How do I block traffic between networks?

    • #337
      tnol2
      Participant

      Folks, I'm not managing to block traffic from the blue zone to the green zone. I've already created the rule in several ways, even leaving only that rule enabled, but I can still ping from one network to the other. Is there some bug in this Inter-zone traffic part?



    • #4855
      Albaney Baylão
      Participant

      Have you checked whether there is a rule in OutgoingFW allowing this traffic?

    • #4856
      Eduardo Silva
      Participant

      tnol2,

      Inter-zone traffic works perfectly here... what kind of traffic are you trying to block?

      If it is HTTP or some other protocol that goes through a proxy on the Endian, you will need to apply the block directly in the respective proxy.

      Run a tcpdump on the Endian to analyse the traffic that is passing through; if you are overlooking some detail, it will certainly show up in the tcpdump.

      I wrote a short tutorial at: http://linux.eduardosilva.eti.br/canivete-suico-para-redes

    • #4857
      Victor Fiorante
      Participant

      From what I could understand, you want to allow only HTTP access, not access to the internal network, correct? If so, do as Albaney said, but blocking the traffic!

    • #4858
      tnol2
      Participant

      Folks, for example, I want to block PING (ICMP) from the blue network to the green network, so I should create that rule (deny) in inter-zone traffic, correct? But when I create it, it doesn't work; I can still ping normally. And in outgoing traffic, the rule only allows ping to the RED zone.

    • #4859
      tnol2
      Participant

      My scenario is as follows: I have 4 interfaces in use on the Endian, green on the internal network, blue on the wireless network, orange on the DMZ, and red connected to the Internet. I want the blue network to have no access at all to the other networks, only port 80. But no matter how many rules I create in inter-zone traffic, those rules have no effect.

    • #4860
      tnol2
      Participant

      I have already created a rule in inter-zone traffic, in the first position, blocking everything from the blue zone to the green zone, and in outgoing, also in the first position, blocking everything. But the traffic still gets through.

    • #4861
      Eduardo Silva
      Participant

      tnol2,

      Post a screenshot of your inter-zone firewall on imageshack. Also provide information such as the addressing of the green and blue networks.

      []'s

    • #4862
      Eduardo Silva
      Participant

      Topic moved from "Tips and Tutorials" to the support forum.

    • #4863
      tnol2
      Participant

      I put the screenshot of the inter-zone firewall at the link below.

      http://img20.imageshack.us/img20/4162/endian01interzone.jpg

    • #4864
      Eduardo Silva
      Participant

      tnol2,

      Log in to the Endian via SSH and type

      iptables -L ZONEFW -nv

      and paste the output on pastebin.

      (I'm leaving for the weekend now, but I'll try to follow this post)

      []'s

    • #4865
      Albaney Baylão
      Participant

      In the rule you created to block the traffic, you are only blocking HTTP traffic (tcp/80). To block everything, the service should be ANY.

      Also post an image of the GREEN one and say which subnets (if they are private) BLUE and GREEN use.

    • #4866
      tnol2
      Participant

      Eduardo, here is the output of the command iptables -L ZONEFW -nv

      root@servfw:~ # iptables -L ZONEFW -nv
      Chain ZONEFW (9 references)
      pkts bytes target prot opt in out source destination
      0 0 DROP tcp -- br2 br0 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
      25269 15M ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
      0 0 ALLOW tcp -- br0 br1 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
      0 0 ALLOW udp -- br0 br1 0.0.0.0/0 0.0.0.0/0 udp dpt:53
      0 0 ACCEPT all -- br2 br2 0.0.0.0/0 0.0.0.0/0
      0 0 ACCEPT all -- br1 br1 0.0.0.0/0 0.0.0.0/0
      0 0 ACCEPT tcp -- * * 172.16.1.4 192.168.0.2 tcp dpt:25
      0 0 ACCEPT icmp -- * br0 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
      0 0 ACCEPT icmp -- * br0 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30
      0 0 ACCEPT icmp -- * br2 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
      0 0 ACCEPT icmp -- * br2 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30
      315 26460 ACCEPT icmp -- * br1 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
      0 0 ACCEPT icmp -- * br1 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30
      4 160 ACCEPT all -- br0 * 0.0.0.0/0 172.16.1.3
      0 0 ALLOW tcp -- br2 br0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
      0 0 ALLOW udp -- br2 br0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
      0 0 ALLOW tcp -- br0 br2 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
      0 0 ALLOW udp -- br0 br2 0.0.0.0/0 0.0.0.0/0 udp dpt:53
      root@servfw:~ #

    • #4867
      tnol2
      Participant

      Albaney, I set the rule to block only port 80 purely as a test: since I was trying with ANY and it wasn't working, I tried a specific port.

      And just to make it clearer, my interfaces are as follows:

      Green: 192.168.0.0/16

      Blue: 10.10.0.0/16

      Orange: 172.16.1.0/28

      Red: 200.133.17.0/22

    • #4868
      Eduardo Silva
      Participant

      tnol2, do the following test:

      On a machine in the green network, enable the remote desktop service, then go to a machine in the blue network, open the DOS prompt and type: "telnet ip_maquina_rede_green 3389".

      Copy and paste the result of the telnet here.

      []'s

    • #4869
      tnol2
      Participant

      Eduardo, I did this test using port 80, and I managed to establish the connection with telnet.

    • #4870
      tnol2
      Participant

      But I'll do the test with remote desktop and post the result here.

    • #4871
      tnol2
      Participant

      Eduardo, I did the following test:

      From a machine on the blue network, 10.10.0.7, I ran a telnet to my machine on the green network, 192.168.0.83, and the connection was made:

      Trying 192.168.0.83...
      Connected to 192.168.0.83
      Escape character is '^]'.

      Then I created a rule in inter-zone like this:

      source: blue destination: green service: tcp/3389 policy: deny

      And even after that rule, I was able to make the connection.

      Trying 192.168.0.83...
      Connected to 192.168.0.83
      Escape character is '^]'.

      Any idea?

    • #4872
      Eduardo Silva
      Participant

      Log in to the Endian via ssh and type

      iptables -I FORWARD -d 192.168.0.83 -p tcp --dport 3389 -j DROP

      Try the telnet again on port 3389 and paste the result here.

      To remove the rule, use the same command replacing -I with -D

      []'s

    • #4873
      tnol2
      Participant

      Eduardo, after running the command iptables -I FORWARD -d 192.168.0.83 -p tcp --dport 3389 -j DROP, I could no longer make the connection via telnet.

    • #4874
      tnol2
      Participant

      And then I changed the command to -D and ran the telnet again, and the connection succeeded.

    • #4875
      Albaney Baylão
      Participant

      Can you post an image of OutgoingFW and VPNFW? I still think there is a rule in OutgoingFW allowing this traffic....

      Try creating a rule dropping traffic with source network 10.10.0.0/16 and destination network 192.168.0.0/16, first in InterzoneFW and then in OutgoingFW if it doesn't work in the first one. Endian has a bug in QoS where traffic is not properly redirected by zone but is by address. Maybe the same bug happens here.

    • #4876
      Eduardo Silva
      Participant

      An additional question:

      Do you have any rule inserted via the command line?

    • #4877
      tnol2
      Participant

      Eduardo, I honestly don't remember whether I inserted any via the command line on this installation. I remember that before version 2.3 I had another installation running, and I was having trouble enabling the proxy, and I remember testing a few command lines. But I'm now even starting to think that on this version I may have put that line in some file too. What command can I run to check this, or is there some file where the rules are stored?

    • #4878
      Eduardo Silva
      Participant

      tnol2,

      In any case, provide the information Albaney asked for (image of OutgoingFW and VPNFW?)... They are quite useful.

      []'s

    • #4879
      tnol2
      Participant

      Below is a screenshot of outgoing; I didn't post VPNFW because it isn't even enabled.

      http://img218.imageshack.us/img218/8531/outgoing.jpg

    • #4880
      Eduardo Silva
      Participant

      tnol2,

      Do the other test Albaney mentioned: create a rule in the first position of the inter-zone firewall denying all traffic from the blue network to the green network. In the second position, create a rule blocking all traffic from the green network to the blue network.

      Run the telnet test again to see whether the traffic was blocked or not.

      []'s

    • #4881
      tnol2
      Participant

      Eduardo and Albaney, I did the test you asked for: I created a rule in the first position in inter-zone, and in outgoing, blocking traffic from network 10.10.0.0/16 to network 192.168.0.0/16, and the traffic kept passing normally. :S

    • #4882
      Eduardo Silva
      Participant

      tnol2,

      There is definitely something wrong with your Endian; the ideal would be to review your iptables completely and see where the traffic is being allowed.

      Do a full dump of your iptables so I can analyse it.

      Logged in to the firewall via ssh, type:

      iptables -t filter -L -nv

      iptables -t nat -L -nv

      iptables -t mangle -L -nv

      Use pastebin to paste the results of each table (one pastebin document per command).

      Don't forget to "mask" the public addresses while keeping them unique, for example:

      where it says 201.1.1.1 replace it with 201.1.X.X.

      where it says 201.1.1.2 replace it with 201.1.X.Y

      The filter table is the most important one; that is probably where our answer is, but just in case, post all the others too.

      []'s
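The review Eduardo describes, finding where in iptables a flow is being allowed, and the `-I FORWARD` / `-D` experiment from the earlier replies, as an added example that is not part of the thread: a Python script that parses `iptables -L -nv` listing output (the format posted in this thread), follows jumps between chains in first-match order, and reports the first rule that accepts or drops a given packet. The listing embedded in it is a constructed subset of the filter table posted in the next reply (FORWARD, ALLOW, OUTGOINGFW, ZONEFW) with three assumptions that are not on the page: br2 is blue and br0 is green (inferred from the tcp/80 test rule in ZONEFW), the ZONETRAFFIC chain simply dispatches br2-to-br0 traffic to ZONEFW, and OUTGOINGFW contains a hypothetical `ALLOW all br2 *` rule standing in for the permissive rule Albaney suspects; the thread itself never identifies such a rule. The three runs show why a correct ZONEFW deny can go unconsulted (an earlier chain in FORWARD accepts the NEW connection first), why it takes effect once that rule is gone, and why `iptables -I FORWARD ... -j DROP` drops regardless (position 1 is evaluated before every other chain). Rate limits, TCP flag matches and `!` negations are ignored by the matcher.

```python
# Added example: first-match walk over `iptables -L -nv` output, following jumps between chains.
import ipaddress, re
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
PROTOS = {"all", "tcp", "udp", "icmp"}

# Constructed subset of the filter table posted in the thread. Assumptions NOT on the page: br2 = blue
# and br0 = green; the body of ZONETRAFFIC; and the "ALLOW all br2 *" rule in OUTGOINGFW, a
# hypothetical stand-in for the permissive rule Albaney suspects exists (the thread never finds one).
LISTING = """\
Chain FORWARD (policy DROP 1133K packets, 72M bytes)
 pkts bytes target      prot opt in   out  source     destination
 147M   82G ALLOW       all  --  *    *    0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
6826K 1154M OUTGOINGFW  all  --  *    *    0.0.0.0/0  0.0.0.0/0  state NEW
2960K  935M ZONETRAFFIC all  --  *    *    0.0.0.0/0  0.0.0.0/0
Chain ALLOW (196 references)
 pkts bytes target      prot opt in   out  source     destination
 888M  650G ACCEPT      all  --  *    *    0.0.0.0/0  0.0.0.0/0
Chain OUTGOINGFW (1 references)
 pkts bytes target      prot opt in   out  source     destination
   57  3240 ALLOW       tcp  --  br0  eth1 0.0.0.0/0  0.0.0.0/0  tcp dpt:80
    0     0 ALLOW       all  --  br2  *    0.0.0.0/0  0.0.0.0/0
Chain ZONETRAFFIC (1 references)
 pkts bytes target      prot opt in   out  source     destination
    0     0 ZONEFW      all  --  br2  br0  0.0.0.0/0  0.0.0.0/0
Chain ZONEFW (9 references)
 pkts bytes target      prot opt in   out  source     destination
    0     0 DROP        all  --  br2  br0  0.0.0.0/0  0.0.0.0/0
"""

def parse_listing(text):
    """Parse `iptables -L -nv` output into {chain: {"policy": str|None, "rules": [dict]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("pkts"):
            continue
        m = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        f = line.split()
        if f[2] in PROTOS:  # rule with no target (e.g. a bare limit rule): keep columns aligned
            f.insert(2, None)
        chains[current]["rules"].append({"target": f[2], "proto": f[3], "in": f[5], "out": f[6],
                                         "src": f[7], "dst": f[8], "extra": " ".join(f[9:])})
    return chains

def rule_matches(rule, pkt):
    """Proto, interfaces ('tap+' wildcards), addresses, dpt: and state; limits, flags and '!' ignored."""
    iface = lambda p, x: p == "*" or (p.endswith("+") and x.startswith(p[:-1])) or p == x
    ok = rule["proto"] in ("all", pkt["proto"])
    ok = ok and iface(rule["in"], pkt["in"]) and iface(rule["out"], pkt["out"])
    ok = ok and all(ipaddress.ip_address(pkt[k]) in ipaddress.ip_network(rule[k], strict=False)
                    for k in ("src", "dst"))
    port = re.search(r"dpt:(\d+)", rule["extra"])
    state = re.search(r"state (\S+)", rule["extra"])
    ok = ok and (not port or int(port.group(1)) == pkt.get("dport"))
    return ok and (not state or pkt["state"] in state.group(1).split(","))

def _walk(chains, name, pkt, path):
    for i, rule in enumerate(chains[name]["rules"], 1):
        if not rule_matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt in TERMINAL:
            return tgt, path + [f"{name}#{i} {tgt}"]
        if tgt == "RETURN":
            return None
        if tgt in chains and (hit := _walk(chains, tgt, pkt, path + [f"{name}#{i} -> {tgt}"])):
            return hit  # jump into a user chain; a verdict reached inside it ends the walk
        # NFLOG/LOG, accounting targets and chains absent from the listing never terminate
    return None

def verdict(chains, pkt, chain="FORWARD"):
    """(verdict, path) for pkt; the built-in chain's policy applies when nothing matched."""
    return _walk(chains, chain, pkt, []) or (chains[chain]["policy"], [f"{chain} policy"])

def insert_rule(chains, chain, rule, pos=1):  # like `iptables -I CHAIN [pos] ...`, 1-based
    chains[chain]["rules"].insert(pos - 1, rule)

def delete_rule(chains, chain, pos):  # like `iptables -D CHAIN pos`
    del chains[chain]["rules"][pos - 1]

# Constructed packet: the NEW tcp/3389 connection tested in the thread, blue host -> green host.
RDP_NEW = {"in": "br2", "out": "br0", "src": "10.10.0.7", "dst": "192.168.0.83",
           "proto": "tcp", "dport": 3389, "state": "NEW"}
CLI_DROP = {"target": "DROP", "proto": "tcp", "in": "*", "out": "*",  # Eduardo's -I FORWARD test rule
            "src": "0.0.0.0/0", "dst": "192.168.0.83", "extra": "tcp dpt:3389"}

def scenarios():
    """Suspected ALLOW present; removed; present again plus the thread's `-I FORWARD ... -j DROP`."""
    chains = parse_listing(LISTING)
    present = verdict(chains, RDP_NEW)
    suspect = chains["OUTGOINGFW"]["rules"][1]
    delete_rule(chains, "OUTGOINGFW", 2)
    removed = verdict(chains, RDP_NEW)
    insert_rule(chains, "OUTGOINGFW", suspect, 2)
    insert_rule(chains, "FORWARD", CLI_DROP)
    return present, removed, verdict(chains, RDP_NEW)
```

Run it against a real dump with `parse_listing(open("filter.txt").read())` and a packet dict built from the flow under test. An ESTABLISHED packet resolves at FORWARD#1 through the ALLOW chain before any zone rule is consulted, which is why a deny added while a connection is already open does not cut that connection, and why the thread's telnet test opened a fresh (NEW) connection each time.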

    • #4883
      tnol2
      Participant

      FILTER table

      Chain ALLOW (196 references)
      pkts bytes target prot opt in out source destination
      1449M 1059G ALLOW_HOOKS all -- * * 0.0.0.0/0 0.0.0.0/0
      888M 650G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain ALLOW_HOOKS (1 references)
      pkts bytes target prot opt in out source destination
      2610K 1996M SNORT all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain BADTCP (2 references)
      pkts bytes target prot opt in out source destination
      0 0 BADTCP_LOGDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
      0 0 BADTCP_LOGDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
      25 1048 BADTCP_LOGDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
      17 18566 BADTCP_LOGDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
      0 0 BADTCP_LOGDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
      82 3688 BADTCP_LOGDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0
      3 1427 BADTCP_LOGDROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:0
      20 920 BADTCP_LOGDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:0
      134 12615 BADTCP_LOGDROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:0

      Chain BADTCP_LOGDROP (9 references)
      pkts bytes target prot opt in out source destination
      281 38264 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain CUSTOMFORWARD (1 references)
      pkts bytes target prot opt in out source destination

      Chain CUSTOMINPUT (1 references)
      pkts bytes target prot opt in out source destination

      Chain CUSTOMOUTPUT (1 references)
      pkts bytes target prot opt in out source destination

      Chain HAFORWARD (1 references)
      pkts bytes target prot opt in out source destination

      Chain ICMP_LOGDROP (2 references)
      pkts bytes target prot opt in out source destination
      536K 38M RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
      0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 30
      7388 531K DROP all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain INCOMINGFW (1 references)
      pkts bytes target prot opt in out source destination
      0 0 ALLOW icmp -- eth1 * 200.133.x.y 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
      0 0 ALLOW icmp -- eth1 * 200.133.x.y 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30

      Chain INPUT (policy DROP 1710K packets, 116M bytes)
      pkts bytes target prot opt in out source destination
      1303M 977G ipac~o all -- * * 0.0.0.0/0 0.0.0.0/0
      1303M 977G REDINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
      1303M 977G BADTCP all -- * * 0.0.0.0/0 0.0.0.0/0
      42311 30M NEWNOTSYN_LOGDROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
      4392K 201M tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 10/sec burst 5
      1303M 977G CUSTOMINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
      1275M 975G ALLOW all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
      277K 17M ICMP_LOGDROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
      20M 885M ALLOW all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
      0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0 state NEW
      0 0 DROP all -- * * 0.0.0.0/0 127.0.0.0/8 state NEW
      6820K 457M INPUTTRAFFIC all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
      1710K 116M LOG_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain FORWARD (policy DROP 1133K packets, 72M bytes)
      pkts bytes target prot opt in out source destination
      156M 84G ipac~fi all -- * * 0.0.0.0/0 0.0.0.0/0
      156M 84G ipac~fo all -- * * 0.0.0.0/0 0.0.0.0/0
      156M 84G OPENVPNCLIENTDHCP all -- * * 0.0.0.0/0 0.0.0.0/0
      156M 84G OPENVPNDHCP all -- * * 0.0.0.0/0 0.0.0.0/0
      156M 84G BADTCP all -- * * 0.0.0.0/0 0.0.0.0/0
      156M 84G CUSTOMFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
      147M 82G ALLOW all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
      267K 21M ICMP_LOGDROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
      0 0 ALLOW all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
      0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0 state NEW
      0 0 DROP all -- * * 0.0.0.0/0 127.0.0.0/8 state NEW
      9420K 1329M HAFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
      8500K 1250M PORTFWACCESS all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
      7746K 1233M VPNTRAFFIC all -- * * 0.0.0.0/0 0.0.0.0/0
      6826K 1154M OUTGOINGFW all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
      2040K 856M INCOMINGFW all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
      2960K 935M ZONETRAFFIC all -- * * 0.0.0.0/0 0.0.0.0/0
      1133K 72M LOG_FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain INPUTFW (7 references)
      pkts bytes target prot opt in out source destination
      0 0 ACCEPT tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
      0 0 ACCEPT tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
      0 0 ACCEPT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
      4628 222K ACCEPT tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10443
      0 0 ACCEPT tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3001
      0 0 ACCEPT tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3001
      0 0 ACCEPT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3001
      60480 3645K ACCEPT icmp -- br0 * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
      0 0 ACCEPT icmp -- br0 * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30
      0 0 ACCEPT icmp -- br2 * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
      0 0 ACCEPT icmp -- br2 * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30
      0 0 ACCEPT icmp -- br1 * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
      0 0 ACCEPT icmp -- br1 * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30
      0 0 ACCEPT icmp -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
      0 0 ACCEPT icmp -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30
      0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8 PHYSDEV match --physdev-in tap0
      0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30 PHYSDEV match --physdev-in tap0
      0 0 ACCEPT tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
      0 0 ACCEPT udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
      0 0 ACCEPT tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
      0 0 ACCEPT udp -- br2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
      0 0 ACCEPT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
      0 0 ACCEPT udp -- br1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
      0 0 ACCEPT tcp -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
      0 0 ACCEPT udp -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
      0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 PHYSDEV match --physdev-in tap0
      0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 PHYSDEV match --physdev-in tap0
      2 96 ACCEPT tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
      0 0 ACCEPT udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
      0 0 ACCEPT tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:123
      0 0 ACCEPT udp -- br2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
      0 0 ACCEPT tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:123
      0 0 ACCEPT udp -- br1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
      0 0 ACCEPT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:123
      0 0 ACCEPT udp -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
      0 0 ACCEPT tcp -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:123
      0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 PHYSDEV match --physdev-in tap0
      0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:123 PHYSDEV match --physdev-in tap0
      152 8532 ACCEPT tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
      244 14640 ACCEPT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
      4637K 229M ACCEPT tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
      0 0 ACCEPT tcp -- ipsec+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
      0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128 PHYSDEV match --physdev-in tap0

      Chain INPUTFW_LOGDROP (6 references)
      pkts bytes target prot opt in out source destination
      1427K 177M DROP all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain INPUTTRAFFIC (1 references)
      pkts bytes target prot opt in out source destination
      0 0 INPUTFW all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0
      0 0 INPUTFW_LOGDROP all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0
      0 0 INPUTFW all -- tap+ * 0.0.0.0/0 0.0.0.0/0
      0 0 INPUTFW_LOGDROP all -- tap+ * 0.0.0.0/0 0.0.0.0/0
      0 0 INPUTFW all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap+
      0 0 INPUTFW_LOGDROP all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap+
      0 0 REJECT tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with icmp-port-unreachable
      6114K 406M INPUTFW all -- br0 * 0.0.0.0/0 0.0.0.0/0
      1411K 172M INPUTFW_LOGDROP all -- br0 * 0.0.0.0/0 0.0.0.0/0
      0 0 REJECT tcp -- br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with icmp-port-unreachable
      13720 4339K INPUTFW all -- br2 * 0.0.0.0/0 0.0.0.0/0
      13568 4330K INPUTFW_LOGDROP all -- br2 * 0.0.0.0/0 0.0.0.0/0
      0 0 REJECT tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with icmp-port-unreachable
      2685 560K INPUTFW all -- br1 * 0.0.0.0/0 0.0.0.0/0
      2441 545K INPUTFW_LOGDROP all -- br1 * 0.0.0.0/0 0.0.0.0/0
      690K 46M INPUTFW all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain LOG_FORWARD (1 references)
      pkts bytes target prot opt in out source destination

      Chain LOG_INPUT (1 references)
      pkts bytes target prot opt in out source destination

      Chain NEWNOTSYN (0 references)
      pkts bytes target prot opt in out source destination
      0 0 RETURN all -- br0 br0 0.0.0.0/0 0.0.0.0/0
      0 0 RETURN all -- br2 br2 0.0.0.0/0 0.0.0.0/0
      0 0 RETURN all -- br1 br1 0.0.0.0/0 0.0.0.0/0
      0 0 RETURN all -- tap+ * 0.0.0.0/0 0.0.0.0/0
      0 0 RETURN all -- * tap+ 0.0.0.0/0 0.0.0.0/0
      0 0 NEWNOTSYN_LOGDROP all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain NEWNOTSYN_LOGDROP (2 references)
      pkts bytes target prot opt in out source destination
      42311 30M DROP all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain OPENVPNCLIENTDHCP (1 references)
      pkts bytes target prot opt in out source destination

      Chain OPENVPNDHCP (1 references)
      pkts bytes target prot opt in out source destination

      Chain OUTGOINGFW (1 references)
      pkts bytes target prot opt in out source destination
      57 3240 NFLOG tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 nflog-prefix "OUTGOINGFW:ALLOW:1"
      57 3240 ALLOW tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
      27932 1357K NFLOG tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 nflog-prefix "OUTGOINGFW:ALLOW:2"
      27932 1357K ALLOW tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
      90318 4341K NFLOG tcp -- * eth1 192.168.0.2 0.0.0.0/0 tcp dpt:25 nflog-prefix "OUTGOINGFW:ALLOW:4"
      90318 4341K ALLOW tcp -- * eth1 192.168.0.2 0.0.0.0/0 tcp dpt:25
      0 0 NFLOG tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 nflog-prefix "OUTGOINGFW:ALLOW:6"
      0 0 ALLOW tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
      0 0 NFLOG tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 nflog-prefix "OUTGOINGFW:ALLOW:8"
      0 0 ALLOW tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
      0 0 NFLOG tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 nflog-prefix "OUTGOINGFW:ALLOW:8"
      0 0 ALLOW tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
      0 0 NFLOG tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 nflog-prefix "OUTGOINGFW:ALLOW:9"
      0 0 ALLOW tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
      28 1680 NFLOG tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 nflog-prefix "OUTGOINGFW:ALLOW:9"
      28 1680 ALLOW tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
      0 0 NFLOG tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:8999 nflog-prefix "OUTGOINGFW:ACCEPT:10"
      0 0 ACCEPT tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:8999
      0 0 NFLOG udp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:8999 nflog-prefix "OUTGOINGFW:ACCEPT:10"
      0 0 ACCEPT udp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:8999
      14 672 NFLOG tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:23000 nflog-prefix "OUTGOINGFW:ACCEPT:10"
      14 672 ACCEPT tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:23000
      0 0 NFLOG udp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:23000 nflog-prefix "OUTGOINGFW:ACCEPT:10"
      0 0 ACCEPT udp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:23000
      0 0 NFLOG tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:3270 nflog-prefix "OUTGOINGFW:ACCEPT:10"
      0 0 ACCEPT tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:3270
      0 0 NFLOG udp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:3270 nflog-prefix "OUTGOINGFW:ACCEPT:10"
      0 0 ACCEPT udp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:3270
      0 0 NFLOG tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:3001 nflog-prefix "OUTGOINGFW:ACCEPT:10"
      0 0 ACCEPT tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:3001
      0 0 NFLOG udp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:3001 nflog-prefix "OUTGOINGFW:ACCEPT:10"
      0 0 ACCEPT udp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:3001
      0 0 NFLOG tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:3456 nflog-prefix "OUTGOINGFW:ACCEPT:10"
      0 0 ACCEPT tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:3456
      0 0 NFLOG udp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:3456 nflog-prefix "OUTGOINGFW:ACCEPT:10"
      0 0 ACCEPT udp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:3456
      0 0 NFLOG tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:53861 nflog-prefix "OUTGOINGFW:ACCEPT:11"
      0 0 ACCEPT tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:53861
      0 0 NFLOG udp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:53861 nflog-prefix "OUTGOINGFW:ACCEPT:11"
      0 0 ACCEPT udp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:53861
      10789 902K NFLOG icmp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8 nflog-prefix "OUTGOINGFW:ALLOW:12"
      10692 894K ALLOW icmp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
      0 0 NFLOG icmp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30 nflog-prefix "OUTGOINGFW:ALLOW:12"
      0 0 ALLOW icmp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30
      47 2748 NFLOG tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 nflog-prefix "OUTGOINGFW:ALLOW:13"
      47 2748 ALLOW tcp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
      98782 7052K NFLOG udp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:53 nflog-prefix "OUTGOINGFW:ALLOW:13"
      98782 7052K ALLOW udp -- br0 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:53
      10 600 NFLOG tcp -- br1 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 nflog-prefix "OUTGOINGFW:ALLOW:13"
      10 600 ALLOW tcp -- br1 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
      45247 3527K NFLOG udp -- br1 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:53 nflog-prefix "OUTGOINGFW:ALLOW:13"
      45247 3527K ALLOW udp -- br1 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:53
      0 0 NFLOG tcp -- br2 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 nflog-prefix "OUTGOINGFW:ALLOW:13"
      0 0 ALLOW tcp -- br2 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
      0 0 NFLOG udp -- br2 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:53 nflog-prefix "OUTGOINGFW:ALLOW:13"
      0 0 ALLOW udp -- br2 eth1 0.0.0.0/0 0.0.0.0/0 udp dpt:53
      0 0 NFLOG tcp -- * eth1 192.168.1.164 0.0.0.0/0 tcp dpt:21 nflog-prefix "OUTGOINGFW:ALLOW:14"
      0 0 ALLOW tcp -- * eth1 192.168.1.164 0.0.0.0/0 tcp dpt:21
      0 0 NFLOG tcp -- * eth1 192.168.1.158 0.0.0.0/0 tcp dpt:21 nflog-prefix "OUTGOINGFW:ALLOW:14"
      0 0 ALLOW tcp -- * eth1 192.168.1.158 0.0.0.0/0 tcp dpt:21
      24 1152 NFLOG tcp -- * eth1 192.168.0.160 0.0.0.0/0 tcp dpt:21 nflog-prefix "OUTGOINGFW:ALLOW:14"
      24 1152 ALLOW tcp -- * eth1 192.168.0.160 0.0.0.0/0 tcp dpt:21
      0 0 NFLOG tcp -- * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:21 nflog-prefix "OUTGOINGFW:ALLOW:14"
      0 0 ALLOW tcp -- * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:21
      0 0 NFLOG tcp -- * eth1 192.168.1.164 0.0.0.0/0 tcp dpt:22 nflog-prefix "OUTGOINGFW:ALLOW:14"
      0 0 ALLOW tcp -- * eth1 192.168.1.164 0.0.0.0/0 tcp dpt:22
      0 0 NFLOG tcp -- * eth1 192.168.1.158 0.0.0.0/0 tcp dpt:22 nflog-prefix "OUTGOINGFW:ALLOW:14"
      0 0 ALLOW tcp -- * eth1 192.168.1.158 0.0.0.0/0 tcp dpt:22
      0 0 NFLOG tcp -- * eth1 192.168.0.160 0.0.0.0/0 tcp dpt:22 nflog-prefix "OUTGOINGFW:ALLOW:14"
      0 0 ALLOW tcp -- * eth1 192.168.0.160 0.0.0.0/0 tcp dpt:22
      0 0 NFLOG tcp -- * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:22 nflog-prefix "OUTGOINGFW:ALLOW:14"
      0 0 ALLOW tcp -- * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:22
      0 0 NFLOG tcp -- * eth1 192.168.1.164 0.0.0.0/0 tcp dpt:24 nflog-prefix "OUTGOINGFW:ALLOW:14"
      0 0 ALLOW tcp -- * eth1 192.168.1.164 0.0.0.0/0 tcp dpt:24
      0 0 NFLOG tcp -- * eth1 192.168.1.158 0.0.0.0/0 tcp dpt:24 nflog-prefix "OUTGOINGFW:ALLOW:14"
      0 0 ALLOW tcp -- * eth1 192.168.1.158 0.0.0.0/0 tcp dpt:24
      0 0 NFLOG tcp -- * eth1 192.168.0.160 0.0.0.0/0 tcp dpt:24 nflog-prefix "OUTGOINGFW:ALLOW:14"
      0 0 ALLOW tcp -- * eth1 192.168.0.160 0.0.0.0/0 tcp dpt:24
      0 0 NFLOG tcp -- * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:24 nflog-prefix "OUTGOINGFW:ALLOW:14"
      0 0 ALLOW tcp -- * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:24
      0 0 NFLOG tcp -- * eth1 192.168.1.164 0.0.0.0/0 tcp dpt:222 nflog-prefix "OUTGOINGFW:ALLOW:14"
      0 0 ALLOW tcp -- * eth1 192.168.1.164 0.0.0.0/0 tcp dpt:222
      0 0 NFLOG tcp -- * eth1 192.168.1.158 0.0.0.0/0 tcp dpt:222 nflog-prefix "OUTGOINGFW:ALLOW:14"
      0 0 ALLOW tcp -- * eth1 192.168.1.158 0.0.0.0/0 tcp dpt:222
      0 0 NFLOG tcp -- * eth1 192.168.0.160 0.0.0.0/0 tcp dpt:222 nflog-prefix "OUTGOINGFW:ALLOW:14"
      0 0 ALLOW tcp -- * eth1 192.168.0.160 0.0.0.0/0 tcp dpt:222
      0 0 NFLOG tcp -- * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:222 nflog-prefix "OUTGOINGFW:ALLOW:14"
      0 0 ALLOW tcp -- * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:222
      0 0 NFLOG tcp -- * eth1 192.168.0.162 189.22.224.36 tcp dpt:22 nflog-prefix "OUTGOINGFW:ACCEPT:15"
      0 0 ACCEPT tcp -- * eth1 192.168.0.162 189.22.224.36 tcp dpt:22
      0 0 NFLOG udp -- * eth1 192.168.0.162 189.22.224.36 udp dpt:22 nflog-prefix "OUTGOINGFW:ACCEPT:15"
      0 0 ACCEPT udp -- * eth1 192.168.0.162 189.22.224.36 udp dpt:22
      0 0 NFLOG tcp -- * eth1 192.168.0.83 189.22.224.36 tcp dpt:22 nflog-prefix "OUTGOINGFW:ACCEPT:15"
      0 0 ACCEPT tcp -- * eth1 192.168.0.83 189.22.224.36 tcp dpt:22
      0 0 NFLOG udp -- * eth1 192.168.0.83 189.22.224.36 udp dpt:22 nflog-prefix "OUTGOINGFW:ACCEPT:15"
      0 0 ACCEPT udp -- * eth1 192.168.0.83 189.22.224.36 udp dpt:22
      33 1980 NFLOG tcp -- * eth1 192.168.0.162 189.22.224.36 tcp dpt:3306 nflog-prefix "OUTGOINGFW:ACCEPT:15"
      33 1980 ACCEPT tcp -- * eth1 192.168.0.162 189.22.224.36 tcp dpt:3306
      0 0 NFLOG udp -- * eth1 192.168.0.162 189.22.224.36 udp dpt:3306 nflog-prefix "OUTGOINGFW:ACCEPT:15"
      0 0 ACCEPT udp -- * eth1 192.168.0.162 189.22.224.36 udp dpt:3306
      0 0 NFLOG tcp -- * eth1 192.168.0.83 189.22.224.36 tcp dpt:3306 nflog-prefix "OUTGOINGFW:ACCEPT:15"
      0 0 ACCEPT tcp -- * eth1 192.168.0.83 189.22.224.36 tcp dpt:3306
      0 0 NFLOG udp -- * eth1 192.168.0.83 189.22.224.36 udp dpt:3306 nflog-prefix "OUTGOINGFW:ACCEPT:15"
      0 0 ACCEPT udp -- * eth1 192.168.0.83 189.22.224.36 udp dpt:3306
      0 0 NFLOG tcp -- * eth1 192.168.0.65 0.0.0.0/0 tcp dpt:1720 nflog-prefix "OUTGOINGFW:ACCEPT:16"
      0 0 ACCEPT tcp -- * eth1 192.168.0.65 0.0.0.0/0 tcp dpt:1720
      0 0 NFLOG all -- * eth1 192.168.0.23 0.0.0.0/0 nflog-prefix "OUTGOINGFW:ALLOW:17"
      0 0 ALLOW all -- * eth1 192.168.0.23 0.0.0.0/0
      0 0 NFLOG all -- * eth1 192.168.0.65 0.0.0.0/0 nflog-prefix "OUTGOINGFW:ACCEPT:18"
      0 0 ACCEPT all -- * eth1 192.168.0.65 0.0.0.0/0
      0 0 NFLOG tcp -- * eth1 192.168.0.62 0.0.0.0/0 tcp dpt:25 nflog-prefix "OUTGOINGFW:ALLOW:19"
      0 0 ALLOW tcp -- * eth1 192.168.0.62 0.0.0.0/0 tcp dpt:25
      0 0 NFLOG tcp -- br0 eth1 0.0.0.0/0 200.20.215.194 tcp dpt:8080 nflog-prefix "OUTGOINGFW:ALLOW:20"
      0 0 ALLOW tcp -- br0 eth1 0.0.0.0/0 200.20.215.194 tcp dpt:8080
      0 0 NFLOG tcp -- * eth1 192.168.0.18 200.129.168.18 tcp dpt:8080 nflog-prefix "OUTGOINGFW:ALLOW:21"
      0 0 ALLOW tcp -- * eth1 192.168.0.18 200.129.168.18 tcp dpt:8080
      0 0 NFLOG tcp -- * eth1 192.168.0.18 200.249.188.55 tcp dpt:8080 nflog-prefix "OUTGOINGFW:ALLOW:21"
      0 0 ALLOW tcp -- * eth1 192.168.0.18 200.249.188.55 tcp dpt:8080
      0 0 NFLOG tcp -- * eth1 192.168.0.18 200.137.128.16 tcp dpt:8080 nflog-prefix "OUTGOINGFW:ALLOW:21"
      0 0 ALLOW tcp -- * eth1 192.168.0.18 200.137.128.16 tcp dpt:8080
      0 0 NFLOG tcp -- * eth1 192.168.0.18 200.137.2.123 tcp dpt:8080 nflog-prefix "OUTGOINGFW:ALLOW:21"
      0 0 ALLOW tcp -- * eth1 192.168.0.18 200.137.2.123 tcp dpt:8080
      0 0 NFLOG tcp -- * eth1 192.168.0.16 0.0.0.0/0 tcp dpt:21 nflog-prefix "OUTGOINGFW:ALLOW:22"
      0 0 ALLOW tcp -- * eth1 192.168.0.16 0.0.0.0/0 tcp dpt:21
      1 60 NFLOG tcp -- * eth1 192.168.0.26 0.0.0.0/0 tcp dpt:21 nflog-prefix "OUTGOINGFW:ACCEPT:23"
      1 60 ACCEPT tcp -- * eth1 192.168.0.26 0.0.0.0/0 tcp dpt:21
      0 0 NFLOG tcp -- * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:5223 nflog-prefix "OUTGOINGFW:ACCEPT:24"
      0 0 ACCEPT tcp -- * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:5223
      0 0 NFLOG udp -- * eth1 192.168.0.83 0.0.0.0/0 udp dpt:5223 nflog-prefix "OUTGOINGFW:ACCEPT:24"
      0 0 ACCEPT udp -- * eth1 192.168.0.83 0.0.0.0/0 udp dpt:5223
      0 0 NFLOG tcp -- * eth1 192.168.1.118 0.0.0.0/0 tcp dpt:21 nflog-prefix "OUTGOINGFW:ALLOW:25"
      0 0 ALLOW tcp -- * eth1 192.168.1.118 0.0.0.0/0 tcp dpt:21
      0 0 NFLOG tcp -- * eth1 192.168.2.73 0.0.0.0/0 tcp dpt:21 nflog-prefix "OUTGOINGFW:ALLOW:25"
      0 0 ALLOW tcp -- * eth1 192.168.2.73 0.0.0.0/0 tcp dpt:21
      0 0 NFLOG tcp -- * eth1 192.168.0.31 0.0.0.0/0 tcp dpt:21 nflog-prefix "OUTGOINGFW:ALLOW:25"
      0 0 ALLOW tcp -- * eth1 192.168.0.31 0.0.0.0/0 tcp dpt:21
      0 0 NFLOG tcp -- * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:21 nflog-prefix "OUTGOINGFW:ALLOW:25"
      0 0 ALLOW tcp -- * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:21
      0 0 NFLOG tcp -- * eth1 192.168.1.3 0.0.0.0/0 tcp dpt:21 nflog-prefix "OUTGOINGFW:ALLOW:25"
      0 0 ALLOW tcp -- * eth1 192.168.1.3 0.0.0.0/0 tcp dpt:21
      0 0 NFLOG tcp -- * eth1 172.16.1.4 0.0.0.0/0 tcp dpt:80 nflog-prefix "OUTGOINGFW:ACCEPT:26"
      0 0 ACCEPT tcp -- * eth1 172.16.1.4 0.0.0.0/0 tcp dpt:80
      0 0 NFLOG tcp -- * eth1 172.16.1.4 0.0.0.0/0 tcp dpt:443 nflog-prefix "OUTGOINGFW:ACCEPT:26"
      0 0 ACCEPT tcp -- * eth1 172.16.1.4 0.0.0.0/0 tcp dpt:443
      0 0 NFLOG tcp -- * eth1 172.16.1.4 0.0.0.0/0 tcp dpt:21 nflog-prefix "OUTGOINGFW:ACCEPT:26"
      0 0 ACCEPT tcp -- * eth1 172.16.1.4 0.0.0.0/0 tcp dpt:21
      0 0 NFLOG tcp -- * eth1 192.168.0.180 0.0.0.0/0 tcp dpt:8000 nflog-prefix "OUTGOINGFW:ALLOW:27"
      0 0 ALLOW tcp -- * eth1 192.168.0.180 0.0.0.0/0 tcp dpt:8000
      0 0 NFLOG tcp -- * eth1 192.168.2.84 0.0.0.0/0 tcp dpt:3007 nflog-prefix "OUTGOINGFW:ALLOW:28"

      0 0 ALLOW tcp — * eth1 192.168.2.84 0.0.0.0/0 tcp dpt:3007

      0 0 NFLOG all — * eth1 192.168.1.177 0.0.0.0/0 nflog-prefix “OUTGOINGFW:ALLOW:30”

      0 0 ALLOW all — * eth1 192.168.1.177 0.0.0.0/0

      0 0 NFLOG tcp — * eth1 192.168.0.21 0.0.0.0/0 tcp dpt:25 nflog-prefix “OUTGOINGFW:ALLOW:31”

      0 0 ALLOW tcp — * eth1 192.168.0.21 0.0.0.0/0 tcp dpt:25

      0 0 NFLOG tcp — * eth1 192.168.0.21 0.0.0.0/0 tcp dpt:22 nflog-prefix “OUTGOINGFW:ALLOW:31”

      0 0 ALLOW tcp — * eth1 192.168.0.21 0.0.0.0/0 tcp dpt:22

      0 0 NFLOG tcp — br0 eth1 0.0.0.0/0 200.129.244.14 tcp dpt:8080 nflog-prefix “OUTGOINGFW:ALLOW:32”

      0 0 ALLOW tcp — br0 eth1 0.0.0.0/0 200.129.244.14 tcp dpt:8080

      0 0 NFLOG all — * eth1 192.168.8.1 200.179.172.186 nflog-prefix “OUTGOINGFW:ALLOW:33”

      0 0 ALLOW all — * eth1 192.168.8.1 200.179.172.186

      0 0 NFLOG all — * eth1 192.168.8.2 200.179.172.186 nflog-prefix “OUTGOINGFW:ALLOW:33”

      0 0 ALLOW all — * eth1 192.168.8.2 200.179.172.186

      0 0 NFLOG all — * eth1 192.168.8.3 200.179.172.186 nflog-prefix “OUTGOINGFW:ALLOW:33”

      0 0 ALLOW all — * eth1 192.168.8.3 200.179.172.186

      0 0 NFLOG all — br0 eth1 0.0.0.0/0 200.17.137.40 nflog-prefix “OUTGOINGFW:ACCEPT:34”

      0 0 ACCEPT all — br0 eth1 0.0.0.0/0 200.17.137.40

      0 0 NFLOG tcp — * eth1 192.168.1.23 0.0.0.0/0 tcp dpt:22 nflog-prefix “OUTGOINGFW:ACCEPT:35”

      0 0 ACCEPT tcp — * eth1 192.168.1.23 0.0.0.0/0 tcp dpt:22

      0 0 NFLOG udp — * eth1 192.168.1.23 0.0.0.0/0 udp dpt:22 nflog-prefix “OUTGOINGFW:ACCEPT:35”

      0 0 ACCEPT udp — * eth1 192.168.1.23 0.0.0.0/0 udp dpt:22

      0 0 NFLOG tcp — * eth1 192.168.1.23 0.0.0.0/0 tcp dpt:3306 nflog-prefix “OUTGOINGFW:ACCEPT:35”

      0 0 ACCEPT tcp — * eth1 192.168.1.23 0.0.0.0/0 tcp dpt:3306

      0 0 NFLOG udp — * eth1 192.168.1.23 0.0.0.0/0 udp dpt:3306 nflog-prefix “OUTGOINGFW:ACCEPT:35”

      0 0 ACCEPT udp — * eth1 192.168.1.23 0.0.0.0/0 udp dpt:3306

      0 0 NFLOG all — * eth1 192.168.5.6 0.0.0.0/0 nflog-prefix “OUTGOINGFW:ALLOW:36”

      0 0 ALLOW all — * eth1 192.168.5.6 0.0.0.0/0

      41 2528 NFLOG icmp — * eth1 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8 nflog-prefix “OUTGOINGFW:ACCEPT:37”

      41 2528 ACCEPT icmp — * eth1 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8

      0 0 NFLOG icmp — * eth1 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30 nflog-prefix “OUTGOINGFW:ACCEPT:37”

      0 0 ACCEPT icmp — * eth1 0.0.0.0/0 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30

      Chain OUTPUT (policy ACCEPT 1316M packets, 986G bytes)
      pkts bytes target prot opt in out source destination
      1316M 986G ipac~i all -- * * 0.0.0.0/0 0.0.0.0/0
      1316M 986G CUSTOMOUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain PORTFWACCESS (1 references)
      pkts bytes target prot opt in out source destination
      169K 8964K ALLOW tcp -- * * 0.0.0.0/0 192.168.1.23
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.1.23
      0 0 ALLOW tcp -- * * 189.22.x.y 192.168.1.23
      0 0 ALLOW tcp -- * * 189.22.x.y 192.168.1.23
      0 0 ALLOW tcp -- * * 189.22.x.y 192.168.1.23
      180K 9526K ALLOW tcp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.162
      95941 4888K ALLOW tcp -- * * 0.0.0.0/0 172.16.1.4
      280K 20M ALLOW udp -- * * 0.0.0.0/0 172.16.1.4
      0 0 ALLOW tcp -- * * 0.0.0.0/0 172.16.1.4
      0 0 ALLOW udp -- * * 0.0.0.0/0 172.16.1.4
      467 38239 ACCEPT 47 -- * * 0.0.0.0/0 192.168.0.80
      1757 108K ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.80
      0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.0.80
      61720 3702K ALLOW tcp -- * * 0.0.0.0/0 192.168.0.2
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.2
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.2
      6505 355K ALLOW tcp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.160
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.160
      19231 1109K ALLOW tcp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.18
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.18
      1432 69260 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.161
      28 11312 ALLOW udp -- * * 0.0.0.0/0 192.168.0.161
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.161
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.161
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.161
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.161
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.161
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.161
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.161
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.161
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.161
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.161
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.161
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.161
      480K 25M ALLOW tcp -- * * 0.0.0.0/0 192.168.0.21
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.21
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.21
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.21
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.21
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.21
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.21
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.21
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.21
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.21
      12984 768K ALLOW tcp -- * * 0.0.0.0/0 192.168.0.202
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.202
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.202
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.162
      12 3085 ALLOW udp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW udp -- * * 0.0.0.0/0 192.168.0.162
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.167 tcp dpt:80
      17 2062 ACCEPT udp -- * * 0.0.0.0/0 192.168.0.171
      80927 4429K ALLOW tcp -- * * 0.0.0.0/0 192.168.0.30
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.30
      2374 127K ALLOW tcp -- * * 0.0.0.0/0 192.168.0.25
      764 37784 ACCEPT tcp -- eth1 * 0.0.0.0/0 192.168.0.65
      373 35566 ACCEPT all -- * * 0.0.0.0/0 192.168.0.65
      10 600 ALLOW tcp -- * * 200.179.x.y 192.168.0.4
      0 0 ALLOW udp -- * * 200.179.x.y 192.168.0.4
      0 0 ALLOW tcp -- * * 200.179.x.y 192.168.0.4
      0 0 ALLOW udp -- * * 200.179.x.y 192.168.0.4
      19 912 ALLOW tcp -- * * 201.38.x.y 192.168.0.4
      0 0 ALLOW tcp -- * * 201.38.x.y 192.168.0.4
      0 0 ALLOW tcp -- * * 200.133.x.y 192.168.0.4
      0 0 ALLOW tcp -- * * 200.133.x.y 192.168.0.4
      0 0 ALLOW tcp -- * * 201.38.x.y 192.168.0.30
      0 0 ALLOW tcp -- * * 201.38.x.y 192.168.0.30
      0 0 ALLOW tcp -- * * 201.38.x.y 192.168.0.33
      0 0 ALLOW tcp -- * * 201.38.x.y 192.168.0.33
      12985 701K ALLOW tcp -- * * 0.0.0.0/0 192.168.0.163
      0 0 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.163
      2662 148K ALLOW all -- * * 0.0.0.0/0 192.168.0.83
      2099 119K ALLOW all -- * * 0.0.0.0/0 192.168.0.23
      989 59340 ALLOW icmp -- * * 200.133.x.y 192.168.0.31
      0 0 ALLOW icmp -- * * 200.133.x.y 192.168.0.31
      53 2544 ALLOW tcp -- * * 200.179.x.y 192.168.0.66
      39 1920 ALLOW tcp -- * * 189.22.x.y 192.168.0.68
      61 3012 ALLOW tcp -- * * 200.133.x.y 192.168.0.69
      164 7876 ALLOW tcp -- * * 0.0.0.0/0 192.168.0.70
      107 5146 ALLOW tcp -- * * 200.133.x.y 192.168.0.71
      1072 68208 ACCEPT all -- * * 0.0.0.0/0 192.168.6.218

      Chain REDINPUT (1 references)
      pkts bytes target prot opt in out source destination

      Chain SNORT (1 references)
      pkts bytes target prot opt in out source destination
      258 16600 RETURN tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
      0 0 RETURN tcp -- * * 80.190.199.132 0.0.0.0/0 tcp spt:8991
      0 0 RETURN tcp -- * * 80.190.199.132 0.0.0.0/0 tcp spt:443
      0 0 RETURN tcp -- * * 80.190.199.132 0.0.0.0/0 tcp spt:22
      0 0 RETURN tcp -- * * 80.190.199.131 0.0.0.0/0 tcp spt:8991
      0 0 RETURN tcp -- * * 80.190.199.131 0.0.0.0/0 tcp spt:443
      0 0 RETURN tcp -- * * 80.190.199.131 0.0.0.0/0 tcp spt:22
      0 0 RETURN tcp -- * * 80.190.199.133 0.0.0.0/0 tcp spt:8991
      0 0 RETURN tcp -- * * 80.190.199.133 0.0.0.0/0 tcp spt:443
      0 0 RETURN tcp -- * * 80.190.199.133 0.0.0.0/0 tcp spt:22
      1713K 1291M RETURN all -- lo * 0.0.0.0/0 0.0.0.0/0
      897K 705M QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain VPNFW (6 references)
      pkts bytes target prot opt in out source destination
      0 0 ALLOW all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain VPNFWDST (2 references)
      pkts bytes target prot opt in out source destination

      Chain VPNFW_LOGDROP (6 references)
      pkts bytes target prot opt in out source destination
      0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain VPNTRAFFIC (1 references)
      pkts bytes target prot opt in out source destination
      0 0 VPNFW all -- * ipsec+ 0.0.0.0/0 0.0.0.0/0
      0 0 VPNFW_LOGDROP all -- * ipsec+ 0.0.0.0/0 0.0.0.0/0
      0 0 VPNFW all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0
      0 0 VPNFW_LOGDROP all -- ipsec+ * 0.0.0.0/0 0.0.0.0/0
      0 0 VPNFW all -- * tap+ 0.0.0.0/0 0.0.0.0/0
      0 0 VPNFW_LOGDROP all -- * tap+ 0.0.0.0/0 0.0.0.0/0
      0 0 VPNFW all -- tap+ * 0.0.0.0/0 0.0.0.0/0
      0 0 VPNFW_LOGDROP all -- tap+ * 0.0.0.0/0 0.0.0.0/0
      0 0 VPNFW all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap+ --physdev-is-bridged
      0 0 VPNFW_LOGDROP all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap+ --physdev-is-bridged
      0 0 VPNFW all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap+
      0 0 VPNFW_LOGDROP all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap+
      32 1944 VPNFWDST all -- br2 br0 0.0.0.0/0 0.0.0.0/0
      62543 4516K VPNFWDST all -- br1 br0 0.0.0.0/0 0.0.0.0/0

      Chain ZONEFW (9 references)
      pkts bytes target prot opt in out source destination
      34930 35M ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
      0 0 ALLOW tcp -- br0 br1 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
      0 0 ALLOW udp -- br0 br1 0.0.0.0/0 0.0.0.0/0 udp dpt:53
      0 0 ACCEPT all -- br2 br2 0.0.0.0/0 0.0.0.0/0
      0 0 ACCEPT all -- br1 br1 0.0.0.0/0 0.0.0.0/0
      0 0 ACCEPT tcp -- * * 172.16.1.4 192.168.0.2 tcp dpt:25
      0 0 ACCEPT icmp -- * br0 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
      0 0 ACCEPT icmp -- * br0 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30
      0 0 ACCEPT icmp -- * br2 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
      0 0 ACCEPT icmp -- * br2 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30
      2075 174K ACCEPT icmp -- * br1 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
      0 0 ACCEPT icmp -- * br1 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30
      0 0 ACCEPT all -- br0 * 0.0.0.0/0 172.16.1.3
      0 0 ALLOW tcp -- br2 br0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
      0 0 ALLOW udp -- br2 br0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
      0 0 ALLOW tcp -- br0 br2 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
      5 318 ALLOW udp -- br0 br2 0.0.0.0/0 0.0.0.0/0 udp dpt:53

      Chain ZONEFW_LOGDROP (9 references)
      pkts bytes target prot opt in out source destination
      168K 14M DROP all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain ZONETRAFFIC (1 references)
      pkts bytes target prot opt in out source destination
      1628K 846M ZONEFW all -- br0 br0 0.0.0.0/0 0.0.0.0/0
      0 0 ZONEFW_LOGDROP all -- br0 br0 0.0.0.0/0 0.0.0.0/0
      104K 9629K ZONEFW all -- br0 br2 0.0.0.0/0 0.0.0.0/0
      104K 9627K ZONEFW_LOGDROP all -- br0 br2 0.0.0.0/0 0.0.0.0/0
      32384 2714K ZONEFW all -- br0 br1 0.0.0.0/0 0.0.0.0/0
      1261 106K ZONEFW_LOGDROP all -- br0 br1 0.0.0.0/0 0.0.0.0/0
      32 1944 ZONEFW all -- br2 br0 0.0.0.0/0 0.0.0.0/0
      24 1464 ZONEFW_LOGDROP all -- br2 br0 0.0.0.0/0 0.0.0.0/0
      0 0 ZONEFW all -- br2 br2 0.0.0.0/0 0.0.0.0/0
      0 0 ZONEFW_LOGDROP all -- br2 br2 0.0.0.0/0 0.0.0.0/0
      0 0 ZONEFW all -- br2 br1 0.0.0.0/0 0.0.0.0/0
      0 0 ZONEFW_LOGDROP all -- br2 br1 0.0.0.0/0 0.0.0.0/0
      62543 4516K ZONEFW all -- br1 br0 0.0.0.0/0 0.0.0.0/0
      62543 4516K ZONEFW_LOGDROP all -- br1 br0 0.0.0.0/0 0.0.0.0/0
      0 0 ZONEFW all -- br1 br2 0.0.0.0/0 0.0.0.0/0
      0 0 ZONEFW_LOGDROP all -- br1 br2 0.0.0.0/0 0.0.0.0/0
      0 0 ZONEFW all -- br1 br1 0.0.0.0/0 0.0.0.0/0
      0 0 ZONEFW_LOGDROP all -- br1 br1 0.0.0.0/0 0.0.0.0/0

      Chain ipac~fi (1 references)
      pkts bytes target prot opt in out source destination
      10335 5436K all -- br0 * 0.0.0.0/0 0.0.0.0/0
      0 0 all -- br2 * 0.0.0.0/0 0.0.0.0/0
      1647 792K all -- br1 * 0.0.0.0/0 0.0.0.0/0
      10279 4629K all -- eth1 * 0.0.0.0/0 0.0.0.0/0

      Chain ipac~fo (1 references)
      pkts bytes target prot opt in out source destination
      10387 5038K all -- * br0 0.0.0.0/0 0.0.0.0/0
      15 1440 all -- * br2 0.0.0.0/0 0.0.0.0/0
      1440 414K all -- * br1 0.0.0.0/0 0.0.0.0/0
      10419 5403K all -- * eth1 0.0.0.0/0 0.0.0.0/0

      Chain ipac~i (1 references)
      pkts bytes target prot opt in out source destination
      50737 66M all -- * br0 0.0.0.0/0 0.0.0.0/0
      0 0 all -- * br2 0.0.0.0/0 0.0.0.0/0
      0 0 all -- * br1 0.0.0.0/0 0.0.0.0/0
      40124 4362K all -- * eth1 0.0.0.0/0 0.0.0.0/0

      Chain ipac~o (1 references)
      pkts bytes target prot opt in out source destination
      36442 4406K all -- br0 * 0.0.0.0/0 0.0.0.0/0
      1 320 all -- br2 * 0.0.0.0/0 0.0.0.0/0
      0 0 all -- br1 * 0.0.0.0/0 0.0.0.0/0
      50347 58M all -- eth1 * 0.0.0.0/0 0.0.0.0/0
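To trace which ZONEFW rule a given inter-zone packet would hit, the following is an added example (not code from the post or from Endian): it parses the `iptables -L -v -n` chain listing format used in the filter-table dump above and walks the chain first-match. It assumes br0 is GREEN and br1 is BLUE, that Endian's ALLOW target accepts like ACCEPT, that the `limit:` match is within its burst, and the probe packets are constructed.

```python
"""Trace which ZONEFW rule an inter-zone packet hits (iptables first-match).
Added example, not code from the post or from Endian.  Assumed: br0 = GREEN,
br1 = BLUE, Endian's ALLOW target accepts like ACCEPT, the 'limit:' match is
within its burst, and the probe packets are constructed."""
import ipaddress
import re
from collections import namedtuple

# Subset of "Chain ZONEFW" from the filter-table dump in this thread.  The
# forum rendering shows the "--" opt column as an em-dash; both parse.
ZONEFW_LISTING = """\
Chain ZONEFW (9 references)
pkts bytes target prot opt in out source destination
34930 35M ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 ALLOW tcp -- br0 br1 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ALLOW udp -- br0 br1 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 172.16.1.4 192.168.0.2 tcp dpt:25
0 0 ACCEPT icmp -- * br0 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
2075 174K ACCEPT icmp -- * br1 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
0 0 ACCEPT all -- br0 * 0.0.0.0/0 172.16.1.3
0 0 ALLOW tcp -- br0 br2 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
5 318 ALLOW udp -- br0 br2 0.0.0.0/0 0.0.0.0/0 udp dpt:53
"""

PROTOCOLS = ("all", "tcp", "udp", "icmp")
# Targets that never end chain traversal; the packet keeps walking.
NON_TERMINATING = {"", "NFLOG", "LOG", "MARK", "CONNMARK", "CLASSIFY", "TCPMSS"}

Rule = namedtuple("Rule", "target proto in_if out_if src dst dport icmp_type")
Packet = namedtuple("Packet", "proto in_if out_if src dst dport icmp_type",
                    defaults=(None, None))


def parse_chain(listing):
    """Parse one `iptables -L <chain> -v -n` listing into (name, [Rule])."""
    lines = [ln.strip() for ln in listing.splitlines() if ln.strip()]
    head = re.match(r"Chain (\S+)", lines[0])
    if head is None:
        raise ValueError("listing does not start with a 'Chain' header")
    rules = []
    for line in lines[2:]:  # lines[1] is the column-header line
        tok = line.replace("\u2014", "--").split()
        # Accounting chains (ipac~*) print an empty target, so the protocol
        # lands in the target column: put the empty target back.
        if tok[2] in PROTOCOLS or tok[2].isdigit():
            tok.insert(2, "")
        if len(tok) < 9:
            raise ValueError(f"short rule line: {line!r}")
        target, proto, _opt, iif, oif, src, dst = tok[2:9]
        extra = " ".join(tok[9:])  # port, icmp type, limit, etc.
        dpt = re.search(r"dpt:(\d+)", extra)
        ity = re.search(r"icmp type (\d+)", extra)
        rules.append(Rule(target, proto, iif, oif, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst),
                          int(dpt.group(1)) if dpt else None,
                          int(ity.group(1)) if ity else None))
    return head.group(1), rules


def iface_match(pattern, iface):
    """iptables interface syntax: '*' any, 'tap+' prefix, '!eth2' negation."""
    if pattern == "*":
        return True
    negate = pattern.startswith("!")
    pat = pattern.lstrip("!")
    hit = iface.startswith(pat[:-1]) if pat.endswith("+") else iface == pat
    return hit != negate


def rule_matches(rule, pkt):
    return ((rule.proto == "all" or rule.proto == pkt.proto)
            and iface_match(rule.in_if, pkt.in_if)
            and iface_match(rule.out_if, pkt.out_if)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.icmp_type is None or rule.icmp_type == pkt.icmp_type))


def verdict(rules, pkt):
    """First terminating match wins.  Endian's ZONETRAFFIC chain sends a NEW
    inter-zone packet to ZONEFW and then to ZONEFW_LOGDROP (whose only rule
    is DROP), so leaving ZONEFW unmatched means DROP."""
    for idx, rule in enumerate(rules, 1):
        if rule.target not in NON_TERMINATING and rule_matches(rule, pkt):
            return rule.target, idx
    return "DROP", None


if __name__ == "__main__":
    name, rules = parse_chain(ZONEFW_LISTING)
    for label, pkt in [
        ("GREEN .31 pings BLUE", Packet("icmp", "br0", "br1", "192.168.0.31", "192.168.1.20", icmp_type=8)),
        ("BLUE host pings GREEN", Packet("icmp", "br1", "br0", "192.168.1.20", "192.168.0.31", icmp_type=8)),
        ("GREEN DNS to ORANGE", Packet("udp", "br0", "br2", "192.168.0.50", "172.16.1.4", dport=53)),
    ]:
        target, idx = verdict(rules, pkt)
        print(f"{label:22s} -> {target} via {name} rule {idx or 'none (ZONEFW_LOGDROP)'}")
```

Feed it the output of `iptables -L ZONEFW -v -n` to see which rule, if any, accepts a given packet; the per-pair counters in the posted ZONETRAFFIC chain (ZONEFW versus ZONEFW_LOGDROP for the same in/out bridges) tell the same story for live traffic.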

    • #4884
      tnol2
      Participant

      MANGLE table

      Chain PREROUTING (policy ACCEPT 572M packets, 410G bytes)
      pkts bytes target prot opt in out source destination
      888M 650G ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
      572M 410G ROUTING all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain INPUT (policy ACCEPT 415M packets, 327G bytes)
      pkts bytes target prot opt in out source destination
      888M 650G ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

      Chain FORWARD (policy ACCEPT 155M packets, 83G bytes)
      pkts bytes target prot opt in out source destination
      6775K 341M TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
      8501K 1250M ZONETRAFFIC all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW MARK match 0x0/0xfff80000
      147M 82G MARK all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED MARK and 0xfffbffff

      Chain OUTPUT (policy ACCEPT 428M packets, 336G bytes)
      pkts bytes target prot opt in out source destination
      888M 650G ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
      428M 336G LOCALROUTING all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain POSTROUTING (policy ACCEPT 1475M packets, 1071G bytes)
      pkts bytes target prot opt in out source destination
      1475M 1071G QOS all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain CHECKIIF (2 references)
      pkts bytes target prot opt in out source destination
      0 0 MARK all -- !eth2 * 0.0.0.0/0 0.0.0.0/0 CONNMARK match 0x800/0x3f800 MARK and 0xfffff807
      0 0 MARK all -- !eth3 * 0.0.0.0/0 0.0.0.0/0 CONNMARK match 0x1000/0x3f800 MARK and 0xfffff807
      0 0 MARK all -- !eth0 * 0.0.0.0/0 0.0.0.0/0 CONNMARK match 0x1800/0x3f800 MARK and 0xfffff807
      44M 41G MARK all -- !eth1 * 0.0.0.0/0 0.0.0.0/0 CONNMARK match 0x2000/0x3f800 MARK and 0xfffff807
      44M 41G MARK all -- !eth1 * 0.0.0.0/0 0.0.0.0/0 CONNMARK match 0x2000/0x3f800 MARK or 0x7e0
      0 0 MARK all -- !eth0.4 * 0.0.0.0/0 0.0.0.0/0 CONNMARK match 0x2800/0x3f800 MARK and 0xfffff807
      260M 343G MARK all -- !br0 * 0.0.0.0/0 0.0.0.0/0 CONNMARK match 0x3000/0x3f800 MARK and 0xfffff807
      2206K 437M MARK all -- !br1 * 0.0.0.0/0 0.0.0.0/0 CONNMARK match 0x3800/0x3f800 MARK and 0xfffff807
      175K 173M MARK all -- !br2 * 0.0.0.0/0 0.0.0.0/0 CONNMARK match 0x4000/0x3f800 MARK and 0xfffff807

      Chain INCOMINGMARK (1 references)
      pkts bytes target prot opt in out source destination
      16M 1752M POLICYROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
      16M 1752M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore

      Chain LOCALMARK (1 references)
      pkts bytes target prot opt in out source destination
      11M 501M LOCALPOLICYROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
      11M 501M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore

      Chain LOCALPOLICYROUTING (1 references)
      pkts bytes target prot opt in out source destination
      311K 20M CONNMARK udp -- * * 0.0.0.0/0 192.168.0.1 udp dpt:53 CONNMARK set 0x7e0/0x7f8
      311K 20M RETURN udp -- * * 0.0.0.0/0 192.168.0.1 udp dpt:53 CONNMARK match !0x0/0x7f8
      52 2288 CONNMARK tcp -- * * 0.0.0.0/0 192.168.0.1 tcp dpt:53 CONNMARK set 0x7e0/0x7f8
      52 2288 RETURN tcp -- * * 0.0.0.0/0 192.168.0.1 tcp dpt:53 CONNMARK match !0x0/0x7f8
      396K 26M CONNMARK udp -- * * 0.0.0.0/0 172.16.1.4 udp dpt:53 CONNMARK set 0x7e0/0x7f8
      396K 26M RETURN udp -- * * 0.0.0.0/0 172.16.1.4 udp dpt:53 CONNMARK match !0x0/0x7f8
      75 3300 CONNMARK tcp -- * * 0.0.0.0/0 172.16.1.4 tcp dpt:53 CONNMARK set 0x7e0/0x7f8
      75 3300 RETURN tcp -- * * 0.0.0.0/0 172.16.1.4 tcp dpt:53 CONNMARK match !0x0/0x7f8

      Chain LOCALROUTING (1 references)
      pkts bytes target prot opt in out source destination
      0 0 RETURN all -- lo * 0.0.0.0/0 0.0.0.0/0
      0 0 RETURN all -- * lo 0.0.0.0/0 0.0.0.0/0
      223M 314G CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,RELATED,ESTABLISHED,UNTRACKED CONNMARK match !0x0 CONNMARK restore
      223M 314G CHECKIIF all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,RELATED,ESTABLISHED,UNTRACKED CONNMARK match !0x0
      11M 501M MARKIIF all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
      11M 501M LOCALMARK all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW

      Chain MARKIIF (2 references)
      pkts bytes target prot opt in out source destination
      0 0 CONNMARK all -- eth2 * 0.0.0.0/0 0.0.0.0/0 CONNMARK set 0x800/0x3f800
      0 0 CONNMARK all -- eth3 * 0.0.0.0/0 0.0.0.0/0 CONNMARK set 0x1000/0x3f800
      0 0 CONNMARK all -- eth0 * 0.0.0.0/0 0.0.0.0/0 CONNMARK set 0x1800/0x3f800
      2299K 144M CONNMARK all -- eth1 * 0.0.0.0/0 0.0.0.0/0 CONNMARK set 0x2000/0x3f800
      0 0 CONNMARK all -- eth0.4 * 0.0.0.0/0 0.0.0.0/0 CONNMARK set 0x2800/0x3f800
      12M 1519M CONNMARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 CONNMARK set 0x3000/0x3f800
      1027K 84M CONNMARK all -- br1 * 0.0.0.0/0 0.0.0.0/0 CONNMARK set 0x3800/0x3f800
      14029 4359K CONNMARK all -- br2 * 0.0.0.0/0 0.0.0.0/0 CONNMARK set 0x4000/0x3f800

      Chain POLICYROUTING (1 references)
      pkts bytes target prot opt in out source destination
      31332 2262K CONNMARK udp -- * * 0.0.0.0/0 192.168.0.1 udp dpt:53 CONNMARK set 0x7e0/0x7f8
      31332 2262K RETURN udp -- * * 0.0.0.0/0 192.168.0.1 udp dpt:53 CONNMARK match !0x0/0x7f8
      0 0 CONNMARK tcp -- * * 0.0.0.0/0 192.168.0.1 tcp dpt:53 CONNMARK set 0x7e0/0x7f8
      0 0 RETURN tcp -- * * 0.0.0.0/0 192.168.0.1 tcp dpt:53 CONNMARK match !0x0/0x7f8
      76 5041 CONNMARK udp -- * * 0.0.0.0/0 172.16.1.4 udp dpt:53 CONNMARK set 0x7e0/0x7f8
      76 5041 RETURN udp -- * * 0.0.0.0/0 172.16.1.4 udp dpt:53 CONNMARK match !0x0/0x7f8
      0 0 CONNMARK tcp -- * * 0.0.0.0/0 172.16.1.4 tcp dpt:53 CONNMARK set 0x7e0/0x7f8
      0 0 RETURN tcp -- * * 0.0.0.0/0 172.16.1.4 tcp dpt:53 CONNMARK match !0x0/0x7f8

      Chain QOS (1 references)
      pkts bytes target prot opt in out source destination
      299M 351G QOS_BR0 all -- * br0 0.0.0.0/0 0.0.0.0/0

      Chain QOS_BR0 (1 references)
      pkts bytes target prot opt in out source destination
      12029 3461K CLASSIFY all -- * br0 0.0.0.0/0 192.168.0.171 CLASSIFY set 2:3

      Chain ROUTING (1 references)
      pkts bytes target prot opt in out source destination
      0 0 RETURN all -- lo * 0.0.0.0/0 0.0.0.0/0
      0 0 RETURN all -- * lo 0.0.0.0/0 0.0.0.0/0
      306M 106G CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,RELATED,ESTABLISHED,UNTRACKED CONNMARK match !0x0 CONNMARK restore
      306M 106G CHECKIIF all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,RELATED,ESTABLISHED,UNTRACKED CONNMARK match !0x0
      16M 1752M MARKIIF all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
      16M 1752M INCOMINGMARK all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW

      Chain VPNFWDST (3 references)
      pkts bytes target prot opt in out source destination

      Chain ZONEFW (9 references)
      pkts bytes target prot opt in out source destination
      28598 35M ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
      0 0 ACCEPT tcp -- br0 br1 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
      2 182 ACCEPT udp -- br0 br1 0.0.0.0/0 0.0.0.0/0 udp dpt:53
      0 0 ACCEPT all -- br2 br2 0.0.0.0/0 0.0.0.0/0
      481 28860 ACCEPT all -- br1 br1 0.0.0.0/0 0.0.0.0/0
      4061 244K ACCEPT tcp -- * * 172.16.1.4 192.168.0.2 tcp dpt:25
      0 0 ACCEPT icmp -- * br0 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
      0 0 ACCEPT icmp -- * br0 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30
      0 0 ACCEPT icmp -- * br2 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
      0 0 ACCEPT icmp -- * br2 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30
      2173 183K ACCEPT icmp -- * br1 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
      0 0 ACCEPT icmp -- * br1 192.168.0.31 0.0.0.0/0 limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30
      0 0 ACCEPT all -- br0 * 0.0.0.0/0 172.16.1.3
      0 0 ACCEPT tcp -- br2 br0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
      0 0 ACCEPT udp -- br2 br0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
      0 0 ACCEPT tcp -- br0 br2 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
      5 318 ACCEPT udp -- br0 br2 0.0.0.0/0 0.0.0.0/0 udp dpt:53

      Chain ZONETRAFFIC (1 references)
      pkts bytes target prot opt in out source destination
      971K 781M VPNFWDST all -- br0 br0 0.0.0.0/0 0.0.0.0/0
      134K 8799K VPNFWDST all -- br1 br0 0.0.0.0/0 0.0.0.0/0
      54 3324 VPNFWDST all -- br2 br0 0.0.0.0/0 0.0.0.0/0
      971K 781M ZONEFW all -- br0 br0 0.0.0.0/0 0.0.0.0/0
      0 0 RETURN all -- br0 br0 0.0.0.0/0 0.0.0.0/0
      104K 9622K ZONEFW all -- br0 br2 0.0.0.0/0 0.0.0.0/0
      104K 9620K RETURN all -- br0 br2 0.0.0.0/0 0.0.0.0/0
      32327 2714K ZONEFW all -- br0 br1 0.0.0.0/0 0.0.0.0/0
      2 96 RETURN all -- br0 br1 0.0.0.0/0 0.0.0.0/0
      54 3324 ZONEFW all -- br2 br0 0.0.0.0/0 0.0.0.0/0
      29 1836 RETURN all -- br2 br0 0.0.0.0/0 0.0.0.0/0
      0 0 ZONEFW all -- br2 br2 0.0.0.0/0 0.0.0.0/0
      0 0 RETURN all -- br2 br2 0.0.0.0/0 0.0.0.0/0
      0 0 ZONEFW all -- br2 br1 0.0.0.0/0 0.0.0.0/0
      0 0 RETURN all -- br2 br1 0.0.0.0/0 0.0.0.0/0
      134K 8799K ZONEFW all -- br1 br0 0.0.0.0/0 0.0.0.0/0
      62543 4516K RETURN all -- br1 br0 0.0.0.0/0 0.0.0.0/0
      0 0 ZONEFW all -- br1 br2 0.0.0.0/0 0.0.0.0/0
      0 0 RETURN all -- br1 br2 0.0.0.0/0 0.0.0.0/0
      7836 470K ZONEFW all -- br1 br1 0.0.0.0/0 0.0.0.0/0
      0 0 RETURN all -- br1 br1 0.0.0.0/0 0.0.0.0/0

    • #4885
      tnol2
      Participant

      NAT table

      Chain PREROUTING (policy ACCEPT 7673K packets, 614M bytes)
      pkts bytes target prot opt in out source destination
      14M 932M CUSTOMPREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
      14M 932M PROXIES all -- * * 0.0.0.0/0 0.0.0.0/0
      9239K 703M PORTFW all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain POSTROUTING (policy ACCEPT 23M packets, 1044M bytes)
      pkts bytes target prot opt in out source destination
      36M 1728M CUSTOMPOSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
      36M 1728M OPENVPNCLIENT all -- * * 0.0.0.0/0 0.0.0.0/0
      36M 1728M SOURCENAT all -- * * 0.0.0.0/0 0.0.0.0/0
      23M 1044M POSTPORTFW all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain OUTPUT (policy ACCEPT 31M packets, 1371M bytes)
      pkts bytes target prot opt in out source destination
      31M 1371M PORTFW all -- * * 0.0.0.0/0 0.0.0.0/0

      Chain CUSTOMPOSTROUTING (1 references)
      pkts bytes target prot opt in out source destination

      Chain CUSTOMPREROUTING (1 references)
      pkts bytes target prot opt in out source destination

      Chain OPENVPNCLIENT (1 references)
      pkts bytes target prot opt in out source destination

      Chain PORTFW (2 references)
      pkts bytes target prot opt in out source destination
      151K 7881K DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:80 to:192.168.1.23
      4 192 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:443 to:192.168.1.23
      0 0 DNAT tcp -- * * 189.22.x.y 200.133.x.y tcp dpt:80 to:192.168.1.23
      0 0 DNAT tcp -- * * 189.22.x.y 200.133.x.y tcp dpt:22 to:192.168.1.23
      6034 362K DNAT tcp -- * * 189.22.x.y 200.133.x.y tcp dpt:3306 to:192.168.1.23
      154K 8018K DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:80 to:192.168.0.162
      13 688 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:443 to:192.168.0.162
      1590 73304 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:53 to:172.16.1.4
      272K 19M DNAT udp -- * * 0.0.0.0/0 200.133.x.y udp dpt:53 to:172.16.1.4
      84869 4289K DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:25 to:172.16.1.4
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y udp dpt:25 to:172.16.1.4
      75 7484 DNAT 47 -- * * 0.0.0.0/0 200.133.x.y54 to:192.168.0.80
      1757 108K DNAT tcp -- * * 0.0.0.0/0 200.133.x.y54 tcp dpt:1723 to:192.168.0.80
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y54 udp dpt:1723 to:192.168.0.80
      142 8244 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:80 to:192.168.0.2
      84 4228 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:443 to:192.168.0.2
      0 0 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:143 to:192.168.0.2
      4019 208K DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:80 to:192.168.0.160
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y udp dpt:80 to:192.168.0.160
      0 0 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:443 to:192.168.0.160
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y udp dpt:443 to:192.168.0.160
      0 0 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:880 to:192.168.0.160
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y udp dpt:880 to:192.168.0.160
      5 232 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:8000 to:192.168.0.160
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y udp dpt:8000 to:192.168.0.160
      1 40 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:53 to:192.168.0.160
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y udp dpt:53 to:192.168.0.160
      0 0 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:69 to:192.168.0.160
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y udp dpt:69 to:192.168.0.160
      2524 148K DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:22 to:192.168.0.160
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y udp dpt:22 to:192.168.0.160
      0 0 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:100 to:192.168.0.160
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y udp dpt:100 to:192.168.0.160
      0 0 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:465 to:192.168.0.160
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y udp dpt:465 to:192.168.0.160
      0 0 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y tcp dpt:993 to:192.168.0.160
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y udp dpt:993 to:192.168.0.160
      5727 316K DNAT tcp -- * * 0.0.0.0/0 200.133.x.y8 tcp dpt:80 to:192.168.0.18
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y8 udp dpt:80 to:192.168.0.18
      13488 793K DNAT tcp -- * * 0.0.0.0/0 200.133.x.y8 tcp dpt:22 to:192.168.0.18
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y8 udp dpt:22 to:192.168.0.18
      13 616 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y8 tcp dpt:8080 to:192.168.0.18
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y8 udp dpt:8080 to:192.168.0.18
      0 0 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y8 tcp dpt:8181 to:192.168.0.18
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y8 udp dpt:8181 to:192.168.0.18
      0 0 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y8 tcp dpt:8686 to:192.168.0.18
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y8 udp dpt:8686 to:192.168.0.18
      0 0 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y8 tcp dpt:4848 to:192.168.0.18
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y8 udp dpt:4848 to:192.168.0.18
      0 0 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y8 tcp dpt:3920 to:192.168.0.18
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y8 udp dpt:3920 to:192.168.0.18
      0 0 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y8 tcp dpt:3820 to:192.168.0.18
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y8 udp dpt:3820 to:192.168.0.18
      0 0 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y8 tcp dpt:3700 to:192.168.0.18
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y8 udp dpt:3700 to:192.168.0.18
      3 144 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y8 tcp dpt:5901 to:192.168.0.18
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y8 udp dpt:5901 to:192.168.0.18
      60 3284 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y61 tcp dpt:22 to:192.168.0.161
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y61 udp dpt:22 to:192.168.0.161
      1242 59636 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y61 tcp dpt:3389 to:192.168.0.161
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y61 udp dpt:3389 to:192.168.0.161
      17 808 DNAT tcp -- * * 0.0.0.0/0 200.133.x.y61 tcp dpt:80 to:192.168.0.161
      0 0 DNAT udp -- * * 0.0.0.0/0 200.133.x.y61 udp dpt:80 to:192.168.0.161

      12 552 DNAT tcp — * * 0.0.0.0/0 200.133.x.y61 tcp dpt:8080 to:192.168.0.161

      0 0 DNAT udp — * * 0.0.0.0/0 200.133.x.y61 udp dpt:8080 to:192.168.0.161

      1 48 DNAT tcp — * * 0.0.0.0/0 200.133.x.y61 tcp dpt:3306 to:192.168.0.161

      0 0 DNAT udp — * * 0.0.0.0/0 200.133.x.y61 udp dpt:3306 to:192.168.0.161

      52 2144 DNAT tcp — * * 0.0.0.0/0 200.133.x.y61 tcp dpt:1433 to:192.168.0.161

      0 0 DNAT udp — * * 0.0.0.0/0 200.133.x.y61 udp dpt:1433 to:192.168.0.161

      0 0 DNAT tcp — * * 0.0.0.0/0 200.133.x.y61 tcp dpt:1434 to:192.168.0.161

      28 11312 DNAT udp — * * 0.0.0.0/0 200.133.x.y61 udp dpt:1434 to:192.168.0.161

      478K 25M DNAT tcp — * * 0.0.0.0/0 200.133.x.y1 tcp dpt:80 to:192.168.0.21

      0 0 DNAT udp — * * 0.0.0.0/0 200.133.x.y1 udp dpt:80 to:192.168.0.21

      74 3536 DNAT tcp — * * 0.0.0.0/0 200.133.x.y1 tcp dpt:5900 to:192.168.0.21

      0 0 DNAT udp — * * 0.0.0.0/0 200.133.x.y1 udp dpt:5900 to:192.168.0.21

      38 2248 DNAT tcp — * * 0.0.0.0/0 200.133.x.y1 tcp dpt:3306 to:192.168.0.21

      0 0 DNAT udp — * * 0.0.0.0/0 200.133.x.y1 udp dpt:3306 to:192.168.0.21

      0 0 DNAT tcp — * * 0.0.0.0/0 200.133.x.y1 tcp dpt:443 to:192.168.0.21

      0 0 DNAT udp — * * 0.0.0.0/0 200.133.x.y1 udp dpt:443 to:192.168.0.21

      1475 78352 DNAT tcp — * * 0.0.0.0/0 200.133.x.y1 tcp dpt:22 to:192.168.0.21

      0 0 DNAT udp — * * 0.0.0.0/0 200.133.x.y1 udp dpt:22 to:192.168.0.21

      12937 765K DNAT tcp — * * 0.0.0.0/0 200.133.x.y02 tcp dpt:22 to:192.168.0.202

      38 2168 DNAT tcp — * * 0.0.0.0/0 200.133.x.y02 tcp dpt:80 to:192.168.0.202

      2 88 DNAT tcp — * * 0.0.0.0/0 200.133.x.y02 tcp dpt:3306 to:192.168.0.202

      14618 774K DNAT tcp — * * 0.0.0.0/0 200.133.x.y0 tcp dpt:80 to:192.168.0.162

      0 0 DNAT udp — * * 0.0.0.0/0 200.133.x.y0 udp dpt:80 to:192.168.0.162

      14289 838K DNAT tcp — * * 0.0.0.0/0 200.133.x.y0 tcp dpt:22 to:192.168.0.162

      0 0 DNAT udp — * * 0.0.0.0/0 200.133.x.y0 udp dpt:22 to:192.168.0.162

      0 0 DNAT tcp — * * 0.0.0.0/0 200.133.x.y0 tcp dpt:24 to:192.168.0.162

      0 0 DNAT udp — * * 0.0.0.0/0 200.133.x.y0 udp dpt:24 to:192.168.0.162

      42 2128 DNAT tcp — * * 0.0.0.0/0 200.133.x.y0 tcp dpt:8080 to:192.168.0.162

      0 0 DNAT udp — * * 0.0.0.0/0 200.133.x.y0 udp dpt:8080 to:192.168.0.162

      238 14208 DNAT tcp — * * 0.0.0.0/0 200.133.x.y0 tcp dpt:3306 to:192.168.0.162

      0 0 DNAT udp — * * 0.0.0.0/0 200.133.x.y0 udp dpt:3306 to:192.168.0.162

      0 0 DNAT tcp — * * 0.0.0.0/0 200.133.x.y0 tcp dpt:443 to:192.168.0.162

      0 0 DNAT udp — * * 0.0.0.0/0 200.133.x.y0 udp dpt:443 to:192.168.0.162

      0 0 DNAT tcp — * * 0.0.0.0/0 200.133.x.y0 tcp dpt:5060 to:192.168.0.162

      6 2629 DNAT udp — * * 0.0.0.0/0 200.133.x.y0 udp dpt:5060 to:192.168.0.162

      0 0 DNAT tcp — * * 0.0.0.0/0 200.133.x.y0 tcp dpt:4445 to:192.168.0.162

      0 0 DNAT udp — * * 0.0.0.0/0 200.133.x.y0 udp dpt:4445 to:192.168.0.162

      0 0 DNAT tcp — * * 0.0.0.0/0 200.133.x.y0 tcp dpt:4569 to:192.168.0.162

      0 0 DNAT udp — * * 0.0.0.0/0 200.133.x.y0 udp dpt:4569 to:192.168.0.162

      5 224 DNAT tcp — * * 0.0.0.0/0 200.133.x.y0 tcp dpts:10000:20000 to:192.168.0.162

      5 364 DNAT udp — * * 0.0.0.0/0 200.133.x.y0 udp dpts:10000:20000 to:192.168.0.162

      0 0 DNAT tcp — * * 0.0.0.0/0 200.133.x.y0 tcp dpt:8383 to:192.168.0.167:80

      6 291 DNAT udp — * * 0.0.0.0/0 200.133.x.y23 udp dpt:1194 to:192.168.0.171

      80996 4431K DNAT tcp — * * 0.0.0.0/0 200.133.x.y1 tcp dpt:80 to:192.168.0.30

      0 0 DNAT tcp — * * 0.0.0.0/0 200.133.x.y1 tcp dpt:443 to:192.168.0.30

      2376 127K DNAT tcp — * * 0.0.0.0/0 200.133.x.y5 tcp dpt:80 to:192.168.0.25

      1 40 DNAT tcp — eth1 * 0.0.0.0/0 200.133.x.y5 tcp dpt:1720 to:192.168.0.65

      819 56304 DNAT all — * * 0.0.0.0/0 200.133.x.y5 to:192.168.0.65

      10 600 DNAT tcp — * * 200.179.172.132 200.133.x.y0 tcp dpt:1433 to:192.168.0.4

      0 0 DNAT udp — * * 200.179.172.132 200.133.x.y0 udp dpt:1433 to:192.168.0.4

      0 0 DNAT tcp — * * 200.179.172.132 200.133.x.y0 tcp dpt:1434 to:192.168.0.4

      0 0 DNAT udp — * * 200.179.172.132 200.133.x.y0 udp dpt:1434 to:192.168.0.4

      19 912 DNAT tcp — * * 201.38.138.122 200.133.x.y0 tcp dpt:3389 to:192.168.0.4

      0 0 DNAT tcp — * * 201.38.138.121 200.133.x.y0 tcp dpt:3389 to:192.168.0.4

      0 0 DNAT tcp — * * 200.133.7.130 200.133.x.y0 tcp dpt:3389 to:192.168.0.4

      0 0 DNAT tcp — * * 200.133.8.6 200.133.x.y0 tcp dpt:3389 to:192.168.0.4

      0 0 DNAT tcp — * * 201.38.138.122 200.133.x.y1 tcp dpt:3389 to:192.168.0.30

      0 0 DNAT tcp — * * 201.38.138.121 200.133.x.y1 tcp dpt:3389 to:192.168.0.30

      0 0 DNAT tcp — * * 201.38.138.122 200.133.x.y2 tcp dpt:3389 to:192.168.0.33

      0 0 DNAT tcp — * * 201.38.138.121 200.133.x.y2 tcp dpt:3389 to:192.168.0.33

      12970 700K DNAT tcp — * * 0.0.0.0/0 200.133.x.y3 tcp dpt:80 to:192.168.0.163

      16 760 DNAT tcp — * * 0.0.0.0/0 200.133.x.y3 tcp dpt:8080 to:192.168.0.163

      2586 144K DNAT all — * * 0.0.0.0/0 200.133.x.y3 to:192.168.0.83

      1846 105K DNAT all — * * 0.0.0.0/0 200.133.x.y23 to:192.168.0.23

      989 59340 DNAT icmp — * * 200.133.0.62 200.133.x.y to:192.168.0.31

      0 0 DNAT icmp — * * 200.133.0.62 200.133.x.y to:192.168.0.31

      53 2544 DNAT tcp — * * 200.179.172.132 200.133.x.y6 tcp dpt:3389 to:192.168.0.66

      39 1920 DNAT tcp — * * 189.22.224.41 200.133.x.y8 tcp dpt:3389 to:192.168.0.68

      61 3012 DNAT tcp — * * 200.133.8.6 200.133.x.y9 tcp dpt:3389 to:192.168.0.69

      164 7872 DNAT tcp — * * 0.0.0.0/0 200.133.x.y0 tcp dpt:3389 to:192.168.0.70

      105 5050 DNAT tcp — * * 200.133.7.130 200.133.x.y1 tcp dpt:3389 to:192.168.0.71

      748 50981 DNAT all — * * 0.0.0.0/0 200.133.x.y18 to:192.168.6.218

      Chain POSTPORTFW (1 references)

      pkts bytes target prot opt in out source destination

      Chain PROXIES (1 references)

      pkts bytes target prot opt in out source destination

      404 21832 RETURN tcp — * * 0.0.0.0/0 200.17.202.1 tcp dpt:80

      204 12240 RETURN tcp — * * 0.0.0.0/0 208.100.4.53 tcp dpt:80

      5 300 RETURN tcp — * * 0.0.0.0/0 163.178.174.25 tcp dpt:80

      42 2172 RETURN tcp — * * 0.0.0.0/0 69.174.57.101 tcp dpt:80

      0 0 RETURN tcp — * * 192.168.0.164 0.0.0.0/0 tcp dpt:80

      7021 337K RETURN tcp — * * 192.168.0.32 0.0.0.0/0 tcp dpt:80

      2129K 106M DNAT tcp — br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.3.254:3128

      0 0 DNAT tcp — ipsec+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.3.254:3128

      0 0 DNAT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 PHYSDEV match –physdev-in tap0 to:192.168.3.254:3128

      79 4740 DNAT tcp — br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.16.1.1:3128

      49 2352 DNAT tcp — br2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.10.0.254:3128

      Chain SOURCENAT (1 references)

      pkts bytes target prot opt in out source destination

      3898K 172M SNAT tcp — * eth1 200.133.x.y 0.0.0.0/0 to:200.133.x.y

      2 96 SNAT tcp — * eth1 192.168.0.0/16 0.0.0.0/0 tcp dpt:53861 to:200.133.x.y

      0 0 SNAT udp — * eth1 192.168.0.0/16 0.0.0.0/0 udp dpt:53861 to:200.133.x.y

      7110 346K SNAT tcp — * eth1 192.168.0.0/16 0.0.0.0/0 tcp dpt:80 to:200.133.x.y

      0 0 SNAT udp — * eth1 192.168.0.0/16 0.0.0.0/0 udp dpt:80 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.0.0/16 0.0.0.0/0 tcp dpt:8080 to:200.133.x.y

      0 0 SNAT udp — * eth1 192.168.0.0/16 0.0.0.0/0 udp dpt:8080 to:200.133.x.y

      272K 13M SNAT tcp — * eth1 192.168.0.0/16 0.0.0.0/0 tcp dpt:443 to:200.133.x.y

      0 0 SNAT udp — * eth1 192.168.0.0/16 0.0.0.0/0 udp dpt:443 to:200.133.x.y

      264 15348 SNAT tcp — * eth1 192.168.0.0/16 0.0.0.0/0 tcp dpt:53 to:200.133.x.y

      756K 54M SNAT udp — * eth1 192.168.0.0/16 0.0.0.0/0 udp dpt:53 to:200.133.x.y

      109 5236 SNAT tcp — * eth1 192.168.0.0/16 0.0.0.0/0 tcp dpt:110 to:200.133.x.y

      0 0 SNAT udp — * eth1 192.168.0.0/16 0.0.0.0/0 udp dpt:110 to:200.133.x.y

      1 48 SNAT tcp — * eth1 192.168.0.0/16 0.0.0.0/0 tcp dpt:993 to:200.133.x.y

      0 0 SNAT udp — * eth1 192.168.0.0/16 0.0.0.0/0 udp dpt:993 to:200.133.x.y

      134 7956 SNAT tcp — * eth1 192.168.0.0/16 0.0.0.0/0 tcp dpt:465 to:200.133.x.y

      0 0 SNAT udp — * eth1 192.168.0.0/16 0.0.0.0/0 udp dpt:465 to:200.133.x.y

      6 308 SNAT tcp — * eth1 192.168.0.0/16 0.0.0.0/0 tcp dpt:3456 to:200.133.x.y

      0 0 SNAT udp — * eth1 192.168.0.0/16 0.0.0.0/0 udp dpt:3456 to:200.133.x.y

      5 240 SNAT tcp — * eth1 192.168.0.0/16 0.0.0.0/0 tcp dpt:587 to:200.133.x.y

      0 0 SNAT udp — * eth1 192.168.0.0/16 0.0.0.0/0 udp dpt:587 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.0.0/16 0.0.0.0/0 tcp dpt:8999 to:200.133.x.y

      0 0 SNAT udp — * eth1 192.168.0.0/16 0.0.0.0/0 udp dpt:8999 to:200.133.x.y

      189 9072 SNAT tcp — * eth1 192.168.0.0/16 0.0.0.0/0 tcp dpt:23000 to:200.133.x.y

      0 0 SNAT udp — * eth1 192.168.0.0/16 0.0.0.0/0 udp dpt:23000 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.0.0/16 0.0.0.0/0 tcp dpt:3270 to:200.133.x.y

      0 0 SNAT udp — * eth1 192.168.0.0/16 0.0.0.0/0 udp dpt:3270 to:200.133.x.y

      7 336 SNAT tcp — * eth1 192.168.0.0/16 0.0.0.0/0 tcp dpt:3001 to:200.133.x.y

      0 0 SNAT udp — * eth1 192.168.0.0/16 0.0.0.0/0 udp dpt:3001 to:200.133.x.y

      450K 22M SNAT tcp — * eth1 192.168.0.2 0.0.0.0/0 tcp dpt:25 to:200.133.x.y

      127 7620 SNAT tcp — * eth1 172.16.1.4 0.0.0.0/0 tcp dpt:53 to:200.133.x.y

      307K 24M SNAT udp — * eth1 172.16.1.4 0.0.0.0/0 udp dpt:53 to:200.133.x.y

      0 0 SNAT tcp — * eth1 172.16.1.4 0.0.0.0/0 tcp dpt:25 to:200.133.x.y

      0 0 SNAT udp — * eth1 172.16.1.4 0.0.0.0/0 udp dpt:25 to:200.133.x.y

      0 0 SNAT tcp — * eth1 172.16.1.4 0.0.0.0/0 tcp dpt:80 to:200.133.x.y

      0 0 SNAT tcp — * eth1 172.16.1.4 0.0.0.0/0 tcp dpt:443 to:200.133.x.y

      0 0 SNAT tcp — * eth1 172.16.1.4 0.0.0.0/0 tcp dpt:21 to:200.133.x.y

      217 10476 SNAT tcp — * eth1 192.168.0.160 0.0.0.0/0 tcp dpt:21 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.1.158 0.0.0.0/0 tcp dpt:21 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:21 to:200.133.x.y

      5 300 SNAT tcp — * eth1 192.168.0.160 0.0.0.0/0 tcp dpt:22 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.1.158 0.0.0.0/0 tcp dpt:22 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:22 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.0.160 0.0.0.0/0 tcp dpt:24 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.1.158 0.0.0.0/0 tcp dpt:24 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:24 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.0.160 0.0.0.0/0 tcp dpt:2222 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.1.158 0.0.0.0/0 tcp dpt:2222 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:2222 to:200.133.x.y

      7 556 SNAT tcp — * eth1 192.168.0.162 0.0.0.0/0 tcp dpt:22 to:200.133.x.y0

      0 0 SNAT udp — * eth1 192.168.0.162 0.0.0.0/0 udp dpt:22 to:200.133.x.y0

      248 14880 SNAT tcp — * eth1 192.168.0.162 0.0.0.0/0 tcp dpt:3306 to:200.133.x.y0

      0 0 SNAT udp — * eth1 192.168.0.162 0.0.0.0/0 udp dpt:3306 to:200.133.x.y0

      6 360 SNAT tcp — * eth1 192.168.0.26 0.0.0.0/0 tcp dpt:21 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.0.65 0.0.0.0/0 tcp dpt:1720 to:200.133.x.y5

      0 0 SNAT all — * eth1 192.168.0.65 0.0.0.0/0 to:200.133.x.y5

      4 192 SNAT all — * eth1 192.168.0.23 0.0.0.0/0 to:200.133.x.y9

      0 0 SNAT tcp — * eth1 192.168.0.62 0.0.0.0/0 tcp dpt:25 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.0.18 0.0.0.0/0 tcp dpt:8080 to:200.133.x.y8

      20 960 SNAT tcp — * eth1 192.168.0.16 0.0.0.0/0 tcp dpt:21 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.1.118 0.0.0.0/0 tcp dpt:21 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.2.73 0.0.0.0/0 tcp dpt:21 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.0.31 0.0.0.0/0 tcp dpt:21 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.0.83 0.0.0.0/0 tcp dpt:21 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.1.3 0.0.0.0/0 tcp dpt:21 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.2.84 0.0.0.0/0 tcp dpt:3007 to:200.133.x.y

      0 0 SNAT all — * eth1 192.168.1.177 0.0.0.0/0 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.0.21 0.0.0.0/0 tcp dpt:25 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.0.21 0.0.0.0/0 tcp dpt:22 to:200.133.x.y

      0 0 SNAT all — * eth1 192.168.8.1 0.0.0.0/0 to:200.133.x.y

      0 0 SNAT all — * eth1 192.168.8.2 0.0.0.0/0 to:200.133.x.y

      0 0 SNAT all — * eth1 192.168.8.3 0.0.0.0/0 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.1.23 0.0.0.0/0 tcp dpt:22 to:200.133.x.y

      0 0 SNAT udp — * eth1 192.168.1.23 0.0.0.0/0 udp dpt:22 to:200.133.x.y

      0 0 SNAT tcp — * eth1 192.168.1.23 0.0.0.0/0 tcp dpt:3306 to:200.133.x.y

      0 0 SNAT udp — * eth1 192.168.1.23 0.0.0.0/0 udp dpt:3306 to:200.133.x.y

      0 0 SNAT tcp — * eth1 10.10.0.0/16 0.0.0.0/0 tcp dpt:80 to:200.133.x.y

      0 0 SNAT all — * eth1 192.168.5.6 0.0.0.0/0 to:200.133.x.y

      50572 3770K SNAT all — * eth1 0.0.0.0/0 0.0.0.0/0 to:200.133.x.y

    • #4886
      Eduardo Silva
      Participant

      tnol2,

      Use pastebin to paste it and just provide the 3 links.

      If you post it here the text comes out misaligned, it is hard to follow, and it makes the post enormously long.

      Go to pastebin.com and "paste" the output there.

      []'s

    • #4887
      tnol2
      Participant

      Sorry Eduardo, I did not know that site. I am posting there now. Here are the links:

      Filter

      http://pastebin.com/n64bXDst

      Mangle

      http://pastebin.com/TCd78qN1

      Nat

      http://pastebin.com/K9gL11iW

    • #4888
      Eduardo Silva
      Participant

      tnol2,

      I spent a little time reviewing your firewall and could not find where the fault is…

      From the tests you ran, I could see that your iptables is working as it should, but in principle there is some rule somewhere in the filter table that is granting full or partial access between the zones.

      Although I found nothing solid, I was left with a suspicion about your PORTFWACCESS chain.

      Was any IP in the destination column of that table involved in the test you ran earlier?

      From what I observed, this chain has the potential to open access between the zones depending on the rules you insert. (In a way, that is correct.)

      Run the following test outside business hours: (careful, some services will stop working)

      Logged in via SSH, type:

      # iptables -F PORTFWACCESS

      Now try the telnet tests between the networks again.

      PS: The easiest way to reapply the rules removed by the command above is to reboot the Endian or reapply the firewall from the web interface. (You should definitely do this after the test.)

      []'s
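A way to check the suspicion above before flushing anything, as an added example (not from this thread or from Endian): the script parses `iptables -L PORTFWACCESS -n -v` output and flags ACCEPT/DNAT rules whose destination lies inside GREEN and whose source is any address or overlaps BLUE. The zone CIDRs and the sample rule listing are constructed, not taken from the thread.

```shell
#!/bin/sh
# Audit a filter chain listing for rules that let traffic from one zone reach
# another. Reads the output of `iptables -L <chain> -n -v` on stdin.
# Columns of that output: pkts bytes target prot opt in out source destination [...]
audit_zone_leaks() {
  # $1 = CIDR of the zone that should be kept out (e.g. BLUE)
  # $2 = CIDR of the zone being protected (e.g. GREEN)
  awk -v src_zone="$1" -v dst_zone="$2" '
    function ip2int(ip,    o) {
      split(ip, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # true when addresses a and b share their first "bits" bits
    function same_prefix(a, b, bits,    d) {
      d = 2 ^ (32 - bits)
      return int(ip2int(a) / d) == int(ip2int(b) / d)
    }
    # store "addr/bits" as ADDR[k], BITS[k]; a bare host address is /32
    function parse_cidr(c, k,    p, n) {
      n = split(c, p, "/")
      ADDR[k] = p[1]; BITS[k] = (n == 2) ? p[2] : 32
    }
    BEGIN { parse_cidr(src_zone, "S"); parse_cidr(dst_zone, "D") }
    /^Chain / || $1 == "pkts" || NF < 9 { next }   # headers and blanks
    $3 != "ACCEPT" && $3 != "DNAT" { next }        # only permissive targets
    {
      parse_cidr($8, "s"); parse_cidr($9, "d")
      # destination must lie inside the protected zone
      if (BITS["d"] < BITS["D"] || !same_prefix(ADDR["d"], ADDR["D"], BITS["D"])) next
      if ($8 == "0.0.0.0/0") {
        reason = "any source"
      } else {
        # source range overlaps the other zone when the shorter prefix matches
        bits = (BITS["s"] < BITS["S"]) ? BITS["s"] : BITS["S"]
        if (!same_prefix(ADDR["s"], ADDR["S"], bits)) next
        reason = "source overlaps " src_zone
      }
      printf "LEAK (%s): %s -> %s  rule: %s\n", reason, $8, $9, $0
    }'
}
# Constructed sample in the `iptables -L PORTFWACCESS -n -v` format (not a real box).
SAMPLE_RULES='Chain PORTFWACCESS (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.160        tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       203.0.113.7          192.168.0.4          tcp dpt:3389
    3   144 ACCEPT     tcp  --  *      *       10.10.0.0/16         192.168.0.21         tcp dpt:80
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            172.16.1.4
   99  5000 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.0/24'
# Number of flagged rules in the sample for the given zone pair.
count_zone_leaks() {
  printf '%s\n' "$SAMPLE_RULES" | audit_zone_leaks "$1" "$2" | wc -l | tr -d ' '
}
BLUE=10.10.0.0/16      # assumed zone addressing, not from the thread
GREEN=192.168.0.0/24
printf '%s\n' "$SAMPLE_RULES" | audit_zone_leaks "$BLUE" "$GREEN"
```

On the firewall itself, pipe the live `iptables -L PORTFWACCESS -n -v` into audit_zone_leaks instead of the sample; the rules it flags are the ones to compare against the hosts used in the ping test.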

    • #4889
      tnol2
      Participant

      OK Eduardo, first I would like to thank you for your attention in helping me solve this little problem. I will run the test you suggested on the day of the Brazil match, since everyone will be in front of the TV. Then I will post the result of the test here.

    • #4890
      Eduardo Silva
      Participant

      OK, I will be waiting for the result of the match…. err… I mean… of the tests 😛

      []'s

    • #4891
      Eduardo Silva
      Participant

      tnol2, did you get around to running the test I mentioned?

      []'s

    • #4892
      tnol2
      Participant

      Eduardo, I have not managed to run the test yet; I will try to do it between today and tomorrow.
