qemu-kvm 0.11.0-0ubuntu5, virtualized proxy, useless

Bug #452712 reported by Norberto Bensa
This bug affects 1 person
Affects            Status        Importance  Assigned to  Milestone
QEMU               Fix Released  Low         Unassigned
qemu-kvm (Ubuntu)  Fix Released  Low         Unassigned

Bug Description

Hello,

since qemu-kvm-0.11.0-0ubuntu5, my virtualized proxy is completely useless.

What works:

* ping from anyhost to anyhost
* tcp/udp from virtualized proxy to any host
* tcp/udp from any host in the local network to any host in the local network.

What doesn't work:

* tcp/udp from vms and host to internet (virtualized proxy is the only vm that works)
* tcp/udp to vms and host from internet (virtualized proxy is the only vm that works)

Maybe a virtualized proxy is not a typical application for VMs, but this was working before qemu-kvm, and I can't see why it shouldn't work anymore.

Below is the configuration for host (venkman) and proxy vm (gozer). If something is missing and/or you need more info, please let me know.

Host machine:

This shows ping (icmp) works:

zoolook@venkman:~$ sudo tracepath -n www.google.com
[sudo] password for zoolook:
 1: 10.11.101.200 0.137ms pmtu 1500
 1: 10.11.101.254 0.468ms
 1: 10.11.101.254 0.506ms
 2: 10.0.0.1 1.844ms
 3: no reply
 4: no reply
 5: no reply
 6: 200.89.165.209 16.644ms asymm 11
 7: 200.89.165.198 16.033ms asymm 10
 8: 200.42.42.165 19.561ms
 9: 200.42.42.113 22.620ms
10: 200.42.42.125 21.520ms asymm 9
11: 64.214.130.253 191.095ms asymm 28
12: no reply
13: 129.250.4.161 191.672ms asymm 21
14: 129.250.2.184 197.352ms asymm 19
15: no reply
16: 129.250.12.114 191.514ms asymm 19
17: no reply
18: no reply
19: no reply
20: no reply
21: no reply
22: no reply
23: no reply
24: no reply
25: no reply
^C

zoolook@venkman:~$ ping www.google.com
PING google.navigation.opendns.com (208.69.32.231) 56(84) bytes of data.
64 bytes from google.navigation.opendns.com (208.69.32.231): icmp_seq=1 ttl=43 time=193 ms
64 bytes from google.navigation.opendns.com (208.69.32.231): icmp_seq=2 ttl=44 time=206 ms
64 bytes from google.navigation.opendns.com (208.69.32.231): icmp_seq=3 ttl=45 time=189 ms
^C
--- google.navigation.opendns.com ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3000ms
rtt min/avg/max/mdev = 189.028/196.364/206.533/7.439 ms

(links2, wget, apt-get, firefox, kopete, all die after some time, I wager from dropped packets)

zoolook@venkman:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet manual

auto eth1
iface eth1 inet manual

auto br0
iface br0 inet static
        address 10.11.101.200
        netmask 255.255.255.0
        gateway 10.11.101.254
        bridge_ports eth0
        bridge_stp off
        bridge_maxwait 0
        bridge_maxage 2
        bridge_fd 2

auto br1
iface br1 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_maxwait 0
        bridge_maxage 2
        bridge_fd 2

zoolook@venkman:~$ ifconfig
br0 Link encap:Ethernet HWaddr 00:1b:fc:fb:82:08
          inet addr:10.11.101.200 Bcast:10.11.101.255 Mask:255.255.255.0
          inet6 addr: fe80::21b:fcff:fefb:8208/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:983 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1305 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:126739 (126.7 KB) TX bytes:251271 (251.2 KB)

br1 Link encap:Ethernet HWaddr 00:50:bf:0e:78:18
          inet6 addr: fe80::250:bfff:fe0e:7818/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:360 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:14846 (14.8 KB) TX bytes:468 (468.0 B)

eth0 Link encap:Ethernet HWaddr 00:1b:fc:fb:82:08
          inet6 addr: fe80::21b:fcff:fefb:8208/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:275 errors:0 dropped:0 overruns:0 frame:0
          TX packets:947 errors:0 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:1000
          RX bytes:75605 (75.6 KB) TX bytes:183221 (183.2 KB)

eth1 Link encap:Ethernet HWaddr 00:50:bf:0e:78:18
          inet6 addr: fe80::250:bfff:fe0e:7818/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:598 errors:0 dropped:0 overruns:0 frame:0
          TX packets:711 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:59581 (59.5 KB) TX bytes:204324 (204.3 KB)
          Interrupt:17 Base address:0xe800

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:3856 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3856 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3631789 (3.6 MB) TX bytes:3631789 (3.6 MB)

virbr0 Link encap:Ethernet HWaddr c2:45:55:73:0d:2c
          inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:79 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B) TX bytes:16399 (16.3 KB)

virbr1 Link encap:Ethernet HWaddr 5e:52:04:df:06:1d
          inet addr:192.168.16.1 Bcast:192.168.16.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:79 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B) TX bytes:16393 (16.3 KB)

vnet0 Link encap:Ethernet HWaddr ca:3f:8b:06:8a:25
          inet6 addr: fe80::c83f:8bff:fe06:8a25/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:97 errors:0 dropped:0 overruns:0 frame:0
          TX packets:563 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:7376 (7.3 KB) TX bytes:40218 (40.2 KB)

vnet1 Link encap:Ethernet HWaddr 12:ed:8f:71:11:6b
          inet6 addr: fe80::10ed:8fff:fe71:116b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:419 errors:0 dropped:0 overruns:0 frame:0
          TX packets:625 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:142157 (142.1 KB) TX bytes:58367 (58.3 KB)

vnet2 Link encap:Ethernet HWaddr 72:ce:13:77:af:54
          inet6 addr: fe80::70ce:13ff:fe77:af54/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:702 errors:0 dropped:0 overruns:0 frame:0
          TX packets:571 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:201058 (201.0 KB) TX bytes:58017 (58.0 KB)

vnet3 Link encap:Ethernet HWaddr 82:e3:40:6a:40:72
          inet6 addr: fe80::80e3:40ff:fe6a:4072/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:648 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1420 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:105466 (105.4 KB) TX bytes:294402 (294.4 KB)

zoolook@venkman:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.16.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr1
10.11.101.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 br0
0.0.0.0 10.11.101.254 0.0.0.0 UG 100 0 0 br0

zoolook@venkman:~$ sudo iptables-save
# Generated by iptables-save v1.4.4 on Thu Oct 15 22:34:49 2009
*nat
:PREROUTING ACCEPT [190:92311]
:POSTROUTING ACCEPT [979:285298]
:OUTPUT ACCEPT [810:196732]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Oct 15 22:34:49 2009
# Generated by iptables-save v1.4.4 on Thu Oct 15 22:34:49 2009
*filter
:INPUT ACCEPT [4923:3811220]
:FORWARD ACCEPT [1515:460557]
:OUTPUT ACCEPT [5311:3978185]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
COMMIT

Guest Machine (proxy)

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
        address 10.11.101.254
        netmask 255.255.255.0
        network 10.11.101.0
        broadcast 10.11.101.255
        dns-search bensa.ar
        dns-servers 10.11.101.254 10.11.101.1

norberto@gozer:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.15.3.1 10.15.3.5 255.255.255.255 UGH 0 0 0 tun1
10.15.3.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.11.101.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.0.0 10.15.3.5 255.255.252.0 UG 0 0 0 tun1
0.0.0.0 10.0.0.1 0.0.0.0 UG 100 0 0 eth0

(tun+, just in case you are wondering, are vpn tunnels)

(eth0 goes to a router physically connected to eth1/br1 in the host machine)

norberto@gozer:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 54:52:00:4c:b8:a3
          inet addr:10.0.0.254 Bcast:10.0.0.255 Mask:255.255.255.0
          inet6 addr: fe80::5652:ff:fe4c:b8a3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:491 errors:0 dropped:0 overruns:0 frame:0
          TX packets:690 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:49919 (48.7 KB) TX bytes:233747 (228.2 KB)

eth1 Link encap:Ethernet HWaddr 54:52:00:17:1b:2d
          inet addr:10.11.101.254 Bcast:10.11.101.255 Mask:255.255.255.0
          inet6 addr: fe80::5652:ff:fe17:1b2d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:1713 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1389 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:329799 (322.0 KB) TX bytes:237190 (231.6 KB)

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:35 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4147 (4.0 KB) TX bytes:4147 (4.0 KB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.15.3.6 P-t-P:10.15.3.5 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1664 (1.6 KB) TX bytes:1432 (1.3 KB)

norberto@gozer:~$ sudo iptables-save
# Generated by iptables-save v1.3.8 on Thu Oct 15 22:40:05 2009
*raw
:PREROUTING ACCEPT [2731:431306]
:OUTPUT ACCEPT [2251:385227]
COMMIT
# Completed on Thu Oct 15 22:40:05 2009
# Generated by iptables-save v1.3.8 on Thu Oct 15 22:40:05 2009
*nat
:PREROUTING ACCEPT [1571:246818]
:POSTROUTING ACCEPT [154:11540]
:OUTPUT ACCEPT [140:10476]
:eth0_masq - [0:0]
:net_dnat - [0:0]
-A PREROUTING -i eth0 -j net_dnat
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 10.11.101.0/255.255.255.0 -j MASQUERADE
-A net_dnat -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.11.101.200
COMMIT
# Completed on Thu Oct 15 22:40:05 2009
# Generated by iptables-save v1.3.8 on Thu Oct 15 22:40:05 2009
*mangle
:PREROUTING ACCEPT [2737:431618]
:INPUT ACCEPT [2159:162767]
:FORWARD ACCEPT [554:262092]
:OUTPUT ACCEPT [2264:387343]
:POSTROUTING ACCEPT [2621:561887]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Thu Oct 15 22:40:05 2009
# Generated by iptables-save v1.3.8 on Thu Oct 15 22:40:05 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth0_out - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:eth1_out - [0:0]
:fw2all - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:fw2vpn - [0:0]
:loc2all - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:loc2vpn - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2all - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
:tun+_fwd - [0:0]
:tun+_in - [0:0]
:tun+_out - [0:0]
:vpn2fw - [0:0]
:vpn2loc - [0:0]
-A INPUT -i eth0 -j eth0_in
-A INPUT -i eth1 -j eth1_in
-A INPUT -i tun+ -j tun+_in
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -j reject
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -i tun+ -j tun+_fwd
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A OUTPUT -o eth0 -j eth0_out
-A OUTPUT -o eth1 -j eth1_out
-A OUTPUT -o tun+ -j tun+_out
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j Reject
-A OUTPUT -j reject
-A Drop -p tcp -m tcp --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -j DROP
-A Drop -p udp -m udp --dport 137:139 -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A Drop -p udp -m udp --dport 1900 -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -j DROP
-A Reject -p tcp -m tcp --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -j reject
-A Reject -p udp -m udp --dport 137:139 -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -j reject
-A Reject -p udp -m udp --dport 1900 -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -j DROP
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j Reject
-A all2all -j LOG --log-prefix "Shorewall:all2all:REJECT:" --log-level 6
-A all2all -j reject
-A dropBcast -m addrtype --dst-type BROADCAST -j DROP
-A dropBcast -d 224.0.0.0/240.0.0.0 -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -m state --state INVALID,NEW -j smurfs
-A eth0_fwd -p tcp -j tcpflags
-A eth0_fwd -o eth1 -j net2loc
-A eth0_fwd -o tun+ -j net2all
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -m state --state INVALID,NEW -j smurfs
-A eth0_in -p udp -m udp --dport 67:68 -j ACCEPT
-A eth0_in -p tcp -j tcpflags
-A eth0_in -j net2fw
-A eth0_out -p udp -m udp --dport 67:68 -j ACCEPT
-A eth0_out -j fw2net
-A eth1_fwd -m state --state INVALID,NEW -j dynamic
-A eth1_fwd -m state --state INVALID,NEW -j smurfs
-A eth1_fwd -p tcp -j tcpflags
-A eth1_fwd -o eth0 -j loc2net
-A eth1_fwd -o tun+ -j loc2vpn
-A eth1_in -m state --state INVALID,NEW -j dynamic
-A eth1_in -m state --state INVALID,NEW -j smurfs
-A eth1_in -p tcp -j tcpflags
-A eth1_in -j loc2fw
-A eth1_out -j fw2loc
-A fw2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2all -j Reject
-A fw2all -j reject
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -j ACCEPT
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p udp -m udp --dport 1194 -j ACCEPT
-A fw2net -j ACCEPT
-A fw2vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2vpn -p udp -m udp --dport 53 -j ACCEPT
-A fw2vpn -p tcp -m tcp --dport 53 -j ACCEPT
-A fw2vpn -p tcp -m tcp --dport 3551 -j ACCEPT
-A fw2vpn -j fw2all
-A loc2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2all -j Reject
-A loc2all -j reject
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p udp -m udp --dport 123 -j ACCEPT
-A loc2fw -j ACCEPT
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j ACCEPT
-A loc2vpn -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2vpn -j ACCEPT
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2all -j Drop
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A net2fw -p udp -m udp --dport 1194 -j ACCEPT
-A net2fw -j Drop
-A net2fw -j DROP
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -s 10.0.0.100 -d 10.11.101.200 -p tcp -m tcp --dport 631 -j ACCEPT
-A net2loc -j Drop
-A net2loc -j LOG --log-prefix "Shorewall:net2loc:DROP:" --log-level 6
-A net2loc -j DROP
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 0.0.0.0 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -m addrtype --src-type BROADCAST -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j logflags
-A tun+_fwd -m state --state INVALID,NEW -j dynamic
-A tun+_fwd -o eth0 -j all2all
-A tun+_fwd -o eth1 -j vpn2loc
-A tun+_in -m state --state INVALID,NEW -j dynamic
-A tun+_in -j vpn2fw
-A tun+_out -j fw2vpn
-A vpn2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A vpn2fw -j Reject
-A vpn2fw -j LOG --log-prefix "Shorewall:vpn2fw:REJECT:" --log-level 6
-A vpn2fw -j reject
-A vpn2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A vpn2loc -s 192.168.0.11 -d 10.11.101.111 -j ACCEPT
-A vpn2loc -s 10.8.0.10 -d 10.11.101.111 -j ACCEPT
-A vpn2loc -j Reject
-A vpn2loc -j LOG --log-prefix "Shorewall:vpn2loc:REJECT:" --log-level 6
-A vpn2loc -j reject
COMMIT
# Completed on Thu Oct 15 22:40:05 2009

(I use shorewall-perl in the proxy; I could disable it if you want, but I'm 100% sure shorewall is not the problem)

Thanks,
Norberto
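
The proxy's FORWARD chain above is what decides whether LAN-to-internet traffic is forwarded at all, and it is dense enough that the claim that Shorewall is not the problem is worth checking rather than taking on trust. The following Python script is an added example, not part of the bug report and not QEMU's or Shorewall's code: it parses a trimmed copy of that ruleset (constructed from the dump above; chains off the FORWARD path are left out) and walks a sample packet through the chains the way netfilter would, following -j jumps into user chains, returning on fall-through, and treating LOG as non-terminating. Only -i/-o, -p, -s/-d, --dport and --state are evaluated; a rule using any other match (here --tcp-flags) is treated as never matching, so the verdict is an approximation, as the comments say. The packet dictionaries and the addresses in them are constructed for the example.

```python
import shlex
from ipaddress import ip_address, ip_network

# Constructed sample: a trimmed copy of the proxy's Shorewall FORWARD path from the
# iptables-save dump above (chains off that path are left out).
RULESET = """\
*filter
:FORWARD DROP [0:0]
:eth0_fwd - [0:0]
:eth1_fwd - [0:0]
:loc2net - [0:0]
:net2loc - [0:0]
:reject - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j reject
-A eth0_fwd -m state --state INVALID,NEW -j smurfs
-A eth0_fwd -p tcp -j tcpflags
-A eth0_fwd -o eth1 -j net2loc
-A eth1_fwd -m state --state INVALID,NEW -j smurfs
-A eth1_fwd -p tcp -j tcpflags
-A eth1_fwd -o eth0 -j loc2net
-A loc2net -j ACCEPT
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -s 10.0.0.100 -d 10.11.101.200 -p tcp -m tcp --dport 631 -j ACCEPT
-A net2loc -j LOG --log-prefix "Shorewall:net2loc:DROP:" --log-level 6
-A net2loc -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 0.0.0.0 -j RETURN
-A tcpflags -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
COMMIT
"""
UNSUPPORTED = {"--tcp-flags": 2}      # matches this toy skips: such a rule never matches
NARGS = {"-i": 1, "-o": 1, "-p": 1, "-s": 1, "-d": 1, "-m": 1, "-j": 1, "--dport": 1, "--state": 1,
         "--log-prefix": 1, "--log-level": 1, "--reject-with": 1, **UNSUPPORTED}  # option -> argc
MATCHES = {"-i", "-o", "-p", "-s", "-d", "--dport", "--state"}   # options that test the packet

def parse_rule(tokens):
    rule, i, neg = {"target": None, "conds": [], "unsupported": False}, 0, False
    while i < len(tokens):
        opt = tokens[i]
        if opt == "!":                                      # negates the next match
            neg, i = True, i + 1
            continue
        args, i = tokens[i + 1:i + 1 + NARGS[opt]], i + 1 + NARGS[opt]
        if opt == "-j":
            rule["target"] = args[0]
        elif opt in UNSUPPORTED:
            rule["unsupported"] = True
        elif opt in MATCHES:
            rule["conds"].append((opt, args[0], neg))
        neg = False
    return rule

def parse(text):
    # iptables-save text -> {chain: {"policy": str or None, "rules": [...]}}
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):                            # ':name policy [pkts:bytes]'
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": None if policy == "-" else policy, "rules": []}
        elif line.startswith("-A "):
            toks = shlex.split(line)[1:]
            chains[toks[0]]["rules"].append(parse_rule(toks[1:]))
    return chains

def cond_matches(opt, val, pkt):
    if opt in ("-i", "-o"):                                 # 'tun+' is a prefix wildcard
        name = pkt["in" if opt == "-i" else "out"]
        return name.startswith(val[:-1]) if val.endswith("+") else name == val
    if opt in ("-s", "-d"):                                 # 1.2.3.0/255.255.255.0 form is accepted
        return ip_address(pkt["src" if opt == "-s" else "dst"]) in ip_network(val, strict=False)
    if opt == "--dport":                                    # single port or lo:hi range
        lo, _, hi = val.partition(":")
        return int(lo) <= pkt["dport"] <= int(hi or lo)
    if opt == "--state":
        return pkt["state"] in val.split(",")
    return pkt["proto"] == val                              # "-p"

def verdict(chains, chain, pkt):
    """Walk one chain: ACCEPT/DROP/REJECT, or None when the chain returns to its caller."""
    for rule in chains[chain]["rules"]:
        if rule["unsupported"] or any(cond_matches(o, v, pkt) == neg for o, v, neg in rule["conds"]):
            continue
        t = rule["target"]
        if t in ("ACCEPT", "DROP", "REJECT"):
            return t
        if t == "RETURN":
            return None
        if t in chains and (v := verdict(chains, t, pkt)) is not None:
            return v                                        # the user chain reached a verdict
        # LOG, and a user chain that fell through, continue with the next rule
    return chains[chain]["policy"]                          # built-in policy, or None

def forward_verdict(pkt, ruleset=RULESET):
    return verdict(parse(ruleset), "FORWARD", pkt)
```

For a NEW tcp packet entering on eth1 and leaving on eth0, forward_verdict returns ACCEPT (eth1_fwd, then loc2net, then ACCEPT); the reverse direction ends at net2loc's final DROP unless it is the one permitted port-631 flow or a RELATED/ESTABLISHED reply, and anything with no matching interface pair falls to the FORWARD policy path and is rejected. That agrees with what the report describes: the filter table permits the LAN-to-internet path, so the loss had to be below it, and the thread ends with the NIC model change from virtio to rtl8139 restoring service.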

Revision history for this message
Dustin Kirkland (kirkland) wrote :

What was the last version this was known to work on?

:-Dustin

Changed in qemu:
status: New → Incomplete
Changed in qemu-kvm (Ubuntu):
status: New → Incomplete
Changed in qemu:
importance: Undecided → Low
Changed in qemu-kvm (Ubuntu):
importance: Undecided → Low
Revision history for this message
Norberto Bensa (nbensa) wrote :

Hello Dustin,

It was working with:

linux-image-2.6.31-14-generic 2.6.31-14.46
kvm 1:84+dfsg-0ubuntu16
qemu 0.10.6-1ubuntu1

Doesn't work with:

linux-image-2.6.31-14-generic 2.6.31-14.47
qemu-kvm 0.11.0-0ubuntu5

Is there any way to reinstall those packages? (unfortunately, I did aptitude clean...)

Thanks,
Norberto

Revision history for this message
Norberto Bensa (nbensa) wrote :

It seems that, from my logs (/var/log/aptitude* and /var/log/apt/term*), I was actually running kvm 1:84+dfsg-0ubuntu12.3 and qemu wasn't installed (?)

Log started: 2009-10-15 12:45:01
Removing qemu ...
dpkg: kvm: dependency problems, but removing anyway as you requested:
 python-vm-builder depends on kvm (>= 1:69) | qemu; however:
  Package kvm is to be removed.
  Package qemu is not installed.
 ubuntu-virt-server depends on kvm.
Removing kvm ...
 * Unloading kvm module kvm_intel ESC[239G ERROR: Module kvm_intel is in use
.
.
.
and the only log of a kvm upgrade is:

Log started: 2009-07-08 08:40:47
Preparing to replace kvm 1:84+dfsg-0ubuntu12 (using .../kvm_1%3a84+dfsg-0ubuntu12.3_amd64.deb) ...

This is crazy, I thought this box was up-to-date (the packages I describe in the other post are from a box I have at work.)

And BTW, it seems IP packets go through the virtualized proxy, but they're mangled or dropped. If you can show me how to correctly capture the necessary info with tcpdump or another tool, I'll post a dump.

Revision history for this message
Norberto Bensa (nbensa) wrote :

This seems to be the problem: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=525588

I changed the nics model from virtio to rtl8139, and now it works like it used to.

Revision history for this message
Norberto Bensa (nbensa) wrote :

Working again with:

qemu:
  Installed: (none)
  Candidate: 0.11.0-0ubuntu6.1
  Version table:
     0.11.0-0ubuntu6.1 0
        500 http://br.archive.ubuntu.com karmic-proposed/universe Packages
     0.11.0-0ubuntu6 0
        500 http://br.archive.ubuntu.com karmic/universe Packages

Changed in qemu-kvm (Ubuntu):
status: Incomplete → Fix Released
Changed in qemu:
status: Incomplete → Fix Released