Hi Roberto,
Here is the output:
[BEGIN]
Shorewall 5.0.4 Dump at firewall.local - Do 11. Mai 21:15:07 CEST 2017
Shorewall is running
State:Started (Mi 10. Mai 22:51:44 CEST 2017) from /etc/shorewall/
(/var/lib/shorewall/firewall compiled by Shorewall version 5.0.4)
Counters reset Mi 10. Mai 22:51:44 CEST 2017
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
10315 5139K net-fw all -- eth1 * 0.0.0.0/0 0.0.0.0/0
11466 1102K loc-fw all -- eth0 * 0.0.0.0/0 0.0.0.0/0
294 48707 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
"Shorewall:INPUT:REJECT:"
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0 [goto]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
37120 8452K net_frwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
34460 5107K loc_frwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
"Shorewall:FORWARD:REJECT:"
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0 [goto]
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
10464 779K fw-net all -- * eth1 0.0.0.0/0 0.0.0.0/0
8939 2999K fw-loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
294 48707 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
"Shorewall:OUTPUT:REJECT:"
0 0 reject all -- * * 0.0.0.0/0
0.0.0.0/0 [goto]
Chain Broadcast (2 references)
pkts bytes target prot opt in out source destination
1367 416K DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
647 23308 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
Chain Drop (2 references)
pkts bytes target prot opt in out source destination
2 1070 all -- * * 0.0.0.0/0 0.0.0.0/0
2 1070 Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 11 /* Needed ICMP types */
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1900 /* UPnP */
2 1070 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:!0x17/0x02
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:53 /* Late DNS Replies */
Chain Reject (6 references)
pkts bytes target prot opt in out source destination
2201 476K all -- * * 0.0.0.0/0 0.0.0.0/0
2201 476K Broadcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 3 code 4 /* Needed ICMP types */
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 11 /* Needed ICMP types */
13 4628 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,445 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139 /* SMB */
0 0 reject udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:137 dpts:1024:65535 /* SMB */
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport dports 135,139,445 /* SMB */
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1900 /* UPnP */
0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:!0x17/0x02
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:53 /* Late DNS Replies */
Chain dynamic (4 references)
pkts bytes target prot opt in out source destination
Chain fw-loc (1 references)
pkts bytes target prot opt in out source destination
8881 2983K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:123 /* NTP */
9 432 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
49 16072 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
49 16072 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
"Shorewall:fw-loc:REJECT:"
49 16072 reject all -- * * 0.0.0.0/0
0.0.0.0/0 [goto]
Chain fw-net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
124 15080 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate RELATED,ESTABLISHED
10228 757K ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:53 /* DNS */
3 180 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53 /* DNS */
30 2280 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:123 /* NTP */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
79 4740 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
79 4740 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
"Shorewall:fw-net:REJECT:"
79 4740 reject all -- * * 0.0.0.0/0
0.0.0.0/0 [goto]
Chain loc-fw (1 references)
pkts bytes target prot opt in out source destination
8418 871K dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
8418 871K smurfs all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
2599 194K tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
3048 231K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate RELATED,ESTABLISHED
6208 407K ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:53 /* DNS */
110 6608 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:53 /* DNS */
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:123 /* NTP */
1 64 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22 /* SSH */
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 8 /* Ping */
2073 455K Reject all -- * * 0.0.0.0/0 0.0.0.0/0
46 11338 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
"Shorewall:loc-fw:REJECT:"
46 11338 reject all -- * * 0.0.0.0/0
0.0.0.0/0 [goto]
Chain loc-net (1 references)
pkts bytes target prot opt in out source destination
11685 3316K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate RELATED,ESTABLISHED
21402 1627K ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:123 /* NTP */
1373 164K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain loc_frwd (1 references)
pkts bytes target prot opt in out source destination
22775 1791K dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
22775 1791K smurfs all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
12488 3369K tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
34460 5107K loc-net all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logflags (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 4 level 6 prefix
"Shorewall:logflags:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net-fw (1 references)
pkts bytes target prot opt in out source destination
43 11409 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
43 11409 smurfs all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
60 16633 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
10272 5128K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate RELATED,ESTABLISHED
41 10339 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID
0 0 DROP icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 8 /* Ping */
2 1070 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
"Shorewall:net-fw:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net-loc (1 references)
pkts bytes target prot opt in out source destination
37120 8452K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
"Shorewall:net-loc:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net_frwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 smurfs all -- * * 0.0.0.0/0
0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
15148 7222K tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
37120 8452K net-loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain reject (11 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0
0.0.0.0/0 ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
100 6000 REJECT tcp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with tcp-reset
74 26150 REJECT udp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-host-prohibited
Chain sha-lh-56f47107bc14542ec8d0 (0 references)
pkts bytes target prot opt in out source destination
Chain sha-rh-3bcc28f05bfb8988e4cb (0 references)
pkts bytes target prot opt in out source destination
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0
0.0.0.0/0 recent: SET name: %CURRENTTIME side: source mask:
255.255.255.255
Chain smurflog (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix
"Shorewall:smurfs:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain smurfs (4 references)
pkts bytes target prot opt in out source destination
1038 352K RETURN all -- * * 0.0.0.0 0.0.0.0/0
0 0 smurflog all -- * * 0.0.0.0/0
0.0.0.0/0 [goto] ADDRTYPE match src-type BROADCAST
0 0 smurflog all -- * * 224.0.0.0/4
0.0.0.0/0 [goto]
Chain tcpflags (4 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 [goto] tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 [goto] tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 [goto] tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 [goto] tcp flags:0x05/0x05
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 [goto] tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 [goto] tcp flags:0x19/0x09
0 0 logflags tcp -- * * 0.0.0.0/0
0.0.0.0/0 [goto] tcp spt:0 flags:0x17/0x02
Log (/var/log/syslog)
May 11 18:33:00 fw-net:REJECT:IN= OUT=eth1 SRC=192.168.10.2
DST=54.230.202.47 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44427 DF
PROTO=TCP SPT=50849 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
May 11 18:33:00 fw-net:REJECT:IN= OUT=eth1 SRC=192.168.10.2
DST=54.230.202.243 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52383 DF
PROTO=TCP SPT=43606 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
May 11 18:33:00 fw-net:REJECT:IN= OUT=eth1 SRC=192.168.10.2
DST=54.230.202.143 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14278 DF
PROTO=TCP SPT=48615 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
May 11 19:39:53 loc-fw:REJECT:IN=eth0 OUT= SRC=192.168.0.200
DST=192.168.0.1 LEN=308 TOS=0x00 PREC=0x00 TTL=64 ID=45542 DF
PROTO=UDP SPT=68 DPT=67 LEN=288
May 11 19:39:53 fw-loc:REJECT:IN= OUT=eth0 SRC=192.168.0.1
DST=192.168.0.200 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=41322 DF
PROTO=UDP SPT=67 DPT=68 LEN=308
May 11 20:40:01 loc-fw:REJECT:IN=eth0 OUT= SRC=192.168.0.2
DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48281 DF PROTO=TCP
SPT=34740 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 11 20:46:13 loc-fw:REJECT:IN=eth0 OUT= SRC=192.168.0.2
DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22982 DF PROTO=TCP
SPT=39418 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 11 20:50:16 loc-fw:REJECT:IN=eth0 OUT= SRC=192.168.0.2
DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12329 DF PROTO=TCP
SPT=52565 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 11 20:56:11 loc-fw:REJECT:IN=eth0 OUT= SRC=192.168.0.2
DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=50098 DF PROTO=TCP
SPT=55808 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 11 20:59:21 loc-fw:REJECT:IN=eth0 OUT= SRC=192.168.0.29
DST=192.168.0.1 LEN=358 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
SPT=68 DPT=67 LEN=338
May 11 20:59:24 loc-fw:REJECT:IN=eth0 OUT= SRC=192.168.0.29
DST=192.168.0.1 LEN=337 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP
SPT=68 DPT=67 LEN=317
May 11 20:59:33 loc-fw:REJECT:IN=eth0 OUT= SRC=192.168.0.29
DST=192.168.0.1 LEN=337 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP
SPT=68 DPT=67 LEN=317
May 11 20:59:48 loc-fw:REJECT:IN=eth0 OUT= SRC=192.168.0.29
DST=192.168.0.1 LEN=337 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP
SPT=68 DPT=67 LEN=317
May 11 21:05:16 loc-fw:REJECT:IN=eth0 OUT= SRC=192.168.0.2
DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10238 DF PROTO=TCP
SPT=52080 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 11 21:07:08 fw-net:REJECT:IN= OUT=eth1 SRC=192.168.10.2
DST=216.34.181.97 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35699 DF
PROTO=TCP SPT=55846 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 11 21:07:12 fw-net:REJECT:IN= OUT=eth1 SRC=192.168.10.2
DST=216.34.181.97 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4015 DF
PROTO=TCP SPT=55847 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 11 21:08:32 fw-net:REJECT:IN= OUT=eth1 SRC=192.168.10.2
DST=216.34.181.97 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12115 DF
PROTO=TCP SPT=55848 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 11 21:11:16 loc-fw:REJECT:IN=eth0 OUT= SRC=192.168.0.2
DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31011 DF PROTO=TCP
SPT=60185 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 11 21:12:07 fw-net:REJECT:IN= OUT=eth1 SRC=192.168.10.2
DST=216.34.181.97 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8334 DF
PROTO=TCP SPT=55849 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 11 21:14:14 fw-net:REJECT:IN= OUT=eth1 SRC=192.168.10.2
DST=216.34.181.97 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63123 DF
PROTO=TCP SPT=55850 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
NAT Table
Chain PREROUTING (policy ACCEPT 42 packets, 2873 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 35 packets, 2405 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 58 packets, 4302 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 58 packets, 4282 bytes)
pkts bytes target prot opt in out source destination
32392 2446K eth1_masq all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain eth1_masq (1 references)
pkts bytes target prot opt in out source destination
22131 1687K MASQUERADE all -- * * 192.168.0.0/24 0.0.0.0/0
Mangle Table
Chain PREROUTING (policy ACCEPT 182 packets, 35439 bytes)
pkts bytes target prot opt in out source destination
93657 20M tcpre all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 182 packets, 35439 bytes)
pkts bytes target prot opt in out source destination
22075 6290K tcin all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
71580 14M MARK all -- * * 0.0.0.0/0
0.0.0.0/0 MARK and 0xffffff00
71580 14M tcfor all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 153 packets, 33729 bytes)
pkts bytes target prot opt in out source destination
19697 3827K tcout all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 152 packets, 33669 bytes)
pkts bytes target prot opt in out source destination
91149 17M tcpost all -- * * 0.0.0.0/0 0.0.0.0/0
Chain tcfor (1 references)
pkts bytes target prot opt in out source destination
Chain tcin (1 references)
pkts bytes target prot opt in out source destination
Chain tcout (1 references)
pkts bytes target prot opt in out source destination
Chain tcpost (1 references)
pkts bytes target prot opt in out source destination
Chain tcpre (1 references)
pkts bytes target prot opt in out source destination
Raw Table
Chain PREROUTING (policy ACCEPT 182 packets, 35439 bytes)
pkts bytes target prot opt in out source destination
0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:10080 CT helper amanda
0 0 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21 CT helper ftp
0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1719 CT helper RAS
0 0 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1720 CT helper Q.931
0 0 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:6667 CT helper irc
46 4146 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:137 CT helper netbios-ns
0 0 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1723 CT helper pptp
0 0 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:6566 CT helper sane
0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:5060 CT helper sip
0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:161 CT helper snmp
0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:69 CT helper tftp
Chain OUTPUT (policy ACCEPT 153 packets, 33729 bytes)
pkts bytes target prot opt in out source destination
0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:10080 CT helper amanda
0 0 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:21 CT helper ftp
0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1719 CT helper RAS
0 0 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1720 CT helper Q.931
0 0 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:6667 CT helper irc
0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:137 CT helper netbios-ns
0 0 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1723 CT helper pptp
0 0 CT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:6566 CT helper sane
0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:5060 CT helper sip
0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:161 CT helper snmp
0 0 CT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:69 CT helper tftp
Conntrack Table (64 out of 65536)
udp 17 25 src=192.168.10.2 dst=192.168.10.1 sport=56640 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=56640 mark=0 use=2
tcp 6 379466 ESTABLISHED src=192.168.0.100 dst=80.241.60.199
sport=57425 dport=143 src=80.241.60.199 dst=192.168.10.2 sport=143
dport=57425 [ASSURED] mark=0 use=2
tcp 6 344554 ESTABLISHED src=192.168.0.27 dst=176.32.99.148
sport=53014 dport=443 src=176.32.99.148 dst=192.168.10.2 sport=443
dport=53014 [ASSURED] mark=0 use=2
udp 17 175 src=192.168.0.25 dst=192.168.0.1 sport=55525 dport=53
src=192.168.0.1 dst=192.168.0.25 sport=53 dport=55525 [ASSURED] mark=0
use=2
udp 17 25 src=192.168.10.2 dst=192.168.10.1 sport=43081 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=43081 mark=0 use=2
udp 17 25 src=192.168.10.2 dst=192.168.10.1 sport=47967 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=47967 mark=0 use=2
udp 17 25 src=192.168.0.25 dst=192.168.0.1 sport=59015 dport=53
src=192.168.0.1 dst=192.168.0.25 sport=53 dport=59015 mark=0 use=2
udp 17 11 src=192.168.0.25 dst=192.168.0.1 sport=54470 dport=53
src=192.168.0.1 dst=192.168.0.25 sport=53 dport=54470 [ASSURED] mark=0
use=2
tcp 6 431999 ESTABLISHED src=192.168.0.25 dst=192.168.0.1
sport=62858 dport=22 src=192.168.0.1 dst=192.168.0.25 sport=22
dport=62858 [ASSURED] mark=0 use=2
udp 17 25 src=192.168.10.2 dst=192.168.10.1 sport=35438 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=35438 mark=0 use=2
tcp 6 347110 ESTABLISHED src=192.168.0.29 dst=54.229.136.60
sport=53085 dport=443 src=54.229.136.60 dst=192.168.10.2 sport=443
dport=53085 [ASSURED] mark=0 use=2
tcp 6 347195 ESTABLISHED src=192.168.0.29 dst=74.125.30.188
sport=34775 dport=443 src=74.125.30.188 dst=192.168.10.2 sport=443
dport=34775 [ASSURED] mark=0 use=2
udp 17 25 src=192.168.10.2 dst=192.168.10.1 sport=37442 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=37442 mark=0 use=2
tcp 6 344125 ESTABLISHED src=192.168.0.27 dst=205.251.243.55
sport=53757 dport=443 src=205.251.243.55 dst=192.168.10.2 sport=443
dport=53757 [ASSURED] mark=0 use=2
tcp 6 431035 ESTABLISHED src=192.168.0.34 dst=74.125.28.188
sport=36703 dport=443 src=74.125.28.188 dst=192.168.10.2 sport=443
dport=36703 [ASSURED] mark=0 use=2
udp 17 15 src=192.168.0.25 dst=192.168.0.1 sport=54457 dport=53
src=192.168.0.1 dst=192.168.0.25 sport=53 dport=54457 mark=0 use=2
udp 17 15 src=192.168.10.2 dst=192.168.10.1 sport=49804 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=49804 mark=0 use=2
udp 17 25 src=192.168.10.2 dst=192.168.10.1 sport=50744 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=50744 mark=0 use=2
tcp 6 431443 ESTABLISHED src=192.168.0.34 dst=52.17.53.193
sport=38222 dport=80 src=52.17.53.193 dst=192.168.10.2 sport=80
dport=38222 [ASSURED] mark=0 use=2
udp 17 25 src=192.168.10.2 dst=192.168.10.1 sport=49265 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=49265 mark=0 use=2
tcp 6 347110 ESTABLISHED src=192.168.0.29 dst=54.229.136.60
sport=53580 dport=443 src=54.229.136.60 dst=192.168.10.2 sport=443
dport=53580 [ASSURED] mark=0 use=2
udp 17 25 src=192.168.10.2 dst=192.168.10.1 sport=46188 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=46188 mark=0 use=2
udp 17 25 src=192.168.10.2 dst=192.168.10.1 sport=48070 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=48070 mark=0 use=2
udp 17 25 src=192.168.0.25 dst=192.168.0.1 sport=64830 dport=53
src=192.168.0.1 dst=192.168.0.25 sport=53 dport=64830 mark=0 use=2
tcp 6 347110 ESTABLISHED src=192.168.0.29 dst=54.229.136.60
sport=49771 dport=443 src=54.229.136.60 dst=192.168.10.2 sport=443
dport=49771 [ASSURED] mark=0 use=2
udp 17 25 src=192.168.10.2 dst=192.168.10.1 sport=33822 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=33822 mark=0 use=2
tcp 6 347110 ESTABLISHED src=192.168.0.29 dst=54.229.136.60
sport=48582 dport=443 src=54.229.136.60 dst=192.168.10.2 sport=443
dport=48582 [ASSURED] mark=0 use=2
tcp 6 337954 ESTABLISHED src=192.168.0.100 dst=17.252.92.9
sport=55771 dport=443 src=17.252.92.9 dst=192.168.10.2 sport=443
dport=55771 [ASSURED] mark=0 use=2
udp 17 175 src=192.168.0.25 dst=192.168.0.1 sport=59133 dport=53
src=192.168.0.1 dst=192.168.0.25 sport=53 dport=59133 [ASSURED] mark=0
use=2
tcp 6 384794 ESTABLISHED src=192.168.0.25 dst=17.252.28.72
sport=59406 dport=443 src=17.252.28.72 dst=192.168.10.2 sport=443
dport=59406 [ASSURED] mark=0 use=2
udp 17 15 src=192.168.10.2 dst=192.168.10.1 sport=43775 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=43775 mark=0 use=2
udp 17 25 src=192.168.10.2 dst=192.168.10.1 sport=40223 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=40223 mark=0 use=2
udp 17 25 src=192.168.10.2 dst=192.168.10.1 sport=47970 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=47970 mark=0 use=2
udp 17 25 src=192.168.0.25 dst=192.168.0.1 sport=59175 dport=53
src=192.168.0.1 dst=192.168.0.25 sport=53 dport=59175 mark=0 use=2
udp 17 25 src=192.168.0.25 dst=192.168.0.1 sport=53310 dport=53
src=192.168.0.1 dst=192.168.0.25 sport=53 dport=53310 mark=0 use=2
udp 17 25 src=192.168.10.2 dst=192.168.10.1 sport=43720 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=43720 mark=0 use=2
udp 17 17 src=192.168.0.200 dst=192.168.0.1 sport=51744 dport=53
src=192.168.0.1 dst=192.168.0.200 sport=53 dport=51744 mark=0 use=2
udp 17 25 src=192.168.10.2 dst=192.168.10.1 sport=44149 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=44149 mark=0 use=2
udp 17 25 src=192.168.10.2 dst=192.168.10.1 sport=54570 dport=53
src=192.168.10.1 dst=192.168.10.2 sport=53 dport=54570 mark=0 use=2
udp 17 15 src=192.168.0.25 dst=192.168.0.1 sport=50224 dport=53
src=192.168.0.1 dst=192.168.0.25 sport=53 dport=50224 mark=0 use=2
tcp 6 344641 ESTABLISHED src=192.168.0.24 dst=151.101.114.2
sport=53153 dport=443 src=151.101.114.2 dst=192.168.10.2 sport=443
dport=53153 [ASSURED] mark=0 use=2
IP Configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
inet 192.168.10.2/24 brd 192.168.10.255 scope global eth1
valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
state DOWN group default
inet 172.17.0.1/16 scope global docker0
valid_lft forever preferred_lft forever
IP Stats
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
mode DEFAULT group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
233080 1424 0 0 0 0
TX: bytes packets errors dropped carrier collsns
233080 1424 0 0 0 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP mode DEFAULT group default qlen 1000
link/ether 00:1e:06:30:75:12 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
60866237 658062 0 0 0 0
TX: bytes packets errors dropped carrier collsns
350004207 663857 0 0 0 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP mode DEFAULT group default qlen 1000
link/ether 00:24:9b:0c:e9:8a brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
500457337 800710 0 0 0 0
TX: bytes packets errors dropped carrier collsns
60194874 612778 0 0 0 0
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
state DOWN mode DEFAULT group default
link/ether 02:42:81:b2:45:34 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
0 0 0 0 0 0
Routing Rules
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Table default:
Table local:
local 192.168.0.1 dev eth0 proto kernel scope host src 192.168.0.1
local 192.168.10.2 dev eth1 proto kernel scope host src 192.168.10.2
local 172.17.0.1 dev docker0 proto kernel scope host src 172.17.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 192.168.0.255 dev eth0 proto kernel scope link src 192.168.0.1
broadcast 192.168.0.0 dev eth0 proto kernel scope link src 192.168.0.1
broadcast 192.168.10.255 dev eth1 proto kernel scope link src 192.168.10.2
broadcast 192.168.10.0 dev eth1 proto kernel scope link src 192.168.10.2
broadcast 172.17.255.255 dev docker0 proto kernel scope link src 172.17.0.1
broadcast 172.17.0.0 dev docker0 proto kernel scope link src 172.17.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.2
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
default via 192.168.10.1 dev eth1 onlink
Per-IP Counters
iptaccount is not installed
NF Accounting
No NF Accounting defined (nfacct not found)
Events
/proc
/proc/version = Linux version 3.10.105-138
(***@1604_builder_armhf) (gcc version 4.9.4 (Ubuntu/Linaro
4.9.4-2ubuntu1~16.04) ) #1 SMP PREEMPT Fri Apr 7 12:40:29 UTC 2017
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 1
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 1
/proc/sys/net/ipv4/conf/default/log_martians = 1
/proc/sys/net/ipv4/conf/docker0/proxy_arp = 0
/proc/sys/net/ipv4/conf/docker0/arp_filter = 0
/proc/sys/net/ipv4/conf/docker0/arp_ignore = 0
/proc/sys/net/ipv4/conf/docker0/rp_filter = 1
/proc/sys/net/ipv4/conf/docker0/log_martians = 1
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 1
/proc/sys/net/ipv4/conf/eth0/log_martians = 1
/proc/sys/net/ipv4/conf/eth1/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth1/arp_filter = 0
/proc/sys/net/ipv4/conf/eth1/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth1/rp_filter = 1
/proc/sys/net/ipv4/conf/eth1/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 1
/proc/sys/net/ipv4/conf/lo/log_martians = 1
ARP
[truncated]
Modules
iptable_filter 1523 1
iptable_mangle 1482 1
iptable_nat 2561 1
iptable_raw 1321 1
ip_tables 11686 4
iptable_filter,iptable_mangle,iptable_nat,iptable_raw
ipt_MASQUERADE 1870 1
ipt_REJECT 2798 4
ipt_rpfilter 1879 0
ipt_ULOG 4721 0
nf_conntrack 86475 33
nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_helper,ipt_MASQUERADE,nf_conntrack_proto_udplite,nf_nat,xt_connlimit,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,nf_conntrack_proto_sctp,nf_conntrack_netlink,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,iptable_nat,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
nf_conntrack_amanda 2674 3 nf_nat_amanda
nf_conntrack_broadcast 1397 2 nf_conntrack_netbios_ns,nf_conntrack_snmp
nf_conntrack_ftp 6623 3 nf_nat_ftp
nf_conntrack_h323 45873 5 nf_nat_h323
nf_conntrack_ipv4 14361 41
nf_conntrack_irc 4234 3 nf_nat_irc
nf_conntrack_netbios_ns 1144 2
nf_conntrack_netlink 27860 0
nf_conntrack_pptp 5024 3 nf_nat_pptp
nf_conntrack_proto_gre 6920 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 8718 0
nf_conntrack_proto_udplite 5089 0
nf_conntrack_sane 3896 2
nf_conntrack_sip 22593 3 nf_nat_sip
nf_conntrack_snmp 1456 3 nf_nat_snmp_basic
nf_conntrack_tftp 3619 3 nf_nat_tftp
nf_defrag_ipv4 1244 2 xt_TPROXY,nf_conntrack_ipv4
nf_defrag_ipv6 43339 1 xt_TPROXY
nf_nat 16245 12
nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,ipt_MASQUERADE,nf_nat_proto_gre,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_nat,iptable_nat
nf_nat_amanda 1150 0
nf_nat_ftp 1875 0
nf_nat_h323 6238 0
nf_nat_ipv4 3756 1 iptable_nat
nf_nat_irc 1528 0
nf_nat_pptp 2182 0
nf_nat_proto_gre 1365 1 nf_nat_pptp
nf_nat_sip 8879 0
nf_nat_snmp_basic 8034 0
nf_nat_tftp 894 0
nf_tproxy_core 1106 1 xt_TPROXY
xt_addrtype 2747 5
xt_CHECKSUM 1127 0
xt_CLASSIFY 896 0
xt_comment 805 27
xt_connlimit 3275 0
xt_connmark 1680 0
xt_conntrack 2993 18
xt_CT 4238 22
xt_dscp 1494 0
xt_DSCP 1818 0
xt_hashlimit 9612 0
xt_helper 1236 0
xt_iprange 1438 0
xt_length 1061 0
xt_LOG 13089 10
xt_mark 1032 1
xt_multiport 1630 4
xt_nat 1638 0
xt_NFLOG 1006 0
xt_NFQUEUE 2298 0
xt_owner 1239 0
xt_physdev 1809 0
xt_pkttype 929 0
xt_realm 1011 0
xt_recent 10468 1
xt_statistic 1186 0
xt_tcpmss 1250 0
xt_TCPMSS 3570 0
xt_time 2225 0
xt_TPROXY 4601 0
Shorewall has detected the following iptables/netfilter capabilities:
ACCOUNT Target (ACCOUNT_TARGET): Not available
Address Type Match (ADDRTYPE): Available
Amanda Helper: Available
Arptables JF (ARPTABLESJF): Not available
AUDIT Target (AUDIT_TARGET): Not available
Basic Ematch (BASIC_EMATCH): Available
Basic Filter (BASIC_FILTER): Available
Capabilities Version (CAPVERSION): 50004
Checksum Target (CHECKSUM_TARGET): Available
CLASSIFY Target (CLASSIFY_TARGET): Available
Comments (COMMENTS): Available
Condition Match (CONDITION_MATCH): Not available
Connection Tracking Match (CONNTRACK_MATCH): Available
Connlimit Match (CONNLIMIT_MATCH): Available
Connmark Match (CONNMARK_MATCH): Available
CONNMARK Target (CONNMARK): Available
CT Target (CT_TARGET): Available
DSCP Match (DSCP_MATCH): Available
DSCP Target (DSCP_TARGET): Available
Enhanced Multi-port Match (EMULIPORT): Available
Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
Extended Connmark Match (XCONNMARK_MATCH): Available
Extended CONNMARK Target (XCONNMARK): Available
Extended MARK Target 2 (EXMARK): Available
Extended MARK Target (XMARK): Available
Extended Multi-port Match (XMULIPORT): Available
Extended REJECT (ENHANCED_REJECT): Available
FLOW Classifier (FLOW_FILTER): Available
FTP-0 Helper: Not available
FTP Helper: Available
fwmark route mask (FWMARK_RT_MASK): Available
Geo IP Match (GEOIP_MATCH): Not available
Goto Support (GOTO_TARGET): Available
H323 Helper: Available
Hashlimit Match (HASHLIMIT_MATCH): Available
Header Match (HEADER_MATCH): Not available
Helper Match (HELPER_MATCH): Available
Iface Match (IFACE_MATCH): Not available
IMQ Target (IMQ_TARGET): Not available
IPMARK Target (IPMARK_TARGET): Not available
IPP2P Match (IPP2P_MATCH): Not available
IP range Match(IPRANGE_MATCH): Available
ipset V5 (IPSET_V5): Not available
iptables -S (IPTABLES_S): Available
iptables --wait option (WAIT_OPTION): Available
IRC-0 Helper: Not available
IRC Helper: Available
Kernel Version (KERNELVERSION): 310105
LOGMARK Target (LOGMARK_TARGET): Not available
LOG Target (LOG_TARGET): Available
Mangle FORWARD Chain (MANGLE_FORWARD): Available
Mark in the filter table (MARK_ANYWHERE): Available
MARK Target (MARK): Available
MASQUERADE Target (MASQUERADE_TGT): Available
Multi-port Match (MULTIPORT): Available
NAT (NAT_ENABLED): Available
Netbios_ns Helper: Available
New tos Match (NEW_TOS_MATCH): Available
NFAcct Match: Not available
NFLOG Target (NFLOG_TARGET): Available
NFQUEUE Target (NFQUEUE_TARGET): Available
Owner Match (OWNER_MATCH): Available
Owner Name Match (OWNER_NAME_MATCH): Available
Packet length Match (LENGTH_MATCH): Available
Packet Mangling (MANGLE_ENABLED): Available
Packet Type Match (USEPKTTYPE): Available
Persistent SNAT (PERSISTENT_SNAT): Available
Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
Physdev Match (PHYSDEV_MATCH): Available
Policy Match (POLICY_MATCH): Available
PPTP Helper: Available
Rawpost Table (RAWPOST_TABLE): Not available
Raw Table (RAW_TABLE): Available
Realm Match (REALM_MATCH): Available
Recent Match "--reap" option (REAP_OPTION): Available
Recent Match (RECENT_MATCH): Available
Repeat match (KLUDGEFREE): Available
RPFilter Match (RPFILTER_MATCH): Available
SANE-0 Helper: Not available
SANE Helper: Available
SIP-0 Helper: Not available
SIP Helper: Available
SNMP Helper: Available
Statistic Match (STATISTIC_MATCH): Available
TARPIT Target (TARPIT_TARGET): Not available
TCPMSS Match (TCPMSS_MATCH): Available
TCPMSS Target (TCPMSS_TARGET): Available
TFTP-0 Helper: Not available
TFTP Helper: Available
Time Match (TIME_MATCH): Available
TPROXY Target (TPROXY_TARGET): Available
UDPLITE Port Redirection (UDPLITEREDIRECT): Not available
ULOG Target (ULOG_TARGET): Available
Netid State Recv-Q Send-Q Local Address:Port Peer
Address:Port
tcp LISTEN 0 10 172.17.0.1:53 *:*
users:(("named",pid=7400,fd=25))
tcp LISTEN 0 10 192.168.10.2:53 *:*
users:(("named",pid=7400,fd=24))
tcp LISTEN 0 10 192.168.0.1:53 *:*
users:(("named",pid=7400,fd=23))
tcp LISTEN 0 10 127.0.0.1:53 *:*
users:(("named",pid=7400,fd=22))
tcp LISTEN 0 128 192.168.0.1:22 *:*
users:(("sshd",pid=730,fd=3))
tcp LISTEN 0 128 127.0.0.1:8118 *:*
users:(("privoxy",pid=542,fd=4))
tcp LISTEN 0 128 127.0.0.1:953 *:*
users:(("named",pid=7400,fd=26))
tcp ESTAB 0 0 192.168.0.1:22
192.168.0.25:62858 users:(("sshd",pid=20016,fd=3))
Traffic Control
Device eth0:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1
1 1 1 1 1 1
Sent 350020377 bytes 664102 pkt (dropped 0, overlimits 0 requeues 4)
backlog 0b 0p requeues 4
Device eth1:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1
1 1 1 1 1 1
Sent 55292650 bytes 612778 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
TC Filters
Device eth0:
Device eth1:
[END]
Regards
Sven
Post by Roberto C. Sánchez
Post by Sven Kobow
Hi,
I have set up my shorewall firewall as demonstrated in the two-interface
sample. So far it is working okay. I only have the problem that it is not
possible to do NTP requests to public NTP servers and I can see that these
requests are rejected by shorewall as there are log entries.
I tried adding rules allowing all NTP traffic from local net to anywhere
and from FW to net or anywhere. But I could not get things working.
When the client is resolving the name of the NTP server to an IPv6 address,
requests are successful. Using IPv4 addresses or disabling IPv6 on the
client results in constant failures.
Did anybody experience such a behavior as well?
Thanks
Sven,
I have not encountered anything like this. Can you send the output of
'shorewall dump' (run as root)?
Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users