LinuxQuestions.org

Linux - Security: Blocking almost everything with iptables (https://www.linuxquestions.org/questions/linux-security-4/blocking-almost-everything-with-iptables-596918/)

GeneralDark 11-03-2007 03:50 PM

Blocking almost everything with iptables
 
Hello.
For several days I've been trying to create firewall rules in iptables for my router. I've tried several scripts found on the net but I can't get it to work.
What I want it to do is to:

* Deny everything from the outside, except a few specified rules (like established connections and such)
* Deny all traffic out, except the traffic on a few specified ports
* Masquerade the local LAN

Example: I want to be able to ssh (doesn't matter on what port) to the firewall.
I also want the firewall to block all the traffic from the inside that I haven't allowed, in case one of the machines gets compromised.

I would like to point out that I'll happily write the rules myself, to hopefully learn something, so if someone could explain how to do it, it would be really appreciated. If you want to write the rules anyway, if that's easier, that's fine. Please just try to have a few comments explaining what they do.

I'm posting my own rules here, for you to take a look if you like.
Code:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -N logdrop
iptables -A logdrop -j LOG
iptables -A logdrop -j DROP

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW NOT SYN "
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

iptables -A INPUT --source 192.168.0.0/24 -j DROP
iptables -A INPUT --source 172.16.0.0/16 -j DROP

iptables -A INPUT --in-interface lo --source 127.0.0.0/8 -j ACCEPT

iptables -A INPUT --in-interface ! lo --source 127.0.0.0/8 -j DROP

iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT

#SSH
iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
iptables -A OUTPUT -p tcp --destination-port 22 -j ACCEPT

#WWW
iptables -A OUTPUT -p tcp --destination-port 80 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -j logdrop

Hopefully someone understands my question and knows how to help me :)
Sorry for my bad English.
Thanks in advance.

win32sux 11-03-2007 04:27 PM

Here's a script to get you started (based on the one I use myself at home):
Code:

#!/bin/sh

IPT="/sbin/iptables"
LAN_IFACE="eth1"
WAN_IFACE="eth0"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

# The ubiquitous INPUT rules:
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# Make sure any incoming TCP packets of state NEW are proper SYNs:
$IPT -A INPUT -p TCP ! --syn -m state --state NEW -j LOG --log-prefix "NEW NOT SYN: "
$IPT -A INPUT -p TCP ! --syn -m state --state NEW -j DROP

# Allow SSH from the LAN to this box:
$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 22 -m state --state NEW -j ACCEPT

# Allow SSH from the WAN (Internet) to this box:
#$IPT -A INPUT -p TCP -i $WAN_IFACE --dport 22 -m state --state NEW -j ACCEPT

# Log other packets before they get sent to DROP by our policy:
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

# The ubiquitous OUTPUT rules:
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow this box to surf the WWW:
$IPT -A OUTPUT -p TCP -o $WAN_IFACE --dport 80 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o $WAN_IFACE --dport 443 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p UDP -o $WAN_IFACE --dport 53 -m state --state NEW -j ACCEPT

# Log other packets before they get sent to DROP by our policy:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "

# The ubiquitous FORWARD rule:
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow boxes on the LAN to surf the WWW:
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE --dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE --dport 53 -m state --state NEW -j ACCEPT

# Log other packets before they get sent to DROP by our policy:
$IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

# Do IP masquerading for boxes on the LAN:
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

Let me know if you have any questions. BTW, what distro are you using (maybe add it to your profile)?

GeneralDark 11-04-2007 11:41 AM

Thanks a lot for the rules :D
I'm using Gentoo 2007.
I'll try the rules out and come back to tell how it went :)

GeneralDark 11-04-2007 03:59 PM

OK, so I copied the rules and made the script executable.
There's one "but" though: when I execute the script nothing happens.
iptables -L doesn't show anything, and by that I mean nothing at all. There's just a "new line" after that, not the usual text about the different chains and such. What am I doing wrong?
It's not only this script that acts like this, BTW.
Edit: Forgot to say that even the scripts that used to work (even if I managed to lock myself out with them) aren't working.

Tried making a normal script with:
Code:

#!/bin/bash
echo "hello"

That worked, so I guess there's something wrong with my scripts.
I've tried substituting iptables for all the $IPTs and so on, still nothing.

Thanks for any help if anyone has experience with this; all iptables scripts behave like this. Sorry if this is in the wrong forum.

win32sux 11-04-2007 04:10 PM

You don't need to replace the $IPTs. Just make sure the IPT="" at the top has the right path to your iptables binary. Do you not get some sort of error message when you execute? You're doing this as root, right? Ummm... wait a second... You're saying you get absolutely nothing when you do an "iptables -L"? Something is definitely not right somewhere. Does your kernel have proper iptables support? Not sure what could be wrong.

PS: I just tested the script and it executes fine here.

GeneralDark 11-04-2007 04:41 PM

I do have proper support for iptables, I think; at least I have almost everything loaded into the kernel (from iptables).
Let's just say I've compiled the kernel for as much support for iptables as possible. Also, I've compiled it for DNS and DHCP support, if that could help in any way in figuring this problem out.

Is there any way to post my kernel config? Except for cat /usr/src/linux/.config (since it's _very_ long and doesn't really say anything if you don't know the names of the modules).
Thanks in advance.

Edit: Yes, I'm doing this as root. And I get absolutely nothing from executing the scripts.

win32sux 11-04-2007 06:50 PM

The whole config would be too large to post. Maybe grep it for "NETFILTER" and stuff like that. Here's mine FWIW:
Code:

win32sux@candystore:~$ cat /boot/config-2.6.22-14-generic | grep NETFILTER
CONFIG_BRIDGE_NETFILTER=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
win32sux@candystore:~$

Code:

win32sux@candystore:~$ cat /boot/config-2.6.22-14-generic | grep IPTABLES
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP6_NF_IPTABLES=m
win32sux@candystore:~$

Code:

win32sux@candystore:~$ cat /boot/config-2.6.22-14-generic | grep _NF_
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_IPRANGE=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
# CONFIG_NF_CONNTRACK_SANE is not set
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CT_PROTO_GRE=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_TFTP=m
CONFIG_DECNET_NF_GRABULATOR=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_MATCH_AH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_MH=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_QUEUE=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IPV6=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CT_PROTO_SCTP=m
CONFIG_NF_NAT_H323=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_SNMP_BASIC=m
win32sux@candystore:~$


GeneralDark 11-05-2007 04:11 AM

Solved it :)
After recompiling iptables it works again :)
Thanks for the help =)

GeneralDark 11-07-2007 11:13 AM

OK, sorry to be back. The problem is that I can't do anything but ssh on the WAN interface, in and out. When trying to ping or surf or whatever, it always times out. When I remove the rules, everything is fine again. I admit, I did edit the script, but only stuff that I thought was safe... However, when I try to ping or nslookup a DNS name, it finds the IP address of the name, even for those that I haven't visited, so apparently some traffic is going out and back. Also, when I try to surf, links is trying to connect, so I guess the packets are going to the server but not back.
While trying to fix this firewall I'm behind a hardware router; this is what it looks like:
http://static3.filefront.com/images/...rrmgueohyr.jpg

After editing the script to the following, both my friends and I have tried to figure out what's wrong:
Code:

#!/bin/sh

IPT="/sbin/iptables"
LAN_IFACE="eth0"
WAN_IFACE="eth1"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

# The ubiquitous INPUT rules:
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# Make sure any incoming TCP packets of state NEW are proper SYNs:
$IPT -A INPUT -p TCP ! --syn -m state --state NEW -j LOG --log-prefix "NEW NOT SYN: "
$IPT -A INPUT -p TCP ! --syn -m state --state NEW -j DROP

# Allow SSH from the LAN to this box:
$IPT -A INPUT -p TCP -i $LAN_IFACE --dport 22 -m state --state NEW -j ACCEPT

# Allow SSH from the WAN (Internet) to this box:

# Log other packets before they get sent to DROP by our policy:
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
# The ubiquitous OUTPUT rules:
$IPT -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow this box to surf the WWW:
$IPT -A OUTPUT -p TCP -o $WAN_IFACE --dport 80 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o $WAN_IFACE --dport 443 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p UDP -o $WAN_IFACE --dport 53 -m state --state NEW -j ACCEPT
#$IPT -A OUTPUT -p TCP -o $WAN_IFACE --dport 53 -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -p tcp -o $WAN_IFACE --dport 'rsync' -m state --state NEW -j ACCEPT

# Log other packets before they get sent to DROP by our policy:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "

# The ubiquitous FORWARD rule:
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow boxes on the LAN to surf the WWW:
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE --dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE --dport 53 -m state --state NEW -j ACCEPT

#Allow services @ LAN -> WAN
#Torrent
$IPT -A FORWARD -p tcp -i $LAN_IFACE -o $WAN_IFACE --dport 58052 -m state --state NEW -j ACCEPT
#IRC
$IPT -A FORWARD -p tcp -i $LAN_IFACE -o $WAN_IFACE --dport 'ircd' -m state --state NEW -j ACCEPT
#MSN
$IPT -A FORWARD -p tcp -i $LAN_IFACE -o $WAN_IFACE --dport 1863 -m state --state NEW -j ACCEPT
#ICQ
$IPT -A FORWARD -p tcp -i $LAN_IFACE -o $WAN_IFACE --dport 5190 -m state --state NEW -j ACCEPT

#Portforward
#Torrent
$IPT -t nat -A PREROUTING -i eth1 -p tcp -d 58052 -j DNAT --to 10.0.0.50:58052
$IPT -A FORWARD -i eth1 -o eth0 -p tcp -d 10.0.0.50 -j ACCEPT
$IPT -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 10.0.0.50

#Remote desktop
$IPT -t nat -A PREROUTING -i eth1 -p tcp -d 3398 -j DNAT --to 10.0.0.50:3389
$IPT -A FORWARD -i eth1 -o eth0 -p tcp -d 10.0.0.50 -j ACCEPT
$IPT -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 10.0.0.50

# Log other packets before they get sent to DROP by our policy:
$IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

# Do IP masquerading for boxes on the LAN
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

Thankful for a bit more help :)

Edit: How do I link images? :S [img] doesn't work like in phpBB...

win32sux 11-07-2007 12:06 PM

Quote:

Originally Posted by GeneralDark (Post 2951141)
Ok, sorry to be back. The problem is that I cant do anything but ssh on the WAN interface, in and out.

Is this on the router itself or on LAN clients?

Quote:

When trying to ping or surf or whatever it always timeout.
Well, the ping timeout is understandable, as there are no rules allowing pings. In any case, the script I posted logs any packet which is filtered, so take a look at the log file while attempting to surf in order to see what is happening. If you post the relevant lines from the log, we can help determine why it is happening.

GeneralDark 11-07-2007 03:05 PM

I am SSHing from the other machine in the picture, 192.168.0.2, into the Gentoo router's WAN interface.
Sorry that it didn't cross my mind to check the logs, should have been obvious... Anyway, here's the output of it:
Code:

Nov  7 22:00:01 firewall cron[32202]: PAM [dlerror: /lib/security/pam_limits.so: symbol pam_syslog, version LIBPAM_EXTENSION_1.0 not defined in file libpam.so.0 with link time reference]
Nov  7 22:00:01 firewall cron[32202]: PAM adding faulty module: /lib/security/pam_limits.so
Nov  7 22:00:01 firewall cron[32202]: Module is unknown

Am I reading this correctly, that I would need another module in the kernel?
/var/log/messages is the correct file to read, right?
/var/log/dmesg contains the following (I only pasted the last lines):
Code:

Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (4096 buckets, 16384 max)
ctnetlink v0.93: registering with nfnetlink.
ip_tables: (C) 2000-2006 Netfilter Core Team
ClusterIP Version 0.8 loaded successfully
arp_tables: (C) 2002 David S. Miller
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
Using IPI Shortcut mode
kjournald starting.  Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
VFS: Mounted root (ext3 filesystem) readonly.
Freeing unused kernel memory: 284k freed
EXT3 FS on hda3, internal journal
EXT2-fs warning (device hda1): ext2_fill_super: mounting ext3 filesystem as ext2
Adding 498004k swap on /dev/hda2.  Priority:-1 extents:1 across:498004k

I don't find anything in any of them that's interesting, really. The PAM thing is the login system, right?

BTW, can I have the logs from iptables in a separate logfile?

win32sux 11-07-2007 05:04 PM

Actually I was expecting to see "DROP" entries in the /var/log/syslog file.

You should try to SSH to the LAN side in addition to the WAN side.

GeneralDark 11-08-2007 02:31 PM

I did a cat /var/log/messages | grep DROP (I don't have any /var/log/syslog; the syslog-ng conf file only refers to this file anyway).
Here are some of the results (I cut most of it and replaced my MAC addresses):
MAC with only xx = eth0 (LAN interface)
MAC with only yy = the interface in my box that's connected to the Gentoo box directly (on the Gentoo box's LAN, eth0, interface)
Code:

Nov  8 21:14:51 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=16883 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:14:52 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=18505 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:14:54 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=19915 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:14:57 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=22917 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:14:58 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=24555 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:00 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=25990 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:00 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=25999 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:01 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=27576 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:03 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=28963 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:03 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=28969 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:04 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=30297 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:06 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=31966 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:06 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=31971 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:07 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=33505 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:09 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=35031 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:12 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=38221 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:13 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=39679 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:15 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=41080 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:15 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=41082 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:16 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=42642 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:18 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=47474 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:18 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=47518 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:15:19 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=56891 PROTO=UDP SPT=137 DPT=137 LEN=76

I did find another interesting line though; it tries to, via broadcast, search for the domain (if I understood it correctly).
eth0: LAN interface
eth1: WAN interface
192.168.0.2: my computer on the WAN network (seen from the Gentoo box's view)
10.0.0.100: my computer on the LAN network (seen from the Gentoo box's view)
10.0.0.1: Gentoo eth0 (LAN)
firewall = the Gentoo box's hostname

Edit: found the following line as well:
Code:

Nov  8 21:16:56 firewall INPUT DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:yy:yy SRC=10.0.0.100 DST=10.255.255.255 LEN=244 TOS=0x00 PREC=0x00 TTL=128 ID=23322 PROTO=UDP SPT=138 DPT=138 LEN=224
If I read the logs right, the box is trying to find the domains on the local network.

Did it bring any light?
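
An added example, not from the thread: a small shell/awk tool that summarises the "INPUT DROP: ", "OUTPUT DROP: " and "FORWARD DROP: " lines the script's LOG rules write, so the dropped traffic can be read at a glance (chain, interfaces, protocol, destination port, hit count) instead of line by line as above. The sample lines embedded in it are constructed to match the posted format; the MACs are placeholders, 192.168.0.5 is an assumed WAN address for the router, and the FORWARD and OUTPUT lines are invented to exercise the other two chains.

```sh
#!/bin/sh
# Added example (not from the thread): summarise iptables LOG output.
# Pipe syslog lines in, get one row per (chain, in, out, proto, dport) with
# a hit count, highest first, e.g.:
#   grep ' DROP: ' /var/log/messages | drop_summary
set -eu

# Constructed sample in the format of the lines posted above. MAC addresses
# are placeholders; 192.168.0.5 is an assumed WAN address for the router, and
# the FORWARD/OUTPUT lines are invented to exercise the other two chains.
SAMPLE_LOG='Nov  8 21:14:51 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:08:00 SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=16883 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:14:52 firewall INPUT DROP: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:yy:yy:yy:yy:yy:yy:08:00 SRC=10.0.0.100 DST=10.0.0.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=18505 PROTO=UDP SPT=137 DPT=137 LEN=76
Nov  8 21:16:56 firewall INPUT DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:yy:yy:yy:yy:yy:yy:08:00 SRC=10.0.0.100 DST=10.255.255.255 LEN=244 TOS=0x00 PREC=0x00 TTL=128 ID=23322 PROTO=UDP SPT=138 DPT=138 LEN=224
Nov  8 21:17:03 firewall FORWARD DROP: IN=eth0 OUT=eth1 SRC=10.0.0.100 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=4402 DF PROTO=TCP SPT=4120 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  8 21:17:10 firewall OUTPUT DROP: IN= OUT=eth1 SRC=192.168.0.5 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Nov  8 21:17:11 firewall cron[32202]: PAM adding faulty module: /lib/security/pam_limits.so'

# drop_summary: read LOG lines on stdin; lines without a "<CHAIN> DROP: "
# prefix (like the cron/PAM noise above) are ignored. Output columns are
# tab-separated: count, chain, in-iface, out-iface, proto, dport, service.
drop_summary() {
    awk '
    BEGIN {
        # a few well-known ports, so the summary explains itself; 137/138
        # are the NetBIOS name/datagram services seen in the thread
        name["UDP/53"] = "dns";  name["UDP/137"] = "netbios-ns"
        name["UDP/138"] = "netbios-dgm"; name["TCP/22"] = "ssh"
        name["TCP/25"] = "smtp"; name["TCP/80"] = "http"; name["TCP/443"] = "https"
    }
    / (INPUT|OUTPUT|FORWARD) DROP: / {
        chain = ""; in_if = "-"; out_if = "-"; proto = "-"; dport = "-"
        for (i = 1; i <= NF; i++) {
            if ($(i + 1) == "DROP:" && $i ~ /^(INPUT|OUTPUT|FORWARD)$/) chain = $i
            else if ($i ~ /^IN=./)   in_if  = substr($i, 4)   # empty IN= stays "-"
            else if ($i ~ /^OUT=./)  out_if = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto  = substr($i, 7)
            else if ($i ~ /^DPT=/)   dport  = substr($i, 5)   # absent for ICMP
        }
        if (chain == "") next
        pk = proto "/" dport
        svc = (pk in name) ? name[pk] : "-"
        count[chain "\t" in_if "\t" out_if "\t" proto "\t" dport "\t" svc]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2,2 -k6,6n
}

# Demo on the constructed sample; on a real box feed it /var/log/messages.
printf 'count\tchain\tin\tout\tproto\tdport\tservice\n'
printf '%s\n' "$SAMPLE_LOG" | drop_summary
```

On the sample, the two UDP/137 hits from 10.0.0.100 come out on top, which is the NetBIOS name-service chatter visible in the post above; a chain/port pair you expected to be allowed showing up here means the rule for it is missing or ordered after the LOG rule.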

win32sux 11-08-2007 03:10 PM

Those look like Samba packets. You don't have any Samba rules, so the script seems to be working as it should.

GeneralDark 11-08-2007 03:29 PM

Quote:

Originally Posted by win32sux (Post 2952539)
Those look like Samba packets. You don't have any Samba rules, so the script seems to be working as it should.

I don't have Samba installed :S

