Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 07-02-2015, 02:53 PM   #1
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420
Blog Entries: 4

iptables question on input rules to various subnets


The previous Linux admin made two types of INPUT rules that go to two different subnets:


Code:
Chain INPUT-156-SUBNET (1 references)
Chain INPUT-220-SUBNET (1 references)

If I look under INPUT, I see the following rules:


Code:
157K 37M INPUT-156-SUBNET all -- * * 0.0.0.0/0 0.0.0.0/0
157K 37M INPUT-220-SUBNET all -- * * 0.0.0.0/0 0.0.0.0/0


I'm guessing these rules are pointing or directing traffic to the other chains, correct?

My other question is: how did the previous admin create the INPUT rules for the different subnets?
 
Old 07-02-2015, 03:30 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

I don't know about others but I prefer 'iptables-save' output to look at.
 
Old 07-02-2015, 06:11 PM   #3
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420

Original Poster
Blog Entries: 4

This is an issue I'm having at work and won't be able to post a full output till early next week.

Let me just say that the previous admin was using the INPUT chain to assign rules to computers on a case-by-case basis. Well people and computers come and go, along with DHCP reservations, so this is making it very hard to manage.

I tried to add a whole subnet under INPUT, however the end users still can't get access, and I noticed that there were two INPUT chains for those subnets and thought maybe the traffic was hitting the INPUT chain and then, once it had a match, was forwarded to those subnet rules... I'm still learning about IPTables here.

thanks

Last edited by JockVSJock; 07-02-2015 at 06:14 PM.
 
Old 07-03-2015, 04:03 AM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Quote:
Originally Posted by unSpawn
I don't know about others but I prefer 'iptables-save' output to look at.
One more vote for 'iptables-save'. If your rules are generated from a bash script, posting the script is fine, too. iptables -S is ok, but, oddly, iptables -L (which is what most people go for, presumably 'L' sounding like 'list') is wholly inadequate, and just leads to confusion.

Any output is code and should be posted in code tags. Just easier to read.

The other thing to note is that we get loads of '...and what does this rule do...'. This is usually an unanswerable question (except in the trivial sense that a match rule matches with something, a drop rule drops something, etc.) without the context of the rest of the relevant rules. The easiest thing is usually just to post the whole shebang; some people are, probably understandably, nervous about this. If you need to obfuscate addresses, just do it and say 'w.x.y.z is address of DNS server' or whatever seems relevant.

From the man page:
Code:
      -L, --list [chain]
              List  all  rules in the selected chain.  If no chain is selected, all chains are listed. Like every other iptables command, it applies to the specified table (filter is the default), so NAT
              rules get listed by
               iptables -t nat -n -L
              Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups.  It is legal to specify the -Z (zero) option as well, in which case the  chain(s)  will  be
              atomically listed and zeroed.  The exact output is affected by the other arguments given. The exact rules are suppressed until you use
               iptables -L -v

       -S, --list-rules [chain]
              Print  all  rules in the selected chain.  If no chain is selected, all chains are printed like iptables-save. Like every other iptables command, it applies to the specified table (filter is
              the default).
 
Old 07-06-2015, 08:49 AM   #5
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420

Original Poster
Blog Entries: 4

Ok, here is the full IPTable ruleset for the server that I'm having issues with:

Again, my main goal is to prevent having to enter in ip addresses for individual machines under INPUT rules, especially when people are coming and going along with DHCP leases.

I want to be able to assign a whole subnet (156) and anyone in that subnet will be able to SSH into this server.


There are two rules under INPUT

Code:
-A INPUT -j INPUT-156-SUBNET 
-A INPUT -j INPUT-220-SUBNET
I'm thinking that these are forwarding traffic into these subnets of 156 and 220; however, I'm not totally sure.


Code:
# Generated by iptables-save v1.3.5 on Mon Jul  6 08:25:14 2015
*nat
:PREROUTING ACCEPT [435042:42940729]
:POSTROUTING ACCEPT [59973:3749655]
:OUTPUT ACCEPT [76816:4848931]
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -d ! 192.168.122.0/255.255.255.0 -j MASQUERADE 
COMMIT
# Completed on Mon Jul  6 08:25:14 2015
# Generated by iptables-save v1.3.5 on Mon Jul  6 08:25:14 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:INPUT-156-SUBNET - [0:0]
:INPUT-220-SUBNET - [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -p udplite -j DROP 
-A INPUT -s 143.83.156.0/255.255.252.0 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A INPUT -s 143.83.140.XX -p udp -m udp --dport 123 -j ACCEPT 
-A INPUT -s 143.83.140.XX -p udp -m udp --dport 123 -j ACCEPT 
-A INPUT -s 143.83.220.X -p udp -m udp --dport 123 -j ACCEPT 
-A INPUT -s 143.83.220.X -p udp -m udp --dport 123 -j ACCEPT 
-A INPUT -s 143.83.221.XXX -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -s 143.83.221.XXX -p tcp -m multiport --ports 443,1521,1158,5560 -j ACCEPT 
-A INPUT -s 143.83.158.XXX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT 
-A INPUT -s 143.83.156.XX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT 
-A INPUT -s 143.83.156.XX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT 
-A INPUT -s 143.83.157.XX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT 
-A INPUT -s 143.83.159.XXX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT 
-A INPUT -s 143.83.220.XXX -p tcp -m multiport --ports 22,1521 -j ACCEPT 
-A INPUT -s 143.83.220.XX -p tcp -m tcp --dport 8505:8535 -j ACCEPT 
-A INPUT -s 143.83.220.XX -p tcp -m tcp --dport 8400:8404 -j ACCEPT 
-A INPUT -s 143.83.220.XX -p tcp -m tcp --dport 8505:8535 -j ACCEPT 
-A INPUT -s 143.83.220.XX -p tcp -m tcp --dport 8400:8404 -j ACCEPT 
-A INPUT -s 143.83.220.XX -p tcp -m tcp -j ACCEPT 
-A INPUT -s 143.83.220.XX -p tcp -m tcp -j ACCEPT 
-A INPUT -s 128.44.113.XX -p tcp -m multiport --ports 80,443,591,8443 -j ACCEPT 
-A INPUT -s 143.83.220.XXX -p tcp -m tcp --dport 443 -j ACCEPT 
-A INPUT -s 143.83.220.XXX -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -s 143.83.220.XXX -p tcp -m tcp --dport 9898 -j ACCEPT 
-A INPUT -s 143.83.220.XXX -p udp -m udp --dport 514 -j ACCEPT 
-A INPUT -s 143.83.221.XXX -p tcp -m tcp --dport 5560 -j ACCEPT 
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 5560 -j ACCEPT 
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 5560 -j ACCEPT 
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 5560 -j ACCEPT 
-A INPUT -s 143.83.221.XXX -p tcp -m tcp --dport 1158 -j ACCEPT 
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 1158 -j ACCEPT 
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 1158 -j ACCEPT 
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 1158 -j ACCEPT 
-A INPUT -s 143.83.221.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A INPUT -s 143.83.221.XX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A INPUT -s 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A INPUT -s 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A INPUT -s 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A INPUT -s 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A INPUT -s 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A INPUT -s 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A INPUT -s 143.83.220.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A INPUT -s 143.83.220.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A INPUT -s 143.83.159.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A INPUT -s 143.83.159.XX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A INPUT -s 143.83.159.XX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A INPUT -s 143.83.223.XXX -p tcp -m tcp -j ACCEPT 
-A INPUT -s 143.83.223.XXX -p tcp -m tcp -j ACCEPT 
-A INPUT -s 143.83.223.XXX -p tcp -m tcp -j ACCEPT 
-A INPUT -s 143.83.223.XXX -p tcp -m tcp -j ACCEPT 
-A INPUT -s 143.83.223.XXX -p tcp -m tcp -j ACCEPT 
-A INPUT -s 143.83.223.XXX -p tcp -m tcp -j ACCEPT 
-A INPUT -s 143.83.223.XXX -p tcp -m tcp -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP 
-A INPUT -j INPUT-156-SUBNET 
-A INPUT -j INPUT-220-SUBNET 
-A INPUT -j RH-Firewall-1-INPUT 
-A INPUT -s 127.0.0.1 -p tcp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -j DROP 


-A FORWARD -j RH-Firewall-1-INPUT 
-A FORWARD -d 127.0.0.1 -p tcp -j ACCEPT 
-A FORWARD -o lo -j ACCEPT 
-A FORWARD -j DROP 


-A OUTPUT -d 127.0.0.1 -p tcp -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 25 -j DROP 
-A OUTPUT -d 143.83.221.XXX -p tcp -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -j ACCEPT 
-A OUTPUT -d 143.83.220.XX -p tcp -m tcp --dport 8505:8535 -j ACCEPT 
-A OUTPUT -d 143.83.220.XX -p tcp -m tcp --dport 8400:8404 -j ACCEPT 
-A OUTPUT -d 143.83.220.XX -p tcp -m tcp --dport 8505:8535 -j ACCEPT 
-A OUTPUT -d 143.83.220.XX -p tcp -m tcp --dport 8400:8404 -j ACCEPT 
-A OUTPUT -d 143.83.220.XX -p tcp -m tcp -j ACCEPT 
-A OUTPUT -d 143.83.220.XX -p tcp -m tcp -j ACCEPT 
-A OUTPUT -d 128.44.113.XX -p tcp -m multiport --ports 80,443,591,8443 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p udp -m udp --dport 32769 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 32803 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p udp -m udp --dport 2049 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 2049 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p udp -m udp --dport 892 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 892 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p udp -m udp --dport 662 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 662 -j ACCEPT 
-A OUTPUT -d 143.83.221.XXX -p udp -m udp --dport 32769 -j ACCEPT 
-A OUTPUT -d 143.83.221.XXX -p tcp -m tcp --dport 32803 -j ACCEPT 
-A OUTPUT -d 143.83.221.XXX -p udp -m udp --dport 2049 -j ACCEPT 
-A OUTPUT -d 143.83.221.XXX -p tcp -m tcp --dport 2049 -j ACCEPT 
-A OUTPUT -d 143.83.221.XXX -p udp -m udp --dport 892 -j ACCEPT 
-A OUTPUT -d 143.83.221.XXX -p tcp -m tcp --dport 892 -j ACCEPT 
-A OUTPUT -d 143.83.221.XXX -p udp -m udp --dport 662 -j ACCEPT 
-A OUTPUT -d 143.83.221.XXX -p tcp -m tcp --dport 662 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p udp -m udp --dport 111 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 111 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 443 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 9898 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p udp -m udp --dport 514 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 60 -j ACCEPT 
-A OUTPUT -d 143.83.158.XXX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT 
-A OUTPUT -d 143.83.156.XX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT 
-A OUTPUT -d 143.83.156.XX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT 
-A OUTPUT -d 143.83.157.XX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT 
-A OUTPUT -d 143.83.159.XXX -p tcp -m multiport --ports 22,1521,1158,5560 -j ACCEPT 
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A OUTPUT -d 143.83.220.XXX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A OUTPUT -d 143.83.159.XX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A OUTPUT -d 143.83.157.XX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A OUTPUT -d 143.83.157.XX -p tcp -m tcp --dport 1521 -j ACCEPT 
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp -j ACCEPT 
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp -j ACCEPT 
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp -j ACCEPT 
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp -j ACCEPT 
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp -j ACCEPT 
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp -j ACCEPT 
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp -j ACCEPT 
-A OUTPUT -d 143.83.223.XXX -p tcp -m tcp -j ACCEPT 
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP 
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT 
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -j DROP 


-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p udp -m udp --dport 32769 -j ACCEPT 
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p tcp -m tcp --dport 32769 -j ACCEPT 
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p udp -m udp --dport 32803 -j ACCEPT 
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p tcp -m tcp --dport 32803 -j ACCEPT 
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p udp -m udp --dport 2049 -j ACCEPT 
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p tcp -m tcp --dport 2049 -j ACCEPT 
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p udp -m udp --dport 892 -j ACCEPT 
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p tcp -m tcp --dport 892 -j ACCEPT 
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p udp -m udp --dport 662 -j ACCEPT 
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p tcp -m tcp --dport 662 -j ACCEPT 
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p udp -m udp --dport 111 -j ACCEPT 
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p tcp -m tcp --dport 111 -j ACCEPT 


-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p udp -m udp --dport 32769 -j ACCEPT 
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p tcp -m tcp --dport 32769 -j ACCEPT 
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p udp -m udp --dport 32803 -j ACCEPT 
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p tcp -m tcp --dport 32803 -j ACCEPT 
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p udp -m udp --dport 2049 -j ACCEPT 
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p tcp -m tcp --dport 2049 -j ACCEPT 
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p udp -m udp --dport 892 -j ACCEPT 
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p tcp -m tcp --dport 892 -j ACCEPT 
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p udp -m udp --dport 662 -j ACCEPT 
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p tcp -m tcp --dport 662 -j ACCEPT 
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p udp -m udp --dport 111 -j ACCEPT 
-A INPUT-220-SUBNET -s 143.83.220.0/255.255.252.0 -p tcp -m tcp --dport 111 -j ACCEPT 


-A RH-Firewall-1-INPUT -i lo -j ACCEPT 
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
-A RH-Firewall-1-INPUT -p esp -j ACCEPT 
-A RH-Firewall-1-INPUT -p ah -j ACCEPT 
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT 
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT 
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Mon Jul  6 08:25:14 2015
 
Old 07-06-2015, 04:44 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

I'm sorry to say but that filter table rule set is a complete mess:
- there's a DROP policy and then somebody drops udplite protocol anyway?..
- about the only rule using -m state is RELATED,ESTABLISHED in RH-Firewall-1-INPUT,
- the line above the final REJECT in RH-Firewall-1-INPUT allows TCP/22 to ALL (basically neutralizing all the TCP/22 access rules above),
- somebody uses -m multiport in some places and then in some not AND for the same source IP range,
- then there's multiple duplicate rules for the same source IP range,
- and somebody defined INPUT-156-SUBNET rules in the most inefficient way (instead use "-A INPUT -m conntrack --ctstate NEW -s 143.83.156.0/255.255.252.0 -j INPUT-156-SUBNET" then you only need one -m multiport rule per UDP/TCP protocol in the INPUT-156-SUBNET chain).

I would very much urge you to clean up your rule set first. If you don't want to do that (for reasons unfathomable) then the easiest, quickest way to debug this and understand traversal is to have a "-j LOG" rule precede any DROP or REJECT rules.
 
Old 07-06-2015, 08:30 PM   #7
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420

Original Poster
Blog Entries: 4

Quote:
Originally Posted by unSpawn
I'm sorry to say but that filter table rule set is a complete mess:
- there's a DROP policy and then somebody drops udplite protocol anyway?..
- about the only rule using -m state is RELATED,ESTABLISHED in RH-Firewall-1-INPUT,
- the line above the final REJECT in RH-Firewall-1-INPUT allows TCP/22 to ALL (basically neutralizing all the TCP/22 access rules above),
- somebody uses -m multiport in some places and then in some not AND for the same source IP range,
- then there's multiple duplicate rules for the same source IP range,
- and somebody defined INPUT-156-SUBNET rules in the most inefficient way (instead use "-A INPUT -m conntrack --ctstate NEW -s 143.83.156.0/255.255.252.0 -j INPUT-156-SUBNET" then you only need one -m multiport rule per UDP/TCP protocol in the INPUT-156-SUBNET chain).

I would very much urge you to clean up your rule set first. If you don't want to do that (for reasons unfathomable) then the easiest, quickest way to debug this and understand traversal is to have a "-j LOG" rule precede any DROP or REJECT rules.
Thanks for looking at this.

I do want to clean up this ruleset, it is a mess and unmanageable. I'm just not sure where to start and I'm still learning IPTables. Do you have any recommendations?

thanks
 
Old 07-07-2015, 01:13 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Read https://www.frozentux.net/documents/iptables-tutorial/, then post your cleaned up rule set (removing duplicate rules and combining same range different port numbers with -m multiport) and adding "-j LOG" rules and we'll correct / add / explain. Deal?
 
Old 07-07-2015, 06:17 AM   #9
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420

Original Poster
Blog Entries: 4

Quote:
Originally Posted by unSpawn
Deal?
Deal.

Looks like I've got some reading and note taking to do.

thanks
 
Old 07-07-2015, 04:55 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

You're welcome. Removing duplicate rules and combining same range different port numbers with -m multiport should be a task done in max half an hour. Post your results when you're ready and we'll commence.
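Post #1 asks what the `-j INPUT-156-SUBNET` rules do, post #6 sketches the consolidated layout (one NEW-gated jump per subnet, one multiport rule per protocol inside the chain, a LOG before the DROP) and posts #8 and #10 ask for duplicate rules to be removed before anything else is touched. The Python below is an added example, not code from the thread or from any poster. It parses a small iptables-save-style excerpt, traces constructed packets through INPUT and its user chains the way the kernel does (a user chain that matches nothing returns and the next INPUT rule is tried), lists duplicate rules, and reports where a cleaned-up ruleset written along the lines of post #6 accepts differently from the messy one. Both rulesets and all addresses are constructed excerpts modelled on the thread, not the poster's full dump, and the parser understands only the options those excerpts use.

```python
"""Added example: trace packets through an iptables filter ruleset the way the kernel does
(INPUT jumps into a user chain; an unmatched user chain returns and the next INPUT rule is
tried) and compare a cleaned-up ruleset with the messy one. Constructed excerpts, not the
poster's full dump; only -s/-p/--dport(s)/--ports/--state/--ctstate are understood."""
import shlex
from ipaddress import ip_address, ip_network
# "Before" (constructed): a duplicated rule, one rule per port in the subnet chain, and the
# RH-Firewall-1-INPUT rule that accepts NEW TCP/22 from any source.
MESSY = """
:INPUT DROP
:INPUT-156-SUBNET -
:RH-Firewall-1-INPUT -
-A INPUT -s 143.83.156.0/255.255.252.0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 143.83.156.10 -p tcp -m multiport --ports 22,1521 -j ACCEPT
-A INPUT -s 143.83.156.10 -p tcp -m multiport --ports 22,1521 -j ACCEPT
-A INPUT -j INPUT-156-SUBNET
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT-156-SUBNET -s 143.83.156.0/255.255.252.0 -p tcp -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# "After" (constructed, along the lines of post #6): one conntrack rule, a NEW-gated jump
# per subnet, one multiport rule per protocol inside the chain, a LOG before the final DROP.
CLEAN = """
:INPUT DROP
:INPUT-156-SUBNET -
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -s 143.83.156.0/255.255.252.0 -j INPUT-156-SUBNET
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
-A INPUT -j DROP
-A INPUT-156-SUBNET -p tcp -m multiport --dports 22,2049 -j ACCEPT
-A INPUT-156-SUBNET -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT-156-SUBNET -s 143.83.156.10 -p tcp -m tcp --dport 1521 -j ACCEPT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def port_set(spec):  # '22,1158:1160' -> {22, 1158, 1159, 1160}
    parts = [p.partition(":") for p in spec.split(",")]
    return {n for lo, _, hi in parts for n in range(int(lo), int(hi or lo) + 1)}

def parse(text):  # -> (policies, chains); a policy of None marks a user-defined chain
    policies, chains = {}, {}
    for line in text.strip().splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = (None if policy == "-" else policy), []
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rule = dict(src=None, proto=None, ports=None, states=None, target=None)
            for opt, arg in zip(tok[2::2], tok[3::2]):  # every option used here takes one argument
                if opt == "-s":
                    rule["src"] = ip_network(arg, strict=False)
                elif opt in ("-p", "-j"):
                    rule["proto" if opt == "-p" else "target"] = arg
                elif opt in ("--dport", "--dports", "--ports"):
                    rule["ports"] = port_set(arg)  # --ports also matches sport; modelled as dport only
                elif opt in ("--state", "--ctstate"):
                    rule["states"] = set(arg.split(","))
                elif opt not in ("-m", "--log-prefix", "--reject-with"):  # no match effect
                    raise ValueError(f"unsupported option {opt!r} in: {line}")
            chains[tok[1]].append(rule)
    return policies, chains

def matches(r, pkt):
    return ((r["src"] is None or ip_address(pkt["src"]) in r["src"])
            and r["proto"] in (None, pkt["proto"])
            and (r["ports"] is None or pkt["dport"] in r["ports"])
            and (r["states"] is None or pkt["state"] in r["states"]))

def verdict(ruleset, pkt, chain="INPUT"):  # terminal target, else the chain's policy
    policies, chains = ruleset
    for r in chains[chain]:
        if not matches(r, pkt):
            continue
        if r["target"] in TERMINAL:
            return r["target"]
        if r["target"] in chains:  # jump; when the user chain returns (None), try the next rule
            result = verdict(ruleset, pkt, r["target"])
            if result is not None:
                return result
        # LOG and other non-terminating targets fall through to the next rule
    return policies[chain]

def duplicate_rules(text):  # identical rule lines (whitespace-normalised), first-seen order
    seen, dups = set(), []
    for key in (" ".join(l.split()) for l in text.splitlines()):
        if key.startswith("-A ") and key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups

PROBES = [dict(src=s, proto=p, dport=d, state=st) for s, p, d, st in [  # constructed packets
    ("143.83.156.77", "tcp", 22, "NEW"), ("143.83.156.77", "udp", 2049, "NEW"),
    ("143.83.156.10", "tcp", 1521, "NEW"), ("143.83.156.77", "tcp", 8080, "NEW"),
    ("10.0.0.5", "tcp", 22, "NEW"), ("10.0.0.5", "tcp", 33000, "ESTABLISHED")]]

def accept_differences(before, after, probes=PROBES):  # probes whose accept/deny outcome differs
    rb, ra = parse(before), parse(after)
    outcomes = [(p, verdict(rb, p), verdict(ra, p)) for p in probes]
    return [(p["src"], p["proto"], p["dport"], p["state"], vb, va)
            for p, vb, va in outcomes if (vb == "ACCEPT") != (va == "ACCEPT")]

if __name__ == "__main__":
    print("duplicates:", duplicate_rules(MESSY))
    for d in accept_differences(MESSY, CLEAN):
        print("outcome changed:", d)
```

Run as is and the only changed outcome is NEW TCP/22 from 10.0.0.5: the messy set accepts it through RH-Firewall-1-INPUT's `--dport 22` rule (post #6's third point), the cleaned set logs and drops it, while the subnet's SSH and NFS access and the host-specific 1521 exception come out the same. One caveat on the thread's `-m multiport --ports` rules: `--ports` matches when either the source or the destination port is listed, so a rule written that way also accepts connections whose source port happens to be 22 or 1521; the cleaned ruleset uses `--dports`. The parser raises on any option it does not model rather than silently treating it as a wildcard, which is the failure mode to avoid in a tool like this.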
 
  


All times are GMT -5.