Souci shorewall / iptables

Erreur shorewall, et iptables grand ouvert Cauldron, la prochaine version de Mageia

Trex78 Membre non connecté

Le 18/01/2014 à 12h00

Bonjour,

En enquêtant sur des messages msec dans /dead.letter, j'ai voulu vérifier mes règles iptables. Je tombe là dessus :

Code :


root@MEDMGA4 ~]# iptables --list-rules -v

-P INPUT ACCEPT -c 6904 8187288

-P FORWARD ACCEPT -c 0 0

-P OUTPUT ACCEPT -c 4457 328590

root@MEDMGA4 ~]#

Diable diable !!!
Je regarde alors /var/log/shorewall-init.log, et je tombe sur des messages très louches :

Code :


Jan 12 11:34:33 Processing /etc/shorewall/params ...

Jan 12 11:34:33 Processing /etc/shorewall/shorewall.conf...

Jan 12 11:34:33 Loading Modules...

Jan 12 11:34:34    ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system

Jan 12 11:49:02 Processing /etc/shorewall/params ...

Jan 12 11:49:02 Processing /etc/shorewall/shorewall.conf...

 ...

Jan 12 17:58:57 Processing /etc/shorewall/params ...

Jan 12 17:58:57 Processing /etc/shorewall/shorewall.conf...

Jan 12 17:58:57 Loading Modules...

Jan 12 17:58:58    ERROR: Cannot Create Mangle chain fooX2654

Jan 12 20:05:52 Processing /etc/shorewall/params ...

Jan 12 20:05:53 Processing /etc/shorewall/shorewall.conf...

Jan 12 20:05:53 Loading Modules...

Jan 12 20:05:55    ERROR: Log level INFO requires LOG Target in your kernel and iptables

Jan 13 11:07:51 Processing /etc/shorewall/params ...

Jan 13 11:07:51 Processing /etc/shorewall/shorewall.conf...

...

Jan 16 11:54:46 Processing /etc/shorewall/params ...

Jan 16 11:54:46 Processing /etc/shorewall/shorewall.conf...

Jan 16 11:54:46 Loading Modules...

Jan 16 11:54:50    ERROR: UNTRACKED state requires Raw Table in your kernel and iptables

Jan 16 18:23:25 Processing /etc/shorewall/params ...

Jan 16 18:23:25 Processing /etc/shorewall/shorewall.conf...

Jan 16 18:23:25 Loading Modules...

Jan 16 18:23:28    ERROR: Shorewall 4.5.20 requires Multi-port Match in your kernel and iptables

Jan 17  7:07:17 Processing /etc/shorewall/params ...

Jan 17  7:07:17 Processing /etc/shorewall/shorewall.conf...

Ces erreurs font que shorewall ne charge aucune règle iptables, manifestement.
Comme j'ai bien galéré, avec des arrêts à la sauvage, je me dis que c'est peut-être une conséquence.
Mais ce matin, démarrage tout ce qu'il y a de plus normal, et cependant :

Code :


Jan 18  9:43:07 Processing /etc/shorewall/params ...

Jan 18  9:43:07 Processing /etc/shorewall/shorewall.conf...

Jan 18  9:43:07 Loading Modules...

Jan 18 09:43:08    ERROR: Cannot Create Mangle chain fooX1329

C'est là que je fais mon iptables --list-rules -v du début.
Je relance shorewall, et cette fois, ça passe bien :

Code :


Jan 18 10:15:20 Processing /etc/shorewall/params ...

Jan 18 10:15:20 Processing /etc/shorewall/shorewall.conf...

Jan 18 10:15:20 Loading Modules...

Jan 18 10:15:22 Compiling /etc/shorewall/zones...

Jan 18 10:15:22 Compiling /etc/shorewall/interfaces...

Jan 18 10:15:22    Interface "net enp0s4 detect" Validated

Jan 18 10:15:22    Interface "net + detect" Validated

Jan 18 10:15:22 Determining Hosts in Zones...

Jan 18 10:15:22    net (ipv4)

Jan 18 10:15:22       +:0.0.0.0/0

Jan 18 10:15:22       enp0s4:0.0.0.0/0

Jan 18 10:15:22    fw (firewall)

Jan 18 10:15:22 Locating Action Files...

Jan 18 10:15:22 Compiling /etc/shorewall/policy...

Jan 18 10:15:22    Policy for fw to net is ACCEPT using chain fw2net

etc.

Code :


[root@MEDMGA4 ~]# iptables --list-rules -v

-P INPUT DROP -c 0 0

-P FORWARD DROP -c 0 0

-P OUTPUT DROP -c 0 0

-N +_fwd

-N +_in

-N Broadcast

-N Drop

-N Ifw

-N OKFbxMulti

-N OKPartageLocal

etc.

J'ai donc 5 erreurs qui reviennent aléatoirement au démarrage de shorewall, et qui l’empêchent de paramétrer correctement iptables :

Code :


ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system

ERROR: Cannot Create Mangle chain fooX2654

ERROR: Log level INFO requires LOG Target in your kernel and iptables

ERROR: UNTRACKED state requires Raw Table in your kernel and iptables

ERROR: Shorewall 4.5.20 requires Multi-port Match in your kernel and iptables

J'ai la fort désagréable sensation d'avoir vécu pas mal de temps sans firewall (comme je suis derrière une Freebox en NAT, je ne pense pas que cela soit trop grave, mais tout de même ... )
Ce matin, le système est à jour, je viens de vérifier. Dernières mises à jour hier 17/01 à 10h34.

Comment corriger ces diverses erreurs ?
Je croyais qu'en cas de souci, iptables démarrait avec DROP par défaut, mais il semble bien que ce soit ACCEPT. Est-il possible de changer cela ?

D'avance merci.

Visiteur

Le 21/01/2014 à 19h39

#167127

chez moi tout fonctionne bien

[root@powerlinux /]# /sbin/iptables --list-rules -v

Caché :

-P INPUT DROP -c 0 0

-P FORWARD DROP -c 0 0

-P OUTPUT DROP -c 0 0

-N Broadcast

-N Drop

-N Ifw

-N Invalid

-N NotSyn

-N Reject

-N blacklst

-N dynamic

-N eth0_fop

-N eth1_fop

-N fw2net

-N logdrop

-N logreject

-N net2fw

-N net2net

-N net_frwd

-N reject

-N sfilter

-N shorewall

-N wlan0_fop

-A INPUT -c 27977907 11475974600 -j Ifw

-A INPUT -i wlan0 -c 0 0 -j net2fw

-A INPUT -i eth1 -c 0 0 -j net2fw

-A INPUT -i eth0 -c 9537346 10289449337 -j net2fw

-A INPUT -i lo -c 18440562 1186525470 -j ACCEPT

-A INPUT -c 0 0 -j Reject

-A INPUT -c 0 0 -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6

-A INPUT -c 0 0 -g reject

-A FORWARD -i wlan0 -c 0 0 -j net_frwd

-A FORWARD -i eth1 -c 0 0 -j net_frwd

-A FORWARD -i eth0 -c 0 0 -j net_frwd

-A FORWARD -c 0 0 -j Reject

-A FORWARD -c 0 0 -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6

-A FORWARD -c 0 0 -g reject

-A OUTPUT -o wlan0 -c 0 0 -j fw2net

-A OUTPUT -o eth1 -c 0 0 -j fw2net

-A OUTPUT -o eth0 -c 6102383 573044545 -j fw2net

-A OUTPUT -o lo -c 18440562 1186525470 -j ACCEPT

-A OUTPUT -c 0 0 -j Reject

-A OUTPUT -c 0 0 -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6

-A OUTPUT -c 0 0 -g reject

-A Broadcast -m addrtype --dst-type BROADCAST -c 2047 491292 -j DROP

-A Broadcast -m addrtype --dst-type MULTICAST -c 2241 165785 -j DROP

-A Broadcast -m addrtype --dst-type ANYCAST -c 0 0 -j DROP

-A Broadcast -d 224.0.0.0/4 -c 0 0 -j DROP

-A Drop -c 7205 904790

-A Drop -p tcp -m tcp --dport 113 -m comment --comment Auth -c 0 0 -j reject

-A Drop -c 7205 904790 -j Broadcast

-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -c 0 0 -j ACCEPT

-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -c 1 56 -j ACCEPT

-A Drop -c 2916 247657 -j Invalid

-A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB -c 0 0 -j DROP

-A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -c 0 0 -j DROP

-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -c 0 0 -j DROP

-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -c 17 812 -j DROP

-A Drop -p udp -m udp --dport 1900 -m comment --comment UPnP -c 2 238 -j DROP

-A Drop -p tcp -c 1668 84001 -j NotSyn

-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -c 1 134 -j DROP

-A Ifw -m set --match-set ifw_wl src -c 0 0 -j RETURN

-A Ifw -m set --match-set ifw_bl src -c 0 0 -j DROP

-A Ifw -m conntrack --ctstate INVALID,NEW -m psd--psd-weight-threshold 10 --psd-delay-threshold 10000 --psd-lo-ports-weight 2 --psd-hi-ports-weight 1 -c 98 30143 -j IFWLOG--log-prefix "SCAN"

-A Ifw -p udp -m conntrack --ctstate NEW -m udp --dport 111 -c 0 0 -j IFWLOG--log-prefix "NEW"

-A Ifw -p udp -m conntrack --ctstate NEW -m udp --dport 2049 -c 0 0 -j IFWLOG--log-prefix "NEW"

-A Ifw -p udp -m conntrack --ctstate NEW -m udp --dport 4002 -c 0 0 -j IFWLOG--log-prefix "NEW"

-A Ifw -p udp -m conntrack --ctstate NEW -m udp --dport 4001 -c 0 0 -j IFWLOG--log-prefix "NEW"

-A Ifw -p udp -m conntrack --ctstate NEW -m udp --dport 4003 -c 0 0 -j IFWLOG--log-prefix "NEW"

-A Ifw -p udp -m conntrack --ctstate NEW -m udp --dport 4004 -c 0 0 -j IFWLOG--log-prefix "NEW"

-A Ifw -p udp -m conntrack --ctstate NEW -m multiport --dports 47850:47854 -c 13891 1372595 -j IFWLOG--log-prefix "NEW"

-A Ifw -p udp -m conntrack --ctstate NEW -m udp --dport 662 -c 0 0 -j IFWLOG--log-prefix "NEW"

-A Ifw -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -c 0 0 -j IFWLOG--log-prefix "NEW"

-A Ifw -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -c 6 340 -j IFWLOG--log-prefix "NEW"

-A Ifw -p tcp -m conntrack --ctstate NEW -m tcp --dport 111 -c 0 0 -j IFWLOG--log-prefix "NEW"

-A Ifw -p tcp -m conntrack --ctstate NEW -m tcp --dport 2049 -c 0 0 -j IFWLOG--log-prefix "NEW"

-A Ifw -p tcp -m conntrack --ctstate NEW -m tcp --dport 4002 -c 0 0 -j IFWLOG--log-prefix "NEW"

-A Ifw -p tcp -m conntrack --ctstate NEW -m tcp --dport 4001 -c 1 60 -j IFWLOG--log-prefix "NEW"

-A Ifw -p tcp -m conntrack --ctstate NEW -m tcp --dport 4003 -c 0 0 -j IFWLOG--log-prefix "NEW"

-A Ifw -p tcp -m conntrack --ctstate NEW -m tcp --dport 4004 -c 0 0 -j IFWLOG--log-prefix "NEW"

-A Ifw -p tcp -m conntrack --ctstate NEW -m multiport --dports 47850:47854 -c 11345 585688 -j IFWLOG--log-prefix "NEW"

-A Ifw -p tcp -m conntrack --ctstate NEW -m tcp --dport 662 -c 0 0 -j IFWLOG--log-prefix "NEW"

-A Invalid -m conntrack --ctstate INVALID -c 746 38653 -j DROP

-A NotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -c 306 19725 -j DROP

-A Reject -c 0 0

-A Reject -p tcp -m tcp --dport 113 -m comment --comment Auth -c 0 0 -j reject

-A Reject -c 0 0 -j Broadcast

-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -c 0 0 -j ACCEPT

-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -c 0 0 -j ACCEPT

-A Reject -c 0 0 -j Invalid

-A Reject -p udp -m multiport --dports 135,445 -m comment --comment SMB -c 0 0 -j reject

-A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -c 0 0 -j reject

-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -c 0 0 -j reject

-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -c 0 0 -j reject

-A Reject -p udp -m udp --dport 1900 -m comment --comment UPnP -c 0 0 -j DROP

-A Reject -p tcp -c 0 0 -j NotSyn

-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -c 0 0 -j DROP

-A blacklst -s 1.234.4.0/24 -c 0 0 -j DROP

-A blacklst -s 141.212.121.0/24 -c 7 280 -j DROP

-A blacklst -s 124.232.138.0/24 -c 0 0 -j DROP

-A blacklst -s 209.126.230.0/24 -c 10 451 -j DROP

-A blacklst -s 117.21.127.0/24 -c 1 48 -j DROP

-A blacklst -s 178.19.111.0/24 -c 0 0 -j DROP

-A blacklst -s 178.249.154.0/24 -c 0 0 -j DROP

-A blacklst -s 211.81.31.0/24 -c 0 0 -j DROP

-A blacklst -s 198.20.69.0/24 -c 4 307 -j DROP

-A blacklst -s 65.99.254.0/24 -c 0 0 -j DROP

-A blacklst -s 219.159.218.0/24 -c 0 0 -j DROP

-A blacklst -s 66.192.113.0/24 -c 0 0 -j DROP

-A blacklst -s 195.178.109.0/24 -c 0 0 -j DROP

-A blacklst -s 188.54.6.0/24 -c 0 0 -j DROP

-A blacklst -s 77.75.166.0/24 -c 0 0 -j DROP

-A blacklst -s 91.208.16.0/24 -c 0 0 -j DROP

-A blacklst -s 194.106.140.0/24 -c 0 0 -j DROP

-A blacklst -s 62.149.24.0/24 -c 1 40 -j DROP

-A blacklst -s 61.147.116.0/24 -c 18 720 -j DROP

-A blacklst -s 77.68.57.0/24 -c 0 0 -j DROP

-A blacklst -s 1.32.0.0/16 -c 0 0 -j DROP

-A blacklst -s 2.56.0.0/14 -c 0 0 -j DROP

-A blacklst -s 5.34.242.0/23 -c 0 0 -j DROP

-A blacklst -s 5.72.0.0/14 -c 0 0 -j DROP

-A blacklst -s 5.180.0.0/14 -c 0 0 -j DROP

-A blacklst -s 14.129.0.0/16 -c 0 0 -j DROP

-A blacklst -s 14.192.48.0/21 -c 0 0 -j DROP

-A blacklst -s 14.192.56.0/22 -c 0 0 -j DROP

-A blacklst -s 31.11.43.0/24 -c 0 0 -j DROP

-A blacklst -s 31.222.200.0/21 -c 0 0 -j DROP

-A blacklst -s 37.139.49.0/24 -c 0 0 -j DROP

-A blacklst -s 37.148.216.0/21 -c 0 0 -j DROP

-A blacklst -s 42.1.128.0/17 -c 0 0 -j DROP

-A blacklst -s 46.29.248.0/22 -c 0 0 -j DROP

-A blacklst -s 46.148.112.0/20 -c 0 0 -j DROP

-A blacklst -s 49.8.0.0/14 -c 0 0 -j DROP

-A blacklst -s 58.83.8.0/22 -c 0 0 -j DROP

-A blacklst -s 62.122.72.0/23 -c 0 0 -j DROP

-A blacklst -s 62.182.152.0/21 -c 0 0 -j DROP

-A blacklst -s 64.15.0.0/20 -c 0 0 -j DROP

-A blacklst -s 64.44.0.0/16 -c 0 0 -j DROP

-A blacklst -s 64.112.0.0/17 -c 0 0 -j DROP

-A blacklst -s 64.112.128.0/18 -c 0 0 -j DROP

-A blacklst -s 64.185.224.0/20 -c 0 0 -j DROP

-A blacklst -s 64.234.224.0/20 -c 0 0 -j DROP

-A blacklst -s 66.11.112.0/20 -c 0 0 -j DROP

-A blacklst -s 66.198.240.0/20 -c 0 0 -j DROP

-A blacklst -s 66.231.64.0/20 -c 0 0 -j DROP

-A blacklst -s 67.209.112.0/20 -c 0 0 -j DROP

-A blacklst -s 67.211.208.0/20 -c 0 0 -j DROP

-A blacklst -s 67.213.128.0/20 -c 0 0 -j DROP

-A blacklst -s 67.218.208.0/20 -c 0 0 -j DROP

-A blacklst -s 68.66.192.0/18 -c 0 0 -j DROP

-A blacklst -s 70.32.0.0/19 -c 0 0 -j DROP

-A blacklst -s 72.13.16.0/20 -c 0 0 -j DROP

-A blacklst -s 74.123.96.0/21 -c 0 0 -j DROP

-A blacklst -s 78.31.184.0/21 -c 0 0 -j DROP

-A blacklst -s 78.31.211.0/24 -c 0 0 -j DROP

-A blacklst -s 79.110.16.0/20 -c 0 0 -j DROP

-A blacklst -s 79.110.48.0/20 -c 0 0 -j DROP

-A blacklst -s 79.173.104.0/21 -c 0 0 -j DROP

-A blacklst -s 81.22.152.0/23 -c 0 0 -j DROP

-A blacklst -s 85.121.39.0/24 -c 0 0 -j DROP

-A blacklst -s 85.202.160.0/20 -c 0 0 -j DROP

-A blacklst -s 86.55.40.0/23 -c 0 0 -j DROP

-A blacklst -s 86.55.42.0/23 -c 0 0 -j DROP

-A blacklst -s 86.55.140.0/24 -c 0 0 -j DROP

-A blacklst -s 86.55.210.0/23 -c 0 0 -j DROP

-A blacklst -s 88.135.16.0/20 -c 0 0 -j DROP

-A blacklst -s 89.114.9.0/24 -c 0 0 -j DROP

-A blacklst -s 89.114.97.0/24 -c 0 0 -j DROP

-A blacklst -s 91.108.181.0/24 -c 0 0 -j DROP

-A blacklst -s 91.195.254.0/23 -c 0 0 -j DROP

-A blacklst -s 91.197.96.0/22 -c 0 0 -j DROP

-A blacklst -s 91.198.40.0/24 -c 0 0 -j DROP

-A blacklst -s 91.198.127.0/24 -c 0 0 -j DROP

-A blacklst -s 91.200.164.0/22 -c 0 0 -j DROP

-A blacklst -s 91.200.248.0/22 -c 0 0 -j DROP

-A blacklst -s 91.201.124.0/22 -c 0 0 -j DROP

-A blacklst -s 91.201.236.0/22 -c 0 0 -j DROP

-A blacklst -s 91.203.20.0/22 -c 0 0 -j DROP

-A blacklst -s 91.207.116.0/23 -c 0 0 -j DROP

-A blacklst -s 91.208.16.0/24 -c 0 0 -j DROP

-A blacklst -s 91.209.12.0/24 -c 0 0 -j DROP

-A blacklst -s 91.212.45.0/24 -c 0 0 -j DROP

-A blacklst -s 91.212.104.0/24 -c 0 0 -j DROP

-A blacklst -s 91.212.135.0/24 -c 0 0 -j DROP

-A blacklst -s 91.212.198.0/24 -c 0 0 -j DROP

-A blacklst -s 91.212.201.0/24 -c 0 0 -j DROP

-A blacklst -s 91.212.220.0/24 -c 0 0 -j DROP

-A blacklst -s 91.213.29.0/24 -c 0 0 -j DROP

-A blacklst -s 91.213.72.0/24 -c 0 0 -j DROP

-A blacklst -s 91.213.93.0/24 -c 0 0 -j DROP

-A blacklst -s 91.213.94.0/24 -c 0 0 -j DROP

-A blacklst -s 91.213.121.0/24 -c 0 0 -j DROP

-A blacklst -s 91.213.126.0/24 -c 0 0 -j DROP

-A blacklst -s 91.213.148.0/24 -c 0 0 -j DROP

-A blacklst -s 91.213.172.0/24 -c 0 0 -j DROP

-A blacklst -s 91.213.174.0/24 -c 0 0 -j DROP

-A blacklst -s 91.213.175.0/24 -c 0 0 -j DROP

-A blacklst -s 91.213.217.0/24 -c 0 0 -j DROP

-A blacklst -s 91.216.3.0/24 -c 0 0 -j DROP

-A blacklst -s 91.216.73.0/24 -c 0 0 -j DROP

-A blacklst -s 91.217.162.0/24 -c 0 0 -j DROP

-A blacklst -s 91.217.249.0/24 -c 0 0 -j DROP

-A blacklst -s 91.220.35.0/24 -c 0 0 -j DROP

-A blacklst -s 91.220.62.0/24 -c 0 0 -j DROP

-A blacklst -s 91.220.63.0/24 -c 0 0 -j DROP

-A blacklst -s 91.220.90.0/24 -c 0 0 -j DROP

-A blacklst -s 91.220.163.0/24 -c 1 40 -j DROP

-A blacklst -s 91.223.77.0/24 -c 0 0 -j DROP

-A blacklst -s 91.223.231.0/24 -c 0 0 -j DROP

-A blacklst -s 91.226.97.0/24 -c 0 0 -j DROP

-A blacklst -s 91.228.132.0/24 -c 0 0 -j DROP

-A blacklst -s 91.229.60.0/22 -c 0 0 -j DROP

-A blacklst -s 91.229.210.0/24 -c 0 0 -j DROP

-A blacklst -s 91.229.248.0/24 -c 0 0 -j DROP

-A blacklst -s 91.230.110.0/24 -c 0 0 -j DROP

-A blacklst -s 91.230.143.0/24 -c 0 0 -j DROP

-A blacklst -s 91.230.147.0/24 -c 0 0 -j DROP

-A blacklst -s 91.230.252.0/23 -c 0 0 -j DROP

-A blacklst -s 91.231.156.0/24 -c 0 0 -j DROP

-A blacklst -s 91.234.36.0/24 -c 0 0 -j DROP

-A blacklst -s 91.235.2.0/24 -c 0 0 -j DROP

-A blacklst -s 91.236.120.0/24 -c 0 0 -j DROP

-A blacklst -s 91.237.249.0/24 -c 0 0 -j DROP

-A blacklst -s 91.238.82.0/24 -c 0 0 -j DROP

-A blacklst -s 91.239.15.0/24 -c 0 0 -j DROP

-A blacklst -s 91.239.24.0/24 -c 0 0 -j DROP

-A blacklst -s 91.239.238.0/24 -c 0 0 -j DROP

-A blacklst -s 91.240.165.0/24 -c 0 0 -j DROP

-A blacklst -s 91.242.217.0/24 -c 0 0 -j DROP

-A blacklst -s 91.243.115.0/24 -c 0 0 -j DROP

-A blacklst -s 93.175.240.0/20 -c 0 0 -j DROP

-A blacklst -s 94.26.112.0/20 -c 0 0 -j DROP

-A blacklst -s 94.60.121.0/24 -c 0 0 -j DROP

-A blacklst -s 94.60.122.0/23 -c 0 0 -j DROP

-A blacklst -s 94.61.247.0/24 -c 0 0 -j DROP

-A blacklst -s 94.63.146.0/24 -c 0 0 -j DROP

-A blacklst -s 94.63.147.0/24 -c 0 0 -j DROP

-A blacklst -s 94.63.149.0/24 -c 0 0 -j DROP

-A blacklst -s 94.63.150.0/23 -c 0 0 -j DROP

-A blacklst -s 94.63.240.0/24 -c 0 0 -j DROP

-A blacklst -s 94.63.243.0/24 -c 0 0 -j DROP

-A blacklst -s 94.63.244.0/24 -c 0 0 -j DROP

-A blacklst -s 94.63.245.0/24 -c 0 0 -j DROP

-A blacklst -s 94.63.246.0/24 -c 0 0 -j DROP

-A blacklst -s 94.63.247.0/24 -c 0 0 -j DROP

-A blacklst -s 94.130.0.0/15 -c 0 0 -j DROP

-A blacklst -s 94.154.128.0/18 -c 0 0 -j DROP

-A blacklst -s 94.158.240.0/20 -c 0 0 -j DROP

-A blacklst -s 95.215.140.0/22 -c 0 0 -j DROP

-A blacklst -s 95.216.0.0/15 -c 0 0 -j DROP

-A blacklst -s 100.42.192.0/20 -c 0 0 -j DROP

-A blacklst -s 101.192.0.0/14 -c 0 0 -j DROP

-A blacklst -s 101.248.0.0/15 -c 0 0 -j DROP

-A blacklst -s 101.252.0.0/15 -c 0 0 -j DROP

-A blacklst -s 103.2.44.0/22 -c 0 0 -j DROP

-A blacklst -s 103.10.68.0/22 -c 0 0 -j DROP

-A blacklst -s 103.12.216.0/22 -c 0 0 -j DROP

-A blacklst -s 103.246.72.0/22 -c 0 0 -j DROP

-A blacklst -s 106.96.0.0/16 -c 0 0 -j DROP

-A blacklst -s 109.94.208.0/20 -c 0 0 -j DROP

-A blacklst -s 109.196.96.0/20 -c 0 0 -j DROP

-A blacklst -s 110.44.128.0/20 -c 0 0 -j DROP

-A blacklst -s 110.232.160.0/20 -c 0 0 -j DROP

-A blacklst -s 113.20.160.0/19 -c 0 0 -j DROP

-A blacklst -s 116.144.0.0/15 -c 0 0 -j DROP

-A blacklst -s 116.146.0.0/15 -c 0 0 -j DROP

-A blacklst -s 116.197.152.0/21 -c 0 0 -j DROP

-A blacklst -s 121.46.64.0/18 -c 0 0 -j DROP

-A blacklst -s 122.202.96.0/19 -c 0 0 -j DROP

-A blacklst -s 124.70.0.0/16 -c 0 0 -j DROP

-A blacklst -s 128.168.0.0/16 -c 0 0 -j DROP

-A blacklst -s 129.76.64.0/18 -c 0 0 -j DROP

-A blacklst -s 130.201.0.0/16 -c 0 0 -j DROP

-A blacklst -s 130.222.0.0/16 -c 0 0 -j DROP

-A blacklst -s 132.145.0.0/16 -c 0 0 -j DROP

-A blacklst -s 132.232.0.0/16 -c 0 0 -j DROP

-A blacklst -s 134.23.0.0/16 -c 0 0 -j DROP

-A blacklst -s 134.33.0.0/16 -c 0 0 -j DROP

-A blacklst -s 134.127.0.0/16 -c 0 0 -j DROP

-A blacklst -s 134.172.0.0/16 -c 0 0 -j DROP

-A blacklst -s 134.209.0.0/16 -c 0 0 -j DROP

-A blacklst -s 136.228.0.0/16 -c 0 0 -j DROP

-A blacklst -s 137.76.0.0/16 -c 0 0 -j DROP

-A blacklst -s 138.43.0.0/16 -c 0 0 -j DROP

-A blacklst -s 139.150.0.0/16 -c 0 0 -j DROP

-A blacklst -s 139.167.0.0/16 -c 0 0 -j DROP

-A blacklst -s 140.170.0.0/16 -c 0 0 -j DROP

-A blacklst -s 141.136.16.0/24 -c 0 0 -j DROP

-A blacklst -s 141.136.17.0/24 -c 0 0 -j DROP

-A blacklst -s 141.136.22.0/24 -c 0 0 -j DROP

-A blacklst -s 141.136.27.0/24 -c 0 0 -j DROP

-A blacklst -s 143.49.0.0/16 -c 0 0 -j DROP

-A blacklst -s 143.64.0.0/16 -c 0 0 -j DROP

-A blacklst -s 143.135.0.0/16 -c 0 0 -j DROP

-A blacklst -s 147.50.0.0/16 -c 0 0 -j DROP

-A blacklst -s 148.105.0.0/16 -c 0 0 -j DROP

-A blacklst -s 148.178.0.0/16 -c 0 0 -j DROP

-A blacklst -s 148.248.0.0/16 -c 0 0 -j DROP

-A blacklst -s 149.118.0.0/16 -c 0 0 -j DROP

-A blacklst -s 149.143.64.0/18 -c 0 0 -j DROP

-A blacklst -s 150.126.0.0/16 -c 0 0 -j DROP

-A blacklst -s 150.141.0.0/16 -c 0 0 -j DROP

-A blacklst -s 151.123.0.0/16 -c 0 0 -j DROP

-A blacklst -s 151.192.0.0/16 -c 0 0 -j DROP

-A blacklst -s 151.237.184.0/22 -c 0 0 -j DROP

-A blacklst -s 152.147.0.0/16 -c 0 0 -j DROP

-A blacklst -s 154.10.0.0/16 -c 0 0 -j DROP

-A blacklst -s 155.190.0.0/16 -c 0 0 -j DROP

-A blacklst -s 157.186.0.0/16 -c 0 0 -j DROP

-A blacklst -s 157.226.0.0/16 -c 0 0 -j DROP

-A blacklst -s 157.231.0.0/16 -c 0 0 -j DROP

-A blacklst -s 157.232.0.0/16 -c 0 0 -j DROP

-A blacklst -s 159.135.0.0/16 -c 0 0 -j DROP

-A blacklst -s 159.141.0.0/16 -c 0 0 -j DROP

-A blacklst -s 159.223.0.0/16 -c 0 0 -j DROP

-A blacklst -s 161.232.0.0/16 -c 0 0 -j DROP

-A blacklst -s 162.125.0.0/16 -c 0 0 -j DROP

-A blacklst -s 162.211.236.0/22 -c 0 0 -j DROP

-A blacklst -s 162.217.4.0/22 -c 0 0 -j DROP

-A blacklst -s 163.182.0.0/16 -c 0 0 -j DROP

-A blacklst -s 163.253.0.0/16 -c 0 0 -j DROP

-A blacklst -s 165.192.0.0/16 -c 0 0 -j DROP

-A blacklst -s 165.209.0.0/16 -c 0 0 -j DROP

-A blacklst -s 165.225.0.0/17 -c 0 0 -j DROP

-A blacklst -s 165.225.192.0/18 -c 0 0 -j DROP

-A blacklst -s 167.28.0.0/16 -c 0 0 -j DROP

-A blacklst -s 167.74.0.0/18 -c 0 0 -j DROP

-A blacklst -s 167.97.0.0/16 -c 0 0 -j DROP

-A blacklst -s 167.224.0.0/19 -c 0 0 -j DROP

-A blacklst -s 170.67.0.0/16 -c 0 0 -j DROP

-A blacklst -s 170.113.0.0/16 -c 0 0 -j DROP

-A blacklst -s 170.120.0.0/16 -c 0 0 -j DROP

-A blacklst -s 173.205.0.0/21 -c 0 0 -j DROP

-A blacklst -s 173.205.8.0/21 -c 0 0 -j DROP

-A blacklst -s 173.205.16.0/21 -c 0 0 -j DROP

-A blacklst -s 173.205.24.0/21 -c 0 0 -j DROP

-A blacklst -s 173.205.32.0/21 -c 0 0 -j DROP

-A blacklst -s 173.205.40.0/21 -c 0 0 -j DROP

-A blacklst -s 173.205.48.0/21 -c 0 0 -j DROP

-A blacklst -s 173.249.160.0/19 -c 0 0 -j DROP

-A blacklst -s 174.136.192.0/18 -c 0 0 -j DROP

-A blacklst -s 176.47.0.0/16 -c 0 0 -j DROP

-A blacklst -s 176.61.136.0/22 -c 0 0 -j DROP

-A blacklst -s 176.110.101.0/24 -c 0 0 -j DROP

-A blacklst -s 177.21.64.0/20 -c 0 0 -j DROP

-A blacklst -s 177.36.16.0/20 -c 0 0 -j DROP

-A blacklst -s 178.159.176.0/20 -c 0 0 -j DROP

-A blacklst -s 185.11.140.0/24 -c 0 0 -j DROP

-A blacklst -s 185.11.143.0/24 -c 0 0 -j DROP

-A blacklst -s 185.24.108.0/22 -c 0 0 -j DROP

-A blacklst -s 186.190.224.0/21 -c 0 0 -j DROP

-A blacklst -s 188.247.135.0/24 -c 0 0 -j DROP

-A blacklst -s 188.247.230.0/24 -c 0 0 -j DROP

-A blacklst -s 192.26.25.0/24 -c 0 0 -j DROP

-A blacklst -s 192.31.212.0/23 -c 0 0 -j DROP

-A blacklst -s 192.43.153.0/24 -c 0 0 -j DROP

-A blacklst -s 192.43.154.0/23 -c 0 0 -j DROP

-A blacklst -s 192.43.156.0/22 -c 0 0 -j DROP

-A blacklst -s 192.43.160.0/24 -c 0 0 -j DROP

-A blacklst -s 192.43.175.0/24 -c 0 0 -j DROP

-A blacklst -s 192.43.176.0/21 -c 0 0 -j DROP

-A blacklst -s 192.43.184.0/24 -c 0 0 -j DROP

-A blacklst -s 192.54.39.0/24 -c 0 0 -j DROP

-A blacklst -s 192.54.73.0/24 -c 0 0 -j DROP

-A blacklst -s 192.67.16.0/24 -c 0 0 -j DROP

-A blacklst -s 192.67.160.0/22 -c 0 0 -j DROP

-A blacklst -s 192.86.85.0/24 -c 0 0 -j DROP

-A blacklst -s 192.101.200.0/21 -c 0 0 -j DROP

-A blacklst -s 192.101.240.0/21 -c 0 0 -j DROP

-A blacklst -s 192.101.248.0/23 -c 0 0 -j DROP

-A blacklst -s 192.112.112.0/20 -c 0 0 -j DROP

-A blacklst -s 192.160.44.0/24 -c 0 0 -j DROP

-A blacklst -s 192.171.64.0/19 -c 0 0 -j DROP

-A blacklst -s 192.197.87.0/24 -c 0 0 -j DROP

-A blacklst -s 192.219.120.0/21 -c 0 0 -j DROP

-A blacklst -s 192.219.128.0/18 -c 0 0 -j DROP

-A blacklst -s 192.219.192.0/20 -c 0 0 -j DROP

-A blacklst -s 192.219.208.0/21 -c 0 0 -j DROP

-A blacklst -s 192.229.32.0/19 -c 0 0 -j DROP

-A blacklst -s 193.0.129.0/24 -c 0 0 -j DROP

-A blacklst -s 193.0.146.0/23 -c 0 0 -j DROP

-A blacklst -s 193.16.213.0/24 -c 0 0 -j DROP

-A blacklst -s 193.23.126.0/24 -c 0 0 -j DROP

-A blacklst -s 193.26.64.0/19 -c 0 0 -j DROP

-A blacklst -s 193.43.134.0/24 -c 0 0 -j DROP

-A blacklst -s 193.46.211.0/24 -c 0 0 -j DROP

-A blacklst -s 193.104.12.0/24 -c 0 0 -j DROP

-A blacklst -s 193.104.34.0/24 -c 0 0 -j DROP

-A blacklst -s 193.104.41.0/24 -c 0 0 -j DROP

-A blacklst -s 193.104.94.0/24 -c 0 0 -j DROP

-A blacklst -s 193.104.110.0/24 -c 0 0 -j DROP

-A blacklst -s 193.104.176.0/24 -c 0 0 -j DROP

-A blacklst -s 193.105.141.0/24 -c 0 0 -j DROP

-A blacklst -s 193.105.154.0/24 -c 0 0 -j DROP

-A blacklst -s 193.105.184.0/24 -c 0 0 -j DROP

-A blacklst -s 193.105.207.0/24 -c 0 0 -j DROP

-A blacklst -s 193.105.245.0/24 -c 0 0 -j DROP

-A blacklst -s 193.106.32.0/22 -c 0 0 -j DROP

-A blacklst -s 193.107.16.0/22 -c 0 0 -j DROP

-A blacklst -s 193.108.178.0/24 -c 0 0 -j DROP

-A blacklst -s 193.110.136.0/24 -c 0 0 -j DROP

-A blacklst -s 193.111.235.0/24 -c 0 0 -j DROP

-A blacklst -s 193.148.47.0/24 -c 0 0 -j DROP

-A blacklst -s 193.150.168.0/24 -c 0 0 -j DROP

-A blacklst -s 193.164.10.0/24 -c 0 0 -j DROP

-A blacklst -s 193.164.11.0/24 -c 0 0 -j DROP

-A blacklst -s 193.178.120.0/22 -c 0 0 -j DROP

-A blacklst -s 193.200.0.0/24 -c 0 0 -j DROP

-A blacklst -s 193.200.167.0/24 -c 0 0 -j DROP

-A blacklst -s 193.227.240.0/23 -c 0 0 -j DROP

-A blacklst -s 193.228.145.0/24 -c 0 0 -j DROP

-A blacklst -s 193.243.166.0/24 -c 0 0 -j DROP

-A blacklst -s 194.0.177.0/24 -c 0 0 -j DROP

-A blacklst -s 194.1.152.0/24 -c 0 0 -j DROP

-A blacklst -s 194.1.184.0/24 -c 0 0 -j DROP

-A blacklst -s 194.1.220.0/23 -c 0 0 -j DROP

-A blacklst -s 194.29.185.0/24 -c 0 0 -j DROP

-A blacklst -s 194.50.116.0/24 -c 0 0 -j DROP

-A blacklst -s 194.54.156.0/22 -c 0 0 -j DROP

-A blacklst -s 194.60.242.0/24 -c 0 0 -j DROP

-A blacklst -s 194.63.144.0/22 -c 0 0 -j DROP

-A blacklst -s 194.110.160.0/22 -c 0 0 -j DROP

-A blacklst -s 194.126.251.0/24 -c 0 0 -j DROP

-A blacklst -s 194.140.237.0/24 -c 0 0 -j DROP

-A blacklst -s 194.242.2.0/23 -c 0 0 -j DROP

-A blacklst -s 195.2.212.0/23 -c 0 0 -j DROP

-A blacklst -s 195.3.144.0/22 -c 0 0 -j DROP

-A blacklst -s 195.5.161.0/24 -c 0 0 -j DROP

-A blacklst -s 195.28.10.0/23 -c 0 0 -j DROP

-A blacklst -s 195.68.222.0/23 -c 0 0 -j DROP

-A blacklst -s 195.78.108.0/23 -c 0 0 -j DROP

-A blacklst -s 195.85.204.0/24 -c 0 0 -j DROP

-A blacklst -s 195.88.190.0/23 -c 0 0 -j DROP

-A blacklst -s 195.88.226.0/23 -c 0 0 -j DROP

-A blacklst -s 195.93.184.0/23 -c 0 0 -j DROP

-A blacklst -s 195.93.208.0/23 -c 0 0 -j DROP

-A blacklst -s 195.95.155.0/24 -c 0 0 -j DROP

-A blacklst -s 195.114.8.0/23 -c 0 0 -j DROP

-A blacklst -s 195.149.88.0/24 -c 0 0 -j DROP

-A blacklst -s 195.149.90.0/24 -c 0 0 -j DROP

-A blacklst -s 195.162.6.0/23 -c 0 0 -j DROP

-A blacklst -s 195.182.57.0/24 -c 0 0 -j DROP

-A blacklst -s 195.184.86.0/23 -c 0 0 -j DROP

-A blacklst -s 195.190.157.0/24 -c 0 0 -j DROP

-A blacklst -s 195.191.56.0/23 -c 0 0 -j DROP

-A blacklst -s 195.191.102.0/23 -c 0 0 -j DROP

-A blacklst -s 195.225.176.0/22 -c 0 0 -j DROP

-A blacklst -s 195.226.197.0/24 -c 0 0 -j DROP

-A blacklst -s 195.226.220.0/24 -c 0 0 -j DROP

-A blacklst -s 195.234.76.0/22 -c 0 0 -j DROP

-A blacklst -s 195.246.200.0/24 -c 0 0 -j DROP

-A blacklst -s 196.63.0.0/16 -c 0 0 -j DROP

-A blacklst -s 196.193.0.0/16 -c 0 0 -j DROP

-A blacklst -s 198.13.0.0/20 -c 0 0 -j DROP

-A blacklst -s 198.14.128.0/19 -c 0 0 -j DROP

-A blacklst -s 198.14.160.0/19 -c 0 0 -j DROP

-A blacklst -s 198.20.16.0/20 -c 0 0 -j DROP

-A blacklst -s 198.23.32.0/20 -c 0 0 -j DROP

-A blacklst -s 198.45.32.0/20 -c 0 0 -j DROP

-A blacklst -s 198.45.64.0/19 -c 0 0 -j DROP

-A blacklst -s 198.48.16.0/20 -c 0 0 -j DROP

-A blacklst -s 198.56.64.0/18 -c 0 0 -j DROP

-A blacklst -s 198.57.64.0/20 -c 0 0 -j DROP

-A blacklst -s 198.96.224.0/20 -c 0 0 -j DROP

-A blacklst -s 198.151.64.0/18 -c 0 0 -j DROP

-A blacklst -s 198.151.152.0/22 -c 0 0 -j DROP

-A blacklst -s 198.162.208.0/20 -c 0 0 -j DROP

-A blacklst -s 198.167.255.0/24 -c 0 0 -j DROP

-A blacklst -s 198.176.48.0/21 -c 0 0 -j DROP

-A blacklst -s 198.178.64.0/19 -c 0 0 -j DROP

-A blacklst -s 198.181.32.0/20 -c 0 0 -j DROP

-A blacklst -s 198.181.64.0/19 -c 0 0 -j DROP

-A blacklst -s 198.183.32.0/19 -c 0 0 -j DROP

-A blacklst -s 198.184.64.0/18 -c 0 0 -j DROP

-A blacklst -s 198.186.25.0/24 -c 0 0 -j DROP

-A blacklst -s 198.187.64.0/18 -c 0 0 -j DROP

-A blacklst -s 198.204.0.0/21 -c 0 0 -j DROP

-A blacklst -s 198.205.64.0/19 -c 0 0 -j DROP

-A blacklst -s 199.5.152.0/23 -c 0 0 -j DROP

-A blacklst -s 199.9.24.0/21 -c 0 0 -j DROP

-A blacklst -s 199.26.96.0/19 -c 0 0 -j DROP

-A blacklst -s 199.33.145.0/24 -c 0 0 -j DROP

-A blacklst -s 199.34.128.0/18 -c 0 0 -j DROP

-A blacklst -s 199.46.32.0/19 -c 0 0 -j DROP

-A blacklst -s 199.58.248.0/21 -c 0 0 -j DROP

-A blacklst -s 199.60.102.0/24 -c 0 0 -j DROP

-A blacklst -s 199.71.192.0/20 -c 0 0 -j DROP

-A blacklst -s 199.84.64.0/19 -c 0 0 -j DROP

-A blacklst -s 199.84.96.0/19 -c 0 0 -j DROP

-A blacklst -s 199.87.208.0/21 -c 0 0 -j DROP

-A blacklst -s 199.88.32.0/20 -c 0 0 -j DROP

-A blacklst -s 199.88.48.0/22 -c 0 0 -j DROP

-A blacklst -s 199.89.16.0/20 -c 0 0 -j DROP

-A blacklst -s 199.120.163.0/24 -c 0 0 -j DROP

-A blacklst -s 199.165.32.0/19 -c 0 0 -j DROP

-A blacklst -s 199.166.200.0/22 -c 0 0 -j DROP

-A blacklst -s 199.185.192.0/20 -c 0 0 -j DROP

-A blacklst -s 199.196.192.0/19 -c 0 0 -j DROP

-A blacklst -s 199.198.160.0/20 -c 0 0 -j DROP

-A blacklst -s 199.198.176.0/21 -c 0 0 -j DROP

-A blacklst -s 199.198.184.0/23 -c 0 0 -j DROP

-A blacklst -s 199.198.188.0/22 -c 0 0 -j DROP

-A blacklst -s 199.200.64.0/19 -c 0 0 -j DROP

-A blacklst -s 199.212.96.0/20 -c 0 0 -j DROP

-A blacklst -s 199.223.0.0/20 -c 0 0 -j DROP

-A blacklst -s 199.230.64.0/19 -c 0 0 -j DROP

-A blacklst -s 199.230.96.0/21 -c 0 0 -j DROP

-A blacklst -s 199.245.138.0/24 -c 0 0 -j DROP

-A blacklst -s 199.246.137.0/24 -c 0 0 -j DROP

-A blacklst -s 199.246.213.0/24 -c 0 0 -j DROP

-A blacklst -s 199.246.215.0/24 -c 0 0 -j DROP

-A blacklst -s 199.248.64.0/18 -c 0 0 -j DROP

-A blacklst -s 199.249.64.0/19 -c 0 0 -j DROP

-A blacklst -s 199.253.224.0/20 -c 0 0 -j DROP

-A blacklst -s 199.254.32.0/20 -c 0 0 -j DROP

-A blacklst -s 200.3.115.0/24 -c 0 0 -j DROP

-A blacklst -s 200.3.128.0/20 -c 0 0 -j DROP

-A blacklst -s 200.22.0.0/16 -c 0 0 -j DROP

-A blacklst -s 200.105.32.0/20 -c 0 0 -j DROP

-A blacklst -s 202.61.108.0/24 -c 0 0 -j DROP

-A blacklst -s 202.68.0.0/18 -c 0 0 -j DROP

-A blacklst -s 203.31.88.0/23 -c 0 0 -j DROP

-A blacklst -s 203.34.70.0/23 -c 0 0 -j DROP

-A blacklst -s 203.34.71.0/24 -c 0 0 -j DROP

-A blacklst -s 204.44.32.0/20 -c 0 0 -j DROP

-A blacklst -s 204.44.192.0/20 -c 0 0 -j DROP

-A blacklst -s 204.44.224.0/20 -c 0 0 -j DROP

-A blacklst -s 204.52.255.0/24 -c 0 0 -j DROP

-A blacklst -s 204.57.16.0/20 -c 0 0 -j DROP

-A blacklst -s 204.86.16.0/20 -c 0 0 -j DROP

-A blacklst -s 204.89.224.0/24 -c 0 0 -j DROP

-A blacklst -s 204.106.128.0/18 -c 0 0 -j DROP

-A blacklst -s 204.106.192.0/19 -c 0 0 -j DROP

-A blacklst -s 204.107.208.0/24 -c 0 0 -j DROP

-A blacklst -s 204.126.244.0/23 -c 0 0 -j DROP

-A blacklst -s 204.130.167.0/24 -c 0 0 -j DROP

-A blacklst -s 204.147.240.0/20 -c 0 0 -j DROP

-A blacklst -s 204.152.224.0/21 -c 0 0 -j DROP

-A blacklst -s 204.155.128.0/20 -c 0 0 -j DROP

-A blacklst -s 204.187.155.0/24 -c 0 0 -j DROP

-A blacklst -s 204.187.156.0/22 -c 0 0 -j DROP

-A blacklst -s 204.187.160.0/19 -c 0 0 -j DROP

-A blacklst -s 204.187.192.0/19 -c 0 0 -j DROP

-A blacklst -s 204.187.224.0/20 -c 0 0 -j DROP

-A blacklst -s 204.187.240.0/21 -c 0 0 -j DROP

-A blacklst -s 204.187.248.0/22 -c 0 0 -j DROP

-A blacklst -s 204.187.252.0/23 -c 0 0 -j DROP

-A blacklst -s 204.187.254.0/24 -c 0 0 -j DROP

-A blacklst -s 204.194.184.0/21 -c 0 0 -j DROP

-A blacklst -s 204.225.159.0/24 -c 0 0 -j DROP

-A blacklst -s 204.225.210.0/24 -c 0 0 -j DROP

-A blacklst -s 204.236.0.0/19 -c 0 0 -j DROP

-A blacklst -s 204.237.136.0/21 -c 0 0 -j DROP

-A blacklst -s 204.237.168.0/21 -c 0 0 -j DROP

-A blacklst -s 204.237.232.0/21 -c 0 0 -j DROP

-A blacklst -s 204.237.240.0/21 -c 0 0 -j DROP

-A blacklst -s 205.137.0.0/20 -c 0 0 -j DROP

-A blacklst -s 205.142.104.0/22 -c 0 0 -j DROP

-A blacklst -s 205.144.0.0/20 -c 0 0 -j DROP

-A blacklst -s 205.144.176.0/20 -c 0 0 -j DROP

-A blacklst -s 205.151.128.0/19 -c 0 0 -j DROP

-A blacklst -s 205.159.180.0/24 -c 0 0 -j DROP

-A blacklst -s 205.172.244.0/22 -c 0 0 -j DROP

-A blacklst -s 205.175.160.0/19 -c 0 0 -j DROP

-A blacklst -s 205.186.208.0/20 -c 0 0 -j DROP

-A blacklst -s 205.189.71.0/24 -c 0 0 -j DROP

-A blacklst -s 205.189.72.0/23 -c 0 0 -j DROP

-A blacklst -s 205.203.0.0/19 -c 0 0 -j DROP

-A blacklst -s 205.203.224.0/19 -c 0 0 -j DROP

-A blacklst -s 205.214.128.0/19 -c 0 0 -j DROP

-A blacklst -s 205.233.224.0/20 -c 0 0 -j DROP

-A blacklst -s 205.236.189.0/24 -c 0 0 -j DROP

-A blacklst -s 206.81.0.0/19 -c 0 0 -j DROP

-A blacklst -s 206.123.128.0/19 -c 0 0 -j DROP

-A blacklst -s 206.127.192.0/19 -c 0 0 -j DROP

-A blacklst -s 206.195.224.0/19 -c 0 0 -j DROP

-A blacklst -s 206.197.28.0/24 -c 0 0 -j DROP

-A blacklst -s 206.197.29.0/24 -c 0 0 -j DROP

-A blacklst -s 206.201.48.0/20 -c 0 0 -j DROP

-A blacklst -s 206.203.64.0/18 -c 0 0 -j DROP

-A blacklst -s 206.209.80.0/20 -c 0 0 -j DROP

-A blacklst -s 206.224.160.0/19 -c 0 0 -j DROP

-A blacklst -s 206.226.0.0/19 -c 0 0 -j DROP

-A blacklst -s 206.226.32.0/19 -c 0 0 -j DROP

-A blacklst -s 206.227.64.0/18 -c 0 0 -j DROP

-A blacklst -s 206.246.64.0/18 -c 0 0 -j DROP

-A blacklst -s 207.22.192.0/18 -c 0 0 -j DROP

-A blacklst -s 207.32.128.0/19 -c 0 0 -j DROP

-A blacklst -s 207.45.224.0/20 -c 0 0 -j DROP

-A blacklst -s 207.110.64.0/19 -c 0 0 -j DROP

-A blacklst -s 207.110.96.0/19 -c 0 0 -j DROP

-A blacklst -s 207.110.128.0/18 -c 0 0 -j DROP

-A blacklst -s 207.183.192.0/19 -c 0 0 -j DROP

-A blacklst -s 207.189.0.0/19 -c 0 0 -j DROP

-A blacklst -s 207.199.128.0/18 -c 0 0 -j DROP

-A blacklst -s 207.226.192.0/20 -c 0 0 -j DROP

-A blacklst -s 207.230.96.0/19 -c 0 0 -j DROP

-A blacklst -s 207.231.96.0/19 -c 0 0 -j DROP

-A blacklst -s 207.234.0.0/17 -c 0 0 -j DROP

-A blacklst -s 207.254.128.0/21 -c 0 0 -j DROP

-A blacklst -s 208.70.168.0/21 -c 0 0 -j DROP

-A blacklst -s 208.81.136.0/21 -c 0 0 -j DROP

-A blacklst -s 208.90.0.0/21 -c 0 0 -j DROP

-A blacklst -s 208.93.96.0/21 -c 0 0 -j DROP

-A blacklst -s 208.117.80.0/20 -c 0 0 -j DROP

-A blacklst -s 209.51.32.0/20 -c 0 0 -j DROP

-A blacklst -s 209.66.128.0/19 -c 0 0 -j DROP

-A blacklst -s 209.95.192.0/19 -c 0 0 -j DROP

-A blacklst -s 209.145.0.0/19 -c 0 0 -j DROP

-A blacklst -s 209.147.64.0/19 -c 0 0 -j DROP

-A blacklst -s 209.182.64.0/19 -c 0 0 -j DROP

-A blacklst -s 209.198.176.0/20 -c 0 0 -j DROP

-A blacklst -s 213.109.96.0/22 -c 0 0 -j DROP

-A blacklst -s 213.109.208.0/20 -c 0 0 -j DROP

-A blacklst -s 216.30.144.0/20 -c 0 0 -j DROP

-A blacklst -s 216.155.0.0/18 -c 0 0 -j DROP

-A blacklst -s 216.162.112.0/20 -c 0 0 -j DROP

-A blacklst -s 216.212.192.0/19 -c 0 0 -j DROP

-A blacklst -s 222.224.0.0/16 -c 0 0 -j DROP

-A blacklst -s 223.168.0.0/16 -c 0 0 -j DROP

-A blacklst -s 223.169.0.0/16 -c 0 0 -j DROP

-A blacklst -s 223.170.0.0/16 -c 0 0 -j DROP

-A blacklst -s 223.171.0.0/16 -c 0 0 -j DROP

-A blacklst -s 223.172.0.0/16 -c 0 0 -j DROP

-A blacklst -s 223.173.0.0/16 -c 0 0 -j DROP

-A eth0_fop -o eth0 -c 0 0 -g sfilter

-A eth0_fop -m conntrack --ctstate INVALID,NEW,UNTRACKED -c 0 0 -j dynamic

-A eth1_fop -o eth1 -c 0 0 -g sfilter

-A eth1_fop -m conntrack --ctstate INVALID,NEW,UNTRACKED -c 0 0 -j dynamic

-A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -c 6016560 567161877 -j ACCEPT

-A fw2net -c 85823 5882668 -j ACCEPT

-A logdrop -c 0 0 -j DROP

-A logreject -c 0 0 -j reject

-A net2fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -c 32464 2863186 -j blacklst

-A net2fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -c 32422 2861300 -j dynamic

-A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -c 9504882 10286586151 -j ACCEPT

-A net2fw -p udp -m multiport --dports 111,2049,4002,4001,4003,4004,47850:47854,662 -c 13890 1372502 -j ACCEPT

-A net2fw -p tcp -m multiport --dports 20,21,111,2049,4002,4001,4003,4004,47850:47854,662 -c 11327 584008 -j ACCEPT

-A net2fw -c 7205 904790 -j Drop

-A net2fw -c 1844 188095 -j LOG --log-prefix "Shorewall:net2fw

ROP:" --log-level 6

-A net2fw -c 1844 188095 -j DROP

-A net2net -i wlan0 -c 0 0 -j wlan0_fop

-A net2net -i eth1 -c 0 0 -j eth1_fop

-A net2net -i eth0 -c 0 0 -j eth0_fop

-A net2net -m conntrack --ctstate RELATED,ESTABLISHED -c 0 0 -j ACCEPT

-A net2net -c 0 0 -j ACCEPT

-A net_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -c 0 0 -j blacklst

-A net_frwd -o wlan0 -c 0 0 -j net2net

-A net_frwd -o eth1 -c 0 0 -j net2net

-A net_frwd -o eth0 -c 0 0 -j net2net

-A reject -m addrtype --src-type BROADCAST -c 0 0 -j DROP

-A reject -s 224.0.0.0/4 -c 0 0 -j DROP

-A reject -p igmp -c 0 0 -j DROP

-A reject -p tcp -c 0 0 -j REJECT --reject-with tcp-reset

-A reject -p udp -c 0 0 -j REJECT --reject-with icmp-port-unreachable

-A reject -p icmp -c 0 0 -j REJECT --reject-with icmp-host-unreachable

-A reject -c 0 0 -j REJECT --reject-with icmp-host-prohibited

-A sfilter -c 0 0 -j LOG --log-prefix "Shorewall:sfilter

ROP:" --log-level 6

-A sfilter -c 0 0 -j DROP

-A wlan0_fop -o wlan0 -c 0 0 -g sfilter

-A wlan0_fop -m conntrack --ctstate INVALID,NEW,UNTRACKED -c 0 0 -j dynamic

Code BASH :

shorewall check

ca te renvoie quoi?

Trex78 Membre non connecté

Le 22/01/2014 à 08h50

#167156

Bonjour,

Ca semble s'être rétabli depuis quelques jours. En fait, depuis que shorewall6 ne tente plus de démarrer. Je suppose que c'est à la suite d'une des mises à jour du système, mais comme j'avais envisagé de le désactiver moi-même, je ne ne peux pas garantir à 100% que je ne l'ai pas fait ...
Je pense que les deux (shorewall et shorewall6), démarrant ensemble, devaient se marcher quelque peu sur les pieds.

@MadTuX : shorewall check passe normalement, et se termine bien par "Shorewall configuration verified", sans aucun message d'erreur. :
[hide[root@MEDMGA4 ~]# shorewall check
Checking...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
Checking /etc/shorewall/action.OKFbxMulti for chain OKFbxMulti...
Checking /etc/shorewall/action.OKPartageLocal for chain OKPartageLocal...
Checking /etc/shorewall/conntrack...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Checking /usr/share/shorewall/action.Drop for chain Drop...
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
Shorewall configuration verified
[root@MEDMGA4 ~]#][/hide]
@Troumad : j'utilise shorewall depuis ma Mandriva 2005 (enfin, c'est un bien grand mot : il est livré, donc je l'utilise ... ), je ne vois pas de raison de créer à la main mes règles iptables. Quand je repense au temps que j'ai mis à simplement paramétrer l'utilisation du multiposte de la Freebox, je n'ai pas envie de m'y coller en iptables.

Cependant, je trouve que shorewall ne se met pas en place très tôt : j'ai réussi une fois ou deux à me logger sous KDE, passer iptables --list-rules -v, avoir les ACCEPT, et quelques secondes plus tard, ça passe à DROP.
Il faut que je tente de bien comprendre le fonctionnement de systemd, et les messages dans la log, pour vérifier que le réseau n'est pas ouvert avant que les règles iptables ne soient bien en place.

Aujourd'hui, je suis en IP V4. Ai-je l'utilité d'un shorewall V6 ?
Et si demain, j'activais IP V6, devrai-je conserver shorewall V4 ?

Trex78 Membre non connecté

Le 25/01/2014 à 15h01

#167374

J'ai creusé un peu plus la question.

Pour bien cerner la chronologie des évènements, j'ai écrit un petit script qui envoie le résultat de "iptables --list-rules -v" et de "ifconfig enp0s4" dans un fichier (enp0s4 est le nom de mon interface ethernet) + un message sur la log.

Ce script est défini comme un service, qui est lancé après le service iptables.

Je peux ainsi constater que iptables démarre avec -P ACCEPT pour INPUT, FORWARD, et OUTPUT.

A ce moment là, l'interface ethernet n'est pas activée, donc ça va encore :

Caché :

1 20140125-124519 : iptables :

-P INPUT ACCEPT -c 0 0 -P FORWARD ACCEPT -c 0 0 -P OUTPUT ACCEPT -c 0 0

===

enp0s4 Link encap:Ethernet HWaddr 00:0C:76:68:F6:5B inet6 addr: fe80::20c:76ff:fe68:f65b/64 Scope:Link UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:3 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 b) TX bytes:258 (258.0 b)

Par contre, en examinant le journal, je trouve des choses inquiétantes :

Caché :

# journalctl -b -u shorewall -u iptablesTest -u iptables -u NetworkManager -u network

-- Logs begin at dim. 2014-01-12 10:48:22 CET, end at sam. 2014-01-25 13:01:04 CET. --

janv. 25 12:45:13 MEDMGA4.maison systemd[1]: Starting Network Manager...

janv. 25 12:45:13 MEDMGA4.maison systemd[1]: Starting iptables Firewall for IPv4...

janv. 25 12:45:13 MEDMGA4.maison NetworkManager[970]: <info> NetworkManager (version 0.9.8.8) is starting...

janv. 25 12:45:13 MEDMGA4.maison NetworkManager[970]: <info> Read config file /etc/NetworkManager/NetworkManager.conf

janv. 25 12:45:13 MEDMGA4.maison NetworkManager[970]: <info> WEXT support is enabled

janv. 25 12:45:14 MEDMGA4.maison NetworkManager[970]: ifcfg-rh: Acquired D-Bus service com.redhat.ifcfgrh1

janv. 25 12:45:14 MEDMGA4.maison NetworkManager[970]: <info> Loaded plugin ifcfg-rh: (c) 2007 - 2010 Red Hat, Inc. To report bugs please use the NetworkManager mailing list.

janv. 25 12:45:14 MEDMGA4.maison NetworkManager[970]: <info> Loaded plugin keyfile: (c) 2007 - 2010 Red Hat, Inc. To report bugs please use the NetworkManager mailing list.

janv. 25 12:45:14 MEDMGA4.maison NetworkManager[970]: ifcfg-rh: parsing /etc/sysconfig/network-scripts/ifcfg-lo ...

janv. 25 12:45:14 MEDMGA4.maison NetworkManager[970]: ifcfg-rh: parsing /etc/sysconfig/network-scripts/ifcfg-enp0s4 ...

janv. 25 12:45:14 MEDMGA4.maison NetworkManager[970]: <warn> failed to allocate link cache: (-10) Operation not supported

janv. 25 12:45:14 MEDMGA4.maison NetworkManager[970]: ifcfg-rh: read connection 'System enp0s4'

janv. 25 12:45:13 MEDMGA4.maison systemd[1]: Started iptables Firewall for IPv4.

janv. 25 12:45:15 MEDMGA4.maison systemd[1]: Started Network Manager.

janv. 25 12:45:15 MEDMGA4.maison systemd[1]: Starting LSB: Bring up/down networking...

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> monitoring kernel firmware directory '/lib/firmware'.

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> WiFi enabled by radio killswitch; enabled by state file

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> WWAN enabled by radio killswitch; enabled by state file

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> WiMAX enabled by radio killswitch; enabled by state file

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> Networking is enabled by state file

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <warn> failed to allocate link cache: (-10) Operation not supported

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): carrier is OFF

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): new Ethernet device (driver: 'sis900' ifindex: 2)

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): exported as /org/freedesktop/NetworkManager/Devices/0

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): device state change: unmanaged -> unavailable (reason 'managed') [10 20 2]

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): bringing up device.

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): carrier now ON (device state 20)

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): preparing device.

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): deactivating device (reason 'managed') [2]

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <warn> /sys/devices/virtual/net/lo: couldn't determine device driver; ignoring...

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <warn> /sys/devices/virtual/net/lo: couldn't determine device driver; ignoring...

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): device state change: unavailable -> disconnected (reason 'none') [20 30 0]

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <warn> Couldn't acquire object manager proxy: Error calling StartServiceByName for org.bluez: GDBus.Error:org.freedesktop.systemd1.LoadFailed: Unit dbus-org.bluez.service failed to load: No such file or directory.

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> Auto-activating connection 'System enp0s4'.

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) starting connection 'System enp0s4'

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): device state change: disconnected -> prepare (reason 'none') [30 40 0]

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> NetworkManager state is now CONNECTING

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 1 of 5 (Device Prepare) scheduled...

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 1 of 5 (Device Prepare) started...

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 2 of 5 (Device Configure) scheduled...

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 1 of 5 (Device Prepare) complete.

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> ModemManager available in the bus

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 2 of 5 (Device Configure) starting...

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): device state change: prepare -> config (reason 'none') [40 50 0]

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 2 of 5 (Device Configure) successful.

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 3 of 5 (IP Configure Start) scheduled.

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 2 of 5 (Device Configure) complete.

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 3 of 5 (IP Configure Start) started...

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): device state change: config -> ip-config (reason 'none') [50 70 0]

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Beginning DHCPv4 transaction (timeout in 45 seconds)

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> dhclient started with pid 1147

janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 3 of 5 (IP Configure Start) complete.

janv. 25 12:45:15 MEDMGA4.maison dhclient[1147]: Internet Systems Consortium DHCP Client 4.2.5-P1

janv. 25 12:45:15 MEDMGA4.maison dhclient[1147]: Copyright 2004-2013 Internet Systems Consortium.

janv. 25 12:45:15 MEDMGA4.maison dhclient[1147]: All rights reserved.

janv. 25 12:45:15 MEDMGA4.maison dhclient[1147]: For info, please visit https://www.isc.org/software/dhcp/

janv. 25 12:45:15 MEDMGA4.maison dhclient[1147]: janv. 25 12:45:15 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): DHCPv4 state changed nbi -> preinit

janv. 25 12:45:16 MEDMGA4.maison dhclient[1147]: Listening on LPF/enp0s4/00:0c:76:68:f6:5b

janv. 25 12:45:16 MEDMGA4.maison dhclient[1147]: Sending on LPF/enp0s4/00:0c:76:68:f6:5b

janv. 25 12:45:16 MEDMGA4.maison dhclient[1147]: Sending on Socket/fallback

janv. 25 12:45:16 MEDMGA4.maison dhclient[1147]: DHCPREQUEST on enp0s4 to 255.255.255.255 port 67

janv. 25 12:45:16 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): carrier now OFF (device state 70, deferring action for 4 seconds)

janv. 25 12:45:16 MEDMGA4.maison network[1071]: Démarrage de l'interface loopback : ./ifup: interface ifcfg-lo is controlled by NetworkManager; skipping.

janv. 25 12:45:16 MEDMGA4.maison network[1071]: [ OK ]

janv. 25 12:45:16 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): disconnecting for new activation request.

janv. 25 12:45:16 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): device state change: ip-config -> disconnected (reason 'none') [70 30 0]

janv. 25 12:45:16 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): deactivating device (reason 'none') [0]

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): canceled DHCP transaction, DHCP client pid 1147

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> NetworkManager state is now DISCONNECTED

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) starting connection 'System enp0s4'

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): device state change: disconnected -> prepare (reason 'none') [30 40 0]

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> NetworkManager state is now CONNECTING

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 1 of 5 (Device Prepare) scheduled...

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 1 of 5 (Device Prepare) started...

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 2 of 5 (Device Configure) scheduled...

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 1 of 5 (Device Prepare) complete.

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 2 of 5 (Device Configure) starting...

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): device state change: prepare -> config (reason 'none') [40 50 0]

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 2 of 5 (Device Configure) successful.

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 3 of 5 (IP Configure Start) scheduled.

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 2 of 5 (Device Configure) complete.

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 3 of 5 (IP Configure Start) started...

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): device state change: config -> ip-config (reason 'none') [50 70 0]

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Beginning DHCPv4 transaction (timeout in 45 seconds)

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> dhclient started with pid 1192

janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 3 of 5 (IP Configure Start) complete.

janv. 25 12:45:17 MEDMGA4.maison dhclient[1192]: Internet Systems Consortium DHCP Client 4.2.5-P1

janv. 25 12:45:17 MEDMGA4.maison dhclient[1192]: Copyright 2004-2013 Internet Systems Consortium.

janv. 25 12:45:17 MEDMGA4.maison dhclient[1192]: All rights reserved.

janv. 25 12:45:17 MEDMGA4.maison dhclient[1192]: For info, please visit https://www.isc.org/software/dhcp/

janv. 25 12:45:17 MEDMGA4.maison dhclient[1192]: janv. 25 12:45:17 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): DHCPv4 state changed nbi -> preinit

janv. 25 12:45:17 MEDMGA4.maison dhclient[1192]: Listening on LPF/enp0s4/00:0c:76:68:f6:5b

janv. 25 12:45:17 MEDMGA4.maison dhclient[1192]: Sending on LPF/enp0s4/00:0c:76:68:f6:5b

janv. 25 12:45:17 MEDMGA4.maison dhclient[1192]: Sending on Socket/fallback

janv. 25 12:45:17 MEDMGA4.maison dhclient[1192]: DHCPREQUEST on enp0s4 to 255.255.255.255 port 67

janv. 25 12:45:19 MEDMGA4.maison iptablesTest.sh[1013]: iptablesTest 20140125-124519

janv. 25 12:45:20 MEDMGA4.maison dhclient[1192]: DHCPREQUEST on enp0s4 to 255.255.255.255 port 67

janv. 25 12:45:20 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): device state change: ip-config -> unavailable (reason 'carrier-changed') [70 20 40]

janv. 25 12:45:20 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): deactivating device (reason 'carrier-changed') [40]

janv. 25 12:45:20 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): canceled DHCP transaction, DHCP client pid 1192

janv. 25 12:45:20 MEDMGA4.maison NetworkManager[970]: <info> NetworkManager state is now DISCONNECTED

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): carrier now ON (device state 20)

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): device state change: unavailable -> disconnected (reason 'carrier-changed') [20 30 40]

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> Auto-activating connection 'System enp0s4'.

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) starting connection 'System enp0s4'

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): device state change: disconnected -> prepare (reason 'none') [30 40 0]

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> NetworkManager state is now CONNECTING

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 1 of 5 (Device Prepare) scheduled...

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 1 of 5 (Device Prepare) started...

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 2 of 5 (Device Configure) scheduled...

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 1 of 5 (Device Prepare) complete.

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 2 of 5 (Device Configure) starting...

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): device state change: prepare -> config (reason 'none') [40 50 0]

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 2 of 5 (Device Configure) successful.

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 3 of 5 (IP Configure Start) scheduled.

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 2 of 5 (Device Configure) complete.

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 3 of 5 (IP Configure Start) started...

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): device state change: config -> ip-config (reason 'none') [50 70 0]

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Beginning DHCPv4 transaction (timeout in 45 seconds)

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> dhclient started with pid 1276

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 3 of 5 (IP Configure Start) complete.

janv. 25 12:45:21 MEDMGA4.maison dhclient[1276]: Internet Systems Consortium DHCP Client 4.2.5-P1

janv. 25 12:45:21 MEDMGA4.maison dhclient[1276]: Copyright 2004-2013 Internet Systems Consortium.

janv. 25 12:45:21 MEDMGA4.maison dhclient[1276]: All rights reserved.

janv. 25 12:45:21 MEDMGA4.maison dhclient[1276]: For info, please visit https://www.isc.org/software/dhcp/

janv. 25 12:45:21 MEDMGA4.maison dhclient[1276]: janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): DHCPv4 state changed nbi -> preinit

janv. 25 12:45:21 MEDMGA4.maison dhclient[1276]: Listening on LPF/enp0s4/00:0c:76:68:f6:5b

janv. 25 12:45:21 MEDMGA4.maison dhclient[1276]: Sending on LPF/enp0s4/00:0c:76:68:f6:5b

janv. 25 12:45:21 MEDMGA4.maison dhclient[1276]: Sending on Socket/fallback

janv. 25 12:45:21 MEDMGA4.maison dhclient[1276]: DHCPREQUEST on enp0s4 to 255.255.255.255 port 67

janv. 25 12:45:21 MEDMGA4.maison dhclient[1276]: DHCPACK from 192.168.0.254

janv. 25 12:45:21 MEDMGA4.maison dhclient[1276]: bound to 192.168.0.200 -- renewal in 363919 seconds.

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): DHCPv4 state changed preinit -> reboot

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> address 192.168.0.200

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> prefix 24 (255.255.255.0)

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> gateway 192.168.0.254

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> nameserver '212.27.40.241'

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> nameserver '212.27.40.240'

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 5 of 5 (IPv4 Configure Commit) scheduled...

janv. 25 12:45:21 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 5 of 5 (IPv4 Commit) started...

janv. 25 12:45:22 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): device state change: ip-config -> secondaries (reason 'none') [70 90 0]

janv. 25 12:45:22 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) Stage 5 of 5 (IPv4 Commit) complete.

janv. 25 12:45:22 MEDMGA4.maison NetworkManager[970]: <info> (enp0s4): device state change: secondaries -> activated (reason 'none') [90 100 0]

janv. 25 12:45:22 MEDMGA4.maison NetworkManager[970]: <info> NetworkManager state is now CONNECTED_GLOBAL

janv. 25 12:45:22 MEDMGA4.maison NetworkManager[970]: <info> Policy set 'System enp0s4' (enp0s4) as default for IPv4 routing and DNS.

janv. 25 12:45:22 MEDMGA4.maison NetworkManager[970]: <info> Writing DNS information to /sbin/resolvconf

janv. 25 12:45:22 MEDMGA4.maison NetworkManager[970]: <info> Activation (enp0s4) successful, device activated.

janv. 25 12:46:47 MEDMGA4.maison network[1071]: Activation de l'interface enp0s4 : Error: Timeout 90 sec expired.

janv. 25 12:46:47 MEDMGA4.maison network[1071]: [ÉCHEC ]

janv. 25 12:46:47 MEDMGA4.maison systemd[1]: network.service: control process exited, code=exited status=1

janv. 25 12:46:47 MEDMGA4.maison systemd[1]: Failed to start LSB: Bring up/down networking.

janv. 25 12:46:47 MEDMGA4.maison systemd[1]: Unit network.service entered failed state.

janv. 25 12:46:47 MEDMGA4.maison systemd[1]: Starting Shorewall IPv4 firewall...

janv. 25 12:46:48 MEDMGA4.maison shorewall[2008]: Compiling...

janv. 25 12:46:49 MEDMGA4.maison shorewall[2008]: Processing /etc/shorewall/params ...

janv. 25 12:46:50 MEDMGA4.maison shorewall[2008]: Processing /etc/shorewall/shorewall.conf...

janv. 25 12:46:50 MEDMGA4.maison shorewall[2008]: Loading Modules...

janv. 25 12:46:52 MEDMGA4.maison shorewall[2008]: Compiling /etc/shorewall/zones...

janv. 25 12:46:52 MEDMGA4.maison shorewall[2008]: Compiling /etc/shorewall/interfaces...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Determining Hosts in Zones...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Locating Action Files...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Compiling /etc/shorewall/policy...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Running /etc/shorewall/initdone...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Compiling Kernel Route Filtering...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Compiling Martian Logging...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Compiling MAC Filtration -- Phase 1...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Compiling /etc/shorewall/rules...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Compiling /etc/shorewall/action.OKFbxMulti for chain OKFbxMulti...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Compiling /etc/shorewall/action.OKPartageLocal for chain OKPartageLocal...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Compiling /etc/shorewall/conntrack...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Compiling MAC Filtration -- Phase 2...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Applying Policies...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Compiling /usr/share/shorewall/action.Drop for chain Drop...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Generating Rule Matrix...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Compiling /usr/share/shorewall/action.Reject for chain Reject...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Creating iptables-restore input...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Shorewall configuration compiled to /var/lib/shorewall/.start

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Starting Shorewall....

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Initializing...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Processing /etc/shorewall/init ...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Processing /etc/shorewall/tcclear ...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Setting up Route Filtering...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Setting up Martian Logging...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Setting up Proxy ARP...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Preparing iptables-restore input...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Running /sbin/iptables-restore...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Processing /etc/shorewall/start ...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: Processing /etc/shorewall/started ...

janv. 25 12:46:53 MEDMGA4.maison shorewall[2008]: done.

janv. 25 12:46:53 MEDMGA4.maison systemd[1]: Started Shorewall IPv4 firewall.

Morceaux choisis :

12:45:13 MEDMGA4.maison systemd[1]: Starting iptables Firewall for IPv4...

12:45:13 MEDMGA4.maison systemd[1]: Started iptables Firewall for IPv4.

12:45:15 MEDMGA4.maison NetworkManager[970]: <info> NetworkManager state is now CONNECTING

12:45:19 MEDMGA4.maison iptablesTest.sh[1013]: iptablesTest 20140125-124519 <=== message de mon script ***

12:45:20 MEDMGA4.maison dhclient[1192]: DHCPREQUEST on enp0s4 to 255.255.255.255 port 67

12:45:21 MEDMGA4.maison dhclient[1276]: DHCPACK from 192.168.0.254

12:45:21 MEDMGA4.maison dhclient[1276]: bound to 192.168.0.200 -- renewal in 363919 seconds.

12:46:48 MEDMGA4.maison shorewall[2008]: Compiling...

12:46:53 MEDMGA4.maison systemd[1]: Started Shorewall IPv4 firewall.

Il s'écoule 1 minute 27 secondes entre l'activation de l'interface ethernet et le démarrage de shorewall !

Et pendant ce temps, iptables est grand ouvert, si j'en crois le résultat de mon script.

En y regardant de plus près, on voit que le service network se termine en échec, après un timeout sur l'activation de enp0s4, qui est pourtant bel et bien démarrée depuis 12:45:21 :

Caché :

12:45:21 MEDMGA4.maison dhclient[1276]: bound to 192.168.0.200 -- renewal in 363919 seconds.

...

12:46:47 MEDMGA4.maison network[1071]: Activation de l'interface enp0s4 : Error: Timeout 90 sec expired.

12:46:47 MEDMGA4.maison network[1071]: [ÉCHEC ]

12:46:47 MEDMGA4.maison systemd[1]: network.service: control process exited, code=exited status=1

12:46:47 MEDMGA4.maison systemd[1]: Failed to start LSB: Bring up/down networking.

12:46:47 MEDMGA4.maison systemd[1]: Unit network.service entered failed state.

En fait, network essaye plusieurs fois de démarrer enp0s4, il y parvient, mais une des tentatives reste certainement vivante jusqu’à son timeout.

Et comme shorewall est placé après network dans /usr/lib/systemd/system/shorewall.service, il attend la fin du timeout de 90 secondes pour démarrer :

Code :


[Unit]

Description=Shorewall IPv4 firewall

After=syslog.target

After=network.target

C'est très visible en examinant le résultat d'un systemd-analyze plot.

Question 1 : est-il normal que iptables démarre avec -P ACCEPT partout, je n'arrive pas à comprendre comment c'est censé fonctionner ?

Peut-être en mettant quelque chose dans /etc/sysconfig/iptables, qui me semble pouvoir contenir une config par défaut ?

Question 2 : y aurait-il un moyen d’empêcher network de bégayer au démarrage de enp0s4 (c'est peut-être ma carte ethernet qui est en cause, mais on peut peut-être faire quelque chose côté soft) ?

D'avance merci.

Répondre

Vous n'êtes pas autorisé à écrire dans cette catégorie

Notre Mission	Liens du site	Nous joindre	MLO est hébergé par
MLO est le forum francophone de la distribution Mageia et vous propose également un portail dédié aux débutants. MLO vous apporte un support sur la distribution grâce à son forum et vous offre des nouvelles de la distribution, des logiciels libres et de l'Open Source en général. Notre site a aussi pour but de vous montrer que Mageia est un système d'exploitation complet et facile à prendre en main. Vous apprendrez à installer simplement et à administrer efficacement votre système en un temps record.	Forum Documentation News du libre Mageia	Contacter MLO Mastodon MLO Flux RSS	MLO est un projet soutenu par Nos partenaires et amis
MLO est mis à disposition selon les termes de la licence Creative Commons.

Trex78 Membre non connecté

Troumad Membre non connecté

Visiteur

Dupo Membre non connecté

Trex78 Membre non connecté

Visiteur

Trex78 Membre non connecté

christian_fisch Membre non connecté

christian_fisch Membre non connecté

Trex78 Membre non connecté

Dupo Membre non connecté

Visiteur