Quote:
Originally Posted by michaelk
I didn't fully explain what is going on. Go back to the rules you had in post #8.
In addition to the existing output rules, adding the drop rule in #10 effectively is the same thing as having the output policy as drop, as long as it is the last rule in that table. iptables rules are handled sequentially. If printing still works, then the existing output rules are sufficient; if not, then something is missing.
I'm lost
ATM RULES:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 553 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.8 --dport 9100 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.8 --dport 9100 -j ACCEPT
iptables -A INPUT -s 192.168.1.8 -p tcp -m tcp --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.1.8 -p udp -m udp --dport 631 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.8 -p udp -m udp --dport 631 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.8 --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.1.8 -p udp -m udp --dport 5353 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.8 -p udp -m udp --dport 5353 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p icmp -f -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "IPTABLES NULL-SCAN:"
iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "IPTABLES XMAS-SCAN:"
iptables -t filter -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "IPTABLES SYNFIN-SCAN:"
iptables -t filter -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "IPTABLES NMAP-XMAS-SCAN:"
iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "IPTABLES FIN-SCAN:"
iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j LOG --log-prefix "IPTABLES NMAP-ID:"
iptables -t filter -A INPUT -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "IPTABLES SYN-RST:"
iptables -t filter -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t filter -N syn-flood
iptables -t filter -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -t filter -A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN
iptables -t filter -A syn-flood -j LOG --log-prefix "IPTABLES SYN-FLOOD:"
iptables -t filter -A syn-flood -j DROP
iptables -t filter -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPTABLES SYN-FLOOD:"
iptables -t filter -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -t filter -N port-scan
iptables -t filter -A INPUT -i eth0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
iptables -t filter -A port-scan -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -t filter -A port-scan -j LOG --log-prefix "IPTABLES PORT-SCAN:"
iptables -t filter -A port-scan -j DROP
iptables -A INPUT -p tcp --dport 22 -j DROP
EVERYTHING works fine, would you suggest I ADD or Remove rules?
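michaelk's point (rules are walked in order, the first match decides, and a final unconditional DROP behaves like a DROP policy) can be checked offline with a small model of chain traversal. This is an added example, not code from the thread or from iptables itself: the INPUT and OUTPUT rule subsets are transcribed from the list above, while the print server address 192.168.1.20 and the sample packets are constructed. It also assumes the host running these rules is not itself 192.168.1.8, in which case the posted OUTPUT rules carrying `-s 192.168.1.8` can never match packets the host sends, and a CUPS reply survives an OUTPUT DROP default only once a RELATED,ESTABLISHED rule is present in OUTPUT.

```python
"""Toy model of netfilter chain traversal for the rule list above.
Added example, not code from the thread: rules are evaluated in order,
the first match decides, and a packet matching nothing gets the chain
policy, so a trailing unconditional DROP acts like a DROP policy."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    state: str = "NEW"            # conntrack state: NEW, ESTABLISHED, RELATED
    iface: str = "eth0"           # -i on INPUT, -o on OUTPUT

@dataclass(frozen=True)
class Rule:
    target: str                   # ACCEPT or DROP
    proto: Optional[str] = None   # -p
    src: Optional[str] = None     # -s
    dport: Optional[int] = None   # --dport
    state: tuple = ()             # -m state --state (empty = no state match)
    iface: Optional[str] = None   # -i / -o

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or self.src == p.src)
                and (self.dport is None or self.dport == p.dport)
                and (not self.state or p.state in self.state)
                and (self.iface is None or self.iface == p.iface))

def traverse(chain: list, policy: str, p: Packet) -> str:
    """Walk the chain top to bottom; the first matching rule terminates."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

CLIENT = "192.168.1.8"   # client address from the thread
HOST = "192.168.1.20"    # constructed: the print server running these rules

# Subset of the posted INPUT chain, in the posted order.
INPUT = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", state=("RELATED", "ESTABLISHED")),
    Rule("ACCEPT", proto="tcp", src=CLIENT, dport=9100),
    Rule("ACCEPT", proto="tcp", src=CLIENT, dport=631),
    Rule("ACCEPT", proto="udp", src=CLIENT, dport=631),
    Rule("ACCEPT", proto="udp", src=CLIENT, dport=5353),
    Rule("DROP", proto="tcp", dport=22),
]

# Posted OUTPUT rules: all carry -s 192.168.1.8.  On OUTPUT the source is
# this host's own address, so (assuming HOST != CLIENT) none can match.
OUTPUT_AS_POSTED = [
    Rule("ACCEPT", proto="tcp", src=CLIENT, dport=9100),
    Rule("ACCEPT", proto="udp", src=CLIENT, dport=631),
    Rule("ACCEPT", proto="tcp", src=CLIENT, dport=631),
    Rule("ACCEPT", proto="udp", src=CLIENT, dport=5353),
]

# Constructed packets arriving on INPUT.
SAMPLE_INPUT = [
    Packet("tcp", CLIENT, HOST, dport=631),                      # print job
    Packet("tcp", CLIENT, HOST, dport=22),                       # ssh attempt
    Packet("tcp", "192.168.1.9", HOST, dport=9100),              # other host
    Packet("tcp", CLIENT, HOST, dport=80, state="ESTABLISHED"),  # reply traffic
    Packet("tcp", "127.0.0.1", "127.0.0.1", dport=631, iface="lo"),
]

def policy_equals_trailing_drop(chain: list, packets: list) -> bool:
    """michaelk's claim: policy DROP == policy ACCEPT plus a final DROP rule."""
    with_final_drop = chain + [Rule("DROP")]
    return all(traverse(chain, "DROP", p) == traverse(with_final_drop, "ACCEPT", p)
               for p in packets)

def output_verdicts() -> dict:
    """Fate of a CUPS reply once OUTPUT no longer defaults to ACCEPT."""
    reply = Packet("tcp", HOST, CLIENT, dport=50000, state="ESTABLISHED")
    stateful = [Rule("ACCEPT", iface="lo"),
                Rule("ACCEPT", state=("RELATED", "ESTABLISHED"))]
    return {
        "policy_drop": traverse(OUTPUT_AS_POSTED, "DROP", reply),
        "trailing_drop": traverse(OUTPUT_AS_POSTED + [Rule("DROP")], "ACCEPT", reply),
        "with_state_rule": traverse(stateful + OUTPUT_AS_POSTED, "DROP", reply),
    }

if __name__ == "__main__":
    for p in SAMPLE_INPUT:
        print(f"INPUT {p.src}->{p.dst}:{p.dport} {p.state}: {traverse(INPUT, 'DROP', p)}")
    print("policy DROP == trailing DROP:", policy_equals_trailing_drop(INPUT, SAMPLE_INPUT))
    print("OUTPUT verdicts for CUPS reply:", output_verdicts())
```

Running it shows the INPUT chain giving identical verdicts under a DROP policy and under an ACCEPT policy with a trailing DROP, and the CUPS reply being dropped in both OUTPUT variants until a `RELATED,ESTABLISHED` rule is added; that is the "something is missing" michaelk's test would reveal.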