conf/vnet2/log_martians = 1

Routing Rules

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Table default:

Table local:

broadcast 10.3.14.0 dev vnet0  proto kernel  scope link  src 10.3.14.1
broadcast 94.75.244.0 dev eth0  proto kernel  scope link  src 94.75.244.29
local 10.3.14.1 dev vnet0  proto kernel  scope host  src 10.3.14.1
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
broadcast 10.3.14.255 dev vnet0  proto kernel  scope link  src 10.3.14.1
local 94.75.244.57 dev eth0  proto kernel  scope host  src 94.75.244.29
local 94.75.244.29 dev eth0  proto kernel  scope host  src 94.75.244.29
broadcast 94.75.244.63 dev eth0  proto kernel  scope link  src 94.75.244.29
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1

Table main:

94.75.244.0/26 dev eth0  proto kernel  scope link  src 94.75.244.29
10.3.14.0/24 dev vnet0  proto kernel  scope link  src 10.3.14.1
default via 94.75.244.62 dev eth0  metric 100

ARP

? (10.3.14.17) at 52:54:00:57:9c:86 [ether] on vnet0
? (94.75.244.62) at 00:00:0c:07:ac:43 [ether] on eth0

Modules

iptable_filter 10752 1
iptable_mangle 10880 1
iptable_nat 13448 1
iptable_raw 10368 0
ip_tables 19600 4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
ipt_addrtype 10496 4
ipt_ah 9728 0
ipt_CLUSTERIP 14980 0
ipt_ecn 10112 0
ipt_ECN 10496 0
ipt_LOG 13700 16
ipt_MASQUERADE 10752 1
ipt_NETMAP 9856 0
ipt_recent 16028 0
ipt_REDIRECT 9856 0
ipt_REJECT 11136 4
ipt_ttl 9728 0
ipt_TTL 9984 0
ipt_ULOG 15268 0
nf_conntrack 72032 30 xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_amanda 11904 1 nf_nat_amanda
nf_conntrack_ftp 15652 1 nf_nat_ftp
nf_conntrack_h323 56904 1 nf_nat_h323
nf_conntrack_ipv4 21900 51 iptable_nat,nf_nat
nf_conntrack_irc 13348 1 nf_nat_irc
nf_conntrack_netbios_ns 10496 0
nf_conntrack_netlink 24320 0
nf_conntrack_pptp 14084 1 nf_nat_pptp
nf_conntrack_proto_gre 13056 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 16392 0
nf_conntrack_sip 26260 1 nf_nat_sip
nf_conntrack_tftp 12308 1 nf_nat_tftp
nf_nat 25368 13 ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_netlink,iptable_nat
nf_nat_amanda 9984 0
nf_nat_ftp 10880 0
nf_nat_h323 14464 0
nf_nat_irc 10240 0
nf_nat_pptp 11136 0
nf_nat_proto_gre 10372 1 nf_nat_pptp
nf_nat_sip 14976 0
nf_nat_snmp_basic 17032 0
nf_nat_tftp 9600 0
xt_CLASSIFY 9728 0
xt_comment 9728 69
xt_connlimit 12040 0
xt_connmark 10496 0
xt_CONNMARK 11136 0
xt_conntrack 11904 13
xt_dccp 11016 0
xt_dscp 10496 0
xt_DSCP 11264 0
xt_hashlimit 18576 0
xt_helper 10240 0
xt_iprange 10496 0
xt_length 9856 0
xt_limit 10372 0
xt_mac 9856 0
xt_mark 10112 0
xt_MARK 10496 0
xt_multiport 11392 4
xt_NFLOG 9856 0
xt_NFQUEUE 9856 0
xt_owner 10752 0
xt_physdev 10640 0
xt_pkttype 9856 0
xt_policy 11136 0
xt_realm 9600 0
xt_state 10112 35
xt_tcpmss 10112 0
xt_tcpudp 11008 92
xt_time 10752 0

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Extended Connection Tracking Match Support: Not available
   Old Connection Tracking Match Syntax: Not available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   Physdev-is-bridged Support: Available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Available
   IPP2P Match: Not available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Available
   Extended MARK Target: Available
   Mangle FORWARD Chain: Available
   Comments: Available
   Address Type Match: Available
   TCPMSS Match: Available
   Hashlimit Match: Available
   NFQUEUE Target: Available
   Realm Match: Available
   Helper Match: Available
   Connlimit Match: Available
   Time Match: Available
   Goto Support: Available

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      6957/kvm
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN      6962/kvm
tcp        0      0 10.3.14.1:53            0.0.0.0:*               LISTEN      6925/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      6408/dnscache
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      6494/sshd
tcp        0      0 94.75.244.29:22         190.244.95.55:55924     ESTABLISHED 6992/sshd: cejil [p
udp        0      0 10.3.14.1:53            0.0.0.0:*                           6925/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           6408/dnscache
udp        0      0 0.0.0.0:67              0.0.0.0:*                           6925/dnsmasq
udp        0      0 10.3.14.1:123           0.0.0.0:*                           6860/ntpd
udp        0      0 94.75.244.57:123        0.0.0.0:*                           6860/ntpd
udp        0      0 94.75.244.29:123        0.0.0.0:*                           6860/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           6860/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           6860/ntpd

Traffic Control

Device eth0:
qdisc pfifo_fast 0: root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 28132 bytes 255 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

Device vnet1:
qdisc pfifo_fast 0: root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 2694 bytes 52 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

Device vnet2:
qdisc pfifo_fast 0: root bands 3 priomap  1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 3186 bytes 58 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

TC Filters

Device eth0:

Device vnet1:

Device vnet2: