firewall question
I have been having a lot of trouble with samba. The linux machine has full access to the win 98 machine but the win machine can't even ping the linux box. Port 139 is opened in the firewall but the firewall is still blocking everything incoming. What other port needs to be open, or what else do I need to do? I don't like taking the firewall down altogether.
|
You have a couple of options, both require a bit of work though..
SMB uses udp ports 137,138 & tcp ports 139,445. But if you can't even ping the linux box, you have something more serious to fix. Problem is, it could be one or more of many possible problems.. :(
Please post the output of iptables-save so we can identify where the problems are. (And xxx.xxx. your external numbers for your privacy)
It is not very common to firewall an internal server from the local lan clients. You can generally trust these pcs. |
If you drop every packet, to make it pingable it's one of these, I forget which:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
OR
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
I think it's the 1st one. |
It's the first one, the echo-request...
But why is there a drop policy on an internal server? |
This is very large. Since the moderator wants it, here it is:
# Generated by iptables-save v1.2.7a on Tue Nov 4 06:37:57 2003 *mangle :PREROUTING ACCEPT [362812:35968049] :INPUT ACCEPT [362811:35967473] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [355781:372145681] :POSTROUTING ACCEPT [355815:372147277] -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 20 -j TOS --set-tos 0x08 -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 20 -j TOS --set-tos 0x08 -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08 -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j TOS --set-tos 0x08 -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 53 -j TOS --set-tos 0x10 -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 53 -j TOS --set-tos 0x10 -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 161 -j TOS --set-tos 0x04 -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 162 -j TOS --set-tos 0x04 -A OUTPUT -p udp -m udp --dport 514 -j TOS --set-tos 0x04 COMMIT # Completed on Tue Nov 4 06:37:57 2003 # Generated by iptables-save v1.2.7a on Tue Nov 4 06:37:57 2003 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] :forward_dmz - [0:0] :forward_ext - [0:0] :forward_int - [0:0] :input_dmz - [0:0] :input_ext - [0:0] :input_int - [0:0] :reject_func - [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -i eth0 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 137:138 -j ACCEPT -A INPUT -s 127.0.0.0/255.0.0.0 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOFING " --log-tcp-options --log-ip-options -A INPUT -d 127.0.0.0/255.0.0.0 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOFING " --log-tcp-options --log-ip-options -A INPUT -s 127.0.0.0/255.0.0.0 -j DROP -A INPUT -d 127.0.0.0/255.0.0.0 -j DROP -A INPUT -s 192.168.1.103 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOFING " --log-tcp-options --log-ip-options -A INPUT -s 192.168.1.103 -j DROP -A INPUT -s 
192.168.1.103 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOFING " --log-tcp-options --log-ip-options -A INPUT -s 192.168.1.103 -j DROP -A INPUT -d 192.168.1.103 -i eth0 -j input_ext -A INPUT -d 192.168.1.103 -i eth0 -j input_int -A INPUT -d 192.168.1.255 -i eth0 -j DROP -A INPUT -d 255.255.255.255 -i eth0 -j DROP -A INPUT -d 192.168.1.255 -i eth0 -j DROP -A INPUT -d 255.255.255.255 -i eth0 -j DROP -A INPUT -d 192.168.1.103 -i eth0 -j LOG --log-prefix "SuSE-FW-ACCESS_DENIED_INT " --log-tcp-options --log-ip-options -A INPUT -d 192.168.1.103 -i eth0 -j DROP -A INPUT -j LOG --log-prefix "SuSE-FW-ILLEGAL-TARGET " --log-tcp-options --log-ip-options -A INPUT -j DROP -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -A OUTPUT -o lo -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 11 -j LOG --log-prefix "SuSE-FW-TRACEROUTE-ATTEMPT " --log-tcp-options --log-ip-options -A OUTPUT -p icmp -m icmp --icmp-type 11 -j DROP -A OUTPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 3/9 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 3/10 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 3/13 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 3 -j DROP -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -j LOG --log-prefix "SuSE-FW-OUTPUT-ERROR " --log-tcp-options --log-ip-options -A input_dmz -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOF " --log-tcp-options --log-ip-options -A input_dmz -s 192.168.1.0/255.255.255.0 -j DROP -A input_dmz -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOF " --log-tcp-options --log-ip-options -A input_dmz -s 192.168.1.0/255.255.255.0 -j DROP -A input_dmz -p icmp -m icmp --icmp-type 8 -j ACCEPT -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m 
icmp --icmp-type 11 -j ACCEPT -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT -A input_dmz -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_dmz -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_dmz -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_dmz -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_dmz -p icmp -m icmp --icmp-type 2 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_dmz -p icmp -j DROP -A input_dmz -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func -A input_dmz -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_dmz -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_dmz -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_dmz -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_dmz -p tcp -m tcp --dport 139 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_dmz -p tcp -m tcp --dport 139 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_dmz -p tcp -m tcp --dport 631 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_dmz -p tcp -m tcp --dport 631 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_dmz -p tcp -m tcp --dport 831 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " 
--log-tcp-options --log-ip-options -A input_dmz -p tcp -m tcp --dport 831 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_dmz -p tcp -m tcp --dport 1024 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_dmz -p tcp -m tcp --dport 1024 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_dmz -p tcp -m tcp --dport 1025 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_dmz -p tcp -m tcp --dport 1025 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_dmz -p tcp -m tcp --dport 6000 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_dmz -p tcp -m tcp --dport 6000 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_dmz -p tcp -m tcp --dport 7741 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_dmz -p tcp -m tcp --dport 7741 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_dmz -p tcp -m tcp --dport 8001 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_dmz -p tcp -m tcp --dport 8001 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_dmz -p tcp -m tcp --dport 10000 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_dmz -p tcp -m tcp --dport 10000 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_dmz -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options -A input_dmz -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j ACCEPT -A input_dmz -p tcp -m state --state ESTABLISHED -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT -A input_dmz -p tcp -m state --state ESTABLISHED -m tcp --dport 20 ! 
--tcp-flags SYN,RST,ACK SYN -j ACCEPT -A input_dmz -s xxx.xxx.xxx.x -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT -A input_dmz -s xxx.xxx.xxx.x -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT -A input_dmz -p udp -m udp --dport 22 -j DROP -A input_dmz -p udp -m udp --dport 68 -j DROP -A input_dmz -p udp -m udp --dport 111 -j DROP -A input_dmz -p udp -m udp --dport 111 -j DROP -A input_dmz -p udp -m udp --dport 139 -j DROP -A input_dmz -p udp -m udp --dport 631 -j DROP -A input_dmz -p udp -m udp --dport 631 -j DROP -A input_dmz -p udp -m udp --dport 748 -j DROP -A input_dmz -p udp -m udp --dport 828 -j DROP -A input_dmz -p udp -m udp --dport 831 -j DROP -A input_dmz -p udp -m udp --dport 1024 -j DROP -A input_dmz -p udp -m udp --dport 1024 -j DROP -A input_dmz -p udp -m udp --dport 1025 -j DROP -A input_dmz -p udp -m udp --dport 1026 -j DROP -A input_dmz -p udp -m udp --dport 1027 -j DROP -A input_dmz -p udp -m udp --dport 2049 -j DROP -A input_dmz -p udp -m udp --dport 6000 -j DROP -A input_dmz -p udp -m udp --dport 7741 -j DROP -A input_dmz -p udp -m udp --dport 7741 -j DROP -A input_dmz -p udp -m udp --dport 8001 -j DROP -A input_dmz -p udp -m udp --dport 10000 -j DROP -A input_dmz -p udp -m udp --dport 10000 -j DROP -A input_dmz -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 1024:65535 -j ACCEPT -A input_dmz -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_dmz -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_dmz -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_dmz -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_dmz -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix 
"SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_dmz -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_dmz -p udp -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_dmz -m state --state INVALID -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT-INVALID " --log-tcp-options --log-ip-options -A input_dmz -j DROP -A input_ext -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOF " --log-tcp-options --log-ip-options -A input_ext -s 192.168.1.0/255.255.255.0 -j DROP -A input_ext -s 192.168.1.0/255.255.255.0 -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-ACCEPT-SOURCEQUENCH " --log-tcp-options --log-ip-options -A input_ext -s 192.168.1.0/255.255.255.0 -p icmp -m icmp --icmp-type 4 -j ACCEPT -A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT -A input_ext -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_ext -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_ext -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_ext -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_ext -p icmp -m icmp --icmp-type 2 -j LOG --log-prefix 
"SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_ext -p icmp -j DROP -A input_ext -p tcp -m tcp --dport 139 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options -A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 139 -j ACCEPT -A input_ext -p tcp -m tcp --dport 631 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options -A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 631 -j ACCEPT -A input_ext -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func -A input_ext -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_ext -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_ext -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_ext -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_ext -p tcp -m tcp --dport 831 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_ext -p tcp -m tcp --dport 831 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_ext -p tcp -m tcp --dport 1024 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_ext -p tcp -m tcp --dport 1024 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_ext -p tcp -m tcp --dport 1025 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_ext -p tcp -m tcp --dport 1025 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_ext -p tcp -m tcp --dport 6000 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_ext -p tcp -m tcp --dport 6000 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_ext -p tcp -m tcp --dport 7741 --tcp-flags SYN,RST,ACK SYN -j LOG 
--log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_ext -p tcp -m tcp --dport 7741 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_ext -p tcp -m tcp --dport 8001 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_ext -p tcp -m tcp --dport 8001 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_ext -p tcp -m tcp --dport 10000 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_ext -p tcp -m tcp --dport 10000 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_ext -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options -A input_ext -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j ACCEPT -A input_ext -p tcp -m state --state ESTABLISHED -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT -A input_ext -p tcp -m state --state ESTABLISHED -m tcp --dport 20 ! 
--tcp-flags SYN,RST,ACK SYN -j ACCEPT -A input_ext -s 64.81.79.2 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT -A input_ext -s 216.231.41.2 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT -A input_ext -p udp -m udp --dport 22 -j DROP -A input_ext -p udp -m udp --dport 68 -j DROP -A input_ext -p udp -m udp --dport 111 -j DROP -A input_ext -p udp -m udp --dport 111 -j DROP -A input_ext -p udp -m udp --dport 631 -j DROP -A input_ext -p udp -m udp --dport 748 -j DROP -A input_ext -p udp -m udp --dport 828 -j DROP -A input_ext -p udp -m udp --dport 831 -j DROP -A input_ext -p udp -m udp --dport 1024 -j DROP -A input_ext -p udp -m udp --dport 1024 -j DROP -A input_ext -p udp -m udp --dport 1025 -j DROP -A input_ext -p udp -m udp --dport 1026 -j DROP -A input_ext -p udp -m udp --dport 1027 -j DROP -A input_ext -p udp -m udp --dport 2049 -j DROP -A input_ext -p udp -m udp --dport 6000 -j DROP -A input_ext -p udp -m udp --dport 7741 -j DROP -A input_ext -p udp -m udp --dport 7741 -j DROP -A input_ext -p udp -m udp --dport 8001 -j DROP -A input_ext -p udp -m udp --dport 10000 -j DROP -A input_ext -p udp -m udp --dport 10000 -j DROP -A input_ext -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 1024:65535 -j ACCEPT -A input_ext -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_ext -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_ext -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_ext -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_ext -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_ext -p icmp -m icmp --icmp-type 17 -j 
LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_ext -p udp -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_ext -m state --state INVALID -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT-INVALID " --log-tcp-options --log-ip-options -A input_ext -j DROP -A input_int -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOF " --log-tcp-options --log-ip-options -A input_int -s 192.168.1.0/255.255.255.0 -j DROP -A input_int -j ACCEPT -A input_int -p icmp -m icmp --icmp-type 8 -j ACCEPT -A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT -A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT -A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT -A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT -A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT -A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT -A input_int -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_int -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_int -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_int -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_int -p icmp -m icmp --icmp-type 2 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_int -p icmp -j DROP -A input_int -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func -A input_int -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT " 
--log-tcp-options --log-ip-options -A input_int -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j ACCEPT -A input_int -p tcp -m state --state ESTABLISHED -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT -A input_int -p tcp -m state --state ESTABLISHED -m tcp --dport 20 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT -A input_int -s 64.81.79.2 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT -A input_int -s 216.231.41.2 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT -A input_int -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 1024:65535 -j ACCEPT -A input_int -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_int -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_int -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_int -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_int -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_int -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_int -p udp -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options -A input_int -m state --state INVALID -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT-INVALID " --log-tcp-options --log-ip-options -A input_int -j DROP -A reject_func -p tcp -j REJECT --reject-with tcp-reset -A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable -A reject_func -j REJECT --reject-with icmp-proto-unreachable COMMIT # Completed on Tue Nov 4 06:37:57 2003 # Generated by iptables-save v1.2.7a on Tue Nov 4 06:37:57 2003 *nat :PREROUTING ACCEPT 
[9100:1306391] :POSTROUTING ACCEPT [2929:112077] :OUTPUT ACCEPT [2929:112077] COMMIT # Completed on Tue Nov 4 06:37:57 2003
I looked twice and didn't see the line Robert0380 mentioned. Should it be inserted or appended? And where would I find this file to edit it? |
Does this ip number belong to anyone special?
-A INPUT -s 192.168.1.103 -j DROP
Robert0380 was referring to the icmp rules you already have in the input_int chain. They have just been given numbers instead of names. There are a few incorrect rule placements, e.g. DROP rules coming before LOG rules... Have you tried setting these rules from the beginning again? |
I thank you for your trouble. The problem seems to be fixed. Here's what I did. I learned about port 139 in the boot message so I entered that number in the firewall gui and nothing happened. I added the ports Robert0380 was kind enough to provide and nothing happened. Noticing that it would accept port numbers or service names, I entered netbios and nothing happened. NETBIOS, however, works if you leave off the port numbers. Thank you for your efforts.
|
It would be nice to compare the 2 different outputs from iptables-save and see where the differences are.. grin grin beg beg.. ;)
|
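The comparison requested above, as an added example that is not part of any post in the thread: a small first-match simulator run over constructed excerpts of the two posted filter tables. The LAN client address 192.168.1.50 is an assumption (the thread never gives the Windows machine's address), every packet is treated as state NEW, and only the match options listed in the code are modelled.

```python
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
FLAGS = {"--log-tcp-options", "--log-ip-options"}  # options that take no argument
IGNORED = {"-m", "-j", "--log-prefix"}             # not packet matches

# Constructed excerpts: rules copied from the posted dumps, trimmed to the ones
# an inbound LAN packet can reach first. Both dumps share these INPUT rules.
INPUT_RULES = """\
:INPUT DROP [0:0]
:input_ext - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 137:138 -j ACCEPT
-A INPUT -s 192.168.1.103 -j DROP
-A INPUT -d 192.168.1.103 -i eth0 -j input_ext
-A INPUT -j DROP
"""
# Present at the top of input_ext in the first dump only.
ANTI_SPOOF = """\
-A input_ext -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOF " --log-tcp-options --log-ip-options
-A input_ext -s 192.168.1.0/255.255.255.0 -j DROP
"""
INPUT_EXT_RULES = """\
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p icmp -j DROP
-A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 139 -j ACCEPT
-A input_ext -j DROP
"""
BEFORE = INPUT_RULES + ANTI_SPOOF + INPUT_EXT_RULES  # first dump (06:37:57)
AFTER = INPUT_RULES + INPUT_EXT_RULES                # second dump (20:34:45)

def parse(dump):
    """Return (policies, chains) for one table of iptables-save text."""
    policies, chains = {}, {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            if policy != "-":
                policies[name] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opts, i = {}, 2          # tok[0] is "-A", tok[1] is the chain name
            while i < len(tok):
                if tok[i] in FLAGS:
                    i += 1
                else:
                    opts[tok[i]] = tok[i + 1]
                    i += 2
            chains.setdefault(tok[1], []).append((line, opts))
    return policies, chains

def matches(opts, pkt):
    """True if every match option of the rule applies to the packet."""
    for key, val in opts.items():
        if key in IGNORED:
            continue
        if key in ("-s", "-d"):
            addr = ipaddress.ip_address(pkt["src" if key == "-s" else "dst"])
            ok = addr in ipaddress.ip_network(val, strict=False)
        elif key == "-i":
            ok = pkt["iface"] == val
        elif key == "-p":
            ok = pkt["proto"] == val
        elif key == "--dport":
            lo, _, hi = val.partition(":")
            port = pkt.get("dport")
            ok = port is not None and int(lo) <= port <= int(hi or lo)
        elif key == "--icmp-type":
            ok = str(pkt.get("icmp_type")) == val
        elif key == "--state":
            ok = "NEW" in val.split(",")  # assumption: packet opens a new flow
        else:
            raise ValueError("match option not modelled: " + key)
        if not ok:
            return False
    return True

def traverse(chains, chain, pkt):
    """Walk a chain in order; the first terminating rule that matches wins."""
    for line, opts in chains[chain]:
        if not matches(opts, pkt):
            continue
        target = opts["-j"]
        if target in TERMINAL:
            return target, line
        if target in chains:  # jump to a user chain, come back if it falls through
            result = traverse(chains, target, pkt)
            if result:
                return result
        # LOG and similar targets do not end traversal
    return None

def verdict(dump, pkt):
    policies, chains = parse(dump)
    return traverse(chains, "INPUT", pkt) or (policies["INPUT"], "INPUT policy")

LAN = {"src": "192.168.1.50", "dst": "192.168.1.103", "iface": "eth0"}  # assumed client
PING = dict(LAN, proto="icmp", icmp_type=8)
SMB = dict(LAN, proto="tcp", dport=139)
NBNS = dict(LAN, proto="udp", dport=137)

if __name__ == "__main__":
    for name, pkt in (("ping", PING), ("tcp/139", SMB), ("udp/137", NBNS)):
        for label, dump in (("before", BEFORE), ("after", AFTER)):
            print(name, label, *verdict(dump, pkt), sep=" | ")
```

On these excerpts the ping and the TCP 139 connection are both dropped by the input_ext anti-spoofing rule in the first ruleset and accepted in the second, while UDP 137 is accepted in both by the early INPUT rule.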
Dear Moderator,
I feel bad, junking up the site with these long files. Please edit what isn't pertinent. Note: 192.168.1.103 is the address currently assigned to the machine. Just DHCP.
# Generated by iptables-save v1.2.8 on Tue Nov 4 20:34:45 2003 *mangle :PREROUTING ACCEPT [347:26849] :INPUT ACCEPT [347:26849] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [342:25545] :POSTROUTING ACCEPT [365:28188] -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 20 -j TOS --set-tos 0x08 -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 20 -j TOS --set-tos 0x08 -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08 -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j TOS --set-tos 0x08 -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 53 -j TOS --set-tos 0x10 -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 53 -j TOS --set-tos 0x10 -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 161 -j TOS --set-tos 0x04 -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 162 -j TOS --set-tos 0x04 -A OUTPUT -p udp -m udp --dport 514 -j TOS --set-tos 0x04 COMMIT # Completed on Tue Nov 4 20:34:45 2003 # Generated by iptables-save v1.2.8 on Tue Nov 4 20:34:45 2003 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] :forward_dmz - [0:0] :forward_ext - [0:0] :forward_int - [0:0] :input_dmz - [0:0] :input_ext - [0:0] :input_int - [0:0] :reject_func - [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -i eth0 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 137:138 -j ACCEPT -A INPUT -s 127.0.0.0/255.0.0.0 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOFING " --log-tcp-options --log-ip-options -A INPUT -d 127.0.0.0/255.0.0.0 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOFING " --log-tcp-options --log-ip-options -A INPUT -s 127.0.0.0/255.0.0.0 -j DROP -A INPUT -d 127.0.0.0/255.0.0.0 -j DROP -A INPUT -s
192.168.1.103 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOFING " --log-tcp-options --log-ip-options -A INPUT -s 192.168.1.103 -j DROP -A INPUT -s 192.168.1.103 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOFING " --log-tcp-options --log-ip-options -A INPUT -s 192.168.1.103 -j DROP -A INPUT -d 192.168.1.103 -i eth0 -j input_ext -A INPUT -d 192.168.1.103 -i eth0 -j input_int -A INPUT -d 192.168.1.255 -i eth0 -j DROP -A INPUT -d 255.255.255.255 -i eth0 -j DROP -A INPUT -d 192.168.1.255 -i eth0 -j DROP -A INPUT -d 255.255.255.255 -i eth0 -j DROP -A INPUT -d 192.168.1.103 -i eth0 -j LOG --log-prefix "SuSE-FW-ACCESS_DENIED_INT " --log-tcp-options --log-ip-options -A INPUT -d 192.168.1.103 -i eth0 -j DROP -A INPUT -j LOG --log-prefix "SuSE-FW-ILLEGAL-TARGET " --log-tcp-options --log-ip-options -A INPUT -j DROP -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -A OUTPUT -o lo -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 11 -j LOG --log-prefix "SuSE-FW-TRACEROUTE-ATTEMPT " --log-tcp-options --log-ip-options -A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 3/3 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 3/9 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 3/10 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 3/13 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 3 -j DROP -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -j LOG --log-prefix "SuSE-FW-OUTPUT-ERROR " --log-tcp-options --log-ip-options -A input_dmz -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOF-idmz " --log-tcp-options --log-ip-options -A input_dmz -s 192.168.1.0/255.255.255.0 -j DROP -A input_dmz -s 192.168.1.0/255.255.255.0 -j LOG --log-prefix "SuSE-FW-DROP-ANTI-SPOOF-idmz " --log-tcp-options --log-ip-options -A input_dmz -s 192.168.1.0/255.255.255.0 -j DROP -A input_dmz -p icmp -m icmp --icmp-type 8 -j ACCEPT -A input_dmz -p icmp -m state 
--state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT -A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT -A input_dmz -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_dmz -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_dmz -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_dmz -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_dmz -p icmp -m icmp --icmp-type 2 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options -A input_dmz -p icmp -j DROP -A input_dmz -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func -A input_dmz -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options -A input_dmz -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j DROP -A input_dmz -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options -A input_dmz -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j ACCEPT -A input_dmz -p tcp -m state --state ESTABLISHED -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT -A input_dmz -p tcp -m state --state ESTABLISHED -m tcp --dport 20 ! 
--tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A input_dmz -s 64.81.79.2 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A input_dmz -s xxx.xxx.xxx.xxx -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A input_dmz -p udp -m udp --dport 68 -j DROP
-A input_dmz -p udp -m udp --dport 111 -j DROP
-A input_dmz -p udp -m udp --dport 111 -j DROP
-A input_dmz -p udp -m udp --dport 137 -j DROP
-A input_dmz -p udp -m udp --dport 138 -j DROP
-A input_dmz -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 1024:65535 -j ACCEPT
-A input_dmz -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_dmz -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_dmz -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_dmz -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_dmz -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_dmz -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_dmz -p udp -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_dmz -m state --state INVALID -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT-INVALID " --log-tcp-options --log-ip-options
-A input_dmz -j DROP
-A input_ext -s 192.168.1.0/255.255.255.0 -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-ACCEPT-SOURCEQUENCH " --log-tcp-options --log-ip-options
-A input_ext -s 192.168.1.0/255.255.255.0 -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 2 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -j DROP
-A input_ext -p tcp -m tcp --dport 139 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 139 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func
-A input_ext -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j ACCEPT
-A input_ext -p tcp -m state --state ESTABLISHED -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A input_ext -p tcp -m state --state ESTABLISHED -m tcp --dport 20 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A input_ext -s xxx.xxx.xxx.xxx -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A input_ext -s xxx.xxx.xxx.xxx -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A input_ext -p udp -m udp --dport 68 -j DROP
-A input_ext -p udp -m udp --dport 111 -j DROP
-A input_ext -p udp -m udp --dport 111 -j DROP
-A input_ext -p udp -m udp --dport 137 -j DROP
-A input_ext -p udp -m udp --dport 137 -j DROP
-A input_ext -p udp -m udp --dport 138 -j DROP
-A input_ext -p udp -m udp --dport 138 -j DROP
-A input_ext -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 1024:65535 -j ACCEPT
-A input_ext -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_ext -p udp -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_ext -m state --state INVALID -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT-INVALID " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A input_int -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_int -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 2 -j LOG --log-prefix "SuSE-FW-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_int -p icmp -j DROP
-A input_int -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func
-A input_int -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT " --log-tcp-options --log-ip-options
-A input_int -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j ACCEPT
-A input_int -p tcp -m state --state ESTABLISHED -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A input_int -p tcp -m state --state ESTABLISHED -m tcp --dport 20 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A input_int -s 64.81.79.2 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A input_int -s 216.231.41.2 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A input_int -p udp -m state --state RELATED,ESTABLISHED -m udp --dport 1024:65535 -j ACCEPT
-A input_int -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_int -p udp -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_int -m state --state INVALID -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT-INVALID " --log-tcp-options --log-ip-options
-A input_int -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Tue Nov 4 20:34:45 2003
# Generated by iptables-save v1.2.8 on Tue Nov 4 20:34:45 2003
*nat
:PREROUTING ACCEPT [7:1556]
:POSTROUTING ACCEPT [50:3814]
:OUTPUT ACCEPT [50:3814]
COMMIT
# Completed on Tue Nov 4 20:34:45 2003
|
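A generated ruleset this long is hard to review by eye. The following is an added example, not part of the original posts: a small audit that flags exact duplicate rules and rules placed after an unconditional verdict in the same chain, both of which appear in the dump above (for instance the repeated `--dport 137 -j DROP` in `input_ext`, and everything following `-A input_int -j ACCEPT`). The function name `audit` and the shortened sample are assumptions made for illustration.

```python
import shlex
from collections import defaultdict

# Constructed sample: a handful of rules copied from the dump above, one per line.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:input_ext - [0:0]
:input_int - [0:0]
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p udp -m udp --dport 137 -j DROP
-A input_ext -p udp -m udp --dport 137 -j DROP
-A input_ext -p udp -j LOG --log-prefix "SuSE-FW-DROP-DEFAULT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A input_int -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_int -p icmp -j DROP
-A input_int -j DROP
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end chain traversal


def audit(dump):
    """Return (duplicates, shadowed), each a list of (chain, rule line)."""
    seen = defaultdict(set)   # chain -> rule lines already encountered
    catch_all = set()         # chains already closed by an unconditional verdict
    duplicates, shadowed = [], []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue          # table header, chain policy, COMMIT or comment
        tokens = shlex.split(line)   # keeps quoted --log-prefix values intact
        chain, spec = tokens[1], tokens[2:]
        if chain in catch_all:
            shadowed.append((chain, line))   # can never be evaluated
            continue
        if line in seen[chain]:
            duplicates.append((chain, line))
        seen[chain].add(line)
        # No match options before -j means the rule matches every packet.
        if len(spec) >= 2 and spec[0] == "-j" and spec[1] in TERMINAL:
            catch_all.add(chain)
    return duplicates, shadowed


if __name__ == "__main__":
    dups, dead = audit(SAMPLE)
    for chain, rule in dups:
        print("duplicate  :", rule)
    for chain, rule in dead:
        print("unreachable:", rule)
```

To run it on a live system, pass the text of `iptables-save` to `audit()` in place of `SAMPLE`; the input must have one rule per line, as `iptables-save` emits it.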