LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 05-25-2003, 06:18 AM   #1
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
nailed down firewall


As a side note: this is just a thread part of my main thread which is destinated at securing debian!

And for a system that should be secure you need of course a firewall:
Code:
----------------------------------------------------------------------
created netfilter firewall
----------------------------------------------------------------------
saved no firewall rules as inactive firewall
	/etc/init.d/iptables save inactive


created /usr/local/sbin/firewall.sh:

#!/bin/sh
# /------------------------------------------------------------------\
# | netfilter firewall for Linux 2.4+ built by Markus Welsch         |
# |                                                                  |
# |                                                                  |
# | This firewall is not intended to be used by newbies. I give no   |
# | warranty of any kind that using it protects your box.            |
# | Personally I suggest using a OpenBSD box as firewall          |
# |                                                                  |
# | If you agree to all of the above and also dislike M$ you may     |
# | continue reading. Have fun                                    |
# \------------------------------------------------------------------/



# --------------------------------------------------------------------
# 1. definitions
# --------------------------------------------------------------------
COMPANY_FIREWALL_IP="192.168.0.84/32"
IPTABLES="/sbin/iptables"
LOG_LEVEL="info"
LOOPBACK_IF="lo"
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# 2. removing current rulesets
# --------------------------------------------------------------------
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -X
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# 3. enforcing default policy as drop
# --------------------------------------------------------------------
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# 4. setting up user-defined chains
# --------------------------------------------------------------------

	# 4.1 - LOG_DROP
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N LOG_DROP
	$IPTABLES -F LOG_DROP

	$IPTABLES -A LOG_DROP -m limit --limit 5/minute \
		-j LOG --log-level $LOG_LEVEL
	$IPTABLES -A LOG_DROP -j DROP
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 4.2 - CHECK_ICMP_ACCESS
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N CHECK_ICMP_ACCESS
	$IPTABLES -F CHECK_ICMP_ACCESS

	$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
		--icmp-type destination-unreachable -j ACCEPT

	$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
		--icmp-type echo-reply -j ACCEPT

	$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
		--icmp-type time-exceeded -j ACCEPT

	$IPTABLES -A CHECK_ICMP_ACCESS -j DROP
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 4.3 - CHECK_PROBES
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N CHECK_PROBES
	$IPTABLES -F CHECK_PROBES

	# os fingerprinting
	$IPTABLES -A CHECK_PROBES -p tcp -s 0.0.0.0 --dport 0 \
		-j LOG_DROP
	$IPTABLES -A CHECK_PROBES -p udp -s 0.0.0.0 --dport 0 \
		-j LOG_DROP

	# tcpmux scanning
	$IPTABLES -A CHECK_PROBES -p tcp --dport 1 -j LOG_DROP
	$IPTABLES -A CHECK_PROBES -p udp --dport 1 -j LOG_DROP

	# sscan
	$IPTABLES -A CHECK_PROBES -p tcp -m multiport \
		--sports 1,2,3,4,5 -j LOG_DROP

	# sysstat scan
	$IPTABLES -A CHECK_PROBES -p tcp --dport 11 -j LOG_DROP
	$IPTABLES -A CHECK_PROBES -p udp --dport 11 -j LOG_DROP

	# finger scan
	$IPTABLES -A CHECK_PROBES -p tcp --dport 79 -j LOG_DROP
	$IPTABLES -A CHECK_PROBES -p udp --dport 79 -j LOG_DROP

	# linuxconf scan
	$IPTABLES -A CHECK_PROBES -p tcp --dport 98 -j LOG_DROP
	$IPTABLES -A CHECK_PROBES -p udp --dport 98 -j LOG_DROP

	# mountd scan
	$IPTABLES -A CHECK_PROBES -p tcp --dport 635 -j LOG_DROP
	$IPTABLES -A CHECK_PROBES -p udp --dport 635 -j LOG_DROP

	# proxy scan
	$IPTABLES -A CHECK_PROBES -p tcp --dport 1080 -j LOG_DROP
	$IPTABLES -A CHECK_PROBES -p udp --dport 1080 -j LOG_DROP

	# proxy scan
	$IPTABLES -A CHECK_PROBES -p tcp --dport 3128 -j LOG_DROP
	$IPTABLES -A CHECK_PROBES -p udp --dport 3128 -j LOG_DROP
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 4.4 - CHECK_TCP_FLAGS
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N CHECK_TCP_FLAGS
	$IPTABLES -F CHECK_TCP_FLAGS

	# stealth FIN scan
	$IPTABLES -A CHECK_TCP_FLAGS -p tcp --tcp-flags ALL FIN \
		-j LOG_DROP

	# stealth NULL scan
	$IPTABLES -A CHECK_TCP_FLAGS -p tcp --tcp-flags ALL NONE \
		-j LOG_DROP

	# stealth SYN/FIN (probably)
	$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
		--tcp-flags SYN,FIN SYN,FIN -j LOG_DROP

	# stealth SYN/RST scan
	$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
		--tcp-flags SYN,RST SYN,RST -j LOG_DROP

	# stealth xmas-scan
	$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
		--tcp-flags ALL FIN,URG,PSH -j LOG_DROP

	# stealth xmas-all-scan
	$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
		--tcp-flags ALL ALL -j LOG_DROP

	# stealth xmas-PSH-scan
	$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
		--tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG_DROP
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 4.5 - EXTERNAL_SERVICES_INPUT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N EXTERNAL_SERVICES_INPUT
	$IPTABLES -F EXTERNAL_SERVICES_INPUT

	# SSH
	$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
		--dport 22 -j ACCEPT

	# MONIT (HTTP INTERFACE)
	$IPTABLES -A EXTERNAL_SERVICES_INPUT -s $COMPANY_FIREWALL_IP \
		-p tcp --dport 2812 -j ACCEPT

	# SSH (2nd SSH only available from inside of company network)
	$IPTABLES -A EXTERNAL_SERVICES_INPUT -s $COMPANY_FIREWALL_IP \
		-p tcp --dport 49150 -j ACCEPT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# --------------------------------------------------------------------



# --------------------------------------------------------------------
# 5. setting up base chains
# --------------------------------------------------------------------

	# 5.1 - INPUT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -A INPUT -i $LOOPBACK_IF -j ACCEPT
	$IPTABLES -A INPUT -m state --state INVALID -j DROP
	$IPTABLES -A INPUT -p icmp -j CHECK_ICMP_ACCESS
	$IPTABLES -A INPUT -p tcp -j CHECK_TCP_FLAGS
	$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED \
		 -j ACCEPT
	$IPTABLES -A INPUT -j EXTERNAL_SERVICES_INPUT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 5.2 - FORWARD
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 5.3 - OUTPUT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -A OUTPUT -m state --state ! INVALID -j ACCEPT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# --------------------------------------------------------------------


executed /usr/local/sbin/firewall.sh
saved firewall as active
	/etc/init.d/iptables save active

enabled firewall at boot time
	dpkg-reconfigure iptables
----------------------------------------------------------------------
The saving stuff is debian specific (also the dpkg-reconfigure).
 
Old 05-25-2003, 07:11 AM   #2
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
2nd layer

You can set up something like a multi-layer firewall:[list=1][*]router[*]netfilter[*]tcp_wrappers[/list=1]

If it's possible to limit access to a service by specific hosts at the application level you should do that also. It doesn't hurt...
Code:
----------------------------------------------------------------------
configured tcp_wrappers				 [ /etc/hosts.allow,
						     /etc/hosts.deny ]
----------------------------------------------------------------------
	added to /etc/hosts.allow:

# ====================================================================
# hosts
# --------------------------------------------------------------------
ALL:		192.168.0.84:				ALLOW
# ====================================================================


# ====================================================================
# services
# --------------------------------------------------------------------
SSHD:		ALL:					ALLOW
# ====================================================================



	added to /etc/hosts.deny:

# ====================================================================
# hosts
# --------------------------------------------------------------------
ALL:		ALL					DENY
# ====================================================================

----------------------------------------------------------------------
 
Old 05-25-2003, 10:16 PM   #3
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Re: nailed down firewall

hmmm...looks pretty nailed down to me. Question: could I use this for a basic server? Like say I just run ssh,http,https would I just edit the following section to allow access to port 22,80 and 443?


Quote:
Originally posted by markus1982
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


# 4.5 - EXTERNAL_SERVICES_INPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N EXTERNAL_SERVICES_INPUT
$IPTABLES -F EXTERNAL_SERVICES_INPUT

# SSH
$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
--dport 22 -j ACCEPT

# MONIT (HTTP INTERFACE)
$IPTABLES -A EXTERNAL_SERVICES_INPUT -s $COMPANY_FIREWALL_IP \
-p tcp --dport 2812 -j ACCEPT

# SSH (2nd SSH only available from inside of company network)
$IPTABLES -A EXTERNAL_SERVICES_INPUT -s $COMPANY_FIREWALL_IP \
-p tcp --dport 49150 -j ACCEPT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also, I use MySQL for Apache to connect to as well as Sendmail. What changes would I have to make to allow these services to work?

As you can tell I have little experience with iptables.
 
Old 05-26-2003, 05:33 AM   #4
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Well I have a new version:
Code:
#!/bin/sh
# /------------------------------------------------------------------\
# | netfilter firewall for Linux 2.4+ built by Markus Welsch         |
# |                                                                  |
# |                                                                  |
# | This firewall is not intended to be used by newbies. I give no   |
# | warranty of any kind that using it protects your box.            |
# | Personally I suggest using a OpenBSD box as firewall          |
# |                                                                  |
# | If you agree to all of the above and also dislike M$ you may     |
# | continue reading. Have fun                                    |
# \------------------------------------------------------------------/



# --------------------------------------------------------------------
# 1. definitions
# --------------------------------------------------------------------
COMPANY_FIREWALL_IP="192.168.0.84/32"
IPTABLES="/sbin/iptables"
LOG_LEVEL="info"
LOOPBACK_IF="lo"
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# 2. removing current rulesets
# --------------------------------------------------------------------
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -X
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# 3. enforcing default policy as drop
# --------------------------------------------------------------------
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# 4. setting up user-defined chains
# --------------------------------------------------------------------

	# 4.1 - LOG_DROP
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N LOG_DROP
	$IPTABLES -F LOG_DROP

		# rate limit to prevent log partition fill up
		# ----------------------------------------------------
		$IPTABLES -A LOG_DROP -m limit --limit 12/minute \
			-j LOG --log-level $LOG_LEVEL
		$IPTABLES -A LOG_DROP -j DROP
		# ----------------------------------------------------
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 4.2 - CHECK_DENIED_PORTS
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N CHECK_DENIED_PORTS
	$IPTABLES -F CHECK_DENIED_PORTS

		# authentication tap ident
		# ----------------------------------------------------
		$IPTABLES -A CHECK_DENIED_PORTS -p tcp --dport 113 \
			-j REJECT --reject-with tcp-reset
		# ----------------------------------------------------
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 4.3 - CHECK_DESTINATION_IP
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N CHECK_DESTINATION_IP
	$IPTABLES -F CHECK_DESTINATION_IP

		# Class A reserved
		# ----------------------------------------------------
		$IPTABLES -A CHECK_DESTINATION_IP \
			-d 10.0.0.0/8 -j DROP
		# ----------------------------------------------------


		# Class B reserved
		# ----------------------------------------------------
		$IPTABLES -A CHECK_DESTINATION_IP \
			-d 172.16.0.0/12 -j DROP
		# ----------------------------------------------------


		# Class C reserved
		# ----------------------------------------------------
		$IPTABLES -A CHECK_DESTINATION_IP \
			-d 192.168.0.0/16 -j DROP
		# ----------------------------------------------------


		# Class D reserved
		# ----------------------------------------------------
		$IPTABLES -A CHECK_DESTINATION_IP \
			-d 224.0.0.0/4 -j DROP
		# ----------------------------------------------------


		# Class E reserved
		# ----------------------------------------------------
		$IPTABLES -A CHECK_DESTINATION_IP \
			-d 240.0.0.0/5 -j DROP
		# ----------------------------------------------------


		# Class A broadcast
		# ----------------------------------------------------
		$IPTABLES -A CHECK_DESTINATION_IP \
			-d 255.255.255.255/32 -j DROP
		# ----------------------------------------------------

	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 4.4 - CHECK_ICMP_ACCESS
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N CHECK_ICMP_ACCESS
	$IPTABLES -F CHECK_ICMP_ACCESS

		# ICMP TYPE 0 (echo-reply)
		# ----------------------------------------------------
		$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
			--icmp-type 0 -j ACCEPT
		# ----------------------------------------------------


		# ICMP TYPE 3 (destination-unreachable)
		# ----------------------------------------------------
		$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
			--icmp-type 3 -j ACCEPT
		# ----------------------------------------------------


		# ICMP TYPE 11 (time-exceeded)
		# ----------------------------------------------------
		$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
			--icmp-type 11 -j ACCEPT
		# ----------------------------------------------------


		# ICMP TYPE 30 (traceroute)
		# ----------------------------------------------------
		$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
			--icmp-type 30 -j ACCEPT
		# ----------------------------------------------------

	$IPTABLES -A CHECK_ICMP_ACCESS -j LOG_DROP
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 4.5 - CHECK_TCP_FLAGS
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N CHECK_TCP_FLAGS
	$IPTABLES -F CHECK_TCP_FLAGS

		# stealth FIN scan
		# ----------------------------------------------------
		$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
			--tcp-flags ALL FIN -j LOG_DROP
		# ----------------------------------------------------


		# stealth NULL scan
		# ----------------------------------------------------
		$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
			--tcp-flags ALL NONE -j LOG_DROP
		# ----------------------------------------------------


		# stealth SYN/FIN (probably)
		# ----------------------------------------------------
		$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
			--tcp-flags SYN,FIN SYN,FIN -j LOG_DROP
		# ----------------------------------------------------


		# stealth SYN/RST scan
		# ----------------------------------------------------
		$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
			--tcp-flags SYN,RST SYN,RST -j LOG_DROP
		# ----------------------------------------------------


		# stealth xmas-scan
		# ----------------------------------------------------
		$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
			--tcp-flags ALL FIN,URG,PSH -j LOG_DROP
		# ----------------------------------------------------


		# stealth xmas-all-scan
		# ----------------------------------------------------
		$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
			--tcp-flags ALL ALL -j LOG_DROP
		# ----------------------------------------------------


		# stealth xmas-PSH-scan
		# ----------------------------------------------------
		$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
			--tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG_DROP
		# ----------------------------------------------------
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 4.6 - EXTERNAL_SERVICES_INPUT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N EXTERNAL_SERVICES_INPUT
	$IPTABLES -F EXTERNAL_SERVICES_INPUT

		# SSH
		# ----------------------------------------------------
		$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
			--dport 22 -j ACCEPT
		# ----------------------------------------------------

		# MONIT (HTTP INTERFACE)
		# ----------------------------------------------------
		$IPTABLES -A EXTERNAL_SERVICES_INPUT \
			-s $COMPANY_FIREWALL_IP \
			-p tcp --dport 2812 -j ACCEPT
		# ----------------------------------------------------


		# SSH (2nd SSH)
		# ----------------------------------------------------
		$IPTABLES -A EXTERNAL_SERVICES_INPUT \
			-s $COMPANY_FIREWALL_IP \
			-p tcp --dport 49150 -j ACCEPT
		# ----------------------------------------------------


		# UNIX traceroute
		# ----------------------------------------------------
		$IPTABLES -A EXTERNAL_SERVICES_INPUT \
			-p udp --dport 33434:33600 -j ACCEPT
		# ----------------------------------------------------
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# --------------------------------------------------------------------



# --------------------------------------------------------------------
# 5. setting up base chains
# --------------------------------------------------------------------

	# 5.1 - INPUT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -A INPUT -i $LOOPBACK_IF -j ACCEPT
	$IPTABLES -A INPUT -j CHECK_DESTINATION_IP
	$IPTABLES -A INPUT -p ! icmp -j CHECK_DENIED_PORTS
	$IPTABLES -A INPUT -p icmp -j CHECK_ICMP_ACCESS
	$IPTABLES -A INPUT -p tcp -j CHECK_TCP_FLAGS
	$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED \
		-j ACCEPT
	$IPTABLES -A INPUT -j EXTERNAL_SERVICES_INPUT
	$IPTABLES -A INPUT -j LOG_DROP
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 5.2 - FORWARD
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


	# 5.3 - OUTPUT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -A OUTPUT -m state --state ! INVALID -j ACCEPT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# --------------------------------------------------------------------
It will log the denied packets (new attacks). However I decided to limit it to 12/min ... so no log flooding. I suggest daily logrotation and creating a seperate syslog entry (kern.=info -/var/log/kern.info).

For your firewall you would just need to adjust it:
Code:
	# 4.6 - EXTERNAL_SERVICES_INPUT
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$IPTABLES -N EXTERNAL_SERVICES_INPUT
	$IPTABLES -F EXTERNAL_SERVICES_INPUT

		# SSH
		# ----------------------------------------------------
		$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
			--dport 22 -j ACCEPT
		# ----------------------------------------------------


		# HTTP/HTTPS
		# ----------------------------------------------------
		$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
			--dport 80 -j ACCEPT
		$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
			--dport 443 -j ACCEPT
		# ----------------------------------------------------


		# MONIT (HTTP INTERFACE)
		# ----------------------------------------------------
		$IPTABLES -A EXTERNAL_SERVICES_INPUT \
			-s $COMPANY_FIREWALL_IP \
			-p tcp --dport 2812 -j ACCEPT
		# ----------------------------------------------------


		# SSH (2nd SSH)
		# ----------------------------------------------------
		$IPTABLES -A EXTERNAL_SERVICES_INPUT \
			-s $COMPANY_FIREWALL_IP \
			-p tcp --dport 49150 -j ACCEPT
		# ----------------------------------------------------


		# UNIX traceroute
		# ----------------------------------------------------
		$IPTABLES -A EXTERNAL_SERVICES_INPUT \
			-p udp --dport 33434:33600 -j ACCEPT
		# ----------------------------------------------------
	# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For your mysql I assume it's on the same server? If so it's just a local connect (loopback) thus it's permitted (loopback device has full permissions).
 
Old 05-26-2003, 12:04 PM   #5
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Okay a few more questions. You have:

COMPANY_FIREWALL_IP="192.168.0.84/32"

This is the IP of the LAN right? For instance, if I am on a 192.168.0.x LAN mine would be:

COMPANY_FIREWALL_IP="192.168.0.0/32"

right?

Also, where is it specified where to log the drop packets. All I see is a LOG variable but I don't see a defintition for it.

Thanks again!
 
Old 05-26-2003, 12:34 PM   #6
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Quote:
Okay a few more questions. You have:

COMPANY_FIREWALL_IP="192.168.0.84/32"

This is the IP of the LAN right? For instance, if I am on a 192.168.0.x LAN mine would be:

COMPANY_FIREWALL_IP="192.168.0.0/32"

right?
Nope. It should be 192.168.0.0/24 then. /32 is just a single host. /24 is a Class C network. It's not the LAN, it's a single IP ... If you need more help on that check out network CIDR stuff:

Classless Inter-Domain Routing (CIDR) Overview
http://www.redhat.com/docs/manuals/d...net-types.html

There are also calculators available:
http://logi.cc/nw/NetCalc.php3 (you should check this out since it contains some kind of explanaiton)


Quote:
Also, where is it specified where to log the drop packets. All I see is a LOG variable but I don't see a defintition for it.
Well, LOG_LEVEL="info" so it will log to syslog (kern.info). For instance a syslog configuration could look like that:
Code:
#  /etc/syslog.conf	Configuration file for syslogd.
#
#			For more information see syslog.conf(5)
#			manpage.


# --------------------------------------------------------------------
# logging by priority
# --------------------------------------------------------------------
*.=crit				/var/log/critical.log
*.=emerg			/var/log/emergency.log
*.=err				/var/log/error.log
*.=info;\
	cron.none;\
	kern.none;\
	mail.none;		/var/log/info.log
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# logging by facility
# --------------------------------------------------------------------
auth,authpriv.*			/var/log/auth.log
cron.*				-/var/log/cron.log
daemon.*			-/var/log/daemon.log
kern.=info			-/var/log/kern.info
kern.*;kern.!=info;		-/var/log/kern.log
lpr.*				-/var/log/lpr.log
mail.*				-/var/log/mail.log
news.crit			/var/log/news/news.crit
news.err			/var/log/news/news.err
news.notice			-/var/log/news/news.notice
user.*				-/var/log/user.log
uucp.*				-/var/log/uucp.log
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# logging to the virtual consoles (= display)
# --------------------------------------------------------------------
daemon,mail.*;\
	news.=crit;news.=err;news.=notice;\
	*.=debug;*.=info;\
	*.=notice;*.=warn	/dev/tty8
# --------------------------------------------------------------------
In this example kern.log contains everything except kern.info and kern.info contains the kern.info stuff only - this is some informational stuff and your netfilter log_drops.
 
Old 05-26-2003, 12:36 PM   #7
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Okay got ya. So if the firewalls IP address is 192.168.0.70 then you would do:

COMPANY_FIREWALL_IP="192.168.0.70/32"
 
Old 05-26-2003, 12:44 PM   #8
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Quote:
Okay got ya. So if the firewalls IP address is 192.168.0.70 then you would do:

COMPANY_FIREWALL_IP="192.168.0.70/32"
Well let me clear this up: Immagine you have a server (= external) and also a company network. In between there is a firewall of course. All traffic that gets to the external server gets through the company firewall ... the source ip is always the company firewall.

So you just need that company firewall stuff if you have some internal network, etc. it could also be 192.168.0.0/16 if you want the whole 192.168.x.x network to be able to connect to the monit port, etc.


If your firewall (not the ip of the external server) has the ip 192.168.0.70 then it would of course be 192.168.0.70/32 like you pointed out (although you don't need CIDR format if you just use a single IP).
 
Old 05-26-2003, 12:46 PM   #9
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Okay thanks a lot for your expertise. So I could just do:

COMPANY_FIREWALL_IP="192.168.0.70"

The CIDR format is unecessary as you said. I'm going to give this script a shot if you don't mind.
 
Old 05-26-2003, 12:51 PM   #10
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Of course I don't mind. That's why I have posted things here ... for the community :-) You should thanks unSpawn, he helped me a lot in securing debian!
 
Old 05-26-2003, 01:01 PM   #11
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Okay thanks a lot and thanks to unspawn as well. One last question and I won't bother you anymore. I don't need these sections right:

# MONIT (HTTP INTERFACE)
# ----------------------------------------------------
$IPTABLES -A EXTERNAL_SERVICES_INPUT \
-s $COMPANY_FIREWALL_IP \
-p tcp --dport 2812 -j ACCEPT
# ----------------------------------------------------


# SSH (2nd SSH)
# ----------------------------------------------------
$IPTABLES -A EXTERNAL_SERVICES_INPUT \
-s $COMPANY_FIREWALL_IP \
-p tcp --dport 49150 -j ACCEPT
# ----------------------------------------------------


# UNIX traceroute
# ----------------------------------------------------
$IPTABLES -A EXTERNAL_SERVICES_INPUT \
-p udp --dport 33434:33600 -j ACCEPT
# ----------------------------------------------------

The SSH is specific to your network right? The second two I'm not sure what they are for.
 
Old 05-26-2003, 01:04 PM   #12
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
Well I have monit running to keep monitoring services (monit is strated through init). Monit has a HTTP server. It's by default configured to listen to port 2812. That's why I limited that at the firewall level to the internal network.

Regarding SSH: I've set it up at a 2nd port which is unassigned ...


If you don't want your machine to be reachable by a traceroute you can kill the traceroute stuff also. It will only work with linux traceroutes (which use UDP packets in the range of port 33434 till 33600). windows' tracert uses ping ...
 
Old 05-26-2003, 04:23 PM   #13
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Okay so here is what my script looks like with the necessary changes:

#!/bin/sh
# /------------------------------------------------------------------\
# | netfilter firewall for Linux 2.4+ built by Markus Welsch |
# | |
# | |
# | This firewall is not intended to be used by newbies. I give no |
# | warranty of any kind that using it protects your box. |
# | Personally I suggest using a OpenBSD box as firewall |
# | |
# | If you agree to all of the above and also dislike M$ you may |
# | continue reading. Have fun |
# \------------------------------------------------------------------/



# --------------------------------------------------------------------
# 1. definitions
# --------------------------------------------------------------------
COMPANY_FIREWALL_IP="192.168.0.100"
IPTABLES="/sbin/iptables"
LOG_LEVEL="info"
LOOPBACK_IF="lo"
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# 2. removing current rulesets
# --------------------------------------------------------------------
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -X
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# 3. enforcing default policy as drop
# --------------------------------------------------------------------
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# --------------------------------------------------------------------



# --------------------------------------------------------------------
# 4. setting up user-defined chains
# --------------------------------------------------------------------

# 4.1 - LOG_DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N LOG_DROP
$IPTABLES -F LOG_DROP

# rate limit to prevent log partition fill up
# ----------------------------------------------------
$IPTABLES -A LOG_DROP -m limit --limit 12/minute \
-j LOG --log-level $LOG_LEVEL
$IPTABLES -A LOG_DROP -j DROP
# ----------------------------------------------------
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


# 4.2 - CHECK_DENIED_PORTS
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N CHECK_DENIED_PORTS
$IPTABLES -F CHECK_DENIED_PORTS

# authentication tap ident
# ----------------------------------------------------
$IPTABLES -A CHECK_DENIED_PORTS -p tcp --dport 113 \
-j REJECT --reject-with tcp-reset
# ----------------------------------------------------
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


# 4.3 - CHECK_DESTINATION_IP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N CHECK_DESTINATION_IP
$IPTABLES -F CHECK_DESTINATION_IP

# Class A reserved
# ----------------------------------------------------
$IPTABLES -A CHECK_DESTINATION_IP \
-d 10.0.0.0/8 -j DROP
# ----------------------------------------------------


# Class B reserved
# ----------------------------------------------------
$IPTABLES -A CHECK_DESTINATION_IP \
-d 172.16.0.0/12 -j DROP
# ----------------------------------------------------


# Class C reserved
# ----------------------------------------------------
#$IPTABLES -A CHECK_DESTINATION_IP \
# -d 192.168.0.0/16 -j DROP
# ----------------------------------------------------


# Class D reserved
# ----------------------------------------------------
$IPTABLES -A CHECK_DESTINATION_IP \
-d 224.0.0.0/4 -j DROP
# ----------------------------------------------------


# Class E reserved
# ----------------------------------------------------
$IPTABLES -A CHECK_DESTINATION_IP \
-d 240.0.0.0/5 -j DROP
# ----------------------------------------------------


# Class A broadcast
# ----------------------------------------------------
$IPTABLES -A CHECK_DESTINATION_IP \
-d 255.255.255.255/32 -j DROP
# ----------------------------------------------------

# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


# 4.4 - CHECK_ICMP_ACCESS
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N CHECK_ICMP_ACCESS
$IPTABLES -F CHECK_ICMP_ACCESS

# ICMP TYPE 0 (echo-reply)
# ----------------------------------------------------
$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
--icmp-type 0 -j ACCEPT
# ----------------------------------------------------


# ICMP TYPE 3 (destination-unreachable)
# ----------------------------------------------------
$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
--icmp-type 3 -j ACCEPT
# ----------------------------------------------------


# ICMP TYPE 11 (time-exceeded)
# ----------------------------------------------------
$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
--icmp-type 11 -j ACCEPT
# ----------------------------------------------------


# ICMP TYPE 30 (traceroute)
# ----------------------------------------------------
$IPTABLES -A CHECK_ICMP_ACCESS -p icmp \
--icmp-type 30 -j ACCEPT
# ----------------------------------------------------

$IPTABLES -A CHECK_ICMP_ACCESS -j LOG_DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


# 4.5 - CHECK_TCP_FLAGS
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N CHECK_TCP_FLAGS
$IPTABLES -F CHECK_TCP_FLAGS

# stealth FIN scan
# ----------------------------------------------------
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL FIN -j LOG_DROP
# ----------------------------------------------------


# stealth NULL scan
# ----------------------------------------------------
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL NONE -j LOG_DROP
# ----------------------------------------------------


# stealth SYN/FIN (probably)
# ----------------------------------------------------
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags SYN,FIN SYN,FIN -j LOG_DROP
# ----------------------------------------------------


# stealth SYN/RST scan
# ----------------------------------------------------
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags SYN,RST SYN,RST -j LOG_DROP
# ----------------------------------------------------


# stealth xmas-scan
# ----------------------------------------------------
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL FIN,URG,PSH -j LOG_DROP
# ----------------------------------------------------


# stealth xmas-all-scan
# ----------------------------------------------------
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL ALL -j LOG_DROP
# ----------------------------------------------------


# stealth xmas-PSH-scan
# ----------------------------------------------------
$IPTABLES -A CHECK_TCP_FLAGS -p tcp \
--tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG_DROP
# ----------------------------------------------------
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


# 4.6 - EXTERNAL_SERVICES_INPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -N EXTERNAL_SERVICES_INPUT
$IPTABLES -F EXTERNAL_SERVICES_INPUT

# SSH
# ----------------------------------------------------
$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
--dport 22 -j ACCEPT
# ----------------------------------------------------


# HTTP/HTTPS
# ----------------------------------------------------
$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
--dport 80 -j ACCEPT
$IPTABLES -A EXTERNAL_SERVICES_INPUT -p tcp \
--dport 443 -j ACCEPT
# ----------------------------------------------------


# UNIX traceroute
# ----------------------------------------------------
$IPTABLES -A EXTERNAL_SERVICES_INPUT \
-p udp --dport 33434:33600 -j ACCEPT
# ----------------------------------------------------
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# --------------------------------------------------------------------



# --------------------------------------------------------------------
# 5. setting up base chains
# --------------------------------------------------------------------

# 5.1 - INPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -A INPUT -i $LOOPBACK_IF -j ACCEPT
$IPTABLES -A INPUT -j CHECK_DESTINATION_IP
$IPTABLES -A INPUT -p ! icmp -j CHECK_DENIED_PORTS
$IPTABLES -A INPUT -p icmp -j CHECK_ICMP_ACCESS
$IPTABLES -A INPUT -p tcp -j CHECK_TCP_FLAGS
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -j EXTERNAL_SERVICES_INPUT
$IPTABLES -A INPUT -j LOG_DROP
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


# 5.2 - FORWARD
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


# 5.3 - OUTPUT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$IPTABLES -A OUTPUT -m state --state ! INVALID -j ACCEPT
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# --------------------------------------------------------------------

I had to comment out:

# Class C reserved
# ----------------------------------------------------
#$IPTABLES -A CHECK_DESTINATION_IP \
#-d 192.168.0.0/16 -j DROP
# ----------------------------------------------------

or else it won't let me do anything because my firewall is behind a router giving out 192.168.0.x addresses.

Ran the script, checked iptables rules(iptables -L) and started the iptables service.

I then added these two lines to syslog.conf:

kern.=info -/var/log/kern.info
kern.*;kern.!=info; -/var/log/kern.log

Then restarted the syslog daemon. The two files were created. So I tried to telnet to a blocked port:

telnet 192.168.0.100 55
Connection Refused.

Okay, thats what I was expecting. Now when I check /var/log/kern.info there is no record for refusing a connection. What am I missing here?

Last edited by Crashed_Again; 05-26-2003 at 04:38 PM.
 
Old 05-26-2003, 08:50 PM   #14
Crashed_Again
Senior Member
 
Registered: Dec 2002
Location: Atlantic City, NJ
Distribution: Ubuntu & Arch
Posts: 3,503

Rep: Reputation: 57
Okay, actually I just checked it now and it has this:

May 26 16:13:20 localhost kernel: klogd 1.4.1, log source = /proc/kmsg started.
May 26 16:17:00 localhost kernel: Kernel logging (proc) stopped.
May 26 16:17:00 localhost kernel: Kernel log daemon terminating.
May 26 16:17:02 localhost kernel: klogd 1.4.1, log source = /proc/kmsg started.
May 26 16:48:40 localhost kernel: IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=64.165.8.158 DST=192.168.0.100 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=40041 DF PROTO=TCP SPT=6346 DPT=1865 WINDOW=65535 RES=0x00 ACK SYN URGP=0
May 26 16:48:43 localhost kernel: IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=64.165.8.158 DST=192.168.0.100 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=40169 DF PROTO=TCP SPT=6346 DPT=1865 WINDOW=65535 RES=0x00 ACK SYN URGP=0
May 26 16:48:49 localhost kernel: IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=64.165.8.158 DST=192.168.0.100 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=40434 DF PROTO=TCP SPT=6346 DPT=1865 WINDOW=65535 RES=0x00 ACK SYN URGP=0
May 26 16:50:23 localhost kernel: IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=68.46.124.171 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=49225 PROTO=TCP SPT=56427 DPT=443 WINDOW=3072 RES=0x00 URG PSH SYN FIN URGP=0
May 26 16:52:50 localhost kernel: IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=68.46.124.171 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=11119 PROTO=TCP SPT=56509 DPT=443 WINDOW=3072 RES=0x00 URG PSH SYN FIN URGP=0
May 26 16:54:53 localhost kernel: IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=68.46.124.171 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=39100 PROTO=TCP SPT=56519 DPT=443 WINDOW=4096 RES=0x00 URG PSH SYN FIN URGP=0
May 26 19:33:46 localhost kernel: hub.c: new USB device 00:1d.0-2, assigned address 3
May 26 19:33:49 localhost kernel: Initializing USB Mass Storage driver...
May 26 19:33:49 localhost kernel: usb.c: registered new driver usb-storage
May 26 19:33:49 localhost kernel: scsi1 : SCSI emulation for USB Mass Storage devices
May 26 19:33:49 localhost kernel: USB Mass Storage support registered.
May 26 19:41:47 localhost kernel: IN=eth0 OUT= MAC=00:00:39:15:44:ce:00:40:05:bd:5f:49:08:00 SRC=67.65.137.58 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=111 ID=49642 PROTO=TCP SPT=6346 DPT=2473 WINDOW=0 RES=0x00 ACK RST URGP=0
May 26 19:42:28 localhost kernel: usb.c: USB disconnect on device 00:1d.0-2 address 3

hmmm....what to make of this?
 
Old 05-27-2003, 03:08 PM   #15
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Original Poster
Rep: Reputation: 46
You need to add port 443 (=HTTPS) to the EXTERNAL_SERVICES_INPUT chain to allow HTTPS!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
BSD Firewall vs Linux Firewall ? rootlinux Linux - Security 5 08-29-2007 08:38 AM
hopkins got nailed MidniteHex General 1 07-17-2005 10:03 AM
Firewall lets ips which are not in the firewall ... why ? sys7em Linux - Networking 2 06-30-2005 01:50 PM
slackware's /etc/rc.d/rc.firewall equivalent ||| firewall script startup win32sux Debian 1 03-06-2004 10:15 PM
Firewall Builder sample firewall policy file ? (.xml) nuwanguy Linux - Networking 0 09-13-2003 01:32 PM


All times are GMT -5. The time now is 09:57 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration