IPTABLES rules not working right
Hi,
I thought I had a properly written ruleset here, but when I sniffed the traffic I still see SNMP and traffic from a blocked machine (.250).
This box has antivirus s/w listening on the 9000 ports, so it preroutes to it.
My guess is the problem must be the first COMMIT, which should be removed. But before doing so I would like to get a second opinion on my rules.
#
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 9110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 9025
-A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j REDIRECT --to-ports 9021
COMMIT
*filter
# Set inbound rules
-N FW-INBOUND
-A FW-INBOUND -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FW-INBOUND -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# TCP packets with one or more bad flags
-N LBADFLAG
-A LBADFLAG -m limit --limit "2/s" --limit-burst "10" -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
-A LBADFLAG -j DROP
#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations
# (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)
-N CHECKBADFLAG
-A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
-A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
-A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
-A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
-A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
-A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG
# Don't allow any SMB beyond this point
-N SMB
-A SMB -p tcp --dport 137 -j DROP
-A SMB -p tcp --dport 138 -j DROP
-A SMB -p tcp --dport 139 -j DROP
-A SMB -p tcp --dport 445 -j DROP
-A SMB -p udp --dport 137 -j DROP
-A SMB -p udp --dport 138 -j DROP
-A SMB -p udp --dport 139 -j DROP
-A SMB -p udp --dport 445 -j DROP
-A SMB -p tcp --sport 137 -j DROP
-A SMB -p tcp --sport 138 -j DROP
-A SMB -p tcp --sport 139 -j DROP
-A SMB -p tcp --sport 445 -j DROP
-A SMB -p udp --sport 137 -j DROP
-A SMB -p udp --sport 138 -j DROP
-A SMB -p udp --sport 139 -j DROP
-A SMB -p udp --sport 445 -j DROP
# Trap any SNMP traffic
-N SNMP
-A SNMP -p udp --dport 161 -j DROP
-A SNMP -p udp --dport 162 -j DROP
# Don't allow traffic from this PC to exit
-N HOST
-A HOST -p tcp -s 192.168.0.250 -j DROP
-A HOST -p udp -s 192.168.0.250 -j DROP
-A HOST -p icmp -s 192.168.0.250 -j DROP
COMMIT
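Two properties of iptables-restore files are worth checking mechanically before loading them: a user-defined chain that is created with -N but never targeted by a -j or -g from INPUT, OUTPUT or FORWARD is never traversed, so its DROP rules have no effect on any packet; and every *table block must be terminated by its own COMMIT, so a COMMIT that closes *nat is required rather than surplus. The script below is an added example, not code from the original post or from any reply; the function names and the two constructed rulesets (a trimmed copy of the post's rules, and a variant with the chains hooked into INPUT and FORWARD) are mine. It is a pure-text lint, so it runs without an iptables binary or root.

```shell
#!/bin/sh
# Added example (not code from the original post): a static lint for an
# iptables-restore file. It reports user-defined chains that are created
# but never jumped to, and tables that are not closed by COMMIT.

# Constructed sample: a trimmed copy of the ruleset from the post. The
# filter-table chains are created with -N, but nothing in INPUT, OUTPUT or
# FORWARD jumps to them, so packets never traverse them.
RULESET='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9080
COMMIT
*filter
-N FW-INBOUND
-A FW-INBOUND -m state --state NEW -p tcp --dport 22 -j ACCEPT
-N SNMP
-A SNMP -p udp --dport 161 -j DROP
-N HOST
-A HOST -p tcp -s 192.168.0.250 -j DROP
COMMIT'

# Constructed sample: the same chains hooked into the built-in chains,
# which is the shape the lint should accept without complaint.
RULESET_HOOKED='*filter
-N SNMP
-A SNMP -p udp --dport 161 -j DROP
-N HOST
-A HOST -p tcp -s 192.168.0.250 -j DROP
-A INPUT -j SNMP
-A INPUT -j HOST
-A FORWARD -j SNMP
-A FORWARD -j HOST
COMMIT'

# Print "table:chain" for every user-defined chain (created with "-N NAME"
# or declared as ":NAME -") that no rule in the same table targets with
# -j or -g. Reads the ruleset on stdin; output is sorted for stable results.
unreferenced_chains() {
    awk '
        /^\*/      { table = substr($0, 2); next }
        /^COMMIT/  { next }
        /^#/       { next }
        /^:/       { if ($2 == "-") defined[table ":" substr($1, 2)] = 1; next }
        $1 == "-N" { defined[table ":" $2] = 1; next }
        {
            for (i = 1; i < NF; i++)
                if ($i == "-j" || $i == "-g")
                    referenced[table ":" $(i + 1)] = 1
        }
        END { for (k in defined) if (!(k in referenced)) print k }
    ' | sort
}

# Print the name of every table whose block is not terminated by COMMIT.
# A table opened by "*name" is closed only by the next COMMIT line.
tables_missing_commit() {
    awk '
        /^\*/     { if (open != "") print open; open = substr($0, 2); next }
        /^COMMIT/ { open = ""; next }
        END       { if (open != "") print open }
    '
}

# Stand-alone run: list the problems in the sample as the post has it.
echo "chains never reached:"
printf '%s\n' "$RULESET" | unreferenced_chains
echo "tables without COMMIT:"
printf '%s\n' "$RULESET" | tables_missing_commit
```

On the first sample the lint lists filter:FW-INBOUND, filter:HOST and filter:SNMP and reports no table without COMMIT; on the hooked variant it prints nothing. Deleting the first COMMIT, as the post proposes, is the one change that makes the second check fire, because the nat block then runs straight into *filter.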