View Issue Details
| Field | Value |
|---|---|
| ID | 0000543 |
| Project | Endian Firewall |
| Category | Firewall (iptables) |
| View Status | public |
| Date Submitted | 2008-02-04 14:02 |
| Last Update | 2008-04-23 17:41 |
| Reporter | Sota |
| Assigned To | peter-endian |
| Priority | normal |
| Severity | block |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Platform | |
| OS | |
| OS Version | |
| Product Version | 2.2-beta3 |
| Target Version | 2.2-beta4 |
| Fixed in Version | 2.2-beta4 |
| Summary | 0000543: Port Forwarding not working |
| Description | I installed 2.2 Beta 3 and imported the backup from beta 2. I had three ports forwarded on Endian which had been working previously. Now, none of them work. |
| Additional Information | I tried deleting the entries and recreating them, but no change. A reinstallation didn't help either. Copy of output from iptables -L attached. |
| Tags | No tags attached. |
| Attached Files | Two text attachments (raw output omitted): the `iptables -L` listing referred to above, and a console session on the firewall host `asbestos` showing the output of `setportfw.py --debug --force`, `iptables -t nat -vnL` and `iptables -vnL`. |
br1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 0 0 ALLOW udp -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 61 3092 ALLOW tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 2163 107K ALLOW tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 0 0 ALLOW tcp -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 0 0 ALLOW tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 Chain INPUTFW_LOGDROP (5 references) pkts bytes target prot opt in out source destination 4339 490K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain INPUTTRAFFIC (1 references) pkts bytes target prot opt in out source destination 0 0 INPUTFW all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 0 0 INPUTFW_LOGDROP all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 0 0 INPUTFW all -- tap+ * 0.0.0.0/0 0.0.0.0/0 0 0 INPUTFW_LOGDROP all -- tap+ * 0.0.0.0/0 0.0.0.0/0 0 0 INPUTFW all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap+ 0 0 INPUTFW_LOGDROP all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap+ 0 0 REJECT tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with icmp-port-unreachable 7865 675K INPUTFW all -- br0 * 0.0.0.0/0 0.0.0.0/0 4339 490K INPUTFW_LOGDROP all -- br0 * 0.0.0.0/0 0.0.0.0/0 0 0 REJECT tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with icmp-port-unreachable 0 0 INPUTFW all -- br2 * 0.0.0.0/0 0.0.0.0/0 0 0 INPUTFW_LOGDROP all -- br2 * 0.0.0.0/0 0.0.0.0/0 5679 2220K INPUTFW all -- * * 0.0.0.0/0 0.0.0.0/0 Chain IPSECBLUE (1 references) pkts bytes target prot opt in out source destination Chain IPSECORANGE (1 references) pkts bytes target prot opt in out source destination Chain IPSECRED (1 references) pkts bytes target prot opt in out source destination Chain LOG_BADTCP (1 references) pkts bytes target prot opt in out source destination Chain LOG_FORWARD (1 references) pkts bytes target prot opt in out source destination Chain LOG_INPUT (1 references) pkts bytes target prot opt in out source destination Chain LOG_NEWNOTSYN (1 references) pkts bytes target prot opt in out source destination Chain NEWNOTSYN (1 references) pkts bytes target 
prot opt in out source destination 22 32824 LOG_NEWNOTSYN all -- * * 0.0.0.0/0 0.0.0.0/0 22 32824 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OPENVPNCLIENTDHCP (1 references) pkts bytes target prot opt in out source destination Chain OPENVPNDHCP (1 references) pkts bytes target prot opt in out source destination Chain OUTGOINGFW (1 references) pkts bytes target prot opt in out source destination 1828 88916 ALLOW tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 0 0 ALLOW tcp -- br2 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 680 35100 ALLOW tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 0 0 ALLOW tcp -- br2 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 0 0 ALLOW tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 0 0 ALLOW tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 0 0 ALLOW tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 0 0 ALLOW tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 0 0 ALLOW tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 0 0 ALLOW tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 0 0 ALLOW tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 0 0 ALLOW udp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:53 0 0 ALLOW tcp -- br1 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 0 0 ALLOW udp -- br1 ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:53 0 0 ALLOW tcp -- br2 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 0 0 ALLOW udp -- br2 ppp0 0.0.0.0/0 0.0.0.0/0 udp dpt:53 4 240 ALLOW icmp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 icmp type 8 0 0 ALLOW icmp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 icmp type 30 0 0 ALLOW icmp -- br1 ppp0 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 icmp type 8 0 0 ALLOW icmp -- br1 ppp0 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 icmp type 30 0 0 ALLOW icmp -- br2 ppp0 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 icmp type 8 0 0 ALLOW icmp -- br2 ppp0 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 icmp type 30 0 0 ALLOW tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:2082 0 0 ALLOW tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:2086 0 0 ALLOW tcp -- br0 ppp0 0.0.0.0/0 
0.0.0.0/0 tcp dpt:2087 0 0 ALLOW tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:2095 0 0 ALLOW tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:10443 9 468 ALLOW tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 0 0 ALLOW tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:4125 52 2496 ALLOW tcp -- * ppp0 192.168.16.38 0.0.0.0/0 tcp 2 152 ALLOW udp -- * ppp0 192.168.16.38 0.0.0.0/0 udp 0 0 ALLOW tcp -- br0 ppp0 0.0.0.0/0 0.0.0.0/0 tcp dpt:222 Chain OUTPUT (policy ACCEPT 564K packets, 294M bytes) pkts bytes target prot opt in out source destination 540K 288M ipac~i all -- * * 0.0.0.0/0 0.0.0.0/0 564K 294M CUSTOMOUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain PORTFWACCESS (1 references) pkts bytes target prot opt in out source destination 0 0 ALLOW tcp -- ppp0 * 0.0.0.0/0 192.168.16.2 tcp dpt:3389 0 0 ALLOW tcp -- ppp0 * 0.0.0.0/0 192.168.16.2 tcp dpt:4125 0 0 NFLOG tcp -- ppp0 * 0.0.0.0/0 192.168.16.2 tcp dpt:443 nflog-prefix "PORTFWACCESS:ACCEPT:3" 0 0 ALLOW tcp -- ppp0 * 0.0.0.0/0 192.168.16.2 tcp dpt:443 Chain PORTSCAN (2 references) pkts bytes target prot opt in out source destination Chain REDINPUT (1 references) pkts bytes target prot opt in out source destination Chain VPNFW (7 references) pkts bytes target prot opt in out source destination 5258 317K ALLOW all -- * * 0.0.0.0/0 0.0.0.0/0 Chain VPNFW_LOGDROP (6 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain VPNTRAFFIC (1 references) pkts bytes target prot opt in out source destination 86 4576 VPNFW all -- * ipsec+ 0.0.0.0/0 0.0.0.0/0 0 0 VPNFW_LOGDROP all -- * ipsec+ 0.0.0.0/0 0.0.0.0/0 93 7533 VPNFW all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 0 0 VPNFW_LOGDROP all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 0 0 VPNFW all -- * tap+ 0.0.0.0/0 0.0.0.0/0 0 0 VPNFW_LOGDROP all -- * tap+ 0.0.0.0/0 0.0.0.0/0 0 0 VPNFW all -- tap+ * 0.0.0.0/0 0.0.0.0/0 0 0 VPNFW_LOGDROP all -- tap+ * 0.0.0.0/0 0.0.0.0/0 0 0 VPNFW all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap+ 
--physdev-is-bridged 0 0 VPNFW_LOGDROP all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap+ --physdev-is-bridged 0 0 VPNFW all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap+ 0 0 VPNFW_LOGDROP all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap+ 5079 305K VPNFW all -- !br0 br0 0.0.0.0/0 0.0.0.0/0 Chain ZONEFW (4 references) pkts bytes target prot opt in out source destination 0 0 ALLOW all -- br0 br0 0.0.0.0/0 0.0.0.0/0 0 0 ALLOW all -- br0 br2 0.0.0.0/0 0.0.0.0/0 0 0 ALLOW all -- br0 br1 0.0.0.0/0 0.0.0.0/0 0 0 ALLOW all -- br2 br2 0.0.0.0/0 0.0.0.0/0 0 0 ALLOW all -- br1 br1 0.0.0.0/0 0.0.0.0/0 Chain ZONEFW_LOGDROP (4 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain ZONETRAFFIC (1 references) pkts bytes target prot opt in out source destination 0 0 ZONEFW all -- br0 br0 0.0.0.0/0 0.0.0.0/0 0 0 ZONEFW_LOGDROP all -- br0 br0 0.0.0.0/0 0.0.0.0/0 0 0 ZONEFW all -- br0 br2 0.0.0.0/0 0.0.0.0/0 0 0 ZONEFW_LOGDROP all -- br0 br2 0.0.0.0/0 0.0.0.0/0 0 0 ZONEFW all -- br2 br0 0.0.0.0/0 0.0.0.0/0 0 0 ZONEFW_LOGDROP all -- br2 br0 0.0.0.0/0 0.0.0.0/0 0 0 ZONEFW all -- br2 br2 0.0.0.0/0 0.0.0.0/0 0 0 ZONEFW_LOGDROP all -- br2 br2 0.0.0.0/0 0.0.0.0/0 Chain ipac~fi (1 references) pkts bytes target prot opt in out source destination 134 5360 all -- br0 * 0.0.0.0/0 0.0.0.0/0 0 0 all -- br2 * 0.0.0.0/0 0.0.0.0/0 250 13500 all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 Chain ipac~fo (1 references) pkts bytes target prot opt in out source destination 259 14098 all -- * br0 0.0.0.0/0 0.0.0.0/0 0 0 all -- * br2 0.0.0.0/0 0.0.0.0/0 125 5000 all -- * ppp0 0.0.0.0/0 0.0.0.0/0 Chain ipac~i (1 references) pkts bytes target prot opt in out source destination 53 6424 all -- * br0 0.0.0.0/0 0.0.0.0/0 0 0 all -- * br2 0.0.0.0/0 0.0.0.0/0 36 4692 all -- * ppp0 0.0.0.0/0 0.0.0.0/0 Chain ipac~o (1 references) pkts bytes target prot opt in out source destination 53 3524 all -- br0 * 0.0.0.0/0 0.0.0.0/0 0 0 all -- br2 
* 0.0.0.0/0 0.0.0.0/0 37 5436 all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 [1;33mroot[1;37m@[1;32masbestos[1;37m:[1;31m~ [1;36m# [0m ![]() ![]() iptables-save # Generated by iptables-save v1.3.8 on Tue Feb 5 14:56:09 2008 *mangle :PREROUTING ACCEPT [1440037:482200536] :INPUT ACCEPT [511818:237113262] :FORWARD ACCEPT [914120:241342876] :OUTPUT ACCEPT [546117:245516134] :POSTROUTING ACCEPT [1955529:927637199] :CHECKIIF - [0:0] :INCOMINGMARK - [0:0] :LVS - [0:0] :LVSSMTPSCAN - [0:0] :MARKIIF - [0:0] :POLICYROUTING - [0:0] :PORTFW - [0:0] :ROUTING - [0:0] :VPNFW - [0:0] :VPNTRAFFIC - [0:0] :ZONEFW - [0:0] :ZONETRAFFIC - [0:0] -A PREROUTING -i lo -j ACCEPT -A PREROUTING -j ROUTING -A INPUT -i lo -j ACCEPT -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -A FORWARD -m state --state NEW -m mark --mark 0x0/0xfff80000 -j VPNTRAFFIC -A FORWARD -m state --state NEW -m mark --mark 0x0/0xfff80000 -j ZONETRAFFIC -A FORWARD -m state --state RELATED,ESTABLISHED -j MARK --and-mark 0xffbfffff -A OUTPUT -o lo -j ACCEPT -A OUTPUT -j ROUTING -A CHECKIIF -i ! eth0 -m connmark --mark 0x800/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! eth1 -m connmark --mark 0x1000/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! eth2 -m connmark --mark 0x1800/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! bond0 -m connmark --mark 0x2000/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! bond1 -m connmark --mark 0x2800/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! bond2 -m connmark --mark 0x3000/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! bond3 -m connmark --mark 0x3800/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! bond4 -m connmark --mark 0x4000/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! bond5 -m connmark --mark 0x4800/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! bond6 -m connmark --mark 0x5000/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! 
bond7 -m connmark --mark 0x5800/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! bond8 -m connmark --mark 0x6000/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! bond9 -m connmark --mark 0x6800/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! br0 -m connmark --mark 0x7000/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! br2 -m connmark --mark 0x7800/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! ipsec0 -m connmark --mark 0x8000/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! ipsec1 -m connmark --mark 0x8800/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! ipsec2 -m connmark --mark 0x9000/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! ipsec3 -m connmark --mark 0x9800/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! ppp0 -m connmark --mark 0xa000/0x3f800 -j MARK --and-mark 0xfffff807 -A CHECKIIF -i ! ppp0 -m connmark --mark 0xa000/0x3f800 -j MARK --or-mark 0x7e0 -A INCOMINGMARK -j POLICYROUTING -A INCOMINGMARK -j PORTFW -A INCOMINGMARK -j CONNMARK --restore-mark -A MARKIIF -i eth0 -j CONNMARK --set-mark 0x800/0x3f800 -A MARKIIF -i eth1 -j CONNMARK --set-mark 0x1000/0x3f800 -A MARKIIF -i eth2 -j CONNMARK --set-mark 0x1800/0x3f800 -A MARKIIF -i bond0 -j CONNMARK --set-mark 0x2000/0x3f800 -A MARKIIF -i bond1 -j CONNMARK --set-mark 0x2800/0x3f800 -A MARKIIF -i bond2 -j CONNMARK --set-mark 0x3000/0x3f800 -A MARKIIF -i bond3 -j CONNMARK --set-mark 0x3800/0x3f800 -A MARKIIF -i bond4 -j CONNMARK --set-mark 0x4000/0x3f800 -A MARKIIF -i bond5 -j CONNMARK --set-mark 0x4800/0x3f800 -A MARKIIF -i bond6 -j CONNMARK --set-mark 0x5000/0x3f800 -A MARKIIF -i bond7 -j CONNMARK --set-mark 0x5800/0x3f800 -A MARKIIF -i bond8 -j CONNMARK --set-mark 0x6000/0x3f800 -A MARKIIF -i bond9 -j CONNMARK --set-mark 0x6800/0x3f800 -A MARKIIF -i br0 -j CONNMARK --set-mark 0x7000/0x3f800 -A MARKIIF -i br2 -j CONNMARK --set-mark 0x7800/0x3f800 -A MARKIIF -i ipsec0 -j CONNMARK --set-mark 0x8000/0x3f800 -A MARKIIF -i ipsec1 -j CONNMARK --set-mark 
0x8800/0x3f800 -A MARKIIF -i ipsec2 -j CONNMARK --set-mark 0x9000/0x3f800 -A MARKIIF -i ipsec3 -j CONNMARK --set-mark 0x9800/0x3f800 -A MARKIIF -i ppp0 -j CONNMARK --set-mark 0xa000/0x3f800 -A POLICYROUTING -d 213.94.190.194 -p udp -m udp --dport 53 -j CONNMARK --set-mark 0x7e0/0x7f8 -A POLICYROUTING -m connmark ! --mark 0x0/0x7f8 -j RETURN -A POLICYROUTING -d 213.94.190.194 -p tcp -m tcp --dport 53 -j CONNMARK --set-mark 0x7e0/0x7f8 -A POLICYROUTING -m connmark ! --mark 0x0/0x7f8 -j RETURN -A POLICYROUTING -d 213.94.190.236 -p udp -m udp --dport 53 -j CONNMARK --set-mark 0x7e0/0x7f8 -A POLICYROUTING -m connmark ! --mark 0x0/0x7f8 -j RETURN -A POLICYROUTING -d 213.94.190.236 -p tcp -m tcp --dport 53 -j CONNMARK --set-mark 0x7e0/0x7f8 -A POLICYROUTING -m connmark ! --mark 0x0/0x7f8 -j RETURN -A ROUTING -i lo -j RETURN -A ROUTING -o lo -j RETURN -A ROUTING -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -m connmark ! --mark 0x0 -j CONNMARK --restore-mark -A ROUTING -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -m connmark ! --mark 0x0 -j CHECKIIF -A ROUTING -m state --state NEW -j MARKIIF -A ROUTING -m state --state NEW -j INCOMINGMARK -A VPNTRAFFIC -o ipsec+ -j VPNFW -A VPNTRAFFIC -o ipsec+ -j RETURN -A VPNTRAFFIC -i ipsec+ -j VPNFW -A VPNTRAFFIC -i ipsec+ -j RETURN -A VPNTRAFFIC -o tap+ -j VPNFW -A VPNTRAFFIC -o tap+ -j RETURN -A VPNTRAFFIC -i tap+ -j VPNFW -A VPNTRAFFIC -i tap+ -j RETURN -A VPNTRAFFIC -m physdev --physdev-out tap+ --physdev-is-bridged -j VPNFW -A VPNTRAFFIC -m physdev --physdev-out tap+ --physdev-is-bridged -j RETURN -A VPNTRAFFIC -m physdev --physdev-in tap+ -j VPNFW -A VPNTRAFFIC -m physdev --physdev-in tap+ -j RETURN -A VPNTRAFFIC -i ! br0 -o br0 -j VPNFW -A VPNTRAFFIC -i ! 
br0 -o br0 -m mark --mark 0x0/0xfff80000 -j MARK --or-mark 0xc0000 -A ZONEFW -i br0 -o br0 -j ACCEPT -A ZONEFW -i br0 -o br2 -j ACCEPT -A ZONEFW -i br0 -o br1 -j ACCEPT -A ZONEFW -i br2 -o br2 -j ACCEPT -A ZONEFW -i br1 -o br1 -j ACCEPT -A ZONETRAFFIC -i br0 -o br0 -j ZONEFW -A ZONETRAFFIC -i br0 -o br0 -j RETURN -A ZONETRAFFIC -i br0 -o br2 -j ZONEFW -A ZONETRAFFIC -i br0 -o br2 -j RETURN -A ZONETRAFFIC -i br2 -o br0 -j ZONEFW -A ZONETRAFFIC -i br2 -o br0 -j RETURN -A ZONETRAFFIC -i br2 -o br2 -j ZONEFW -A ZONETRAFFIC -i br2 -o br2 -j RETURN COMMIT # Completed on Tue Feb 5 14:56:09 2008 # Generated by iptables-save v1.3.8 on Tue Feb 5 14:56:09 2008 *filter :ALLOW - [0:0] :ALLOW_HOOKS - [0:0] :BADTCP - [0:0] :CUSTOMFORWARD - [0:0] :CUSTOMINPUT - [0:0] :CUSTOMOUTPUT - [0:0] :DROPBADTCP - [0:0] :HAFORWARD - [0:0] :ICMP_LOGDROP - [0:0] :INPUT DROP [5720:1644674] :FORWARD DROP [27993:11037206] :INPUTFW - [0:0] :INPUTFW_LOGDROP - [0:0] :INPUTTRAFFIC - [0:0] :IPSECBLUE - [0:0] :IPSECORANGE - [0:0] :IPSECRED - [0:0] :LOG_BADTCP - [0:0] :LOG_FORWARD - [0:0] :LOG_INPUT - [0:0] :LOG_NEWNOTSYN - [0:0] :NEWNOTSYN - [0:0] :OPENVPNCLIENTDHCP - [0:0] :OPENVPNDHCP - [0:0] :OUTGOINGFW - [0:0] :OUTPUT ACCEPT [1068781:696933562] :PORTFWACCESS - [0:0] :PORTSCAN - [0:0] :REDINPUT - [0:0] :VPNFW - [0:0] :VPNFW_LOGDROP - [0:0] :VPNTRAFFIC - [0:0] :ZONEFW - [0:0] :ZONEFW_LOGDROP - [0:0] :ZONETRAFFIC - [0:0] :ipac~fi - [0:0] :ipac~fo - [0:0] :ipac~i - [0:0] :ipac~o - [0:0] -A ALLOW -j ALLOW_HOOKS -A ALLOW -j ACCEPT -A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPBADTCP -A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPBADTCP -A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROPBADTCP -A BADTCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPBADTCP -A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPBADTCP -A BADTCP -p tcp -m tcp ! 
--tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j NEWNOTSYN -A DROPBADTCP -j LOG_BADTCP -A DROPBADTCP -j DROP -A ICMP_LOGDROP -p icmp -m icmp --icmp-type 8 -j RETURN -A ICMP_LOGDROP -p icmp -m icmp --icmp-type 30 -j RETURN -A ICMP_LOGDROP -j DROP -A INPUT -j ipac~o -A INPUT -j REDINPUT -A INPUT -j PORTSCAN -A INPUT -j BADTCP -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec -A INPUT -j CUSTOMINPUT -A INPUT -m state --state RELATED,ESTABLISHED -j ALLOW -A INPUT -p icmp -j ICMP_LOGDROP -A INPUT -i lo -m state --state NEW -j ALLOW -A INPUT -s 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP -A INPUT -d 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP -A INPUT -j IPSECRED -A INPUT -j IPSECBLUE -A INPUT -j IPSECORANGE -A INPUT -m state --state NEW -j INPUTTRAFFIC -A INPUT -j LOG_INPUT -A FORWARD -j ipac~fi -A FORWARD -j ipac~fo -A FORWARD -j OPENVPNCLIENTDHCP -A FORWARD -j OPENVPNDHCP -A FORWARD -j PORTSCAN -A FORWARD -j BADTCP -A FORWARD -j CUSTOMFORWARD -A FORWARD -m state --state RELATED,ESTABLISHED -j ALLOW -A FORWARD -p icmp -j ICMP_LOGDROP -A FORWARD -i lo -m state --state NEW -j ALLOW -A FORWARD -s 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP -A FORWARD -d 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP -A FORWARD -j HAFORWARD -A FORWARD -j VPNTRAFFIC -A FORWARD -m state --state NEW -j OUTGOINGFW -A FORWARD -m state --state NEW -j PORTFWACCESS -A FORWARD -m state --state NEW -j ZONETRAFFIC -A FORWARD -j LOG_FORWARD -A INPUTFW -i br0 -p tcp -m tcp --dport 80 -j ALLOW -A INPUTFW -i br2 -p tcp -m tcp --dport 80 -j ALLOW -A INPUTFW -i br1 -p tcp -m tcp --dport 80 -j ALLOW -A INPUTFW -i br0 -p tcp -m tcp --dport 10443 -j ALLOW -A INPUTFW -i br0 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ALLOW -A INPUTFW -i br0 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 30 -j ALLOW -A INPUTFW -i br2 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ALLOW -A INPUTFW -i br2 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 
30 -j ALLOW -A INPUTFW -i br1 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ALLOW -A INPUTFW -i br1 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 30 -j ALLOW -A INPUTFW -i ipsec+ -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ALLOW -A INPUTFW -i ipsec+ -p icmp -m limit --limit 1/sec -m icmp --icmp-type 30 -j ALLOW -A INPUTFW -i br0 -p tcp -m tcp --dport 3001 -j ALLOW -A INPUTFW -i br2 -p tcp -m tcp --dport 3001 -j ALLOW -A INPUTFW -i br1 -p tcp -m tcp --dport 3001 -j ALLOW -A INPUTFW -i br0 -p tcp -m tcp --dport 53 -j ALLOW -A INPUTFW -i br0 -p udp -m udp --dport 53 -j ALLOW -A INPUTFW -i br2 -p tcp -m tcp --dport 53 -j ALLOW -A INPUTFW -i br2 -p udp -m udp --dport 53 -j ALLOW -A INPUTFW -i br1 -p tcp -m tcp --dport 53 -j ALLOW -A INPUTFW -i br1 -p udp -m udp --dport 53 -j ALLOW -A INPUTFW -i ipsec+ -p tcp -m tcp --dport 53 -j ALLOW -A INPUTFW -i ipsec+ -p udp -m udp --dport 53 -j ALLOW -A INPUTFW -i br0 -p tcp -m tcp --dport 22 -j ALLOW -A INPUTFW -i ppp0 -p gre -j ALLOW -A INPUTFW -i ppp0 -p esp -j ALLOW -A INPUTFW -i ppp0 -p ah -j ALLOW -A INPUTFW -i ppp0 -p udp -m udp --dport 500 -j ALLOW -A INPUTFW -i ppp0 -p udp -m udp --dport 4500 -j ALLOW -A INPUTFW -i br2 -p gre -j ALLOW -A INPUTFW -i br2 -p esp -j ALLOW -A INPUTFW -i br2 -p ah -j ALLOW -A INPUTFW -i br2 -p udp -m udp --dport 500 -j ALLOW -A INPUTFW -i br2 -p udp -m udp --dport 4500 -j ALLOW -A INPUTFW -i br1 -p gre -j ALLOW -A INPUTFW -i br1 -p esp -j ALLOW -A INPUTFW -i br1 -p ah -j ALLOW -A INPUTFW -i br1 -p udp -m udp --dport 500 -j ALLOW -A INPUTFW -i br1 -p udp -m udp --dport 4500 -j ALLOW -A INPUTFW -i br0 -p udp -m udp --dport 5060 -j NFLOG --nflog-prefix "SIPROXD:ACCEPT:13" -A INPUTFW -i br0 -p udp -m udp --dport 5060 -j ALLOW -A INPUTFW -i br0 -p udp -m udp --dport 7070:7090 -j NFLOG --nflog-prefix "SIPROXD:ACCEPT:13" -A INPUTFW -i br0 -p udp -m udp --dport 7070:7090 -j ALLOW -A INPUTFW -i ppp0 -p udp -m udp --dport 5060 -j NFLOG --nflog-prefix "SIPROXD:ACCEPT:13" -A 
INPUTFW -i ppp0 -p udp -m udp --dport 5060 -j ALLOW -A INPUTFW -i ppp0 -p udp -m udp --dport 7070:7090 -j NFLOG --nflog-prefix "SIPROXD:ACCEPT:13" -A INPUTFW -i ppp0 -p udp -m udp --dport 7070:7090 -j ALLOW -A INPUTFW -i br0 -p udp -m udp --dport 123 -j ALLOW -A INPUTFW -i br2 -p udp -m udp --dport 123 -j ALLOW -A INPUTFW -i br1 -p udp -m udp --dport 123 -j ALLOW -A INPUTFW -i ipsec+ -p udp -m udp --dport 123 -j ALLOW -A INPUTFW -p tcp -m tcp --dport 25 -j ALLOW -A INPUTFW -i br0 -p tcp -m tcp --dport 8080 -j ALLOW -A INPUTFW -i ipsec+ -p tcp -m tcp --dport 8080 -j ALLOW -A INPUTFW -i br2 -p tcp -m tcp --dport 8080 -j ALLOW -A INPUTFW_LOGDROP -j DROP -A INPUTTRAFFIC -i ipsec+ -j INPUTFW -A INPUTTRAFFIC -i ipsec+ -j INPUTFW_LOGDROP -A INPUTTRAFFIC -i tap+ -j INPUTFW -A INPUTTRAFFIC -i tap+ -j INPUTFW_LOGDROP -A INPUTTRAFFIC -m physdev --physdev-in tap+ -j INPUTFW -A INPUTTRAFFIC -m physdev --physdev-in tap+ -j INPUTFW_LOGDROP -A INPUTTRAFFIC -i br0 -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable -A INPUTTRAFFIC -i br0 -j INPUTFW -A INPUTTRAFFIC -i br0 -j INPUTFW_LOGDROP -A INPUTTRAFFIC -i br2 -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable -A INPUTTRAFFIC -i br2 -j INPUTFW -A INPUTTRAFFIC -i br2 -j INPUTFW_LOGDROP -A INPUTTRAFFIC -j INPUTFW -A NEWNOTSYN -j LOG_NEWNOTSYN -A NEWNOTSYN -j DROP -A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 80 -j ALLOW -A OUTGOINGFW -i br2 -o ppp0 -p tcp -m tcp --dport 80 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 443 -j ALLOW -A OUTGOINGFW -i br2 -o ppp0 -p tcp -m tcp --dport 443 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 21 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 25 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 110 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 143 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 995 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 993 -j ALLOW -A 
OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 53 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p udp -m udp --dport 53 -j ALLOW -A OUTGOINGFW -i br1 -o ppp0 -p tcp -m tcp --dport 53 -j ALLOW -A OUTGOINGFW -i br1 -o ppp0 -p udp -m udp --dport 53 -j ALLOW -A OUTGOINGFW -i br2 -o ppp0 -p tcp -m tcp --dport 53 -j ALLOW -A OUTGOINGFW -i br2 -o ppp0 -p udp -m udp --dport 53 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 30 -j ALLOW -A OUTGOINGFW -i br1 -o ppp0 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ALLOW -A OUTGOINGFW -i br1 -o ppp0 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 30 -j ALLOW -A OUTGOINGFW -i br2 -o ppp0 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ALLOW -A OUTGOINGFW -i br2 -o ppp0 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 30 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 2082 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 2086 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 2087 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 2095 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 10443 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 3389 -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 4125 -j ALLOW -A OUTGOINGFW -s 192.168.16.38 -o ppp0 -p tcp -m tcp -j ALLOW -A OUTGOINGFW -s 192.168.16.38 -o ppp0 -p udp -m udp -j ALLOW -A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 222 -j ALLOW -A OUTPUT -j ipac~i -A OUTPUT -j CUSTOMOUTPUT -A PORTFWACCESS -d 192.168.16.2 -i ppp0 -p tcp -m tcp --dport 3389 -j ALLOW -A PORTFWACCESS -d 192.168.16.2 -i ppp0 -p tcp -m tcp --dport 4125 -j ALLOW -A PORTFWACCESS -d 192.168.16.2 -i ppp0 -p tcp -m tcp --dport 443 -j NFLOG --nflog-prefix "PORTFWACCESS:ACCEPT:3" -A PORTFWACCESS -d 192.168.16.2 -i ppp0 -p tcp -m tcp --dport 443 -j ALLOW -A VPNFW -j ALLOW -A VPNFW_LOGDROP -j DROP 
-A VPNTRAFFIC -o ipsec+ -j VPNFW -A VPNTRAFFIC -o ipsec+ -j VPNFW_LOGDROP -A VPNTRAFFIC -i ipsec+ -j VPNFW -A VPNTRAFFIC -i ipsec+ -j VPNFW_LOGDROP -A VPNTRAFFIC -o tap+ -j VPNFW -A VPNTRAFFIC -o tap+ -j VPNFW_LOGDROP -A VPNTRAFFIC -i tap+ -j VPNFW -A VPNTRAFFIC -i tap+ -j VPNFW_LOGDROP -A VPNTRAFFIC -m physdev --physdev-out tap+ --physdev-is-bridged -j VPNFW -A VPNTRAFFIC -m physdev --physdev-out tap+ --physdev-is-bridged -j VPNFW_LOGDROP -A VPNTRAFFIC -m physdev --physdev-in tap+ -j VPNFW -A VPNTRAFFIC -m physdev --physdev-in tap+ -j VPNFW_LOGDROP -A VPNTRAFFIC -i ! br0 -o br0 -j VPNFW -A ZONEFW -i br0 -o br0 -j ALLOW -A ZONEFW -i br0 -o br2 -j ALLOW -A ZONEFW -i br0 -o br1 -j ALLOW -A ZONEFW -i br2 -o br2 -j ALLOW -A ZONEFW -i br1 -o br1 -j ALLOW -A ZONEFW_LOGDROP -j DROP -A ZONETRAFFIC -i br0 -o br0 -j ZONEFW -A ZONETRAFFIC -i br0 -o br0 -j ZONEFW_LOGDROP -A ZONETRAFFIC -i br0 -o br2 -j ZONEFW -A ZONETRAFFIC -i br0 -o br2 -j ZONEFW_LOGDROP -A ZONETRAFFIC -i br2 -o br0 -j ZONEFW -A ZONETRAFFIC -i br2 -o br0 -j ZONEFW_LOGDROP -A ZONETRAFFIC -i br2 -o br2 -j ZONEFW -A ZONETRAFFIC -i br2 -o br2 -j ZONEFW_LOGDROP -A ipac~fi -i br0 -A ipac~fi -i br2 -A ipac~fi -i ppp0 -A ipac~fo -o br0 -A ipac~fo -o br2 -A ipac~fo -o ppp0 -A ipac~i -o br0 -A ipac~i -o br2 -A ipac~i -o ppp0 -A ipac~o -i br0 -A ipac~o -i br2 -A ipac~o -i ppp0 COMMIT # Completed on Tue Feb 5 14:56:09 2008 # Generated by iptables-save v1.3.8 on Tue Feb 5 14:56:09 2008 *nat :PREROUTING ACCEPT [58813:18634105] :POSTROUTING ACCEPT [24294:1112149] :OUTPUT ACCEPT [32403:2095204] :CONTENTFILTER - [0:0] :CUSTOMPOSTROUTING - [0:0] :CUSTOMPREROUTING - [0:0] :DNSMASQ - [0:0] :ENACCESS - [0:0] :OPENVPNCLIENT - [0:0] :PORTFW - [0:0] :POSTPORTFW - [0:0] :REDNAT - [0:0] :REVERSENAT - [0:0] :SIPROXDPORTFW - [0:0] :SMTPSCAN - [0:0] :SQUID - [0:0] -A PREROUTING -m state --state RELATED,ESTABLISHED -A PREROUTING -j CUSTOMPREROUTING -A PREROUTING -j ENACCESS -A PREROUTING -j SIPROXDPORTFW -A PREROUTING -j CONTENTFILTER -A 
PREROUTING -j SQUID
-A PREROUTING -j DNSMASQ
-A PREROUTING -j PORTFW
-A POSTROUTING -j CUSTOMPOSTROUTING
-A POSTROUTING -j OPENVPNCLIENT
-A POSTROUTING -j REVERSENAT
-A POSTROUTING -j REDNAT
-A POSTROUTING -j POSTPORTFW
-A OUTPUT -j PORTFW
-A CUSTOMPREROUTING -p tcp -m tcp --dport 25 -j SMTPSCAN
-A DNSMASQ -i br0 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A DNSMASQ -i br0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A DNSMASQ -i br2 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
-A DNSMASQ -i br2 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PORTFW -d 82.141.197.129 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.16.2:3389
-A PORTFW -d 82.141.197.129 -p tcp -m tcp --dport 4125 -j DNAT --to-destination 192.168.16.2:4125
-A PORTFW -d 82.141.197.129 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.16.2:443
-A POSTPORTFW -s 192.168.16.0/255.255.255.0 -d 192.168.16.2 -p tcp -m tcp --dport 3389 -j SNAT --to-source 192.168.16.254
-A POSTPORTFW -s 10.100.0.0/255.255.255.0 -d 192.168.16.2 -p tcp -m tcp --dport 3389 -j SNAT --to-source 10.100.0.254
-A POSTPORTFW -s 192.168.16.0/255.255.255.0 -d 192.168.16.2 -p tcp -m tcp --dport 4125 -j SNAT --to-source 192.168.16.254
-A POSTPORTFW -s 10.100.0.0/255.255.255.0 -d 192.168.16.2 -p tcp -m tcp --dport 4125 -j SNAT --to-source 10.100.0.254
-A POSTPORTFW -s 192.168.16.0/255.255.255.0 -d 192.168.16.2 -p tcp -m tcp --dport 443 -j NFLOG --nflog-prefix "POSTPORTFW:ACCEPT:3"
-A POSTPORTFW -s 192.168.16.0/255.255.255.0 -d 192.168.16.2 -p tcp -m tcp --dport 443 -j SNAT --to-source 192.168.16.254
-A POSTPORTFW -s 10.100.0.0/255.255.255.0 -d 192.168.16.2 -p tcp -m tcp --dport 443 -j NFLOG --nflog-prefix "POSTPORTFW:ACCEPT:3"
-A POSTPORTFW -s 10.100.0.0/255.255.255.0 -d 192.168.16.2 -p tcp -m tcp --dport 443 -j SNAT --to-source 10.100.0.254
-A REDNAT -o ppp0 -j SNAT --to-source 82.141.197.129
-A REVERSENAT -s 192.168.16.2 -o ppp0 -p tcp -m tcp --dport 3389 -j SNAT --to-source 82.141.197.129
-A REVERSENAT -s 192.168.16.2 -o ppp0 -p tcp -m tcp --dport 4125 -j SNAT --to-source 82.141.197.129
-A REVERSENAT -s 192.168.16.2 -o ppp0 -p tcp -m tcp --dport 443 -j NFLOG --nflog-prefix "REVERSENAT:ACCEPT:3"
-A REVERSENAT -s 192.168.16.2 -o ppp0 -p tcp -m tcp --dport 443 -j SNAT --to-source 82.141.197.129
-A SIPROXDPORTFW -d 192.168.0.0/255.255.0.0 -i br0 -p udp -m udp --dport 5060 -j RETURN
-A SIPROXDPORTFW -d 172.16.0.0/255.240.0.0 -i br0 -p udp -m udp --dport 5060 -j RETURN
-A SIPROXDPORTFW -d 169.254.0.0/255.255.0.0 -i br0 -p udp -m udp --dport 5060 -j RETURN
-A SIPROXDPORTFW -d 10.0.0.0/255.0.0.0 -i br0 -p udp -m udp --dport 5060 -j RETURN
-A SIPROXDPORTFW -i ipsec+ -p udp -m udp --dport 5060 -j RETURN
-A SIPROXDPORTFW -i tap+ -p udp -m udp --dport 5060 -j RETURN
-A SIPROXDPORTFW -p udp -m udp --dport 5060 -m physdev --physdev-in tap+ -j RETURN
-A SIPROXDPORTFW -i br0 -p udp -m udp --dport 5060 -m state --state NEW -j ULOG --ulog-prefix "SIPROXD "
-A SIPROXDPORTFW -i br0 -p udp -m udp --dport 5061 -m state --state NEW -j ULOG --ulog-prefix "SIPROXD "
-A SIPROXDPORTFW -i br0 -p udp -m udp --dport 5060 -j REDIRECT
-A SIPROXDPORTFW -i ppp0 -p udp -m udp --dport 5061 -j REDIRECT --to-ports 5060
-A SIPROXDPORTFW -i br0 -p udp -m udp --dport 5061 -j REDIRECT --to-ports 5060
-A SMTPSCAN -i br0 -p tcp -m state --state NEW -j ULOG --ulog-prefix "SMTP "
-A SMTPSCAN -i br0 -p tcp -j DNAT --to-destination 192.168.16.254:25
-A SQUID -d ! 192.168.16.0/255.255.255.0 -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.16.254:8080
-A SQUID -d ! 10.100.0.0/255.255.255.0 -i br2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.100.0.254:8080
COMMIT
# Completed on Tue Feb 5 14:56:09 2008
ip rule
0: from all lookup local
5: from all to 192.168.16.254/24 lookup main
5: from all to 10.100.0.254/24 lookup main
199: from all fwmark 0x7e0/0x7f8 lookup uplink-main
200: from 82.141.197.129 lookup uplink-main
32766: from all lookup main
32767: from all lookup default
ip route
82.141.197.129 dev ppp0 proto kernel scope link src 82.141.197.129
159.134.155.28 dev ppp0 proto kernel scope link src 82.141.197.129
159.134.155.28 dev ipsec0 proto kernel scope link src 82.141.197.129
192.168.23.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
192.168.22.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
10.0.5.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
192.168.21.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
192.168.20.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
10.0.7.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
192.168.50.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
192.168.19.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
192.168.17.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
192.168.1.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
10.0.2.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
10.0.3.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
192.168.0.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
192.168.16.0/24 dev br0 proto kernel scope link src 192.168.16.254
10.0.12.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
10.0.13.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
192.168.200.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
10.0.8.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
192.168.26.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
10.100.0.0/24 dev br2 proto kernel scope link src 10.100.0.254
10.0.10.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
192.168.24.0/24 via 159.134.155.28 dev ipsec0 src 192.168.16.254
10.0.0.0/23 via 159.134.155.28 dev ipsec0 src 192.168.16.254
default via 159.134.155.28 dev ppp0
ip route show table uplink-main
82.141.197.129 dev ppp0 proto kernel scope link
default via 159.134.155.28 dev ppp0 proto kernel src 82.141.197.129
root@asbestos:~ #

# Generated by iptables-save v1.3.8 on Wed Feb 6 14:30:34 2008
*mangle
:PREROUTING ACCEPT [4025622:1916069173]
:INPUT ACCEPT [1267461:628929413]
:FORWARD ACCEPT [2743587:1281824773]
:OUTPUT ACCEPT [1201092:653596654]
:POSTROUTING ACCEPT [5512813:2917561708]
:CHECKIIF - [0:0]
:INCOMINGMARK - [0:0]
:LVS - [0:0]
:LVSSMTPSCAN - [0:0]
:MARKIIF - [0:0]
:POLICYROUTING - [0:0]
:PORTFW - [0:0]
:ROUTING - [0:0]
:VPNFW - [0:0]
:VPNTRAFFIC - [0:0]
:ZONEFW - [0:0]
:ZONETRAFFIC - [0:0]
-A PREROUTING -i lo -j ACCEPT
-A PREROUTING -j ROUTING
-A INPUT -i lo -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state NEW -m mark --mark 0x0/0xfff80000 -j VPNTRAFFIC
-A FORWARD -m state --state NEW -m mark --mark 0x0/0xfff80000 -j ZONETRAFFIC
-A FORWARD -m state --state RELATED,ESTABLISHED -j MARK --and-mark 0xffbfffff
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ROUTING
-A CHECKIIF -i ! eth0 -m connmark --mark 0x800/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! eth1 -m connmark --mark 0x1000/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! bond0 -m connmark --mark 0x1800/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! bond1 -m connmark --mark 0x2000/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! bond2 -m connmark --mark 0x2800/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! bond3 -m connmark --mark 0x3000/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! bond4 -m connmark --mark 0x3800/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! bond5 -m connmark --mark 0x4000/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! bond6 -m connmark --mark 0x4800/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! bond7 -m connmark --mark 0x5000/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! bond8 -m connmark --mark 0x5800/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! bond9 -m connmark --mark 0x6000/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! br0 -m connmark --mark 0x6800/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! ppp0 -m connmark --mark 0x7000/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! ppp0 -m connmark --mark 0x7000/0x3f800 -j MARK --or-mark 0x7e0
-A CHECKIIF -i ! tap1 -m connmark --mark 0x7800/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! ipsec0 -m connmark --mark 0x8000/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! ipsec1 -m connmark --mark 0x8800/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! ipsec2 -m connmark --mark 0x9000/0x3f800 -j MARK --and-mark 0xfffff807
-A CHECKIIF -i ! ipsec3 -m connmark --mark 0x9800/0x3f800 -j MARK --and-mark 0xfffff807
-A INCOMINGMARK -j POLICYROUTING
-A INCOMINGMARK -j PORTFW
-A INCOMINGMARK -j CONNMARK --restore-mark
-A MARKIIF -i eth0 -j CONNMARK --set-mark 0x800/0x3f800
-A MARKIIF -i eth1 -j CONNMARK --set-mark 0x1000/0x3f800
-A MARKIIF -i bond0 -j CONNMARK --set-mark 0x1800/0x3f800
-A MARKIIF -i bond1 -j CONNMARK --set-mark 0x2000/0x3f800
-A MARKIIF -i bond2 -j CONNMARK --set-mark 0x2800/0x3f800
-A MARKIIF -i bond3 -j CONNMARK --set-mark 0x3000/0x3f800
-A MARKIIF -i bond4 -j CONNMARK --set-mark 0x3800/0x3f800
-A MARKIIF -i bond5 -j CONNMARK --set-mark 0x4000/0x3f800
-A MARKIIF -i bond6 -j CONNMARK --set-mark 0x4800/0x3f800
-A MARKIIF -i bond7 -j CONNMARK --set-mark 0x5000/0x3f800
-A MARKIIF -i bond8 -j CONNMARK --set-mark 0x5800/0x3f800
-A MARKIIF -i bond9 -j CONNMARK --set-mark 0x6000/0x3f800
-A MARKIIF -i br0 -j CONNMARK --set-mark 0x6800/0x3f800
-A MARKIIF -i ppp0 -j CONNMARK --set-mark 0x7000/0x3f800
-A MARKIIF -i tap1 -j CONNMARK --set-mark 0x7800/0x3f800
-A MARKIIF -i ipsec0 -j CONNMARK --set-mark 0x8000/0x3f800
-A MARKIIF -i ipsec1 -j CONNMARK --set-mark 0x8800/0x3f800
-A MARKIIF -i ipsec2 -j CONNMARK --set-mark 0x9000/0x3f800
-A MARKIIF -i ipsec3 -j CONNMARK --set-mark 0x9800/0x3f800
-A POLICYROUTING -d 200.51.212.7 -p udp -m udp --dport 53 -j CONNMARK --set-mark 0x7e0/0x7f8
-A POLICYROUTING -m connmark ! --mark 0x0/0x7f8 -j RETURN
-A POLICYROUTING -d 200.51.212.7 -p tcp -m tcp --dport 53 -j CONNMARK --set-mark 0x7e0/0x7f8
-A POLICYROUTING -m connmark ! --mark 0x0/0x7f8 -j RETURN
-A POLICYROUTING -d 200.51.211.7 -p udp -m udp --dport 53 -j CONNMARK --set-mark 0x7e0/0x7f8
-A POLICYROUTING -m connmark ! --mark 0x0/0x7f8 -j RETURN
-A POLICYROUTING -d 200.51.211.7 -p tcp -m tcp --dport 53 -j CONNMARK --set-mark 0x7e0/0x7f8
-A POLICYROUTING -m connmark ! --mark 0x0/0x7f8 -j RETURN
-A ROUTING -i lo -j RETURN
-A ROUTING -o lo -j RETURN
-A ROUTING -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -m connmark ! --mark 0x0 -j CONNMARK --restore-mark
-A ROUTING -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -m connmark ! --mark 0x0 -j CHECKIIF
-A ROUTING -m state --state NEW -j MARKIIF
-A ROUTING -m state --state NEW -j INCOMINGMARK
-A VPNTRAFFIC -o ipsec+ -j VPNFW
-A VPNTRAFFIC -o ipsec+ -j RETURN
-A VPNTRAFFIC -i ipsec+ -j VPNFW
-A VPNTRAFFIC -i ipsec+ -j RETURN
-A VPNTRAFFIC -o tap+ -j VPNFW
-A VPNTRAFFIC -o tap+ -j RETURN
-A VPNTRAFFIC -i tap+ -j VPNFW
-A VPNTRAFFIC -i tap+ -j RETURN
-A VPNTRAFFIC -m physdev --physdev-out tap+ --physdev-is-bridged -j VPNFW
-A VPNTRAFFIC -m physdev --physdev-out tap+ --physdev-is-bridged -j RETURN
-A VPNTRAFFIC -m physdev --physdev-in tap+ -j VPNFW
-A VPNTRAFFIC -m physdev --physdev-in tap+ -j RETURN
-A VPNTRAFFIC -i ! br0 -o br0 -j VPNFW
-A VPNTRAFFIC -i ! br0 -o br0 -m mark --mark 0x0/0xfff80000 -j MARK --or-mark 0xc0000
-A ZONEFW -i br0 -o br0 -j ACCEPT
-A ZONEFW -i br0 -o br2 -j ACCEPT
-A ZONEFW -i br0 -o br1 -j ACCEPT
-A ZONEFW -i br2 -o br2 -j ACCEPT
-A ZONEFW -i br1 -o br1 -j ACCEPT
-A ZONETRAFFIC -i br0 -o br0 -j ZONEFW
-A ZONETRAFFIC -i br0 -o br0 -j RETURN
COMMIT
# Completed on Wed Feb 6 14:30:34 2008
# Generated by iptables-save v1.3.8 on Wed Feb 6 14:30:34 2008
*filter
:ALLOW - [0:0]
:ALLOW_HOOKS - [0:0]
:BADTCP - [0:0]
:CUSTOMFORWARD - [0:0]
:CUSTOMINPUT - [0:0]
:CUSTOMOUTPUT - [0:0]
:DROPBADTCP - [0:0]
:HAFORWARD - [0:0]
:ICMP_LOGDROP - [0:0]
:INPUT DROP [29810:2980317]
:FORWARD DROP [3573:436885]
:INPUTFW - [0:0]
:INPUTFW_LOGDROP - [0:0]
:INPUTTRAFFIC - [0:0]
:IPSECBLUE - [0:0]
:IPSECORANGE - [0:0]
:IPSECRED - [0:0]
:LOG_BADTCP - [0:0]
:LOG_FORWARD - [0:0]
:LOG_INPUT - [0:0]
:LOG_NEWNOTSYN - [0:0]
:NEWNOTSYN - [0:0]
:OPENVPNCLIENTDHCP - [0:0]
:OPENVPNDHCP - [0:0]
:OUTGOINGFW - [0:0]
:OUTPUT ACCEPT [2684573:1627852889]
:PORTFWACCESS - [0:0]
:PORTSCAN - [0:0]
:REDINPUT - [0:0]
:VPNFW - [0:0]
:VPNFW_LOGDROP - [0:0]
:VPNTRAFFIC - [0:0]
:ZONEFW - [0:0]
:ZONEFW_LOGDROP - [0:0]
:ZONETRAFFIC - [0:0]
:ipac~fi - [0:0]
:ipac~fo - [0:0]
:ipac~i - [0:0]
:ipac~o - [0:0]
-A ALLOW -j ALLOW_HOOKS
-A ALLOW -j ACCEPT
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROPBADTCP
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROPBADTCP
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROPBADTCP
-A BADTCP -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROPBADTCP
-A BADTCP -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROPBADTCP
-A BADTCP -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j NEWNOTSYN
-A DROPBADTCP -j LOG_BADTCP
-A DROPBADTCP -j DROP
-A ICMP_LOGDROP -p icmp -m icmp --icmp-type 8 -j RETURN
-A ICMP_LOGDROP -p icmp -m icmp --icmp-type 30 -j RETURN
-A ICMP_LOGDROP -j DROP
-A INPUT -j ipac~o
-A INPUT -j REDINPUT
-A INPUT -j PORTSCAN
-A INPUT -j BADTCP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec
-A INPUT -j CUSTOMINPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ALLOW
-A INPUT -p icmp -j ICMP_LOGDROP
-A INPUT -i lo -m state --state NEW -j ALLOW
-A INPUT -s 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP
-A INPUT -d 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP
-A INPUT -j IPSECRED
-A INPUT -j IPSECBLUE
-A INPUT -j IPSECORANGE
-A INPUT -m state --state NEW -j INPUTTRAFFIC
-A INPUT -j LOG_INPUT
-A FORWARD -j ipac~fi
-A FORWARD -j ipac~fo
-A FORWARD -j OPENVPNCLIENTDHCP
-A FORWARD -j OPENVPNDHCP
-A FORWARD -j PORTSCAN
-A FORWARD -j BADTCP
-A FORWARD -j CUSTOMFORWARD
-A FORWARD -m state --state RELATED,ESTABLISHED -j ALLOW
-A FORWARD -p icmp -j ICMP_LOGDROP
-A FORWARD -i lo -m state --state NEW -j ALLOW
-A FORWARD -s 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP
-A FORWARD -d 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP
-A FORWARD -j HAFORWARD
-A FORWARD -j VPNTRAFFIC
-A FORWARD -m state --state NEW -j OUTGOINGFW
-A FORWARD -m state --state NEW -j PORTFWACCESS
-A FORWARD -m state --state NEW -j ZONETRAFFIC
-A FORWARD -j LOG_FORWARD
-A INPUTFW -i br0 -p tcp -m tcp --dport 80 -j ALLOW
-A INPUTFW -i br2 -p tcp -m tcp --dport 80 -j ALLOW
-A INPUTFW -i br1 -p tcp -m tcp --dport 80 -j ALLOW
-A INPUTFW -i br0 -p tcp -m tcp --dport 10443 -j ALLOW
-A INPUTFW -i br0 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ALLOW
-A INPUTFW -i br0 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 30 -j ALLOW
-A INPUTFW -i br2 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ALLOW
-A INPUTFW -i br2 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 30 -j ALLOW
-A INPUTFW -i br1 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ALLOW
-A INPUTFW -i br1 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 30 -j ALLOW
-A INPUTFW -i tap2 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ALLOW
-A INPUTFW -i tap2 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 30 -j ALLOW
-A INPUTFW -i ipsec+ -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ALLOW
-A INPUTFW -i ipsec+ -p icmp -m limit --limit 1/sec -m icmp --icmp-type 30 -j ALLOW
-A INPUTFW -p icmp -m physdev --physdev-in tap1 -m limit --limit 1/sec -m icmp --icmp-type 8 -j ALLOW
-A INPUTFW -p icmp -m physdev --physdev-in tap1 -m limit --limit 1/sec -m icmp --icmp-type 30 -j ALLOW
-A INPUTFW -i br0 -p tcp -m tcp --dport 3001 -j ALLOW
-A INPUTFW -i br2 -p tcp -m tcp --dport 3001 -j ALLOW
-A INPUTFW -i br1 -p tcp -m tcp --dport 3001 -j ALLOW
-A INPUTFW -i br0 -p tcp -m tcp --dport 53 -j ALLOW
-A INPUTFW -i br0 -p udp -m udp --dport 53 -j ALLOW
-A INPUTFW -i br2 -p tcp -m tcp --dport 53 -j ALLOW
-A INPUTFW -i br2 -p udp -m udp --dport 53 -j ALLOW
-A INPUTFW -i br1 -p tcp -m tcp --dport 53 -j ALLOW
-A INPUTFW -i br1 -p udp -m udp --dport 53 -j ALLOW
-A INPUTFW -i tap2 -p tcp -m tcp --dport 53 -j ALLOW
-A INPUTFW -i tap2 -p udp -m udp --dport 53 -j ALLOW
-A INPUTFW -i ipsec+ -p tcp -m tcp --dport 53 -j ALLOW
-A INPUTFW -i ipsec+ -p udp -m udp --dport 53 -j ALLOW
-A INPUTFW -p tcp -m physdev --physdev-in tap1 -m tcp --dport 53 -j ALLOW
-A INPUTFW -p udp -m physdev --physdev-in tap1 -m udp --dport 53 -j ALLOW
-A INPUTFW -p udp -m udp --dport 1194 -j ALLOW
-A INPUTFW -i br0 -p tcp -m tcp --dport 22 -j ALLOW
-A INPUTFW -i ppp0 -p gre -j ALLOW
-A INPUTFW -i ppp0 -p esp -j ALLOW
-A INPUTFW -i ppp0 -p ah -j ALLOW
-A INPUTFW -i ppp0 -p udp -m udp --dport 500 -j ALLOW
-A INPUTFW -i ppp0 -p udp -m udp --dport 4500 -j ALLOW
-A INPUTFW -i br2 -p gre -j ALLOW
-A INPUTFW -i br2 -p esp -j ALLOW
-A INPUTFW -i br2 -p ah -j ALLOW
-A INPUTFW -i br2 -p udp -m udp --dport 500 -j ALLOW
-A INPUTFW -i br2 -p udp -m udp --dport 4500 -j ALLOW
-A INPUTFW -i br1 -p gre -j ALLOW
-A INPUTFW -i br1 -p esp -j ALLOW
-A INPUTFW -i br1 -p ah -j ALLOW
-A INPUTFW -i br1 -p udp -m udp --dport 500 -j ALLOW
-A INPUTFW -i br1 -p udp -m udp --dport 4500 -j ALLOW
-A INPUTFW -i br0 -p udp -m udp --dport 123 -j ALLOW
-A INPUTFW -i br2 -p udp -m udp --dport 123 -j ALLOW
-A INPUTFW -i br1 -p udp -m udp --dport 123 -j ALLOW
-A INPUTFW -i tap2 -p udp -m udp --dport 123 -j ALLOW
-A INPUTFW -i ipsec+ -p udp -m udp --dport 123 -j ALLOW
-A INPUTFW -p udp -m physdev --physdev-in tap1 -m udp --dport 123 -j ALLOW
-A INPUTFW -i br0 -p tcp -m tcp --dport 8080 -j ALLOW
-A INPUTFW -i tap2 -p tcp -m tcp --dport 8080 -j ALLOW
-A INPUTFW -i ipsec+ -p tcp -m tcp --dport 8080 -j ALLOW
-A INPUTFW -p tcp -m physdev --physdev-in tap1 -m tcp --dport 8080 -j ALLOW
-A INPUTFW_LOGDROP -j DROP
-A INPUTTRAFFIC -i ipsec+ -j INPUTFW
-A INPUTTRAFFIC -i ipsec+ -j INPUTFW_LOGDROP
-A INPUTTRAFFIC -i tap+ -j INPUTFW
-A INPUTTRAFFIC -i tap+ -j INPUTFW_LOGDROP
-A INPUTTRAFFIC -m physdev --physdev-in tap+ -j INPUTFW
-A INPUTTRAFFIC -m physdev --physdev-in tap+ -j INPUTFW_LOGDROP
-A INPUTTRAFFIC -i br0 -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUTTRAFFIC -i br0 -j INPUTFW
-A INPUTTRAFFIC -i br0 -j INPUTFW_LOGDROP
-A INPUTTRAFFIC -j INPUTFW
-A NEWNOTSYN -j LOG_NEWNOTSYN
-A NEWNOTSYN -j DROP
-A OPENVPNDHCP -p udp -m udp --sport 67 --dport 68 -m physdev --physdev-in tap1 -j REJECT --reject-with icmp-port-unreachable
-A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 80 -j ALLOW
-A OUTGOINGFW -i br2 -o ppp0 -p tcp -m tcp --dport 80 -j ALLOW
-A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 443 -j ALLOW
-A OUTGOINGFW -i br2 -o ppp0 -p tcp -m tcp --dport 443 -j ALLOW
-A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 21 -j ALLOW
-A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 25 -j ALLOW
-A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 110 -j ALLOW
-A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 143 -j ALLOW
-A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 995 -j ALLOW
-A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 993 -j ALLOW
-A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 53 -j ALLOW
-A OUTGOINGFW -i br0 -o ppp0 -p udp -m udp --dport 53 -j ALLOW
-A OUTGOINGFW -i br1 -o ppp0 -p tcp -m tcp --dport 53 -j ALLOW
-A OUTGOINGFW -i br1 -o ppp0 -p udp -m udp --dport 53 -j ALLOW
-A OUTGOINGFW -i br2 -o ppp0 -p tcp -m tcp --dport 53 -j ALLOW
-A OUTGOINGFW -i br2 -o ppp0 -p udp -m udp --dport 53 -j ALLOW
-A OUTGOINGFW -i br0 -o ppp0 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ALLOW
-A OUTGOINGFW -i br0 -o ppp0 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 30 -j ALLOW
-A OUTGOINGFW -i br1 -o ppp0 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ALLOW
-A OUTGOINGFW -i br1 -o ppp0 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 30 -j ALLOW
-A OUTGOINGFW -i br2 -o ppp0 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ALLOW
-A OUTGOINGFW -i br2 -o ppp0 -p icmp -m limit --limit 1/sec -m icmp --icmp-type 30 -j ALLOW
-A OUTGOINGFW -o ppp0 -m mac --mac-source 00:14:A4:43:5D:2A -j ALLOW
-A OUTGOINGFW -o ppp0 -m mac --mac-source 00:16:17:4E:18:DC -j ALLOW
-A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 1863 -j ALLOW
-A OUTGOINGFW -i br0 -o ppp0 -p tcp -m tcp --dport 1424 -j ALLOW
-A OUTGOINGFW -o ppp0 -m mac --mac-source 00:13:D3:74:32:41 -j ALLOW
-A OUTPUT -j ipac~i
-A OUTPUT -j CUSTOMOUTPUT
-A PORTFWACCESS -d 192.168.1.26 -i ppp0 -p tcp -m tcp --dport 28582 -j ALLOW
-A PORTFWACCESS -d 192.168.1.26 -i tap2 -p tcp -m tcp --dport 28582 -j ALLOW
-A PORTFWACCESS -d 192.168.1.26 -i ppp0 -p udp -m udp --dport 28746 -j ALLOW
-A PORTFWACCESS -d 192.168.1.26 -i tap2 -p udp -m udp --dport 28746 -j ALLOW
-A PORTFWACCESS -d 192.168.1.26 -i ppp0 -p tcp -m tcp --dport 23134 -j ALLOW
-A PORTFWACCESS -d 192.168.1.26 -i tap2 -p tcp -m tcp --dport 23134 -j ALLOW
-A PORTFWACCESS -d 192.168.1.21 -i ppp0 -p tcp -m tcp --dport 21640 -j ALLOW
-A PORTFWACCESS -d 192.168.1.21 -i ppp0 -p tcp -m tcp --dport 6346 -j ALLOW
-A PORTFWACCESS -d 192.168.1.21 -i ppp0 -p udp -m udp --dport 6346 -j ALLOW
-A PORTFWACCESS -d 192.168.1.21 -i ppp0 -p udp -m udp --dport 21640 -j ALLOW
-A VPNFW -j ALLOW
-A VPNFW_LOGDROP -j DROP
-A VPNTRAFFIC -o ipsec+ -j VPNFW
-A VPNTRAFFIC -o ipsec+ -j VPNFW_LOGDROP
-A VPNTRAFFIC -i ipsec+ -j VPNFW
-A VPNTRAFFIC -i ipsec+ -j VPNFW_LOGDROP
-A VPNTRAFFIC -o tap+ -j VPNFW
-A VPNTRAFFIC -o tap+ -j VPNFW_LOGDROP
-A VPNTRAFFIC -i tap+ -j VPNFW
-A VPNTRAFFIC -i tap+ -j VPNFW_LOGDROP
-A VPNTRAFFIC -m physdev --physdev-out tap+ --physdev-is-bridged -j VPNFW
-A VPNTRAFFIC -m physdev --physdev-out tap+ --physdev-is-bridged -j VPNFW_LOGDROP
-A VPNTRAFFIC -m physdev --physdev-in tap+ -j VPNFW
-A VPNTRAFFIC -m physdev --physdev-in tap+ -j VPNFW_LOGDROP
-A VPNTRAFFIC -i ! br0 -o br0 -j VPNFW
-A ZONEFW -i br0 -o br0 -j ALLOW
-A ZONEFW -i br0 -o br2 -j ALLOW
-A ZONEFW -i br0 -o br1 -j ALLOW
-A ZONEFW -i br2 -o br2 -j ALLOW
-A ZONEFW -i br1 -o br1 -j ALLOW
-A ZONEFW_LOGDROP -j DROP
-A ZONETRAFFIC -i br0 -o br0 -j ZONEFW
-A ZONETRAFFIC -i br0 -o br0 -j ZONEFW_LOGDROP
-A ipac~fi -i br0
-A ipac~fi -i ppp0
-A ipac~fo -o br0
-A ipac~fo -o ppp0
-A ipac~i -o br0
-A ipac~i -o ppp0
-A ipac~o -i br0
-A ipac~o -i ppp0
COMMIT
# Completed on Wed Feb 6 14:30:34 2008
# Generated by iptables-save v1.3.8 on Wed Feb 6 14:30:34 2008
*nat
:PREROUTING ACCEPT [181254:17783002]
:POSTROUTING ACCEPT [74759:4258125]
:OUTPUT ACCEPT [65805:3247638]
:CONTENTFILTER - [0:0]
:CUSTOMPOSTROUTING - [0:0]
:CUSTOMPREROUTING - [0:0]
:DNSMASQ - [0:0]
:ENACCESS - [0:0]
:OPENVPNCLIENT - [0:0]
:PORTFW - [0:0]
:POSTPORTFW - [0:0]
:REDNAT - [0:0]
:REVERSENAT - [0:0]
:SIPROXDPORTFW - [0:0]
:SMTPSCAN - [0:0]
:SQUID - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED
-A PREROUTING -j CUSTOMPREROUTING
-A PREROUTING -j ENACCESS
-A PREROUTING -j SIPROXDPORTFW
-A PREROUTING -j CONTENTFILTER
-A PREROUTING -j SQUID
-A PREROUTING -j DNSMASQ
-A PREROUTING -j PORTFW
-A POSTROUTING -j CUSTOMPOSTROUTING
-A POSTROUTING -j OPENVPNCLIENT
-A POSTROUTING -j REVERSENAT
-A POSTROUTING -j REDNAT
-A POSTROUTING -j POSTPORTFW
-A OUTPUT -j PORTFW
-A CUSTOMPREROUTING -p tcp -m tcp --dport 25 -j SMTPSCAN
-A PORTFW -d 190.48.140.238 -p tcp -m tcp --dport 28582 -j DNAT --to-destination 192.168.1.26:28582
-A PORTFW -d 190.48.140.238 -p udp -m udp --dport 28746 -j DNAT --to-destination 192.168.1.26:28746
-A PORTFW -d 190.48.140.238 -p tcp -m tcp --dport 23134 -j DNAT --to-destination 192.168.1.26:23134
-A PORTFW -d 190.48.140.238 -p tcp -m tcp --dport 21640 -j DNAT --to-destination 192.168.1.21:21640
-A PORTFW -d 190.48.140.238 -p tcp -m tcp --dport 6346 -j DNAT --to-destination 192.168.1.21:6346
-A PORTFW -d 190.48.140.238 -p udp -m udp --dport 6346 -j DNAT --to-destination 192.168.1.21:6346
-A PORTFW -d 190.48.140.238 -p udp -m udp --dport 21640 -j DNAT --to-destination 192.168.1.21:21640
-A POSTPORTFW -s 192.168.1.0/255.255.255.0 -d 192.168.1.26 -p tcp -m tcp --dport 28582 -j SNAT --to-source 192.168.1.1
-A POSTPORTFW -s 192.168.1.0/255.255.255.0 -d 192.168.1.26 -p udp -m udp --dport 28746 -j SNAT --to-source 192.168.1.1
-A POSTPORTFW -s 192.168.1.0/255.255.255.0 -d 192.168.1.26 -p tcp -m tcp --dport 23134 -j SNAT --to-source 192.168.1.1
-A POSTPORTFW -s 192.168.1.0/255.255.255.0 -d 192.168.1.21 -p tcp -m tcp --dport 21640 -j SNAT --to-source 192.168.1.1
-A POSTPORTFW -s 192.168.1.0/255.255.255.0 -d 192.168.1.21 -p tcp -m tcp --dport 6346 -j SNAT --to-source 192.168.1.1
-A POSTPORTFW -s 192.168.1.0/255.255.255.0 -d 192.168.1.21 -p udp -m udp --dport 6346 -j SNAT --to-source 192.168.1.1
-A POSTPORTFW -s 192.168.1.0/255.255.255.0 -d 192.168.1.21 -p udp -m udp --dport 21640 -j SNAT --to-source 192.168.1.1
-A REDNAT -o ppp0 -j SNAT --to-source 190.48.140.238
-A REVERSENAT -s 192.168.1.26 -o ppp0 -p tcp -m tcp --dport 28582 -j SNAT --to-source 190.48.140.238
-A REVERSENAT -s 192.168.1.26 -o ppp0 -p udp -m udp --dport 28746 -j SNAT --to-source 190.48.140.238
-A REVERSENAT -s 192.168.1.26 -o ppp0 -p tcp -m tcp --dport 23134 -j SNAT --to-source 190.48.140.238
-A REVERSENAT -s 192.168.1.21 -o ppp0 -p tcp -m tcp --dport 21640 -j SNAT --to-source 190.48.140.238
-A REVERSENAT -s 192.168.1.21 -o ppp0 -p tcp -m tcp --dport 6346 -j SNAT --to-source 190.48.140.238
-A REVERSENAT -s 192.168.1.21 -o ppp0 -p udp -m udp --dport 6346 -j SNAT --to-source 190.48.140.238
-A REVERSENAT -s 192.168.1.21 -o ppp0 -p udp -m udp --dport 21640 -j SNAT --to-source 190.48.140.238
-A SQUID -d ! 192.168.1.0/255.255.255.0 -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
COMMIT
# Completed on Wed Feb 6 14:30:34 2008
root@efw:~ # ip rule
0: from all lookup local
5: from all to 192.168.1.1/24 lookup main
5: from all to 192.168.6.0/24 lookup main
5: from all to 192.168.0.0/24 lookup main
199: from all fwmark 0x7e0/0x7f8 lookup uplink-main
200: from 190.48.140.238 lookup uplink-main
32766: from all lookup main
32767: from all lookup default
root@efw:~ # ip route
200.51.241.211 dev ppp0 proto kernel scope link src 190.48.140.238
200.51.241.211 dev ipsec0 proto kernel scope link src 190.48.140.238
190.48.140.238 dev ppp0 proto kernel scope link src 190.48.140.238
192.168.7.0/24 via 200.51.241.211 dev ipsec0 src 192.168.1.1
192.168.6.0/24 via 192.168.1.102 dev br0
192.168.3.0/24 via 200.51.241.211 dev ipsec0 src 192.168.1.1
192.168.2.0/24 via 200.51.241.211 dev ipsec0 src 192.168.1.1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.0.0/24 via 192.168.1.101 dev br0
1.1.1.0/24 dev eth1 proto kernel scope link src 1.1.1.1
default via 200.51.241.211 dev ppp0
root@efw:~ # ip route show table uplink-main
190.48.140.238 dev ppp0 proto kernel scope link
default via 200.51.241.211 dev ppp0 proto kernel src 190.48.140.238
(0000884) peter-endian (administrator) 2008-02-04 14:07 |
Your output is OK; it should work. I'm not able to reproduce this problem here, but there must be an issue. Could you please send me the output of: setportfw.py --debug --force; and after that, the output of: iptables -t nat -vnL; iptables -vnL. Does the port forward still not work after the setportfw call? |
(0000886) Sota (reporter) 2008-02-04 14:45 |
Portforwarding does not work after setportfw.py |
(0000894) peter-endian (administrator) 2008-02-05 12:04 |
This is weird. The rules in the output you provided (thank you!) are correct. Hmm, maybe there is something in routing which goes wrong, since we changed a lot there and it is not trivial anymore. Could you please post the output of the following: iptables-save; ip rule; ip route; ip route show table uplink-main. Hope I can see the mistake with those outputs. I'll try again to reproduce it here. |
(0000897) devorem (reporter) 2008-02-05 14:46 |
I'm having the same problem except my 2.2 Beta 3 system experiencing the issue did not have a configuration restored to it but was a fresh and clean install. I am trying to forward 3389 to 192.168.1.30 and 17311 to 192.168.1.110. I had these working successfully on test systems with Beta 2. I captured the output as requested of Sota. I will attach that as my next step. |
(0000898) kfason (reporter) 2008-02-05 15:05 |
I attached my output also, Peter, since this ticket is a dup of mine. |
(0000900) dmayan (reporter) 2008-02-06 17:35 |
Attached my output too, same problem!! Config restored from 2.2b2. |
(0000902) kfason (reporter) 2008-02-06 21:05 |
This also affects inter-zone as well. For my blue network I allow SSH and a port for an HP printer to GREEN, neither work from BLUE to GREEN. |
(0000905) Xahid (reporter) 2008-02-08 13:25 |
Same problem here! Port forwarding broken! |
(0000906) peter-endian (administrator) 2008-02-08 13:47 |
I could reproduce the problem now. It's a problem which is obvious on the community version and subtle on the enterprise version. Therefore it was not so easy to reproduce. Here is a workaround: iptables -t mangle -I VPNFW -j ACCEPT |
(0000907) Sota (reporter) 2008-02-08 13:50 |
That appears to work - thank you! Will this hold across a reboot? |
(0000908) peter-endian (administrator) 2008-02-08 13:56 |
No, but I will fix it now and provide an RPM. |
(0000910) juanlock (reporter) 2008-02-08 21:01 |
Thank you. It works. Can you send me an RPM too? |
(0000921) rwebb616 (reporter) 2008-02-17 05:15 |
Where could one find this RPM? |
(0000922) peter-endian (administrator) 2008-02-18 11:16 |
As soon as I post it... here. It is fixed right now, but I need to do some more testing, then I'll post it. |
(0000923) efee428 (reporter) 2008-02-18 15:08 |
On your workaround post 0000906, after applying the "iptables -t mangle -I VPNFW -j ACCEPT" on the firewall I encountered unwanted traffic on GREEN. I have another back firewalled server which was giving me reports of scanning and probing from traffic that would have been on RED now showing up on GREEN through the DMZ. So although it was a workaround, it seems to give carte blanche access from my DMZ to GREEN. I can SSH, Telnet, etc... all from ORANGE. |
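The workaround in note 0000906 inserts a rule with no match and the terminating target ACCEPT at the head of the mangle VPNFW chain, and the note above reports traffic from the DMZ reaching GREEN afterwards. A rule of that shape fires on every packet that enters the chain, so nothing after it in that chain is ever evaluated. The audit script below is an added example, not code from this ticket or from Endian: it parses the subset of iptables-save syntax seen in the dumps attached above (both negation spellings included), flags chains headed by such a catch-all, and also cross-checks that every DNAT in nat/PORTFW has the ALLOW in filter/PORTFWACCESS that a port forward needs when the FORWARD policy is DROP. The sample dump is constructed for the example; its addresses and ports are taken from this ticket, the chain contents are made up.

```python
"""Audit an iptables-save dump (added example, not Endian code) for:
1. DNATs in nat/PORTFW that lack the ALLOW in filter/PORTFWACCESS which a
   port forward also needs when the FORWARD policy is DROP;
2. chains where a matchless rule with a terminating target (such as the
   `-I VPNFW -j ACCEPT` workaround) leaves every later rule unreachable.
"""
import shlex
import sys

# Short names for the match options the audit cares about; every other option
# is stored under its own name without the leading dashes.
OPT_NAMES = {"-s": "src", "-d": "dst", "-i": "in", "-o": "out", "-p": "proto"}
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

# Constructed sample (not one of the attached dumps). The forward to
# 192.168.1.30:3389 deliberately has no PORTFWACCESS rule, and mangle/VPNFW
# carries the workaround ACCEPT in front of a real rule.
SAMPLE = """\
*filter
:FORWARD DROP [0:0]
:PORTFWACCESS - [0:0]
:VPNFW - [0:0]
-A PORTFWACCESS -d 192.168.1.26 -i ppp0 -p tcp -m tcp --dport 28582 -j ALLOW
-A PORTFWACCESS -d 192.168.1.21 -i ppp0 -p udp -m udp --dport 6346 -j ALLOW
-A VPNFW -j ALLOW
COMMIT
*mangle
:VPNFW - [0:0]
-A VPNFW -j ACCEPT
-A VPNFW -i ! br0 -o br0 -m mark --mark 0x0/0xfff80000 -j MARK --or-mark 0xc0000
COMMIT
*nat
:PORTFW - [0:0]
-A PORTFW -d 190.48.140.238 -p tcp -m tcp --dport 28582 -j DNAT --to-destination 192.168.1.26:28582
-A PORTFW -d 190.48.140.238 -p udp -m udp --dport 6346 -j DNAT --to-destination 192.168.1.21:6346
-A PORTFW -d 190.48.140.238 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.30:3389
COMMIT
"""


def parse_rule(line):
    """Split one `-A CHAIN ...` line into chain, matches, target and target options."""
    toks = shlex.split(line)
    rule = {"chain": toks[1], "target": None, "matches": {}, "target_opts": {}, "negated": set()}
    i, after_target, pending_neg = 2, False, False
    while i < len(toks):
        tok = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "!":                      # new-style negation: "! --mark 0x0"
            pending_neg, i = True, i + 1
            continue
        if tok == "-m":                     # match module name, carries no value itself
            i += 2
            continue
        if tok == "-j":
            rule["target"], after_target, i = nxt, True, i + 2
            continue
        if not tok.startswith("-"):         # stray value, e.g. 2nd argument of --tcp-flags
            i += 1
            continue
        key = OPT_NAMES.get(tok, tok.lstrip("-"))
        if nxt == "!":                      # old-style negation: "-d ! 10.0.0.0/8"
            pending_neg, i = True, i + 1
            nxt = toks[i + 1] if i + 1 < len(toks) else None
        if nxt is None or nxt.startswith("-"):
            value, i = True, i + 1          # bare flag such as --physdev-is-bridged
        else:
            value, i = nxt, i + 2
        (rule["target_opts"] if after_target else rule["matches"])[key] = value
        if pending_neg:
            rule["negated"].add(key)
            pending_neg = False
    return rule


def parse_dump(text):
    """Return {table: {chain: [rule, ...]}} with rules in dump order."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, {})
        elif line.startswith(":"):
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            rule = parse_rule(line)
            tables[table].setdefault(rule["chain"], []).append(rule)
    return tables


def unprotected_forwards(tables):
    """(proto, host, port) of nat/PORTFW DNATs with no matching filter/PORTFWACCESS ALLOW."""
    allowed = set()
    for r in tables.get("filter", {}).get("PORTFWACCESS", []):
        m = r["matches"]
        allowed.add((m.get("proto"), m.get("dst"), m.get("dport")))
    missing = []
    for r in tables.get("nat", {}).get("PORTFW", []):
        if r["target"] != "DNAT":
            continue
        host, _, port = r["target_opts"]["to-destination"].partition(":")
        key = (r["matches"].get("proto"), host, port or r["matches"].get("dport"))
        if key not in allowed:
            missing.append(key)
    return missing


def shadowed_chains(tables):
    """(table, chain, target, rules_after) for each chain whose first matchless
    rule has a terminating target and still has rules behind it."""
    findings = []
    for table, chains in tables.items():
        for chain, rules in chains.items():
            for n, r in enumerate(rules):
                if not r["matches"] and r["target"] in TERMINATING:
                    if len(rules) > n + 1:
                        findings.append((table, chain, r["target"], len(rules) - n - 1))
                    break
    return findings


if __name__ == "__main__":
    # Usage: python audit.py [iptables-save-output-file]; defaults to SAMPLE.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    tables = parse_dump(text)
    for proto, host, port in unprotected_forwards(tables):
        print(f"PORTFW DNAT to {host}:{port}/{proto} has no PORTFWACCESS ALLOW")
    for table, chain, target, n in shadowed_chains(tables):
        print(f"{table}/{chain}: catch-all {target} makes {n} later rule(s) unreachable")
```

The forward check deliberately ignores the `-i` interface of the PORTFWACCESS rules, because the DNAT side identifies the uplink by its public address rather than by interface; a stricter version would map public address to uplink interface first. User-defined targets such as ALLOW are not treated as terminating, so a matchless `-j ALLOW` (as in the filter VPNFW chain of the dumps above) is not reported even though ALLOW ends in ACCEPT.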
(0000925) peter-endian (administrator) 2008-02-19 19:16 |
The update is attached here. Please install it with rpm -U efw-firewall-2.2.45-0.endian11.i586.rpm --nodeps, since the requirement tree it would need does not exist yet within the last beta release. Those requirements are only necessary for ebtables logging, so that logging will not work for now. You will also get errors that ebtables nflog rules could not be created; just ignore them for now. The next release will contain all necessary requirements. |
(0000942) yylaw (reporter) 2008-03-03 06:05 |
After installing the RPM patch, TCP port forwarding from RED to GREEN is OK, but UDP port forwarding from RED to GREEN is still not working. |
(0000947) peter-endian (administrator) 2008-03-03 17:06 |
Do you have multiple uplinks and forward from a second uplink, or is it a simple setup? It did not happen in our test environment. I will retry to reproduce. |
(0000950) yylaw (reporter) 2008-03-04 11:21 |
I have a simple setup consisting of a single RED (DHCP) and a single GREEN only. My TCP port forwarding from "Uplink ANY : 25(SMTP)" to my internal server is working and tested reachable from www.checkor.com. My other UDP port forwarding rule from "Uplink ANY :20100 - 20199" cannot reach my app. No matter whether "ANY", "Any Uplink" or "Main" is used, the port forwarding still doesn't work. A strange thing occurred during my testing: after I removed the 2nd rule (total 5 rules), in the "Source" field all "Uplink ANY" was changed to "ANY". I then rebooted EFW but I cannot browse the internet anymore. On the main status page it shows "Connected". I can ping the EFW GREEN IP from inside GREEN. When I ping www.google.com, it can resolve the IP address but there is no ping response. |
(0000951) peter-endian (administrator) 2008-03-04 12:01 |
I can confirm the change from Uplink ANY to ANY. I think this must be a migration script (configuration migration from 2.1 to 2.2) which ran amok. I filed that bug as 0000592. Thank you! |
(0000952) peter-endian (administrator) 2008-03-04 12:16 |
The problem you have, that after reboot there is no more connection to the outside, could be this issue: 0000560. Still trying to reproduce the UDP port forwarding issue. |
(0000953) peter-endian (administrator) 2008-03-04 17:37 edited on: 2008-03-04 17:42 |
I was able to reproduce the port forward problem as well. It happens only with destination port ranges; if you use a single port number it does not happen. I filed the bug as 0000596. It's not easy to provide a workaround right now. It has too many dependencies which will break things if not installed. The fix will be part of the next release. |
(0000964) z71crazyman (reporter) 2008-03-18 00:29 |
When is the next release scheduled, team? |
Date Modified | Username | Field | Change |
2008-02-04 14:02 | Sota | New Issue | |
2008-02-04 14:02 | Sota | Status | new => assigned |
2008-02-04 14:02 | Sota | Assigned To | => peter-endian |
2008-02-04 14:02 | Sota | File Added: iptables.txt | |
2008-02-04 14:07 | peter-endian | Note Added: 0000884 | |
2008-02-04 14:07 | peter-endian | Status | assigned => feedback |
2008-02-04 14:18 | ra-endian | Target Version | => 2.2-rc1 |
2008-02-04 14:45 | Sota | Note Added: 0000886 | |
2008-02-04 14:45 | Sota | File Added: logging.txt | |
2008-02-05 08:27 | ra-endian | Relationship added | has duplicate 0000547 |
2008-02-05 12:04 | peter-endian | Note Added: 0000894 | |
2008-02-05 14:46 | devorem | Note Added: 0000897 | |
2008-02-05 14:47 | devorem | File Added: devorem-putty.log | |
2008-02-05 15:02 | Sota | File Added: logging2.txt | |
2008-02-05 15:05 | kfason | File Added: putty_kfason.log | |
2008-02-05 15:05 | kfason | Note Added: 0000898 | |
2008-02-06 17:34 | dmayan | File Added: putty_log_dmayan.txt | |
2008-02-06 17:35 | dmayan | Note Added: 0000900 | |
2008-02-06 21:05 | kfason | Note Added: 0000902 | |
2008-02-08 13:25 | Xahid | Note Added: 0000905 | |
2008-02-08 13:47 | peter-endian | Note Added: 0000906 | |
2008-02-08 13:50 | Sota | Note Added: 0000907 | |
2008-02-08 13:55 | peter-endian | Status | feedback => confirmed |
2008-02-08 13:56 | peter-endian | Note Added: 0000908 | |
2008-02-08 19:15 | peter-endian | Relationship added | has duplicate 0000555 |
2008-02-08 21:01 | juanlock | Note Added: 0000910 | |
2008-02-17 05:15 | rwebb616 | Note Added: 0000921 | |
2008-02-18 11:16 | peter-endian | Note Added: 0000922 | |
2008-02-18 15:08 | efee428 | Note Added: 0000923 | |
2008-02-19 19:02 | peter-endian | File Added: efw-firewall-2.2.45-0.endian11.i586.rpm | |
2008-02-19 19:16 | peter-endian | Status | confirmed => resolved |
2008-02-19 19:16 | peter-endian | Fixed in Version | => 2.2-rc1 |
2008-02-19 19:16 | peter-endian | Resolution | open => fixed |
2008-02-19 19:16 | peter-endian | Note Added: 0000925 | |
2008-02-19 19:20 | peter-endian | Relationship added | related to 0000452 |
2008-03-03 06:05 | yylaw | Status | resolved => feedback |
2008-03-03 06:05 | yylaw | Resolution | fixed => reopened |
2008-03-03 06:05 | yylaw | Note Added: 0000942 | |
2008-03-03 14:45 | juanlock | Note Added: 0000945 | |
2008-03-03 14:47 | juanlock | Note Deleted: 0000945 | |
2008-03-03 17:06 | peter-endian | Note Added: 0000947 | |
2008-03-04 11:21 | yylaw | Note Added: 0000950 | |
2008-03-04 12:01 | peter-endian | Note Added: 0000951 | |
2008-03-04 12:03 | peter-endian | Relationship added | related to 0000592 |
2008-03-04 12:16 | peter-endian | Note Added: 0000952 | |
2008-03-04 14:42 | ra-endian | Target Version | 2.2-rc1 => 2.2-beta4 |
2008-03-04 14:43 | ra-endian | Fixed in Version | 2.2-rc1 => 2.2-beta4 |
2008-03-04 17:37 | peter-endian | Relationship added | related to 0000596 |
2008-03-04 17:37 | peter-endian | Note Added: 0000953 | |
2008-03-04 17:42 | peter-endian | Note Edited: 0000953 | |
2008-03-18 00:29 | z71crazyman | Note Added: 0000964 | |
2008-04-08 07:57 | peter-endian | Relationship added | has duplicate 0000662 |
2008-04-22 13:27 | ra-endian | Status | feedback => resolved |
2008-04-22 13:27 | ra-endian | Resolution | reopened => fixed |
2008-04-23 17:41 | peter-endian | Status | resolved => closed |
2009-03-17 06:54 | raphael-endian | Relationship added | related to 0000014 |
Copyright © 2000 - 2012 MantisBT Group |