weyhan Apprentice
Joined: 27 May 2003 Posts: 245
Posted: Sun Feb 03, 2008 7:06 pm Post subject: netfilter problem cause Gentoo router to crash
Hi,
I've been experiencing problems with my Gentoo router and it looks like it may be related to NAT/nf_conntrack. The router is directly connected to the internet via an ADSL modem. The router has shorewall installed and uses netfilter to do the routing as well as protect my internal network. I first noticed the problem when I was still on 2.6.22-hardened-r8. I'm now on linux-2.6.23-hardened-r4 and I still see the problem.
The first sign of trouble was when I first saw this error message in my logs:
Code:
Dec 12 05:17:33 router nf_conntrack: table full, dropping packet.
I see lots of it in the logs, and when they start to appear, my internal network seems to be down. After I Googled a lot, I found that most results point to nf_conntrack and all the solutions I've seen are to make nf_conntrack_max bigger. Some even suggest making the hashsize bigger as well. I did that and eventually the same thing happened, but it only took longer. This time when I started to see packet drops in my logs, the effect was even worse. I believe this time the system managed to crash a few things, including the USB connection to my UPS.
At some point before the second crash, I started to monitor nf_conntrack by counting the lines in /proc/net/nf_conntrack with:
Code:
wc -l /proc/net/nf_conntrack
The number keeps getting higher and higher every time I look, and eventually the router will not be able to take it.
Apart from that I've also found odd-looking log entries that I suspect may be an indication of the cause of the runaway nf_conntrack above:
Code:
Feb 4 01:31:55 router Shorewall:loc2fw:REJECT:IN=eth1 OUT= MAC=00:50:ba:56:ee:db:00:18:f3:a0:ce:61:08:00 SRC=192.168.1.2 DST=74.167.108.178 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=52212 DF PROTO=TCP SPT=3833 DPT=22200 WINDOW=65535 RES=0x00 SYN URGP=0
192.168.1.2 is my desktop running WinXP and 74.167.108.178 is my ISP-assigned dynamic IP for the current session. DPT=22200 is the port I've opened for my bittorrent client. The strange thing is that Shorewall is reporting that my desktop is trying to connect to the public IP address of my current session on port 22200. I'm fairly sure that the log line above is related to my bittorrent client because if I stop it, the lines with DPT=22200 do not show up. Once I start the client, these lines return.
I've seen similar log lines with the same source and destination IP but a different destination port, but very few compared to the bittorrent port (the ratio is like a few K lines vs a few lines). So I suspect I may have had this problem before, but the bittorrent usage I started recently aggravates the problem to the point that it crashes my router.
After more Googling, I've also found this thread on the netfilter mailing list:
http://lists.netfilter.org/pipermail/netfilter/2007-July/069196.html
It looks kind of similar to the wrong source and destination problem I'm having, but the symptom is a little different. Obviously that is because at the end of the thread a patch was introduced into the nf_conntrack module and it is supposed to be fixed. However, I'm wondering whether that fix caught all the issues or has introduced a new one.
I'm at a loss as to what else I can do to diagnose where the real problem is. I know I've left out some details, but I'm hoping someone can first help by telling me what info to post here. Also, the problem seems to need tools like tcpdump to trace, and I have no experience with those tools.
Any help is greatly appreciated.
_________________
Han.
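An added triage helper for the kind of log line quoted in the post above (example code, not from the thread or from Shorewall): it parses Shorewall LOG lines, counts the most frequent rejected or dropped flows, and flags packets where a LAN host addressed the router's own public IP, which on this ruleset enter loc2fw instead of being forwarded. The first sample line is the post's own; the other sample lines, the RFC 5737 addresses and the function names are constructed.

```python
import re
from collections import Counter

# Constructed sample in the Shorewall LOG format quoted in the post. Line 1 is the post's own line;
# the rest are made up (public addresses from the RFC 5737 documentation range).
SAMPLE_LOG = """\
Feb 4 01:31:55 router Shorewall:loc2fw:REJECT:IN=eth1 OUT= MAC=00:50:ba:56:ee:db:00:18:f3:a0:ce:61:08:00 SRC=192.168.1.2 DST=74.167.108.178 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=52212 DF PROTO=TCP SPT=3833 DPT=22200 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 4 01:31:56 router Shorewall:loc2fw:REJECT:IN=eth1 OUT= MAC=00:50:ba:56:ee:db:00:18:f3:a0:ce:61:08:00 SRC=192.168.1.2 DST=74.167.108.178 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=52213 DF PROTO=TCP SPT=3834 DPT=22200 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 4 01:31:57 router Shorewall:loc2fw:REJECT:IN=eth1 OUT= MAC=00:50:ba:56:ee:db:00:18:f3:a0:ce:61:08:00 SRC=192.168.1.2 DST=74.167.108.178 LEN=70 TOS=0x00 PREC=0x00 TTL=128 ID=52214 PROTO=UDP SPT=22200 DPT=22200 LEN=50
Feb 4 01:32:01 router Shorewall:loc2fw:REJECT:IN=eth1 OUT= MAC=00:50:ba:56:ee:db:00:18:f3:a0:ce:61:08:00 SRC=192.168.1.2 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=52215 DF PROTO=TCP SPT=3836 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 4 01:32:05 router Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=74.167.108.178 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=512 RES=0x00 SYN URGP=0
Feb 4 01:32:09 router nf_conntrack: table full, dropping packet.
"""

# syslog timestamp, host, then the Shorewall prefix "Shorewall:<chain>:<action>:" and the netfilter fields
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$"
)
KV = re.compile(r"(\w+)=(\S*)")  # \S* because OUT= and MAC= are legitimately empty on some lines


def parse_line(line):
    """Return a dict for one Shorewall LOG line, or None for any other line (e.g. the nf_conntrack warning)."""
    m = LINE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "chain", "action")}
    rec.update(dict(KV.findall(m.group("rest"))))  # duplicated keys (IP LEN vs UDP LEN) keep the last value
    rec["flags"] = [t for t in m.group("rest").split() if "=" not in t]  # bare tokens: DF, SYN, ACK, ...
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def top_flows(records, n=5):
    """Most frequent (chain, action, SRC, DST, PROTO, DPT) tuples among rejected or dropped packets."""
    c = Counter(
        (r["chain"], r["action"], r.get("SRC"), r.get("DST"), r.get("PROTO"), r.get("DPT"))
        for r in records if r["action"] in ("REJECT", "DROP")
    )
    return c.most_common(n)


def lan_to_own_public_ip(records, public_ips, lan_ifaces):
    """Packets from a LAN interface whose destination is the router's own public address.
    They are handled by the router's input chain (loc2fw here), not forwarded to the internet."""
    return [r for r in records if r.get("IN") in lan_ifaces and r.get("DST") in public_ips]


if __name__ == "__main__":
    import sys
    # Pass a saved syslog file as argv[1]; without one the constructed sample is analysed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_log(text)
    for flow, n in top_flows(recs):
        print(n, *flow)
    hairpin = lan_to_own_public_ip(recs, {"74.167.108.178"}, {"eth1"})  # public IP from the post
    print(f"{len(hairpin)} LAN -> own-public-IP attempts")
```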
Hu Administrator
Joined: 06 Mar 2007 Posts: 23062
Posted: Sun Feb 03, 2008 9:15 pm Post subject:
Please post the output of emerge --info ; free -m -l -t ; iptables-save -c ; ip addr ; ip route. How many systems do you have inside the network? What operating systems do they run? What purposes do they serve (general desktop, PVR, filer, HTTP server, FTP server, etc.)? What is the highest value you have seen for wc -l /proc/net/nf_conntrack?
The last person I saw with this problem traced it to an infected Windows system on the internal network. The infected system was making an excessive number of outbound connections and filling up the connection tracking table. The problem went away when he disinfected the Windows system by wiping its drive.
weyhan Apprentice
Joined: 27 May 2003 Posts: 245
Posted: Sun Feb 03, 2008 10:16 pm Post subject:
Hi Hu,
Thanks for the help. I did read the other thread where you helped find an infected machine that was causing the problem, but I don't think it is malware at work here. The reason I doubt it is because I have AVG (I know it's not 100% safe) and I found the REJECT lines in the logs go down a lot after I stop the bittorrent client. I'm using uTorrent 1.7.7 BTW.
I have 3 zones in my network. The DMZ has one server which is off now for rebuilding. I have a samba fileserver on the local network, also in the process of rebuilding. Apart from a mostly-on WinXP desktop, the other network points are usually for notebooks, none of which are connected at the moment. So what is left is just the WinXP desktop. Since I'm fairly certain the desktop is clean, I don't think that is the problem.
The biggest number I've seen from the line count of nf_conntrack is really huge, somewhere in the 6-digit range. I know when I have the hashsize at 4096, the nf_conntrack_max is 16384, so the largest number is more than that. I have boosted the numbers now, from reading some advice on the net, to hashsize=524288 and nf_conntrack_max=4194304. I did not choose the nf_conntrack_max number because Gentoo does the calculation with this formula:
hashsize * 4 = nf_conntrack_max
The advice I've read is that if the box is only for routing, it is better to set hashsize = nf_conntrack_max, but I have not figured out how to do that in Gentoo without editing the init scripts (or was it in the kernel source, I can't remember).
emerge --info
Code:
Portage 2.1.3.19 (default-linux/x86/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-hardened-r4 i686)
=================================================================
System uname: 2.6.23-hardened-r4 i686 Pentium II (Deschutes)
Timestamp of tree: Sun, 03 Feb 2008 16:16:01 +0000
app-shells/bash: 3.2_p17
dev-lang/python: 2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.9.6-r2, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.22-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=pentium2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.isu.edu.tw/pub/Linux/Gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.asia.gentoo.org/gentoo-portage"
USE="acl acpi alsa berkdb bitmap-fonts bzlib cli cracklib crypt cups dri emacs iconv ipv6 isdnlog lirc logrotate midi mudflap ncurses nls nptl nptlonly openmp pam pcre perl posix pppd prelude python readline reflection ruby session ssl tcpd unicode usb x86 zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
free -m -l -t
Code:
                    total       used       free     shared    buffers     cached
Mem:                  250        232         18          0         87        105
Low:                  250        232         18
High:                   0          0          0
-/+ buffers/cache:     39        211
Swap:                 953          0        953
Total:               1204        232        972
iptables-save -c
Code:
# Generated by iptables-save v1.3.8 on Mon Feb 4 05:19:24 2008
*raw
:PREROUTING ACCEPT [12316802:6682114260]
:OUTPUT ACCEPT [210683:108205846]
COMMIT
# Completed on Mon Feb 4 05:19:24 2008
# Generated by iptables-save v1.3.8 on Mon Feb 4 05:19:24 2008
*nat
:PREROUTING ACCEPT [302436:24275086]
:POSTROUTING ACCEPT [488221:53781073]
:OUTPUT ACCEPT [4462:320172]
:eth0_masq - [0:0]
:net_dnat - [0:0]
:ppp0_masq - [0:0]
-A PREROUTING -i ppp0 -j net_dnat
-A POSTROUTING -o ppp0 -j ppp0_masq
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 192.168.1.0/255.255.255.0 -j MASQUERADE
-A net_dnat -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.2.2
-A net_dnat -p tcp -m multiport --dports 18768,18788:18790 -j DNAT --to-destination 192.168.1.2
-A net_dnat -p udp -m multiport --dports 18768,18788:18790 -j DNAT --to-destination 192.168.1.2
-A ppp0_masq -s 192.168.1.0/255.255.255.0 -j MASQUERADE
-A ppp0_masq -s 192.168.2.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Mon Feb 4 05:19:25 2008
# Generated by iptables-save v1.3.8 on Mon Feb 4 05:19:25 2008
*mangle
:PREROUTING ACCEPT [12316455:6682097404]
:INPUT ACCEPT [174784:34151999]
:FORWARD ACCEPT [12112106:6604486566]
:OUTPUT ACCEPT [210687:108206250]
:POSTROUTING ACCEPT [12322757:6712687255]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Mon Feb 4 05:19:25 2008
# Generated by iptables-save v1.3.8 on Mon Feb 4 05:19:25 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [6:2952]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:dmz2all - [0:0]
:dmz2fw - [0:0]
:dmz2loc - [0:0]
:dmz2net - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth0_out - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:eth1_out - [0:0]
:eth2_fwd - [0:0]
:eth2_in - [0:0]
:eth2_out - [0:0]
:fw2all - [0:0]
:fw2dmz - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2adsl - [0:0]
:loc2all - [0:0]
:loc2dmz - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2all - [0:0]
:net2dmz - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:norfc1918 - [0:0]
:ppp0_fwd - [0:0]
:ppp0_in - [0:0]
:ppp0_out - [0:0]
:reject - [0:0]
:rfc1918 - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -j ppp0_in
-A INPUT -i eth0 -j eth0_in
-A INPUT -i eth1 -j eth1_in
-A INPUT -i eth2 -j eth2_in
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -j reject
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i ppp0 -j ppp0_fwd
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -i eth2 -j eth2_fwd
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ppp0 -j ppp0_out
-A OUTPUT -o eth0 -j eth0_out
-A OUTPUT -o eth1 -j eth1_out
-A OUTPUT -o eth2 -j eth2_out
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -j reject
-A Drop -p tcp -m tcp --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -j DROP
-A Drop -p udp -m udp --dport 137:139 -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A Drop -p udp -m udp --dport 1900 -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -j DROP
-A Reject -p tcp -m tcp --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -j reject
-A Reject -p udp -m udp --dport 137:139 -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -j reject
-A Reject -p udp -m udp --dport 1900 -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -j DROP
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j Reject
-A all2all -j LOG --log-prefix "Shorewall:all2all:REJECT:" --log-level 6
-A all2all -j reject
-A dmz2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dmz2all -j Reject
-A dmz2all -j LOG --log-prefix "Shorewall:dmz2all:REJECT:" --log-level 6
-A dmz2all -j reject
-A dmz2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dmz2fw -p udp -m udp --dport 53 -j ACCEPT
-A dmz2fw -p tcp -m tcp --dport 53 -j ACCEPT
-A dmz2fw -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A dmz2fw -p udp -m udp --dport 123 -j ACCEPT
-A dmz2fw -j Reject
-A dmz2fw -j LOG --log-prefix "Shorewall:dmz2fw:REJECT:" --log-level 6
-A dmz2fw -j reject
-A dmz2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dmz2loc -j Reject
-A dmz2loc -j LOG --log-prefix "Shorewall:dmz2loc:REJECT:" --log-level 6
-A dmz2loc -j reject
-A dmz2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A dmz2net -p tcp -m tcp --dport 80 -j ACCEPT
-A dmz2net -p tcp -m tcp --dport 443 -j ACCEPT
-A dmz2net -p tcp -m tcp --dport 21 -j ACCEPT
-A dmz2net -p tcp -m tcp --dport 873 -j ACCEPT
-A dmz2net -j Reject
-A dmz2net -j LOG --log-prefix "Shorewall:dmz2net:REJECT:" --log-level 6
-A dmz2net -j reject
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -m state --state INVALID,NEW -j smurfs
-A eth0_fwd -p tcp -j tcpflags
-A eth0_fwd -s 192.168.0.0/255.255.255.0 -o ppp0 -j all2all
-A eth0_fwd -s 192.168.0.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o eth1 -j all2all
-A eth0_fwd -s 192.168.0.0/255.255.255.0 -d 192.168.2.0/255.255.255.0 -o eth2 -j all2all
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -m state --state INVALID,NEW -j smurfs
-A eth0_in -p tcp -j tcpflags
-A eth0_in -s 192.168.0.0/255.255.255.0 -j all2all
-A eth0_out -d 192.168.0.0/255.255.255.0 -j fw2all
-A eth0_out -d 255.255.255.255 -j fw2all
-A eth0_out -d 224.0.0.0/240.0.0.0 -j fw2all
-A eth1_fwd -m state --state INVALID,NEW -j dynamic
-A eth1_fwd -m state --state INVALID,NEW -j smurfs
-A eth1_fwd -p tcp -j tcpflags
-A eth1_fwd -s 192.168.1.0/255.255.255.0 -o ppp0 -j loc2net
-A eth1_fwd -s 192.168.1.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -o eth0 -j loc2adsl
-A eth1_fwd -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0 -o eth2 -j loc2dmz
-A eth1_in -m state --state INVALID,NEW -j dynamic
-A eth1_in -m state --state INVALID,NEW -j smurfs
-A eth1_in -p tcp -j tcpflags
-A eth1_in -s 192.168.1.0/255.255.255.0 -j loc2fw
-A eth1_out -d 192.168.1.0/255.255.255.0 -j fw2loc
-A eth1_out -d 255.255.255.255 -j fw2loc
-A eth1_out -d 224.0.0.0/240.0.0.0 -j fw2loc
-A eth2_fwd -m state --state INVALID,NEW -j dynamic
-A eth2_fwd -m state --state INVALID,NEW -j smurfs
-A eth2_fwd -p tcp -j tcpflags
-A eth2_fwd -s 192.168.2.0/255.255.255.0 -o ppp0 -j dmz2net
-A eth2_fwd -s 192.168.2.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -o eth0 -j dmz2all
-A eth2_fwd -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o eth1 -j dmz2loc
-A eth2_in -m state --state INVALID,NEW -j dynamic
-A eth2_in -m state --state INVALID,NEW -j smurfs
-A eth2_in -p tcp -j tcpflags
-A eth2_in -s 192.168.2.0/255.255.255.0 -j dmz2fw
-A eth2_out -d 192.168.2.0/255.255.255.0 -j fw2dmz
-A eth2_out -d 255.255.255.255 -j fw2dmz
-A eth2_out -d 224.0.0.0/240.0.0.0 -j fw2dmz
-A fw2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2all -j Reject
-A fw2all -j LOG --log-prefix "Shorewall:fw2all:REJECT:" --log-level 6
-A fw2all -j reject
-A fw2dmz -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2dmz -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A fw2dmz -j Reject
-A fw2dmz -j LOG --log-prefix "Shorewall:fw2dmz:REJECT:" --log-level 6
-A fw2dmz -j reject
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A fw2loc -p icmp -j ACCEPT
-A fw2loc -j Reject
-A fw2loc -j LOG --log-prefix "Shorewall:fw2loc:REJECT:" --log-level 6
-A fw2loc -j reject
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p tcp -m tcp --dport 587 -j ACCEPT
-A fw2net -p udp -m udp --dport 53 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 53 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 80 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 443 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 21 -j ACCEPT
-A fw2net -p tcp -m tcp --dport 873 -j ACCEPT
-A fw2net -p udp -m udp --dport 123 -j ACCEPT
-A fw2net -p icmp -j ACCEPT
-A fw2net -j Reject
-A fw2net -j LOG --log-prefix "Shorewall:fw2net:REJECT:" --log-level 6
-A fw2net -j reject
-A loc2adsl -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2adsl -p tcp -m tcp --dport 80 -j ACCEPT
-A loc2adsl -p tcp -m tcp --dport 443 -j ACCEPT
-A loc2adsl -p tcp -m tcp --dport 23 -j ACCEPT
-A loc2adsl -j loc2all
-A loc2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2all -j Reject
-A loc2all -j LOG --log-prefix "Shorewall:loc2all:REJECT:" --log-level 6
-A loc2all -j reject
-A loc2dmz -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2dmz -p tcp -m tcp --dport 22 -j ACCEPT
-A loc2dmz -j Reject
-A loc2dmz -j LOG --log-prefix "Shorewall:loc2dmz:REJECT:" --log-level 6
-A loc2dmz -j reject
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p udp -m udp --dport 53 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 53 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A loc2fw -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 3493 -j ACCEPT
-A loc2fw -p udp -m udp --dport 3493 -j ACCEPT
-A loc2fw -p udp -m udp --dport 123 -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A loc2fw -j Reject
-A loc2fw -j LOG --log-prefix "Shorewall:loc2fw:REJECT:" --log-level 6
-A loc2fw -j reject
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j ACCEPT
-A logdrop -j LOG --log-prefix "Shorewall:logdrop:DROP:" --log-level 6
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6
-A logflags -j DROP
-A logreject -j LOG --log-prefix "Shorewall:logreject:REJECT:" --log-level 6
-A logreject -j reject
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j Drop
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A net2dmz -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2dmz -d 192.168.2.2 -p tcp -m tcp --dport 22 -j ACCEPT
-A net2dmz -j Drop
-A net2dmz -j LOG --log-prefix "Shorewall:net2dmz:DROP:" --log-level 6
-A net2dmz -j DROP
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 8 -j reject
-A net2fw -j Drop
-A net2fw -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 6
-A net2fw -j DROP
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -d 192.168.1.2 -p tcp -m multiport --dports 18768,18788:18790 -j ACCEPT
-A net2loc -d 192.168.1.2 -p udp -m multiport --dports 18768,18788:18790 -j ACCEPT
-A net2loc -j Drop
-A net2loc -j LOG --log-prefix "Shorewall:net2loc:DROP:" --log-level 6
-A net2loc -j DROP
-A norfc1918 -s 172.16.0.0/255.240.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 172.16.0.0/12 -j rfc1918
-A norfc1918 -s 192.168.0.0/255.255.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 192.168.0.0/16 -j rfc1918
-A norfc1918 -s 10.0.0.0/255.0.0.0 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 10.0.0.0/8 -j rfc1918
-A ppp0_fwd -m state --state INVALID,NEW -j dynamic
-A ppp0_fwd -m state --state INVALID,NEW -j smurfs
-A ppp0_fwd -m state --state NEW -j norfc1918
-A ppp0_fwd -p tcp -j tcpflags
-A ppp0_fwd -d 192.168.0.0/255.255.255.0 -o eth0 -j net2all
-A ppp0_fwd -d 192.168.1.0/255.255.255.0 -o eth1 -j net2loc
-A ppp0_fwd -d 192.168.2.0/255.255.255.0 -o eth2 -j net2dmz
-A ppp0_in -m state --state INVALID,NEW -j dynamic
-A ppp0_in -m state --state INVALID,NEW -j smurfs
-A ppp0_in -m state --state NEW -j norfc1918
-A ppp0_in -p tcp -j tcpflags
-A ppp0_in -j net2fw
-A ppp0_out -j fw2net
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A rfc1918 -j LOG --log-prefix "Shorewall:rfc1918:DROP:" --log-level 6
-A rfc1918 -j DROP
-A smurfs -s 192.168.0.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.0.255 -j DROP
-A smurfs -s 192.168.1.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.1.255 -j DROP
-A smurfs -s 192.168.2.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.2.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j logflags
COMMIT
# Completed on Mon Feb 4 05:19:25 2008
ip addr
Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:b0:d0:33:a8:a5 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.10/24 brd 192.168.0.255 scope global eth0
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:04:5a:79:4b:99 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.10/24 brd 192.168.2.255 scope global eth2
4: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:ba:56:ee:db brd ff:ff:ff:ff:ff:ff
inet 192.168.1.10/24 brd 192.168.1.255 scope global eth1
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast qlen 3
link/ppp
inet 74.167.108.178 peer 74.167.218.177/32 scope global ppp0
ip route
Code:
74.167.218.177 dev ppp0 proto kernel scope link src 74.167.108.178
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.10
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.10
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
127.0.0.0/8 dev lo scope link
default via 74.167.218.177 dev ppp0
_________________
Han.
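An added helper for the nf_conntrack monitoring discussed in this thread (example code, not from the thread, Gentoo or netfilter): rather than only counting lines in /proc/net/nf_conntrack, it parses each entry, attributes it to the originating internal host, separates the UNREPLIED entries that nobody answered, and relates the total to hashsize and nf_conntrack_max. The entry layout is the one printed by 2.6.2x kernels for IPv4; the sample entries, the RFC 5737 addresses and the function names are constructed.

```python
import re
from collections import Counter

# Constructed sample of /proc/net/nf_conntrack entries (2.6.2x layout). Only 192.168.x.x hosts and
# the public IP 74.167.108.178 come from the thread; the remote addresses are RFC 5737 documentation addresses.
SAMPLE_TABLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=198.51.100.10 sport=3833 dport=80 packets=12 bytes=1820 src=198.51.100.10 dst=74.167.108.178 sport=80 dport=3833 packets=10 bytes=9340 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.168.1.2 dst=198.51.100.23 sport=3901 dport=6881 packets=1 bytes=48 [UNREPLIED] src=198.51.100.23 dst=74.167.108.178 sport=6881 dport=3901 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.2 dst=198.51.100.24 sport=22200 dport=6881 packets=1 bytes=70 [UNREPLIED] src=198.51.100.24 dst=74.167.108.178 sport=6881 dport=22200 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.2 dst=198.51.100.25 sport=22200 dport=6881 packets=1 bytes=70 [UNREPLIED] src=198.51.100.25 dst=74.167.108.178 sport=6881 dport=22200 packets=0 bytes=0 mark=0 secmark=0 use=1
ipv4     2 tcp      6 431998 ESTABLISHED src=192.168.2.2 dst=198.51.100.40 sport=40001 dport=873 packets=30 bytes=4000 src=198.51.100.40 dst=74.167.108.178 sport=873 dport=40001 packets=28 bytes=120000 [ASSURED] mark=0 secmark=0 use=2
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_entry(line):
    """Split one IPv4 nf_conntrack entry into protocol, timeout, TCP state, both tuples and flags."""
    fields = line.split()
    if len(fields) < 6 or fields[0] != "ipv4":  # IPv6 entries are not handled here
        return None
    l4proto, timeout = fields[2], int(fields[4])
    # Only TCP prints a textual state between the timeout and the first src= tuple.
    state = fields[5] if "=" not in fields[5] and not fields[5].startswith("[") else None
    orig, reply = {}, {}
    current = orig
    for key, value in KV.findall(line):
        if key == "src" and "src" in current:
            current = reply  # the second src= begins the reply-direction tuple
        current.setdefault(key, value)
    return {
        "proto": l4proto, "timeout": timeout, "state": state,
        "orig_src": orig.get("src"), "orig_dst": orig.get("dst"),
        "orig_sport": orig.get("sport"), "orig_dport": orig.get("dport"),
        "reply_src": reply.get("src"), "reply_dst": reply.get("dst"),
        "unreplied": "[UNREPLIED]" in fields, "assured": "[ASSURED]" in fields,
    }


def parse_table(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def entries_per_source(entries, unreplied_only=False):
    """Entries per originating host; unreplied_only keeps just the flows that never got an answer."""
    return Counter(e["orig_src"] for e in entries if not unreplied_only or e["unreplied"])


def table_load(count, hashsize, ct_max):
    """Return (fill fraction of nf_conntrack_max, average hash chain length = count / hashsize)."""
    return count / ct_max, count / hashsize


if __name__ == "__main__":
    import sys
    # Pass a saved copy of /proc/net/nf_conntrack as argv[1]; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TABLE
    entries = parse_table(text)
    print("entries per originating host:", entries_per_source(entries).most_common(5))
    print("UNREPLIED entries per host:", entries_per_source(entries, unreplied_only=True).most_common(5))
    fill, chain = table_load(len(entries), hashsize=4096, ct_max=16384)  # the post's first settings
    print(f"table fill {fill:.1%}, average hash chain length {chain:.3f}")
```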