Hello gang,
I have followed the archlinux 'router' tutorial to set up a firewall/router with 3 NICs. I have some experience with Ubuntu and Debian distros (always learning!) but decided to try archlinux for this router project after some glowing testimonials from a very tech savvy friend. This is certainly the most ambitious project I've attempted so far. The learning opportunities have been rewarding, but it also means there are a lot of variables that I may not be keeping straight.
The router is running the newest version of archlinux (I think!?)
$ uname -a
Linux cerberus 5.2.1-arch1-1-ARCH #1 SMP PREEMPT Sun Jul 14 14:52:52 UTC 2019 x86_64 GNU/Linux
I used this method in shorewall to rename my interfaces using MAC addresses: extern0 (w/ dynamic IP from ISP), intern0 (called dmz in shorewall) and intern1 (loc). On the DMZ I have a single computer with a static IP that is running two server daemons: sshd and a webapp I'm trying to develop (deployed(?) using waitress-serve). This host also runs a no-ip client to update a ddns.net address. The loc interface (intern1) runs to a wifi access point/switch thing. From my laptop (on the loc LAN) I can ssh into the server using the DMZ's local IP (10.0.0.62; the router's interface on that side is 10.0.0.1 and, to the best of my knowledge, that is the gateway on the server). When using an external IP (cell phone tethering) I can ssh into the server using my no-ip.com domain. What I can't get is a web service to work. My main goal is to serve up a flask application I'm working on. It is very beta at the moment; it is essentially the flask tutorial that I'm beginning to adapt for my own needs. It works fine using the flask development server and I can interact with it at localhost on my laptop. I've placed it on the server using the steps found with the flask tutorial. While it seems to be working...
$ waitress-serve --call 'solis_wsg:create_app'
Serving on http://0.0.0.0:8080
I also tried using a simple python web server example script (in case the problem was with waitress or the flask app). I cannot access these from either a local address or the no-ip ddns address (using tethering). My question is if there is anything wrong with the way I am approaching the port forwarding. It works for ssh, so I'm worried maybe my ISP just blocks these things? (Is that a thing?) However, even attempts to use non-standard ports directly (username.ddns.net:8080 in my web browser, for example) do not seem to work. I've tried a TON of different versions of DNAT, Web(DNAT), ACCEPT, Web(ACCEPT), REDIRECT, all to try to forward port 80, 443 or even 8080 directly (the default port for waitress). I was trying 7778 and 8081 with the python script. Here is the shorewall dump:
$ cat shorewall_dump
Shorewall 5.2.3.3 Dump at cerberus - Wed Jul 24 23:13:35 EDT 2019
Shorewall is running
State:Started Wed Jul 24 23:03:59 EDT 2019 from /etc/shorewall/ (/var/lib/shorewall/firewall compiled Wed Jul 24 23:03:58 EDT 2019 by Shorewall version 5.2.3.3)
Counters reset Wed Jul 24 23:03:59 EDT 2019
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
282 40089 net-fw all -- extern0 * 0.0.0.0/0 0.0.0.0/0
494 37482 loc-fw all -- intern1 * 0.0.0.0/0 0.0.0.0/0
12 928 dmz-fw all -- intern0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "INPUT REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
366K 545M net_frwd all -- extern0 * 0.0.0.0/0 0.0.0.0/0
300K 15M loc_frwd all -- intern1 * 0.0.0.0/0 0.0.0.0/0
2338 163K dmz_frwd all -- intern0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "FORWARD REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
275 21610 ACCEPT all -- * extern0 0.0.0.0/0 0.0.0.0/0
437 65531 fw-loc all -- * intern1 0.0.0.0/0 0.0.0.0/0
12 1524 fw-dmz all -- * intern0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "OUTPUT REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain dmz-fw (1 references)
pkts bytes target prot opt in out source destination
8 640 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
8 640 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
4 288 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
8 640 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* DNS */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* DNS */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "dmz-fw REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain dmz-loc (1 references)
pkts bytes target prot opt in out source destination
379 57909 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "dmz-loc REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain dmz_frwd (1 references)
pkts bytes target prot opt in out source destination
3 180 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
3 180 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
2338 163K tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
1959 106K ACCEPT all -- * extern0 0.0.0.0/0 0.0.0.0/0
379 57909 dmz-loc all -- * intern1 0.0.0.0/0 0.0.0.0/0
Chain dynamic (6 references)
pkts bytes target prot opt in out source destination
Chain fw-dmz (1 references)
pkts bytes target prot opt in out source destination
12 1524 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "fw-dmz REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain fw-loc (1 references)
pkts bytes target prot opt in out source destination
437 65531 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "fw-loc REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain loc-dmz (1 references)
pkts bytes target prot opt in out source destination
444 30305 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* SSH */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "loc-dmz REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain loc-fw (1 references)
pkts bytes target prot opt in out source destination
262 19635 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
262 19635 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
233 17907 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
232 17847 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6222 /* SSH */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
261 19575 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* DNS */
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* DNS */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "loc-fw REJECT "
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain loc_frwd (1 references)
pkts bytes target prot opt in out source destination
241 40531 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
241 40531 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
299K 15M tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
299K 15M ACCEPT all -- * extern0 0.0.0.0/0 0.0.0.0/0
445 30365 loc-dmz all -- * intern0 0.0.0.0/0 0.0.0.0/0
Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logflags (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 4 level 6 prefix "logflags DROP "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net-dmz (1 references)
pkts bytes target prot opt in out source destination
4764 7128K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* SSH */
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.62 tcp dpt:22 ctorigdstport 22
9 540 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.62 ctorigdst [exernIP] tcp dpt:8080
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "net-dmz DROP "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net-fw (1 references)
pkts bytes target prot opt in out source destination
30 1641 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
30 1641 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
31 1925 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
252 38448 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
9 360 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6222 /* SSH */
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
21 1281 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "net-fw DROP "
21 1281 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net-loc (1 references)
pkts bytes target prot opt in out source destination
361K 538M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "net-loc DROP "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain net_frwd (1 references)
pkts bytes target prot opt in out source destination
9 540 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
9 540 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
366K 545M tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
361K 538M net-loc all -- * intern1 0.0.0.0/0 0.0.0.0/0
4773 7128K net-dmz all -- * intern0 0.0.0.0/0 0.0.0.0/0
Chain reject (10 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain sha-lh-17d1d222e8a500df962d (0 references)
pkts bytes target prot opt in out source destination
Chain sha-rh-6806e78c76f042237b8d (0 references)
pkts bytes target prot opt in out source destination
Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255
Chain smurflog (2 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "smurfs DROP "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain smurfs (6 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0 0.0.0.0/0
0 0 smurflog all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] ADDRTYPE match src-type BROADCAST
0 0 smurflog all -- * * 224.0.0.0/4 0.0.0.0/0 [goto]
Chain tcpflags (6 references)
pkts bytes target prot opt in out source destination
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x3F/0x29
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x3F/0x00
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x06/0x06
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x05/0x05
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x03/0x03
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp flags:0x19/0x09
0 0 logflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp spt:0 flags:0x17/0x02
Log (/var/log/messages)
NAT Table
Chain PREROUTING (policy ACCEPT 522 packets, 54284 bytes)
pkts bytes target prot opt in out source destination
30 1821 net_dnat all -- extern0 * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 270 packets, 20275 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 248 packets, 18099 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 258 packets, 18699 bytes)
pkts bytes target prot opt in out source destination
478 50767 extern0_masq all -- * extern0 0.0.0.0/0 0.0.0.0/0
Chain extern0_masq (1 references)
pkts bytes target prot opt in out source destination
227 32488 MASQUERADE all -- * * 176.16.50.0/24 0.0.0.0/0
3 180 MASQUERADE all -- * * 10.0.0.62 0.0.0.0/0
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 to:10.0.0.62:22
9 540 DNAT tcp -- * * 0.0.0.0/0 [exernIP] multiport dports 80,443 to:10.0.0.62:8080
Mangle Table
Chain PREROUTING (policy ACCEPT 669K packets, 560M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 788 packets, 78499 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 668K packets, 560M bytes)
pkts bytes target prot opt in out source destination
470 27704 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
668K 560M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK and 0xffffff00
Chain OUTPUT (policy ACCEPT 724 packets, 88665 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 669K packets, 560M bytes)
pkts bytes target prot opt in out source destination
Raw Table
Chain PREROUTING (policy ACCEPT 669K packets, 560M bytes)
pkts bytes target prot opt in out source destination
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:10080 CT helper amanda
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x17/0x02 CT helper ftp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1719 CT helper RAS
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1720 flags:0x17/0x02 CT helper Q.931
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6667 flags:0x17/0x02 CT helper irc
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 CT helper netbios-ns
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723 flags:0x17/0x02 CT helper pptp
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6566 flags:0x17/0x02 CT helper sane
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 CT helper sip
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:161 CT helper snmp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:69 CT helper tftp
Chain OUTPUT (policy ACCEPT 724 packets, 88665 bytes)
pkts bytes target prot opt in out source destination
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:10080 CT helper amanda
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x17/0x02 CT helper ftp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1719 CT helper RAS
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1720 flags:0x17/0x02 CT helper Q.931
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6667 flags:0x17/0x02 CT helper irc
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 CT helper netbios-ns
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723 flags:0x17/0x02 CT helper pptp
0 0 CT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6566 flags:0x17/0x02 CT helper sane
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 CT helper sip
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:161 CT helper snmp
0 0 CT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:69 CT helper tftp
Conntrack Table (117 out of 262144)
ipv4 2 tcp 6 5 CLOSE src=176.16.50.2 dst=72.21.206.56 sport=53134 dport=443 src=72.21.206.56 dst=[exernIP] sport=443 dport=53134 [ASSURED] mark=0 zone=0 use=2
ipv4 2 udp 17 114 src=176.16.50.2 dst=173.194.207.189 sport=53843 dport=443 src=173.194.207.189 dst=[exernIP] sport=443 dport=53843 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431996 ESTABLISHED src=176.16.50.2 dst=162.125.18.133 sport=60228 dport=443 src=162.125.18.133 dst=[exernIP] sport=443 dport=60228 [ASSURED] mark=0 zone=0 use=2
IP Configuration
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: intern1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
inet 176.16.50.1/24 brd 176.16.50.255 scope global intern1
valid_lft forever preferred_lft forever
3: intern0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
inet 10.0.0.1/24 brd 10.0.0.255 scope global intern0
valid_lft forever preferred_lft forever
4: extern0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
inet [exernIP]/22 brd 24.189.15.255 scope global noprefixroute extern0
valid_lft forever preferred_lft forever
IP Stats
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
560 5 0 0 0 0
TX: bytes packets errors dropped carrier collsns
560 5 0 0 0 0
2: intern1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 00:72:63:dc:89:78 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
1211739718 13517644 0 0 0 0
TX: bytes packets errors dropped carrier collsns
67814373278 46720981 0 0 0 0
3: intern0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 00:72:63:dc:89:5f brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
4711077 48294 0 0 0 0
TX: bytes packets errors dropped carrier collsns
143317839 111700 0 0 0 0
4: extern0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether bc:5f:f4:9c:12:f7 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
68500520233 50747827 0 0 0 0
TX: bytes packets errors dropped carrier collsns
1218858023 13617909 0 0 0 0
Routing Rules
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Table default:
Table local:
local [exernIP] dev extern0 proto kernel scope host src [exernIP]
local 176.16.50.1 dev intern1 proto kernel scope host src 176.16.50.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.0.0.1 dev intern0 proto kernel scope host src 10.0.0.1
broadcast 24.189.15.255 dev extern0 proto kernel scope link src [exernIP]
broadcast 24.189.12.0 dev extern0 proto kernel scope link src [exernIP]
broadcast 176.16.50.255 dev intern1 proto kernel scope link src 176.16.50.1
broadcast 176.16.50.0 dev intern1 proto kernel scope link src 176.16.50.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.0.0.255 dev intern0 proto kernel scope link src 10.0.0.1
broadcast 10.0.0.0 dev intern0 proto kernel scope link src 10.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
176.16.50.0/24 dev intern1 proto kernel scope link src 176.16.50.1
10.0.0.0/24 dev intern0 proto kernel scope link src 10.0.0.1
24.189.12.0/22 dev extern0 proto dhcp scope link src [exernIP] metric 204
default via 24.189.12.1 dev extern0 proto dhcp src [exernIP] metric 204
Per-IP Counters
iptaccount is not installed
NF Accounting
No NF Accounting defined (nfacct not found)
Events
PFKEY SPD
PFKEY SAD
/proc
/proc/version = Linux version 5.2.1-arch1-1-ARCH (builduser@heftig-55221) (gcc version 9.1.0 (GCC)) #1 SMP PREEMPT Sun Jul 14 14:52:52 UTC 2019
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/default/log_martians = 1
/proc/sys/net/ipv4/conf/extern0/proxy_arp = 0
/proc/sys/net/ipv4/conf/extern0/arp_filter = 0
/proc/sys/net/ipv4/conf/extern0/arp_ignore = 0
/proc/sys/net/ipv4/conf/extern0/rp_filter = 1
/proc/sys/net/ipv4/conf/extern0/log_martians = 1
/proc/sys/net/ipv4/conf/intern0/proxy_arp = 0
/proc/sys/net/ipv4/conf/intern0/arp_filter = 0
/proc/sys/net/ipv4/conf/intern0/arp_ignore = 0
/proc/sys/net/ipv4/conf/intern0/rp_filter = 1
/proc/sys/net/ipv4/conf/intern0/log_martians = 1
/proc/sys/net/ipv4/conf/intern1/proxy_arp = 0
/proc/sys/net/ipv4/conf/intern1/arp_filter = 0
/proc/sys/net/ipv4/conf/intern1/arp_ignore = 0
/proc/sys/net/ipv4/conf/intern1/rp_filter = 1
/proc/sys/net/ipv4/conf/intern1/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 1
ARP
24.189.12.1 dev extern0 lladdr 00:01:5c:7d:b4:4f DELAY
10.0.0.62 dev intern0 lladdr e8:40:f2:a6:a2:a1 STALE
176.16.50.2 dev intern1 lladdr 04:92:26:8c:c4:98 REACHABLE
Modules
ip_tables 36864 10 iptable_filter,iptable_raw,iptable_nat,iptable_mangle
ipt_REJECT 16384 4
iptable_filter 16384 1
iptable_mangle 16384 1
iptable_nat 16384 1
iptable_raw 16384 1
nf_conntrack 172032 25 xt_conntrack,nf_nat_irc,nf_nat,nf_conntrack_tftp,nf_nat_ftp,nf_conntrack_pptp,nf_conntrack_netbios_ns,nf_conntrack_sane,xt_nat,nf_nat_tftp,nf_nat_amanda,nf_conntrack_sip,nf_conntrack_h323,nf_nat_pptp,nf_conntrack_broadcast,nf_conntrack_irc,nf_conntrack_amanda,nf_conntrack_netlink,nf_conntrack_ftp,xt_CT,nf_nat_h323,nf_conntrack_snmp,nf_nat_snmp_basic,xt_MASQUERADE,nf_nat_sip
nf_conntrack_amanda 16384 3 nf_nat_amanda
nf_conntrack_broadcast 16384 2 nf_conntrack_netbios_ns,nf_conntrack_snmp
nf_conntrack_ftp 24576 3 nf_nat_ftp
nf_conntrack_h323 86016 5 nf_nat_h323
nf_conntrack_irc 20480 3 nf_nat_irc
nf_conntrack_netbios_ns 16384 2
nf_conntrack_netlink 61440 0
nf_conntrack_pptp 20480 3 nf_nat_pptp
nf_conntrack_sane 20480 2
nf_conntrack_sip 40960 3 nf_nat_sip
nf_conntrack_snmp 16384 3 nf_nat_snmp_basic
nf_conntrack_tftp 20480 3 nf_nat_tftp
nf_defrag_ipv4 16384 1 nf_conntrack
nf_defrag_ipv6 24576 1 nf_conntrack
nf_log_common 16384 2 nf_log_ipv4,nf_log_ipv6
nf_log_ipv4 16384 14
nf_log_ipv6 16384 0
nf_nat 53248 10 nf_nat_irc,nf_nat_ftp,xt_nat,nf_nat_tftp,nf_nat_amanda,nf_nat_pptp,nf_nat_h323,iptable_nat,xt_MASQUERADE,nf_nat_sip
nf_nat_amanda 16384 0
nf_nat_ftp 20480 0
nf_nat_h323 24576 0
nf_nat_irc 20480 0
nf_nat_pptp 20480 0
nf_nat_sip 20480 0
nf_nat_snmp_basic 20480 0
nf_nat_tftp 16384 0
nf_reject_ipv4 16384 1 ipt_REJECT
nf_reject_ipv6 20480 1 ip6t_REJECT
xt_CT 16384 22
xt_LOG 20480 14
xt_MASQUERADE 20480 2
xt_NFLOG 16384 0
xt_TCPMSS 16384 1
xt_addrtype 16384 38
xt_comment 16384 14
xt_conntrack 16384 26
xt_hashlimit 20480 14
xt_hl 16384 0
xt_limit 16384 0
xt_mark 16384 1
xt_multiport 20480 1
xt_nat 16384 2
xt_recent 24576 1
xt_tcpudp 20480 42
Shorewall has detected the following iptables/netfilter capabilities:
--nflog-size support (NFLOG_SIZE): Available
ACCOUNT Target (ACCOUNT_TARGET): Not available
AUDIT Target (AUDIT_TARGET): Not available
Address Type Match (ADDRTYPE): Available
Amanda Helper: Available
Arptables JF (ARPTABLESJF): Not available
Basic Ematch (BASIC_EMATCH): Available
Basic Filter (BASIC_FILTER): Available
CLASSIFY Target (CLASSIFY_TARGET): Not available
CONNMARK Target (CONNMARK): Not available
CT Target (CT_TARGET): Available
Capabilities Version (CAPVERSION): 50200
Checksum Target (CHECKSUM_TARGET): Not available
Comments (COMMENTS): Available
Condition Match (CONDITION_MATCH): Not available
Connection Tracking Match (CONNTRACK_MATCH): Available
Connlimit Match (CONNLIMIT_MATCH): Not available
Connmark Match (CONNMARK_MATCH): Not available
DSCP Match (DSCP_MATCH): Not available
DSCP Target (DSCP_TARGET): Not available
Enhanced Multi-port Match (EMULIPORT): Available
Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
Extended MARK Target (XMARK): Available
Extended MARK Target 2 (EXMARK): Available
Extended Multi-port Match (XMULIPORT): Available
Extended REJECT (ENHANCED_REJECT): Available
FLOW Classifier (FLOW_FILTER): Available
FTP Helper: Available
FTP-0 Helper: Not available
Geo IP Match (GEOIP_MATCH): Not available
Goto Support (GOTO_TARGET): Available
H323 Helper: Available
Hashlimit Match (HASHLIMIT_MATCH): Available
Header Match (HEADER_MATCH): Not available
Helper Match (HELPER_MATCH): Not available
IMQ Target (IMQ_TARGET): Not available
INPUT chain in nat table (NAT_INPUT_CHAIN): Available
IP range Match(IPRANGE_MATCH): Not available
IPMARK Target (IPMARK_TARGET): Not available
IPP2P Match (IPP2P_MATCH): Not available
IRC Helper: Available
IRC-0 Helper: Not available
Iface Match (IFACE_MATCH): Not available
Ipset Match (IPSET_MATCH): Not available
Kernel Version (KERNELVERSION): 50201
LOG Target (LOG_TARGET): Available
LOGMARK Target (LOGMARK_TARGET): Not available
MARK Target (MARK): Available
MASQUERADE Target (MASQUERADE_TGT): Available
Mangle FORWARD Chain (MANGLE_FORWARD): Available
Mark in the filter table (MARK_ANYWHERE): Available
Multi-port Match (MULTIPORT): Available
NAT (NAT_ENABLED): Available
NETMAP Target (NETMAP_TARGET): Not available
NFAcct Match: Not available
NFLOG Target (NFLOG_TARGET): Available
NFQUEUE CPU Fanout (CPU_FANOUT): Not available
NFQUEUE Target (NFQUEUE_TARGET): Not available
Netbios_ns Helper: Available
New tos Match (NEW_TOS_MATCH): Not available
Owner Match (OWNER_MATCH): Not available
Owner Name Match (OWNER_NAME_MATCH): Not available
PPTP Helper: Available
Packet Mangling (MANGLE_ENABLED): Available
Packet length Match (LENGTH_MATCH): Not available
Persistent SNAT (PERSISTENT_SNAT): Available
Physdev Match (PHYSDEV_MATCH): Not available
Physdev-is-bridged Support (PHYSDEV_BRIDGE): Not available
Policy Match (POLICY_MATCH): Not available
RPFilter Match (RPFILTER_MATCH): Not available
Raw Table (RAW_TABLE): Available
Realm Match (REALM_MATCH): Not available
Recent Match "--reap" option (REAP_OPTION): Available
Recent Match (RECENT_MATCH): Available
Repeat match (KLUDGEFREE): Not available
SANE Helper: Available
SANE-0 Helper: Not available
SIP Helper: Available
SIP-0 Helper: Not available
SNMP Helper: Available
Statistic Match (STATISTIC_MATCH): Not available
TARPIT Target (TARPIT_TARGET): Not available
TCPMSS Match (TCPMSS_MATCH): Not available
TCPMSS Target (TCPMSS_TARGET): Available
TFTP Helper: Available
TFTP-0 Helper: Not available
TPROXY Target (TPROXY_TARGET): Not available
Time Match (TIME_MATCH): Not available
UDPLITE Port Redirection (UDPLITEREDIRECT): Not available
ULOG Target (ULOG_TARGET): Not available
fwmark route mask (FWMARK_RT_MASK): Available
ipset V5 (IPSET_V5): Not available
iptables --wait option (WAIT_OPTION): Available
iptables -S (IPTABLES_S): Available
iptables-restore --wait option (RESTORE_WAIT_OPTION): Available
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("dnsmasq",pid=501,fd=6))
udp UNCONN 0 0 0.0.0.0:67 0.0.0.0:* users:(("dnsmasq",pid=501,fd=4))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhcpcd",pid=428,fd=13))
tcp LISTEN 0 0 0.0.0.0:6222 0.0.0.0:* users:(("sshd",pid=4698,fd=3))
tcp LISTEN 0 0 0.0.0.0:53 0.0.0.0:* users:(("dnsmasq",pid=501,fd=7))
tcp ESTAB 0 0 176.16.50.1:6222 176.16.50.2:50176 users:(("sshd",pid=12101,fd=4),("sshd",pid=12099,fd=4))
Traffic Control
Device lo:
qdisc noqueue 0: root refcnt 2
Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
backlog 0b 0p requeues 0
Device intern1:
qdisc fq_codel 0: root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn
Sent 67815075800 bytes 46721465 pkt (dropped 0, overlimits 0 requeues 7757)
backlog 0b 0p requeues 7757
maxpacket 27252 drop_overlimit 0 new_flow_count 1759 ecn_mark 0
new_flows_len 0 old_flows_len 0
Device intern0:
qdisc fq_codel 0: root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn
Sent 143317839 bytes 111700 pkt (dropped 0, overlimits 0 requeues 1)
backlog 0b 0p requeues 1
maxpacket 1514 drop_overlimit 0 new_flow_count 15 ecn_mark 0
new_flows_len 0 old_flows_len 0
Device extern0:
qdisc fq_codel 0: root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn
Sent 1179649692 bytes 13618270 pkt (dropped 0, overlimits 0 requeues 373)
backlog 0b 0p requeues 373
maxpacket 17208 drop_overlimit 0 new_flow_count 106 ecn_mark 0
new_flows_len 0 old_flows_len 0
TC Filters
Device lo:
Device intern1:
Device intern0:
Device extern0:
Note that there were several attempts to log in from an outside, cell-phone-tethered client since resetting the counters (per DNAT FAQ 1b). The number of packets is non-zero, right??
Here is the current shorewall/rules:
$ cat /etc/shorewall/rules
#
# Shorewall - Sample Rules File for three-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# Don't allow connection pickup from the net
#
Invalid(DROP) net all tcp
#
# Accept DNS connections from the firewall to the Internet
#
DNS(ACCEPT) $FW net
#
#
# Accept SSH connections from the other networks to the firewall and DMZ
#
SSH(ACCEPT) loc $FW tcp 6222
SSH(ACCEPT) loc dmz tcp 22
SSH(ACCEPT) net $FW tcp 6222
SSH(ACCEPT) net dmz tcp 22
#
# DMZ DNS access to the Internet
#
DNS(ACCEPT) dmz net
# Drop Ping from the "bad" net zone.
Ping(DROP) net $FW
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
Ping(ACCEPT) loc $FW
Ping(ACCEPT) dmz $FW
Ping(ACCEPT) loc dmz
Ping(ACCEPT) dmz loc
Ping(ACCEPT) dmz net
Ping(ACCEPT) loc net
ACCEPT $FW net icmp
ACCEPT $FW loc icmp
ACCEPT $FW dmz icmp
# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc
Ping(ACCEPT) net dmz
#Ping(ACCEPT) net loc
# ------------FW's--------------
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
DNS(ACCEPT) loc $FW
DNS(ACCEPT) dmz $FW
# ------for server
DNAT net dmz:10.0.0.62:22 tcp 22
DNAT net dmz:10.0.0.62:8080 tcp 80,443 - &extern0
As said before, I've tried many, many different versions of that last DNAT rule. The one that is there now was suggested in the three-interface port forwarding guide for people who have a dynamic IP from their ISP.
Here is the rest of my config:
$ cat /etc/shorewall/snat
#
# Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
# Copyright (C) 2006-2017 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-snat"
#
# See http://shorewall.net/manpages/shorewall-snat.html for more information
###########################################################################################################################################
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
#
# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
#
MASQUERADE 176.16.50.0/24 extern0
MASQUERADE 10.0.0.62 extern0
$ cat /etc/shorewall/zones
#
# Shorewall - Sample Zones File for three-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-zones"
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
dmz ipv4
$ cat /etc/shorewall/interfaces
#
# Shorewall - Sample Interfaces File for three-interface configuration.
# Copyright (C) 2006-2017 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
?FORMAT 2
###############################################################################
#ZONE INTERFACE OPTIONS
net extern0 tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=extern0
loc intern1 tcpflags,nosmurfs,routefilter,logmartians,physical=intern1
dmz intern0 tcpflags,nosmurfs,routefilter,logmartians,physical=intern0
$ cat /etc/shorewall/policy
#
# Shorewall - Sample Policy File for three-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
$FW net ACCEPT
loc net ACCEPT
dmz net ACCEPT
net all DROP $LOG_LEVEL
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT $LOG_LEVEL
$ cat /etc/shorewall/shorewall.conf
###############################################################################
#
# Shorewall - Sample shorewall.conf for three-interface
# configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#
# For information about the settings in this file, type "man shorewall.conf"
#
# The manpage is also online at
# http://shorewall.net/manpages/shorewall.conf.html
#
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
# P A G E R
###############################################################################
PAGER=
###############################################################################
# F I R E W A L L
###############################################################################
FIREWALL=
###############################################################################
# L O G G I N G
###############################################################################
LOG_LEVEL="info"
BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOG_ZONE=Both
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="%s %s "
LOGTAGONLY=No
LOGLIMIT="s:1/sec:10"
MACLIST_LOG_LEVEL="$LOG_LEVEL"
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL="$LOG_LEVEL"
SFILTER_LOG_LEVEL="$LOG_LEVEL"
SMURF_LOG_LEVEL="$LOG_LEVEL"
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
UNTRACKED_LOG_LEVEL=
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
ARPTABLES=
CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
NFACCT=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=
TC=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=Yes
CLEAR_TC=Yes
COMPLETE=No
DEFER_DNS_RESOLUTION=Yes
DISABLE_IPV6=No
DOCKER=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=
IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=On
KEEP_RT_TABLES=No
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MINIUPNPD=No
MARK_IN_FORWARD_CHAIN=No
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
PERL_HASH_SEED=0
REJECT_ACTION=
RENAME_COMBINED=Yes
REQUIRE_INTERFACE=No
RESTART=restart
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No
SAVE_ARPTABLES=No
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes
TRACK_RULES=No
USE_DEFAULT_RT=Yes
USE_NFLOG_SIZE=No
USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0
Let me know if there is anything else that is needed. I'm using dnsmasq as well (per the router/shorewall wikis); I can post that too (I feel a little bad about how much is here already. EDIT: posted dnsmasq config below (still feel bad); it's okay though because the code boxes are scrollable, right? Please advise!). I am also fully aware that this very well may be an issue with the server or waitress or the flask app and py script. Any advice on how to further probe whether this is a packet forwarding issue or not would also be appreciated (and taken to its proper spot on the forum!). For the record, here is the state of the packet filter on the server itself:
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
8080 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
8080 (v6) ALLOW IN Anywhere (v6)
The server is running Ubuntu Server. I know from reading the shorewall docs that the gateway on this host MUST be the firewall's internal IP (internal, right?). Here is where I set the gateway in Ubuntu's netplan:
$ cat /etc/netplan/01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp3s0:
      dhcp4: no
      addresses: [10.0.0.62/24]
      gateway4: 10.0.0.1
      nameservers:
        addresses: [10.0.0.1]
Yet when I run route:
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 0 0 0 enp3s0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 enp3s0
The gateway is 0.0.0.0?! So this is what I will be working on while I wait for any potential advice here. I've already tried this WikiHow, but the results from route are the same. Will keep at it though! While it's been intense so far, the feeling of accomplishment after winning each of the battles (OS wouldn't install, then I couldn't boot, then we had no internet..) has 100% got me hooked on figuring this dang box out! Thank you for any help or advice you may be able to provide!
EDIT: ran ip route instead of route:
$ ip route
default via 10.0.0.1 dev enp3s0 proto static
10.0.0.0/24 dev enp3s0 proto kernel scope link src 10.0.0.62
The gateway is set correctly after all? That was the one thing I was counting on working.. No ideas now. Will read up on snat to see if this rule in /etc/shorewall/snat is inappropriate here?
MASQUERADE 10.0.0.62 extern0
I haven't messed with this because this was what got the server internet access in the first place.
Probably dnsmasq as well; here is the config, why not?
$ cat /etc/dnsmasq.conf
# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
# Listen on this specific port instead of the standard DNS port
# (53). Setting this to zero completely disables DNS function,
# leaving only DHCP and/or TFTP.
#port=5353
# The following two options make you a better netizen, since they
# tell dnsmasq to filter out queries which the public DNS cannot
# answer, and which load the servers (especially the root servers)
# unnecessarily. If you have a dial-on-demand link they also stop
# these requests from bringing up the link unnecessarily.
# Never forward plain names (without a dot or domain part)
#domain-needed
# Never forward addresses in the non-routed address spaces.
#bogus-priv
# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
#conf-file=/usr/share/dnsmasq/trust-anchors.conf
#dnssec
# Replies which are not DNSSEC signed may be legitimate, because the domain
# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
# check that an unsigned reply is OK, by finding a secure proof that a DS
# record somewhere between the root and the domain does not exist.
# The cost of setting this is that even queries in unsigned domains will need
# one or more extra DNS queries to verify.
#dnssec-check-unsigned
# Uncomment this to filter useless windows-originated DNS requests
# which can trigger dial-on-demand links needlessly.
# Note that (amongst other things) this blocks all SRV requests,
# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
# This option only affects forwarding, SRV records originating for
# dnsmasq (via srv-host= lines) are not suppressed by it.
#filterwin2k
# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
#resolv-file=
# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers to are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf
#strict-order
# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
#no-resolv
# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
# files for changes and re-read them then uncomment this.
#no-poll
# Add other name servers here, with domain specs if they are for
# non-public domains.
#server=/localnet/192.168.0.1
# Example of routing PTR queries to nameservers: this will send all
# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
#server=/3.168.192.in-addr.arpa/10.1.2.3
# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
#local=/localnet/
# Add domains which you want to force to an IP address here.
# The example below sends any host in double-click.net to a local
# web-server.
#address=/double-click.net/127.0.0.1
# --address (and --server) work with IPv6 addresses too.
#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
# Add the IPs of all queries to yahoo.com, google.com, and their
# subdomains to the vpn and search ipsets:
#ipset=/yahoo.com/google.com/vpn,search
# You can control how dnsmasq talks to a server: this forces
# queries to 10.1.2.3 to be routed via eth1
# server=10.1.2.3@eth1
# and this sets the source (ie local) address used to talk to
# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
# IP on the machine, obviously).
# server=10.1.2.3@192.168.1.1#55
# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
#user=
#group=
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=intern0
interface=intern1
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it.
#no-dhcp-interface=
# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
#bind-interfaces
# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
#addn-hosts=/etc/banner_add_hosts
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
#expand-hosts
# Set the domain for dnsmasq. This is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
# as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
# domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
#domain=thekelleys.org.uk
# Set a different domain for a particular subnet
#domain=wireless.thekelleys.org.uk,192.168.2.0/24
# Same idea, but range rather than subnet
#domain=reserved.thekelleys.org.uk,192.168.3.100,192.168.3.200
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
# Note: both pools start at .1 (on the DMZ side that is the router's own
# address, 10.0.0.1) and end at the subnet broadcast address, and they
# overlap the static dhcp-host reservations below. A narrower pool
# (for example 10.0.0.100 to 10.0.0.200) keeps dynamic leases clear of
# the router address and of the fixed addresses that the DNAT rules target.
dhcp-range=10.0.0.1,10.0.0.255,255.255.255.0,24h
dhcp-range=172.16.50.1,172.16.50.255,255.255.255.0,24h
# This is an example of a DHCP range where the netmask is given. This
# is needed for networks where the dnsmasq DHCP server is reached via a relay
# agent. If you don't know what a DHCP relay agent is, you probably
# don't need to worry about this.
#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
# This is an example of a DHCP range which sets a tag, so that
# some DHCP options may be set only for this network.
#dhcp-range=set:red,192.168.0.50,192.168.0.150
# Use this DHCP range only when the tag "green" is set.
#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
# Specify a subnet which can't be used for dynamic address allocation,
# but is available for hosts with matching --dhcp-host lines. Note that
# dhcp-host declarations will be ignored unless there is a dhcp-range
# of some type for the subnet in question.
# In this case the netmask is implied (it comes from the network
# configuration on the machine running dnsmasq); it is possible to give
# an explicit netmask instead.
#dhcp-range=192.168.0.0,static
# Enable DHCPv6. Note that the prefix-length does not need to be specified
# and defaults to 64 if missing.
#dhcp-range=1234::2, 1234::500, 64, 12h
# Do Router Advertisements, BUT NOT DHCP for this subnet.
#dhcp-range=1234::, ra-only
# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
# hosts. Use the DHCPv4 lease to derive the name, network segment and
# MAC address and assume that the host will also have an
# IPv6 address calculated using the SLAAC algorithm.
#dhcp-range=1234::, ra-names
# Do Router Advertisements, BUT NOT DHCP for this subnet.
# Set the lifetime to 48 hours. (Note: minimum lifetime is 2 hours.)
#dhcp-range=1234::, ra-only, 48h
# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
# so that clients can use SLAAC addresses as well as DHCP ones.
#dhcp-range=1234::2, 1234::500, slaac
# Do Router Advertisements and stateless DHCP for this subnet. Clients will
# not get addresses from DHCP, but they will get other configuration information.
# They will use SLAAC for addresses.
#dhcp-range=1234::, ra-stateless
# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
# from DHCPv4 leases.
#dhcp-range=1234::, ra-stateless, ra-names
# Do router advertisements for all subnets where we're doing DHCPv6
# Unless overridden by ra-stateless, ra-names, et al, the router
# advertisements will have the M and O bits set, so that the clients
# get addresses and configuration from DHCPv6, and the A bit reset, so the
# clients don't use SLAAC addresses.
#enable-ra
# Supply parameters for specified hosts using DHCP. There are lots
# of valid alternatives, so we will give examples of each. Note that
# IP addresses DO NOT have to be in the range given above, they just
# need to be on the same network. The order of the parameters in these
# does not matter; it's permissible to give name, address and MAC in any
# order.
# Always allocate the host with Ethernet address 11:22:33:44:55:66
# The IP address 192.168.0.60
#dhcp-host=11:22:33:44:55:66,192.168.0.60
# Always set the name of the host with hardware address
# 11:22:33:44:55:66 to be "fred"
#dhcp-host=11:22:33:44:55:66,fred
# Always give the host with Ethernet address 11:22:33:44:55:66
# the name fred and IP address 192.168.0.60 and lease time 45 minutes
#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
# Give a host with Ethernet address 11:22:33:44:55:66 or
# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
# that these two Ethernet interfaces will never be in use at the same
# time, and give the IP address to the second, even if it is already
# in use by the first. Useful for laptops with wired and wireless
# addresses.
#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
# Corrected from 176.16.50.2 as posted: that address lies outside the
# 172.16.50.0/24 pool above, and (see the note on dhcp-range=...,static)
# a dhcp-host entry is ignored unless a dhcp-range covers its subnet.
dhcp-host=04:92:26:8C:C4:9C,172.16.50.2
# Give the machine which says its name is "bert" IP address
# 192.168.0.70 and an infinite lease
#dhcp-host=bert,192.168.0.70,infinite
dhcp-host=e8:40:f2:a6:a2:a1,10.0.0.62
# Always give the host with client identifier 01:02:02:04
# the IP address 192.168.0.60
#dhcp-host=id:01:02:02:04,192.168.0.60
# Always give the InfiniBand interface with hardware address
# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
# ip address 192.168.0.61. The client id is derived from the prefix
# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
# hex digits of the hardware address.
#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61
# Always give the host with client identifier "marjorie"
# the IP address 192.168.0.60
#dhcp-host=id:marjorie,192.168.0.60
# Enable the address given for "judge" in /etc/hosts
# to be given to a machine presenting the name "judge" when
# it asks for a DHCP lease.
#dhcp-host=judge
# Never offer DHCP service to a machine whose Ethernet
# address is 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,ignore
# Ignore any client-id presented by the machine with Ethernet
# address 11:22:33:44:55:66. This is useful to prevent a machine
# being treated differently when running under different OS's or
# between PXE boot and OS boot.
#dhcp-host=11:22:33:44:55:66,id:*
# Send extra options which are tagged as "red" to
# the machine with Ethernet address 11:22:33:44:55:66
#dhcp-host=11:22:33:44:55:66,set:red
# Send extra options which are tagged as "red" to
# any machine with Ethernet address starting 11:22:33:
#dhcp-host=11:22:33:*:*:*,set:red
# Give a fixed IPv6 address and name to client with
# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
# Note also that the [] around the IPv6 address are obligatory.
#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
# Ignore any clients which are not specified in dhcp-host lines
# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
# This relies on the special "known" tag which is set when
# a host is matched.
#dhcp-ignore=tag:!known
# Send extra options which are tagged as "red" to any machine whose
# DHCP vendorclass string includes the substring "Linux"
#dhcp-vendorclass=set:red,Linux
# Send extra options which are tagged as "red" to any machine one
# of whose DHCP userclass strings includes the substring "accounts"
#dhcp-userclass=set:red,accounts
# Send extra options which are tagged as "red" to any machine whose
# MAC address matches the pattern.
#dhcp-mac=set:red,00:60:8C:*:*:*
# If this line is uncommented, dnsmasq will read /etc/ethers and act
# on the ethernet-address/IP pairs found there just as if they had
# been given as --dhcp-host options. Useful if you keep
# MAC-address/host mappings there for other purposes.
#read-ethers
# Send options to hosts which ask for a DHCP lease.
# See RFC 2132 for details of available options.
# Common options can be given to dnsmasq by name:
# run "dnsmasq --help dhcp" to get a list.
# Note that all the common settings, such as netmask and
# broadcast address, DNS server and default route, are given
# sane defaults by dnsmasq. You very likely will not need
# any dhcp-options. If you use Windows clients and Samba, there
# are some options which are recommended, they are detailed at the
# end of this section.
# Override the default route supplied by dnsmasq, which assumes the
# router is the same machine as the one running dnsmasq.
#dhcp-option=3,1.2.3.4
# Do the same thing, but using the option name
#dhcp-option=option:router,1.2.3.4
# Override the default route supplied by dnsmasq and send no default
# route at all. Note that this only works for the options sent by
# default (1, 3, 6, 12, 28); the same line will send a zero-length option
# for all other option numbers.
#dhcp-option=3
# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
# Send DHCPv6 option. Note [] around IPv6 addresses.
#dhcp-option=option6:dns-server,[1234::77],[1234::88]
# Send DHCPv6 option for nameservers as the machine running
# dnsmasq and another.
#dhcp-option=option6:dns-server,[::],[1234::88]
# Ask client to poll for option changes every six hours. (RFC4242)
#dhcp-option=option6:information-refresh-time,6h
# Set option 58 client renewal time (T1). Defaults to half of the
# lease time if not specified. (RFC2132)
#dhcp-option=option:T1,1m
# Set option 59 rebinding time (T2). Defaults to 7/8 of the
# lease time if not specified. (RFC2132)
#dhcp-option=option:T2,2m
# Set the NTP time server address to be the same machine as
# is running dnsmasq
#dhcp-option=42,0.0.0.0
# Set the NIS domain name to "welly"
#dhcp-option=40,welly
# Set the default time-to-live to 50
#dhcp-option=23,50
# Set the "all subnets are local" flag
#dhcp-option=27,1
# Send the etherboot magic flag and then etherboot options (a string).
#dhcp-option=128,e4:45:74:68:00:00
#dhcp-option=129,NIC=eepro100
# Specify an option which will only be sent to the "red" network
# (see dhcp-range for the declaration of the "red" network)
# Note that the tag: part must precede the option: part.
#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
# The following DHCP options set up dnsmasq in the same way as is specified
# for the ISC dhcpcd in
# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
# adapted for a typical dnsmasq installation where the host running
# dnsmasq is also the host running samba.
# you may want to uncomment some or all of them if you use
# Windows clients and Samba.
#dhcp-option=19,0 # option ip-forwarding off
#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
#dhcp-option=45,0.0.0.0 # netbios datagram distribution server
#dhcp-option=46,8 # netbios node type
# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
#dhcp-option=252,"\n"
# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
# probably doesn't support this......
#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
# Send RFC-3442 classless static routes (note the netmask encoding)
#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
# Send vendor-class specific options encapsulated in DHCP option 43.
# The meaning of the options is defined by the vendor-class so
# options are sent only when the client supplied vendor class
# matches the class given here. (A substring match is OK, so "MSFT"
# matches "MSFT" and "MSFT 5.0"). This example sets the
# mtftp address to 0.0.0.0 for PXEClients.
#dhcp-option=vendor:PXEClient,1,0.0.0.0
# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
#dhcp-option=vendor:MSFT,2,1i
# Send the Encapsulated-vendor-class ID needed by some configurations of
# Etherboot to allow it to recognise the DHCP server.
#dhcp-option=vendor:Etherboot,60,"Etherboot"
# Send options to PXELinux. Note that we need to send the options even
# though they don't appear in the parameter request list, so we need
# to use dhcp-option-force here.
# See http://syslinux.zytor.com/pxe.php#special for details.
# Magic number - needed before anything else is recognised
#dhcp-option-force=208,f1:00:74:7e
# Configuration file name
#dhcp-option-force=209,configs/common
# Path prefix
#dhcp-option-force=210,/tftpboot/pxelinux/files/
# Reboot time. (Note 'i' to send 32-bit value)
#dhcp-option-force=211,30i
# Set the boot filename for netboot/PXE. You will only need
# this if you want to boot machines over the network and you will need
# a TFTP server; either dnsmasq's built-in TFTP server or an
# external one. (See below for how to enable the TFTP server.)
#dhcp-boot=pxelinux.0
# The same as above, but use a custom TFTP server instead of the machine running dnsmasq
#dhcp-boot=pxelinux,server.name,192.168.1.100
# Boot for iPXE. The idea is to send two different
# filenames, the first loads iPXE, and the second tells iPXE what to
# load. The dhcp-match sets the ipxe tag for requests from iPXE.
#dhcp-boot=undionly.kpxe
#dhcp-match=set:ipxe,175 # iPXE sends a 175 option.
#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php
# Encapsulated options for iPXE. All the options are
# encapsulated within option 175
#dhcp-option=encap:175, 1, 5b # priority code
#dhcp-option=encap:175, 176, 1b # no-proxydhcp
#dhcp-option=encap:175, 177, string # bus-id
#dhcp-option=encap:175, 189, 1b # BIOS drive code
#dhcp-option=encap:175, 190, user # iSCSI username
#dhcp-option=encap:175, 191, pass # iSCSI password
# Test for the architecture of a netboot client. PXE clients are
# supposed to send their architecture as option 93. (See RFC 4578)
#dhcp-match=peecees, option:client-arch, 0 #x86-32
#dhcp-match=itanics, option:client-arch, 2 #IA64
#dhcp-match=hammers, option:client-arch, 6 #x86-64
#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
# Do real PXE, rather than just booting a single file, this is an
# alternative to dhcp-boot.
#pxe-prompt="What system shall I netboot?"
# or with timeout before first available action is taken:
#pxe-prompt="Press F8 for menu.", 60
# Available boot services for PXE.
#pxe-service=x86PC, "Boot from local disk"
# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
#pxe-service=x86PC, "Install Linux", pxelinux
# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
# Beware this fails on old PXE ROMS.
#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
# Use bootserver on network, found by multicast or broadcast.
#pxe-service=x86PC, "Install windows from RIS server", 1
# Use bootserver at a known IP address.
#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
# If you have multicast-FTP available,
# information for that can be passed in a similar way using options 1
# to 5. See page 19 of
# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
# Enable dnsmasq's built-in TFTP server
#enable-tftp
# Set the root directory for files available via TFTP.
#tftp-root=/var/ftpd
# Do not abort if the tftp-root is unavailable
#tftp-no-fail
# Make the TFTP server more secure: with this set, only files owned by
# the user dnsmasq is running as will be sent over the net.
#tftp-secure
# This option stops dnsmasq from negotiating a larger blocksize for TFTP
# transfers. It will slow things down, but may rescue some broken TFTP
# clients.
#tftp-no-blocksize
# Set the boot file name only when the "red" tag is set.
#dhcp-boot=tag:red,pxelinux.red-net
# An example of dhcp-boot with an external TFTP server: the name and IP
# address of the server are given after the filename.
# Can fail with old PXE ROMS. Overridden by --pxe-service.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
# If there are multiple external tftp servers having the same name
# (using /etc/hosts) then that name can be specified as the
# tftp_servername (the third option to dhcp-boot) and in that
# case dnsmasq resolves this name and returns the resultant IP
# addresses in round robin fashion. This facility can be used to
# load balance the tftp load among a set of servers.
#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
# Set the limit on DHCP leases, the default is 150
#dhcp-lease-max=150
# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company. The ISC server uses
# the same option, and this URL provides more information:
# http://www.isc.org/files/auth.html
#dhcp-authoritative
# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.
# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit
# option with a DHCPACK including a Rapid Commit option and fully committed address
# and configuration information. This must only be enabled if either the server is
# the only server for the subnet, or multiple servers are present and they each
# commit a binding for all clients.
#dhcp-rapid-commit
# Run an executable when a DHCP lease is created or destroyed.
# The arguments sent to the script are "add" or "del",
# then the MAC address, the IP address and finally the hostname
# if there is one.
#dhcp-script=/bin/echo
# Set the cachesize here.
#cache-size=150
# If you want to disable negative caching, uncomment this.
#no-negcache
# Normally responses which come from /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
# do not cache further. If you are happy to trade lower load on the
# server for potentially stale data, you can set a time-to-live (in
# seconds) here.
#local-ttl=
# If you want dnsmasq to detect attempts by Verisign to send queries
# to unregistered .com and .net hosts to its sitefinder service and
# have dnsmasq instead return the correct NXDOMAIN response, uncomment
# this line. You can add similar lines to do the same for other
# registries which have implemented wildcard A records.
#bogus-nxdomain=64.94.110.11
# If you want to fix up DNS results from upstream servers, use the
# alias option. This only works for IPv4.
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
#alias=1.2.3.4,5.6.7.8
# and this maps 1.2.3.x to 5.6.7.x
#alias=1.2.3.0,5.6.7.0,255.255.255.0
# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
# Change these lines if you want dnsmasq to serve MX records.
# Return an MX record named "maildomain.com" with target
# servermachine.com and preference 50
#mx-host=maildomain.com,servermachine.com,50
# Set the default target for MX records created using the localmx option.
#mx-target=servermachine.com
# Return an MX record pointing to the mx-target for all local
# machines.
#localmx
# Return an MX record pointing to itself for all local machines.
#selfmx
# Change the following lines if you want dnsmasq to serve SRV
# records. These are useful if you want to serve ldap requests for
# Active Directory and other windows-originated DNS requests.
# See RFC 2782.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>
# If the domain part is missing from the name (so that it just has the
# service and protocol sections) then the domain given by the domain=
# config option is used. (Note that expand-hosts does not need to be
# set for this to work.)
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 389 (using domain=)
#domain=example.com
#srv-host=_ldap._tcp,ldapserver.example.com,389
# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com
# The following line shows how to make dnsmasq serve an arbitrary PTR
# record. This is useful for DNS-SD. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for PTR records.)
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf. (Note that the
# domain-name expansion done for SRV records _does_not
# occur for TXT records.)
#Example SPF.
#txt-record=example.com,"v=spf1 a -all"
#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4
# Provide an alias for a "local" DNS name. Note that this _only_ works
# for targets which are names from DHCP or /etc/hosts. Give host
# "bert" another name, bertrand
#cname=bertrand,bert
# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
#log-queries
# Log lots of extra information about DHCP transactions.
#log-dhcp
# Include another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf
#conf-dir=/etc/dnsmasq.d
# Include all the files in a directory except those ending in .bak
#conf-dir=/etc/dnsmasq.d,.bak
# Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/,*.conf
# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. See CERT Vulnerability VU#598349
#dhcp-name-match=set:wpad-ignore,wpad
#dhcp-ignore-names=tag:wpad-ignore
Thank you again!
Last edited by tehbrozor (2019-08-01 02:51:11)
Okay, got it working. Conclusion: shorewall rules were okay, ISP must just be preventing certain inbound ports. Served up the app on a more obscure port and I'm in business. This is the entry I ended up settling with:
#ACTION   SOURCE   DEST            PROTO   DEST     SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME   HEADERS   SWITCH   HELPER
#                                          PORT     PORT(S)   DEST       LIMIT   GROUP
DNAT      net      dmz:10.0.0.62   tcp     26299
DNAT      loc      dmz:10.0.0.62   tcp     26299
I'll just have to link to the port in my site's html, no biggie. See y'alls on the Tubez!
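The rule that fixed it forwards to 10.0.0.62, and it stays pointed at the right box only because dnsmasq pins that address to a MAC with a dhcp-host line; a DNAT to an address that can be re-leased to another host silently re-targets the forward. The script below is an added example, not part of this thread and not shorewall's or dnsmasq's own code. It embeds the live (uncommented) lines of the posted dnsmasq.conf and the two DNAT rules from the follow-up as a constructed sample and cross-checks them: DHCP pools that include the router's own address (10.0.0.1, from the post; the loc-side address is not given and is left for the operator) or the subnet broadcast, dhcp-host reservations outside every pool (the posted 176.16.50.2 falls outside the 172.16.50.0/24 pool), and DNAT targets without a reservation. Only IPv4 dhcp-range and dhcp-host lines and DNAT rules of the form shown are parsed; everything else is skipped.

```python
"""Cross-check dnsmasq DHCP pools/reservations against shorewall DNAT targets."""
import ipaddress
import re

# Constructed sample input: the live (uncommented) lines of the posted
# dnsmasq.conf, and the two DNAT rules from the follow-up post.
DNSMASQ_CONF = """\
interface=intern0
interface=intern1
dhcp-range=10.0.0.1,10.0.0.255,255.255.255.0,24h
dhcp-range=172.16.50.1,172.16.50.255,255.255.255.0,24h
dhcp-host=04:92:26:8C:C4:9C,176.16.50.2
dhcp-host=e8:40:f2:a6:a2:a1,10.0.0.62
"""

SHOREWALL_RULES = """\
#ACTION SOURCE DEST          PROTO DEST
DNAT    net    dmz:10.0.0.62 tcp   26299
DNAT    loc    dmz:10.0.0.62 tcp   26299
"""

# Router addresses on the inside interfaces. 10.0.0.1 is stated in the post;
# the loc-side address is not, so the operator adds it here (assumption).
ROUTER_IPS = {ipaddress.IPv4Address("10.0.0.1")}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def parse_dnsmasq(text):
    """Return (ranges, reservations) from dnsmasq.conf text.

    ranges: list of (start, end, network-or-None) for IPv4 dhcp-range lines;
    network is None when the line carries no netmask.
    reservations: dict of IPv4 address -> MAC (or None) from dhcp-host lines.
    Tagged, IPv6 and 'static' ranges are skipped on purpose.
    """
    ranges, reservations = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields = [f.strip() for f in value.split(",")]
        if key == "dhcp-range" and len(fields) >= 2:
            try:
                start = ipaddress.IPv4Address(fields[0])
                end = ipaddress.IPv4Address(fields[1])
            except ValueError:
                continue
            mask = fields[2] if len(fields) > 2 else ""
            try:
                net = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
            except ValueError:
                net = None  # third field was a lease time, not a netmask
            ranges.append((start, end, net))
        elif key == "dhcp-host":
            mac = next((f for f in fields if MAC_RE.match(f)), None)
            for f in fields:
                try:
                    reservations[ipaddress.IPv4Address(f)] = mac
                except ValueError:
                    pass  # hostname, lease time, tag, client id ...
    return ranges, reservations


def parse_dnat_rules(text):
    """Return (source_zone, dest_zone, target_ip, proto, port) per DNAT rule.

    Handles the DEST form zone:ip[:port]; rules without a literal IPv4 target are skipped.
    """
    rules = []
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()
        if len(cols) < 5 or cols[0].upper() != "DNAT":
            continue
        parts = cols[2].split(":")
        try:
            target = ipaddress.IPv4Address(parts[1])
        except (IndexError, ValueError):
            continue
        rules.append((cols[1], parts[0], target, cols[3], cols[4]))
    return rules


def audit(conf_text, rules_text, router_ips=ROUTER_IPS):
    """Return a list of findings; an empty list means the cross-check passed."""
    ranges, reservations = parse_dnsmasq(conf_text)
    findings = []

    def covered(ip):
        return any(net is not None and ip in net for _, _, net in ranges)

    for start, end, net in ranges:
        pool = f"dhcp-range {start}-{end}"
        if net is not None and start <= net.broadcast_address <= end:
            findings.append(f"{pool} includes the broadcast address {net.broadcast_address}")
        for r in router_ips:
            if start <= r <= end:
                findings.append(f"{pool} includes the router's own address {r}")

    for ip, mac in reservations.items():
        if not covered(ip):
            findings.append(f"dhcp-host {mac} -> {ip} is outside every dhcp-range subnet, so the reservation is never offered")

    for src, zone, target, proto, port in parse_dnat_rules(rules_text):
        rule = f"DNAT {src}->{zone}:{target} {proto}/{port}"
        if target not in reservations:
            findings.append(f"{rule} targets an address with no dhcp-host reservation; the lease could move to another host")
        if not covered(target):
            findings.append(f"{rule} targets an address outside every DHCP subnet")
    return findings


if __name__ == "__main__":
    for finding in audit(DNSMASQ_CONF, SHOREWALL_RULES):
        print("FINDING:", finding)
```

Run against the posted config it reports four findings (both pools include their broadcast address, the DMZ pool includes 10.0.0.1, and the 176.16.50.2 reservation is outside every pool) and nothing for the 26299 rules, because 10.0.0.62 is reserved. Point it at the real /etc/dnsmasq.conf and /etc/shorewall/rules after each change so a forward never outlives the reservation it depends on.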