Old 01-03-2010, 05:04 AM   #1
NiceLittleRabbit
LQ Newbie
 
Registered: Aug 2009
Posts: 21

Rep: Reputation: 0
IPTABLES does not behave as expected?


Hello,

I am running a Debian server, with 2.6.30 kernel and everything standard.

I have two ethernet cards (eth1 is the external, eth0 the internal) and I use the server as backup server, firewall, https for email reading with squirrelmail, Samba server, email server and that's it.

If I understood correctly IPTABLES, the following OUTPUT rules should allow my server to establish communications with an http server (for dselect), an imaps server (for fetchmail) and an ssh server.

However, it does not work; it only works when I allow all OUTPUT (adding "NEW" to "ESTABLISHED,RELATED").

Could anyone let me know what is wrong and how I can fix it (not opening my OUTPUT to any communication)?

My IPTABLES script is pretty long, so I only copy/paste the OUTPUT lines unless anyone requests the rest.

Thank you in advance

Quote:

INTIF="eth0"

ssh="22"
dhcp_s="67"
dhcp_d="68"
http="80"
sambarange="135:139"
https="443"
microsoft_ds="445"
ssmtp="465"
imaps="993"
std_ports="22,443,465,993"

$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT

$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport $ssh -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport $https -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport $ssmtp -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport $imaps -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport $http -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m multiport --source-port $sambarange -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m multiport --source-port $sambarange -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport $microsoft_ds -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o $INTIF -d 255.255.255.255 --sport $dhcp_s --dport $dhcp_d -j ACCEPT

Last edited by NiceLittleRabbit; 01-03-2010 at 05:11 AM.
 
Old 01-03-2010, 10:34 AM   #2
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Hi.

The OUTPUT chain deals with packets which leave your computer, going toward a NIC (any NIC).
Do you really want to filter that kind of traffic?
 
Old 01-03-2010, 10:46 AM   #3
NiceLittleRabbit
LQ Newbie
 
Registered: Aug 2009
Posts: 21

Original Poster
Rep: Reputation: 0
Hello,

Well, yes, I'd like to be able to control what leaves my computer, when and why. Also, I know Linux viruses are rare but they exist.

However, if this issue cannot be solved I will of course allow everything on the OUTPUT chain and I do not think I will have nightmares because of that ...
 
Old 01-03-2010, 11:01 AM   #4
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
In that case you have to add NEW to:
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Otherwise you will never connect to anything, because NEW means "attempt to connect".
 
Old 01-03-2010, 12:27 PM   #5
NiceLittleRabbit
LQ Newbie
 
Registered: Aug 2009
Posts: 21

Original Poster
Rep: Reputation: 0
Wouldn't that mean that I allow any connection from the server -> outside?
 
Old 01-03-2010, 02:08 PM   #6
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Yes, you allow it to ESTABLISH a connection.
But you can always specify a port and address, for instance.
 
Old 01-03-2010, 02:43 PM   #7
NiceLittleRabbit
LQ Newbie
 
Registered: Aug 2009
Posts: 21

Original Poster
Rep: Reputation: 0
OK, so I guess you mean I can write something like:

Quote:
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -m multiport --source-port $sambarange -j ACCEPT
Sounds logical to me. Thanks for your help
 
Old 01-03-2010, 03:01 PM   #8
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
There are many different ways to filter traffic. Yours can be one of them; try it. You can also do "-j check port"
 
Old 01-03-2010, 03:57 PM   #9
NiceLittleRabbit
LQ Newbie
 
Registered: Aug 2009
Posts: 21

Original Poster
Rep: Reputation: 0
Hello nimnull22,

I have just tried

Quote:
$IPTABLES -A OUTPUT -p tcp --sport $ssh -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport $smtp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport $http -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport $https -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport $microsoft_ds -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport $ssmtp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport $imaps -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m multiport --source-port $sambarange -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -m multiport --source-port $sambarange -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o $INTIF -d 255.255.255.255 --sport $dhcp_s --dport $dhcp_d -j ACCEPT
but I still can't get out from the server using, for instance, Lynx (http), Dselect (http) or ssh.

As I said earlier, writing:

Quote:
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
I could leave the server.

(As an aside comment, I assumed that writing

Quote:
-m state --state NEW,RELATED,ESTABLISHED
was the same as writing nothing, as here I am indicating that any state will do.)

Do you spot where the error is in the lines that would not allow me to leave the server?

Thanks in advance
 
Old 01-03-2010, 04:18 PM   #10
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
You can do things more simply, because NEW,ESTABLISHED,RELATED = everything, so you do not need it any more, right? So:

$IPTABLES -A OUTPUT -p ALL -j check_output_traffic #ALL = TCP,UDP, SNMP

then you can add a new chain "check_output_traffic"

$IPTABLES -N check_output_traffic #create the chain before any rule jumps to it
$IPTABLES -A check_output_traffic -p tcp --dport $ssh -j ACCEPT #you need to state a destination port!
$IPTABLES -A check_output_traffic -p tcp --dport $smtp -j ACCEPT
...
and at the end everything that doesn't match any rules goes to DROP:

$IPTABLES -A check_output_traffic -j DROP

Last edited by nimnull22; 01-03-2010 at 04:20 PM.
 
Old 01-04-2010, 04:52 PM   #11
NiceLittleRabbit
LQ Newbie
 
Registered: Aug 2009
Posts: 21

Original Poster
Rep: Reputation: 0
Hello Nimnull22,

I tried the following:
Quote:
$IPTABLES -N CHECK_OUTPUT_TRAFFIC
$IPTABLES -A CHECK_OUTPUT_TRAFFIC -p icmp -j ACCEPT
$IPTABLES -A CHECK_OUTPUT_TRAFFIC -p tcp --dport $ssh -j ACCEPT
$IPTABLES -A CHECK_OUTPUT_TRAFFIC -p tcp --dport $smtp -j ACCEPT
$IPTABLES -A CHECK_OUTPUT_TRAFFIC -p tcp --dport $http -j ACCEPT
$IPTABLES -A CHECK_OUTPUT_TRAFFIC -p tcp --dport $https -j ACCEPT
$IPTABLES -A CHECK_OUTPUT_TRAFFIC -p udp --dport $microsoft_ds -j ACCEPT
$IPTABLES -A CHECK_OUTPUT_TRAFFIC -p tcp --dport $ssmtp -j ACCEPT
$IPTABLES -A CHECK_OUTPUT_TRAFFIC -p tcp --dport $imaps -j ACCEPT
$IPTABLES -A CHECK_OUTPUT_TRAFFIC -o $INTIF -p tcp -m multiport --destination-port $sambarange -j ACCEPT
$IPTABLES -A CHECK_OUTPUT_TRAFFIC -o $INTIF -p udp -m multiport --destination-port $sambarange -j ACCEPT
$IPTABLES -A CHECK_OUTPUT_TRAFFIC -p udp -o $INTIF -d 255.255.255.255 --sport $dhcp_s --dport $dhcp_d -j ACCEPT
$IPTABLES -A CHECK_OUTPUT_TRAFFIC -j DROP

$IPTABLES -A OUTPUT -j CHECK_OUTPUT_TRAFFIC
But it still would not work. By the way, I do not really see a major difference between this method and the one I proposed earlier, that may be why it is still not working: do I have something wrong?
 
Old 01-04-2010, 05:12 PM   #12
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Please do:
iptables-save

Post output here please
 
Old 01-05-2010, 05:03 AM   #13
NiceLittleRabbit
LQ Newbie
 
Registered: Aug 2009
Posts: 21

Original Poster
Rep: Reputation: 0
iptables-save output

Here it comes:

Quote:
# Generated by iptables-save v1.4.2 on Tue Jan 5 11:39:44 2010
*mangle
:PREROUTING ACCEPT [132:100174]
:INPUT ACCEPT [132:100174]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [219:425367]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Jan 5 11:39:44 2010
# Generated by iptables-save v1.4.2 on Tue Jan 5 11:39:44 2010
*filter
:INPUT DROP [6:3773]
:FORWARD DROP [0:0]
:OUTPUT DROP [4:4396]
:CHECK_OUTPUT_TRAFFIC - [0:0]
:syn-flood - [0:0]
-A INPUT -s 10.26.2.0/27 -i eth1 -m limit --limit 3/min -j LOG --log-prefix "Spoofed packet: "
-A INPUT -f -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "Frag packet: "
-A INPUT -s 192.168.0.0/16 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class C address: "
-A INPUT -s 172.16.0.0/12 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class B address: "
-A INPUT -s 10.26.2.0/27 -i eth1 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class A address: "
-A INPUT -s 169.254.0.0/16 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class M$ address: "
-A INPUT -i eth1 -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP flood: "
-A INPUT -s 81.56.156.0/24 -i ! eth1 -m limit --limit 3/min -j LOG --log-prefix "Spoofed (MODEM) packet: "
-A INPUT -i eth1 -m limit --limit 6/hour -j LOG --log-prefix "Drop Spoofed MODEM packet:"
-A INPUT -i eth1 -m limit --limit 6/hour -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 2 -j LOG --log-prefix "Watched INPUT packet: "
-A INPUT -m limit --limit 6/hour -j LOG --log-prefix "Dropped INPUT packet: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS scan: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-PSH scan: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-ALL scan: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "Stealth FIN scan: "
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/RST scan: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/FIN scan(?): "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "Stealth Null scan: "
-A INPUT -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "Port 0 OS fingerprint: "
-A INPUT -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "UDP port 0 OS fingerprint: "
-A INPUT -p tcp -m tcp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "TCP source port 0: "
-A INPUT -p udp -m udp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "UDP source port 0: "
-A INPUT -p tcp -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "Possible DRDOS attempt: "
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m iprange --src-range 10.26.2.1-10.26.2.31 -m multiport --dports 22,80,135,136,137,138,139,443,445,465,993 -j ACCEPT
-A INPUT -i eth1 -p tcp -m multiport --dports 22,443,465,993 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -f -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i eth1 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-option 64 -j DROP
-A INPUT -p tcp -m tcp --tcp-option 128 -j DROP
-A INPUT -s 81.56.156.146/32 -i ! eth1 -j DROP
-A INPUT -d 127.0.0.0/8 -i eth1 -j DROP
-A INPUT -d 255.255.255.255/32 -i eth1 -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m multiport --sports 20,21,22,23,25,80,110,143,443,465,990,993,995 -j DROP
-A INPUT -p tcp -m tcp --sport 0 -j DROP
-A INPUT -p udp -m udp --sport 0 -j DROP
-A INPUT -p tcp -m tcp --dport 0 -j DROP
-A INPUT -p udp -m udp --dport 0 -j DROP
-A INPUT -s 10.26.2.0/27 -i eth1 -j DROP
-A INPUT -j DROP
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A FORWARD -o eth0 -f -m limit --limit 3/min -j LOG --log-prefix "FRAGMENTED PACKET (FWD): "
-A FORWARD -s 10.26.2.0/27 -i eth1 -m limit --limit 3/min -j LOG --log-prefix "Spoofed packet: "
-A FORWARD -i eth0 -o eth1 -m iprange --src-range 10.26.2.1-10.26.2.31 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -s 81.56.156.0/24 -i ! eth1 -j DROP
-A FORWARD -i eth1 -m iprange --src-range 10.26.2.1-10.26.2.31 -j DROP
-A FORWARD -p tcp -m multiport --dports 135:139 -j DROP
-A FORWARD -p udp -m multiport --dports 135:139 -j DROP
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -j DROP
-A OUTPUT -o eth1 -p tcp -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "Watched OUTPUT packet: "
-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 2 -j LOG --log-prefix "Watched OUTPUT packet: "
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j CHECK_OUTPUT_TRAFFIC
-A CHECK_OUTPUT_TRAFFIC -p icmp -j ACCEPT
-A CHECK_OUTPUT_TRAFFIC -p tcp -m tcp --dport 22 -j ACCEPT
-A CHECK_OUTPUT_TRAFFIC -p tcp -m tcp --dport 25 -j ACCEPT
-A CHECK_OUTPUT_TRAFFIC -p tcp -m tcp --dport 80 -j ACCEPT
-A CHECK_OUTPUT_TRAFFIC -p tcp -m tcp --dport 443 -j ACCEPT
-A CHECK_OUTPUT_TRAFFIC -p udp -m udp --dport 445 -j ACCEPT
-A CHECK_OUTPUT_TRAFFIC -p tcp -m tcp --dport 465 -j ACCEPT
-A CHECK_OUTPUT_TRAFFIC -p tcp -m tcp --dport 993 -j ACCEPT
-A CHECK_OUTPUT_TRAFFIC -o eth0 -p tcp -m multiport --dports 135:139 -j ACCEPT
-A CHECK_OUTPUT_TRAFFIC -o eth0 -p udp -m multiport --dports 135:139 -j ACCEPT
-A CHECK_OUTPUT_TRAFFIC -d 255.255.255.255/32 -o eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A CHECK_OUTPUT_TRAFFIC -j DROP
-A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN
-A syn-flood -j DROP
COMMIT
# Completed on Tue Jan 5 11:39:44 2010
# Generated by iptables-save v1.4.2 on Tue Jan 5 11:39:44 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:328]
-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Jan 5 11:39:44 2010
 
Old 01-05-2010, 10:28 AM   #14
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Please, change rules:

$IPTABLES -N check_output_traffic
$IPTABLES -A OUTPUT -p ALL -j check_output_traffic
$IPTABLES -A check_output_traffic -p tcp --dport 80 -j ACCEPT
$IPTABLES -A check_output_traffic -j DROP

Please delete everything else in the OUTPUT chain.
After that, check HTTP.
 
Old 01-05-2010, 11:20 AM   #15
NiceLittleRabbit
LQ Newbie
 
Registered: Aug 2009
Posts: 21

Original Poster
Rep: Reputation: 0
Hello,

It did not work either. Here comes the iptables-save output:

Quote:
# Generated by iptables-save v1.4.6 on Tue Jan 5 18:12:58 2010
*mangle
:PREROUTING ACCEPT [916:406869]
:INPUT ACCEPT [81:27082]
:FORWARD ACCEPT [830:376567]
:OUTPUT ACCEPT [169:70603]
:POSTROUTING ACCEPT [830:376567]
COMMIT
# Completed on Tue Jan 5 18:12:58 2010
# Generated by iptables-save v1.4.6 on Tue Jan 5 18:12:58 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:BLOCK_KIDS - [0:0]
:CHECK_INPUT_TRAFFIC - [0:0]
:CHECK_OUTPUT_TRAFFIC - [0:0]
-A INPUT -s 10.26.2.0/27 -i eth1 -m limit --limit 3/min -j LOG --log-prefix "Spoofed packet: "
-A INPUT -f -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "Frag packet: "
-A INPUT -s 192.168.0.0/16 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class C address: "
-A INPUT -s 172.16.0.0/12 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class B address: "
-A INPUT -s 10.26.2.0/27 -i eth1 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class A address: "
-A INPUT -s 169.254.0.0/16 -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Class M$ address: "
-A INPUT -i eth1 -p icmp -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "ICMP flood: "
-A INPUT -s 81.56.156.0/24 ! -i eth1 -m limit --limit 3/min -j LOG --log-prefix "Spoofed (MODEM) packet: "
-A INPUT -i eth1 -m limit --limit 6/hour -j LOG --log-prefix "Drop Spoofed MODEM packet:"
-A INPUT -i eth1 -m limit --limit 6/hour -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options --log-ip-options
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 2 -j LOG --log-prefix "Watched INPUT packet: "
-A INPUT -m limit --limit 6/hour -j LOG --log-prefix "Dropped INPUT packet: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS scan: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-PSH scan: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-ALL scan: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "Stealth FIN scan: "
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/RST scan: "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/FIN scan(?): "
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "Stealth Null scan: "
-A INPUT -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "Port 0 OS fingerprint: "
-A INPUT -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "UDP port 0 OS fingerprint: "
-A INPUT -p tcp -m tcp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "TCP source port 0: "
-A INPUT -p udp -m udp --sport 0 -m limit --limit 6/hour -j LOG --log-prefix "UDP source port 0: "
-A INPUT -p tcp -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "Possible DRDOS attempt: "
-A INPUT -j CHECK_INPUT_TRAFFIC
-A INPUT -f -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i eth1 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-option 64 -j DROP
-A INPUT -p tcp -m tcp --tcp-option 128 -j DROP
-A INPUT -s 81.56.156.146/32 ! -i eth1 -j DROP
-A INPUT -d 127.0.0.0/8 -i eth1 -j DROP
-A INPUT -d 255.255.255.255/32 -i eth1 -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m multiport --sports 20,21,22,23,25,80,110,143,443,465,990,993,995 -j DROP
-A INPUT -p tcp -m tcp --sport 0 -j DROP
-A INPUT -p udp -m udp --sport 0 -j DROP
-A INPUT -p tcp -m tcp --dport 0 -j DROP
-A INPUT -p udp -m udp --dport 0 -j DROP
-A INPUT -s 10.26.2.0/27 -i eth1 -j DROP
-A INPUT -j DROP
-A FORWARD -o eth0 -f -m limit --limit 3/min -j LOG --log-prefix "FRAGMENTED PACKET (FWD): "
-A FORWARD -s 10.26.2.0/27 -i eth1 -m limit --limit 3/min -j LOG --log-prefix "Spoofed packet: "
-A FORWARD -i eth0 -o eth1 -m iprange --src-range 10.26.2.1-10.26.2.31 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -s 81.56.156.0/24 ! -i eth1 -j DROP
-A FORWARD -i eth1 -m iprange --src-range 10.26.2.1-10.26.2.31 -j DROP
-A FORWARD -p tcp -m multiport --dports 135:139 -j DROP
-A FORWARD -p udp -m multiport --dports 135:139 -j DROP
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -j DROP
-A OUTPUT -o eth1 -p tcp -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "Watched OUTPUT packet: "
-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 2 -j LOG --log-prefix "Watched OUTPUT packet: "
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j CHECK_OUTPUT_TRAFFIC
-A CHECK_INPUT_TRAFFIC -m state --state RELATED,ESTABLISHED -j ACCEPT
-A CHECK_INPUT_TRAFFIC -i eth0 -p icmp -m iprange --src-range 10.26.2.1-10.26.2.31 -j ACCEPT
-A CHECK_INPUT_TRAFFIC -p tcp -m tcp --dport 22 -j ACCEPT
-A CHECK_INPUT_TRAFFIC -i eth0 -p tcp -m iprange --src-range 10.26.2.1-10.26.2.31 -m tcp --dport 25 -j ACCEPT
-A CHECK_INPUT_TRAFFIC -i eth0 -p tcp -m iprange --src-range 10.26.2.1-10.26.2.31 -m tcp --dport 80 -j ACCEPT
-A CHECK_INPUT_TRAFFIC -p tcp -m tcp --dport 443 -j ACCEPT
-A CHECK_INPUT_TRAFFIC -i eth0 -p udp -m iprange --src-range 10.26.2.1-10.26.2.31 -m udp --dport 445 -j ACCEPT
-A CHECK_INPUT_TRAFFIC -p tcp -m tcp --dport 465 -j ACCEPT
-A CHECK_INPUT_TRAFFIC -p tcp -m tcp --dport 993 -j ACCEPT
-A CHECK_INPUT_TRAFFIC -i eth0 -p tcp -m iprange --src-range 10.26.2.1-10.26.2.31 -m multiport --dports 135:139 -j ACCEPT
-A CHECK_INPUT_TRAFFIC -i eth0 -p udp -m iprange --src-range 10.26.2.1-10.26.2.31 -m multiport --dports 135:139 -j ACCEPT
-A CHECK_INPUT_TRAFFIC -d 255.255.255.255/32 -i eth1 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A CHECK_INPUT_TRAFFIC -s 127.0.0.1/32 -i lo -j ACCEPT
-A CHECK_INPUT_TRAFFIC -j DROP
-A CHECK_OUTPUT_TRAFFIC -p tcp -m tcp --dport 80 -j ACCEPT
-A CHECK_OUTPUT_TRAFFIC -j DROP
COMMIT
# Completed on Tue Jan 5 18:12:58 2010
# Generated by iptables-save v1.4.6 on Tue Jan 5 18:12:58 2010
*nat
:PREROUTING ACCEPT [48:3589]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [59:3592]
-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Jan 5 18:12:58 2010
I could not surf the web from the server and I have a hard time trying to understand why ...
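As an added example (not from the thread or either poster), the Python script below is a small first-match simulator for the OUTPUT rules quoted above. It parses rule lines in the same syntax as the iptables-save output, skips any match it does not understand, and carries the conntrack state as a label on each constructed packet instead of tracking connections, so it is a teaching aid and not iptables. It serves two points in the thread at once: the post #9 rules match on --sport, so they accept replies sent by the server's own sshd or httpd but never a connection the server itself opens (source port ephemeral, destination port 22 or 80), which is why post #10 asks for a destination port; and the stripped-down chain in the post #15 iptables-save output accepts TCP to port 80 only, so a resolver lookup on UDP 53 and anything over the loopback interface fall through to the final DROP, and the lookup is what Lynx does before it ever opens the HTTP connection. The thread does not confirm that name resolution is the cause here, so treat that as a hypothesis the simulator makes testable. The HARDENED ruleset, the packets, the port numbers in them and the address 203.0.113.10 are constructed for this example.

```python
# Constructed first-match simulator for the OUTPUT rules in this thread (example
# code, not iptables). Understands only -p, -o, -d, --sport/--dport,
# multiport --sports/--dports and state --state; everything else is skipped.
import shlex


def ports(spec):
    """'22' -> {22}; '135:139' -> {135..139}; '22,443' -> {22, 443}."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_rule(line):
    """Parse one '-A CHAIN ... -j TARGET' line; other lines (-N, -P, comments) give None."""
    tok = shlex.split(line)
    if not tok or tok[0] != "-A":
        return None
    rule, i = {"chain": tok[1]}, 2
    while i < len(tok):
        t = tok[i]
        arg = tok[i + 1] if i + 1 < len(tok) else None
        if t == "-p":
            rule["proto"] = arg.lower()
        elif t in ("--sport", "--source-port", "--sports"):
            rule["sport"] = ports(arg)
        elif t in ("--dport", "--destination-port", "--dports"):
            rule["dport"] = ports(arg)
        elif t == "--state":
            rule["state"] = set(arg.split(","))
        elif t == "-o":
            rule["oif"] = arg
        elif t == "-d":
            rule["dst"] = arg.split("/")[0]
        elif t == "-j":
            rule["target"] = arg
        elif t == "-m":
            pass  # module name only; its options are handled above
        else:
            i += 1  # unknown option, flag value or '!': skip one token
            continue
        i += 2
    return rule


def load(text):
    """Parse a block of rule lines in iptables-save syntax into a rule list."""
    return [r for r in map(parse_rule, text.strip().splitlines()) if r]


def matches(rule, p):
    """Every match present in the rule must agree with the packet."""
    if rule.get("proto", "all") not in ("all", p["proto"]):
        return False
    for key in ("sport", "dport", "state"):
        if key in rule and p[key] not in rule[key]:
            return False
    return all(p[key] == rule[key] for key in ("oif", "dst") if key in rule)


TERMINAL = {"ACCEPT", "DROP", "REJECT"}
NON_TERMINAL = {"LOG", "TCPMSS"}  # the packet keeps traversing after these


def verdict(rules, p, chain="OUTPUT", policy="DROP"):
    """First terminal match wins; a user chain entered on -j hands the packet
    back to its caller when it ends (or RETURNs) without a verdict."""
    for r in rules:
        if r["chain"] != chain or not matches(r, p):
            continue
        tgt = r["target"]
        if tgt in TERMINAL:
            return tgt
        if tgt in NON_TERMINAL:
            continue
        if tgt == "RETURN":
            break
        sub = verdict(rules, p, chain=tgt, policy=None)
        if sub is not None:
            return sub
    return policy


def packet(proto, sport, dport, state="NEW", oif="eth1", dst="203.0.113.10"):
    return {"proto": proto, "sport": sport, "dport": dport, "state": state, "oif": oif, "dst": dst}


# Constructed packets leaving the server (203.0.113.10 is a documentation address).
SSH_CLIENT_SYN = packet("tcp", 40213, 22)    # the server opening ssh to a remote host
HTTP_CLIENT_SYN = packet("tcp", 40214, 80)   # lynx / dselect fetching a page
DNS_QUERY = packet("udp", 51000, 53)         # resolver lookup that precedes the HTTP connect
LOCAL_SMTP = packet("tcp", 40215, 25, oif="lo", dst="127.0.0.1")
SSHD_REPLY = packet("tcp", 22, 50123, state="ESTABLISHED")  # local sshd answering a session

# Post #9 as written (variables replaced by their values): source-port rules.
POST9 = load("""
-A OUTPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --sport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
""")
# Post #15: the stripped-down chain from the iptables-save output.
POST15 = load("""
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j CHECK_OUTPUT_TRAFFIC
-A CHECK_OUTPUT_TRAFFIC -p tcp -m tcp --dport 80 -j ACCEPT
-A CHECK_OUTPUT_TRAFFIC -j DROP
""")
# Assumed hardened chain (constructed, not from the thread): loopback first, then
# reply traffic, then a short list of destination ports for NEW connections, DNS included.
HARDENED = load("""
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j CHECK_OUTPUT_TRAFFIC
-A CHECK_OUTPUT_TRAFFIC -p udp --dport 53 -m state --state NEW -j ACCEPT
-A CHECK_OUTPUT_TRAFFIC -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A CHECK_OUTPUT_TRAFFIC -p tcp -m multiport --dports 22,80,443,465,993 -m state --state NEW -j ACCEPT
-A CHECK_OUTPUT_TRAFFIC -j DROP
""")

if __name__ == "__main__":
    packets = [("ssh client SYN", SSH_CLIENT_SYN), ("http client SYN", HTTP_CLIENT_SYN),
               ("dns query", DNS_QUERY), ("loopback smtp", LOCAL_SMTP), ("sshd reply", SSHD_REPLY)]
    for name, rules in (("post #9", POST9), ("post #15", POST15), ("hardened", HARDENED)):
        for pname, p in packets:
            print(f"{name:9} {pname:16} -> {verdict(rules, p)}")
```

Run it directly to print a verdict table for each ruleset. On the real machine the same gap is visible without a simulator: the per-rule counters from `iptables -vnL CHECK_OUTPUT_TRAFFIC` show the final DROP rule counting packets while the port 80 rule stays idle, and a plain `host` lookup fails before any HTTP request is attempted.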
 
  

