[Openswan Users]
Opens/wan on kernel 2.6 <-> opens/wan on kernel 2.4 = failure
Itai Tavor
itai at iinet.net.au
Tue Nov 30 19:51:03 CET 2004
Hi,
And I'm back... my attempts to get a new opens/wan gateway to connect
to an existing frees/wan system went nowhere, so I decided that having
opens/wan on both sides might improve my luck. No luck :(
I'm now running the following setup:
Right (amber): FC2, openswan-2.2.0-2 rpm, kernel 2.6.10-rc1, shorewall
Left (edo): FC1, kernel 2.4.22-1.2199 (ATrpms version, with openswan
support), openswan-2.2.0-17 rpm, shorewall
Both sides act as LAN gateways, left with a fixed IP, right connected
to ADSL with a dynamic IP. The connection (triggered from right) starts
fine but pings don't work in either direction. I tried both with the
firewall on and off on both sides, with identical results.
Attached ipsec barf on both sides.
Any suggestions?
TIA, Itai
edo
Tue Nov 30 17:42:37 JST 2004
+ _________________________ version
+ ipsec --version
Linux Openswan Ucvs2002Mar11_19:19:03/K2.1.2rc3 (klips)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.22-1.2199.nptl_52.rhfc1.at (bachbuilder at n27) (gcc version 3.2.3 20030422 (Red Hat Linux 3.2.3-6)) #1 Wed Aug 11 19:48:01 EDT 2004
+ _________________________ proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
154.33.4.102    0.0.0.0         255.255.255.255 UH    0   0      0    ppp0
154.33.4.102    0.0.0.0         255.255.255.255 UH    0   0      0    ipsec0
10.0.2.0        0.0.0.0         255.255.255.0   U     0   0      0    eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0   0      0    eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0   0      0    lo
0.0.0.0         154.33.4.102    0.0.0.0         UG    0   0      0    ppp0
+ _________________________ proc/net/ipsec_spi
+ test -r proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> ppp0 mtu=16260(1454) -> 1454
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pfkey
+ test -r /proc/net/pfkey
+ _________________________ proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec0/ppp0 210.229.239.65
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "Tir-Na-Nogth-IM": 10.0.2.0/24===210.229.239.65[@edo.insentiv.co.jp]---154.33.4.102...%any[@amber.tir-na-nogth.net]===10.0.1.0/24; unrouted; eroute owner: #0
000 "Tir-Na-Nogth-IM": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "Tir-Na-Nogth-IM": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: ppp0;
000 "Tir-Na-Nogth-IM": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "Tir-Na-Nogth-IM": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "Tir-Na-Nogth-IM": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "Tir-Na-Nogth-IM": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "Tir-Na-Nogth-IM": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:00:F4:60:9B:31
inet addr:10.0.2.1 Bcast:10.0.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22833 errors:0 dropped:0 overruns:0 frame:0
TX packets:26013 errors:3 dropped:0 overruns:3 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5865514 (5.5 Mb) TX bytes:22076060 (21.0 Mb)
Interrupt:11 Base address:0xd000
eth1 Link encap:Ethernet HWaddr 00:90:CC:51:B9:77
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:27319 errors:0 dropped:0 overruns:0 frame:0
TX packets:23200 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:21802621 (20.7 Mb) TX bytes:5886159 (5.6 Mb)
Interrupt:10 Base address:0x9000
ipsec0 Link encap:Point-to-Point Protocol
inet addr:210.229.239.65 Mask:255.255.255.255
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec2 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec3 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:13278 errors:0 dropped:0 overruns:0 frame:0
TX packets:13278 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:901831 (880.6 Kb) TX bytes:901831 (880.6 Kb)
ppp0 Link encap:Point-to-Point Protocol
inet addr:210.229.239.65 P-t-P:154.33.4.102 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1454 Metric:1
RX packets:27181 errors:0 dropped:0 overruns:0 frame:0
TX packets:23063 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:21197609 (20.2 Mb) TX bytes:5377413 (5.1 Mb)
ppp0:0 Link encap:Point-to-Point Protocol
inet addr:210.229.239.99 P-t-P:210.229.239.99 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1454 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ppp0:1 Link encap:Point-to-Point Protocol
inet addr:210.229.239.98 P-t-P:210.229.239.98 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1454 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ppp0:2 Link encap:Point-to-Point Protocol
inet addr:210.229.239.102 P-t-P:210.229.239.102 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1454 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan Ucvs2002Mar11_19:19:03/K2.1.2rc3 (klips)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: edo                     [MISSING]
   Does the machine have at least one non-private address?      [OK]
   Looking for TXT in reverse dns zone: 65.239.229.210.in-addr.arpa.    [MISSING]
   Looking for TXT in reverse dns zone: 99.239.229.210.in-addr.arpa.    [MISSING]
   Looking for TXT in reverse dns zone: 98.239.229.210.in-addr.arpa.    [MISSING]
   Looking for TXT in reverse dns zone: 102.239.229.210.in-addr.arpa.   [MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-FD flow-control, link ok
  product info: Davicom DM9101 rev 0
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth1: negotiated 100baseTx-FD, link ok
  product info: vendor 00:07:49, model 1 rev 1
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
edo
+ _________________________ hostname/ipaddress
+ hostname --ip-address
127.0.0.1
+ _________________________ uptime
+ uptime
17:42:51 up 42 min, 1 user, load average: 1.11, 0.60, 0.27
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY   TIME COMMAND
0     0  7571  3199  19   0  4516  936 wait4  S    pts/1 0:00  \_ /bin/sh /usr/libexec/ipsec/barf
0     0  7667  7571  20   0  2912  392 pipe_w S    pts/1 0:00      \_ egrep -i ppid|pluto|ipsec|klips
1     0  7502     1  19   0  2428  984 wait4  S    pts/1 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wai
1     0  7503  7502  19   0  2428  996 wait4  S    pts/1 0:00  \_ /bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog -
4     0  7504  7503  16   0  3368  916 schedu S    pts/1 0:00      \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-none --uniqueids
0     0  7515  7504  23   0  1728  240 schedu S    pts/1 0:00          \_ _pluto_adns
0     0  7505  7502  15   0  2612  984 pipe_w S    pts/1 0:00  \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
0     0  7507     1  19   0  1904  292 pipe_w S    pts/1 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $
# edo.isentiv.co.jp
#
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces="ipsec0=ppp0"
        klipsdebug=none
        plutodebug=none
        uniqueids=yes

# Standard server security definition (left)
conn %default
        # Allow only 1 try since we are the passive end
        keyingtries=1
        #
        # Security gateway - left
        left=210.229.239.65
        leftsubnet=10.0.2.0/24
        leftnexthop=154.33.4.102
        leftupdown=/usr/lib/ipsec/_updown
        #
        # Add but don't start connection on startup
        auto=add
        #
        #
        # RSA authentication
        authby=rsasig
        leftid=@edo.insentiv.co.jp
        leftrsasigkey=[keyid AQOrd0max]

# Load client (right) definitions from subdirectory
#< /etc/ipsec.d/remote.tir-na-nogth.conn 1
# /etc/ipsec.d/remote.tir-na-nogth.conn - FreeS/WAN IPsec remote connection file
# Connection from Tir-Na-Nog'th gateway
conn Tir-Na-Nogth-IM
        # Right - Tir-Na-Nog'th security gateway
        right=%any
        rightsubnet=10.0.1.0/24
        #
        rightid=@amber.tir-na-nogth.net
        rightrsasigkey=[keyid AQN/IxlHw]
#> /etc/ipsec.conf 37
#
# Disable opportunistic encryption
#
#< /etc/ipsec.d/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/freeswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore
#> /etc/ipsec.conf 42
+ _________________________ ipsec/secrets
+ ipsec _secretcensor
+ ipsec _include /etc/ipsec.secrets
#< /etc/ipsec.secrets 1
: RSA {
        # RSA 2192 bits edo.insentiv.co.jp Fri Jan 30 20:14:18 2004
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=[keyid AQOrd0max]
        Modulus: [...]
        PublicExponent: [...]
        # everything after this point is secret
        PrivateExponent: [...]
        Prime1: [...]
        Prime2: [...]
        Exponent1: [...]
        Exponent2: [...]
        Coefficient: [...]
        }
# do not change the indenting of that "[sums to 7d9d...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 Nov 30 17:42:21 2004, 2192 RSA Key AQN/IxlHw, until --- -- --:--:-- ---- ok (expires never)
000 ID_FQDN '@amber.tir-na-nogth.net'
000 Nov 30 17:42:21 2004, 2192 RSA Key AQOrd0max, until --- -- --:--:-- ---- ok (expires never)
000 ID_FQDN '@edo.insentiv.co.jp'
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 100
-rwxr-xr-x 1 root root 15403 Sep 19 09:25 _confread
-rwxr-xr-x 1 root root 4620 Sep 19 09:25 _copyright
-rwxr-xr-x 1 root root 2379 Sep 19 09:25 _include
-rwxr-xr-x 1 root root 1475 Sep 19 09:25 _keycensor
-rwxr-xr-x 1 root root 3586 Sep 19 09:25 _plutoload
-rwxr-xr-x 1 root root 7167 Sep 19 09:25 _plutorun
-rwxr-xr-x 1 root root 10493 Sep 19 09:25 _realsetup
-rwxr-xr-x 1 root root 1975 Sep 19 09:25 _secretcensor
-rwxr-xr-x 1 root root 9010 Sep 19 09:25 _startklips
-rwxr-xr-x 1 root root 12313 Sep 19 09:25 _updown
-rwxr-xr-x 1 root root 7572 Sep 19 09:25 _updown_x509
-rwxr-xr-x 1 root root 1942 Sep 19 09:25 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 1240
-rwxr-xr-x 1 root root 9860 Sep 19 09:25 _pluto_adns
-rwxr-xr-x 1 root root 19220 Sep 19 09:25 auto
-rwxr-xr-x 1 root root 10224 Sep 19 09:25 barf
-rwxr-xr-x 1 root root 816 Sep 19 09:25 calcgoo
-rwxr-xr-x 1 root root 77984 Sep 19 09:25 eroute
-rwxr-xr-x 1 root root 58180 Sep 19 09:25 klipsdebug
-rwxr-xr-x 1 root root 2461 Sep 19 09:25 look
-rwxr-xr-x 1 root root 7118 Sep 19 09:25 mailkey
-rwxr-xr-x 1 root root 16188 Sep 19 09:25 manual
-rwxr-xr-x 1 root root 1874 Sep 19 09:25 newhostkey
-rwxr-xr-x 1 root root 52784 Sep 19 09:25 pf_key
-rwxr-xr-x 1 root root 562204 Sep 19 09:25 pluto
-rwxr-xr-x 1 root root 6592 Sep 19 09:25 ranbits
-rwxr-xr-x 1 root root 18656 Sep 19 09:25 rsasigkey
-rwxr-xr-x 1 root root 766 Sep 19 09:25 secrets
-rwxr-xr-x 1 root root 17578 Sep 19 09:25 send-pr
lrwxrwxrwx 1 root root 22 Nov 30 16:39 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Sep 19 09:25 showdefaults
-rwxr-xr-x 1 root root 4364 Sep 19 09:25 showhostkey
-rwxr-xr-x 1 root root 114364 Sep 19 09:25 spi
-rwxr-xr-x 1 root root 68480 Sep 19 09:25 spigrp
-rwxr-xr-x 1 root root 77824 Sep 19 09:25 starter
-rwxr-xr-x 1 root root 9808 Sep 19 09:25 tncfg
-rwxr-xr-x 1 root root 10189 Sep 19 09:25 verify
-rwxr-xr-x 1 root root 43036 Sep 19 09:25 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  901831   13278    0    0    0     0          0         0   901831   13278    0    0    0     0       0          0
  eth0: 5882368   22931    0    0    0     0          0         0 22238289   26152    3    0    3     0       0          0
  eth1:21971096   27520    0    0    0     0          0         0  5946139   23414    0    0    0     0       0          0
  ppp0:21360158   27380    0    0    0     0          0         0  5429781   23275    0    0    0     0       0          0
ipsec0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface   Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
ppp0    6604219A    00000000 0005  0      0   0      FFFFFFFF 0   0      0
ipsec0  6604219A    00000000 0005  0      0   0      FFFFFFFF 0   0      0
eth0    0002000A    00000000 0001  0      0   0      00FFFFFF 0   0      0
eth0    0000FEA9    00000000 0001  0      0   0      0000FFFF 0   0      0
lo      0000007F    00000000 0001  0      0   0      000000FF 0   0      0
ppp0    00000000    6604219A 0003  0      0   0      00000000 0   0      0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter ipsec0/rp_filter lo/rp_filter ppp0/rp_filter
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
ipsec0/rp_filter:1
lo/rp_filter:1
ppp0/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux edo 2.4.22-1.2199.nptl_52.rhfc1.at #1 Wed Aug 11 19:48:01 EDT 2004 i586 i586 i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 1 (Yarrow)
+ _________________________ proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ cat /proc/net/ipsec_version
Openswan version: 2.1.2rc3
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 288: no old-style linux 1.x/2.0 ipfwadm firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy DROP 4 packets, 1016 bytes)
 pkts bytes target     prot  opt in     out    source          destination
 1216 85468 ACCEPT     all   --  lo     *      0.0.0.0/0       0.0.0.0/0
    0     0 DROP       !icmp --  *      *      0.0.0.0/0       0.0.0.0/0       state INVALID
  842  527K ppp0_in    all   --  ppp0   *      0.0.0.0/0       0.0.0.0/0
  280 83367 eth0_in    all   --  eth0   *      0.0.0.0/0       0.0.0.0/0
    0     0 ipsec0_in  all   --  ipsec0 *      0.0.0.0/0       0.0.0.0/0
    0     0 common     all   --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 LOG        all   --  *      *      0.0.0.0/0       0.0.0.0/0       LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain FORWARD (policy DROP 7 packets, 364 bytes)
 pkts bytes target     prot  opt in     out    source          destination
    0     0 DROP       !icmp --  *      *      0.0.0.0/0       0.0.0.0/0       state INVALID
   32  1644 TCPMSS     tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       tcp flags:0x06/0x02 TCPMSS clamp to PMTU
  379  403K ppp0_fwd   all   --  ppp0   *      0.0.0.0/0       0.0.0.0/0
  320 24887 eth0_fwd   all   --  eth0   *      0.0.0.0/0       0.0.0.0/0
    0     0 ipsec0_fwd all   --  ipsec0 *      0.0.0.0/0       0.0.0.0/0
    9   444 common     all   --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 LOG        all   --  *      *      0.0.0.0/0       0.0.0.0/0       LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot  opt in     out    source          destination
 1216 85468 ACCEPT     all   --  *      lo     0.0.0.0/0       0.0.0.0/0
    0     0 DROP       !icmp --  *      *      0.0.0.0/0       0.0.0.0/0       state INVALID
  894  179K fw2net     all   --  *      ppp0   0.0.0.0/0       0.0.0.0/0
  533  507K fw2loc     all   --  *      eth0   0.0.0.0/0       0.0.0.0/0
    0     0 fw2vpn     all   --  *      ipsec0 0.0.0.0/0       0.0.0.0/0
    0     0 common     all   --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 LOG        all   --  *      *      0.0.0.0/0       0.0.0.0/0       LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain all2all (3 references)
 pkts bytes target     prot  opt in     out    source          destination
    0     0 ACCEPT     all   --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
    0     0 common     all   --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 LOG        all   --  *      *      0.0.0.0/0       0.0.0.0/0       LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain blacklst (2 references)
 pkts bytes target     prot  opt in     out    source          destination

Chain common (5 references)
 pkts bytes target     prot  opt in     out    source          destination
    0     0 icmpdef    icmp  --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 reject     udp   --  *      *      0.0.0.0/0       0.0.0.0/0       udp dpt:135
    0     0 reject     udp   --  *      *      0.0.0.0/0       0.0.0.0/0       udp dpts:137:139
    0     0 reject     udp   --  *      *      0.0.0.0/0       0.0.0.0/0       udp dpt:445
    3   144 reject     tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       tcp dpt:139
    0     0 reject     tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       tcp dpt:445
    6   300 reject     tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       tcp dpt:135
    0     0 DROP       udp   --  *      *      0.0.0.0/0       0.0.0.0/0       udp dpt:1900
    0     0 DROP       all   --  *      *      0.0.0.0/0       255.255.255.255
    0     0 DROP       all   --  *      *      0.0.0.0/0       224.0.0.0/4
    0     0 reject     tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       tcp dpt:113
    0     0 DROP       udp   --  *      *      0.0.0.0/0       0.0.0.0/0       udp spt:53 state NEW
    0     0 DROP       all   --  *      *      0.0.0.0/0       10.0.2.255

Chain dynamic (6 references)
 pkts bytes target     prot  opt in     out    source          destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot  opt in     out    source          destination
    8   480 dynamic    all   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW
  320 24887 loc2net    all   --  *      ppp0   0.0.0.0/0       0.0.0.0/0
    0     0 loc2vpn    all   --  *      ipsec0 0.0.0.0/0       0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot  opt in     out    source          destination
   31  4996 dynamic    all   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW
  280 83367 loc2fw     all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain fw2loc (1 references)
 pkts bytes target     prot  opt in     out    source          destination
  533  507K ACCEPT     all   --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     icmp  --  *      *      0.0.0.0/0       0.0.0.0/0       icmp type 8
    0     0 all2all    all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot  opt in     out    source          destination
  775  171K ACCEPT     all   --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     esp   --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT     ah    --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT     udp   --  *      *      0.0.0.0/0       0.0.0.0/0       udp spt:500 dpt:500 state NEW
    0     0 ACCEPT     tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:53
    4   282 ACCEPT     udp   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:53
    0     0 ACCEPT     icmp  --  *      *      0.0.0.0/0       0.0.0.0/0       icmp type 8
  115  6900 ACCEPT     all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain fw2vpn (1 references)
 pkts bytes target     prot  opt in     out    source          destination
    0     0 ACCEPT     all   --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:53
    0     0 ACCEPT     udp   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp dpt:53
    0     0 all2all    all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot  opt in     out    source          destination

Chain ipsec0_fwd (1 references)
 pkts bytes target     prot  opt in     out    source          destination
    0     0 dynamic    all   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW
    0     0 all2all    all   --  *      ppp0   0.0.0.0/0       0.0.0.0/0
    0     0 vpn2loc    all   --  *      eth0   0.0.0.0/0       0.0.0.0/0

Chain ipsec0_in (1 references)
 pkts bytes target     prot  opt in     out    source          destination
    0     0 dynamic    all   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW
    0     0 vpn2fw     all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target     prot  opt in     out    source          destination
  249 78371 ACCEPT     all   --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp dpt:22
    0     0 ACCEPT     icmp  --  *      *      0.0.0.0/0       0.0.0.0/0       icmp type 8
   31  4996 ACCEPT     all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot  opt in     out    source          destination
  312 24407 ACCEPT     all   --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
    8   480 ACCEPT     all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain loc2vpn (1 references)
 pkts bytes target     prot  opt in     out    source          destination
    0     0 ACCEPT     all   --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain logdrop (58 references)
 pkts bytes target     prot  opt in     out    source          destination
    0     0 LOG        all   --  *      *      0.0.0.0/0       0.0.0.0/0       LOG flags 0 level 6 prefix `Shorewall:logdrop:DROP:'
    0     0 DROP       all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain net2all (3 references)
 pkts bytes target     prot  opt in     out    source          destination
    0     0 ACCEPT     all   --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
    0     0 common     all   --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 LOG        all   --  *      *      0.0.0.0/0       0.0.0.0/0       LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
    0     0 DROP       all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot  opt in     out    source          destination
  842  527K ACCEPT     all   --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     esp   --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT     ah    --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT     udp   --  *      *      0.0.0.0/0       0.0.0.0/0       udp spt:500 dpt:500 state NEW
    0     0 ACCEPT     icmp  --  *      *      0.0.0.0/0       0.0.0.0/0       icmp type 8
    0     0 ACCEPT     tcp   --  *      *      0.0.0.0/0       10.0.2.1        state NEW tcp dpt:22
    0     0 ACCEPT     udp   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW udp spt:500 dpt:500
    0     0 ACCEPT     esp   --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 ACCEPT     ah    --  *      *      0.0.0.0/0       0.0.0.0/0
    0     0 net2all    all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain net2loc (1 references)
 pkts bytes target     prot  opt in     out    source          destination
  370  403K ACCEPT     all   --  *      *      0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp   --  *      *      0.0.0.0/0       10.0.2.61       multiport dports 80,21 state NEW ctorigdst 210.229.239.99
    0     0 ACCEPT     tcp   --  *      *      0.0.0.0/0       10.0.2.62       state NEW tcp dpt:80 ctorigdst 210.229.239.102
    0     0 ACCEPT     tcp   --  *      *      0.0.0.0/0       10.0.2.60       multiport dports 80,81,443 state NEW ctorigdst 210.229.239.98
    0     0 ACCEPT     tcp   --  *      *      0.0.0.0/0       10.0.2.60       multiport dports 80,443 state NEW ctorigdst 210.229.239.100
    0     0 ACCEPT     tcp   --  *      *      0.0.0.0/0       10.0.2.60       multiport dports 80,443 state NEW ctorigdst 210.229.239.101
    0     0 ACCEPT     tcp   --  *      *      0.0.0.0/0       10.0.2.60       state NEW tcp dpt:21 ctorigdst 210.229.239.101
    0     0 ACCEPT     tcp   --  *      *      0.0.0.0/0       10.0.2.60       state NEW tcp dpt:22 ctorigdst 210.229.239.98
    0     0 ACCEPT     udp   --  *      *      0.0.0.0/0       10.0.2.20       state NEW udp dpt:5060
    0     0 ACCEPT     udp   --  *      *      0.0.0.0/0       10.0.2.20       state NEW udp dpts:16384:16403
    0     0 net2all    all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain newnotsyn (12 references)
 pkts bytes target     prot  opt in     out    source          destination
    0     0 LOG        all   --  *      *      0.0.0.0/0       0.0.0.0/0       LOG flags 0 level 6 prefix `Shorewall:newnotsyn:DROP:'
    0     0 DROP       all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain ppp0_fwd (1 references)
 pkts bytes target     prot  opt in     out    source          destination
    9   444 dynamic    all   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW
    9   444 blacklst   all   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW
    9   444 rfc1918    all   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW
  370  403K net2loc    all   --  *      eth0   0.0.0.0/0       0.0.0.0/0
    0     0 net2all    all   --  *      ipsec0 0.0.0.0/0       0.0.0.0/0

Chain ppp0_in (1 references)
 pkts bytes target     prot  opt in     out    source          destination
    0     0 dynamic    all   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW
    0     0 blacklst   all   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW
    0     0 rfc1918    all   --  *      *      0.0.0.0/0       0.0.0.0/0       state NEW
  842  527K net2fw     all   --  *      *      0.0.0.0/0       0.0.0.0/0

Chain reject (11 references)
 pkts bytes target     prot  opt in     out    source          destination
    9   444 REJECT     tcp   --  *      *      0.0.0.0/0       0.0.0.0/0       reject-with tcp-reset
    0     0 REJECT     udp   --  *      *      0.0.0.0/0       0.0.0.0/0       reject-with icmp-port-unreachable
    0     0 REJECT     icmp  --  *      *      0.0.0.0/0       0.0.0.0/0       reject-with icmp-host-unreachable
    0     0 REJECT     all   --  *      *      0.0.0.0/0       0.0.0.0/0       reject-with icmp-host-prohibited

Chain rfc1918 (2 references)
 pkts bytes target     prot  opt in     out    source          destination
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 96.0.0.0/3
0 0 logdrop all -- * * 127.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 127.0.0.0/8
0 0 logdrop all -- * * 197.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 197.0.0.0/8
0 0 logdrop all -- * * 198.18.0.0/15
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 198.18.0.0/15
0 0 logdrop all -- * * 223.0.0.0/8
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 223.0.0.0/8
0 0 logdrop all -- * * 240.0.0.0/4
0.0.0.0/0
0 0 logdrop all -- * * 0.0.0.0/0
0.0.0.0/0 ctorigdst 240.0.0.0/4
Chain shorewall (0 references)
pkts bytes target prot opt in out source
destination
Chain vpn2fw (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain vpn2loc (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 newnotsyn tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp flags:!0x16/0x02
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
+ _________________________
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 1639 packets, 159K bytes)
pkts bytes target prot opt in out source destination
9 444 net_dnat all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
4 224 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
Chain POSTROUTING (policy ACCEPT 798 packets, 39071 bytes)
pkts bytes target prot opt in out source destination
135 7949 ppp0_masq all -- * ppp0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 347 packets, 22747 bytes)
pkts bytes target prot opt in out source destination
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:222 LOG flags 0 level 5 prefix `Shorewall:net_dnat:DNAT:'
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:222 to:10.0.2.1:22
0 0 DNAT tcp -- * * 0.0.0.0/0 210.229.239.99 multiport dports 80,21 to:10.0.2.61
0 0 DNAT tcp -- * * 0.0.0.0/0 210.229.239.102 tcp dpt:80 to:10.0.2.62
0 0 DNAT tcp -- * * 0.0.0.0/0 210.229.239.98 multiport dports 80,81,443 to:10.0.2.60
0 0 DNAT tcp -- * * 0.0.0.0/0 210.229.239.100 multiport dports 80,443 to:10.0.2.60
0 0 DNAT tcp -- * * 0.0.0.0/0 210.229.239.101 multiport dports 80,443 to:10.0.2.60
0 0 DNAT tcp -- * * 0.0.0.0/0 210.229.239.101 tcp dpt:21 to:10.0.2.60
0 0 DNAT tcp -- * * 0.0.0.0/0 210.229.239.98 tcp dpt:223 to:10.0.2.60:22
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 to:10.0.2.20
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:16384:16403 to:10.0.2.20
Chain ppp0_masq (1 references)
pkts bytes target prot opt in out source destination
8 480 MASQUERADE all -- * * 10.0.2.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 169.254.0.0/16 0.0.0.0/0
+ _________________________
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 63204 packets, 28M bytes)
pkts bytes target prot opt in out source destination
3067 1143K pretos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 24241 packets, 5685K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 38937 packets, 22M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 24251 packets, 6198K bytes)
pkts bytes target prot opt in out source destination
2652 782K outtos all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 62597 packets, 28M bytes)
pkts bytes target prot opt in out source destination
Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
93 55884 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:4662 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:4672 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4672 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:4862 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4862 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:4872 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4872 TOS set 0x08
Chain pretos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:4662 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:4672 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4672 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:4862 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4862 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:4872 TOS set 0x08
0 0 TOS udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4872 TOS set 0x08
+ _________________________ proc/modules
+ test -f /proc/modules
+ cat /proc/modules
ipsec 244512 2
autofs 11156 0 (autoclean) (unused)
ipt_REDIRECT 1336 1 (autoclean)
ipt_TOS 1592 28 (autoclean)
ipt_MASQUERADE 2104 2 (autoclean)
ipt_REJECT 3960 4 (autoclean)
ipt_LOG 4152 8 (autoclean)
ipt_TCPMSS 2968 1 (autoclean)
ipt_state 1112 58 (autoclean)
ip_nat_irc 2896 0 (unused)
ip_nat_tftp 2288 0 (unused)
ip_nat_ftp 3568 0 (unused)
ip_conntrack_irc 3728 1
ip_conntrack_tftp 2192 1
ip_conntrack_ftp 4720 1
ipt_multiport 1176 8 (autoclean)
ipt_conntrack 1656 38 (autoclean)
iptable_filter 2348 1 (autoclean)
iptable_mangle 2712 1 (autoclean)
iptable_nat 20760 4 (autoclean) [ipt_REDIRECT ipt_MASQUERADE ip_nat_irc ip_nat_tftp ip_nat_ftp]
ip_conntrack 27464 6 (autoclean) [ipt_REDIRECT ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_tftp ip_nat_ftp ip_conntrack_irc ip_conntrack_tftp ip_conntrack_ftp ipt_conntrack iptable_nat]
ip_tables 14688 14 [ipt_REDIRECT ipt_TOS ipt_MASQUERADE ipt_REJECT ipt_LOG ipt_TCPMSS ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]
ppp_synctty 6272 0 (unused)
ppp_async 7936 1
ppp_generic 23516 3 [ppp_synctty ppp_async]
slhc 6612 0 [ppp_generic]
tulip 40832 1 (autoclean)
via-rhine 14224 1
mii 3736 0 [via-rhine]
loop 10808 0 (autoclean)
keybdev 2464 0 (unused)
mousedev 5044 0 (unused)
hid 22724 0 (unused)
input 5664 0 [keybdev mousedev hid]
usb-ohci 20520 0 (unused)
usbcore 73120 1 [hid usb-ohci]
ext3 81576 4
jbd 47752 4 [ext3]
lvm-mod 63488 3
+ _________________________ proc/meminfo
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 191524864 88002560 103522304 0 17108992 39497728
Swap: 394805248 0 394805248
MemTotal: 187036 kB
MemFree: 101096 kB
MemShared: 0 kB
Buffers: 16708 kB
Cached: 38572 kB
SwapCached: 0 kB
Active: 30436 kB
Inactive: 43596 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 187036 kB
LowFree: 101096 kB
SwapTotal: 385552 kB
SwapFree: 385552 kB
+ _________________________ proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 Nov 30 17:42 /proc/net/ipsec_eroute -> ipsec/eroute/all
lrwxrwxrwx 1 root root 16 Nov 30 17:42 /proc/net/ipsec_klipsdebug -> ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 Nov 30 17:42 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx 1 root root 16 Nov 30 17:42 /proc/net/ipsec_spigrp -> ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 Nov 30 17:42 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx 1 root root 13 Nov 30 17:42 /proc/net/ipsec_version -> ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.4.22-1.2199.nptl_52.rhfc1.at/build/.config
+ echo 'no .config file found, cannot list kernel properties'
no .config file found, cannot list kernel properties
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
# MADE-BY-RP-PPPOE
nameserver 154.33.63.214
nameserver 154.33.63.210
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 8
drwxr-xr-x 4 root root 4096 Nov 30 16:37 2.4.22-1.2199.nptl_52.rhfc1.at
drwxr-xr-x 4 root root 4096 Nov 30 16:42 2.4.22-1.2115.nptl
+ _________________________ proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ egrep netif_rx /proc/ksyms
c0201b10 netif_rx_Rc41991c0
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.4.22-1.2115.nptl: U netif_rx_R07a1a075
2.4.22-1.2199.nptl_52.rhfc1.at: U netif_rx_Rc41991c0
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '35121,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Nov 30 17:42:18 edo ipsec_setup: Starting Openswan IPsec cvs2002Mar11_19:19:03...
Nov 30 17:42:18 edo ipsec_setup: Using /lib/modules/2.4.22-1.2199.nptl_52.rhfc1.at/kernel/net/ipsec/ipsec.o
+ _________________________ plog
+ sed -n '302,$p' /var/log/secure
+ egrep -i pluto
+ cat
Nov 30 17:42:18 edo ipsec__plutorun: Starting Pluto subsystem...
Nov 30 17:42:18 edo pluto[7504]: Starting Pluto (Openswan Version cvs2002Mar11_19:19:03 X.509-1.5.4 PLUTO_USES_KEYRR)
Nov 30 17:42:18 edo pluto[7504]: including NAT-Traversal patch (Version 0.6c) [disabled]
Nov 30 17:42:18 edo pluto[7504]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 30 17:42:18 edo pluto[7504]: Using KLIPS IPsec interface code
Nov 30 17:42:18 edo pluto[7504]: Changing to directory '/etc/ipsec.d/cacerts'
Nov 30 17:42:18 edo pluto[7504]: Could not change to directory '/etc/ipsec.d/aacerts'
Nov 30 17:42:18 edo pluto[7504]: Changing to directory '/etc/ipsec.d/ocspcerts'
Nov 30 17:42:18 edo pluto[7504]: Changing to directory '/etc/ipsec.d/crls'
Nov 30 17:42:18 edo pluto[7504]: Warning: empty directory
Nov 30 17:42:21 edo pluto[7504]: added connection description "Tir-Na-Nogth-IM"
Nov 30 17:42:21 edo pluto[7504]: listening for IKE messages
Nov 30 17:42:21 edo pluto[7504]: adding interface ipsec0/ppp0 210.229.239.65
Nov 30 17:42:21 edo pluto[7504]: loading secrets from "/etc/ipsec.secrets"
+ _________________________ date
+ date
Tue Nov 30 17:42:53 JST 2004
amber
Tue Nov 30 19:50:33 EST 2004
+ _________________________ version
+ ipsec --version
Linux Openswan U2.2.0/K2.6.10-rc1 (native)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.6.10-rc1 (root at amber) (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) #10 Sun Nov 28 17:34:20 EST 2004
+ _________________________ proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
203.55.229.88 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 203.55.229.88 0.0.0.0 UG 0 0 0 ppp0
+ _________________________ proc/net/ipsec_spi
+ test -r proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ _________________________ proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ _________________________ proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ setkey-D
+ setkey -D
No SAD entries.
+ _________________________ setkey-D-P
+ setkey -D -P
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 30 19:42:17 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=763 seq=5 pid=11930
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 30 19:42:17 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=747 seq=4 pid=11930
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: Nov 30 19:42:17 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=731 seq=3 pid=11930
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 30 19:42:17 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=772 seq=2 pid=11930
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 30 19:42:17 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=756 seq=1 pid=11930
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: Nov 30 19:42:17 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=740 seq=0 pid=11930
refcnt=1
+ _________________________ proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface br0/br0 10.0.1.1
000 interface ppp0/ppp0 203.206.236.211
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "Tir-Na-Nogth-IM": 10.0.1.0/24===203.206.236.211[@amber.tir-na-nogth.net]---203.55.229.88...154.33.4.102---210.229.239.65[@edo.insentiv.co.jp]===10.0.2.0/24; unrouted; eroute owner: #0
000 "Tir-Na-Nogth-IM": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "Tir-Na-Nogth-IM": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: ppp0;
000 "Tir-Na-Nogth-IM": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "Tir-Na-Nogth-IM": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "Tir-Na-Nogth-IM": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "Tir-Na-Nogth-IM": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "Tir-Na-Nogth-IM": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000
000
+ _________________________ ifconfig-a
+ ifconfig -a
ath0 Link encap:Ethernet HWaddr 00:09:5B:E7:2A:2D
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:199
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:11 Memory:e0960000-e0970000
br0 Link encap:Ethernet HWaddr 00:09:5B:E7:2A:2D
inet addr:10.0.1.1 Bcast:10.0.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5954536 errors:0 dropped:0 overruns:0 frame:0
TX packets:7560380 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1830850241 (1746.0 Mb) TX bytes:1119101574 (1067.2 Mb)
eth0 Link encap:Ethernet HWaddr 00:0E:A6:A1:3B:A3
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6030278 errors:0 dropped:0 overruns:0 frame:0
TX packets:7548416 errors:15 dropped:0 overruns:0 carrier:15
collisions:1066770 txqueuelen:1000
RX bytes:1936723007 (1847.0 Mb) TX bytes:1116968465 (1065.2 Mb)
Interrupt:9 Base address:0xe000
eth1 Link encap:Ethernet HWaddr 00:02:44:47:8C:09
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5659346 errors:0 dropped:0 overruns:0 frame:0
TX packets:4889706 errors:0 dropped:0 overruns:0 carrier:0
collisions:28179 txqueuelen:1000
RX bytes:2528618074 (2411.4 Mb) TX bytes:1777788766 (1695.4 Mb)
Interrupt:5 Base address:0xd000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:26232 errors:0 dropped:0 overruns:0 frame:0
TX packets:26232 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6887876 (6.5 Mb) TX bytes:6887876 (6.5 Mb)
ppp0 Link encap:Point-to-Point Protocol
inet addr:203.206.236.211 P-t-P:203.55.229.88 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:725811 errors:0 dropped:0 overruns:0 frame:0
TX packets:641466 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:302334472 (288.3 Mb) TX bytes:185060035 (176.4 Mb)
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                   [OK]
Linux Openswan U2.2.0/K2.6.10-rc1 (native)
Checking for IPsec support in kernel                              [OK]
Checking for RSA private key (/etc/ipsec.secrets)                 [OK]
Checking that pluto is running                                    [OK]
Two or more interfaces found, checking IP forwarding              [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                         [OK]
Checking for 'iptables' command                                   [OK]
Checking for 'setkey' command for native IPsec stack support      [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: amber                        [MISSING]
Does the machine have at least one non-private address?           [OK]
Looking for TXT in reverse dns zone: 211.236.206.203.in-addr.arpa. [MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: negotiated 100baseTx-HD, link ok
product info: vendor 00:00:20, model 32 rev 1
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-HD 10baseT-HD
eth1: autonegotiation failed, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
amber.tir-na-nogth.net
+ _________________________ hostname/ipaddress
+ hostname --ip-address
10.0.1.1
+ _________________________ uptime
+ uptime
19:50:34 up 1 day, 20:49, 1 user, load average: 0.59, 0.24, 0.22
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
4 0 11904 27906 18 0 4084 960 wait S pts/1 0:00 \_ /bin/sh /usr/libexec/ipsec/barf
4 0 11993 11904 19 0 1508 396 pipe_w S pts/1 0:00 \_ egrep -i ppid|pluto|ipsec|klips
5 0 11119 1 23 0 2056 1032 wait S pts/1 0:00 /bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
5 0 11120 11119 23 0 2056 1044 wait S pts/1 0:00 \_ /bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend --strictcrlpolicy --nat_traversal --keep_alive --force_keepalive --disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri --dump --opts --stderrlog --wait no --pre --post --log daemon.error --pid /var/run/pluto.pid
4 0 11121 11120 16 0 2244 936 - S pts/1 0:00 | \_ /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-none --uniqueids
4 0 11146 11121 23 0 1316 252 - S pts/1 0:00 | \_ _pluto_adns
4 0 11147 11119 16 0 2056 1020 pipe_w S pts/1 0:00 \_ /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
4 0 11149 1 23 0 1380 288 pipe_w S pts/1 0:00 logger -s -p daemon.error -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
routephys=ppp0
routevirt=ipsec0
routeaddr=203.206.236.211
routenexthop=203.55.229.88
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - OpenS/WAN IPsec configuration file
#
# amber.tir-na-nogth.net
#
version 2.0 # conforms to second version of ipsec.conf specification
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
conn %default
keyingtries=3
#
# Tir-Na-Nog'th to Insentiv Media tunnel
#
# Left: IM Right: Tir-Na-Nog'th
#
conn Tir-Na-Nogth-IM
right=%defaultroute
rightsubnet=10.0.1.0/24
#
left=210.229.239.65
leftsubnet=10.0.2.0/24
leftnexthop=154.33.4.102
#
auto=add
rightupdown=/usr/lib/ipsec/_updown
#
authby=rsasig
rightid=@amber.tir-na-nogth.net
leftid=@edo.insentiv.co.jp
rightrsasigkey=[keyid AQN/IxlHw]
leftrsasigkey=[keyid AQOrd0max]
#
#Disable Opportunistic Encryption
#
#< /etc/ipsec.d/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/freeswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec.conf 43
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA {
# RSA 2192 bits amber.tir-na-nogth.net Fri Sep 24 10:51:07 2004
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=[keyid AQN/IxlHw]
Modulus: [...]
PublicExponent: [...]
# everything after this point is secret
PrivateExponent: [...]
Prime1: [...]
Prime2: [...]
Exponent1: [...]
Exponent2: [...]
Coefficient: [...]
}
# do not change the indenting of that "[sums to 7d9d...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 Nov 30 19:42:17 2004, 2192 RSA Key AQN/IxlHw, until --- -- --:--:--
---- ok (expires never)
000 ID_FQDN '@amber.tir-na-nogth.net'
000 Nov 30 19:42:17 2004, 2192 RSA Key AQOrd0max, until --- -- --:--:--
---- ok (expires never)
000 ID_FQDN '@edo.insentiv.co.jp'
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 140
-rwxr-xr-x 1 root root 15403 Sep 17 01:40 _confread
-rwxr-xr-x 1 root root 45260 Sep 17 01:40 _copyright
-rwxr-xr-x 1 root root 2379 Sep 17 01:40 _include
-rwxr-xr-x 1 root root 1475 Sep 17 01:40 _keycensor
-rwxr-xr-x 1 root root 3586 Sep 17 01:40 _plutoload
-rwxr-xr-x 1 root root 7167 Sep 17 01:40 _plutorun
-rwxr-xr-x 1 root root 10493 Sep 17 01:40 _realsetup
-rwxr-xr-x 1 root root 1975 Sep 17 01:40 _secretcensor
-rwxr-xr-x 1 root root 9016 Sep 17 01:40 _startklips
-rwxr-xr-x 1 root root 12313 Sep 17 01:40 _updown
-rwxr-xr-x 1 root root 7572 Sep 17 01:40 _updown_x509
-rwxr-xr-x 1 root root 1942 Sep 17 01:40 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 5052
-rwxr-xr-x 1 root root 67890 Sep 17 01:40 _pluto_adns
-rwxr-xr-x 1 root root 19220 Sep 17 01:40 auto
-rwxr-xr-x 1 root root 10248 Sep 17 01:40 barf
-rwxr-xr-x 1 root root 816 Sep 17 01:40 calcgoo
-rwxr-xr-x 1 root root 308475 Sep 17 01:40 eroute
-rwxr-xr-x 1 root root 180611 Sep 17 01:40 klipsdebug
-rwxr-xr-x 1 root root 2461 Sep 17 01:40 look
-rwxr-xr-x 1 root root 7124 Sep 17 01:40 mailkey
-rwxr-xr-x 1 root root 16188 Sep 17 01:40 manual
-rwxr-xr-x 1 root root 1874 Sep 17 01:40 newhostkey
-rwxr-xr-x 1 root root 162486 Sep 17 01:40 pf_key
-rwxr-xr-x 1 root root 2650267 Sep 17 01:40 pluto
-rwxr-xr-x 1 root root 49208 Sep 17 01:40 ranbits
-rwxr-xr-x 1 root root 79770 Sep 17 01:40 rsasigkey
-rwxr-xr-x 1 root root 766 Sep 17 01:40 secrets
-rwxr-xr-x 1 root root 17578 Sep 17 01:40 send-pr
lrwxr-xr-x 1 root root 22 Nov 30 17:54 setup -> /etc/rc.d/init.d/ipsec
-rwxr-xr-x 1 root root 1048 Sep 17 01:40 showdefaults
-rwxr-xr-x 1 root root 4364 Sep 17 01:40 showhostkey
-rwxr-xr-x 1 root root 492709 Sep 17 01:40 spi
-rwxr-xr-x 1 root root 248367 Sep 17 01:40 spigrp
-rwxr-xr-x 1 root root 469542 Sep 17 01:40 starter
-rwxr-xr-x 1 root root 47746 Sep 17 01:40 tncfg
-rwxr-xr-x 1 root root 10195 Sep 17 01:40 verify
-rwxr-xr-x 1 root root 224503 Sep 17 01:40 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 6887876 26232 0 0 0 0 0 0 6887876 26232 0 0 0 0 0 0
eth0:1936745502 6030351 0 0 0 0 0 0 1117029051 7548508 15 0 0 1066770 15 0
br0:1830871570 5954609 0 0 0 0 0 0 1119162160 7560472 0 0 0 0 0 0
ath0: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
eth1:2528652047 5659413 0 0 0 0 0 0 1777810981 4889769 0 0 0 28179 0 0
ppp0:302366965 725878 0 0 0 0 0 0 185080864 641529 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
ppp0 58E537CB 00000000 0005 0 0 0 FFFFFFFF 0 0 0
br0 0001000A 00000000 0001 0 0 0 00FFFFFF 0 0 0
br0 0000FEA9 00000000 0001 0 0 0 0000FFFF 0 0 0
lo 0000007F 00000000 0001 0 0 0 000000FF 0 0 0
ppp0 00000000 58E537CB 0003 0 0 0 00000000 0 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter br0/rp_filter default/rp_filter lo/rp_filter ppp0/rp_filter
all/rp_filter:0
br0/rp_filter:1
default/rp_filter:1
lo/rp_filter:1
ppp0/rp_filter:1
+ _________________________ uname-a
+ uname -a
Linux amber 2.6.10-rc1 #10 Sun Nov 28 17:34:20 EST 2004 i686 athlon i386 GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ cat /etc/redhat-release
Fedora Core release 2 (Tettnang)
+ _________________________ proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ test -r /proc/net/pfkey
++ uname -r
+ echo 'native PFKEY (2.6.10-rc1) support detected '
native PFKEY (2.6.10-rc1) support detected
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 288: no old-style linux 1.x/2.0 ipfwadm
firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy DROP 27 packets, 1368 bytes)
pkts bytes target prot opt in out source destination
69 13000 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
15 802 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
224 102K ppp0_in all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
309 29340 br0_in all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 22 packets, 1018 bytes)
pkts bytes target prot opt in out source destination
47 1904 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
3231 159K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
28308 14M ppp0_fwd all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
25114 6339K br0_fwd all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
69 13000 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
223 14296 fw2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
365 146K fw2loc all -- * br0 0.0.0.0/0 0.0.0.0/0
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:DROP:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain Drop (3 references)
pkts bytes target prot opt in out source destination
0 0 RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DropSMB all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 dropNotSyn all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DropDNSrep (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53

Chain DropSMB (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445

Chain DropUPnP (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900

Chain Reject (3 references)
pkts bytes target prot opt in out source destination
150 28902 RejectAuth all -- * * 0.0.0.0/0 0.0.0.0/0
150 28902 dropBcast all -- * * 0.0.0.0/0 0.0.0.0/0
150 28902 dropInvalid all -- * * 0.0.0.0/0 0.0.0.0/0
150 28902 RejectSMB all -- * * 0.0.0.0/0 0.0.0.0/0
51 13112 DropUPnP all -- * * 0.0.0.0/0 0.0.0.0/0
51 13112 dropNotSyn all -- * * 0.0.0.0/0 0.0.0.0/0
46 5852 DropDNSrep all -- * * 0.0.0.0/0 0.0.0.0/0

Chain RejectAuth (2 references)
pkts bytes target prot opt in out source destination
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113

Chain RejectSMB (1 references)
pkts bytes target prot opt in out source destination
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
99 15790 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
0 0 reject udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445

Chain blacklst (2 references)
pkts bytes target prot opt in out source destination

Chain br0_fwd (1 references)
pkts bytes target prot opt in out source destination
1748 85725 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
25085 6334K loc2net all -- * ppp0 0.0.0.0/0 0.0.0.0/0
29 4339 ACCEPT all -- * br0 0.0.0.0/0 0.0.0.0/0

Chain br0_in (1 references)
pkts bytes target prot opt in out source destination
129 16326 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
309 29340 loc2fw all -- * * 0.0.0.0/0 0.0.0.0/0

Chain dropBcast (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast

Chain dropInvalid (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID

Chain dropNotSyn (2 references)
pkts bytes target prot opt in out source destination
5 7260 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02

Chain dynamic (4 references)
pkts bytes target prot opt in out source destination

Chain fw2loc (1 references)
pkts bytes target prot opt in out source destination
233 125K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.1.11
132 20914 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
34 5202 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain fw2net (1 references)
pkts bytes target prot opt in out source destination
182 11583 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
10 613 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
10 840 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
21 1260 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmpdef (0 references)
pkts bytes target prot opt in out source destination

Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
180 13014 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 120 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
7 360 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3128
120 15846 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
23366 6253K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1719 81386 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
206 93669 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.1.1 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:50
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:51
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 8100,8041
18 7988 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
12 650 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
26680 14M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.1.20 tcp dpt:4662
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.1.20 udp dpt:4672
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.1.20 tcp dpt:4762
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.1.20 udp dpt:4772
1021 50688 ACCEPT tcp -- * * 0.0.0.0/0 10.0.1.20 tcp dpt:4862
607 29932 ACCEPT udp -- * * 0.0.0.0/0 10.0.1.20 udp dpt:4872
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.1.1 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.1.20 tcp dpts:6881:6889
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.1.101 tcp dpt:80
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.1.20 udp dpt:5060
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.1.20 udp dpts:16384:16403
0 0 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain norfc1918 (2 references)
pkts bytes target prot opt in out source destination
0 0 rfc1918 all -- * * 172.16.0.0/12 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 172.16.0.0/12
0 0 rfc1918 all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 192.168.0.0/16
0 0 rfc1918 all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 rfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 ctorigdst 10.0.0.0/8

Chain ppp0_fwd (1 references)
pkts bytes target prot opt in out source destination
1628 80620 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
1628 80620 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
1628 80620 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
28308 14M net2loc all -- * br0 0.0.0.0/0 0.0.0.0/0

Chain ppp0_in (1 references)
pkts bytes target prot opt in out source destination
18 7988 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
18 7988 blacklst all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
18 7988 norfc1918 all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
224 102K net2fw all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject (10 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 DROP all -- * * 10.0.1.255 0.0.0.0/0
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
6 288 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
139 21354 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain rfc1918 (6 references)
pkts bytes target prot opt in out source destination
0 0 ULOG all -- * * 0.0.0.0/0 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `Shorewall:rfc1918:DROP:' queue_threshold 1
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain shorewall (0 references)
pkts bytes target prot opt in out source destination

Chain smurfs (0 references)
pkts bytes target prot opt in out source destination
0 0 ULOG all -- * * 10.0.1.255 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:' queue_threshold 1
0 0 DROP all -- * * 10.0.1.255 0.0.0.0/0
0 0 ULOG all -- * * 255.255.255.255 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:' queue_threshold 1
0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0
0 0 ULOG all -- * * 224.0.0.0/4 0.0.0.0/0 ULOG copy_range 0 nlgroup 1 prefix `Shorewall:smurfs:DROP:' queue_threshold 1
0 0 DROP all -- * * 224.0.0.0/4 0.0.0.0/0
+ _________________________
+ iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 121K packets, 12M bytes)
pkts bytes target prot opt in out source destination
1647 88656 net_dnat all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
1151 56516 loc_dnat all -- br0 * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 417K packets, 21M bytes)
pkts bytes target prot opt in out source destination
1143 55319 ppp0_masq all -- * ppp0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain loc_dnat (1 references)
pkts bytes target prot opt in out source destination
7 360 REDIRECT tcp -- * * 0.0.0.0/0 !10.0.2.0/24 tcp dpt:80 redir ports 3128

Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662 to:10.0.1.20
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4672 to:10.0.1.20
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4762 to:10.0.1.20
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4772 to:10.0.1.20
1022 50736 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4862 to:10.0.1.20
607 29932 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4872 to:10.0.1.20
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:888 to:10.0.1.1:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:222 to:10.0.1.1:22
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6889 to:10.0.1.20
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8888 to:10.0.1.101:80
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 to:10.0.1.20
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:16384:16403 to:10.0.1.20

Chain ppp0_masq (1 references)
pkts bytes target prot opt in out source destination
1099 52546 MASQUERADE all -- * * 10.0.1.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * * 169.254.0.0/16 0.0.0.0/0
+ _________________________
+ iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 12M packets, 4246M bytes)
pkts bytes target prot opt in out source destination
54045 21M pretos all -- * * 0.0.0.0/0 0.0.0.0/0
54039 21M tcpre all -- * * 0.0.0.0/0 0.0.0.0/0

Chain INPUT (policy ACCEPT 1434K packets, 257M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 10M packets, 3986M bytes)
pkts bytes target prot opt in out source destination
53504 21M tcfor all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2278K packets, 3000M bytes)
pkts bytes target prot opt in out source destination
607 177K outtos all -- * * 0.0.0.0/0 0.0.0.0/0
606 176K tcout all -- * * 0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 12M packets, 6983M bytes)
pkts bytes target prot opt in out source destination
53991 21M tcpost all -- * * 0.0.0.0/0 0.0.0.0/0

Chain outtos (1 references)
pkts bytes target prot opt in out source destination
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
132 66104 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
pkts bytes target prot opt in out source destination
135 10044 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08
0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08

Chain tcfor (1 references)
pkts bytes target prot opt in out source destination

Chain tcout (1 references)
pkts bytes target prot opt in out source destination

Chain tcpost (1 references)
pkts bytes target prot opt in out source destination

Chain tcpre (1 references)
pkts bytes target prot opt in out source destination
+ _________________________ proc/modules
+ test -f /proc/modules
+ cat /proc/modules
xfrm4_tunnel 2884 0 - Live 0xe0a85000
lt_serial 25712 1 - Live 0xe0d6d000
lt_modem 567728 3 lt_serial, Live 0xe0df1000
dvb_bt8xx 7236 5 - Live 0xe0ad6000
dvb_core 74736 6 dvb_bt8xx, Live 0xe0b17000
mt352 4996 1 dvb_bt8xx, Live 0xe0ad3000
sp887x 7428 1 dvb_bt8xx, Live 0xe0ab1000
dst 12040 1 dvb_bt8xx, Live 0xe0acf000
bt878 8696 2 dvb_bt8xx,dst, Live 0xe0aa9000
bttv 145488 2 dvb_bt8xx,bt878, Live 0xe0af2000
video_buf 16964 1 bttv, Live 0xe0a9f000
firmware_class 7616 3 dvb_bt8xx,sp887x,bttv, Live 0xe0a7c000
i2c_algo_bit 8328 1 bttv, Live 0xe0a78000
v4l2_common 4864 1 bttv, Live 0xe0a64000
btcx_risc 3720 1 bttv, Live 0xe0a48000
i2c_core 19216 6 dvb_bt8xx,mt352,sp887x,dst,bttv,i2c_algo_bit, Live 0xe0a7f000
videodev 7232 1 bttv, Live 0xe0a61000
v4l1_compat 12932 0 - Live 0xe0a73000
nfsd 100616 9 - Live 0xe0ab5000
exportfs 4928 1 nfsd, Live 0xe0a45000
lockd 64168 2 nfsd, Live 0xe0a87000
deflate 2688 0 - Live 0xe0a43000
zlib_deflate 21080 1 deflate, Live 0xe0a5a000
twofish 37120 0 - Live 0xe0a68000
serpent 13248 0 - Live 0xe0a55000
aes_i586 38452 0 - Live 0xe0a4a000
blowfish 8000 0 - Live 0xe0a40000
des 11264 0 - Live 0xe09f8000
sha256 8960 0 - Live 0xe0a38000
sha1 8512 0 - Live 0xe0a34000
md5 3648 0 - Live 0xe0974000
crypto_null 1984 0 - Live 0xe0981000
ipcomp 6472 0 - Live 0xe0a26000
esp4 6720 0 - Live 0xe0a23000
ah4 5312 0 - Live 0xe0a20000
af_key 27024 0 - Live 0xe0a2c000
ipt_LOG 6272 3 - Live 0xe0a29000
ipt_TOS 1984 12 - Live 0xe0a1e000
ipt_MASQUERADE 2880 2 - Live 0xe0a1c000
ipt_REDIRECT 1728 1 - Live 0xe0a08000
ipt_REJECT 5632 4 - Live 0xe0a10000
ipt_ULOG 6244 4 - Live 0xe0a0d000
ipt_TCPMSS 3520 1 - Live 0xe09fc000
ipt_state 1472 18 - Live 0xe0a06000
ipt_pkttype 1344 4 - Live 0xe0a04000
ipt_physdev 1808 0 - Live 0xe0a02000
ipt_multiport 1664 1 - Live 0xe0a00000
ipt_conntrack 1984 3 - Live 0xe09fe000
iptable_mangle 2176 1 - Live 0xe0996000
ip_nat_irc 3504 0 - Live 0xe0994000
ip_nat_tftp 2992 0 - Live 0xe097f000
ip_nat_ftp 4144 0 - Live 0xe0991000
iptable_nat 21960 6 ipt_MASQUERADE,ipt_REDIRECT,ip_nat_irc,ip_nat_tftp,ip_nat_ftp, Live 0xe09e0000
ip_conntrack_irc 70512 1 ip_nat_irc, Live 0xe09cd000
ip_conntrack_tftp 3056 0 - Live 0xe0908000
ip_conntrack_ftp 71408 1 ip_nat_ftp, Live 0xe09ba000
ip_conntrack 39732 10 ipt_MASQUERADE,ipt_state,ipt_conntrack,ip_nat_irc,ip_nat_tftp,ip_nat_ftp,iptable_nat,ip_conntrack_irc,ip_conntrack_tftp,ip_conntrack_ftp, Live 0xe0983000
iptable_filter 2176 1 - Live 0xe08f0000
ip_tables 16000 15 ipt_LOG,ipt_TOS,ipt_MASQUERADE,ipt_REDIRECT,ipt_REJECT,ipt_ULOG,ipt_TCPMSS,ipt_state,ipt_pkttype,ipt_physdev,ipt_multiport,ipt_conntrack,iptable_mangle,iptable_nat,iptable_filter, Live 0xe08fd000
sunrpc 132388 13 nfsd,lockd, Live 0xe0998000
ppp_synctty 7936 0 - Live 0xe0971000
ppp_async 9024 1 - Live 0xe095c000
crc_ccitt 1664 1 ppp_async, Live 0xe08f2000
ppp_generic 21524 6 ppp_synctty,ppp_async, Live 0xe0918000
slhc 7232 1 ppp_generic, Live 0xe08fa000
8139too 20032 0 - Live 0xe0902000
ath_pci 50912 0 - Live 0xe090a000
ath_rate_onoe 6728 1 ath_pci, Live 0xe0820000
wlan 103964 3 ath_pci,ath_rate_onoe, Live 0xe0941000
ath_hal 131344 2 ath_pci, Live 0xe091f000
via_rhine 18308 0 - Live 0xe08f4000
mii 3904 2 8139too,via_rhine, Live 0xe084f000
crc32 3840 3 dvb_core,8139too,via_rhine, Live 0xe0823000
usblp 10816 0 - Live 0xe083a000
uhci_hcd 29712 0 - Live 0xe0844000
ehci_hcd 26052 0 - Live 0xe0832000
usbcore 102296 4 usblp,uhci_hcd,ehci_hcd, Live 0xe0851000
thermal 10568 0 - Live 0xe0804000
sata_via 4484 6 - Live 0xe081a000
libata 38916 1 sata_via, Live 0xe0827000
+ _________________________ proc/meminfo
+ cat /proc/meminfo
MemTotal: 515788 kB
MemFree: 2908 kB
Buffers: 15932 kB
Cached: 317296 kB
SwapCached: 868 kB
Active: 310204 kB
Inactive: 176300 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 515788 kB
LowFree: 2908 kB
SwapTotal: 1052216 kB
SwapFree: 1049736 kB
Dirty: 680 kB
Writeback: 0 kB
Mapped: 180520 kB
Slab: 14996 kB
CommitLimit: 1310108 kB
Committed_AS: 504508 kB
CommitAvail: 805600 kB
PageTables: 1896 kB
VmallocTotal: 516056 kB
VmallocUsed: 7984 kB
VmallocChunk: 507528 kB
+ _________________________ proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.6.10-rc1/build/.config
++ uname -r
+ cat /lib/modules/2.6.10-rc1/build/.config
+ egrep 'CONFIG_NETLINK|CONFIG_IPSEC|CONFIG_NET_KEY|CONFIG_INET|CONFIG_IP'
# CONFIG_NETLINK_DEV is not set
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_TUNNEL=m
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
# CONFIG_IP_NF_MATCH_IPRANGE is not set
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_PHYSDEV=m
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
# CONFIG_IP_NF_MATCH_REALM is not set
# CONFIG_IP_NF_MATCH_SCTP is not set
# CONFIG_IP_NF_MATCH_COMMENT is not set
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
# CONFIG_IP_NF_TARGET_NETMAP is not set
# CONFIG_IP_NF_TARGET_SAME is not set
# CONFIG_IP_NF_NAT_LOCAL is not set
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
# CONFIG_IP_NF_TARGET_CLASSIFY is not set
# CONFIG_IP_NF_RAW is not set
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_COMPAT_IPFWADM=m
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IPMI_HANDLER is not set
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
nameserver 203.0.178.191
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
total 528
drwxr-xr-x 4 root root 4096 Oct 28 17:58 2.6.5-1.358
-rw-r--r-- 1 root root 262144 Oct 29 22:36 ivtv-fw-enc.bin
-rw-r--r-- 1 root root 262144 Oct 29 22:36 ivtv-fw-dec.bin
drwxr-xr-x 7 root root 4096 Nov 28 17:34 2.6.10-rc1
+ _________________________ proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ egrep netif_rx /proc/kallsyms
c02cbbd0 T netif_rx
c02cbd70 T netif_rx_ni
c02cbbd0 U netif_rx [dvb_core]
c02cbbd0 U netif_rx [ppp_generic]
c02cbbd0 U netif_rx [ath_pci]
c02cbbd0 U netif_rx [wlan]
c02cbbd0 U netif_rx [via_rhine]
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
2.6.10-rc1:
2.6.5-1.358:
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '4422295,$p' /var/log/messages
+ egrep -i 'ipsec|klips|pluto'
+ cat
Nov 30 19:42:17 amber ipsec_setup: Starting Openswan IPsec U2.2.0/K2.6.10-rc1...
+ _________________________ plog
+ sed -n '538,$p' /var/log/secure
+ egrep -i pluto
+ cat
Nov 30 19:42:17 amber ipsec__plutorun: Starting Pluto subsystem...
Nov 30 19:42:17 amber pluto[11121]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Nov 30 19:42:17 amber pluto[11121]: including NAT-Traversal patch (Version 0.6c) [disabled]
Nov 30 19:42:17 amber pluto[11121]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 30 19:42:17 amber pluto[11121]: Using Linux 2.6 IPsec interface code
Nov 30 19:42:17 amber pluto[11121]: Changing to directory '/etc/ipsec.d/cacerts'
Nov 30 19:42:17 amber pluto[11121]: Could not change to directory '/etc/ipsec.d/aacerts'
Nov 30 19:42:17 amber pluto[11121]: Changing to directory '/etc/ipsec.d/ocspcerts'
Nov 30 19:42:17 amber pluto[11121]: Changing to directory '/etc/ipsec.d/crls'
Nov 30 19:42:17 amber pluto[11121]: Warning: empty directory
Nov 30 19:42:17 amber pluto[11121]: added connection description "Tir-Na-Nogth-IM"
Nov 30 19:42:17 amber pluto[11121]: listening for IKE messages
Nov 30 19:42:17 amber pluto[11121]: adding interface ppp0/ppp0 203.206.236.211
Nov 30 19:42:17 amber pluto[11121]: adding interface br0/br0 10.0.1.1
Nov 30 19:42:17 amber pluto[11121]: adding interface lo/lo 127.0.0.1
Nov 30 19:42:17 amber pluto[11121]: loading secrets from "/etc/ipsec.secrets"
+ _________________________ date
+ date
Tue Nov 30 19:50:43 EST 2004