I have an IPsec connection (tunnel mode) on which, after about 15 minutes without traffic, ping stops working and can only be resumed if the ping is initiated from the other end.
The setup consists of two routers running Linux Openswan 1.5.13-6-g96f6187-dirty (klips).
Below are the configs and the logs from when it works and when it does not.
I am fairly new to IPsec. I tried enabling rekey and compression, but with no luck. The iptables rules look the same when ping works and when it stops working.
DEVICE_1
config setup
    interfaces="ipsec0=wwan0"
    klipsdebug=all
    plutodebug=all
    plutostderrlog=/var/logs/ipsecerr.log
    uniqueids=no
    protostack=klips

conn %default
    keyingtries=0
    authby=secret
    connaddrfamily=ipv4
    type=tunnel
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    compress=no
    rekey=no
    auto=start
    leftupdown="ipsec _updown"

conn remote
    leftid=@Device_1
    left=82.79.119.159
    leftsubnet=10.0.0.0/24
    leftsourceip=10.0.0.250
    #leftnexthop=
    rightid=@Device_2
    right=82.79.119.160
    rightsubnet=10.0.1.5/24
    #rightsourceip=
    #rightnexthop=
    auto=start

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

conn OEself
    auto=ignore
Device_2
config setup
    interfaces="ipsec0=wwan0"
    klipsdebug=all
    plutodebug=all
    plutostderrlog=/var/logs/ipsecerr.log
    uniqueids=no
    protostack=klips

conn %default
    keyingtries=0
    authby=secret
    connaddrfamily=ipv4
    type=tunnel
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    compress=no
    rekey=no
    auto=start
    leftupdown="ipsec _updown"

conn remote
    leftid=@Device_2
    left=82.79.119.160
    leftsubnet=10.0.1.0/24
    leftsourceip=10.0.1.250
    #leftnexthop=
    rightid=@Device_1
    right=82.79.119.159
    rightsubnet=10.0.0.5/24
    #rightsourceip=
    #rightnexthop=
    auto=start

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

conn OEself
    auto=ignore
Logs
When ping works:
ipsec_tunnel_start_xmit: STARTING
klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=98 hard_header_len:14 aa:92:55:00:cc:e5:aa:92:55:00:cc:e5:08:00
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 34,28
klips_debug:ipsec_findroute: 10.0.0.5:0->10.0.1.5:0 1
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE, udp/4500 NAT-T, ESP or AH packets saddr=10.0.0.5, er=0pc31f8be0, daddr=10.0.1.5, er_dst=524f77a0, proto=1 sport=0 dport=0
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=234 of SA:tun.1005@82.79.119.160 requested.
ipsec_sa_get: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_xmit_init2: found ipsec_sa -- SA:<IPIP> tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: calling room for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 20,0
klips_debug:ipsec_xmit_init2: calling room for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 0,0
klips_debug:ipsec_xmit_init2: calling room for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 24,24
klips_debug:ipsec_xmit_init2: existing head,tailroom: 34,28 before applying xforms with head,tailroom: 44,24 .
klips_debug:ipsec_xmit_init2: mtu:1500 physmtu:1500 tothr:44 tottr:24 mtudiff:68 ippkttotlen:84
klips_info:ipsec_xmit_init2: dev ipsec0 mtu of 1500 decreased by 73 to 1427
klips_debug:ipsec_xmit_init2: allocating 14 bytes for hardheader.
klips_debug:ipsec_xmit_init2: head,tailroom: 48,28 after hard_header stripped.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_init2: head,tailroom: 76,160 after allocation
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_encap_init: calling output for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 20 bytes, putting 0, proto 4.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:ipsec_xmit_cont: after <IPIP>, SA:tun.1005@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:29293 frag_off:0 ttl:64 proto:4 chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 0 bytes, putting 0, proto 108.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:skb_compress: .
klips_debug:skb_compress: skipping compression of tiny packet, len=84.
klips_debug:ipsec_xmit_ipcomp: packet did not compress (flags = 1).
klips_debug:ipsec_xmit_cont: after <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:29293 frag_off:0 ttl:64 proto:4 chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 24 bytes, putting 24, proto 50.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 32,136 before xform.
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308180 idat=c32f164c ilen=96 iv=c32f163c, encrypt=1
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_xmit_cont: after <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:29293 frag_off:0 ttl:64 proto:50 (ESP) chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (4--) decremented by ipsec_xmit_cont:1286.
klips_debug:ipsec_findroute: 82.79.119.159:0->82.79.119.160:0 50
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:rj_match: *** start searching up the tree, t=0pc31f8be0
klips_debug:rj_match: **** t=0pc31f8bf8
klips_debug:rj_match: **** t=0pc3172680
klips_debug:rj_match: ***** cp2=0pc30963f8 cp3=0pc31d01d0
klips_debug:rj_match: ***** not found.
klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms -- head,tailroom: 32,136
klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final head,tailroom: 18,136
klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:wwan0
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:29293 frag_off:0 ttl:64 proto:50 (ESP) chk:29673 saddr:82.79.119.159 daddr:82.79.119.160
klips_debug: ipsec_rcv_init(st=0,nxt=1)
klips_debug:ipsec_rcv_init: <<< Info -- skb->dev=wwan0
klips_debug:ipsec_rcv_init: assigning packet ownership to virtual device ipsec0 from physical device wwan0.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:61055 frag_off:0 ttl:63 proto:50 (ESP) chk:63702 saddr:82.79.119.160 daddr:82.79.119.159
klips_debug: ipsec_rcv_decap_init(st=1,nxt=2)
klips_debug: ipsec_rcv_decap_lookup(st=2,nxt=3)
klips_debug: ipsec_rcv_auth_init(st=3,nxt=4)
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=158 of SA:esp.1f2673db@82.79.119.159 requested.
ipsec_sa_get: ipsec_sa c32a8000 SA:esp.1f2673db@82.79.119.159, ref:17 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_rcv_auth_init: SA:esp.1f2673db@82.79.119.159, src=82.79.119.160 of pkt agrees with expected SA source address policy.
klips_debug:ipsec_rcv_auth_init: SA:esp.1f2673db@82.79.119.159 First SA in group.
klips_debug:ipsec_rcv_auth_init: natt_type=0 tdbp->ips_natt_type=0 : ok
klips_debug:ipsec_rcv: packet from 82.79.119.160 received with seq=19 (iv)=0x77865e0e44db14b0 iplen=132 esplen=120 sa=esp.1f2673db@82.79.119.159
klips_debug: ipsec_rcv_auth_calc(st=5,nxt=6)
klips_debug:ipsec_rcv_auth_calc: encalg = 12, authalg = 3.
klips_debug: ipsec_rcv_auth_chk(st=6,nxt=7) - will check
klips_debug:ipsec_rcv_auth_chk: authentication successful.
klips_debug: ipsec_rcv_decrypt(st=7,nxt=8)
klips_debug:ipsec_rcv: encalg=12 esphlen=24
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308240 idat=c3bd223c ilen=96 iv=c3bd222c, encrypt=0
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_rcv_esp_post_decrypt: padlen=10, contents: 0x<offset>: 0x<value> 0x<value> ...
klips_debug: 00: 01 02 03 04 05 06 07 08 09 0a
klips_debug:ipsec_rcv_esp_post_decrypt: packet decrypted from 82.79.119.160: next_header = 4, padding = 10
klips_debug:ipsec_rcv: trimming to 84.
klips_debug: ipsec_rcv_decap_cont(st=8,nxt=9)
klips_debug: ipsec_rcv_auth_chk(st=8,nxt=9) - already checked
klips_debug:ipsec_rcv_decap_cont: after <ESP_AES_HMAC_SHA1>, SA:esp.1f2673db@82.79.119.159:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:61055 frag_off:0 ttl:63 proto:4 chk:63796 saddr:82.79.119.160 daddr:82.79.119.159
klips_debug:ipsec_rcv_decap_cont: SA:esp.1f2673db@82.79.119.159, Another IPSEC header to process.
klips_debug: ipsec_rcv_cleanup(st=9,nxt=11)
ipsec_sa_get: ipsec_sa c32a8800 SA:comp.b26d@82.79.119.159, ref:16 reference count (3++) incremented by ipsec_rcv_cleanup:1798.
ipsec_sa_get: ipsec_sa c3191400 SA:tun.1006@82.79.119.159, ref:15 reference count (3++) incremented by ipsec_rcv_cleanup:1815.
ipsec_sa_put: ipsec_sa c32a8000 SA:esp.1f2673db@82.79.119.159, ref:17 reference count (4--) decremented by ipsec_rcv_cleanup:1818.
klips_debug:ipsec_rcv_decap_ipip: IPIP tunnel stripped.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:34482 frag_off:0 ttl:63 proto:1 (ICMP) chk:57325 saddr:10.0.1.5 daddr:10.0.0.5 type:code=0:0
klips_debug:ipsec_rcv_decap_ipip: IPIP SA sets skb->nfmark=0x800f0000.
klips_debug: ipsec_rcv_complete(st=11,nxt=100)
klips_debug:ipsec_rcv_complete: netif_rx(ipsec0) called.
ipsec_sa_put: ipsec_sa c32a8800 SA:comp.b26d@82.79.119.159, ref:16 reference count (4--) decremented by ipsec_rsm:2019.
ipsec_sa_put: ipsec_sa c3191400 SA:tun.1006@82.79.119.159, ref:15 reference count (4--) decremented by ipsec_rsm:2024.
When ping does not work:
ipsec_tunnel_start_xmit: STARTING
klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=98 hard_header_len:14 aa:92:55:00:cc:e5:aa:92:55:00:cc:e5:08:00
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 34,28
klips_debug:ipsec_findroute: 10.0.0.5:0->10.0.1.5:0 1
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE, udp/4500 NAT-T, ESP or AH packets saddr=10.0.0.5, er=0pc31f8be0, daddr=10.0.1.5, er_dst=524f77a0, proto=1 sport=0 dport=0
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=234 of SA:tun.1005@82.79.119.160 requested.
ipsec_sa_get: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_xmit_init2: found ipsec_sa -- SA:<IPIP> tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: calling room for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 20,0
klips_debug:ipsec_xmit_init2: calling room for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 0,0
klips_debug:ipsec_xmit_init2: calling room for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_init2: Required head,tailroom: 24,24
klips_debug:ipsec_xmit_init2: existing head,tailroom: 34,28 before applying xforms with head,tailroom: 44,24 .
klips_debug:ipsec_xmit_init2: mtu:1500 physmtu:1500 tothr:44 tottr:24 mtudiff:68 ippkttotlen:84
klips_info:ipsec_xmit_init2: dev ipsec0 mtu of 1500 decreased by 73 to 1427
klips_debug:ipsec_xmit_init2: allocating 14 bytes for hardheader.
klips_debug:ipsec_xmit_init2: head,tailroom: 48,28 after hard_header stripped.
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_init2: head,tailroom: 76,160 after allocation
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_encap_init: calling output for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 20 bytes, putting 0, proto 4.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:ipsec_xmit_cont: after <IPIP>, SA:tun.1005@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:29295 frag_off:0 ttl:64 proto:4 chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c319a400 SA:tun.1005@82.79.119.160, ref:12 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 0 bytes, putting 0, proto 108.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:skb_compress: .
klips_debug:skb_compress: skipping compression of tiny packet, len=84.
klips_debug:ipsec_xmit_ipcomp: packet did not compress (flags = 1).
klips_debug:ipsec_xmit_cont: after <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:104 id:29295 frag_off:0 ttl:64 proto:4 chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b800 SA:comp.cdf5@82.79.119.160, ref:13 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_encap_init: pushing 24 bytes, putting 24, proto 50.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 32,136 before xform.
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308180 idat=c320cc4c ilen=96 iv=c320cc3c, encrypt=1
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_xmit_cont: after <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160:
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:29295 frag_off:0 ttl:64 proto:50 (ESP) chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b000 SA:esp.6f6b7c4e@82.79.119.160, ref:14 reference count (4--) decremented by ipsec_xmit_cont:1286.
klips_debug:ipsec_findroute: 82.79.119.159:0->82.79.119.160:0 50
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:rj_match: *** start searching up the tree, t=0pc31f8be0
klips_debug:rj_match: **** t=0pc31f8bf8
klips_debug:rj_match: **** t=0pc3172680
klips_debug:rj_match: ***** cp2=0pc30963f8 cp3=0pc31d01d0
klips_debug:rj_match: ***** not found.
klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms -- head,tailroom: 32,136
klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final head,tailroom: 18,136
klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:wwan0
klips_debug: IP: ihl:20 ver:4 tos:0 tlen:152 id:29295 frag_off:0 ttl:64 proto:50 (ESP) chk:29671 saddr:82.79.119.159 daddr:82.79.119.160
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* Control loopback interface input */
0 0 ACCEPT udp -- wwan0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:8080 /* Control web port connection attempts */
0 0 ACCEPT tcp -- wwan0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 flags:0x17/0x02 /* Control web port connection attempts */
342 49352 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Allow incoming WAN traffic in response to established connection */
0 0 DROP all -- wwan0 * 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
35 11480 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
7 203 ACCEPT all -- ipsec0 * 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
27 2268 ACCEPT all -- * ipsec0 0.0.0.0/0 0.0.0.0/0 state NEW /* Forward new connection attempts out WAN port */
464 38976 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Forward established connections (where?) */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* Control loopback interface output */
0 0 ACCEPT udp -- * wwan0 0.0.0.0/0 0.0.0.0/0 udp dpt:8080 /* Control web port connection attempts */
0 0 ACCEPT tcp -- * wwan0 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 flags:0x17/0x02 /* Control web port connection attempts */
0 0 ACCEPT all -- * ipsec0 0.0.0.0/0 0.0.0.0/0 state NEW /* Allow new outbound WAN connections */
360 52568 ACCEPT all -- * wwan0 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
0 0 ACCEPT all -- * ipsec0 0.0.0.0/0 0.0.0.0/0 /* Control interface traffic */
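
An added example, not part of the original post: a small triage script for KLIPS debug traces like the two above, reporting the outbound transform chain and the first stage at which the round trip stops on this host. The function names `summarize` and `verdict` are hypothetical, and the sample lines are a constructed excerpt copied from the first trace in the post.

```python
import re

# Constructed sample: a handful of lines copied from the first trace in the post.
WORKING = """\
klips_debug:ipsec_xmit_encap_init: calling output for <IPIP>, SA:tun.1005@82.79.119.160
klips_debug:ipsec_xmit_encap_init: calling output for <COMP_DEFLATE>, SA:comp.cdf5@82.79.119.160
klips_debug:ipsec_xmit_encap_init: calling output for <ESP_AES_HMAC_SHA1>, SA:esp.6f6b7c4e@82.79.119.160
klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:wwan0
klips_debug:ipsec_rcv: packet from 82.79.119.160 received with seq=19 (iv)=0x77865e0e44db14b0 iplen=132 esplen=120 sa=esp.1f2673db@82.79.119.159
klips_debug:ipsec_rcv_auth_chk: authentication successful.
klips_debug:ipsec_rcv_complete: netif_rx(ipsec0) called.
"""
# The second trace in the post has the same transmit lines and then stops.
FAILING = "\n".join(WORKING.splitlines()[:4])

XFORM = re.compile(r"ipsec_xmit_encap_init: calling output for <(\w+)>, SA:(\S+)")
SENT = re.compile(r"ipsec_xmit_send: \.\.\.done, calling ip_send\(\) on device:(\S+)")
RCVD = re.compile(r"ipsec_rcv: packet from (\S+) received with seq=(\d+) .* sa=(\S+)")

def summarize(trace):
    """Count what KLIPS transmitted, received, authenticated and delivered."""
    s = {"out_sas": [], "sent": 0, "rcvd": [], "auth_ok": 0, "delivered": 0}
    for line in trace.splitlines():
        if m := XFORM.search(line):
            s["out_sas"].append((m.group(1), m.group(2)))  # (transform, SA id)
        elif SENT.search(line):
            s["sent"] += 1
        elif m := RCVD.search(line):
            s["rcvd"].append({"peer": m.group(1), "seq": int(m.group(2)), "sa": m.group(3)})
        elif "ipsec_rcv_auth_chk: authentication successful" in line:
            s["auth_ok"] += 1
        elif "ipsec_rcv_complete: netif_rx(" in line:
            s["delivered"] += 1
    return s

def verdict(s):
    """Name the first stage at which the round trip stops on this host."""
    if s["sent"] == 0:
        return "no-tx: nothing was handed to ip_send()"
    if not s["rcvd"]:
        return "one-way: ESP was sent, no inbound ESP reached KLIPS"
    if s["auth_ok"] < len(s["rcvd"]):
        return "auth-fail: inbound ESP did not pass the integrity check"
    if s["delivered"] < len(s["rcvd"]):
        return "not-delivered: decrypted packet never reached ipsec0"
    return "two-way: inbound ESP authenticated and delivered"

if __name__ == "__main__":
    for name, trace in (("works", WORKING), ("fails", FAILING)):
        s = summarize(trace)
        print(name, [t for t, _ in s["out_sas"]], s["sent"], len(s["rcvd"]), verdict(s))
```

Run over the trace captured on the peer at the same moment, the result separates the two directions: `ipsec_rcv` lines on the peer mean the request arrived and the reply path is at fault, while none mean the request itself never reached the peer's KLIPS.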