Hi,

I have a similar problem to Dale's in the thread "[gentoo-user] Need help networking two machines", but I think it is not exactly the same.

I was trying to set up a home router following the gentoo-home-router-guide
http://www.gentoo.org/doc/de/home-router-howto.xml
with shorewall as firewall following the two-interfaces-guide
http://www.shorewall.net/two-interface.htm.

I can connect from the router to the internet.
I can log in from the router to the desktop via ssh and back.
I have set up an rsync on the router and rsync works from the desktop.
I have set up dnsmasq on the server and DNS is working on the desktop.
I can ping between router and desktop and from the router to the internet.

I have set up an ntp on the router, but ntp from the desktop gives me:
14 Jan 20:25:53 ntpdate[31522]: no server suitable for synchronization found

I can't ping from the desktop to the internet.
ping www.gentoo.org
PING www.gentoo.org (38.99.64.202) 56(84) bytes of data.

--- www.gentoo.org ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 11999ms

As you can see the address is resolved, but I get 100% packet loss.
Until now I have spent much time on these issues, so I hope to solve these problems with your help.
I have added the configurations which may help you to discover my problem below. First the router configuration and then the desktop configuration.
I hope I did not forget anything, as it is very much, but if anything you need is missing please ask for it.

Thanks, Daniel


> router: gentoo-vdr configuration


lspci

eth0
02:01.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet (rev 10)

eth1
02:06.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)


ifconfig

eth0 Link encap:Ethernet HWaddr 00:11:F0:00:0D:96
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:198008 errors:0 dropped:0 overruns:0 frame:0
TX packets:194409 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:50101373 (47.7 Mb) TX bytes:129993047 (123.9 Mb)
Interrupt:18 Base address:0xc000

eth1 Link encap:Ethernet HWaddr 00:10:DC:2B:D4:CF
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:77637 errors:0 dropped:0 overruns:0 frame:0
TX packets:63189 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:93609244 (89.2 Mb) TX bytes:7282392 (6.9 Mb)
Interrupt:19

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1236 errors:0 dropped:0 overruns:0 frame:0
TX packets:1236 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:86198 (84.1 Kb) TX bytes:86198 (84.1 Kb)

ppp0 Link encap:Point-to-Point Protocol
inet addr:88.67.24.46 P-t-P:88.67.16.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:163 errors:0 dropped:0 overruns:0 frame:0
TX packets:118 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:12249 (11.9 Kb) TX bytes:8557 (8.3 Kb)


route

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
dslb-088-067-01 * 255.255.255.255 UH 0 0 0 ppp0
localhost * 255.255.255.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default dslb-088-067-01 0.0.0.0 UG 0 0 0 ppp0


shorewall-config

/etc/shorewall/interfaces

#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 - tcpflags,norfc1918
loc eth0 detect tcpflags,detectnets


/etc/shorewall/masq

#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
ppp0 eth0


/etc/shorewall/policy

#SOURCE DEST POLICY LOG LIMIT:BURST
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc net ACCEPT
loc $FW REJECT info
loc all REJECT info

# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW net ACCEPT
$FW loc REJECT info
$FW all REJECT info

# Policies for traffic originating from the Internet zone (net)
#
net $FW DROP info
net loc DROP info
net all DROP info

# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info


/etc/shorewall/rules

#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
ACCEPT loc $FW tcp 22
ACCEPT $FW loc tcp 22
ACCEPT loc $FW udp 123
REJECT net $FW icmp 8


/etc/shorewall/zones

#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipsec
loc ipsec


/etc/shorewall/shorewall.conf

I have changed this from the default values:

IP_FORWARDING=On
CLAMPMSS=Yes


/etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.ip_dynaddr = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1


/etc/conf.d/net

config_eth1="adsl"
user_eth1="xxxxxxxxxx"
dns_domain_eth1=(linux )
config_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )
dns_domain_eth0=(linux )


/etc/conf.d/hostname

HOSTNAME="gentoo-vdr"


/etc/hosts

127.0.0.1 localhost
192.168.0.1 gentoo-vdr.linux gentoo-vdr
192.168.0.2 gentoo.linux gentoo
::1 localhost


> desktop: gentoo configuration


lspci

eth0
02:01.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet (rev 10)


ifconfig

eth0 Link encap:Ethernet HWaddr 00:13:8F:D5:C4:C0
inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::213:8fff:fed5:c4c0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:194469 errors:0 dropped:0 overruns:0 frame:0
TX packets:198256 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:129998303 (123.9 Mb) TX bytes:50122357 (47.8 Mb)
Interrupt:17 Base address:0xc000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:129 errors:0 dropped:0 overruns:0 frame:0
TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9816 (9.5 Kb) TX bytes:9816 (9.5 Kb)


route

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default gentoo-vdr.linu 0.0.0.0 UG 0 0 0 eth0


/etc/conf.d/net

config_eth0=( "192.168.0.2 broadcast 192.168.0.255 netmask 255.255.255.0" )
routes_eth0=("default via 192.168.0.1")
dns_domain_eth0=(linux )
dns_servers_eth0="192.168.0.1"
ntp_servers_eth0="192.168.0.1"


/etc/hosts

127.0.0.1 localhost
192.168.0.2 gentoo.linux gentoo
192.168.0.1 gentoo-vdr.linux gentoo-vdr
::1 localhost


/etc/conf.d/hostname

HOSTNAME="gentoo"


/etc/conf.d/ntp-client

NTPCLIENT_CMD="ntpdate"
NTPCLIENT_OPTS="192.168.0.1"


> For those who are not familiar with shorewall, here are the generated iptables on the router.

iptables -L -t nat

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ppp0_masq all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain ppp0_masq (1 references)
target prot opt source destination
MASQUERADE all -- localhost/24 anywhere policy match dir out pol none


iptables -L -t mangle

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
tcpre all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
tcfor all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
tcout all -- anywhere anywhere

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
tcpost all -- anywhere anywhere

Chain tcfor (1 references)
target prot opt source destination

Chain tcout (1 references)
target prot opt source destination

Chain tcpost (1 references)
target prot opt source destination

Chain tcpre (1 references)
target prot opt source destination


iptables -L -t filter

Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG udp -- anywhere anywhere udp dpts:0:1023 LOG level warning
LOG tcp -- anywhere anywhere tcp dpts:0:1023 LOG level warning
DROP udp -- anywhere anywhere udp dpts:0:1023
DROP tcp -- anywhere anywhere tcp dpts:0:1023
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
DROP icmp -- anywhere anywhere icmp echo-request

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain Drop (3 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid all -- anywhere anywhere
DROP udp -- anywhere anywhere multiport dports epmap,microsoft-ds
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
DROP tcp -- anywhere anywhere multiport dports epmap,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain

Chain Reject (5 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid all -- anywhere anywhere
reject udp -- anywhere anywhere multiport dports epmap,microsoft-ds
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
reject tcp -- anywhere anywhere multiport dports epmap,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain

Chain all2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere

Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast

Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID

Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (4 references)
target prot opt source destination

Chain eth0_fwd (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere policy match dir in pol none
loc_frwd all -- localhost/24 anywhere policy match dir in pol ipsec

Chain eth0_in (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere policy match dir in pol none
loc2fw all -- localhost/24 anywhere policy match dir in pol ipsec

Chain fw2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:fw2all:REJECT:'
reject all -- anywhere anywhere

Chain fw2loc (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:fw2loc:REJECT:'
reject all -- anywhere anywhere

Chain fw2net (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain loc2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:loc2all:REJECT:'
reject all -- anywhere anywhere

Chain loc2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ntp
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:loc2fw:REJECT:'
reject all -- anywhere anywhere

Chain loc2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain loc_frwd (1 references)
target prot opt source destination
loc2net all -- anywhere anywhere policy match dir out pol ipsec

Chain logflags (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info ip-options prefix `Shorewall:logflags:DROP:'
DROP all -- anywhere anywhere

Chain net2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
DROP all -- anywhere anywhere

Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
reject icmp -- anywhere anywhere icmp echo-request
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2fw:DROP:'
DROP all -- anywhere anywhere

Chain net2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2loc:DROP:'
DROP all -- anywhere anywhere

Chain net_frwd (1 references)
target prot opt source destination
net2loc all -- anywhere localhost/24 policy match dir out pol ipsec

Chain norfc1918 (2 references)
target prot opt source destination
rfc1918 all -- localhost/12 anywhere
rfc1918 all -- anywhere anywhere ctorigdst localhost/12
rfc1918 all -- localhost/16 anywhere
rfc1918 all -- anywhere anywhere ctorigdst localhost/16
rfc1918 all -- localhost/8 anywhere
rfc1918 all -- anywhere anywhere ctorigdst localhost/8

Chain ppp0_fwd (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
norfc1918 all -- anywhere anywhere state NEW policy match dir in pol none
tcpflags tcp -- anywhere anywhere policy match dir in pol none
net_frwd all -- anywhere anywhere policy match dir in pol ipsec

Chain ppp0_in (0 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
norfc1918 all -- anywhere anywhere state NEW policy match dir in pol none
tcpflags tcp -- anywhere anywhere policy match dir in pol none
net2fw all -- anywhere anywhere policy match dir in pol ipsec

Chain reject (12 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- localhost anywhere
DROP all -- 255.255.255.255 anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain rfc1918 (6 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:rfc1918:DROP:'
DROP all -- anywhere anywhere

Chain shorewall (0 references)
target prot opt source destination

Chain smurfs (0 references)
target prot opt source destination
LOG all -- localhost anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- localhost anywhere
LOG all -- 255.255.255.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- 255.255.255.255 anywhere
LOG all -- BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere

Chain tcpflags (4 references)
target prot opt source destination
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
--
gentoo-user@g.o mailing list
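An added diagnostic, not part of Daniel's post or of shorewall: the script below parses `iptables -L -t filter` text of the kind listed above and flags the three conditions visible in that listing that stop routed LAN packets from ever being accepted (a FORWARD chain with policy DROP and no rules, chains that carry rules but have 0 references, and zone jumps guarded by `policy match ... pol ipsec`, which only match IPsec-processed traffic). The excerpt it runs on is a constructed cut-down of the router's filter table.

```python
import re

# Constructed excerpt of the router's `iptables -L -t filter` listing, cut down to
# the chains that decide whether LAN packets are forwarded (full listing above).
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere             icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain eth0_fwd (0 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere             state INVALID,NEW
loc_frwd   all  --  localhost/24         anywhere             policy match dir in pol ipsec

Chain loc2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)\)$")


def parse_chains(text):
    """Map chain name -> {"policy", "references", "rules"} from `iptables -L` text."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            current = chains[name] = {
                "policy": policy,                           # built-in chains only
                "references": int(refs) if refs else None,  # user chains only
                "rules": [],
            }
        elif current and line.strip() and not line.startswith("target"):
            current["rules"].append(line.split())           # one rule as tokens
    return chains


def audit_forwarding(chains):
    """Return human-readable findings on why routed packets may never be accepted."""
    findings = []
    fwd = chains.get("FORWARD")
    if fwd and fwd["policy"] == "DROP" and not fwd["rules"]:
        findings.append("FORWARD: policy DROP and no rules, so nothing is routed")
    for name, chain in chains.items():
        if chain["references"] == 0 and chain["rules"]:
            findings.append(f"{name}: has rules but 0 references, never evaluated")
        for rule in chain["rules"]:
            # xt_policy 'pol ipsec' matches only packets that passed through IPsec,
            # so a zone jump guarded by it never sees plain LAN traffic.
            if any(a == "pol" and b == "ipsec" for a, b in zip(rule, rule[1:])):
                findings.append(f"{name}: jump to {rule[0]} requires IPsec (pol ipsec)")
    return findings


if __name__ == "__main__":
    for finding in audit_forwarding(parse_chains(SAMPLE)):
        print(finding)
```

Run it against the real listing (`iptables -L -t filter | python3 audit.py` with `SAMPLE` replaced by `sys.stdin.read()`) after each `shorewall restart` to confirm the FORWARD chain actually gains a jump for eth0 traffic.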