I am happy to forward any further data if required, like firewall rules etc. I would appreciate it if someone could skim through my config and see if there are any glaring errors.
Problem:
Everything was working perfectly well, then suddenly the system stopped working (without any changes from the administrator; perhaps as a result of an auto update?).
All sessions through the firewall to the internet time out.
Sessions from or to the firewall (eg. proxy, ssh, mail, etc) all working fine.
Ping through the firewall works fine (because it's sessionless?).
Browsing through the server works 100% if using the proxy, but times out if going direct.
Environment:
Ubuntu 10.04 LTS server
Kernel Linux 2.6.32-37-generic-pae
Shorewall 4.4.6
iptables 1.4.4
pppoe v3.8
Webmin manager v1.570
Configuration
IPTABLE LIST
root@gateway2:~# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc2fw all -- anywhere anywhere
eth1_in all -- anywhere anywhere
ppp0_in all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `INPUT:REJECT:'
reject all -- anywhere anywhere [goto]
Chain FORWARD (policy DROP)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc_frwd all -- anywhere anywhere
eth1_fwd all -- anywhere anywhere
ppp0_fwd all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `FORWARD:REJECT:'
reject all -- anywhere anywhere [goto]
Chain OUTPUT (policy DROP)
target prot opt source destination
fw2loc all -- anywhere anywhere
fw2net all -- anywhere anywhere
fw2net all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `OUTPUT:REJECT:'
reject all -- anywhere anywhere [goto]
Chain Drop (2 references)
target prot opt source destination
all -- anywhere anywhere
reject tcp -- anywhere anywhere tcp dpt:auth /* Auth */
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
dropInvalid all -- anywhere anywhere
DROP udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpt:1900 /* UPnP */
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain Reject (4 references)
target prot opt source destination
all -- anywhere anywhere
reject tcp -- anywhere anywhere tcp dpt:auth /* Auth */
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
dropInvalid all -- anywhere anywhere
reject udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds /* SMB */
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
reject tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpt:1900 /* UPnP */
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */
Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP all -- anywhere base-address.mcast.net/4
Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
Chain dynamic (2 references)
target prot opt source destination
Chain eth1_fwd (1 references)
target prot opt source destination
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere
net_frwd all -- anywhere anywhere
Chain eth1_in (1 references)
target prot opt source destination
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere
net2fw all -- anywhere anywhere
Chain fw2loc (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `fw2loc:REJECT:'
reject all -- anywhere anywhere [goto]
Chain fw2net (2 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain loc2fw (1 references)
target prot opt source destination
smurfs all -- anywhere anywhere state INVALID,NEW
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain loc2net (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain loc_frwd (1 references)
target prot opt source destination
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
loc2net all -- anywhere anywhere
loc2net all -- anywhere anywhere
Chain log0 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level crit prefix `net2fw:ACCEPT:'
ACCEPT all -- anywhere anywhere
Chain log1 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere /* Permit incoming traffic on certain ports */ LOG level info prefix `net2fw:ACCEPT:'
ACCEPT all -- anywhere anywhere /* Permit incoming traffic on certain ports */
Chain logdrop (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain logflags (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info ip-options prefix `logflags:DROP:'
DROP all -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
reject all -- anywhere anywhere
Chain net2fw (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
log0 tcp -- 192.168.1.99 anywhere [goto] tcp dpt:ssh
DROP icmp -- anywhere anywhere icmp echo-request /* Ping */
log1 tcp -- anywhere anywhere [goto] tcp dpt:ssh /* Permit incoming traffic on certain ports */
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp /* Allow mail on SMTP, submission and IMAP */
ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp /* Allow mail on SMTP, submission and IMAP */
ACCEPT tcp -- anywhere anywhere tcp dpt:submission /* Allow mail on SMTP, submission and IMAP */
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2 /* Allow mail on SMTP, submission and IMAP */
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps /* Allow mail on SMTP, submission and IMAP */
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `net2fw:DROP:'
DROP all -- anywhere anywhere
Chain net2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `net2loc:DROP:'
DROP all -- anywhere anywhere
Chain net_frwd (2 references)
target prot opt source destination
net2loc all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain ppp0_fwd (1 references)
target prot opt source destination
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere
net_frwd all -- anywhere anywhere
Chain ppp0_in (1 references)
target prot opt source destination
smurfs all -- anywhere anywhere state INVALID,NEW
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
tcpflags tcp -- anywhere anywhere
net2fw all -- anywhere anywhere
Chain reject (11 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
DROP all -- base-address.mcast.net/4 anywhere
DROP igmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain shorewall (0 references)
target prot opt source destination
Chain smurfs (6 references)
target prot opt source destination
RETURN all -- default anywhere
LOG all -- anywhere anywhere ADDRTYPE match src-type BROADCAST LOG level info prefix `smurfs:DROP:'
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
LOG all -- base-address.mcast.net/4 anywhere LOG level info prefix `smurfs:DROP:'
DROP all -- base-address.mcast.net/4 anywhere
Chain tcpflags (6 references)
target prot opt source destination
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
sudo iptables -Z, try to connect to the server, then post (pastebin) the output of iptables -L -v -n
– Panther Apr 03 '12 at 22:16
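A helper for the check Panther describes, added here as an example and not code from the post: after `iptables -Z` and one failed connection attempt, it parses the `iptables -L -v -n` output, follows every jump out of FORWARD that counted packets, and lists each counted rule and chain policy so the verdict that ends the forwarded traffic is visible without reading the whole listing. The sample output is constructed; its chain names mirror the listing above.

```python
# Constructed sample of `iptables -L -v -n`, zeroed with `iptables -Z` and then
# captured after one failed browsing attempt (sample is not from the post).
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   360 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
    6   360 loc_frwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ppp0_fwd   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain loc_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   360 smurfs     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID,NEW
    6   360 tcpflags   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    6   360 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

def parse(text):
    """Map chain name -> {"policy": (verdict, pkts) or None, "rules": [(pkts, target, rest)]}."""
    chains, cur = {}, None
    for line in text.splitlines():
        tok = line.split()
        if line.startswith("Chain "):      # e.g. "Chain FORWARD (policy DROP 0 packets, 0 bytes)"
            pol = (tok[3], tok[4]) if tok[2] == "(policy" else None
            cur = chains.setdefault(tok[1], {"policy": pol, "rules": []})
        elif cur and len(tok) >= 8 and tok[0][0].isdigit():     # a rule line, not the header
            i = 3 if tok[3].lstrip("!") not in ("--", "f") else 2  # 2: counter-only rule, no target
            cur["rules"].append((tok[0], tok[2] if i == 3 else None, " ".join(tok[i:])))
    return chains

def hot_path(chains, root="FORWARD"):
    """Follow every jump that saw packets from `root`; return (chain, target, pkts, rest) per hit."""
    hits, todo, seen = [], [root], set()
    while todo:
        name = todo.pop(0)
        if name in seen or name not in chains:
            continue
        seen.add(name)
        for pkts, target, rest in chains[name]["rules"]:
            if pkts != "0":
                hits.append((name, target, pkts, rest))
                if target in chains:       # user-defined chain: descend into it
                    todo.append(target)
        pol = chains[name]["policy"]
        if pol and pol[1] != "0":          # packets fell through to the chain policy
            hits.append((name, "policy " + pol[0], pol[1], ""))
    return hits

if __name__ == "__main__":
    for chain, target, pkts, rest in hot_path(parse(SAMPLE)):
        print(f"{chain:10} {pkts:>6} -> {target}  {rest}")
```

If the walk ends in ACCEPT with nothing counted on a DROP, REJECT, LOG or policy line, as in the sample, the filter table is not what is dropping the sessions; note that the listing above comes from `iptables --list`, which shows only the filter table, so `iptables -t nat -L -v -n` is the next thing to capture.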