
#1 2019-07-25 04:05:33

tehbrozor
Member
Registered: 2019-07-25
Posts: 3

[SOLVED] DNAT trouble with shorewall to a server on a DMZ

Hello gang,

I have followed the archlinux 'router' tutorial to set up a firewall/router with 3 NICs. I have some experience with Ubuntu and Debian distros (always learning!) but decided to try archlinux for this router project after some glowing testimonials from a very tech savvy friend. This is certainly the most ambitious project I've attempted so far; the learning opportunities have been rewarding, but it also means there's a lot of variables that I may not be keeping straight.
The router is running the newest version of archlinux (I think!?)

$ uname -a
Linux cerberus 5.2.1-arch1-1-ARCH #1 SMP PREEMPT Sun Jul 14 14:52:52 UTC 2019 x86_64 GNU/Linux

I used this method in shorewall to rename my interfaces using MAC addresses: extern0 (w/ dynamic IP from ISP), intern0 (called dmz in shorewall) and intern1 (loc). On the DMZ I have a single computer with a static IP that is running two server daemons: sshd and a webapp I'm trying to develop (deployed(?) using waitress-serve). This host also runs a no-ip client to update a ddns.net address. The loc interface (intern1) runs to a wifi access point/switch thing. From my laptop (on the loc LAN) I can ssh into the server using the DMZ's local IP (10.0.0.62; the router's interface on that side is 10.0.0.1 and to the best of my knowledge that is the gateway on the server). When using an external IP (cell phone tethering) I can ssh into the server using my no-ip.com domain. What I can't get is a web service to work. My main goal is to serve up a flask application I'm working on. It is very beta at the moment; it is essentially the flask tutorial that I'm beginning to adapt for my own needs. It works fine using the flask development server and I can interact with it at localhost on my laptop. I've placed it on the server using the steps found with the flask tutorial. While it seems to be working...

$ waitress-serve --call 'solis_wsg:create_app'
Serving on http://0.0.0.0:8080

I also tried using a simple python web server example script (in case the problem was with waitress or the flask app). I cannot access these from either a local address or the no-ip ddns address (using tethering). My question is if there is anything wrong with the way I am approaching the port forwarding. It works for ssh, so I'm worried maybe my ISP just blocks these things? (Is that a thing?) However, even attempts to use non-standard ports directly (username.ddns.net:8080 in my web browser, for example) do not seem to work. I've tried a TON of different versions of DNAT, Web(DNAT), ACCEPT, Web(ACCEPT), REDIRECT, all to try to forward port 80, 443 or even 8080 directly (the default port for waitress). I was trying 7778 and 8081 with the python script. Here is the shorewall dump:

$ cat shorewall_dump 
Shorewall 5.2.3.3 Dump at cerberus - Wed Jul 24 23:13:35 EDT 2019

Shorewall is running
State:Started Wed Jul 24 23:03:59 EDT 2019 from /etc/shorewall/ (/var/lib/shorewall/firewall compiled Wed Jul 24 23:03:58 EDT 2019 by Shorewall version 5.2.3.3)

Counters reset Wed Jul 24 23:03:59 EDT 2019

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  282 40089 net-fw     all  --  extern0 *       0.0.0.0/0            0.0.0.0/0           
  494 37482 loc-fw     all  --  intern1 *       0.0.0.0/0            0.0.0.0/0           
   12   928 dmz-fw     all  --  intern0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "INPUT REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 366K  545M net_frwd   all  --  extern0 *       0.0.0.0/0            0.0.0.0/0           
 300K   15M loc_frwd   all  --  intern1 *       0.0.0.0/0            0.0.0.0/0           
 2338  163K dmz_frwd   all  --  intern0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "FORWARD REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  275 21610 ACCEPT     all  --  *      extern0  0.0.0.0/0            0.0.0.0/0           
  437 65531 fw-loc     all  --  *      intern1  0.0.0.0/0            0.0.0.0/0           
   12  1524 fw-dmz     all  --  *      intern0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "OUTPUT REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain dmz-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    8   640 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    8   640 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    4   288 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    8   640 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* DNS */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* DNS */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "dmz-fw REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain dmz-loc (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  379 57909 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "dmz-loc REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain dmz_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   180 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    3   180 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
 2338  163K tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1959  106K ACCEPT     all  --  *      extern0  0.0.0.0/0            0.0.0.0/0           
  379 57909 dmz-loc    all  --  *      intern1  0.0.0.0/0            0.0.0.0/0           

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain fw-dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   12  1524 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "fw-dmz REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain fw-loc (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  437 65531 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "fw-loc REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain loc-dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  444 30305 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* SSH */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "loc-dmz REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain loc-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  262 19635 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  262 19635 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  233 17907 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
  232 17847 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6222 /* SSH */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
  261 19575 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* DNS */
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* DNS */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "loc-fw REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain loc_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  241 40531 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  241 40531 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
 299K   15M tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
 299K   15M ACCEPT     all  --  *      extern0  0.0.0.0/0            0.0.0.0/0           
  445 30365 loc-dmz    all  --  *      intern0  0.0.0.0/0            0.0.0.0/0           

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logflags (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 4 level 6 prefix "logflags DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net-dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 4764 7128K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* SSH */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.62            tcp dpt:22 ctorigdstport 22
    9   540 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.62            ctorigdst [exernIP] tcp dpt:8080
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "net-dmz DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   30  1641 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
   30  1641 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
   31  1925 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
  252 38448 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    9   360 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6222 /* SSH */
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
   21  1281 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "net-fw DROP "
   21  1281 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net-loc (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 361K  538M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "net-loc DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   540 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    9   540 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
 366K  545M tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
 361K  538M net-loc    all  --  *      intern1  0.0.0.0/0            0.0.0.0/0           
 4773 7128K net-dmz    all  --  *      intern0  0.0.0.0/0            0.0.0.0/0           

Chain reject (10 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BROADCAST
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0           
    0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain sha-lh-17d1d222e8a500df962d (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain sha-rh-6806e78c76f042237b8d (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255

Chain smurflog (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "smurfs DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain smurfs (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0              0.0.0.0/0           
    0     0 smurflog   all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  ADDRTYPE match src-type BROADCAST
    0     0 smurflog   all  --  *      *       224.0.0.0/4          0.0.0.0/0           [goto] 

Chain tcpflags (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x3F/0x29
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x3F/0x00
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x06/0x06
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x05/0x05
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x03/0x03
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x19/0x09
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp spt:0 flags:0x17/0x02

Log (/var/log/messages)


NAT Table

Chain PREROUTING (policy ACCEPT 522 packets, 54284 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   30  1821 net_dnat   all  --  extern0 *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 270 packets, 20275 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 248 packets, 18099 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 258 packets, 18699 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  478 50767 extern0_masq  all  --  *      extern0  0.0.0.0/0            0.0.0.0/0           

Chain extern0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  227 32488 MASQUERADE  all  --  *      *       176.16.50.0/24       0.0.0.0/0           
    3   180 MASQUERADE  all  --  *      *       10.0.0.62            0.0.0.0/0           

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:10.0.0.62:22
    9   540 DNAT       tcp  --  *      *       0.0.0.0/0            [exernIP]        multiport dports 80,443 to:10.0.0.62:8080

Mangle Table

Chain PREROUTING (policy ACCEPT 669K packets, 560M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 788 packets, 78499 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 668K packets, 560M bytes)
 pkts bytes target     prot opt in     out     source               destination         
  470 27704 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 668K  560M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0xffffff00

Chain OUTPUT (policy ACCEPT 724 packets, 88665 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 669K packets, 560M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Raw Table

Chain PREROUTING (policy ACCEPT 669K packets, 560M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:10080 CT helper amanda
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 flags:0x17/0x02 CT helper ftp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1719 CT helper RAS
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1720 flags:0x17/0x02 CT helper Q.931
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6667 flags:0x17/0x02 CT helper irc
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 CT helper netbios-ns
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723 flags:0x17/0x02 CT helper pptp
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6566 flags:0x17/0x02 CT helper sane
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 CT helper sip
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161 CT helper snmp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:69 CT helper tftp

Chain OUTPUT (policy ACCEPT 724 packets, 88665 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:10080 CT helper amanda
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 flags:0x17/0x02 CT helper ftp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1719 CT helper RAS
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1720 flags:0x17/0x02 CT helper Q.931
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6667 flags:0x17/0x02 CT helper irc
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 CT helper netbios-ns
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723 flags:0x17/0x02 CT helper pptp
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6566 flags:0x17/0x02 CT helper sane
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 CT helper sip
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161 CT helper snmp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:69 CT helper tftp

Conntrack Table (117 out of 262144)

ipv4     2 udp      17 0 src=[exernIP] dst=65.19.96.252 sport=4561 dport=53 src=65.19.96.252 dst=[exernIP] sport=53 dport=4561 mark=0 zone=0 use=2
ipv4     2 tcp      6 431979 ESTABLISHED src=176.16.50.2 dst=172.217.3.99 sport=60779 dport=443 src=172.217.3.99 dst=[exernIP] sport=443 dport=60779 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=176.16.50.2 dst=52.223.227.105 sport=60097 dport=443 src=52.223.227.105 dst=[exernIP] sport=443 dport=60097 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 88 src=176.16.50.2 dst=172.217.10.238 sport=61042 dport=443 src=172.217.10.238 dst=[exernIP] sport=443 dport=61042 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 98 TIME_WAIT src=176.16.50.2 dst=104.16.31.34 sport=43216 dport=443 src=104.16.31.34 dst=[exernIP] sport=443 dport=43216 [ASSURED] mark=0 zone=0 use=2

IP Configuration

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: intern1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 176.16.50.1/24 brd 176.16.50.255 scope global intern1
       valid_lft forever preferred_lft forever
3: intern0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.0.0.1/24 brd 10.0.0.255 scope global intern0
       valid_lft forever preferred_lft forever
4: extern0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet [exernIP]/22 brd 24.189.15.255 scope global noprefixroute extern0
       valid_lft forever preferred_lft forever

IP Stats

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast   
    560        5        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    560        5        0       0       0       0       
2: intern1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:72:63:dc:89:78 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    1211739718 13517644 0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    67814373278 46720981 0       0       0       0       
3: intern0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:72:63:dc:89:5f brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    4711077    48294    0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    143317839  111700   0       0       0       0       
4: extern0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether bc:5f:f4:9c:12:f7 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    68500520233 50747827 0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    1218858023 13617909 0       0       0       0       

Routing Rules

0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

Table default:


Table local:

local [exernIP] dev extern0 proto kernel scope host src [exernIP]
local 176.16.50.1 dev intern1 proto kernel scope host src 176.16.50.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.0.0.1 dev intern0 proto kernel scope host src 10.0.0.1
broadcast 24.189.15.255 dev extern0 proto kernel scope link src [exernIP]
broadcast 24.189.12.0 dev extern0 proto kernel scope link src [exernIP]
broadcast 176.16.50.255 dev intern1 proto kernel scope link src 176.16.50.1
broadcast 176.16.50.0 dev intern1 proto kernel scope link src 176.16.50.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.0.0.255 dev intern0 proto kernel scope link src 10.0.0.1
broadcast 10.0.0.0 dev intern0 proto kernel scope link src 10.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

Table main:

176.16.50.0/24 dev intern1 proto kernel scope link src 176.16.50.1
10.0.0.0/24 dev intern0 proto kernel scope link src 10.0.0.1
24.189.12.0/22 dev extern0 proto dhcp scope link src [exernIP] metric 204
default via 24.189.12.1 dev extern0 proto dhcp src [exernIP] metric 204

Per-IP Counters

   iptaccount is not installed

NF Accounting

No NF Accounting defined (nfacct not found)

Events


PFKEY SPD


PFKEY SAD


/proc

   /proc/version = Linux version 5.2.1-arch1-1-ARCH (builduser@heftig-55221) (gcc version 9.1.0 (GCC)) #1 SMP PREEMPT Sun Jul 14 14:52:52 UTC 2019
   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/arp_ignore = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 0
   /proc/sys/net/ipv4/conf/all/log_martians = 0
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/arp_ignore = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 0
   /proc/sys/net/ipv4/conf/default/log_martians = 1
   /proc/sys/net/ipv4/conf/extern0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/extern0/arp_filter = 0
   /proc/sys/net/ipv4/conf/extern0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/extern0/rp_filter = 1
   /proc/sys/net/ipv4/conf/extern0/log_martians = 1
   /proc/sys/net/ipv4/conf/intern0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/intern0/arp_filter = 0
   /proc/sys/net/ipv4/conf/intern0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/intern0/rp_filter = 1
   /proc/sys/net/ipv4/conf/intern0/log_martians = 1
   /proc/sys/net/ipv4/conf/intern1/proxy_arp = 0
   /proc/sys/net/ipv4/conf/intern1/arp_filter = 0
   /proc/sys/net/ipv4/conf/intern1/arp_ignore = 0
   /proc/sys/net/ipv4/conf/intern1/rp_filter = 1
   /proc/sys/net/ipv4/conf/intern1/log_martians = 1
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 0
   /proc/sys/net/ipv4/conf/lo/log_martians = 1

ARP

24.189.12.1 dev extern0 lladdr 00:01:5c:7d:b4:4f DELAY
10.0.0.62 dev intern0 lladdr e8:40:f2:a6:a2:a1 STALE
176.16.50.2 dev intern1 lladdr 04:92:26:8c:c4:98 REACHABLE

Modules

ip_tables              36864  10 iptable_filter,iptable_raw,iptable_nat,iptable_mangle
ipt_REJECT             16384  4
iptable_filter         16384  1
iptable_mangle         16384  1
iptable_nat            16384  1
iptable_raw            16384  1
nf_conntrack          172032  25 xt_conntrack,nf_nat_irc,nf_nat,nf_conntrack_tftp,nf_nat_ftp,nf_conntrack_pptp,nf_conntrack_netbios_ns,nf_conntrack_sane,xt_nat,nf_nat_tftp,nf_nat_amanda,nf_conntrack_sip,nf_conntrack_h323,nf_nat_pptp,nf_conntrack_broadcast,nf_conntrack_irc,nf_conntrack_amanda,nf_conntrack_netlink,nf_conntrack_ftp,xt_CT,nf_nat_h323,nf_conntrack_snmp,nf_nat_snmp_basic,xt_MASQUERADE,nf_nat_sip
nf_conntrack_amanda    16384  3 nf_nat_amanda
nf_conntrack_broadcast    16384  2 nf_conntrack_netbios_ns,nf_conntrack_snmp
nf_conntrack_ftp       24576  3 nf_nat_ftp
nf_conntrack_h323      86016  5 nf_nat_h323
nf_conntrack_irc       20480  3 nf_nat_irc
nf_conntrack_netbios_ns    16384  2
nf_conntrack_netlink    61440  0
nf_conntrack_pptp      20480  3 nf_nat_pptp
nf_conntrack_sane      20480  2
nf_conntrack_sip       40960  3 nf_nat_sip
nf_conntrack_snmp      16384  3 nf_nat_snmp_basic
nf_conntrack_tftp      20480  3 nf_nat_tftp
nf_defrag_ipv4         16384  1 nf_conntrack
nf_defrag_ipv6         24576  1 nf_conntrack
nf_log_common          16384  2 nf_log_ipv4,nf_log_ipv6
nf_log_ipv4            16384  14
nf_log_ipv6            16384  0
nf_nat                 53248  10 nf_nat_irc,nf_nat_ftp,xt_nat,nf_nat_tftp,nf_nat_amanda,nf_nat_pptp,nf_nat_h323,iptable_nat,xt_MASQUERADE,nf_nat_sip
nf_nat_amanda          16384  0
nf_nat_ftp             20480  0
nf_nat_h323            24576  0
nf_nat_irc             20480  0
nf_nat_pptp            20480  0
nf_nat_sip             20480  0
nf_nat_snmp_basic      20480  0
nf_nat_tftp            16384  0
nf_reject_ipv4         16384  1 ipt_REJECT
nf_reject_ipv6         20480  1 ip6t_REJECT
xt_CT                  16384  22
xt_LOG                 20480  14
xt_MASQUERADE          20480  2
xt_NFLOG               16384  0
xt_TCPMSS              16384  1
xt_addrtype            16384  38
xt_comment             16384  14
xt_conntrack           16384  26
xt_hashlimit           20480  14
xt_hl                  16384  0
xt_limit               16384  0
xt_mark                16384  1
xt_multiport           20480  1
xt_nat                 16384  2
xt_recent              24576  1
xt_tcpudp              20480  42

Shorewall has detected the following iptables/netfilter capabilities:
   --nflog-size support (NFLOG_SIZE): Available
   ACCOUNT Target (ACCOUNT_TARGET): Not available
   AUDIT Target (AUDIT_TARGET): Not available
   Address Type Match (ADDRTYPE): Available
   Amanda Helper: Available
   Arptables JF (ARPTABLESJF): Not available
   Basic Ematch (BASIC_EMATCH): Available
   Basic Filter (BASIC_FILTER): Available
   CLASSIFY Target (CLASSIFY_TARGET): Not available
   CONNMARK Target (CONNMARK): Not available
   CT Target (CT_TARGET): Available
   Capabilities Version (CAPVERSION): 50200
   Checksum Target (CHECKSUM_TARGET): Not available
   Comments (COMMENTS): Available
   Condition Match (CONDITION_MATCH): Not available
   Connection Tracking Match (CONNTRACK_MATCH): Available
   Connlimit Match (CONNLIMIT_MATCH): Not available
   Connmark Match (CONNMARK_MATCH): Not available
   DSCP Match (DSCP_MATCH): Not available
   DSCP Target (DSCP_TARGET): Not available
   Enhanced Multi-port Match (EMULIPORT): Available
   Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
   Extended MARK Target (XMARK): Available
   Extended MARK Target 2 (EXMARK): Available
   Extended Multi-port Match (XMULIPORT): Available
   Extended REJECT (ENHANCED_REJECT): Available
   FLOW Classifier (FLOW_FILTER): Available
   FTP Helper: Available
   FTP-0 Helper: Not available
   Geo IP Match (GEOIP_MATCH): Not available
   Goto Support (GOTO_TARGET): Available
   H323 Helper: Available
   Hashlimit Match (HASHLIMIT_MATCH): Available
   Header Match (HEADER_MATCH): Not available
   Helper Match (HELPER_MATCH): Not available
   IMQ Target (IMQ_TARGET): Not available
   INPUT chain in nat table (NAT_INPUT_CHAIN): Available
   IP range Match(IPRANGE_MATCH): Not available
   IPMARK Target (IPMARK_TARGET): Not available
   IPP2P Match (IPP2P_MATCH): Not available
   IRC Helper: Available
   IRC-0 Helper: Not available
   Iface Match (IFACE_MATCH): Not available
   Ipset Match (IPSET_MATCH): Not available
   Kernel Version (KERNELVERSION): 50201
   LOG Target (LOG_TARGET): Available
   LOGMARK Target (LOGMARK_TARGET): Not available
   MARK Target (MARK): Available
   MASQUERADE Target (MASQUERADE_TGT): Available
   Mangle FORWARD Chain (MANGLE_FORWARD): Available
   Mark in the filter table (MARK_ANYWHERE): Available
   Multi-port Match (MULTIPORT): Available
   NAT (NAT_ENABLED): Available
   NETMAP Target (NETMAP_TARGET): Not available
   NFAcct Match: Not available
   NFLOG Target (NFLOG_TARGET): Available
   NFQUEUE CPU Fanout (CPU_FANOUT): Not available
   NFQUEUE Target (NFQUEUE_TARGET): Not available
   Netbios_ns Helper: Available
   New tos Match (NEW_TOS_MATCH): Not available
   Owner Match (OWNER_MATCH): Not available
   Owner Name Match (OWNER_NAME_MATCH): Not available
   PPTP Helper: Available
   Packet Mangling (MANGLE_ENABLED): Available
   Packet length Match (LENGTH_MATCH): Not available
   Persistent SNAT (PERSISTENT_SNAT): Available
   Physdev Match (PHYSDEV_MATCH): Not available
   Physdev-is-bridged Support (PHYSDEV_BRIDGE): Not available
   Policy Match (POLICY_MATCH): Not available
   RPFilter Match (RPFILTER_MATCH): Not available
   Raw Table (RAW_TABLE): Available
   Realm Match (REALM_MATCH): Not available
   Recent Match "--reap" option (REAP_OPTION): Available
   Recent Match (RECENT_MATCH): Available
   Repeat match (KLUDGEFREE): Not available
   SANE Helper: Available
   SANE-0 Helper: Not available
   SIP Helper: Available
   SIP-0 Helper: Not available
   SNMP Helper: Available
   Statistic Match (STATISTIC_MATCH): Not available
   TARPIT Target (TARPIT_TARGET): Not available
   TCPMSS Match (TCPMSS_MATCH): Not available
   TCPMSS Target (TCPMSS_TARGET): Available
   TFTP Helper: Available
   TFTP-0 Helper: Not available
   TPROXY Target (TPROXY_TARGET): Not available
   Time Match (TIME_MATCH): Not available
   UDPLITE Port Redirection (UDPLITEREDIRECT): Not available
   ULOG Target (ULOG_TARGET): Not available
   fwmark route mask (FWMARK_RT_MASK): Available
   ipset V5 (IPSET_V5): Not available
   iptables --wait option (WAIT_OPTION): Available
   iptables -S (IPTABLES_S): Available
   iptables-restore --wait option (RESTORE_WAIT_OPTION): Available

Netid   State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port                                                                                   
udp     UNCONN   0        0                0.0.0.0:53            0.0.0.0:*       users:(("dnsmasq",pid=501,fd=6))                                               
udp     UNCONN   0        0                0.0.0.0:67            0.0.0.0:*       users:(("dnsmasq",pid=501,fd=4))                                               
udp     UNCONN   0        0                0.0.0.0:68            0.0.0.0:*       users:(("dhcpcd",pid=428,fd=13))                                               
tcp     LISTEN   0        0                0.0.0.0:6222          0.0.0.0:*       users:(("sshd",pid=4698,fd=3))                                                 
tcp     LISTEN   0        0                0.0.0.0:53            0.0.0.0:*       users:(("dnsmasq",pid=501,fd=7))                                               
tcp     ESTAB    0        0            176.16.50.1:6222      176.16.50.2:50176   users:(("sshd",pid=12101,fd=4),("sshd",pid=12099,fd=4))                        

Traffic Control

Device lo:
qdisc noqueue 0: root refcnt 2 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0


Device intern1:
qdisc fq_codel 0: root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn 
 Sent 67815075800 bytes 46721465 pkt (dropped 0, overlimits 0 requeues 7757) 
 backlog 0b 0p requeues 7757
  maxpacket 27252 drop_overlimit 0 new_flow_count 1759 ecn_mark 0
  new_flows_len 0 old_flows_len 0


Device intern0:
qdisc fq_codel 0: root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn 
 Sent 143317839 bytes 111700 pkt (dropped 0, overlimits 0 requeues 1) 
 backlog 0b 0p requeues 1
  maxpacket 1514 drop_overlimit 0 new_flow_count 15 ecn_mark 0
  new_flows_len 0 old_flows_len 0


Device extern0:
qdisc fq_codel 0: root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn 
 Sent 1179649692 bytes 13618270 pkt (dropped 0, overlimits 0 requeues 373) 
 backlog 0b 0p requeues 373
  maxpacket 17208 drop_overlimit 0 new_flow_count 106 ecn_mark 0
  new_flows_len 0 old_flows_len 0



TC Filters

Device lo:

Device intern1:

Device intern0:

Device extern0:

Note that there were several attempts to log in from an outside (cell phone tethered) client since resetting the counters (per DNAT FAQ 1b); the number of packets is non-zero, right??
Here is the current shorewall/rules:

$ cat /etc/shorewall/rules
#
# Shorewall - Sample Rules File for three-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
#							PORT	PORT(S)		DEST		LIMIT		GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

#       Don't allow connection pickup from the net
#
Invalid(DROP)	net		all		tcp
#
#	Accept DNS connections from the firewall to the Internet
#
DNS(ACCEPT)	$FW		net
#
#
#	Accept SSH connections from the other networks to the firewall and DMZ
#
SSH(ACCEPT)     loc             $FW		tcp	6222
SSH(ACCEPT)     loc             dmz		tcp	22
SSH(ACCEPT)	net		$FW		tcp	6222
SSH(ACCEPT)	net		dmz		tcp	22
#
#	DMZ DNS access to the Internet
#
DNS(ACCEPT)	dmz		net


# Drop Ping from the "bad" net zone.

Ping(DROP)   	net             $FW

#
#       Make ping work bi-directionally between the dmz, net, Firewall and local zone
#       (assumes that the loc-> net policy is ACCEPT).
#

Ping(ACCEPT)    loc             $FW
Ping(ACCEPT)    dmz             $FW
Ping(ACCEPT)    loc             dmz
Ping(ACCEPT)    dmz             loc
Ping(ACCEPT)    dmz             net
Ping(ACCEPT)	loc		net

ACCEPT		$FW		net		icmp
ACCEPT		$FW		loc		icmp
ACCEPT		$FW		dmz		icmp

# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc

Ping(ACCEPT)    net             dmz
#Ping(ACCEPT)    net             loc

# ------------FW's--------------
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
#							PORT	PORT(S)		DEST		LIMIT		GROUP
DNS(ACCEPT)	loc		$FW
DNS(ACCEPT)	dmz		$FW
# ------for server
DNAT		net		dmz:10.0.0.62:22 tcp	22		

DNAT		net		dmz:10.0.0.62:8080 tcp	80,443	-		&extern0

As said before, I've tried many, many different versions of that last DNAT rule. The one that is there now was suggested in the three-interface port forwarding guide for people who have a dynamic IP from their ISP.
Here is the rest of my config:

$ cat /etc/shorewall/snat
#
# Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
# Copyright (C) 2006-2017 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-snat"
#
# See http://shorewall.net/manpages/shorewall-snat.html for more information
###########################################################################################################################################
#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
#
# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
#
MASQUERADE		176.16.50.0/24		extern0
MASQUERADE		10.0.0.62		extern0
$ cat /etc/shorewall/zones  
#
# Shorewall - Sample Zones File for three-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-zones"
###############################################################################
#ZONE	TYPE	OPTIONS			IN			OUT
#					OPTIONS			OPTIONS
fw	firewall
net	ipv4
loc	ipv4
dmz	ipv4
$ cat /etc/shorewall/interfaces
#
# Shorewall - Sample Interfaces File for three-interface configuration.
# Copyright (C) 2006-2017 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
?FORMAT 2
###############################################################################
#ZONE	INTERFACE	OPTIONS
net     extern0          tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=extern0
loc     intern1          tcpflags,nosmurfs,routefilter,logmartians,physical=intern1
dmz     intern0          tcpflags,nosmurfs,routefilter,logmartians,physical=intern0
$ cat /etc/shorewall/policy
#
# Shorewall - Sample Policy File for three-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
$FW	net		ACCEPT
loc	net		ACCEPT
dmz	net		ACCEPT
net	all		DROP		$LOG_LEVEL
# THE FOLLOWING POLICY MUST BE LAST
all	all		REJECT		$LOG_LEVEL
$ cat /etc/shorewall/shorewall.conf
###############################################################################
#
# Shorewall - Sample shorewall.conf for three-interface
#                         configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#
# For information about the settings in this file, type "man shorewall.conf"
#
# The manpage is also online at
# http://shorewall.net/manpages/shorewall.conf.html
#
###############################################################################
STARTUP_ENABLED=Yes

###############################################################################
#		              V E R B O S I T Y
###############################################################################

VERBOSITY=1

###############################################################################
#			        P A G E R
###############################################################################

PAGER=

###############################################################################
#			     F I R E W A L L
###############################################################################

FIREWALL=

###############################################################################
#		                L O G G I N G
###############################################################################

LOG_LEVEL="info"

BLACKLIST_LOG_LEVEL=

INVALID_LOG_LEVEL=

LOG_BACKEND=

LOG_MARTIANS=Yes

LOG_VERBOSITY=2

LOG_ZONE=Both

LOGALLNEW=

LOGFILE=/var/log/messages

LOGFORMAT="%s %s "

LOGTAGONLY=No

LOGLIMIT="s:1/sec:10"

MACLIST_LOG_LEVEL="$LOG_LEVEL"

RELATED_LOG_LEVEL=

RPFILTER_LOG_LEVEL="$LOG_LEVEL"

SFILTER_LOG_LEVEL="$LOG_LEVEL"

SMURF_LOG_LEVEL="$LOG_LEVEL"

STARTUP_LOG=/var/log/shorewall-init.log

TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"

UNTRACKED_LOG_LEVEL=

###############################################################################
#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
###############################################################################

ARPTABLES=

CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

GEOIPDIR=/usr/share/xt_geoip/LE

IPTABLES=

IP=

IPSET=

LOCKFILE=

MODULESDIR=

NFACCT=

PERL=/usr/bin/perl

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

RESTOREFILE=restore

SHOREWALL_SHELL=/bin/sh

SUBSYSLOCK=

TC=

###############################################################################
#		D E F A U L T   A C T I O N S / M A C R O S
###############################################################################

ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"

###############################################################################
#                        R S H / R C P  C O M M A N D S
###############################################################################

RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'

###############################################################################
#			F I R E W A L L	  O P T I O N S
###############################################################################

ACCOUNTING=Yes

ACCOUNTING_TABLE=filter

ADD_IP_ALIASES=No

ADD_SNAT_ALIASES=No

ADMINISABSENTMINDED=Yes

AUTOCOMMENT=Yes

AUTOHELPERS=Yes

AUTOMAKE=Yes

BALANCE_PROVIDERS=No

BASIC_FILTERS=No

BLACKLIST="NEW,INVALID,UNTRACKED"

CLAMPMSS=Yes

CLEAR_TC=Yes

COMPLETE=No

DEFER_DNS_RESOLUTION=Yes

DISABLE_IPV6=No

DOCKER=No

DELETE_THEN_ADD=Yes

DETECT_DNAT_IPADDRS=No

DONT_LOAD=

DYNAMIC_BLACKLIST=Yes

EXPAND_POLICIES=Yes

EXPORTMODULES=Yes

FASTACCEPT=No

FORWARD_CLEAR_MARK=

HELPERS=

IGNOREUNKNOWNVARIABLES=No

IMPLICIT_CONTINUE=No

IPSET_WARNINGS=Yes

IP_FORWARDING=On

KEEP_RT_TABLES=No

MACLIST_TABLE=filter

MACLIST_TTL=

MANGLE_ENABLED=Yes

MINIUPNPD=No

MARK_IN_FORWARD_CHAIN=No

MULTICAST=No

MUTEX_TIMEOUT=60

NULL_ROUTE_RFC1918=No

OPTIMIZE=All

OPTIMIZE_ACCOUNTING=No

PERL_HASH_SEED=0

REJECT_ACTION=

RENAME_COMBINED=Yes

REQUIRE_INTERFACE=No

RESTART=restart

RESTORE_DEFAULT_ROUTE=Yes

RESTORE_ROUTEMARKS=Yes

RETAIN_ALIASES=No

ROUTE_FILTER=No

SAVE_ARPTABLES=No

SAVE_IPSETS=No

TC_ENABLED=Internal

TC_EXPERT=No

TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

TRACK_PROVIDERS=Yes

TRACK_RULES=No

USE_DEFAULT_RT=Yes

USE_NFLOG_SIZE=No

USE_PHYSICAL_NAMES=No

USE_RT_NAMES=No

VERBOSE_MESSAGES=Yes

WARNOLDCAPVERSION=Yes

WORKAROUNDS=No

ZERO_MARKS=No

ZONE2ZONE=-

###############################################################################
#			P A C K E T   D I S P O S I T I O N
###############################################################################

BLACKLIST_DISPOSITION=DROP

INVALID_DISPOSITION=CONTINUE

MACLIST_DISPOSITION=REJECT

RELATED_DISPOSITION=ACCEPT

RPFILTER_DISPOSITION=DROP

SMURF_DISPOSITION=DROP

SFILTER_DISPOSITION=DROP

TCP_FLAGS_DISPOSITION=DROP

UNTRACKED_DISPOSITION=CONTINUE

################################################################################
#			P A C K E T  M A R K  L A Y O U T
################################################################################

TC_BITS=

PROVIDER_BITS=

PROVIDER_OFFSET=

MASK_BITS=

ZONE_BITS=0

Let me know if there is anything else that is needed. I'm using dnsmasq as well (per the router/shorewall wikis); I can post that too (I feel a little bad about how much is here already. EDIT: posted dnsmasq config below (still feel bad); it's okay though because the code boxes are scrollable, right? Please advise!). I am also fully aware that this very well may be an issue with the server or waitress or the flask app and py script. Any advice on how to further probe if this is a packet forward issue or not would also be appreciated (and taken to its proper spot on the forum!). For the record, here is the state of the packet filter on the server itself:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                  
8080                       ALLOW IN    Anywhere                  
22/tcp (v6)                ALLOW IN    Anywhere (v6)             
8080 (v6)                  ALLOW IN    Anywhere (v6)             

The server is running Ubuntu server. I know from reading the shorewall docs that the gateway on this host MUST be the firewall's internal IP (internal, right?). Here is where I set the gateway in Ubuntu's netplan:

$ cat /etc/netplan/01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp3s0:
      dhcp4: no
      addresses: [10.0.0.62/24]
      gateway4: 10.0.0.1
      nameservers:
        addresses: [10.0.0.1]

Yet when I run route:

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 enp3s0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 enp3s0

the gateway is 0.0.0.0?! So this is what I will be working on while I wait for any potential advice here. I've already tried this WikiHow, but the results from route are the same. Will keep at it though! While it's been intense so far, the feeling of accomplishment after winning each of the battles (OS wouldn't install, then I couldn't boot, then we had no internet...) has 100% got me hooked on figuring this dang box out! Thank you for any help or advice you may be able to provide!

EDIT: ran ip route instead of route:

$ ip route
default via 10.0.0.1 dev enp3s0 proto static 
10.0.0.0/24 dev enp3s0 proto kernel scope link src 10.0.0.62

The gateway is set correctly after all? That was the one thing I was counting on working... No ideas now. Will read up on snat to see if this rule in /etc/shorewall/snat is inappropriate here?

MASQUERADE		10.0.0.62		extern0

I haven't messed with this because this was what got the server internet access in the first place.
Probably dnsmasq as well; here is the config, why not?

$ cat /etc/dnsmasq.conf  
# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.

# Listen on this specific port instead of the standard DNS port
# (53). Setting this to zero completely disables DNS function,
# leaving only DHCP and/or TFTP.
#port=5353

# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.

# Never forward plain names (without a dot or domain part)
#domain-needed
# Never forward addresses in the non-routed address spaces.
#bogus-priv

# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
#conf-file=/usr/share/dnsmasq/trust-anchors.conf
#dnssec

# Replies which are not DNSSEC signed may be legitimate, because the domain
# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
# check that an unsigned reply is OK, by finding a secure proof that a DS 
# record somewhere between the root and the domain does not exist. 
# The cost of setting this is that even queries in unsigned domains will need
# one or more extra DNS queries to verify.
#dnssec-check-unsigned

# Uncomment this to filter useless windows-originated DNS requests
# which can trigger dial-on-demand links needlessly.
# Note that (amongst other things) this blocks all SRV requests,
# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
# This option only affects forwarding, SRV records originating for
# dnsmasq (via srv-host= lines) are not suppressed by it.
#filterwin2k

# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
#resolv-file=

# By  default,  dnsmasq  will  send queries to any of the upstream
# servers it knows about and tries to favour servers to are  known
# to  be  up.  Uncommenting this forces dnsmasq to try each query
# with  each  server  strictly  in  the  order  they   appear   in
# /etc/resolv.conf
#strict-order

# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
#no-resolv

# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
#no-poll

# Add other name servers here, with domain specs if they are for
# non-public domains.
#server=/localnet/192.168.0.1

# Example of routing PTR queries to nameservers: this will send all
# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
#server=/3.168.192.in-addr.arpa/10.1.2.3

# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
#local=/localnet/

# Add domains which you want to force to an IP address here.
# The example below send any host in double-click.net to a local
# web-server.
#address=/double-click.net/127.0.0.1

# --address (and --server) work with IPv6 addresses too.
#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83

# Add the IPs of all queries to yahoo.com, google.com, and their
# subdomains to the vpn and search ipsets:
#ipset=/yahoo.com/google.com/vpn,search

# You can control how dnsmasq talks to a server: this forces
# queries to 10.1.2.3 to be routed via eth1
# server=10.1.2.3@eth1

# and this sets the source (ie local) address used to talk to
# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
# IP on the machine, obviously).
# server=10.1.2.3@192.168.1.1#55

# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
#user=
#group=

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=intern0
interface=intern1

# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it.
#no-dhcp-interface=

# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
#bind-interfaces

# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
#addn-hosts=/etc/banner_add_hosts

# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
#expand-hosts

# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
#     as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
#    domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
#domain=thekelleys.org.uk

# Set a different domain for a particular subnet
#domain=wireless.thekelleys.org.uk,192.168.2.0/24

# Same idea, but range rather then subnet
#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200

# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
dhcp-range=10.0.0.1,10.0.0.255,255.255.255.0,24h
dhcp-range=172.16.50.1,172.16.50.255,255.255.255.0,24h

# This is an example of a DHCP range where the netmask is given. This
# is needed for networks we reach the dnsmasq DHCP server via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h

# This is an example of a DHCP range which sets a tag, so that
# some DHCP options may be set only for this network.
#dhcp-range=set:red,192.168.0.50,192.168.0.150

# Use this DHCP range only when the tag "green" is set.
#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h

# Specify a subnet which can't be used for dynamic address allocation,
# is available for hosts with matching --dhcp-host lines. Note that
# dhcp-host declarations will be ignored unless there is a dhcp-range
# of some type for the subnet in question.
# In this case the netmask is implied (it comes from the network
# configuration on the machine running dnsmasq) it is possible to give
# an explicit netmask instead.
#dhcp-range=192.168.0.0,static

# Enable DHCPv6. Note that the prefix-length does not need to be specified
# and defaults to 64 if missing/
#dhcp-range=1234::2, 1234::500, 64, 12h

# Do Router Advertisements, BUT NOT DHCP for this subnet.
#dhcp-range=1234::, ra-only 

# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack 
# hosts. Use the DHCPv4 lease to derive the name, network segment and 
# MAC address and assume that the host will also have an
# IPv6 address calculated using the SLAAC algorithm.
#dhcp-range=1234::, ra-names

# Do Router Advertisements, BUT NOT DHCP for this subnet.
# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
#dhcp-range=1234::, ra-only, 48h

# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
# so that clients can use SLAAC addresses as well as DHCP ones.
#dhcp-range=1234::2, 1234::500, slaac

# Do Router Advertisements and stateless DHCP for this subnet. Clients will
# not get addresses from DHCP, but they will get other configuration information.
# They will use SLAAC for addresses.
#dhcp-range=1234::, ra-stateless

# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
# from DHCPv4 leases.
#dhcp-range=1234::, ra-stateless, ra-names

# Do router advertisements for all subnets where we're doing DHCPv6
# Unless overridden by ra-stateless, ra-names, et al, the router 
# advertisements will have the M and O bits set, so that the clients
# get addresses and configuration from DHCPv6, and the A bit reset, so the 
# clients don't use SLAAC addresses.
#enable-ra

# Supply parameters for specified hosts using DHCP. There are lots
# of valid alternatives, so we will give examples of each. Note that
# IP addresses DO NOT have to be in the range given above, they just
# need to be on the same network. The order of the parameters in these
# do not matter, it's permissible to give name, address and MAC in any
# order.

# Always allocate the host with Ethernet address 11:22:33:44:55:66
# The IP address 192.168.0.60
#dhcp-host=11:22:33:44:55:66,192.168.0.60

# Always set the name of the host with hardware address
# 11:22:33:44:55:66 to be "fred"
#dhcp-host=11:22:33:44:55:66,fred

# Always give the host with Ethernet address 11:22:33:44:55:66
# the name fred and IP address 192.168.0.60 and lease time 45 minutes
#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m

# Give a host with Ethernet address 11:22:33:44:55:66 or
# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
# that these two Ethernet interfaces will never be in use at the same
# time, and give the IP address to the second, even if it is already
# in use by the first. Useful for laptops with wired and wireless
# addresses.
#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
dhcp-host=04:92:26:8C:C4:9C,176.16.50.2
# Give the machine which says its name is "bert" IP address
# 192.168.0.70 and an infinite lease
#dhcp-host=bert,192.168.0.70,infinite
dhcp-host=e8:40:f2:a6:a2:a1,10.0.0.62

# Always give the host with client identifier 01:02:02:04
# the IP address 192.168.0.60
#dhcp-host=id:01:02:02:04,192.168.0.60

# Always give the InfiniBand interface with hardware address
# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
# ip address 192.168.0.61. The client id is derived from the prefix
# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
# hex digits of the hardware address.
#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61

# Always give the host with client identifier "marjorie"
# the IP address 192.168.0.60
#dhcp-host=id:marjorie,192.168.0.60

# Enable the address given for "judge" in /etc/hosts
# to be given to a machine presenting the name "judge" when
# it asks for a DHCP lease.
#dhcp-host=judge

# Never offer DHCP service to a machine whose Ethernet
# address is 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,ignore

# Ignore any client-id presented by the machine with Ethernet
# address 11:22:33:44:55:66. This is useful to prevent a machine
# being treated differently when running under different OS's or
# between PXE boot and OS boot.
#dhcp-host=11:22:33:44:55:66,id:*

# Send extra options which are tagged as "red" to
# the machine with Ethernet address 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,set:red

# Send extra options which are tagged as "red" to
# any machine with Ethernet address starting 11:22:33:
#dhcp-host=11:22:33:*:*:*,set:red

# Give a fixed IPv6 address and name to client with 
# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
# Note also that the [] around the IPv6 address are obligatory.
#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] 

# Ignore any clients which are not specified in dhcp-host lines
# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
# This relies on the special "known" tag which is set when
# a host is matched.
#dhcp-ignore=tag:!known

# Send extra options which are tagged as "red" to any machine whose
# DHCP vendorclass string includes the substring "Linux"
#dhcp-vendorclass=set:red,Linux

# Send extra options which are tagged as "red" to any machine one
# of whose DHCP userclass strings includes the substring "accounts"
#dhcp-userclass=set:red,accounts

# Send extra options which are tagged as "red" to any machine whose
# MAC address matches the pattern.
#dhcp-mac=set:red,00:60:8C:*:*:*

# If this line is uncommented, dnsmasq will read /etc/ethers and act
# on the ethernet-address/IP pairs found there just as if they had
# been given as --dhcp-host options. Useful if you keep
# MAC-address/host mappings there for other purposes.
#read-ethers

# Send options to hosts which ask for a DHCP lease.
# See RFC 2132 for details of available options.
# Common options can be given to dnsmasq by name:
# run "dnsmasq --help dhcp" to get a list.
# Note that all the common settings, such as netmask and
# broadcast address, DNS server and default route, are given
# sane defaults by dnsmasq. You very likely will not need
# any dhcp-options. If you use Windows clients and Samba, there
# are some options which are recommended, they are detailed at the
# end of this section.

# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
#dhcp-option=3,1.2.3.4

# Do the same thing, but using the option name
#dhcp-option=option:router,1.2.3.4

# Override the default route supplied by dnsmasq and send no default
# route at all. Note that this only works for the options sent by
# default (1, 3, 6, 12, 28) the same line will send a zero-length option
# for all other option numbers.
#dhcp-option=3

# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5

# Send DHCPv6 option. Note [] around IPv6 addresses.
#dhcp-option=option6:dns-server,[1234::77],[1234::88]

# Send DHCPv6 option for namservers as the machine running 
# dnsmasq and another.
#dhcp-option=option6:dns-server,[::],[1234::88]

# Ask client to poll for option changes every six hours. (RFC4242)
#dhcp-option=option6:information-refresh-time,6h

# Set option 58 client renewal time (T1). Defaults to half of the
# lease time if not specified. (RFC2132)
#dhcp-option=option:T1,1m

# Set option 59 rebinding time (T2). Defaults to 7/8 of the
# lease time if not specified. (RFC2132)
#dhcp-option=option:T2,2m

# Set the NTP time server address to be the same machine as
# is running dnsmasq
#dhcp-option=42,0.0.0.0

# Set the NIS domain name to "welly"
#dhcp-option=40,welly

# Set the default time-to-live to 50
#dhcp-option=23,50

# Set the "all subnets are local" flag
#dhcp-option=27,1

# Send the etherboot magic flag and then etherboot options (a string).
#dhcp-option=128,e4:45:74:68:00:00
#dhcp-option=129,NIC=eepro100

# Specify an option which will only be sent to the "red" network
# (see dhcp-range for the declaration of the "red" network)
# Note that the tag: part must precede the option: part.
#dhcp-option = tag:red, option:ntp-server, 192.168.1.1

# The following DHCP options set up dnsmasq in the same way as is specified
# for the ISC dhcpcd in
# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
# adapted for a typical dnsmasq installation where the host running
# dnsmasq is also the host running samba.
# you may want to uncomment some or all of them if you use
# Windows clients and Samba.
#dhcp-option=19,0           # option ip-forwarding off
#dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
#dhcp-option=45,0.0.0.0     # netbios datagram distribution server
#dhcp-option=46,8           # netbios node type

# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
#dhcp-option=252,"\n"

# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
# probably doesn't support this......
#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com

# Send RFC-3442 classless static routes (note the netmask encoding)
#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8

# Send vendor-class specific options encapsulated in DHCP option 43.
# The meaning of the options is defined by the vendor-class so
# options are sent only when the client supplied vendor class
# matches the class given here. (A substring match is OK, so "MSFT"
# matches "MSFT" and "MSFT 5.0"). This example sets the
# mtftp address to 0.0.0.0 for PXEClients.
#dhcp-option=vendor:PXEClient,1,0.0.0.0

# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
#dhcp-option=vendor:MSFT,2,1i

# Send the Encapsulated-vendor-class ID needed by some configurations of
# Etherboot to allow is to recognise the DHCP server.
#dhcp-option=vendor:Etherboot,60,"Etherboot"

# Send options to PXELinux. Note that we need to send the options even
# though they don't appear in the parameter request list, so we need
# to use dhcp-option-force here.
# See http://syslinux.zytor.com/pxe.php#special for details.
# Magic number - needed before anything else is recognised
#dhcp-option-force=208,f1:00:74:7e
# Configuration file name
#dhcp-option-force=209,configs/common
# Path prefix
#dhcp-option-force=210,/tftpboot/pxelinux/files/
# Reboot time. (Note 'i' to send 32-bit value)
#dhcp-option-force=211,30i

# Set the boot filename for netboot/PXE. You will only need
# this if you want to boot machines over the network and you will need
# a TFTP server; either dnsmasq's built-in TFTP server or an
# external one. (See below for how to enable the TFTP server.)
#dhcp-boot=pxelinux.0

# The same as above, but use custom tftp-server instead machine running dnsmasq
#dhcp-boot=pxelinux,server.name,192.168.1.100

# Boot for iPXE. The idea is to send two different
# filenames, the first loads iPXE, and the second tells iPXE what to
# load. The dhcp-match sets the ipxe tag for requests from iPXE.
#dhcp-boot=undionly.kpxe
#dhcp-match=set:ipxe,175 # iPXE sends a 175 option.
#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php

# Encapsulated options for iPXE. All the options are
# encapsulated within option 175
#dhcp-option=encap:175, 1, 5b         # priority code
#dhcp-option=encap:175, 176, 1b       # no-proxydhcp
#dhcp-option=encap:175, 177, string   # bus-id
#dhcp-option=encap:175, 189, 1b       # BIOS drive code
#dhcp-option=encap:175, 190, user     # iSCSI username
#dhcp-option=encap:175, 191, pass     # iSCSI password

# Test for the architecture of a netboot client. PXE clients are
# supposed to send their architecture as option 93. (See RFC 4578)
#dhcp-match=peecees, option:client-arch, 0 #x86-32
#dhcp-match=itanics, option:client-arch, 2 #IA64
#dhcp-match=hammers, option:client-arch, 6 #x86-64
#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64

# Do real PXE, rather than just booting a single file, this is an
# alternative to dhcp-boot.
#pxe-prompt="What system shall I netboot?"
# or with timeout before first available action is taken:
#pxe-prompt="Press F8 for menu.", 60

# Available boot services. for PXE.
#pxe-service=x86PC, "Boot from local disk"

# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
#pxe-service=x86PC, "Install Linux", pxelinux

# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
# Beware this fails on old PXE ROMS.
#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4

# Use bootserver on network, found my multicast or broadcast.
#pxe-service=x86PC, "Install windows from RIS server", 1

# Use bootserver at a known IP address.
#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4

# If you have multicast-FTP available,
# information for that can be passed in a similar way using options 1
# to 5. See page 19 of
# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf


# Enable dnsmasq's built-in TFTP server
#enable-tftp

# Set the root directory for files available via TFTP.
#tftp-root=/var/ftpd

# Do not abort if the tftp-root is unavailable
#tftp-no-fail

# Make the TFTP server more secure: with this set, only files owned by
# the user dnsmasq is running as will be sent over the net.
#tftp-secure

# This option stops dnsmasq from negotiating a larger blocksize for TFTP
# transfers. It will slow things down, but may rescue some broken TFTP
# clients.
#tftp-no-blocksize

# Set the boot file name only when the "red" tag is set.
#dhcp-boot=tag:red,pxelinux.red-net

# An example of dhcp-boot with an external TFTP server: the name and IP
# address of the server are given after the filename.
# Can fail with old PXE ROMS. Overridden by --pxe-service.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3

# If there are multiple external tftp servers having a same name
# (using /etc/hosts) then that name can be specified as the
# tftp_servername (the third option to dhcp-boot) and in that
# case dnsmasq resolves this name and returns the resultant IP
# addresses in round robin fashion. This facility can be used to
# load balance the tftp load among a set of servers.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name

# Set the limit on DHCP leases, the default is 150
#dhcp-lease-max=150

# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
#dhcp-leasefile=/var/lib/misc/dnsmasq.leases

# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company accidentally. The ISC server uses
# the same option, and this URL provides more information:
# http://www.isc.org/files/auth.html
#dhcp-authoritative

# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.
# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit
# option with a DHCPACK including a Rapid Commit option and fully committed address
# and configuration information. This must only be enabled if either the server is 
# the only server for the subnet, or multiple servers are present and they each
# commit a binding for all clients.
#dhcp-rapid-commit

# Run an executable when a DHCP lease is created or destroyed.
# The arguments sent to the script are "add" or "del",
# then the MAC address, the IP address and finally the hostname
# if there is one.
#dhcp-script=/bin/echo

# Set the cachesize here.
#cache-size=150

# If you want to disable negative caching, uncomment this.
#no-negcache

# Normally responses which come from /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
# do not cache further. If you are happy to trade lower load on the
# server for potentially stale data, you can set a time-to-live (in
# seconds) here.
#local-ttl=

# If you want dnsmasq to detect attempts by Verisign to send queries
# to unregistered .com and .net hosts to its sitefinder service and
# have dnsmasq instead return the correct NXDOMAIN response, uncomment
# this line. You can add similar lines to do the same for other
# registries which have implemented wildcard A records.
#bogus-nxdomain=64.94.110.11

# If you want to fix up DNS results from upstream servers, use the
# alias option. This only works for IPv4.
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
#alias=1.2.3.4,5.6.7.8
# and this maps 1.2.3.x to 5.6.7.x
#alias=1.2.3.0,5.6.7.0,255.255.255.0
# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0

# Change these lines if you want dnsmasq to serve MX records.

# Return an MX record named "maildomain.com" with target
# servermachine.com and preference 50
#mx-host=maildomain.com,servermachine.com,50

# Set the default target for MX records created using the localmx option.
#mx-target=servermachine.com

# Return an MX record pointing to the mx-target for all local
# machines.
#localmx

# Return an MX record pointing to itself for all local machines.
#selfmx

# Change the following lines if you want dnsmasq to serve SRV
# records.  These are useful if you want to serve ldap requests for
# Active Directory and other windows-originated DNS requests.
# See RFC 2782.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>
# If the domain part is missing from the name (so that it just has the
# service and protocol sections) then the domain given by the domain=
# config option is used. (Note that expand-hosts does not need to be
# set for this to work.)

# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389

# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389 (using domain=)
#domain=example.com
#srv-host=_ldap._tcp,ldapserver.example.com,389

# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2

# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com

# The following line shows how to make dnsmasq serve an arbitrary PTR
# record. This is useful for DNS-SD. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for PTR records.)
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"

# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for TXT records.)

#Example SPF.
#txt-record=example.com,"v=spf1 a -all"

#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4

# Provide an alias for a "local" DNS name. Note that this _only_ works
# for targets which are names from DHCP or /etc/hosts. Give host
# "bert" another name, bertrand
#cname=bertrand,bert

# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
#log-queries

# Log lots of extra information about DHCP transactions.
#log-dhcp

# Include another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf
#conf-dir=/etc/dnsmasq.d

# Include all the files in a directory except those ending in .bak
#conf-dir=/etc/dnsmasq.d,.bak

# Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/,*.conf

# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. See CERT Vulnerability VU#598349
#dhcp-name-match=set:wpad-ignore,wpad
#dhcp-ignore-names=tag:wpad-ignore

Thank you again!

Last edited by tehbrozor (2019-08-01 02:51:11)

Offline
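The commented dnsmasq.conf pasted above documents a handful of options with direct security impact: enable-tftp versus tftp-secure and tftp-root, dhcp-authoritative, and the dhcp-name-match/dhcp-ignore-names pair for the "wpad" name. The following is an added example, not dnsmasq's own code and not something from this thread: a small parser for the dnsmasq.conf line syntax that collects only the active (uncommented) directives and reports which of those settings are in effect. The two sample configurations inside it are constructed for the demonstration, and the comment handling is a simplified version of dnsmasq's (a `#` starts a comment at the start of a line or after whitespace, unless it is inside double quotes), which is an assumption adequate for the directives shown on this page.

```python
"""Audit the security-relevant dnsmasq options discussed in the pasted config.

Added example, not dnsmasq's own code and not from the thread. The parser
handles the dnsmasq.conf line syntax: one directive per line, either a bare
flag (enable-tftp) or key=value (tftp-root=/srv/tftp). Comment handling is a
simplified version of dnsmasq's: '#' starts a comment at the start of a line
or after whitespace, unless it is inside double quotes (assumption: enough
for the directives shown on this page).
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DnsmasqConfig:
    flags: set[str] = field(default_factory=set)                  # bare directives
    options: dict[str, list[str]] = field(default_factory=dict)   # key -> values (repeatable)


def strip_comment(raw: str) -> str:
    """Return the directive text of a line with any comment removed."""
    kept: list[str] = []
    in_quote = False
    prev_space = True          # line start counts as "after whitespace"
    for ch in raw:
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and prev_space and not in_quote:
            break
        kept.append(ch)
        prev_space = ch.isspace()
    return "".join(kept).strip()


def parse_dnsmasq(text: str) -> DnsmasqConfig:
    """Collect the *active* directives; commented-out lines contribute nothing."""
    cfg = DnsmasqConfig()
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            cfg.options.setdefault(key.strip(), []).append(value.strip())
        else:
            cfg.flags.add(line)
    return cfg


def audit(cfg: DnsmasqConfig) -> list[str]:
    """Report findings for the settings the config comments warn about."""
    findings: list[str] = []
    if "enable-tftp" in cfg.flags:
        if "tftp-secure" not in cfg.flags:
            findings.append("TFTP: enable-tftp without tftp-secure "
                            "(any file the daemon can read is served, not only files it owns)")
        if "tftp-root" not in cfg.options:
            findings.append("TFTP: enable-tftp without tftp-root "
                            "(transfers are not confined to one directory)")
    if "dhcp-authoritative" in cfg.flags:
        findings.append("DHCP: dhcp-authoritative is set; dnsmasq will take over leases "
                        "for any client that broadcasts on the segment")
    if "dhcp-range" in cfg.options:      # the DHCP server is active
        wpad_tagged = any(v.endswith(",wpad") for v in cfg.options.get("dhcp-name-match", []))
        if not (wpad_tagged and cfg.options.get("dhcp-ignore-names")):
            findings.append("DHCP: no dhcp-name-match/dhcp-ignore-names rule for the name "
                            "'wpad' (CERT VU#598349)")
    return findings


# Constructed samples: the weak settings side by side with the corrected ones.
WEAK_CONF = """\
interface=intern1
dhcp-range=10.0.1.50,10.0.1.150,12h
enable-tftp
dhcp-authoritative
#tftp-secure                      # commented out, therefore inactive
pxe-prompt="Press F8 for menu.", 60
"""

HARDENED_CONF = """\
interface=intern1
dhcp-range=10.0.1.50,10.0.1.150,12h
enable-tftp
tftp-root=/srv/tftp
tftp-secure
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_dnsmasq(conf)) or ["no findings"])
```

Point `parse_dnsmasq` at the text of a real /etc/dnsmasq.conf (and at each file pulled in by conf-file or conf-dir, since the parser does not follow includes) to see which of the commented-out examples above have actually been switched on.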

#2 2019-08-01 02:46:34

tehbrozor
Member
Registered: 2019-07-25
Posts: 3

Re: [SOLVED] DNAT trouble with shorewall to a server on a DMZ

Okay, got it working. Conclusion: shorewall rules were okay, ISP must just be preventing certain inbound ports. Served up the app on a more obscure port and I'm in business. This is the entry I ended up settling with:

#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
#							PORT	PORT(S)		DEST		LIMIT		GROUP

DNAT		net		dmz:10.0.0.62	 tcp	26299
DNAT		loc		dmz:10.0.0.62	 tcp	26299

I'll just have to link to the port in my site's html, no biggie. See y'alls on the Tubez!

Offline
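The conclusion above (rules fine, upstream port blocked) is the kind of thing that is quicker to establish by looking at how the connection fails than by re-reading rules. As an added example, separate from tehbrozor's post and not shorewall code, the script below makes one TCP connection attempt and reports whether the port answered, was refused with a reset (a host was reached but nothing listens there, or the router's own stack refused), or simply timed out (nothing answered, which is how an ISP filter on inbound ports looks from outside). Running it once from the loc LAN against the DMZ address and once from outside against the public address, and feeding both results to `diagnose`, separates a local forwarding problem from an upstream one. The listener it starts is local so the code runs offline; the hosts, ports and diagnosis table are constructed for the example.

```python
"""Tell apart the three ways a forwarded port can fail to answer.

Added example, not from the thread and not shorewall's code. 'closed' means a
reset came back (the packet reached a host, but nothing listens, or the router
refused it); 'filtered' means nothing answered within the timeout, which is
what upstream filtering such as an ISP blocking inbound ports looks like from
outside. The listener below is local so the checks run offline; the hosts,
ports and diagnosis table are constructed.
"""
import socket


def classify_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connection and report open / closed / filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"              # RST received: reached a host, no listener
    except (socket.timeout, TimeoutError):
        return "filtered"            # no answer within the timeout
    except OSError as exc:           # e.g. host unreachable
        return f"error:{exc.errno}"
    finally:
        s.close()


# (result seen from the loc LAN, result seen from outside) -> where to look next
DIAGNOSIS = {
    ("open", "open"): "forwarding works from both zones",
    ("open", "filtered"): "packets from outside never reach the listener: "
                          "upstream filtering (ISP) or the net->dmz DNAT rule is not matching",
    ("open", "closed"): "something on the path answers with a reset from outside: "
                        "check the net->dmz DNAT rule and the router's own policy",
    ("closed", "closed"): "no listener on the DMZ host on that port",
    ("closed", "filtered"): "no listener on the DMZ host, and outside traffic is filtered too",
}


def diagnose(from_loc: str, from_net: str) -> str:
    """Combine the two observations into a next step."""
    if from_loc == "filtered":
        return "loc->dmz path is broken; fix the local DNAT rule before looking upstream"
    return DIAGNOSIS.get((from_loc, from_net), f"unclassified: loc={from_loc} net={from_net}")


def start_listener(port: int = 0) -> socket.socket:
    """Bind a local listener (port 0 picks a free port) so the checks run offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # In practice: classify_tcp("10.0.0.62", 26299) from a loc host, then the same
    # port against the public address from outside, and pass both to diagnose().
    srv = start_listener()
    port = srv.getsockname()[1]
    print(port, classify_tcp("127.0.0.1", port))   # open: listener is up
    srv.close()
    print(port, classify_tcp("127.0.0.1", port))   # closed: refused, nothing listens
    print(diagnose("open", "filtered"))
```

The reason to keep the two observations separate rather than testing only from outside is that a timeout from outside says nothing on its own: a missing net->dmz rule with a DROP policy and an ISP filter look identical from there, and only the loc-side result tells you which half of the path is broken.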
