
#1 2019-07-25 04:05:33

tehbrozor
Member
Registered: 2019-07-25
Posts: 3

[SOLVED] DNAT trouble with shorewall to a server on a DMZ

Hello gang,

I have followed the archlinux 'router' tutorial to set up a firewall/router with 3 NICs. I have some experience with Ubuntu and Debian distros (always learning!) but decided to try archlinux for this router project after some glowing testimonials from a very tech-savvy friend. This is certainly the most ambitious project I've attempted so far; the learning opportunities have been rewarding, but it also means there's a lot of variables that I may not be keeping straight.
The router is running the newest version of archlinux (I think!?)

$ uname -a
Linux cerberus 5.2.1-arch1-1-ARCH #1 SMP PREEMPT Sun Jul 14 14:52:52 UTC 2019 x86_64 GNU/Linux

I used this method in shorewall to rename my interfaces using MAC addresses: extern0 (w/ dynamic IP from ISP), intern0 (called dmz in shorewall) and intern1 (loc). On the DMZ I have a single computer with a static IP that is running two server daemons: sshd and a webapp I'm trying to develop (deployed(?) using waitress-serve). This host also runs a no-ip client to update a ddns.net address. The loc interface (intern1) runs to a wifi access point/switch thing. From my laptop (on the loc LAN) I can ssh into the server using the DMZ's local IP (10.0.0.62; the router's interface on that side is 10.0.0.1 and to the best of my knowledge that is the gateway on the server). When using an external IP (cell phone tethering) I can ssh into the server using my no-ip.com domain. What I can't get is a web service to work. My main goal is to serve up a flask application I'm working on. It is very beta at the moment; it is essentially the flask tutorial that I'm beginning to adapt for my own needs. It works fine using the flask development server and I can interact with it at localhost on my laptop. I've placed it on the server using the steps found with the flask tutorial. While it seems to be working...

$ waitress-serve --call 'solis_wsg:create_app'
Serving on http://0.0.0.0:8080

I also tried using a simple python web server example script (in case the problem was with waitress or the flask app). I cannot access these from either a local address or the no-ip ddns address (using tethering). My question is if there is anything wrong with the way I am approaching the port forwarding. It works for ssh, so I'm worried maybe my ISP just blocks these things? (Is that a thing?) However, even attempts to use non-standard ports directly (username.ddns.net:8080 in my web browser, for example) do not seem to work. I've tried a TON of different versions of DNAT, Web(DNAT), ACCEPT, Web(ACCEPT), REDIRECT, all to try to forward port 80, 443 or even 8080 directly (the default port for waitress); I was trying 7778 and 8081 with the python script. Here is the shorewall dump:

$ cat shorewall_dump 
Shorewall 5.2.3.3 Dump at cerberus - Wed Jul 24 23:13:35 EDT 2019

Shorewall is running
State:Started Wed Jul 24 23:03:59 EDT 2019 from /etc/shorewall/ (/var/lib/shorewall/firewall compiled Wed Jul 24 23:03:58 EDT 2019 by Shorewall version 5.2.3.3)

Counters reset Wed Jul 24 23:03:59 EDT 2019

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  282 40089 net-fw     all  --  extern0 *       0.0.0.0/0            0.0.0.0/0           
  494 37482 loc-fw     all  --  intern1 *       0.0.0.0/0            0.0.0.0/0           
   12   928 dmz-fw     all  --  intern0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "INPUT REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 366K  545M net_frwd   all  --  extern0 *       0.0.0.0/0            0.0.0.0/0           
 300K   15M loc_frwd   all  --  intern1 *       0.0.0.0/0            0.0.0.0/0           
 2338  163K dmz_frwd   all  --  intern0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "FORWARD REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  275 21610 ACCEPT     all  --  *      extern0  0.0.0.0/0            0.0.0.0/0           
  437 65531 fw-loc     all  --  *      intern1  0.0.0.0/0            0.0.0.0/0           
   12  1524 fw-dmz     all  --  *      intern0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "OUTPUT REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain dmz-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    8   640 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    8   640 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
    4   288 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    8   640 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* DNS */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* DNS */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "dmz-fw REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain dmz-loc (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  379 57909 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "dmz-loc REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain dmz_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   180 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    3   180 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
 2338  163K tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
 1959  106K ACCEPT     all  --  *      extern0  0.0.0.0/0            0.0.0.0/0           
  379 57909 dmz-loc    all  --  *      intern1  0.0.0.0/0            0.0.0.0/0           

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain fw-dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   12  1524 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "fw-dmz REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain fw-loc (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  437 65531 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "fw-loc REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain loc-dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  444 30305 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* SSH */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "loc-dmz REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain loc-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  262 19635 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  262 19635 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  233 17907 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
  232 17847 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6222 /* SSH */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
  261 19575 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* DNS */
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* DNS */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "loc-fw REJECT "
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain loc_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  241 40531 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
  241 40531 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
 299K   15M tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
 299K   15M ACCEPT     all  --  *      extern0  0.0.0.0/0            0.0.0.0/0           
  445 30365 loc-dmz    all  --  *      intern0  0.0.0.0/0            0.0.0.0/0           

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logflags (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 4 level 6 prefix "logflags DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net-dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 4764 7128K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* SSH */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.62            tcp dpt:22 ctorigdstport 22
    9   540 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.62            ctorigdst [exernIP] tcp dpt:8080
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "net-dmz DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   30  1641 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
   30  1641 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:67:68
   31  1925 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
  252 38448 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    9   360 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6222 /* SSH */
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
   21  1281 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "net-fw DROP "
   21  1281 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net-loc (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 361K  538M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "net-loc DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain net_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   540 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
    9   540 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW,UNTRACKED
 366K  545M tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
 361K  538M net-loc    all  --  *      intern1  0.0.0.0/0            0.0.0.0/0           
 4773 7128K net-dmz    all  --  *      intern0  0.0.0.0/0            0.0.0.0/0           

Chain reject (10 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BROADCAST
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0           
    0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain sha-lh-17d1d222e8a500df962d (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain sha-rh-6806e78c76f042237b8d (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255

Chain smurflog (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix "smurfs DROP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain smurfs (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0              0.0.0.0/0           
    0     0 smurflog   all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  ADDRTYPE match src-type BROADCAST
    0     0 smurflog   all  --  *      *       224.0.0.0/4          0.0.0.0/0           [goto] 

Chain tcpflags (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x3F/0x29
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x3F/0x00
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x06/0x06
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x05/0x05
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x03/0x03
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x19/0x09
    0     0 logflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp spt:0 flags:0x17/0x02

Log (/var/log/messages)


NAT Table

Chain PREROUTING (policy ACCEPT 522 packets, 54284 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   30  1821 net_dnat   all  --  extern0 *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 270 packets, 20275 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 248 packets, 18099 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 258 packets, 18699 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  478 50767 extern0_masq  all  --  *      extern0  0.0.0.0/0            0.0.0.0/0           

Chain extern0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  227 32488 MASQUERADE  all  --  *      *       176.16.50.0/24       0.0.0.0/0           
    3   180 MASQUERADE  all  --  *      *       10.0.0.62            0.0.0.0/0           

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:10.0.0.62:22
    9   540 DNAT       tcp  --  *      *       0.0.0.0/0            [exernIP]        multiport dports 80,443 to:10.0.0.62:8080

Mangle Table

Chain PREROUTING (policy ACCEPT 669K packets, 560M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 788 packets, 78499 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 668K packets, 560M bytes)
 pkts bytes target     prot opt in     out     source               destination         
  470 27704 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 668K  560M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0xffffff00

Chain OUTPUT (policy ACCEPT 724 packets, 88665 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 669K packets, 560M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Raw Table

Chain PREROUTING (policy ACCEPT 669K packets, 560M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:10080 CT helper amanda
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 flags:0x17/0x02 CT helper ftp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1719 CT helper RAS
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1720 flags:0x17/0x02 CT helper Q.931
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6667 flags:0x17/0x02 CT helper irc
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 CT helper netbios-ns
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723 flags:0x17/0x02 CT helper pptp
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6566 flags:0x17/0x02 CT helper sane
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 CT helper sip
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161 CT helper snmp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:69 CT helper tftp

Chain OUTPUT (policy ACCEPT 724 packets, 88665 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:10080 CT helper amanda
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 flags:0x17/0x02 CT helper ftp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1719 CT helper RAS
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1720 flags:0x17/0x02 CT helper Q.931
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6667 flags:0x17/0x02 CT helper irc
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137 CT helper netbios-ns
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723 flags:0x17/0x02 CT helper pptp
    0     0 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6566 flags:0x17/0x02 CT helper sane
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 CT helper sip
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161 CT helper snmp
    0     0 CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:69 CT helper tftp

Conntrack Table (117 out of 262144)

ipv4     2 udp      17 0 src=[exernIP] dst=65.19.96.252 sport=4561 dport=53 src=65.19.96.252 dst=[exernIP] sport=53 dport=4561 mark=0 zone=0 use=2
ipv4     2 tcp      6 431979 ESTABLISHED src=176.16.50.2 dst=172.217.3.99 sport=60779 dport=443 src=172.217.3.99 dst=[exernIP] sport=443 dport=60779 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=176.16.50.2 dst=52.223.227.105 sport=60097 dport=443 src=52.223.227.105 dst=[exernIP] sport=443 dport=60097 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 88 src=176.16.50.2 dst=172.217.10.238 sport=61042 dport=443 src=172.217.10.238 dst=[exernIP] sport=443 dport=61042 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 98 TIME_WAIT src=176.16.50.2 dst=104.16.31.34 sport=43216 dport=443 src=104.16.31.34 dst=[exernIP] sport=443 dport=43216 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 25 FIN_WAIT src=176.16.50.2 dst=173.194.66.188 sport=52247 dport=5228 src=173.194.66.188 dst=[exernIP] sport=5228 dport=52247 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 0 src=176.16.50.2 dst=176.16.50.1 sport=41467 dport=53 src=176.16.50.1 dst=176.16.50.2 sport=53 dport=41467 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=176.16.50.2 dst=23.60.89.50 sport=59790 dport=443 src=23.60.89.50 dst=[exernIP] sport=443 dport=59790 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 82 TIME_WAIT src=176.16.50.2 dst=172.217.6.194 sport=36966 dport=443 src=172.217.6.194 dst=[exernIP] sport=443 dport=36966 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431966 ESTABLISHED src=176.16.50.2 dst=172.217.3.101 sport=59817 dport=443 src=172.217.3.101 dst=[exernIP] sport=443 dport=59817 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 205904 ESTABLISHED src=176.16.50.2 dst=173.194.207.188 sport=48538 dport=5228 src=173.194.207.188 dst=[exernIP] sport=5228 dport=48538 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 28 TIME_WAIT src=176.16.50.2 dst=3.19.80.222 sport=60957 dport=443 src=3.19.80.222 dst=[exernIP] sport=443 dport=60957 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 78 TIME_WAIT src=176.16.50.2 dst=104.20.187.5 sport=52072 dport=443 src=104.20.187.5 dst=[exernIP] sport=443 dport=52072 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 79 TIME_WAIT src=176.16.50.2 dst=172.217.6.205 sport=40490 dport=443 src=172.217.6.205 dst=[exernIP] sport=443 dport=40490 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431807 ESTABLISHED src=176.16.50.2 dst=198.252.206.25 sport=51148 dport=443 src=198.252.206.25 dst=[exernIP] sport=443 dport=51148 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 73 TIME_WAIT src=176.16.50.2 dst=172.217.9.234 sport=50464 dport=443 src=172.217.9.234 dst=[exernIP] sport=443 dport=50464 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431961 ESTABLISHED src=176.16.50.2 dst=184.25.176.117 sport=59899 dport=443 src=184.25.176.117 dst=[exernIP] sport=443 dport=59899 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 79 TIME_WAIT src=176.16.50.2 dst=172.217.10.132 sport=54662 dport=443 src=172.217.10.132 dst=[exernIP] sport=443 dport=54662 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431924 ESTABLISHED src=176.16.50.2 dst=54.152.84.208 sport=51044 dport=2350 src=54.152.84.208 dst=[exernIP] sport=2350 dport=51044 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 100 TIME_WAIT src=176.16.50.2 dst=172.217.11.2 sport=39106 dport=443 src=172.217.11.2 dst=[exernIP] sport=443 dport=39106 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431815 ESTABLISHED src=176.16.50.2 dst=172.217.10.132 sport=60961 dport=443 src=172.217.10.132 dst=[exernIP] sport=443 dport=60961 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 98 TIME_WAIT src=176.16.50.2 dst=13.33.87.20 sport=60302 dport=443 src=13.33.87.20 dst=[exernIP] sport=443 dport=60302 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 289844 ESTABLISHED src=176.16.50.2 dst=209.85.232.188 sport=39136 dport=5228 src=209.85.232.188 dst=[exernIP] sport=5228 dport=39136 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 20 TIME_WAIT src=176.16.50.2 dst=172.217.12.206 sport=58106 dport=443 src=172.217.12.206 dst=[exernIP] sport=443 dport=58106 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431773 ESTABLISHED src=176.16.50.2 dst=52.10.251.85 sport=40334 dport=443 src=52.10.251.85 dst=[exernIP] sport=443 dport=40334 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431815 ESTABLISHED src=176.16.50.2 dst=172.217.11.42 sport=46700 dport=443 src=172.217.11.42 dst=[exernIP] sport=443 dport=46700 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431628 ESTABLISHED src=176.16.50.2 dst=10.0.0.62 sport=43788 dport=22 src=10.0.0.62 dst=176.16.50.2 sport=22 dport=43788 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431412 ESTABLISHED src=176.16.50.2 dst=52.94.240.157 sport=53598 dport=443 src=52.94.240.157 dst=[exernIP] sport=443 dport=53598 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 0 src=176.16.50.2 dst=172.29.243.255 sport=1975 dport=1975 [UNREPLIED] src=172.29.243.255 dst=[exernIP] sport=1975 dport=1975 mark=0 zone=0 use=2
ipv4     2 tcp      6 98 TIME_WAIT src=176.16.50.2 dst=172.217.9.225 sport=44010 dport=443 src=172.217.9.225 dst=[exernIP] sport=443 dport=44010 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431974 ESTABLISHED src=176.16.50.2 dst=52.25.0.83 sport=59843 dport=443 src=52.25.0.83 dst=[exernIP] sport=443 dport=59843 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431977 ESTABLISHED src=176.16.50.2 dst=52.35.72.231 sport=59844 dport=443 src=52.35.72.231 dst=[exernIP] sport=443 dport=59844 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 14 TIME_WAIT src=176.16.50.2 dst=172.217.6.226 sport=40336 dport=443 src=172.217.6.226 dst=[exernIP] sport=443 dport=40336 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 79 TIME_WAIT src=176.16.50.2 dst=172.217.9.227 sport=60790 dport=443 src=172.217.9.227 dst=[exernIP] sport=443 dport=60790 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431989 ESTABLISHED src=176.16.50.2 dst=162.125.18.133 sport=60886 dport=443 src=162.125.18.133 dst=[exernIP] sport=443 dport=60886 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=[exernIP] dst=65.19.96.253 sport=46589 dport=53 src=65.19.96.253 dst=[exernIP] sport=53 dport=46589 mark=0 zone=0 use=2
ipv4     2 tcp      6 431976 ESTABLISHED src=176.16.50.2 dst=52.230.222.68 sport=59755 dport=443 src=52.230.222.68 dst=[exernIP] sport=443 dport=59755 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 115 src=176.16.50.2 dst=92.123.65.111 sport=63219 dport=3478 src=92.123.65.111 dst=[exernIP] sport=3478 dport=63219 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 6 TIME_WAIT src=176.16.50.2 dst=172.217.10.2 sport=42596 dport=443 src=172.217.10.2 dst=[exernIP] sport=443 dport=42596 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 98 TIME_WAIT src=176.16.50.2 dst=172.217.10.14 sport=57596 dport=443 src=172.217.10.14 dst=[exernIP] sport=443 dport=57596 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 75 TIME_WAIT src=176.16.50.2 dst=50.16.241.130 sport=41110 dport=443 src=50.16.241.130 dst=[exernIP] sport=443 dport=41110 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 5 src=[exernIP] dst=65.19.96.252 sport=8865 dport=53 src=65.19.96.252 dst=[exernIP] sport=53 dport=8865 mark=0 zone=0 use=2
ipv4     2 tcp      6 431909 ESTABLISHED src=176.16.50.2 dst=52.20.53.204 sport=60002 dport=443 src=52.20.53.204 dst=[exernIP] sport=443 dport=60002 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=176.16.50.2 dst=176.16.50.1 sport=60072 dport=53 src=176.16.50.1 dst=176.16.50.2 sport=53 dport=60072 mark=0 zone=0 use=2
ipv4     2 tcp      6 378990 ESTABLISHED src=176.16.50.2 dst=108.177.127.188 sport=40976 dport=5228 src=108.177.127.188 dst=[exernIP] sport=5228 dport=40976 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431995 ESTABLISHED src=176.16.50.2 dst=52.34.149.82 sport=59845 dport=443 src=52.34.149.82 dst=[exernIP] sport=443 dport=59845 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 19 TIME_WAIT src=176.16.50.2 dst=172.217.9.227 sport=60794 dport=443 src=172.217.9.227 dst=[exernIP] sport=443 dport=60794 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431993 ESTABLISHED src=176.16.50.2 dst=52.35.67.56 sport=59854 dport=443 src=52.35.67.56 dst=[exernIP] sport=443 dport=59854 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 5 src=176.16.50.2 dst=176.16.50.1 sport=37879 dport=53 src=176.16.50.1 dst=176.16.50.2 sport=53 dport=37879 mark=0 zone=0 use=2
ipv4     2 tcp      6 431815 ESTABLISHED src=176.16.50.2 dst=172.217.11.35 sport=47871 dport=80 src=172.217.11.35 dst=[exernIP] sport=80 dport=47871 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431955 ESTABLISHED src=176.16.50.2 dst=52.6.88.49 sport=60902 dport=443 src=52.6.88.49 dst=[exernIP] sport=443 dport=60902 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 98 TIME_WAIT src=176.16.50.2 dst=172.217.7.2 sport=53178 dport=443 src=172.217.7.2 dst=[exernIP] sport=443 dport=53178 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431996 ESTABLISHED src=176.16.50.2 dst=151.101.66.167 sport=59868 dport=443 src=151.101.66.167 dst=[exernIP] sport=443 dport=59868 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 20 TIME_WAIT src=176.16.50.2 dst=172.217.12.138 sport=59112 dport=443 src=172.217.12.138 dst=[exernIP] sport=443 dport=59112 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 19 TIME_WAIT src=176.16.50.2 dst=104.19.195.151 sport=56176 dport=443 src=104.19.195.151 dst=[exernIP] sport=443 dport=56176 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431805 ESTABLISHED src=176.16.50.2 dst=151.101.210.214 sport=36394 dport=443 src=151.101.210.214 dst=[exernIP] sport=443 dport=36394 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 82 src=176.16.50.2 dst=23.212.54.225 sport=63219 dport=3478 src=23.212.54.225 dst=[exernIP] sport=3478 dport=63219 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 78 TIME_WAIT src=176.16.50.2 dst=172.217.10.2 sport=42652 dport=443 src=172.217.10.2 dst=[exernIP] sport=443 dport=42652 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 82 TIME_WAIT src=176.16.50.2 dst=107.20.240.232 sport=58872 dport=443 src=107.20.240.232 dst=[exernIP] sport=443 dport=58872 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431968 ESTABLISHED src=176.16.50.2 dst=3.19.80.222 sport=60960 dport=443 src=3.19.80.222 dst=[exernIP] sport=443 dport=60960 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=176.16.50.2 dst=176.16.50.1 sport=50176 dport=6222 src=176.16.50.1 dst=176.16.50.2 sport=6222 dport=50176 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 288739 ESTABLISHED src=176.16.50.2 dst=74.125.20.188 sport=48808 dport=5228 src=74.125.20.188 dst=[exernIP] sport=5228 dport=48808 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 107 src=176.16.50.2 dst=95.101.182.5 sport=63218 dport=3478 src=95.101.182.5 dst=[exernIP] sport=3478 dport=63218 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 260461 ESTABLISHED src=176.16.50.2 dst=173.194.68.188 sport=49126 dport=5228 src=173.194.68.188 dst=[exernIP] sport=5228 dport=49126 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 28 src=176.16.50.2 dst=193.47.166.28 sport=123 dport=123 src=193.47.166.28 dst=[exernIP] sport=123 dport=123 mark=0 zone=0 use=2
ipv4     2 tcp      6 431686 ESTABLISHED src=176.16.50.2 dst=104.16.65.50 sport=44954 dport=443 src=104.16.65.50 dst=[exernIP] sport=443 dport=44954 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=176.16.50.2 dst=64.62.190.177 sport=123 dport=123 src=64.62.190.177 dst=[exernIP] sport=123 dport=123 mark=0 zone=0 use=2
ipv4     2 tcp      6 431930 ESTABLISHED src=176.16.50.2 dst=173.194.205.188 sport=46680 dport=5228 src=173.194.205.188 dst=[exernIP] sport=5228 dport=46680 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 118 src=176.16.50.2 dst=141.207.137.233 sport=44207 dport=4500 src=141.207.137.233 dst=[exernIP] sport=4500 dport=44207 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 430573 ESTABLISHED src=176.16.50.2 dst=10.0.0.62 sport=40540 dport=22 src=10.0.0.62 dst=176.16.50.2 sport=22 dport=40540 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431994 ESTABLISHED src=176.16.50.2 dst=54.158.106.158 sport=60020 dport=443 src=54.158.106.158 dst=[exernIP] sport=443 dport=60020 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431998 ESTABLISHED src=176.16.50.2 dst=52.223.241.20 sport=59947 dport=443 src=52.223.241.20 dst=[exernIP] sport=443 dport=59947 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 98 TIME_WAIT src=176.16.50.2 dst=172.217.12.161 sport=49004 dport=443 src=172.217.12.161 dst=[exernIP] sport=443 dport=49004 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 98 TIME_WAIT src=176.16.50.2 dst=172.217.11.2 sport=39122 dport=443 src=172.217.11.2 dst=[exernIP] sport=443 dport=39122 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431998 ESTABLISHED src=176.16.50.2 dst=199.232.38.49 sport=59809 dport=443 src=199.232.38.49 dst=[exernIP] sport=443 dport=59809 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 79 TIME_WAIT src=176.16.50.2 dst=172.217.12.162 sport=36534 dport=443 src=172.217.12.162 dst=[exernIP] sport=443 dport=36534 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 19 TIME_WAIT src=176.16.50.2 dst=173.194.207.157 sport=53268 dport=443 src=173.194.207.157 dst=[exernIP] sport=443 dport=53268 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431997 ESTABLISHED src=176.16.50.2 dst=162.216.56.110 sport=60894 dport=443 src=162.216.56.110 dst=[exernIP] sport=443 dport=60894 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 3 src=176.16.50.2 dst=198.46.223.227 sport=123 dport=123 src=198.46.223.227 dst=[exernIP] sport=123 dport=123 mark=0 zone=0 use=2
ipv4     2 udp      17 76 src=176.16.50.2 dst=172.217.3.99 sport=61021 dport=443 src=172.217.3.99 dst=[exernIP] sport=443 dport=61021 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 204320 ESTABLISHED src=176.16.50.2 dst=173.194.66.188 sport=43134 dport=5228 src=173.194.66.188 dst=[exernIP] sport=5228 dport=43134 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431980 ESTABLISHED src=176.16.50.2 dst=151.101.210.167 sport=59876 dport=443 src=151.101.210.167 dst=[exernIP] sport=443 dport=59876 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=176.16.50.2 dst=52.94.227.146 sport=47942 dport=443 src=52.94.227.146 dst=[exernIP] sport=443 dport=47942 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=176.16.50.2 dst=173.194.68.188 sport=59801 dport=5228 src=173.194.68.188 dst=[exernIP] sport=5228 dport=59801 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 98 TIME_WAIT src=176.16.50.2 dst=192.0.73.2 sport=39966 dport=443 src=192.0.73.2 dst=[exernIP] sport=443 dport=39966 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431997 ESTABLISHED src=176.16.50.2 dst=162.250.5.71 sport=59708 dport=5938 src=162.250.5.71 dst=[exernIP] sport=5938 dport=59708 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 99 src=176.16.50.2 dst=23.41.177.66 sport=63219 dport=3478 src=23.41.177.66 dst=[exernIP] sport=3478 dport=63219 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431997 ESTABLISHED src=176.16.50.2 dst=162.216.56.110 sport=60889 dport=443 src=162.216.56.110 dst=[exernIP] sport=443 dport=60889 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431985 ESTABLISHED src=176.16.50.2 dst=52.207.122.21 sport=60848 dport=443 src=52.207.122.21 dst=[exernIP] sport=443 dport=60848 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 5 CLOSE src=176.16.50.2 dst=72.21.206.56 sport=53134 dport=443 src=72.21.206.56 dst=[exernIP] sport=443 dport=53134 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 114 src=176.16.50.2 dst=173.194.207.189 sport=53843 dport=443 src=173.194.207.189 dst=[exernIP] sport=443 dport=53843 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431996 ESTABLISHED src=176.16.50.2 dst=162.125.18.133 sport=60228 dport=443 src=162.125.18.133 dst=[exernIP] sport=443 dport=60228 [ASSURED] mark=0 zone=0 use=2

IP Configuration

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: intern1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 176.16.50.1/24 brd 176.16.50.255 scope global intern1
       valid_lft forever preferred_lft forever
3: intern0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.0.0.1/24 brd 10.0.0.255 scope global intern0
       valid_lft forever preferred_lft forever
4: extern0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet [exernIP]/22 brd 24.189.15.255 scope global noprefixroute extern0
       valid_lft forever preferred_lft forever

IP Stats

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast   
    560        5        0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    560        5        0       0       0       0       
2: intern1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:72:63:dc:89:78 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    1211739718 13517644 0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    67814373278 46720981 0       0       0       0       
3: intern0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:72:63:dc:89:5f brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    4711077    48294    0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    143317839  111700   0       0       0       0       
4: extern0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether bc:5f:f4:9c:12:f7 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    68500520233 50747827 0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    1218858023 13617909 0       0       0       0       

Routing Rules

0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

Table default:


Table local:

local [exernIP] dev extern0 proto kernel scope host src [exernIP]
local 176.16.50.1 dev intern1 proto kernel scope host src 176.16.50.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 10.0.0.1 dev intern0 proto kernel scope host src 10.0.0.1
broadcast 24.189.15.255 dev extern0 proto kernel scope link src [exernIP]
broadcast 24.189.12.0 dev extern0 proto kernel scope link src [exernIP]
broadcast 176.16.50.255 dev intern1 proto kernel scope link src 176.16.50.1
broadcast 176.16.50.0 dev intern1 proto kernel scope link src 176.16.50.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 10.0.0.255 dev intern0 proto kernel scope link src 10.0.0.1
broadcast 10.0.0.0 dev intern0 proto kernel scope link src 10.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

Table main:

176.16.50.0/24 dev intern1 proto kernel scope link src 176.16.50.1
10.0.0.0/24 dev intern0 proto kernel scope link src 10.0.0.1
24.189.12.0/22 dev extern0 proto dhcp scope link src [exernIP] metric 204
default via 24.189.12.1 dev extern0 proto dhcp src [exernIP] metric 204

Per-IP Counters

   iptaccount is not installed

NF Accounting

No NF Accounting defined (nfacct not found)

Events


PFKEY SPD


PFKEY SAD


/proc

   /proc/version = Linux version 5.2.1-arch1-1-ARCH (builduser@heftig-55221) (gcc version 9.1.0 (GCC)) #1 SMP PREEMPT Sun Jul 14 14:52:52 UTC 2019
   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/arp_ignore = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 0
   /proc/sys/net/ipv4/conf/all/log_martians = 0
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/arp_ignore = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 0
   /proc/sys/net/ipv4/conf/default/log_martians = 1
   /proc/sys/net/ipv4/conf/extern0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/extern0/arp_filter = 0
   /proc/sys/net/ipv4/conf/extern0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/extern0/rp_filter = 1
   /proc/sys/net/ipv4/conf/extern0/log_martians = 1
   /proc/sys/net/ipv4/conf/intern0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/intern0/arp_filter = 0
   /proc/sys/net/ipv4/conf/intern0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/intern0/rp_filter = 1
   /proc/sys/net/ipv4/conf/intern0/log_martians = 1
   /proc/sys/net/ipv4/conf/intern1/proxy_arp = 0
   /proc/sys/net/ipv4/conf/intern1/arp_filter = 0
   /proc/sys/net/ipv4/conf/intern1/arp_ignore = 0
   /proc/sys/net/ipv4/conf/intern1/rp_filter = 1
   /proc/sys/net/ipv4/conf/intern1/log_martians = 1
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 0
   /proc/sys/net/ipv4/conf/lo/log_martians = 1

ARP

24.189.12.1 dev extern0 lladdr 00:01:5c:7d:b4:4f DELAY
10.0.0.62 dev intern0 lladdr e8:40:f2:a6:a2:a1 STALE
176.16.50.2 dev intern1 lladdr 04:92:26:8c:c4:98 REACHABLE

Modules

ip_tables              36864  10 iptable_filter,iptable_raw,iptable_nat,iptable_mangle
ipt_REJECT             16384  4
iptable_filter         16384  1
iptable_mangle         16384  1
iptable_nat            16384  1
iptable_raw            16384  1
nf_conntrack          172032  25 xt_conntrack,nf_nat_irc,nf_nat,nf_conntrack_tftp,nf_nat_ftp,nf_conntrack_pptp,nf_conntrack_netbios_ns,nf_conntrack_sane,xt_nat,nf_nat_tftp,nf_nat_amanda,nf_conntrack_sip,nf_conntrack_h323,nf_nat_pptp,nf_conntrack_broadcast,nf_conntrack_irc,nf_conntrack_amanda,nf_conntrack_netlink,nf_conntrack_ftp,xt_CT,nf_nat_h323,nf_conntrack_snmp,nf_nat_snmp_basic,xt_MASQUERADE,nf_nat_sip
nf_conntrack_amanda    16384  3 nf_nat_amanda
nf_conntrack_broadcast    16384  2 nf_conntrack_netbios_ns,nf_conntrack_snmp
nf_conntrack_ftp       24576  3 nf_nat_ftp
nf_conntrack_h323      86016  5 nf_nat_h323
nf_conntrack_irc       20480  3 nf_nat_irc
nf_conntrack_netbios_ns    16384  2
nf_conntrack_netlink    61440  0
nf_conntrack_pptp      20480  3 nf_nat_pptp
nf_conntrack_sane      20480  2
nf_conntrack_sip       40960  3 nf_nat_sip
nf_conntrack_snmp      16384  3 nf_nat_snmp_basic
nf_conntrack_tftp      20480  3 nf_nat_tftp
nf_defrag_ipv4         16384  1 nf_conntrack
nf_defrag_ipv6         24576  1 nf_conntrack
nf_log_common          16384  2 nf_log_ipv4,nf_log_ipv6
nf_log_ipv4            16384  14
nf_log_ipv6            16384  0
nf_nat                 53248  10 nf_nat_irc,nf_nat_ftp,xt_nat,nf_nat_tftp,nf_nat_amanda,nf_nat_pptp,nf_nat_h323,iptable_nat,xt_MASQUERADE,nf_nat_sip
nf_nat_amanda          16384  0
nf_nat_ftp             20480  0
nf_nat_h323            24576  0
nf_nat_irc             20480  0
nf_nat_pptp            20480  0
nf_nat_sip             20480  0
nf_nat_snmp_basic      20480  0
nf_nat_tftp            16384  0
nf_reject_ipv4         16384  1 ipt_REJECT
nf_reject_ipv6         20480  1 ip6t_REJECT
xt_CT                  16384  22
xt_LOG                 20480  14
xt_MASQUERADE          20480  2
xt_NFLOG               16384  0
xt_TCPMSS              16384  1
xt_addrtype            16384  38
xt_comment             16384  14
xt_conntrack           16384  26
xt_hashlimit           20480  14
xt_hl                  16384  0
xt_limit               16384  0
xt_mark                16384  1
xt_multiport           20480  1
xt_nat                 16384  2
xt_recent              24576  1
xt_tcpudp              20480  42

Shorewall has detected the following iptables/netfilter capabilities:
   --nflog-size support (NFLOG_SIZE): Available
   ACCOUNT Target (ACCOUNT_TARGET): Not available
   AUDIT Target (AUDIT_TARGET): Not available
   Address Type Match (ADDRTYPE): Available
   Amanda Helper: Available
   Arptables JF (ARPTABLESJF): Not available
   Basic Ematch (BASIC_EMATCH): Available
   Basic Filter (BASIC_FILTER): Available
   CLASSIFY Target (CLASSIFY_TARGET): Not available
   CONNMARK Target (CONNMARK): Not available
   CT Target (CT_TARGET): Available
   Capabilities Version (CAPVERSION): 50200
   Checksum Target (CHECKSUM_TARGET): Not available
   Comments (COMMENTS): Available
   Condition Match (CONDITION_MATCH): Not available
   Connection Tracking Match (CONNTRACK_MATCH): Available
   Connlimit Match (CONNLIMIT_MATCH): Not available
   Connmark Match (CONNMARK_MATCH): Not available
   DSCP Match (DSCP_MATCH): Not available
   DSCP Target (DSCP_TARGET): Not available
   Enhanced Multi-port Match (EMULIPORT): Available
   Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
   Extended MARK Target (XMARK): Available
   Extended MARK Target 2 (EXMARK): Available
   Extended Multi-port Match (XMULIPORT): Available
   Extended REJECT (ENHANCED_REJECT): Available
   FLOW Classifier (FLOW_FILTER): Available
   FTP Helper: Available
   FTP-0 Helper: Not available
   Geo IP Match (GEOIP_MATCH): Not available
   Goto Support (GOTO_TARGET): Available
   H323 Helper: Available
   Hashlimit Match (HASHLIMIT_MATCH): Available
   Header Match (HEADER_MATCH): Not available
   Helper Match (HELPER_MATCH): Not available
   IMQ Target (IMQ_TARGET): Not available
   INPUT chain in nat table (NAT_INPUT_CHAIN): Available
   IP range Match(IPRANGE_MATCH): Not available
   IPMARK Target (IPMARK_TARGET): Not available
   IPP2P Match (IPP2P_MATCH): Not available
   IRC Helper: Available
   IRC-0 Helper: Not available
   Iface Match (IFACE_MATCH): Not available
   Ipset Match (IPSET_MATCH): Not available
   Kernel Version (KERNELVERSION): 50201
   LOG Target (LOG_TARGET): Available
   LOGMARK Target (LOGMARK_TARGET): Not available
   MARK Target (MARK): Available
   MASQUERADE Target (MASQUERADE_TGT): Available
   Mangle FORWARD Chain (MANGLE_FORWARD): Available
   Mark in the filter table (MARK_ANYWHERE): Available
   Multi-port Match (MULTIPORT): Available
   NAT (NAT_ENABLED): Available
   NETMAP Target (NETMAP_TARGET): Not available
   NFAcct Match: Not available
   NFLOG Target (NFLOG_TARGET): Available
   NFQUEUE CPU Fanout (CPU_FANOUT): Not available
   NFQUEUE Target (NFQUEUE_TARGET): Not available
   Netbios_ns Helper: Available
   New tos Match (NEW_TOS_MATCH): Not available
   Owner Match (OWNER_MATCH): Not available
   Owner Name Match (OWNER_NAME_MATCH): Not available
   PPTP Helper: Available
   Packet Mangling (MANGLE_ENABLED): Available
   Packet length Match (LENGTH_MATCH): Not available
   Persistent SNAT (PERSISTENT_SNAT): Available
   Physdev Match (PHYSDEV_MATCH): Not available
   Physdev-is-bridged Support (PHYSDEV_BRIDGE): Not available
   Policy Match (POLICY_MATCH): Not available
   RPFilter Match (RPFILTER_MATCH): Not available
   Raw Table (RAW_TABLE): Available
   Realm Match (REALM_MATCH): Not available
   Recent Match "--reap" option (REAP_OPTION): Available
   Recent Match (RECENT_MATCH): Available
   Repeat match (KLUDGEFREE): Not available
   SANE Helper: Available
   SANE-0 Helper: Not available
   SIP Helper: Available
   SIP-0 Helper: Not available
   SNMP Helper: Available
   Statistic Match (STATISTIC_MATCH): Not available
   TARPIT Target (TARPIT_TARGET): Not available
   TCPMSS Match (TCPMSS_MATCH): Not available
   TCPMSS Target (TCPMSS_TARGET): Available
   TFTP Helper: Available
   TFTP-0 Helper: Not available
   TPROXY Target (TPROXY_TARGET): Not available
   Time Match (TIME_MATCH): Not available
   UDPLITE Port Redirection (UDPLITEREDIRECT): Not available
   ULOG Target (ULOG_TARGET): Not available
   fwmark route mask (FWMARK_RT_MASK): Available
   ipset V5 (IPSET_V5): Not available
   iptables --wait option (WAIT_OPTION): Available
   iptables -S (IPTABLES_S): Available
   iptables-restore --wait option (RESTORE_WAIT_OPTION): Available

Netid   State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port
udp     UNCONN   0        0                0.0.0.0:53            0.0.0.0:*       users:(("dnsmasq",pid=501,fd=6))
udp     UNCONN   0        0                0.0.0.0:67            0.0.0.0:*       users:(("dnsmasq",pid=501,fd=4))
udp     UNCONN   0        0                0.0.0.0:68            0.0.0.0:*       users:(("dhcpcd",pid=428,fd=13))
tcp     LISTEN   0        0                0.0.0.0:6222          0.0.0.0:*       users:(("sshd",pid=4698,fd=3))
tcp     LISTEN   0        0                0.0.0.0:53            0.0.0.0:*       users:(("dnsmasq",pid=501,fd=7))
tcp     ESTAB    0        0            176.16.50.1:6222      176.16.50.2:50176   users:(("sshd",pid=12101,fd=4),("sshd",pid=12099,fd=4))

Traffic Control

Device lo:
qdisc noqueue 0: root refcnt 2 
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
 backlog 0b 0p requeues 0


Device intern1:
qdisc fq_codel 0: root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn 
 Sent 67815075800 bytes 46721465 pkt (dropped 0, overlimits 0 requeues 7757) 
 backlog 0b 0p requeues 7757
  maxpacket 27252 drop_overlimit 0 new_flow_count 1759 ecn_mark 0
  new_flows_len 0 old_flows_len 0


Device intern0:
qdisc fq_codel 0: root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn 
 Sent 143317839 bytes 111700 pkt (dropped 0, overlimits 0 requeues 1) 
 backlog 0b 0p requeues 1
  maxpacket 1514 drop_overlimit 0 new_flow_count 15 ecn_mark 0
  new_flows_len 0 old_flows_len 0


Device extern0:
qdisc fq_codel 0: root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn 
 Sent 1179649692 bytes 13618270 pkt (dropped 0, overlimits 0 requeues 373) 
 backlog 0b 0p requeues 373
  maxpacket 17208 drop_overlimit 0 new_flow_count 106 ecn_mark 0
  new_flows_len 0 old_flows_len 0



TC Filters

Device lo:

Device intern1:

Device intern0:

Device extern0:

Note that there were several attempts to log in from an outside (cell-phone-tethered) client since resetting the counters (per DNAT FAQ 1b); the number of packets is non-zero, right?
Here is the current shorewall/rules:

$ cat /etc/shorewall/rules
#
# Shorewall - Sample Rules File for three-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-rules"
######################################################################################################################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
#							PORT	PORT(S)		DEST		LIMIT		GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

#       Don't allow connection pickup from the net
#
Invalid(DROP)	net		all		tcp
#
#	Accept DNS connections from the firewall to the Internet
#
DNS(ACCEPT)	$FW		net
#
#
#	Accept SSH connections from the other networks to the firewall and DMZ
#
SSH(ACCEPT)     loc             $FW		tcp	6222
SSH(ACCEPT)     loc             dmz		tcp	22
SSH(ACCEPT)	net		$FW		tcp	6222
SSH(ACCEPT)	net		dmz		tcp	22
#
#	DMZ DNS access to the Internet
#
DNS(ACCEPT)	dmz		net


# Drop Ping from the "bad" net zone.

Ping(DROP)   	net             $FW

#
#       Make ping work bi-directionally between the dmz, net, Firewall and local zone
#       (assumes that the loc-> net policy is ACCEPT).
#

Ping(ACCEPT)    loc             $FW
Ping(ACCEPT)    dmz             $FW
Ping(ACCEPT)    loc             dmz
Ping(ACCEPT)    dmz             loc
Ping(ACCEPT)    dmz             net
Ping(ACCEPT)	loc		net

ACCEPT		$FW		net		icmp
ACCEPT		$FW		loc		icmp
ACCEPT		$FW		dmz		icmp

# Uncomment this if using Proxy ARP and static NAT and you want to allow ping from
# the net zone to the dmz and loc

Ping(ACCEPT)    net             dmz
#Ping(ACCEPT)    net             loc

# ------------FW's--------------
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
#							PORT	PORT(S)		DEST		LIMIT		GROUP
DNS(ACCEPT)	loc		$FW
DNS(ACCEPT)	dmz		$FW
# ------for server
DNAT		net		dmz:10.0.0.62:22 tcp	22

DNAT		net		dmz:10.0.0.62:8080 tcp	80,443	-		&extern0

As I said before, I've tried many, many different versions of that last DNAT rule. The one that is there now was suggested in the three-interface port-forwarding guide for people who have a dynamic IP from their ISP.
Here is the rest of my config:

$ cat /etc/shorewall/snat
#
# Shorewall - Sample SNAT/Masqueradee File for three-interface configuration.
# Copyright (C) 2006-2017 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-snat"
#
# See http://shorewall.net/manpages/shorewall-snat.html for more information
###########################################################################################################################################
#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
#
# Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
#
MASQUERADE		176.16.50.0/24		extern0
MASQUERADE		10.0.0.62		extern0
$ cat /etc/shorewall/zones  
#
# Shorewall - Sample Zones File for three-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-zones"
###############################################################################
#ZONE	TYPE	OPTIONS			IN			OUT
#					OPTIONS			OPTIONS
fw	firewall
net	ipv4
loc	ipv4
dmz	ipv4
$ cat /etc/shorewall/interfaces
#
# Shorewall - Sample Interfaces File for three-interface configuration.
# Copyright (C) 2006-2017 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
?FORMAT 2
###############################################################################
#ZONE	INTERFACE	OPTIONS
net     extern0          tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=extern0
loc     intern1          tcpflags,nosmurfs,routefilter,logmartians,physical=intern1
dmz     intern0          tcpflags,nosmurfs,routefilter,logmartians,physical=intern0
$ cat /etc/shorewall/policy
#
# Shorewall - Sample Policy File for three-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-policy"
###############################################################################
#SOURCE	DEST		POLICY		LOGLEVEL	RATE	CONNLIMIT
$FW	net		ACCEPT
loc	net		ACCEPT
dmz	net		ACCEPT
net	all		DROP		$LOG_LEVEL
# THE FOLLOWING POLICY MUST BE LAST
all	all		REJECT		$LOG_LEVEL
$ cat /etc/shorewall/shorewall.conf
###############################################################################
#
# Shorewall - Sample shorewall.conf for three-interface
#                         configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#
# For information about the settings in this file, type "man shorewall.conf"
#
# The manpage is also online at
# http://shorewall.net/manpages/shorewall.conf.html
#
###############################################################################
STARTUP_ENABLED=Yes

###############################################################################
#		              V E R B O S I T Y
###############################################################################

VERBOSITY=1

###############################################################################
#			        P A G E R
###############################################################################

PAGER=

###############################################################################
#			     F I R E W A L L
###############################################################################

FIREWALL=

###############################################################################
#		                L O G G I N G
###############################################################################

LOG_LEVEL="info"

BLACKLIST_LOG_LEVEL=

INVALID_LOG_LEVEL=

LOG_BACKEND=

LOG_MARTIANS=Yes

LOG_VERBOSITY=2

LOG_ZONE=Both

LOGALLNEW=

LOGFILE=/var/log/messages

LOGFORMAT="%s %s "

LOGTAGONLY=No

LOGLIMIT="s:1/sec:10"

MACLIST_LOG_LEVEL="$LOG_LEVEL"

RELATED_LOG_LEVEL=

RPFILTER_LOG_LEVEL="$LOG_LEVEL"

SFILTER_LOG_LEVEL="$LOG_LEVEL"

SMURF_LOG_LEVEL="$LOG_LEVEL"

STARTUP_LOG=/var/log/shorewall-init.log

TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"

UNTRACKED_LOG_LEVEL=

###############################################################################
#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
###############################################################################

ARPTABLES=

CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

GEOIPDIR=/usr/share/xt_geoip/LE

IPTABLES=

IP=

IPSET=

LOCKFILE=

MODULESDIR=

NFACCT=

PERL=/usr/bin/perl

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

RESTOREFILE=restore

SHOREWALL_SHELL=/bin/sh

SUBSYSLOCK=

TC=

###############################################################################
#		D E F A U L T   A C T I O N S / M A C R O S
###############################################################################

ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"

###############################################################################
#                        R S H / R C P  C O M M A N D S
###############################################################################

RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'

###############################################################################
#			F I R E W A L L	  O P T I O N S
###############################################################################

ACCOUNTING=Yes

ACCOUNTING_TABLE=filter

ADD_IP_ALIASES=No

ADD_SNAT_ALIASES=No

ADMINISABSENTMINDED=Yes

AUTOCOMMENT=Yes

AUTOHELPERS=Yes

AUTOMAKE=Yes

BALANCE_PROVIDERS=No

BASIC_FILTERS=No

BLACKLIST="NEW,INVALID,UNTRACKED"

CLAMPMSS=Yes

CLEAR_TC=Yes

COMPLETE=No

DEFER_DNS_RESOLUTION=Yes

DISABLE_IPV6=No

DOCKER=No

DELETE_THEN_ADD=Yes

DETECT_DNAT_IPADDRS=No

DONT_LOAD=

DYNAMIC_BLACKLIST=Yes

EXPAND_POLICIES=Yes

EXPORTMODULES=Yes

FASTACCEPT=No

FORWARD_CLEAR_MARK=

HELPERS=

IGNOREUNKNOWNVARIABLES=No

IMPLICIT_CONTINUE=No

IPSET_WARNINGS=Yes

IP_FORWARDING=On

KEEP_RT_TABLES=No

MACLIST_TABLE=filter

MACLIST_TTL=

MANGLE_ENABLED=Yes

MINIUPNPD=No

MARK_IN_FORWARD_CHAIN=No

MULTICAST=No

MUTEX_TIMEOUT=60

NULL_ROUTE_RFC1918=No

OPTIMIZE=All

OPTIMIZE_ACCOUNTING=No

PERL_HASH_SEED=0

REJECT_ACTION=

RENAME_COMBINED=Yes

REQUIRE_INTERFACE=No

RESTART=restart

RESTORE_DEFAULT_ROUTE=Yes

RESTORE_ROUTEMARKS=Yes

RETAIN_ALIASES=No

ROUTE_FILTER=No

SAVE_ARPTABLES=No

SAVE_IPSETS=No

TC_ENABLED=Internal

TC_EXPERT=No

TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

TRACK_PROVIDERS=Yes

TRACK_RULES=No

USE_DEFAULT_RT=Yes

USE_NFLOG_SIZE=No

USE_PHYSICAL_NAMES=No

USE_RT_NAMES=No

VERBOSE_MESSAGES=Yes

WARNOLDCAPVERSION=Yes

WORKAROUNDS=No

ZERO_MARKS=No

ZONE2ZONE=-

###############################################################################
#			P A C K E T   D I S P O S I T I O N
###############################################################################

BLACKLIST_DISPOSITION=DROP

INVALID_DISPOSITION=CONTINUE

MACLIST_DISPOSITION=REJECT

RELATED_DISPOSITION=ACCEPT

RPFILTER_DISPOSITION=DROP

SMURF_DISPOSITION=DROP

SFILTER_DISPOSITION=DROP

TCP_FLAGS_DISPOSITION=DROP

UNTRACKED_DISPOSITION=CONTINUE

################################################################################
#			P A C K E T  M A R K  L A Y O U T
################################################################################

TC_BITS=

PROVIDER_BITS=

PROVIDER_OFFSET=

MASK_BITS=

ZONE_BITS=0

Let me know if there is anything else that is needed. I'm using dnsmasq as well (per the router/shorewall wikis); I can post that too (I feel a little bad about how much is here already. EDIT: posted dnsmasq config below (still feel bad), but it's okay though because the code boxes are scrollable, right? please advise!). I am also fully aware that this very well may be an issue with the server or waitress or the flask app and py script. Any advice on how to further probe whether this is a packet forwarding issue or not would also be appreciated (and taken to its proper spot on the forum!). For the record, here is the state of the packet filter on the server itself:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                  
8080                       ALLOW IN    Anywhere                  
22/tcp (v6)                ALLOW IN    Anywhere (v6)             
8080 (v6)                  ALLOW IN    Anywhere (v6)             

The server is running Ubuntu server. I know from reading the shorewall docs that the gateway on this host MUST be the firewall's internal IP (internal, right?). Here is where I set the gateway in Ubuntu's netplan:

$ cat /etc/netplan/01-netcfg.yaml
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp3s0:
      dhcp4: no
      addresses: [10.0.0.62/24]
      gateway4: 10.0.0.1
      nameservers:
        addresses: [10.0.0.1]

Yet when I run route:

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    0      0        0 enp3s0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 enp3s0

The gateway is 0.0.0.0?! So this is what I will be working on while I wait for any potential advice here. I've already tried this WikiHow but the results from route are the same. Will keep at it though! While it's been intense so far, the feeling of accomplishment after winning each of the battles (OS wouldn't install, then I couldn't boot, then we had no internet..) has 100% got me hooked on figuring this dang box out! Thank you for any help or advice you may be able to provide!

EDIT: ran ip route instead of route:

$ ip route
default via 10.0.0.1 dev enp3s0 proto static 
10.0.0.0/24 dev enp3s0 proto kernel scope link src 10.0.0.62

The gateway is set correctly after all? That was the one thing I was counting on working.. No ideas now. Will read up on snat to see if this rule in /etc/shorewall/snat is inappropriate here:

MASQUERADE		10.0.0.62		extern0

I haven't messed with this because this was what got the server internet access in the first place.
Probably dnsmasq as well; here is the config, why not?

$ cat /etc/dnsmasq.conf  
# Configuration