nuke
Resolved
Hi.

My ClearOS 7 gateway has been running well for some years except for the occasional device that won't properly connect to the internet on the WIFI segment. I think I have set up the IP addresses incorrectly. There are also occasional difficulties connecting between the network segments.

The server is in gateway mode. I have two segments, one wired LAN and one WIFI.

I have avoided the 192.168.{0|1}.0 segment advice and not used it as per advice from Nick.

My network segments are 192.168.101.0-192.168.101.254 (segment 1 - wired/ethernet) and 192.168.102.0-192.168.102.254 (segment 2 - WIFI). I can't remember why I set this up originally. Appears I'm getting forgetful. :D

Today while googling to try to solve a problem with a new WIFI access point that can't find the NTP server, I found an IP calculator that suggests that I probably should have used 192.168.100.0-192.168.100.254 (segment 1) and 192.168.101.0-192.168.101.254 (segment 2). I think this would have been 192.168.100.0/23 with 255.255.254.0.

Or perhaps I've set up the network interface for the ethernet incorrectly? network card 192.168.101.10/255.255.255.0 and 192.168.102.10/255.255.255.0.

Can you suggest a resource where I can read about how I should have set this up properly? Looks like I need something basic as I'm stumped. My googling isn't finding a similar example and I think that is because I don't know what I should be searching for.

Thanks.
Wednesday, December 16 2020, 02:56 AM

Accepted Answer
Nick Howitt

Tuesday, December 29 2020, 09:13 AM - #Permalink
First off, note that from the command line you use the command "iptables", all lower case. In the custom firewall module you use "$IPTABLES" (all caps with a preceding $) which internally gets translated to "iptables -w" for IPv4 rules. Try always to test from the command line first. If there are no errors, then alter it accordingly and add it to the custom firewall.

You are not trying to add a route, just a firewall rule. The route already exists. The rule you are trying to add says "pretend that anything coming from the wired LAN segment and going to the WAP is really coming from the ClearOS WiFi segment IP". Also I made a mess of my rule and have edited it. I think you want:
$IPTABLES -I POSTROUTING -t nat -d 192.168.100.2 -s 192.168.101.0/24 -j SNAT --to-source your_ClearOS_WiFi_segment_LAN_IP
I don't know what your_ClearOS_WiFi_segment_LAN_IP is as 192.168.101.10 is on your wired segment. You need the equivalent for the WiFi NIC (192.168.100.10?).
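The subnet question in the opening post and the SNAT rule in the accepted answer, worked through in code. This is an added example, not code from the thread or from ClearOS; it uses only the Python standard library's ipaddress module. The wired LAN 192.168.101.0/24, the WiFi LAN 192.168.100.0/24 and the access point at 192.168.100.2 come from the thread; the gateway's WiFi-side address 192.168.100.10 (the answer only guesses at it) and the interface names "wired" and "wifi" are assumptions.

```python
"""Subnet sanity checks and SNAT rule derivation for a two-LAN gateway.

Added example for this thread, not ClearOS code.  Addresses come from the
thread except the gateway's WiFi-side address 192.168.100.10 and the
interface names, which are assumptions.
"""
from ipaddress import IPv4Interface, ip_address, ip_interface, ip_network
from typing import Dict, List, Tuple

# Assumed gateway addressing: one /24 per NIC, gateway at .10 on each.
GATEWAY_IFACES = {"wired": "192.168.101.10/24", "wifi": "192.168.100.10/24"}


def find_problems(interfaces: Dict[str, str]) -> List[str]:
    """Report addressing errors in a {name: 'address/prefix'} mapping.

    Flags an address that is the network or broadcast address of its own
    subnet, and any two interfaces whose subnets overlap.  With overlapping
    subnets the kernel cannot pick a unique egress interface, which is what
    putting both NICs into one /23 would cause.
    """
    parsed = {name: ip_interface(addr) for name, addr in interfaces.items()}
    problems = []
    for name, iface in parsed.items():
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is the network/broadcast address of {net}")
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].network.overlaps(parsed[b].network):
                problems.append(f"{a} ({parsed[a].network}) overlaps {b} ({parsed[b].network})")
    return problems


def lan_for(host: str, interfaces: Dict[str, str]) -> Tuple[str, IPv4Interface]:
    """Return (name, gateway interface) of the LAN whose subnet contains host."""
    ip = ip_address(host)
    for name, addr in interfaces.items():
        iface = ip_interface(addr)
        if ip in iface.network:
            return name, iface
    raise ValueError(f"{host} is not on any configured LAN")


def snat_rule(wap_ip: str, src_net: str, interfaces: Dict[str, str],
              custom_firewall: bool = False) -> str:
    """Build the nat/POSTROUTING SNAT rule from the accepted answer.

    Packets from src_net to the access point leave the gateway with the
    gateway's own address on the access point's segment as their source,
    so the access point sees them as local traffic.  The --to-source
    address is looked up from the interface table instead of being typed
    by hand (the thread's first attempt used the wired-side address).
    custom_firewall=True emits the ClearOS custom-firewall spelling
    ($IPTABLES) instead of the command-line one.
    """
    _, gw = lan_for(wap_ip, interfaces)
    src = ip_network(src_net, strict=True)  # rejects a host address such as .5/24
    if src.overlaps(gw.network):
        raise ValueError(f"{src} already shares {gw.network} with the WAP; no SNAT needed")
    prog = "$IPTABLES" if custom_firewall else "iptables"
    return (f"{prog} -I POSTROUTING -t nat -d {ip_address(wap_ip)} -s {src} "
            f"-j SNAT --to-source {gw.ip}")


if __name__ == "__main__":
    print("two /24s:", find_problems(GATEWAY_IFACES))
    print("one /23 on both NICs:",
          find_problems({"wired": "192.168.101.10/23", "wifi": "192.168.100.10/23"}))
    print(snat_rule("192.168.100.2", "192.168.101.0/24", GATEWAY_IFACES))
    print(snat_rule("192.168.100.2", "192.168.101.0/24", GATEWAY_IFACES, custom_firewall=True))
```

Two separate /24s are the right shape for two NICs; the /23 suggested by the IP calculator would put both NICs into the same subnet, which find_problems() reports as an overlap. The generated rule lives in the nat table, so it does not appear in a plain "iptables -nvL" (that lists only the filter table); check it with "iptables -t nat -nvL POSTROUTING". In the custom firewall, $IPTABLES expands to "iptables -w" as the answer says.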
Responses (14)
  • Nick Howitt

    Tuesday, December 29 2020, 04:26 PM - #Permalink
    nuke wrote:
    Now I have to figure out the Custom Firewall addition. I suspect this has to be added to /etc/clearos/firewall.d/custom? Or can it be added to the GUI?
    Use the Custom Firewall app and its webconfig (with $IPTABLES and not iptables).
  • nuke

    Tuesday, December 29 2020, 04:13 PM - #Permalink
    Thanks so much Nick.

    I used the iptables command on the CLI and it worked. I can ping and access the WAP from the wired network. Thank you!

    I have added the command to the Custom Firewall in the GUI as per your instructions. I did a systemctl restart firewall and I can still access the WAP from the wired LAN.

    But I can't find the custom firewall rule in the list created by "iptables -nvL". Shouldn't it be there?
  • nuke

    Tuesday, December 29 2020, 01:47 AM - #Permalink
    Nick Howitt wrote:

    As the AP is a router, see if it has an option to allow access to it or management of it from the internet and enable it. Otherwise it could be firewalled just to allow access from its LAN. If it is really important, you may be able to add a custom firewall rule something like:
    $IPTABLES -I -d your_WAP_IP -s your_wired_LAN_subnet -j SNAT --to-source your_ClearOS_WiFi_segment_LAN_IP
    Try it from the command line first, changing "$IPTABLES" to "iptables".


    Hi Nick,
    I haven't been able to find an option in the AP to allow management from the internet. It appears to be an option only available when it is in Router mode.

    I'm learning more about iptables as I move forward in trying to figure out both your suggested command and also why the only F2B jail that seems to work is the cyrus-imap one.

    Your suggested IPTABLE command has me a bit stumped. I am assuming this is to create a route from LAN to the WIFI Access Point (WAP) and fake the WAP to think it is being accessed via the WIFI segment?

    Are the _WAP_IP and _ClearOS_WiFi_segment_LAN_IP the same? I presume that "_WAP_IP" is "wireless access point"(192.168.100.2)? If not, is the "_ClearOS_WiFi_segment_LAN_IP" the ethernet card/gateway (192.168.101.10) that connects to the WAP?

    IPTABLES -I -d 192.168.100.2 -s 192.168.101.0/24 -j SNAT --to-source 192.168.101.10 
  • Nick Howitt

    Tuesday, December 22 2020, 11:17 AM - #Permalink
    As the AP is a router, see if it has an option to allow access to it or management of it from the internet and enable it. Otherwise it could be firewalled just to allow access from its LAN. If it is really important, you may be able to add a custom firewall rule something like:
    $IPTABLES -I POSTROUTING -t nat -d your_WAP_IP -s your_wired_LAN_subnet -j SNAT --to-source your_ClearOS_WiFi_segment_LAN_IP
    Try it from the command line first, changing "$IPTABLES" to "iptables".

    [edit]
    Rule edited
    [/edit]
  • nuke

    Tuesday, December 22 2020, 01:08 AM - #Permalink
    Hi Nick,
    For some reason some of the devices on the WIFI segment are working properly now. I'm not sure what happened so I can't describe what fixed it. Maybe it was just moving from the xxx.102.2 to xxx.100.2 address unblocked/reset/set some setting somewhere.

    I'm still not able to connect to the WIFI access point when I'm on the wired segment.

    tcpdump shows the request going through the 192.168.100.0 ethernet card but there is no reply.

    I switched out the wifi access point and the second one has the same problem. Had this not happened, I would have thought that maybe it had a setting that only allows login to the admin console from the same network segment, but I can't find any setting like that. I'll continue to research this. But it starts to look like this is an access point hardware/software issue, as the ClearOS server appears to be routing traffic properly.

    Thanks again for your help.

    Happy holidays!
  • nuke

    Sunday, December 20 2020, 10:09 PM - #Permalink
    Nick Howitt wrote:

    You really need to get f2b working. Note it does not create many firewall rules: one per jail, and only if it has a block for that jail. All blocks get added to ipset lists. Is there anything if you do:
    ipset list f2b-cyrus-imap


    I can see nothing blocking LAN<->LAN traffic. Note that Windows will probably block it, as it normally only allows pings from its own LAN subnet and your two LANs will be seen as separate by Windows. Try stopping the firewall in Windows and see if it makes a difference. Also you can try monitoring packets with tcpdump and see if they pass from LAN to LAN but get no replies. That is an indication of the Windows firewall blocking as well.

    Nick, thanks.
    Here is the ipset list command. I'm actually surprised that there is something in the f2b list. Maybe it is working ... sort of.

    ipset list f2b-cyrus-imap
    Name: f2b-cyrus-imap
    Type: hash:ip
    Revision: 4
    Header: family inet hashsize 1024 maxelem 65536 timeout 600
    Size in memory: 7800
    References: 1
    Number of entries: 1
    Members:
    77.34.2.219 timeout 72941


    We have no Windows computers. We are running Macs, Linux, iPhones, iPads, Android phones, Android tablets.

    I've never used tcpdump but started reading about it this afternoon.
  • Nick Howitt

    Sunday, December 20 2020, 09:54 PM - #Permalink
    You really need to get f2b working. Note it does not create many firewall rules: one per jail, and only if it has a block for that jail. All blocks get added to ipset lists. Is there anything if you do:
    ipset list f2b-cyrus-imap


    I can see nothing blocking LAN<->LAN traffic. Note that Windows will probably block it, as it normally only allows pings from its own LAN subnet and your two LANs will be seen as separate by Windows. Try stopping the firewall in Windows and see if it makes a difference. Also you can try monitoring packets with tcpdump and see if they pass from LAN to LAN but get no replies. That is an indication of the Windows firewall blocking as well.
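An added example, written for this page and not ClearOS or fail2ban code, that parses the text of "ipset list" and "iptables -nvL" to check the two things discussed here: whether a fail2ban jail's ipset is actually referenced by a DROP rule and holding bans (the one-rule-per-jail model described above), and whether a hand-maintained DROP list like the one in the long dump later in this thread carries duplicate, redundant or private-range entries. Both samples are constructed from lines posted in this thread; nothing else is assumed.

```python
"""Offline audit of a gateway's iptables/ipset state from pasted output.

Added example for this thread, not ClearOS or fail2ban code.  Samples are
constructed from lines the thread posted (addresses and counters copied).
"""
import re
from ipaddress import ip_network
from typing import Dict, List

IPSET_LIST_SAMPLE = """\
Name: f2b-cyrus-imap
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 600
References: 1
Number of entries: 1
Members:
77.34.2.219 timeout 72941
"""

IPTABLES_SAMPLE = """\
Chain INPUT (policy DROP 2475 packets, 197K bytes)
pkts bytes target prot opt in out source destination
17 1436 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 220,993 match-set f2b-cyrus-imap src
0 0 DROP all -- * * 109.236.32.0/22 0.0.0.0/0
0 0 DROP all -- * * 46.161.27.27 0.0.0.0/0
11 440 DROP all -- * * 46.161.27.0/24 0.0.0.0/0
0 0 DROP all -- * * 58.48.28.220 0.0.0.0/0
0 0 DROP all -- * * 58.48.0.0/13 0.0.0.0/0
0 0 DROP all -- * * 109.236.32.0/22 0.0.0.0/0
0 0 DROP all -- * * 10.195.126.108 0.0.0.0/0
1208K 1795M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 109.236.32.0/22 0.0.0.0/0
"""

# Columns of iptables -nvL: pkts bytes target prot opt in out source destination [match options]
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def _count(field: str) -> int:
    """Expand the K/M/G suffixes iptables -v prints (it rounds, so this is approximate)."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(field[:-1]) * mult[field[-1]] if field[-1] in mult else int(field)


def parse_iptables(text: str) -> Dict[str, List[dict]]:
    """Split "iptables -nvL" output into {chain: [rule dict, ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif line and not line.startswith("pkts") and current:
            m = RULE_RE.match(line)
            if m:
                pkts, byts, target, prot, _opt, i_in, i_out, src, dst, extra = m.groups()
                chains[current].append({"pkts": _count(pkts), "bytes": _count(byts), "target": target,
                                        "prot": prot, "in": i_in, "out": i_out, "src": src, "dst": dst,
                                        "extra": extra or ""})
    return chains


def parse_ipset_list(text: str) -> dict:
    """Parse one "ipset list NAME" block; members map ip -> seconds left (None if no timeout)."""
    info = {"name": None, "default_timeout": None, "references": 0, "members": {}}
    in_members = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if in_members:
            parts = line.split()
            info["members"][parts[0]] = int(parts[parts.index("timeout") + 1]) if "timeout" in parts else None
        else:
            key, _, value = (s.strip() for s in line.partition(":"))
            if key == "Name":
                info["name"] = value
            elif key == "References":
                info["references"] = int(value)
            elif key == "Header":
                m = re.search(r"\btimeout (\d+)", value)
                info["default_timeout"] = int(m.group(1)) if m else None
            elif key == "Members":
                in_members = True
    return info


def f2b_status(chains: Dict[str, List[dict]], ipset_info: dict) -> List[str]:
    """One jail = one rule matching its set: report whether that rule exists and what it has done."""
    name, findings = ipset_info["name"], []
    hits = [r for rules in chains.values() for r in rules if f"match-set {name} " in r["extra"]]
    if not hits:
        findings.append(f"{name}: no rule references this set, so its bans have no effect")
    for r in hits:
        findings.append(f"{name}: {r['target']} rule has matched {r['pkts']} packets")
    for ip, left in ipset_info["members"].items():
        findings.append(f"{name}: {ip} banned" + (f", {left} s remaining" if left is not None else " (no timeout)"))
    return findings


def blocklist_problems(rules: List[dict]) -> List[str]:
    """Hygiene check on bare source-address DROP rules (any interface, no other match options)."""
    nets = [ip_network(r["src"], strict=False) for r in rules
            if r["target"] == "DROP" and not r["extra"] and r["in"] == "*" and r["out"] == "*"
            and r["src"] != "0.0.0.0/0" and not r["src"].startswith("!")]
    findings = []
    for i, net in enumerate(nets):
        if net.is_private:
            findings.append(f"{net}: private (RFC 1918) address in an internet blocklist")
        if net in nets[:i]:
            findings.append(f"{net}: duplicate entry")
            continue
        covering = [o for o in nets if o != net and net.subnet_of(o)]
        if covering:
            findings.append(f"{net}: redundant, already covered by {covering[0]}")
    return findings


if __name__ == "__main__":
    chains = parse_iptables(IPTABLES_SAMPLE)
    for line in f2b_status(chains, parse_ipset_list(IPSET_LIST_SAMPLE)) + blocklist_problems(chains["INPUT"]):
        print(line)
```

The sample reproduces what the dump in this thread shows: 109.236.32.0/22 listed twice, host entries already inside a broader block (46.161.27.27 inside 46.161.27.0/24, 58.48.28.220 inside 58.48.0.0/13), and 10.195.126.108, which is RFC 1918 space and cannot arrive from the internet. Against the f2b rule that has dropped 17 packets and the banned 77.34.2.219 it reports the cyrus-imap jail as active.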
  • nuke

    Sunday, December 20 2020, 09:03 PM - #Permalink
    Nick Howitt wrote:

    Did you by any chance set either LAN as HotLAN? If so, it has internet only and no connectivity to other LANs. What is the output of "iptables -nvL" (between code tags, please)?


    Thanks again for taking some time to help me.

    This is extremely long and I apologize in advance. I have never been able to get fail2ban to work: despite it saying that it is running, it never creates an iptables block. So I ended up adding many offending IPs manually. Hence the very long DROP list.

    I suspect there is a route missing or the firewall isn't allowing the traffic back but I'm not sure why.

    iptables -n -v -L
    Chain INPUT (policy DROP 2475 packets, 197K bytes)
    pkts bytes target prot opt in out source destination
    17 1436 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 220,993 match-set f2b-cyrus-imap src
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_INGRESS src
    56 4256 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state RELATED,ESTABLISHED
    5 260 DROP tcp -- * * !127.0.0.1 0.0.0.0/0 tcp dpt:3128
    0 0 DROP all -- * * 101.188.165.241 0.0.0.0/0
    0 0 DROP all -- * * 103.107.236.182 0.0.0.0/0
    0 0 DROP all -- * * 103.224.182.243 0.0.0.0/0
    0 0 DROP all -- * * 104.153.108.74 0.0.0.0/0
    0 0 DROP all -- * * 104.194.218.51 0.0.0.0/0
    0 0 DROP all -- * * 109.236.32.0/22 0.0.0.0/0
    0 0 DROP all -- * * 113.96.223.207 0.0.0.0/0
    0 0 DROP all -- * * 115.231.220.215 0.0.0.0/0
    0 0 DROP all -- * * 119.27.184.92 0.0.0.0/0
    0 0 DROP all -- * * 122.114.151.106 0.0.0.0/0
    0 0 DROP all -- * * 120.76.0.0/14 0.0.0.0/0
    0 0 DROP all -- * * 122.144.0.0/16 0.0.0.0/0
    0 0 DROP all -- * * 122.228.10.51 0.0.0.0/0
    0 0 DROP all -- * * 122.96.29.23 0.0.0.0/0
    0 0 DROP all -- * * 124.149.199.6 0.0.0.0/0
    5 200 DROP all -- * * 125.36.0.0/14 0.0.0.0/0
    0 0 DROP all -- * * 13.113.224.207 0.0.0.0/0
    0 0 DROP all -- * * 13.77.46.77 0.0.0.0/0
    0 0 DROP all -- * * 13.77.58.33 0.0.0.0/0
    0 0 DROP all -- * * 137.226.113.9 0.0.0.0/0
    0 0 DROP all -- * * 149.56.149.29 0.0.0.0/0
    0 0 DROP all -- * * 163.172.23.6 0.0.0.0/0
    0 0 DROP all -- * * 164.160.0.0/16 0.0.0.0/0
    0 0 DROP all -- * * 164.52.24.140 0.0.0.0/0
    0 0 DROP all -- * * 167.114.15.64/29 0.0.0.0/0
    0 0 DROP all -- * * 167.114.189.192/29 0.0.0.0/0
    0 0 DROP all -- * * 169.229.3.91 0.0.0.0/0
    0 0 DROP all -- * * 172.192.14.51 0.0.0.0/0
    0 0 DROP all -- * * 176.57.180.22 0.0.0.0/0
    0 0 DROP all -- * * 177.84.136.0/22 0.0.0.0/0
    0 0 DROP all -- * * 182.151.211.213 0.0.0.0/0
    0 0 DROP all -- * * 183.136.202.244 0.0.0.0/0
    0 0 DROP all -- * * 185.143.220.13 0.0.0.0/0
    0 0 DROP all -- * * 185.143.223.191 0.0.0.0/0
    1 40 DROP all -- * * 185.200.118.0/25 0.0.0.0/0
    0 0 DROP all -- * * 185.202.103.51 0.0.0.0/0
    0 0 DROP all -- * * 185.246.210.0/24 0.0.0.0/0
    0 0 DROP all -- * * 185.30.166.0/24 0.0.0.0/0
    0 0 DROP all -- * * 187.49.236.185 0.0.0.0/0
    0 0 DROP all -- * * 191.53.0.0/16 0.0.0.0/0
    0 0 DROP all -- * * 192.102.6.0/23 0.0.0.0/0
    0 0 DROP all -- * * 192.99.98.104 0.0.0.0/0
    0 0 DROP all -- * * 193.104.68.17 0.0.0.0/0
    0 0 DROP all -- * * 193.112.190.175 0.0.0.0/0
    0 0 DROP all -- * * 194.74.181.123 0.0.0.0/0
    0 0 DROP all -- * * 195.22.22.20 0.0.0.0/0
    0 0 DROP all -- * * 200.229.202.176 0.0.0.0/0
    0 0 DROP all -- * * 202.104.118.193 0.0.0.0/0
    0 0 DROP all -- * * 206.128.153.219 0.0.0.0/0
    0 0 DROP all -- * * 208.100.26.231 0.0.0.0/0
    0 0 DROP all -- * * 213.202.230.144 0.0.0.0/0
    0 0 DROP all -- * * 218.75.37.18 0.0.0.0/0
    0 0 DROP all -- * * 218.75.40.149 0.0.0.0/0
    0 0 DROP all -- * * 23.101.224.255 0.0.0.0/0
    0 0 DROP all -- * * 34.209.137.10 0.0.0.0/0
    0 0 DROP all -- * * 34.244.30.148 0.0.0.0/0
    0 0 DROP all -- * * 37.187.148.221 0.0.0.0/0
    0 0 DROP all -- * * 37.49.224.0/22 0.0.0.0/0
    0 0 DROP all -- * * 38.123.205.178 0.0.0.0/0
    0 0 DROP all -- * * 38.69.156.147 0.0.0.0/0
    0 0 DROP all -- * * 46.161.27.27 0.0.0.0/0
    11 440 DROP all -- * * 46.161.27.0/24 0.0.0.0/0
    0 0 DROP all -- * * 46.161.55.106 0.0.0.0/0
    0 0 DROP all -- * * 46.229.170.197 0.0.0.0/0
    0 0 DROP all -- * * 5.101.40.82 0.0.0.0/0
    0 0 DROP all -- * * 5.39.218.36 0.0.0.0/0
    0 0 DROP all -- * * 54.186.17.27 0.0.0.0/0
    0 0 DROP all -- * * 54.205.74.35 0.0.0.0/0
    0 0 DROP all -- * * 54.207.11.46 0.0.0.0/0
    0 0 DROP all -- * * 54.233.236.68 0.0.0.0/0
    0 0 DROP all -- * * 58.48.28.220 0.0.0.0/0
    0 0 DROP all -- * * 60.191.29.20 0.0.0.0/0
    0 0 DROP all -- * * 60.191.38.77 0.0.0.0/0
    0 0 DROP all -- * * 61.139.77.172 0.0.0.0/0
    0 0 DROP all -- * * 63.251.20.151 0.0.0.0/0
    0 0 DROP all -- * * 66.240.205.34 0.0.0.0/0
    0 0 DROP all -- * * 66.240.236.119 0.0.0.0/0
    0 0 DROP all -- * * 69.16.196.163 0.0.0.0/0
    0 0 DROP all -- * * 72.141.23.160 0.0.0.0/0
    0 0 DROP all -- * * 73.65.208.195 0.0.0.0/0
    0 0 DROP all -- * * 74.91.122.249 0.0.0.0/0
    0 0 DROP all -- * * 77.220.180.235 0.0.0.0/0
    0 0 DROP all -- * * 80.82.70.210 0.0.0.0/0
    1 40 DROP all -- * * 80.82.77.0/24 0.0.0.0/0
    0 0 DROP all -- * * 85.94.204.144/28 0.0.0.0/0
    0 0 DROP all -- * * 91.197.232.11 0.0.0.0/0
    0 0 DROP all -- * * 91.200.12.179 0.0.0.0/0
    0 0 DROP all -- * * 91.200.12.28 0.0.0.0/0
    0 0 DROP all -- * * 92.60.16.0/23 0.0.0.0/0
    0 0 DROP all -- * * 93.55.122.185 0.0.0.0/0
    7 280 DROP all -- * * 94.102.48.0/20 0.0.0.0/0
    0 0 DROP all -- * * 95.25.165.0/24 0.0.0.0/0
    0 0 DROP all -- * * 95.25.225.197 0.0.0.0/0
    0 0 DROP all -- * * 185.17.120.0/22 0.0.0.0/0
    0 0 DROP all -- * * 154.118.32.0/23 0.0.0.0/0
    0 0 DROP all -- * * 62.210.77.54 0.0.0.0/0
    0 0 DROP all -- * * 199.66.88.0/21 0.0.0.0/0
    0 0 DROP all -- * * 183.160.0.0/16 0.0.0.0/0
    1 40 DROP all -- * * 146.88.240.0/20 0.0.0.0/0
    0 0 DROP all -- * * 192.241.219.147 0.0.0.0/0
    0 0 DROP all -- * * 181.56.0.0/13 0.0.0.0/0
    0 0 DROP all -- * * 85.217.192.0/20 0.0.0.0/0
    0 0 DROP all -- * * 195.24.192.0/19 0.0.0.0/0
    0 0 DROP all -- * * 185.202.2.0/24 0.0.0.0/0
    0 0 DROP all -- * * 111.160.0.0/13 0.0.0.0/0
    0 0 DROP all -- * * 113.58.0.0/16 0.0.0.0/0
    1 44 DROP all -- * * 71.6.135.0/24 0.0.0.0/0
    0 0 DROP all -- * * 119.112.0.0/13 0.0.0.0/0
    0 0 DROP all -- * * 119.39.0.0/16 0.0.0.0/0
    0 0 DROP all -- * * 123.160.0.0/14 0.0.0.0/0
    0 0 DROP all -- * * 182.128.0.0/12 0.0.0.0/0
    3 124 DROP all -- * * 222.176.0.0/12 0.0.0.0/0
    0 0 DROP all -- * * 58.48.0.0/13 0.0.0.0/0
    0 0 DROP all -- * * 180.163.113.82 0.0.0.0/0
    0 0 DROP all -- * * 122.228.19.64/27 0.0.0.0/0
    0 0 DROP all -- * * 115.238.44.0/24 0.0.0.0/0
    0 0 DROP all -- * * 95.170.72.0/24 0.0.0.0/0
    0 0 DROP all -- * * 37.97.254.27 0.0.0.0/0
    0 0 DROP all -- * * 185.138.248.0/22 0.0.0.0/0
    0 0 DROP all -- * * 194.0.16.0/20 0.0.0.0/0
    0 0 DROP all -- * * 185.234.219.63 0.0.0.0/0
    0 0 DROP all -- * * 103.37.114.0/24 0.0.0.0/0
    12 720 DROP all -- * * 69.94.128.0/19 0.0.0.0/0
    2 80 DROP all -- * * 172.104.0.0/15 0.0.0.0/0
    0 0 DROP all -- * * 41.217.96.0/19 0.0.0.0/0
    0 0 DROP all -- * * 180.212.37.64 0.0.0.0/0
    0 0 DROP all -- * * 195.22.126.0/23 0.0.0.0/0
    8 348 DROP all -- * * 83.97.20.0/24 0.0.0.0/0
    0 0 DROP all -- * * 5.136.0.0/13 0.0.0.0/0
    9 535 DROP all -- * * 95.24.0.0/13 0.0.0.0/0
    0 0 DROP all -- * * 176.208.0.0/13 0.0.0.0/0
    0 0 DROP all -- * * 178.64.0.0/13 0.0.0.0/0
    0 0 DROP all -- * * 178.154.0.0/17 0.0.0.0/0
    0 0 DROP all -- * * 178.154.128.0/17 0.0.0.0/0
    2 80 DROP all -- * * 37.9.0.0/20 0.0.0.0/0
    1025 61440 DROP all -- * * 45.150.206.0/23 0.0.0.0/0
    0 0 DROP all -- * * 212.70.149.0/24 0.0.0.0/0
    0 0 DROP all -- * * 92.63.194.0/24 0.0.0.0/0
    0 0 DROP all -- * * 45.141.86.0/24 0.0.0.0/0
    0 0 DROP all -- * * 142.4.0.0/19 0.0.0.0/0
    0 0 DROP all -- * * 162.144.0.0/16 0.0.0.0/0
    0 0 DROP all -- * * 103.89.88.86 0.0.0.0/0
    0 0 DROP all -- * * 91.150.64.0/18 0.0.0.0/0
    0 0 DROP all -- * * 177.8.248.0/22 0.0.0.0/0
    0 0 DROP all -- * * 198.108.66.0/23 0.0.0.0/0
    21 840 DROP all -- * * 185.153.196.0/22 0.0.0.0/0
    0 0 DROP all -- * * 185.10.184.0/22 0.0.0.0/0
    0 0 DROP all -- * * 174.136.14.0/24 0.0.0.0/0
    0 0 DROP all -- * * 109.236.32.0/22 0.0.0.0/0
    0 0 DROP all -- * * 193.32.161.0/24 0.0.0.0/0
    0 0 DROP all -- * * 61.219.11.0/24 0.0.0.0/0
    0 0 DROP all -- * * 195.62.47.0/24 0.0.0.0/0
    1 40 DROP all -- * * 150.109.0.0/16 0.0.0.0/0
    0 0 DROP all -- * * 66.240.192.138 0.0.0.0/0
    0 0 DROP all -- * * 60.191.40.196 0.0.0.0/0
    0 0 DROP all -- * * 138.121.0.0/16 0.0.0.0/0
    0 0 DROP all -- * * 185.100.87.191 0.0.0.0/0
    0 0 DROP all -- * * 185.100.87.247 0.0.0.0/0
    0 0 DROP all -- * * 185.222.211.0/24 0.0.0.0/0
    0 0 DROP all -- * * 14.128.0.0/10 0.0.0.0/0
    0 0 DROP all -- * * 199.254.28.0/22 0.0.0.0/0
    0 0 DROP all -- * * 199.249.112.0/20 0.0.0.0/0
    0 0 DROP all -- * * 192.200.202.0/24 0.0.0.0/0
    0 0 DROP all -- * * 185.138.250.0/27 0.0.0.0/0
    0 0 DROP all -- * * 10.195.126.108 0.0.0.0/0
    0 0 DROP all -- * * 103.103.196.97 0.0.0.0/0
    0 0 DROP all -- * * 193.188.22.0/24 0.0.0.0/0
    1144 85282 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    117 23120 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    0 0 DROP all -- ppp0 * 127.0.0.0/8 0.0.0.0/0
    1208K 1795M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    688K 901M ACCEPT all -- enp3s2 * 0.0.0.0/0 0.0.0.0/0
    497K 28M ACCEPT all -- p2p1 * 0.0.0.0/0 0.0.0.0/0
    243 7110 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
    0 0 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
    236 18900 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
    0 0 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
    0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 76.10.xxx.xxx tcp dpt:1875
    791 37226 ACCEPT tcp -- * * 0.0.0.0/0 76.10.xxx.xxx tcp dpt:80
    262 24956 ACCEPT tcp -- * * 0.0.0.0/0 76.10.xxx.xxx tcp dpt:443
    676 62787 ACCEPT tcp -- * * 0.0.0.0/0 76.10.xxx.xxx tcp dpt:993
    0 0 ACCEPT udp -- * * 0.0.0.0/0 76.10.xxx.xxx udp dpt:123
    0 0 ACCEPT udp -- * * 0.0.0.0/0 76.10.xxx.xxx udp dpt:1194
    3 120 ACCEPT tcp -- * * 0.0.0.0/0 76.10.xxx.xxx tcp dpt:1194
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 76.10.xxx.xxx tcp dpt:995
    1155 391K ACCEPT tcp -- * * 0.0.0.0/0 76.10.xxx.xxx tcp dpt:25
    35 2322 ACCEPT tcp -- * * 0.0.0.0/0 76.10.xxx.xxx tcp dpt:587
    1612 155K ACCEPT tcp -- * * 0.0.0.0/0 76.10.xxx.xxx tcp dpt:465
    33 1746 ACCEPT tcp -- * * 0.0.0.0/0 76.10.xxx.xxx tcp dpt:81
    6939 1085K ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
    695K 1002M ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_SELF src,dst,dst
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_EGRESS dst
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_INGRESS src
    0 0 DROP all -- * * 101.188.165.241 0.0.0.0/0
    0 0 DROP all -- * * 103.107.236.182 0.0.0.0/0
    0 0 DROP all -- * * 103.224.182.243 0.0.0.0/0
    0 0 DROP all -- * * 104.153.108.74 0.0.0.0/0
    0 0 DROP all -- * * 104.194.218.51 0.0.0.0/0
    0 0 DROP all -- * * 109.236.32.0/22 0.0.0.0/0
    0 0 DROP all -- * * 113.96.223.207 0.0.0.0/0
    0 0 DROP all -- * * 115.231.220.215 0.0.0.0/0
    0 0 DROP all -- * * 119.27.184.92 0.0.0.0/0
    0 0 DROP all -- * * 122.114.151.106 0.0.0.0/0
    0 0 DROP all -- * * 120.76.0.0/14 0.0.0.0/0
    0 0 DROP all -- * * 122.144.0.0/16 0.0.0.0/0
    0 0 DROP all -- * * 122.228.10.51 0.0.0.0/0
    0 0 DROP all -- * * 122.96.29.23 0.0.0.0/0
    0 0 DROP all -- * * 124.149.199.6 0.0.0.0/0
    0 0 DROP all -- * * 125.36.0.0/14 0.0.0.0/0
    0 0 DROP all -- * * 13.113.224.207 0.0.0.0/0
    0 0 DROP all -- * * 13.77.46.77 0.0.0.0/0
    0 0 DROP all -- * * 13.77.58.33 0.0.0.0/0
    0 0 DROP all -- * * 137.226.113.9 0.0.0.0/0
    0 0 DROP all -- * * 149.56.149.29 0.0.0.0/0
    0 0 DROP all -- * * 163.172.23.6 0.0.0.0/0
    0 0 DROP all -- * * 164.160.0.0/16 0.0.0.0/0
    0 0 DROP all -- * * 164.52.24.140 0.0.0.0/0
    0 0 DROP all -- * * 167.114.15.64/29 0.0.0.0/0
    0 0 DROP all -- * * 167.114.189.192/29 0.0.0.0/0
    0 0 DROP all -- * * 169.229.3.91 0.0.0.0/0
    0 0 DROP all -- * * 172.192.14.51 0.0.0.0/0
    0 0 DROP all -- * * 176.57.180.22 0.0.0.0/0
    0 0 DROP all -- * * 177.84.136.0/22 0.0.0.0/0
    0 0 DROP all -- * * 182.151.211.213 0.0.0.0/0
    0 0 DROP all -- * * 183.136.202.244 0.0.0.0/0
    0 0 DROP all -- * * 185.143.220.13 0.0.0.0/0
    0 0 DROP all -- * * 185.143.223.191 0.0.0.0/0
    0 0 DROP all -- * * 185.200.118.0/25 0.0.0.0/0
    0 0 DROP all -- * * 185.202.103.51 0.0.0.0/0
    0 0 DROP all -- * * 185.246.210.0/24 0.0.0.0/0
    0 0 DROP all -- * * 185.30.166.0/24 0.0.0.0/0
    0 0 DROP all -- * * 187.49.236.185 0.0.0.0/0
    0 0 DROP all -- * * 191.53.0.0/16 0.0.0.0/0
    0 0 DROP all -- * * 192.102.6.0/23 0.0.0.0/0
    0 0 DROP all -- * * 192.99.98.104 0.0.0.0/0
    0 0 DROP all -- * * 193.104.68.17 0.0.0.0/0
    0 0 DROP all -- * * 193.112.190.175 0.0.0.0/0
    0 0 DROP all -- * * 194.74.181.123 0.0.0.0/0
    0 0 DROP all -- * * 195.22.22.20 0.0.0.0/0
    0 0 DROP all -- * * 200.229.202.176 0.0.0.0/0
    0 0 DROP all -- * * 202.104.118.193 0.0.0.0/0
    0 0 DROP all -- * * 206.128.153.219 0.0.0.0/0
    0 0 DROP all -- * * 208.100.26.231 0.0.0.0/0
    0 0 DROP all -- * * 213.202.230.144 0.0.0.0/0
    0 0 DROP all -- * * 218.75.37.18 0.0.0.0/0
    0 0 DROP all -- * * 218.75.40.149 0.0.0.0/0
    0 0 DROP all -- * * 23.101.224.255 0.0.0.0/0
    0 0 DROP all -- * * 34.209.137.10 0.0.0.0/0
    0 0 DROP all -- * * 34.244.30.148 0.0.0.0/0
    0 0 DROP all -- * * 37.187.148.221 0.0.0.0/0
    0 0 DROP all -- * * 37.49.224.0/22 0.0.0.0/0
    0 0 DROP all -- * * 38.123.205.178 0.0.0.0/0
    0 0 DROP all -- * * 38.69.156.147 0.0.0.0/0
    0 0 DROP all -- * * 46.161.27.27 0.0.0.0/0
    0 0 DROP all -- * * 46.161.27.0/24 0.0.0.0/0
    0 0 DROP all -- * * 46.161.55.106 0.0.0.0/0
    0 0 DROP all -- * * 46.229.170.197 0.0.0.0/0
    0 0 DROP all -- * * 5.101.40.82 0.0.0.0/0
    0 0 DROP all -- * * 5.39.218.36 0.0.0.0/0
    0 0 DROP all -- * * 54.186.17.27 0.0.0.0/0
    0 0 DROP all -- * * 54.205.74.35 0.0.0.0/0
    0 0 DROP all -- * * 54.207.11.46 0.0.0.0/0
    0 0 DROP all -- * * 54.233.236.68 0.0.0.0/0
    0 0 DROP all -- * * 58.48.28.220 0.0.0.0/0
    0 0 DROP all -- * * 60.191.29.20 0.0.0.0/0
    0 0 DROP all -- * * 60.191.38.77 0.0.0.0/0
    0 0 DROP all -- * * 61.139.77.172 0.0.0.0/0
    0 0 DROP all -- * * 63.251.20.151 0.0.0.0/0
    0 0 DROP all -- * * 66.240.205.34 0.0.0.0/0
    0 0 DROP all -- * * 66.240.236.119 0.0.0.0/0
    0 0 DROP all -- * * 69.16.196.163 0.0.0.0/0
    0 0 DROP all -- * * 72.141.23.160 0.0.0.0/0
    0 0 DROP all -- * * 73.65.208.195 0.0.0.0/0
    0 0 DROP all -- * * 74.91.122.249 0.0.0.0/0
    0 0 DROP all -- * * 77.220.180.235 0.0.0.0/0
    0 0 DROP all -- * * 80.82.70.210 0.0.0.0/0
    0 0 DROP all -- * * 80.82.77.0/24 0.0.0.0/0
    0 0 DROP all -- * * 85.94.204.144/28 0.0.0.0/0
    0 0 DROP all -- * * 91.197.232.11 0.0.0.0/0
    0 0 DROP all -- * * 91.200.12.179 0.0.0.0/0
    0 0 DROP all -- * * 91.200.12.28 0.0.0.0/0
    0 0 DROP all -- * * 92.60.16.0/23 0.0.0.0/0
    0 0 DROP all -- * * 93.55.122.185 0.0.0.0/0
    0 0 DROP all -- * * 94.102.48.0/20 0.0.0.0/0
    0 0 DROP all -- * * 95.25.165.0/24 0.0.0.0/0
    0 0 DROP all -- * * 95.25.225.197 0.0.0.0/0
    0 0 DROP all -- * * 185.17.120.0/22 0.0.0.0/0
    0 0 DROP all -- * * 154.118.32.0/23 0.0.0.0/0
    0 0 DROP all -- * * 62.210.77.54 0.0.0.0/0
    0 0 DROP all -- * * 199.66.88.0/21 0.0.0.0/0
    0 0 DROP all -- * * 183.160.0.0/16 0.0.0.0/0
    0 0 DROP all -- * * 146.88.240.0/20 0.0.0.0/0
    0 0 DROP all -- * * 192.241.219.147 0.0.0.0/0
    0 0 DROP all -- * * 181.56.0.0/13 0.0.0.0/0
    0 0 DROP all -- * * 85.217.192.0/20 0.0.0.0/0
    0 0 DROP all -- * * 195.24.192.0/19 0.0.0.0/0
    0 0 DROP all -- * * 185.202.2.0/24 0.0.0.0/0
    0 0 DROP all -- * * 111.160.0.0/13 0.0.0.0/0
    0 0 DROP all -- * * 113.58.0.0/16 0.0.0.0/0
    0 0 DROP all -- * * 71.6.135.0/24 0.0.0.0/0
    0 0 DROP all -- * * 119.112.0.0/13 0.0.0.0/0
    1 340 DROP all -- * * 119.39.0.0/16 0.0.0.0/0
    0 0 DROP all -- * * 123.160.0.0/14 0.0.0.0/0
    0 0 DROP all -- * * 182.128.0.0/12 0.0.0.0/0
    0 0 DROP all -- * * 222.176.0.0/12 0.0.0.0/0
    0 0 DROP all -- * * 58.48.0.0/13 0.0.0.0/0
    0 0 DROP all -- * * 180.163.113.82 0.0.0.0/0
    0 0 DROP all -- * * 122.228.19.64/27 0.0.0.0/0
    0 0 DROP all -- * * 115.238.44.0/24 0.0.0.0/0
    0 0 DROP all -- * * 95.170.72.0/24 0.0.0.0/0
    0 0 DROP all -- * * 37.97.254.27 0.0.0.0/0
    0 0 DROP all -- * * 185.138.248.0/22 0.0.0.0/0
    0 0 DROP all -- * * 194.0.16.0/20 0.0.0.0/0
    0 0 DROP all -- * * 185.234.219.63 0.0.0.0/0
    0 0 DROP all -- * * 103.37.114.0/24 0.0.0.0/0
    0 0 DROP all -- * * 69.94.128.0/19 0.0.0.0/0
    6 458 DROP all -- * * 172.104.0.0/15 0.0.0.0/0
    0 0 DROP all -- * * 41.217.96.0/19 0.0.0.0/0
    0 0 DROP all -- * * 180.212.37.64 0.0.0.0/0
    0 0 DROP all -- * * 195.22.126.0/23 0.0.0.0/0
    0 0 DROP all -- * * 83.97.20.0/24 0.0.0.0/0
    0 0 DROP all -- * * 5.136.0.0/13 0.0.0.0/0
    3 1030 DROP all -- * * 95.24.0.0/13 0.0.0.0/0
    3 261 DROP all -- * * 176.208.0.0/13 0.0.0.0/0
    0 0 DROP all -- * * 178.64.0.0/13 0.0.0.0/0
    0 0 DROP all -- * * 178.154.0.0/17 0.0.0.0/0
    0 0 DROP all -- * * 178.154.128.0/17 0.0.0.0/0
    0 0 DROP all -- * * 37.9.0.0/20 0.0.0.0/0
    0 0 DROP all -- * * 45.150.206.0/23 0.0.0.0/0
    0 0 DROP all -- * * 212.70.149.0/24 0.0.0.0/0
    0 0 DROP all -- * * 92.63.194.0/24 0.0.0.0/0
    0 0 DROP all -- * * 45.141.86.0/24 0.0.0.0/0
    0 0 DROP all -- * * 142.4.0.0/19 0.0.0.0/0
    0 0 DROP all -- * * 162.144.0.0/16 0.0.0.0/0
    0 0 DROP all -- * * 103.89.88.86 0.0.0.0/0
    0 0 DROP all -- * * 91.150.64.0/18 0.0.0.0/0
    0 0 DROP all -- * * 177.8.248.0/22 0.0.0.0/0
    0 0 DROP all -- * * 198.108.66.0/23 0.0.0.0/0
    0 0 DROP all -- * * 185.153.196.0/22 0.0.0.0/0
    0 0 DROP all -- * * 185.10.184.0/22 0.0.0.0/0
    0 0 DROP all -- * * 174.136.14.0/24 0.0.0.0/0
    0 0 DROP all -- * * 109.236.32.0/22 0.0.0.0/0
    0 0 DROP all -- * * 193.32.161.0/24 0.0.0.0/0
    0 0 DROP all -- * * 61.219.11.0/24 0.0.0.0/0
    0 0 DROP all -- * * 195.62.47.0/24 0.0.0.0/0
    0 0 DROP all -- * * 150.109.0.0/16 0.0.0.0/0
    0 0 DROP all -- * * 66.240.192.138 0.0.0.0/0
    0 0 DROP all -- * * 60.191.40.196 0.0.0.0/0
    0 0 DROP all -- * * 138.121.0.0/16 0.0.0.0/0
    0 0 DROP all -- * * 185.100.87.191 0.0.0.0/0
    0 0 DROP all -- * * 185.100.87.247 0.0.0.0/0
    0 0 DROP all -- * * 185.222.211.0/24 0.0.0.0/0
    0 0 DROP all -- * * 14.128.0.0/10 0.0.0.0/0
    0 0 DROP all -- * * 199.254.28.0/22 0.0.0.0/0
    0 0 DROP all -- * * 199.249.112.0/20 0.0.0.0/0
    0 0 DROP all -- * * 192.200.202.0/24 0.0.0.0/0
    0 0 DROP all -- * * 185.138.250.0/27 0.0.0.0/0
    0 0 DROP all -- * * 10.195.126.108 0.0.0.0/0
    0 0 DROP all -- * * 103.103.196.97 0.0.0.0/0
    0 0 DROP all -- * * 193.188.22.0/24 0.0.0.0/0
    0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.101.10 udp dpt:123
    1406K 1104M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    4003 286K ACCEPT all -- enp3s2 * 0.0.0.0/0 0.0.0.0/0
    5130 774K ACCEPT all -- p2p1 * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_SELF src,dst,dst
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set snortsam_EGRESS dst
    0 0 DROP all -- * * 0.0.0.0/0 101.188.165.241
    0 0 DROP all -- * * 0.0.0.0/0 103.107.236.182
    0 0 DROP all -- * * 0.0.0.0/0 103.224.182.243
    0 0 DROP all -- * * 0.0.0.0/0 104.153.108.74
    0 0 DROP all -- * * 0.0.0.0/0 104.194.218.51
    0 0 DROP all -- * * 0.0.0.0/0 109.236.32.0/22
    0 0 DROP all -- * * 0.0.0.0/0 113.96.223.207
    0 0 DROP all -- * * 0.0.0.0/0 115.231.220.215
    0 0 DROP all -- * * 0.0.0.0/0 119.27.184.92
    0 0 DROP all -- * * 0.0.0.0/0 122.114.151.106
    0 0 DROP all -- * * 0.0.0.0/0 120.76.0.0/14
    0 0 DROP all -- * * 0.0.0.0/0 122.144.0.0/16
    0 0 DROP all -- * * 0.0.0.0/0 122.228.10.51
    0 0 DROP all -- * * 0.0.0.0/0 122.96.29.23
    0 0 DROP all -- * * 0.0.0.0/0 124.149.199.6
    0 0 DROP all -- * * 0.0.0.0/0 125.36.0.0/14
    0 0 DROP all -- * * 0.0.0.0/0 13.113.224.207
    0 0 DROP all -- * * 0.0.0.0/0 13.77.46.77
    0 0 DROP all -- * * 0.0.0.0/0 13.77.58.33
    0 0 DROP all -- * * 0.0.0.0/0 137.226.113.9
    0 0 DROP all -- * * 0.0.0.0/0 149.56.149.29
    0 0 DROP all -- * * 0.0.0.0/0 163.172.23.6
    0 0 DROP all -- * * 0.0.0.0/0 164.160.0.0/16
    0 0 DROP all -- * * 0.0.0.0/0 164.52.24.140
    0 0 DROP all -- * * 0.0.0.0/0 167.114.15.64/29
    0 0 DROP all -- * * 0.0.0.0/0 167.114.189.192/29
    0 0 DROP all -- * * 0.0.0.0/0 169.229.3.91
    0 0 DROP all -- * * 0.0.0.0/0 172.192.14.51
    0 0 DROP all -- * * 0.0.0.0/0 176.57.180.22
    0 0 DROP all -- * * 0.0.0.0/0 177.84.136.0/22
    0 0 DROP all -- * * 0.0.0.0/0 182.151.211.213
    0 0 DROP all -- * * 0.0.0.0/0 183.136.202.244
    0 0 DROP all -- * * 0.0.0.0/0 185.143.220.13
    0 0 DROP all -- * * 0.0.0.0/0 185.143.223.191
    0 0 DROP all -- * * 0.0.0.0/0 185.200.118.0/25
    0 0 DROP all -- * * 0.0.0.0/0 185.202.103.51
    0 0 DROP all -- * * 0.0.0.0/0 185.246.210.0/24
    0 0 DROP all -- * * 0.0.0.0/0 185.30.166.0/24
    0 0 DROP all -- * * 0.0.0.0/0 187.49.236.185
    0 0 DROP all -- * * 0.0.0.0/0 191.53.0.0/16
    0 0 DROP all -- * * 0.0.0.0/0 192.102.6.0/23
    0 0 DROP all -- * * 0.0.0.0/0 192.99.98.104
    0 0 DROP all -- * * 0.0.0.0/0 193.104.68.17
    0 0 DROP all -- * * 0.0.0.0/0 193.112.190.175
    0 0 DROP all -- * * 0.0.0.0/0 194.74.181.123
    0 0 DROP all -- * * 0.0.0.0/0 195.22.22.20
    0 0 DROP all -- * * 0.0.0.0/0 200.229.202.176
    0 0 DROP all -- * * 0.0.0.0/0 202.104.118.193
    0 0 DROP all -- * * 0.0.0.0/0 206.128.153.219
    0 0 DROP all -- * * 0.0.0.0/0 208.100.26.231
    0 0 DROP all -- * * 0.0.0.0/0 213.202.230.144
    0 0 DROP all -- * * 0.0.0.0/0 218.75.37.18
    0 0 DROP all -- * * 0.0.0.0/0 218.75.40.149
    0 0 DROP all -- * * 0.0.0.0/0 23.101.224.255
    0 0 DROP all -- * * 0.0.0.0/0 34.209.137.10
    0 0 DROP all -- * * 0.0.0.0/0 34.244.30.148
    0 0 DROP all -- * * 0.0.0.0/0 37.187.148.221
    0 0 DROP all -- * * 0.0.0.0/0 37.49.224.0/22
    0 0 DROP all -- * * 0.0.0.0/0 38.123.205.178
    0 0 DROP all -- * * 0.0.0.0/0 38.69.156.147
    0 0 DROP all -- * * 0.0.0.0/0 46.161.27.27
    0 0 DROP all -- * * 0.0.0.0/0 46.161.27.0/24
    0 0 DROP all -- * * 0.0.0.0/0 46.161.55.106
    0 0 DROP all -- * * 0.0.0.0/0 46.229.170.197
    0 0 DROP all -- * * 0.0.0.0/0 5.101.40.82
    0 0 DROP all -- * * 0.0.0.0/0 5.39.218.36
    0 0 DROP all -- * * 0.0.0.0/0 54.186.17.27
    0 0 DROP all -- * * 0.0.0.0/0 54.205.74.35
    0 0 DROP all -- * * 0.0.0.0/0 54.207.11.46
    0 0 DROP all -- * * 0.0.0.0/0 54.233.236.68
    0 0 DROP all -- * * 0.0.0.0/0 58.48.28.220
    0 0 DROP all -- * * 0.0.0.0/0 60.191.29.20
    0 0 DROP all -- * * 0.0.0.0/0 60.191.38.77
    0 0 DROP all -- * * 0.0.0.0/0 61.139.77.172
    0 0 DROP all -- * * 0.0.0.0/0 63.251.20.151
    0 0 DROP all -- * * 0.0.0.0/0 66.240.205.34
    0 0 DROP all -- * * 0.0.0.0/0 66.240.236.119
    0 0 DROP all -- * * 0.0.0.0/0 69.16.196.163
    0 0 DROP all -- * * 0.0.0.0/0 72.141.23.160
    0 0 DROP all -- * * 0.0.0.0/0 73.65.208.195
    0 0 DROP all -- * * 0.0.0.0/0 74.91.122.249
    0 0 DROP all -- * * 0.0.0.0/0 77.220.180.235
    0 0 DROP all -- * * 0.0.0.0/0 80.82.70.210
    0 0 DROP all -- * * 0.0.0.0/0 80.82.77.0/24
    0 0 DROP all -- * * 0.0.0.0/0 85.94.204.144/28
    0 0 DROP all -- * * 0.0.0.0/0 91.197.232.11
    0 0 DROP all -- * * 0.0.0.0/0 91.200.12.179
    0 0 DROP all -- * * 0.0.0.0/0 91.200.12.28
    0 0 DROP all -- * * 0.0.0.0/0 92.60.16.0/23
    0 0 DROP all -- * * 0.0.0.0/0 93.55.122.185
    0 0 DROP all -- * * 0.0.0.0/0 94.102.48.0/20
    0 0 DROP all -- * * 0.0.0.0/0 95.25.165.0/24
    0 0 DROP all -- * * 0.0.0.0/0 95.25.225.197
    0 0 DROP all -- * * 0.0.0.0/0 185.17.120.0/22
    0 0 DROP all -- * * 0.0.0.0/0 154.118.32.0/23
    0 0 DROP all -- * * 0.0.0.0/0 62.210.77.54
    0 0 DROP all -- * * 0.0.0.0/0 199.66.88.0/21
    0 0 DROP all -- * * 0.0.0.0/0 183.160.0.0/16
    0 0 DROP all -- * * 0.0.0.0/0 146.88.240.0/20
    0 0 DROP all -- * * 0.0.0.0/0 192.241.219.147
    0 0 DROP all -- * * 0.0.0.0/0 181.56.0.0/13
    0 0 DROP all -- * * 0.0.0.0/0 85.217.192.0/20
    0 0 DROP all -- * * 0.0.0.0/0 195.24.192.0/19
    0 0 DROP all -- * * 0.0.0.0/0 185.202.2.0/24
    0 0 DROP all -- * * 0.0.0.0/0 111.160.0.0/13
    0 0 DROP all -- * * 0.0.0.0/0 113.58.0.0/16
    0 0 DROP all -- * * 0.0.0.0/0 71.6.135.0/24
    0 0 DROP all -- * * 0.0.0.0/0 119.112.0.0/13
    0 0 DROP all -- * * 0.0.0.0/0 119.39.0.0/16
    0 0 DROP all -- * * 0.0.0.0/0 123.160.0.0/14
    0 0 DROP all -- * * 0.0.0.0/0 182.128.0.0/12
    0 0 DROP all -- * * 0.0.0.0/0 222.176.0.0/12
    0 0 DROP all -- * * 0.0.0.0/0 58.48.0.0/13
    0 0 DROP all -- * * 0.0.0.0/0 180.163.113.82
    0 0 DROP all -- * * 0.0.0.0/0 122.228.19.64/27
    0 0 DROP all -- * * 0.0.0.0/0 115.238.44.0/24
    0 0 DROP all -- * * 0.0.0.0/0 95.170.72.0/24
    0 0 DROP all -- * * 0.0.0.0/0 37.97.254.27
    0 0 DROP all -- * * 0.0.0.0/0 185.138.248.0/22
    0 0 DROP all -- * * 0.0.0.0/0 194.0.16.0/20
    0 0 DROP all -- * * 0.0.0.0/0 185.234.219.63
    0 0 DROP all -- * * 0.0.0.0/0 103.37.114.0/24
    0 0 DROP all -- * * 0.0.0.0/0 69.94.128.0/19
    0 0 DROP all -- * * 0.0.0.0/0 172.104.0.0/15
    0 0 DROP all -- * * 0.0.0.0/0 41.217.96.0/19
    0 0 DROP all -- * * 0.0.0.0/0 180.212.37.64
    0 0 DROP all -- * * 0.0.0.0/0 195.22.126.0/23
    0 0 DROP all -- * * 0.0.0.0/0 83.97.20.0/24
    0 0 DROP all -- * * 0.0.0.0/0 5.136.0.0/13
    0 0 DROP all -- * * 0.0.0.0/0 95.24.0.0/13
    0 0 DROP all -- * * 0.0.0.0/0 176.208.0.0/13
    0 0 DROP all -- * * 0.0.0.0/0 178.64.0.0/13
    0 0 DROP all -- * * 0.0.0.0/0 178.154.0.0/17
    0 0 DROP all -- * * 0.0.0.0/0 178.154.128.0/17
    0 0 DROP all -- * * 0.0.0.0/0 37.9.0.0/20
    0 0 DROP all -- * * 0.0.0.0/0 45.150.206.0/23
    0 0 DROP all -- * * 0.0.0.0/0 212.70.149.0/24
    0 0 DROP all -- * * 0.0.0.0/0 92.63.194.0/24
    0 0 DROP all -- * * 0.0.0.0/0 45.141.86.0/24
    0 0 DROP all -- * * 0.0.0.0/0 142.4.0.0/19
    0 0 DROP all -- * * 0.0.0.0/0 162.144.0.0/16
    0 0 DROP all -- * * 0.0.0.0/0 103.89.88.86
    0 0 DROP all -- * * 0.0.0.0/0 91.150.64.0/18
    0 0 DROP all -- * * 0.0.0.0/0 177.8.248.0/22
    0 0 DROP all -- * * 0.0.0.0/0 198.108.66.0/23
    0 0 DROP all -- * * 0.0.0.0/0 185.153.196.0/22
    0 0 DROP all -- * * 0.0.0.0/0 185.10.184.0/22
    0 0 DROP all -- * * 0.0.0.0/0 174.136.14.0/24
    0 0 DROP all -- * * 0.0.0.0/0 109.236.32.0/22
    0 0 DROP all -- * * 0.0.0.0/0 193.32.161.0/24
    0 0 DROP all -- * * 0.0.0.0/0 61.219.11.0/24
    0 0 DROP all -- * * 0.0.0.0/0 195.62.47.0/24
    0 0 DROP all -- * * 0.0.0.0/0 150.109.0.0/16
    0 0 DROP all -- * * 0.0.0.0/0 66.240.192.138
    0 0 DROP all -- * * 0.0.0.0/0 60.191.40.196
    0 0 DROP all -- * * 0.0.0.0/0 138.121.0.0/16
    0 0 DROP all -- * * 0.0.0.0/0 185.100.87.191
    0 0 DROP all -- * * 0.0.0.0/0 185.100.87.247
    0 0 DROP all -- * * 0.0.0.0/0 185.222.211.0/24
    0 0 DROP all -- * * 0.0.0.0/0 14.128.0.0/10
    0 0 DROP all -- * * 0.0.0.0/0 199.254.28.0/22
    0 0 DROP all -- * * 0.0.0.0/0 199.249.112.0/20
    0 0 DROP all -- * * 0.0.0.0/0 192.200.202.0/24
    0 0 DROP all -- * * 0.0.0.0/0 185.138.250.0/27
    0 0 DROP all -- * * 0.0.0.0/0 10.195.126.108
    0 0 DROP all -- * * 0.0.0.0/0 103.103.196.97
    0 0 DROP all -- * * 0.0.0.0/0 193.188.22.0/24
    1208K 1795M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * pptp+ 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    301K 51M ACCEPT all -- * enp3s2 0.0.0.0/0 0.0.0.0/0
    1226K 1763M ACCEPT all -- * p2p1 0.0.0.0/0 0.0.0.0/0
    3938 592K ACCEPT icmp -- * ppp0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
    0 0 ACCEPT tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
    0 0 ACCEPT tcp -- * ppp0 76.10.xxx.xxx 0.0.0.0/0 tcp spt:1875
    996 65492 ACCEPT tcp -- * ppp0 76.10.xxx.xxx 0.0.0.0/0 tcp spt:80
    288 87563 ACCEPT tcp -- * ppp0 76.10.xxx.xxx 0.0.0.0/0 tcp spt:443
    647 240K ACCEPT tcp -- * ppp0 76.10.xxx.xxx 0.0.0.0/0 tcp spt:993
    56 4256 ACCEPT udp -- * ppp0 76.10.xxx.xxx 0.0.0.0/0 udp spt:123
    0 0 ACCEPT udp -- * ppp0 76.10.xxx.xxx 0.0.0.0/0 udp spt:1194
    1 44 ACCEPT tcp -- * ppp0 76.10.xxx.xxx 0.0.0.0/0 tcp spt:1194
    0 0 ACCEPT tcp -- * ppp0 76.10.xxx.xxx 0.0.0.0/0 tcp spt:995
    1231 125K ACCEPT tcp -- * ppp0 76.10.xxx.xxx 0.0.0.0/0 tcp spt:25
    31 8547 ACCEPT tcp -- * ppp0 76.10.xxx.xxx 0.0.0.0/0 tcp spt:587
    1236 371K ACCEPT tcp -- * ppp0 76.10.xxx.xxx 0.0.0.0/0 tcp spt:465
    27 1388 ACCEPT tcp -- * ppp0 76.10.xxx.xxx 0.0.0.0/0 tcp spt:81
    690K 43M ACCEPT all -- * ppp0 0.0.0.0/0 0.0.0.0/0

    Chain DROP-lan (0 references)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

    Sunday, December 20 2020, 08:01 PM - #Permalink
    Did you by any chance set either LAN as HotLAN? If so, it has internet only and no connectivity to other LANs. What is the output to "iptables -nvL" (between code tags, please).
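    The "iptables -nvL" output asked for here is what shows whether traffic between the two LAN interfaces is being forwarded or dropped. As an added example (not code from the thread or from ClearOS), below is a small parser for that output format and a walker that follows the FORWARD chain, and any user chain it jumps to, for a packet entering one interface and leaving another. The sample output is constructed: unlike the real dump posted in this thread, where DROP-lan shows "(0 references)" and so is never reached, it jumps wired-to-WiFi traffic (enp3s2 to p2p1, the interface names from the dump) into a DROP-lan chain to show what a blocked LAN-to-LAN path looks like. Only catch-all rules (any protocol, any source and destination, no extra match) are evaluated, so per-host DROP rules such as the long list above are not simulated, and how ClearOS actually implements HotLAN is an assumption, not something the thread states.

```python
# Added example, not code from the thread or from ClearOS: parse the text
# output of `iptables -nvL` and follow the FORWARD chain for LAN-to-LAN traffic.
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample output (not the dump posted in the thread): FORWARD
# jumps wired->WiFi traffic into a DROP-lan chain, which drops everything.
SAMPLE_NVL = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP-lan   all  --  enp3s2 p2p1    0.0.0.0/0            0.0.0.0/0
  120  9000 ACCEPT     all  --  enp3s2 *       0.0.0.0/0            0.0.0.0/0
   50  4000 ACCEPT     all  --  p2p1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  ppp0   enp3s2  0.0.0.0/0            0.0.0.0/0            udp dpt:1194

Chain DROP-lan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    target: str
    prot: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str          # trailing match text, e.g. "udp dpt:1194"


@dataclass
class Chain:
    policy: Optional[str]           # built-in chains have one; user chains do not
    rules: list = field(default_factory=list)


CHAIN_HEADER = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_iptables(text: str) -> dict:
    """Map chain name -> Chain from `iptables -nvL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_HEADER.match(line.strip())
        if m:
            current = Chain(policy=m.group(2))
            chains[m.group(1)] = current
            continue
        cols = line.split()
        # Skip blank lines and the column header; a rule line has at least
        # pkts bytes target prot opt in out source destination.
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue
        current.rules.append(Rule(target=cols[2], prot=cols[3], in_if=cols[5],
                                  out_if=cols[6], source=cols[7], dest=cols[8],
                                  extra=" ".join(cols[9:])))
    return chains


def iface_matches(pattern: str, iface: str) -> bool:
    """Interface column semantics: '*' any, 'tun+' prefix, '!eth0' negated."""
    if pattern.startswith("!"):
        return not iface_matches(pattern[1:], iface)
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def catch_all(rule: Rule) -> bool:
    """True if the rule matches every packet between its interfaces."""
    return (rule.prot == "all" and rule.source == "0.0.0.0/0"
            and rule.dest == "0.0.0.0/0" and not rule.extra)


def forward_verdict(chains: dict, in_if: str, out_if: str,
                    chain: str = "FORWARD", path=None):
    """Walk `chain` (default FORWARD) for a packet from in_if to out_if,
    following jumps into user chains.  Only catch-all rules are evaluated.
    Returns (verdict, list of chains visited); verdict is None when a user
    chain falls off its end, i.e. implicitly RETURNs to the caller."""
    path = (path or []) + [chain]
    for rule in chains[chain].rules:
        if not (iface_matches(rule.in_if, in_if)
                and iface_matches(rule.out_if, out_if) and catch_all(rule)):
            continue
        if rule.target in TERMINAL:
            return rule.target, path
        if rule.target == "RETURN":
            break
        if rule.target in chains:                     # jump to a user chain
            verdict, sub = forward_verdict(chains, in_if, out_if, rule.target, path)
            if verdict is not None:
                return verdict, sub
        # LOG, MARK and similar targets are non-terminal: keep walking.
    policy = chains[chain].policy
    return (policy, path) if policy else (None, path)


if __name__ == "__main__":
    chains = parse_iptables(SAMPLE_NVL)
    for a, b in (("enp3s2", "p2p1"), ("p2p1", "enp3s2"), ("ppp0", "enp3s2")):
        print(f"{a} -> {b}: {forward_verdict(chains, a, b)}")
```

    To use it on a real gateway, save the output of "iptables -nvL" to a file and pass its contents to parse_iptables(); a verdict whose path goes through a user chain tells you which chain to look at in the ClearOS configuration, while a verdict that falls through to the chain policy means no rule accepted the traffic at all.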

    nuke
    Sunday, December 20 2020, 07:49 PM - #Permalink
    I have moved the WIFI segment to 192.168.100.x. That change was easy and seamless but didn't fix the problem. :-(

    The devices on the 192.168.100.x segment can access the internet OK but I still can't connect to devices from 192.168.101.x to 192.168.100.x. When I ping from 192.168.101.123 to 192.168.100.2 (WIFI access point), I get nothing; 100% packet loss.

    I thought the ClearOS 7 gateway was supposed to automatically route between multiple LAN segments?

    Is it possible that there is something missing in the default routing table or something like that?

    nuke
    Thursday, December 17 2020, 02:33 AM - #Permalink
    Thanks again for your help, Nick.

    The idea of moving the WIFI to the 192.168.100 is brilliant. That would be the least amount of changing of IPs.
    Nick Howitt wrote:

    BTW what is acting as the DHCP server on your WiFi subnet? You indicate the WAP.

    For NTP, you can make ClearOS hand out its LAN address by DHCP by configuring the DHCP server, but I am not sure what devices use it. You can manually configure Windows to use it, but it is not automatic, I think.


    I have the server acting as the DHCP server for both subnets. This seemed to be the easiest and most logical for me. Besides, the DHCP is not an option on the WIFI access point because it's just acting as an access point.

    I have NTP pointing to the clear.ntp servers and have configured the server to also act as the local NTP server. Both segment DHCP have the server address as the NTP server. But for some reason the WIFI access point won't accept or find it.

    I still think there is something wrong in the network settings because I can't connect to the WIFI access point when I'm on the wired segment. I can only access the WIFI access point when I'm on the WIFI segment. This makes me think the routing is flawed somehow but I haven't a clue where I could have set it up wrong.

    Wednesday, December 16 2020, 03:27 PM - #Permalink
    I am not sure why you think you have goofed. Yes, you can't make a single /23 subnet out of them, but why do you want to? It can simplify setting up an IPsec VPN. If you want, you can change and the easiest way to do it is to switch the 102 subnet to 100. Many people would say keep the subnets further apart for future flexibility. Personally I use 172.17.2 for my LAN and .0 for OpenVPN with fixed OpenVPN IPs using .3 (a manual set up), and yes, it is a mess, but everything fits into a /22 subnet for IPsec. One of these days I may make the OpenVPN subnets adjacent,

    BTW what is acting as the DHCP server on your WiFi subnet? You indicate the WAP.

    For NTP, you can make ClearOS hand out its LAN address by DHCP by configuring the DHCP server, but I am not sure what devices use it. You can manually configure Windows to use it, but it is not automatic, I think.

    nuke
    Wednesday, December 16 2020, 02:10 PM - #Permalink
    Thank you Nick.

    Nick Howitt wrote:

    What do you mean by LAN segments? Are they separate NIC's? Or two logical blocks on a single NIC?


    I have static IPs below 192.168.101.80 for a couple of printers and 2 VMs. From 192.168.101.100 to 254 are available for wired/ethernet devices with DHCP from the server. This is connected via 1 ethernet card (NIC) on the server.

    The IP range 192.168.102.100-254 is on a WIFI segment that has its own network card (NIC) on the server.

    It looks like this:

    Internet modem <-> Network card <-> Clear server <1> network card <-> switch <-> wired/ethernet connected devices
    <2> network card <-> wifi access point <-> DHCP WIFI enabled devices


    Nick Howitt wrote:

    Are you using ClearOS as an NTP server or is it a separate device?


    Yes, I did try to do this. I don't know exactly if it is working properly for locally connected devices.

    As I mentioned in the initial post, it looks like I've goofed by using an IP range that spans two "normal" blocks. I don't know the correct terminology. The calculator suggested 192.168.100.x to 192.166.101.x for two segments rather than 192.168.101.x to 192.168.102.x. I think then it can have a proper 192.168.100.0/23 with 255.255.254.0 to span the two segments. ???

    Wednesday, December 16 2020, 08:41 AM - #Permalink
    There are wrong ways of setting up your NICs but no specific right way. There are some rules you have to follow. You can never use the network address (the bottom address of a subnet), so, in a /24 network, not the .0 address. You must also not use the broadcast address (the top address of a subnet), so, in a /24 subnet, not the .255 address. It is always advisable to leave a block free for static addresses. ClearOS also uses .80-.99 for the PPTP VPN. It then suggests using .100-.254 for DHCP which leaves .1-.79 for static IPs including the ClearOS LAN IP. Typically a gateway is given either a .1 or .254 address but there is no rule to say it has to. This would apply to the ClearOS LAN IP in gateway mode. It is very important that you don't have more than one device on the network with the same IP. In ClearOS you can allocate static leases both from inside and outside the DHCP server range of IPs and the DHCP server will work correctly, but not all routers work like this. Static IPs must be outside any DHCP or Static Lease scope.

    I personally try to work slightly differently in that I prefer to work with hex blocks. I have a VM server which I give a .16 address and the VMs on it are then .17-.31 which is a neat segment. My DHCP range is .128-.191. The advantage of this regime is that you can create rules for specific subnets, so all my DHCP IPs are in a /26 subnet. Where I can identify them, I give most devices a static IP lease and an entry in the hosts file, but, with the IoT, this is getting onerous even in a home. So many things are now internet enabled these days.

    What do you mean by LAN segments? Are they separate NICs? Or two logical blocks on a single NIC?

    Are you using ClearOS as an NTP server or is it a separate device?
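    As an added example (not code from the thread or from ClearOS), the addressing rules laid out in this reply checked with Python's standard-library ipaddress module: the unusable network and broadcast addresses of a /24, the .80-.99 PPTP pool and .100-.254 DHCP scope quoted above, whether a range such as .128-.191 (the /26 DHCP block) or .16-.31 (the VM block) is exactly one aligned CIDR block, and the /23 question raised elsewhere in the thread, i.e. whether two adjacent /24s merge into one prefix (192.168.100.0/24 and 192.168.101.0/24 do; 192.168.101.0/24 and 192.168.102.0/24 do not, because 101 is odd). The offset ranges and sample addresses come from the posts; the function names are my own, and the assumption is that nothing beyond the PPTP pool and DHCP scope is reserved.

```python
# Added example, not code from the thread or from ClearOS: checks the
# /24 addressing rules described in the reply above with the standard library.
import ipaddress
from typing import Optional

# Offsets within a /24 as stated in the reply: .80-.99 reserved for the
# PPTP VPN, .100-.254 suggested for the DHCP scope.  Assumption: nothing
# else is reserved, so everything below .80 is available for static IPs.
PPTP_OFFSETS = range(80, 100)
DHCP_OFFSETS = range(100, 255)


def describe_address(addr: str, prefixlen: int = 24) -> str:
    """Say what role an address can play inside its /prefixlen subnet."""
    iface = ipaddress.ip_interface(f"{addr}/{prefixlen}")
    net, ip = iface.network, iface.ip
    if ip == net.network_address:
        return "network address (unusable)"
    if ip == net.broadcast_address:
        return "broadcast address (unusable)"
    offset = int(ip) - int(net.network_address)   # the last octet for a /24
    if offset in PPTP_OFFSETS:
        return "PPTP VPN pool"
    if offset in DHCP_OFFSETS:
        return "DHCP scope"
    return "static"


def supernet_of(*nets: str) -> Optional[str]:
    """Smallest single prefix that is exactly the union of the given
    networks, or None if they do not merge into one (e.g. .101 and .102)."""
    merged = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in nets))
    return str(merged[0]) if len(merged) == 1 else None


def block_for_range(first: str, last: str) -> Optional[str]:
    """CIDR block if first..last is exactly one aligned block, else None."""
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return str(blocks[0]) if len(blocks) == 1 else None


def usable_hosts(net: str) -> int:
    """Host addresses excluding the network and broadcast addresses."""
    return ipaddress.ip_network(net).num_addresses - 2


if __name__ == "__main__":
    for a in ("192.168.101.0", "192.168.101.10", "192.168.101.85",
              "192.168.101.123", "192.168.101.255"):
        print(f"{a:16} {describe_address(a)}")
    print(supernet_of("192.168.100.0/24", "192.168.101.0/24"))  # 192.168.100.0/23
    print(supernet_of("192.168.101.0/24", "192.168.102.0/24"))  # None
    print(block_for_range("192.168.1.128", "192.168.1.191"))    # 192.168.1.128/26
    print(block_for_range("192.168.1.100", "192.168.1.254"))    # None
```

    The last call is the point of the hex-block advice: the ClearOS default scope .100-.254 is not one aligned block, so it cannot be matched by a single subnet firewall rule, whereas .128-.191 is exactly a /26 and can.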