LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

Post #1, MaddGames (02-12-2016, 09:35 AM):
stateful ip6tables firewall at gateway?


There are many tutorials on the Internet explaining how to set up a stateful IPv6 firewall on a host using ip6tables, which of course involves connection tracking. However, I assume (as it is logical) that routers do not track connections made by hosts on their LAN.

Is it possible to configure a router (running Ubuntu 14.04) to track connections made by its LAN (let's call it 2001:1:2:3::/64 for this example), and only allow in ESTABLISHED and RELATED packets? I do not have access to each individual host to set up a firewall, plus each host runs a different OS, and hosts on that LAN belong to someone else and I only have access to the router.

So basically I want a firewall on a router similar to what a home IPv6 LAN would use.

I also need to make an exception so that certain hosts are not bound by this firewall and allow all packets in, but I guess I can just do it with:

Code:
ip6tables -A FORWARD -d 2001:1:2:3::1f1f -j ACCEPT
(before the other rules).

There are also other LANs routed by this router and they must be able to route whatever they want to/from the public internet, via this router (again, I assume a command similar to the one above should work, just set -d to be a whole /64).

Is this configuration possible?
 
Post #2, Ser Olmy (02-13-2016, 06:12 PM):
Quote:
Originally Posted by MaddGames
There are many tutorials on the Internet explaining how to set up a stateful IPv6 firewall on a host using ip6tables, which of course involves connection tracking. However, I assume (as it is logical) that routers do not track connections made by hosts on their LAN.
That depends on whether or not the relevant netfilter connection tracking modules are loaded.

(Unless of course you're talking about connections between hosts on the same LAN, in which case the router is not and cannot be involved at all.)
Quote:
Originally Posted by MaddGames
Is it possible to configure a router (running Ubuntu 14.04) to track connections made by its LAN (let's call it 2001:1:2:3::/64 for this example), and only allow in ESTABLISHED and RELATED packets?
That happens by default as long as you load the module(s). Adding an iptables rule that makes references to states will cause the module(s) to be loaded automatically.

It seems you're simply describing standard stateful firewall functionality, which has literally been supported in Linux for decades.
 
Post #3, MaddGames, original poster (02-15-2016, 07:43 AM):
OK, I have written the following script to set up a firewall:

Code:
# reset the firewall first
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -F

# enable all traffic to the server
ip6tables -A INPUT -d 2001:1:1953:2::1f1f -j ACCEPT

# drop all other input traffic by default
ip6tables -P INPUT DROP

# for every other address, make sure that all inputs are established
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow in packets destined to our network if they are established
ip6tables -A FORWARD -m state --state NEW -s 2001:1:1953:2::/64 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -d 2001:1:1953:2::/64 -j ACCEPT
ip6tables -A FORWARD -s 2001:1:1953:2::/64 -j ACCEPT

# drop everything else destined to our network
ip6tables -A FORWARD -d 2001:1:1953:2::/64 -j DROP
Running "ip6tables -L" gives me:

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all      anywhere             2001:1:1953:2::1f1f 
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all      2001:1:1953:2::/64  anywhere             state NEW
ACCEPT     all      anywhere             2001:1:1953:2::/64  state RELATED,ESTABLISHED
ACCEPT     all      2001:1:1953:2::/64  anywhere            
DROP       all      anywhere             2001:1:1953:2::/64 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
(Prefix censored out)

An online IPv6 portscan of a host on my LAN (where I am testing this) indeed shows that all ports are filtered, but hosts on the LAN also have problems accessing the Internet. It works for a bit after resetting the firewall, but later it seems all traffic (either outbound or inbound) is dropped, as I cannot ping anything over IPv6, and my web browser falls back to IPv4. In "traceroute -6 google.com", not even the router responds. What is wrong with this configuration?
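Added example, not code from any post in this thread: the script above rewritten in ip6tables-restore format, with the rules the original is missing. With INPUT policy DROP, the router only accepts packets to its global address or packets conntrack classes as ESTABLISHED,RELATED. IPv6 Neighbour Discovery (ICMPv6 types 133-136) is never in those states: the kernel's ICMPv6 conntrack marks it UNTRACKED, so the neighbour solicitations LAN hosts send for the router's link-local address, and the router's own NUD probes, fall through to the DROP policy. The neighbour cache entries that existed when the rules were loaded keep things working for a few minutes, then expire, and the router goes silent, which is exactly the "works for a bit, then nothing" symptom. The prefix and router address are the thread's placeholders, the exempt host is a hypothetical value, and the script prints the ruleset unless you explicitly ask it to load it.

```shell
#!/bin/sh
# Added example: stateful IPv6 gateway (the post #3 layout) in ip6tables-restore
# format. Assumed values: the thread's placeholder prefix and router address plus
# a hypothetical exempt host; none of these are real addresses.
LAN_PREFIX="${LAN_PREFIX:-2001:1:1953:2::/64}"
ROUTER_ADDR="${ROUTER_ADDR:-2001:1:1953:2::1f1f}"
EXEMPT_HOST="${EXEMPT_HOST:-2001:1:1953:2::abcd}"

emit() { printf '%s\n' "$*"; }

# Print the ruleset; nothing is applied here (see load_rules).
gateway_rules() {
    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD ACCEPT [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    # INPUT: packets addressed to the router itself
    emit -A INPUT -i lo -j ACCEPT
    emit -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Neighbour Discovery (RS/RA/NS/NA) is UNTRACKED in conntrack, so it never
    # matches the rule above; without these the neighbour cache goes stale and
    # the router falls silent a few minutes after the rules are loaded.
    # RFC 4861 ND always carries hop limit 255, which also rejects forged
    # off-link ND.
    for t in 133 134 135 136; do
        emit -A INPUT -p ipv6-icmp --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
    # MLD (query, v1 report, done, v2 report) shows up as INVALID or UNTRACKED,
    # so it has to be accepted before the INVALID drop below
    for t in 130 131 132 143; do
        emit -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
    emit -A INPUT -m conntrack --ctstate INVALID -j DROP
    # rate-limited ping to the router
    emit -A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/s -j ACCEPT
    # services on the router's global address (the original accepted all of it)
    emit -A INPUT -d "$ROUTER_ADDR" -j ACCEPT
    # FORWARD: packets routed through the box. The policy stays ACCEPT so the
    # other LANs behind this router are untouched, as in the original script.
    emit -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    emit -A FORWARD -m conntrack --ctstate INVALID -j DROP
    emit -A FORWARD -s "$LAN_PREFIX" -j ACCEPT
    emit -A FORWARD -d "$EXEMPT_HOST" -j ACCEPT
    # RFC 4890: let echo requests (rate limited) and Packet Too Big reach the LAN
    emit -A FORWARD -d "$LAN_PREFIX" -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/s -j ACCEPT
    emit -A FORWARD -d "$LAN_PREFIX" -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
    emit -A FORWARD -d "$LAN_PREFIX" -j DROP
    emit 'COMMIT'
}

# Number of -A lines in the generated set (sanity check).
rule_count() { gateway_rules | grep -c '^-A '; }

# Load atomically; "--test" only parses (ip6tables-restore -t) and applies nothing.
load_rules() {
    if [ "${1:-}" = "--test" ]; then
        gateway_rules | ip6tables-restore -t
    else
        gateway_rules | ip6tables-restore
    fi
}

case "${1:-print}" in
    print) gateway_rules ;;      # show the ruleset
    test)  load_rules --test ;;  # parse only, needs root
    load)  load_rules ;;         # apply, needs root
esac
```

To confirm the diagnosis on a box that shows the symptom, watch `ip -6 neigh show` (entries for LAN hosts going STALE or FAILED) alongside `ip6tables -vnL INPUT`, where the packet counter on the "policy DROP" line climbs while nothing in the chain matches ICMPv6. `lsmod | grep nf_conntrack_ipv6` confirms the module Ser Olmy refers to is loaded, and `conntrack -L -f ipv6` (package conntrack) lists the flows it is tracking. `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the thread; both work on Ubuntu 14.04.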
 
Post #4, zhjim (02-15-2016, 08:09 AM):
Use the default policy of DROP!

This way you not only get rid of the -j DROP at the end of a chain but are also more secure. It's always easier to allow a certain state than to deny an uncertain state.

Also I would use --state within the "enable all traffic to the server" rule, with --state NEW. Also add an ESTABLISHED,RELATED line at the top of the chain. If you start using a stateful firewall, always have an ESTABLISHED,RELATED line quite early in every chain, and the rest goes with --state NEW.

Did you allow IPv6 forwarding? Either use the proc or sys filesystem for it, or sysctl. Sysctl can use a config file, thus the changes are carried over after a reboot. You also need to save your iptables rules and have them loaded after a boot. On Debian distros you can use the "iptables-persistent" package.

You are also missing a masquerade line within the FORWARD chain. Or was it the -t nat FORWARD?
You might also think about fleshing out the connections to the server. Maybe only allow DHCP (67-68/udp) and DNS (53/udp, 53/tcp). Maybe a web server? Or FTP. Surely SSH (22/tcp). Go with the --state NEW rule therefore.

Last edited by zhjim; 02-15-2016 at 08:11 AM.
 
Post #5, MaddGames, original poster (02-15-2016, 04:50 PM):
Quote:
Originally Posted by zhjim
Use the default policy of DROP!

This way you not only get rid of the -j DROP at the end of a chain but are also more secure. It's always easier to allow a certain state than to deny an uncertain state.

Also I would use --state within the "enable all traffic to the server" rule, with --state NEW. Also add an ESTABLISHED,RELATED line at the top of the chain. If you start using a stateful firewall, always have an ESTABLISHED,RELATED line quite early in every chain, and the rest goes with --state NEW.

Did you allow IPv6 forwarding? Either use the proc or sys filesystem for it, or sysctl. Sysctl can use a config file, thus the changes are carried over after a reboot. You also need to save your iptables rules and have them loaded after a boot. On Debian distros you can use the "iptables-persistent" package.

You are also missing a masquerade line within the FORWARD chain. Or was it the -t nat FORWARD?
You might also think about fleshing out the connections to the server. Maybe only allow DHCP (67-68/udp) and DNS (53/udp, 53/tcp). Maybe a web server? Or FTP. Surely SSH (22/tcp). Go with the --state NEW rule therefore.
IPv6 forwarding is certainly enabled, as my LAN can access the Internet when the firewall is disabled. The firewall is in one of the startup scripts. I do not do NAT or DHCP because this router does not forward IPv4 packets.

Does it really make sense to set the forward policy to DROP? Wouldn't that cause packets outbound to the Internet, e.g. to Google, to be dropped unless I explicitly allow traffic out to google? For this reason I added the -j DROP at the end of the forward chain, so it only drops unwanted packets destined to the LAN netblock.
 
Post #6, zhjim (02-16-2016, 03:27 AM):
My bad. I always forget that you don't actually need masquerade with IPv6.

I always felt safer with a policy set to DROP. And actually, yes, you would have to explicitly allow certain ports to go through the forward chain. But it should only be a handful if you are not into gaming. You need like 5 ports to be open to the public: http, https, dns, imap, smtp. 5 simple rules, but again you are more on the safe side then. If you set up a firewall, you might as well just do it right. You also don't need to set the destination IP, only the destination port. Thus one http rule for all of google, yahoo, etc.

Code:
# ip6tables, since $LAN is an IPv6 prefix; --dport requires -p tcp, --state requires -m state
ip6tables -A FORWARD -s "$LAN" -p tcp --dport 80 -m state --state NEW -j ACCEPT
Or even
Code:
for i in 22 80 443 53; do   # 53/udp would need a separate -p udp rule
    ip6tables -A FORWARD -s "$LAN" -p tcp --dport "$i" -m state --state NEW -j ACCEPT
done
You would also need to allow traffic from and to the loopback ::1 address
 
Post #7, MaddGames, original poster (02-16-2016, 07:12 AM):
Quote:
Originally Posted by zhjim
My bad. I always forget that you don't actually need masquerade with IPv6.

I always felt safer with a policy set to DROP. And actually, yes, you would have to explicitly allow certain ports to go through the forward chain. But it should only be a handful if you are not into gaming. You need like 5 ports to be open to the public: http, https, dns, imap, smtp. 5 simple rules, but again you are more on the safe side then. If you set up a firewall, you might as well just do it right. You also don't need to set the destination IP, only the destination port. Thus one http rule for all of google, yahoo, etc.

You would also need to allow traffic from and to the loopback ::1 address
I think you misunderstood me. This device forwards traffic to the public Internet, so setting the forward policy to DROP would cause it to stop forwarding outbound traffic to the Internet. Or am I wrong?
 
Post #8, zhjim (02-16-2016, 08:14 AM):
There actually is no difference between a DROP policy and a last rule with a DROP target. It's really just good practice, IMHO, to use DROP for the policy. And if you actually go through the hassle of defining certain ports that are allowed to be forwarded to the Internet, you actually are safer and have learned something as well. It all depends on how hard you want to try or how much time you want to invest.
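Added example, not code from zhjim's or MaddGames's posts: the FORWARD chain built the way zhjim argues for in #4, #6 and #8, that is policy DROP with an explicit list of what the filtered LAN may start, the reply-traffic rule first, the unrestricted host and the second LAN from post #1 as exceptions, followed by the two steps from #4 that have to survive a reboot (forwarding through a sysctl.d file, and the rules through the file that the Debian/Ubuntu package iptables-persistent restores at boot). The second LAN prefix, the interface name, the port list and the file paths are assumptions. DRY_RUN=1 prints each command instead of running it, which is also how to review the plan before applying it as root.

```shell
#!/bin/sh
# Added example (not code from the thread): FORWARD chain with a DROP policy and
# an explicit allow-list, plus the forwarding sysctl and rule persistence.
# DRY_RUN=1 prints each command instead of executing it.
LAN="${LAN:-2001:1:1953:2::/64}"                   # filtered LAN (thread placeholder)
OTHER_LAN="${OTHER_LAN:-2001:1:1953:3::/64}"       # assumed: second LAN, left unfiltered
EXEMPT_HOST="${EXEMPT_HOST:-2001:1:1953:2::1f1f}"  # assumed: host that may receive anything
WAN_IF="${WAN_IF:-eth0}"                           # assumed upstream interface
TCP_PORTS="${TCP_PORTS:-22 25 53 80 143 443 465 587 993}"  # what the LAN may open outbound
UDP_PORTS="${UDP_PORTS:-53 123}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

forward_chain() {
    run ip6tables -F FORWARD
    run ip6tables -P FORWARD DROP   # anything not matched below is dropped
    # replies first: one rule covers every tracked flow in both directions
    run ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run ip6tables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # ICMPv6 the LAN must be reachable by (RFC 4890): errors already match
    # RELATED, echo requests are allowed rate limited
    run ip6tables -A FORWARD -d "$LAN" -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/s -j ACCEPT
    # unfiltered exceptions: one host inbound, and the whole second LAN both ways
    run ip6tables -A FORWARD -d "$EXEMPT_HOST" -j ACCEPT
    run ip6tables -A FORWARD -s "$OTHER_LAN" -j ACCEPT
    run ip6tables -A FORWARD -d "$OTHER_LAN" -j ACCEPT
    # what the filtered LAN may start towards the Internet: one rule per port,
    # no destination address, as zhjim describes
    for p in $TCP_PORTS; do
        run ip6tables -A FORWARD -s "$LAN" -o "$WAN_IF" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $UDP_PORTS; do
        run ip6tables -A FORWARD -s "$LAN" -o "$WAN_IF" -p udp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # ping out from the LAN
    run ip6tables -A FORWARD -s "$LAN" -o "$WAN_IF" -p ipv6-icmp --icmpv6-type 128 -j ACCEPT
    # everything else is logged (rate limited) and then meets the DROP policy
    run ip6tables -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "ip6 FORWARD drop: "
}

persist() {
    # forwarding: live now, and again after reboot via sysctl.d
    run sysctl -w net.ipv6.conf.all.forwarding=1
    run sh -c "printf 'net.ipv6.conf.all.forwarding = 1\n' > /etc/sysctl.d/60-ipv6-gateway.conf"
    # iptables-persistent restores /etc/iptables/rules.v6 at boot
    run sh -c 'ip6tables-save > /etc/iptables/rules.v6'
}

# Number of -A rules the plan contains (sanity check, never touches the kernel).
planned_rule_count() {
    ( DRY_RUN=1; forward_chain ) | grep -c 'ip6tables -A FORWARD'
}

case "${1:-show}" in
    show)  ( DRY_RUN=1; forward_chain; persist ) ;;  # print what would run
    apply) forward_chain; persist ;;                 # needs root
esac
```

Setting net.ipv6.conf.all.forwarding=1 has a side effect worth knowing: an interface with accept_ra=1 stops processing Router Advertisements once forwarding is on, so if the upstream default route comes from an RA, set net.ipv6.conf.eth0.accept_ra=2 in the same sysctl file. The trade-off against the original script's layout is the one the thread is debating: a new protocol the LAN needs means a new rule here, and with policy DROP there is no trailing rule whose counter shows what was dropped, which is why the LOG rule sits last.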
 
Post #9, X-LFS-2010 (04-25-2016, 11:45 AM):
I just answered this question on a little-read forum, and wished to post it in a recent linuxquestions.org thread.

It does use connection tracking, I believe ... but read so you know there is a difference between IPv6 and IPv4.

###############

Here's a simple firewall FOR TRUSTED CLIENTS connected to a "smart firewalled server".

Keep in mind a server firewall is a bit longer and more complicated because it has to protect things going multiple ways, because of multiple kinds of network topology. For instance, the smart router only forwards Internet packets to clients; it might never respond to them on its own hostname for many kinds of packets, and might never forward traffic of certain kinds into a "trusted LAN group" (aka your LAN).

P.S. The below was automatically generated, and ALSO REQUIRES routes to be correct and as posted, meaning NOT the IPv6 promiscuous "let the fonz in foo.be use IPv6 to change my route table" bull that IPv6 does if you don't stop it. IPv6 takes "maybe a team" of people to configure so that it does not allow promiscuous changes to your server remotely (route tables, ability to bypass normal packet delivery mechanisms, etc.; IPv6 has a lot of things enabled that all have to be carefully disabled for "normal use").

Because of all those restrictions, this "client firewall" is not really too long to post.

Oh, the server version is not too bad either; guess I'll post it.

Keep in mind this is an IPv4 firewall made several years ago, NOT intended to be perfect but to follow the advice of the linuxdoc.org "Network Administrator's Guide"; generated automatically by a bash script which IS too long to post (I will release it as a back-burner project after redacting my personal junk from it, for reference with respect to x-lfs-2010). The script allows a host to specify server or not, and which network is connected to which topology, and it automatically knows what IP class, of course whether to allow, server and server how, etc.; currently port forwarding is disabled and not shown. Difficult to translate to IPv6 but not impossible.

Last edited by X-LFS-2010; 04-25-2016 at 11:48 AM.
 
Post #10, X-LFS-2010 (04-25-2016, 11:46 AM):
####################################################
unset SERVER
####################################################

# Generated by iptables-save v1.4.8 on Mon Apr 25 10:20:03 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:allowed - [0:0]
:allowed_rel - [0:0]
:allowed_server - [0:0]
:bad_tcp_packets - [0:0]
:hook_fwd_begin - [0:0]
:hook_fwd_end - [0:0]
:hook_fwd_est - [0:0]
:hook_fwd_list - [0:0]
:hook_i_begin - [0:0]
:hook_i_end - [0:0]
:hook_i_est - [0:0]
:hook_i_list - [0:0]
:hook_nat_begin - [0:0]
:hook_nat_end - [0:0]
:hook_o_begin - [0:0]
:hook_o_end - [0:0]
:hook_o_est - [0:0]
:hook_o_list - [0:0]
:icmp_packets - [0:0]
:sw_loc - [0:0]
:sw_loc_drop_fwd - [0:0]
:sw_loc_drop_i - [0:0]
:sw_loc_drop_o - [0:0]
:sw_resv_drop_i - [0:0]
:sw_resv_drop_o - [0:0]
:tcp_fwd_packets_tlan_i - [0:0]
:tcp_fwd_packets_tlan_o - [0:0]
:tcp_fwd_packets_u2lan_i - [0:0]
:tcp_fwd_packets_u2lan_o - [0:0]
:tcp_fwd_packets_ulan_i - [0:0]
:tcp_fwd_packets_ulan_o - [0:0]
:tcp_packets - [0:0]
:tcp_packets_i - [0:0]
:tcp_packets_o - [0:0]
:tcp_packets_plan_i - [0:0]
:tcp_packets_plan_o - [0:0]
:tcp_packets_u2lan_i - [0:0]
:tcp_packets_u2lan_o - [0:0]
:tcp_packets_ulan_i - [0:0]
:tcp_packets_ulan_o - [0:0]
:udp_fwd_packets_tlan_i - [0:0]
:udp_fwd_packets_tlan_o - [0:0]
:udp_fwd_packets_u2lan_i - [0:0]
:udp_fwd_packets_u2lan_o - [0:0]
:udp_fwd_packets_ulan_i - [0:0]
:udp_fwd_packets_ulan_o - [0:0]
:udp_packets - [0:0]
:udp_packets_i - [0:0]
:udp_packets_o - [0:0]
:udp_packets_plan_i - [0:0]
:udp_packets_plan_o - [0:0]
:udp_packets_u2lan_i - [0:0]
:udp_packets_u2lan_o - [0:0]
:udp_packets_ulan_i - [0:0]
:udp_packets_ulan_o - [0:0]
-A INPUT -j hook_i_begin
-A INPUT -j sw_loc_drop_i
-A INPUT -p tcp -j bad_tcp_packets
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s a.b.c.d/32 -j sw_loc
-A INPUT -s a.b.c.d/32 -j sw_loc
-A INPUT -p icmp -j icmp_packets
-A INPUT -j hook_i_est
-A INPUT -j hook_i_list
-A INPUT -p udp -m udp --sport 520 -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix " IPT INPUT packet died: " --log-level 6
-A INPUT -j hook_i_end
-A FORWARD -j hook_fwd_begin
-A FORWARD -j sw_loc_drop_fwd
-A FORWARD -p tcp -j bad_tcp_packets
-A FORWARD -i eth0 -o eth0 -j ACCEPT
-A FORWARD -p icmp -j icmp_packets
-A FORWARD -j hook_fwd_est
-A FORWARD -j hook_fwd_list
-A FORWARD -p udp -m udp --sport 520 -j DROP
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix " IPT FORWARD packet died: " --log-level 6
-A FORWARD -j hook_fwd_end
-A OUTPUT -j hook_o_begin
-A OUTPUT -j sw_loc_drop_o
-A OUTPUT -p tcp -j bad_tcp_packets
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -s a.b.c.d/32 -j sw_loc
-A OUTPUT -s a.b.c.d/32 -j sw_loc
-A OUTPUT -j hook_o_est
-A OUTPUT -j hook_o_list
-A OUTPUT -p udp -m udp --dport 520 -j DROP
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix " IPT OUTPUT packet died: " --log-level 6
-A OUTPUT -j hook_o_end
-A allowed -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j REJECT --reject-with icmp-port-unreachable
-A allowed_rel -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A allowed_server -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A bad_tcp_packets -p tcp -m state --state INVALID -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A icmp_packets -p icmp -m icmp --icmp-type 5 -j REJECT --reject-with icmp-port-unreachable
-A icmp_packets -p icmp -m icmp --icmp-type 9 -j REJECT --reject-with icmp-port-unreachable
-A icmp_packets -p icmp -m icmp --icmp-type 10 -j REJECT --reject-with icmp-port-unreachable
-A icmp_packets -p icmp -j ACCEPT
-A sw_loc -d a.b.c.d/32 -j ACCEPT
-A sw_loc -d a.b.c.d/32 -j ACCEPT
-A sw_loc_drop_fwd -s a.b.c.d/32 -j REJECT --reject-with icmp-port-unreachable
-A sw_loc_drop_fwd -s a.b.c.d/32 -j REJECT --reject-with icmp-port-unreachable
-A sw_loc_drop_fwd -d a.b.c.d/32 -j REJECT --reject-with icmp-port-unreachable
-A sw_loc_drop_fwd -d a.b.c.d/32 -j REJECT --reject-with icmp-port-unreachable
-A sw_loc_drop_i -d a.b.c.d/32 -j RETURN
-A sw_loc_drop_i -d a.b.c.d/32 -j RETURN
-A sw_loc_drop_i -d a.b.c.d/32 -j RETURN
-A sw_loc_drop_i -j REJECT --reject-with icmp-port-unreachable
-A sw_loc_drop_o -s a.b.c.d/32 -j RETURN
-A sw_loc_drop_o -s a.b.c.d/32 -j RETURN
-A sw_loc_drop_o -s a.b.c.d/32 -j RETURN
-A sw_loc_drop_o -j REJECT --reject-with icmp-port-unreachable
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 53 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 80 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 25 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 8000 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 8080 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 8888 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 443 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 2401 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 6667 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 119 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 21 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 20 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 109:110 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 143 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 43 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 123 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --dport 8000 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 53 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 80 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 25 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 8000 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 8080 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 8888 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 443 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 2401 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 6667 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 119 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 21 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 20 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 109:110 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 143 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 43 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 123 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --sport 8000 -j allowed
-A tcp_packets_ulan_i -p tcp -m tcp --sport 5190 -j allowed
-A tcp_packets_ulan_o -p tcp -m tcp --dport 5190 -j allowed
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 53 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 80 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 8000 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 8080 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 8888 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 443 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 2401 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 6667 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 21 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 20 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 109:110 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 143 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 123 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --dport 8000 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 53 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 80 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 8000 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 8080 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 8888 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 443 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 2401 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 6667 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 21 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 20 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 109:110 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 143 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 123 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --sport 8000 -j ACCEPT
COMMIT
# Completed on Mon Apr 25 10:20:03 2016
# Generated by iptables-save v1.4.8 on Mon Apr 25 10:20:03 2016
*nat
:PREROUTING ACCEPT [125:8976]
:INPUT ACCEPT [125:8976]
:OUTPUT ACCEPT [555:33765]
:POSTROUTING ACCEPT [555:33765]
COMMIT
# Completed on Mon Apr 25 10:20:03 2016
# Generated by iptables-save v1.4.8 on Mon Apr 25 10:20:03 2016
*mangle
:PREROUTING ACCEPT [19297:21507405]
:INPUT ACCEPT [19297:21507405]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14706:1777550]
:POSTROUTING ACCEPT [14706:1777550]
-A PREROUTING -p udp -m udp --dport 56321 -j DROP
-A PREROUTING -p tcp -m tcp --dport 56321 -j DROP
-A PREROUTING -p udp -m udp --sport 56321 -j DROP
-A PREROUTING -p tcp -m tcp --sport 56321 -j DROP
-A INPUT -p udp -m udp --dport 56321 -j DROP
-A INPUT -p tcp -m tcp --dport 56321 -j DROP
-A INPUT -p udp -m udp --sport 56321 -j DROP
-A INPUT -p tcp -m tcp --sport 56321 -j DROP
-A FORWARD -p udp -m udp --dport 56321 -j DROP
-A FORWARD -p tcp -m tcp --dport 56321 -j DROP
-A FORWARD -p udp -m udp --sport 56321 -j DROP
-A FORWARD -p tcp -m tcp --sport 56321 -j DROP
-A OUTPUT -p udp -m udp --dport 56321 -j DROP
-A OUTPUT -p tcp -m tcp --dport 56321 -j DROP
-A OUTPUT -p udp -m udp --sport 56321 -j DROP
-A OUTPUT -p tcp -m tcp --sport 56321 -j DROP
-A POSTROUTING -p udp -m udp --dport 56321 -j DROP
-A POSTROUTING -p tcp -m tcp --dport 56321 -j DROP
-A POSTROUTING -p udp -m udp --sport 56321 -j DROP
-A POSTROUTING -p tcp -m tcp --sport 56321 -j DROP
COMMIT
# Completed on Mon Apr 25 10:20:03 2016
 
Post #11, X-LFS-2010 (04-25-2016, 11:46 AM):
####################################################
SERVER=1
####################################################

# Generated by iptables-save va.b.c.d on Mon Apr 25 10:49:21 2016
*filter
:INPUT DROP [168:14051]
:FORWARD DROP [0:0]
:OUTPUT DROP [1:328]
:allowed - [0:0]
:allowed_rel - [0:0]
:allowed_server - [0:0]
:bad_tcp_packets - [0:0]
:hook_fwd_begin - [0:0]
:hook_fwd_end - [0:0]
:hook_fwd_est - [0:0]
:hook_fwd_list - [0:0]
:hook_i_begin - [0:0]
:hook_i_end - [0:0]
:hook_i_est - [0:0]
:hook_i_list - [0:0]
:hook_nat_begin - [0:0]
:hook_nat_end - [0:0]
:hook_o_begin - [0:0]
:hook_o_end - [0:0]
:hook_o_est - [0:0]
:hook_o_list - [0:0]
:icmp_packets - [0:0]
:sw_loc - [0:0]
:sw_loc_drop_fwd - [0:0]
:sw_loc_drop_i - [0:0]
:sw_loc_drop_o - [0:0]
:sw_resv_drop_i - [0:0]
:sw_resv_drop_o - [0:0]
:tcp_fwd_packets_tlan_i - [0:0]
:tcp_fwd_packets_tlan_o - [0:0]
:tcp_fwd_packets_u2lan_i - [0:0]
:tcp_fwd_packets_u2lan_o - [0:0]
:tcp_fwd_packets_ulan_i - [0:0]
:tcp_fwd_packets_ulan_o - [0:0]
:tcp_packets - [0:0]
:tcp_packets_i - [0:0]
:tcp_packets_o - [0:0]
:tcp_packets_plan_i - [0:0]
:tcp_packets_plan_o - [0:0]
:tcp_packets_u2lan_i - [0:0]
:tcp_packets_u2lan_o - [0:0]
:tcp_packets_ulan_i - [0:0]
:tcp_packets_ulan_o - [0:0]
:udp_fwd_packets_tlan_i - [0:0]
:udp_fwd_packets_tlan_o - [0:0]
:udp_fwd_packets_u2lan_i - [0:0]
:udp_fwd_packets_u2lan_o - [0:0]
:udp_fwd_packets_ulan_i - [0:0]
:udp_fwd_packets_ulan_o - [0:0]
:udp_packets - [0:0]
:udp_packets_i - [0:0]
:udp_packets_o - [0:0]
:udp_packets_plan_i - [0:0]
:udp_packets_plan_o - [0:0]
:udp_packets_u2lan_i - [0:0]
:udp_packets_u2lan_o - [0:0]
:udp_packets_ulan_i - [0:0]
:udp_packets_ulan_o - [0:0]
-A INPUT -p tcp -m tcp --sport 992 -j ACCEPT
-A INPUT -p udp -m udp --dport 5000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4404 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 4404 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 28 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4401 -j ACCEPT
-A INPUT -j hook_i_begin
-A INPUT -j sw_loc_drop_i
-A INPUT -i eth0 -j sw_resv_drop_i
-A INPUT -p tcp -j bad_tcp_packets
-A INPUT -i eth1 -j ACCEPT
-A INPUT -s a.b.c.d/32 -j sw_loc
-A INPUT -s a.b.c.d/32 -j sw_loc
-A INPUT -s a.b.c.d/32 -j sw_loc
-A INPUT -s a.b.c.d/32 -j sw_loc
-A INPUT -p icmp -j icmp_packets
-A INPUT -j hook_i_est
-A INPUT -j hook_i_list
-A INPUT -d a.b.c.d/32 -i eth0 -p tcp -j tcp_packets_i
-A INPUT -d a.b.c.d/32 -i eth0 -p udp -j udp_packets_i
-A INPUT -i eth2 -p tcp -j tcp_packets_u2lan_i
-A INPUT -i eth2 -p udp -j udp_packets_u2lan_i
-A INPUT -p udp -m udp --sport 520 -j DROP
-A INPUT -i eth0 -p udp -m udp --sport 137:139 -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix " IPT INPUT packet died: " --log-level 6
-A INPUT -j hook_i_end
-A FORWARD -j hook_fwd_begin
-A FORWARD -j sw_loc_drop_fwd
-A FORWARD -i eth0 -j sw_resv_drop_i
-A FORWARD -o eth0 -j sw_resv_drop_o
-A FORWARD -p tcp -j bad_tcp_packets
-A FORWARD -i eth0 -o eth0 -j DROP
-A FORWARD -i eth1 -o eth1 -j ACCEPT
-A FORWARD -p icmp -j icmp_packets
-A FORWARD -j hook_fwd_est
-A FORWARD -j hook_fwd_list
-A FORWARD -i eth2 -o eth0 -p tcp -j tcp_fwd_packets_u2lan_o
-A FORWARD -i eth2 -o eth0 -p udp -j udp_fwd_packets_u2lan_o
-A FORWARD -i eth1 -o eth0 -p tcp -j tcp_fwd_packets_tlan_o
-A FORWARD -i eth1 -o eth0 -p udp -j udp_fwd_packets_tlan_o
-A FORWARD -i eth0 -o eth2 -p tcp -j tcp_fwd_packets_u2lan_i
-A FORWARD -i eth0 -o eth2 -p udp -j udp_fwd_packets_u2lan_i
-A FORWARD -i eth0 -o eth1 -p tcp -j tcp_fwd_packets_tlan_i
-A FORWARD -i eth0 -o eth1 -p udp -j udp_fwd_packets_tlan_i
-A FORWARD -p udp -m udp --sport 520 -j DROP
-A FORWARD -o eth0 -p tcp -m tcp --dport 113 -j DROP
-A FORWARD -i eth0 -p udp -m udp --sport 137:139 -j DROP
-A FORWARD -o eth0 -p udp -m udp --sport 137:139 -j DROP
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix " IPT FORWARD packet died: " --log-level 6
-A FORWARD -j hook_fwd_end
-A OUTPUT -p tcp -m tcp --dport 992 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 5000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 4404 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 4404 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 28 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 28 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 4401 -j ACCEPT
-A OUTPUT -j hook_o_begin
-A OUTPUT -j sw_loc_drop_o
-A OUTPUT -o eth0 -j sw_resv_drop_o
-A OUTPUT -p tcp -j bad_tcp_packets
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -s a.b.c.d/32 -j sw_loc
-A OUTPUT -s a.b.c.d/32 -j sw_loc
-A OUTPUT -s a.b.c.d/32 -j sw_loc
-A OUTPUT -s a.b.c.d/32 -j sw_loc
-A OUTPUT -j hook_o_est
-A OUTPUT -j hook_o_list
-A OUTPUT -s a.b.c.d/32 -o eth0 -p tcp -j tcp_packets_o
-A OUTPUT -s a.b.c.d/32 -o eth0 -p udp -j udp_packets_o
-A OUTPUT -o eth2 -p tcp -j tcp_packets_u2lan_o
-A OUTPUT -o eth2 -p udp -j udp_packets_u2lan_o
-A OUTPUT -p udp -m udp --dport 520 -j DROP
-A OUTPUT -o eth0 -p tcp -m tcp --dport 113 -j DROP
-A OUTPUT -o eth0 -p udp -m udp --sport 137:139 -j DROP
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix " IPT OUTPUT packet died: " --log-level 6
-A OUTPUT -j hook_o_end
-A allowed -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j REJECT --reject-with icmp-port-unreachable
-A allowed_rel -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A allowed_server -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A bad_tcp_packets -p tcp -m state --state INVALID -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A icmp_packets -p icmp -m icmp --icmp-type 5 -j REJECT --reject-with icmp-port-unreachable
-A icmp_packets -p icmp -m icmp --icmp-type 9 -j REJECT --reject-with icmp-port-unreachable
-A icmp_packets -p icmp -m icmp --icmp-type 10 -j REJECT --reject-with icmp-port-unreachable
-A icmp_packets -p icmp -j ACCEPT
-A sw_loc -d a.b.c.d/32 -j ACCEPT
-A sw_loc -d a.b.c.d/32 -j ACCEPT
-A sw_loc -d a.b.c.d/32 -j ACCEPT
-A sw_loc -d a.b.c.d/32 -j ACCEPT
-A sw_loc_drop_fwd -s a.b.c.d/32 -j REJECT --reject-with icmp-port-unreachable
-A sw_loc_drop_fwd -s a.b.c.d/32 -j REJECT --reject-with icmp-port-unreachable
-A sw_loc_drop_fwd -s a.b.c.d/32 -j REJECT --reject-with icmp-port-unreachable
-A sw_loc_drop_fwd -s a.b.c.d/32 -j REJECT --reject-with icmp-port-unreachable
-A sw_loc_drop_fwd -d a.b.c.d/32 -j REJECT --reject-with icmp-port-unreachable
-A sw_loc_drop_fwd -d a.b.c.d/32 -j REJECT --reject-with icmp-port-unreachable
-A sw_loc_drop_fwd -d a.b.c.d/32 -j REJECT --reject-with icmp-port-unreachable
-A sw_loc_drop_fwd -d a.b.c.d/32 -j REJECT --reject-with icmp-port-unreachable
-A sw_loc_drop_i -d a.b.c.d/32 -j RETURN
-A sw_loc_drop_i -d a.b.c.d/32 -j RETURN
-A sw_loc_drop_i -d a.b.c.d/32 -j RETURN
-A sw_loc_drop_i -d a.b.c.d/32 -j RETURN
-A sw_loc_drop_i -d a.b.c.d/32 -j RETURN
-A sw_loc_drop_i -d a.b.c.d/32 -j RETURN
-A sw_loc_drop_i -j REJECT --reject-with icmp-port-unreachable
-A sw_loc_drop_o -s a.b.c.d/32 -j RETURN
-A sw_loc_drop_o -s a.b.c.d/32 -j RETURN
-A sw_loc_drop_o -s a.b.c.d/32 -j RETURN
-A sw_loc_drop_o -s a.b.c.d/32 -j RETURN
-A sw_loc_drop_o -s a.b.c.d/32 -j RETURN
-A sw_loc_drop_o -s a.b.c.d/32 -j RETURN
-A sw_loc_drop_o -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/8 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/8 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/8 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/8 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/8 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/8 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/16 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/16 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/12 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/16 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/24 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/24 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/24 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/16 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/15 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/24 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/4 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_i -s a.b.c.d/4 -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/8 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/8 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/8 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/8 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/8 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/8 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/16 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/16 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/12 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/16 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/24 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/24 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/24 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/16 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/15 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/24 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/4 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A sw_resv_drop_o -d a.b.c.d/4 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 5050 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 5190 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 53 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 80 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 25 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 8000 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 8080 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 8888 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 443 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 2401 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 6667 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 119 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 21 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 20 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 109:110 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 143 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 43 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --sport 123 -j allowed
-A tcp_fwd_packets_tlan_i -p tcp -m tcp --dport 8000 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 5050 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 5190 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 53 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 80 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 25 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 8000 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 8080 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 8888 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 443 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 2401 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 6667 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 119 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 21 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 20 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 109:110 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 143 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 43 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --dport 123 -j allowed
-A tcp_fwd_packets_tlan_o -p tcp -m tcp --sport 8000 -j allowed
-A tcp_fwd_packets_u2lan_i -p tcp -m tcp --sport 25:65534 -j allowed
-A tcp_fwd_packets_u2lan_i -p tcp -m tcp --dport 25:65534 -j allowed
-A tcp_fwd_packets_u2lan_o -p tcp -m tcp --dport 25:65534 -j allowed
-A tcp_fwd_packets_u2lan_o -p tcp -m tcp --sport 25:65534 -j allowed
-A tcp_packets_i -p tcp -m tcp --sport 123 -j allowed_server
-A tcp_packets_i -p tcp -m tcp --sport 53 -j allowed_server
-A tcp_packets_i -p tcp -m tcp --sport 80 -j allowed_server
-A tcp_packets_i -p tcp -m tcp --sport 8000 -j allowed_server
-A tcp_packets_i -p tcp -m tcp --sport 8080 -j allowed_server
-A tcp_packets_i -p tcp -m tcp --sport 8888 -j allowed_server
-A tcp_packets_i -p tcp -m tcp --sport 443 -j allowed_server
-A tcp_packets_i -p tcp -m tcp --sport 2401 -j allowed_server
-A tcp_packets_i -p tcp -m tcp --sport 6667 -j allowed_server
-A tcp_packets_i -p tcp -m tcp --sport 119 -j allowed_server
-A tcp_packets_i -p tcp -m tcp --sport 25 -j allowed_server
-A tcp_packets_i -p tcp -m tcp --sport 21 -j allowed_server
-A tcp_packets_i -p tcp -m tcp --sport 20 -j allowed_server
-A tcp_packets_i -p tcp -m tcp --sport 109:110 -j allowed_server
-A tcp_packets_i -p tcp -m tcp --sport 143 -j allowed_server
-A tcp_packets_i -p tcp -m tcp --sport 43 -j allowed_server
-A tcp_packets_i -p tcp -m tcp --dport 8000 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --dport 123 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --dport 53 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --dport 80 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --dport 8000 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --dport 8080 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --dport 8888 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --dport 443 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --dport 2401 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --dport 6667 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --dport 119 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --dport 25 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --dport 21 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --dport 20 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --dport 109:110 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --dport 143 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --dport 43 -j allowed_server
-A tcp_packets_o -p tcp -m tcp --sport 8000 -j allowed_server
-A tcp_packets_u2lan_i -p tcp -m tcp --sport 53 -j allowed
-A tcp_packets_u2lan_i -p tcp -m tcp --dport 53 -j allowed
-A tcp_packets_u2lan_o -p tcp -m tcp --dport 53 -j allowed
-A tcp_packets_u2lan_o -p tcp -m tcp --sport 53 -j allowed
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 53 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 80 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 8000 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 8080 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 8888 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 443 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 2401 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 6667 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 21 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 20 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 109:110 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 143 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --sport 123 -j ACCEPT
-A udp_fwd_packets_tlan_i -p udp -m udp --dport 8000 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 53 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 80 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 8000 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 8080 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 8888 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 443 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 2401 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 6667 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 21 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 20 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 109:110 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 143 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --dport 123 -j ACCEPT
-A udp_fwd_packets_tlan_o -p udp -m udp --sport 8000 -j ACCEPT
-A udp_fwd_packets_u2lan_i -p udp -m udp --sport 25:65534 -j ACCEPT
-A udp_fwd_packets_u2lan_i -p udp -m udp --dport 25:65534 -j ACCEPT
-A udp_fwd_packets_u2lan_o -p udp -m udp --dport 25:65534 -j ACCEPT
-A udp_fwd_packets_u2lan_o -p udp -m udp --sport 25:65534 -j ACCEPT
-A udp_packets_i -p udp -m udp --sport 123 -j ACCEPT
-A udp_packets_i -p udp -m udp --sport 53 -j ACCEPT
-A udp_packets_i -p udp -m udp --sport 80 -j ACCEPT
-A udp_packets_i -p udp -m udp --sport 8000 -j ACCEPT
-A udp_packets_i -p udp -m udp --sport 8080 -j ACCEPT
-A udp_packets_i -p udp -m udp --sport 8888 -j ACCEPT
-A udp_packets_i -p udp -m udp --sport 443 -j ACCEPT
-A udp_packets_i -p udp -m udp --sport 2401 -j ACCEPT
-A udp_packets_i -p udp -m udp --sport 6667 -j ACCEPT
-A udp_packets_i -p udp -m udp --sport 21 -j ACCEPT
-A udp_packets_i -p udp -m udp --sport 20 -j ACCEPT
-A udp_packets_i -p udp -m udp --sport 109:110 -j ACCEPT
-A udp_packets_i -p udp -m udp --sport 143 -j ACCEPT
-A udp_packets_i -p udp -m udp --dport 8000 -j ACCEPT
-A udp_packets_o -p udp -m udp --dport 123 -j ACCEPT
-A udp_packets_o -p udp -m udp --dport 53 -j ACCEPT
-A udp_packets_o -p udp -m udp --dport 80 -j ACCEPT
-A udp_packets_o -p udp -m udp --dport 8000 -j ACCEPT
-A udp_packets_o -p udp -m udp --dport 8080 -j ACCEPT
-A udp_packets_o -p udp -m udp --dport 8888 -j ACCEPT
-A udp_packets_o -p udp -m udp --dport 443 -j ACCEPT
-A udp_packets_o -p udp -m udp --dport 2401 -j ACCEPT
-A udp_packets_o -p udp -m udp --dport 6667 -j ACCEPT
-A udp_packets_o -p udp -m udp --dport 21 -j ACCEPT
-A udp_packets_o -p udp -m udp --dport 20 -j ACCEPT
-A udp_packets_o -p udp -m udp --dport 109:110 -j ACCEPT
-A udp_packets_o -p udp -m udp --dport 143 -j ACCEPT
-A udp_packets_o -p udp -m udp --sport 8000 -j ACCEPT
-A udp_packets_u2lan_i -p udp -m udp --sport 53 -j ACCEPT
-A udp_packets_u2lan_i -p udp -m udp --dport 53 -j ACCEPT
-A udp_packets_u2lan_o -p udp -m udp --dport 53 -j ACCEPT
-A udp_packets_u2lan_o -p udp -m udp --sport 53 -j ACCEPT
COMMIT
# Completed on Mon Apr 25 10:49:21 2016
# Generated by iptables-save va.b.c.d on Mon Apr 25 10:49:21 2016
*nat
:PREROUTING ACCEPT [5438:379815]
:INPUT ACCEPT [201429:13576778]
:OUTPUT ACCEPT [4268:363131]
:POSTROUTING ACCEPT [603:43248]
-A POSTROUTING -o eth0 -j SNAT --to-source a.b.c.d
COMMIT
# Completed on Mon Apr 25 10:49:21 2016
# Generated by iptables-save va.b.c.d on Mon Apr 25 10:49:21 2016
*mangle
:PREROUTING ACCEPT [204928:144297350]
:INPUT ACCEPT [7912:752265]
:FORWARD ACCEPT [197016:143545085]
:OUTPUT ACCEPT [7985:1303658]
:POSTROUTING ACCEPT [204690:144788667]
-A PREROUTING -p udp -m udp --dport 56321 -j DROP
-A PREROUTING -p tcp -m tcp --dport 56321 -j DROP
-A PREROUTING -p udp -m udp --sport 56321 -j DROP
-A PREROUTING -p tcp -m tcp --sport 56321 -j DROP
-A INPUT -p udp -m udp --dport 56321 -j DROP
-A INPUT -p tcp -m tcp --dport 56321 -j DROP
-A INPUT -p udp -m udp --sport 56321 -j DROP
-A INPUT -p tcp -m tcp --sport 56321 -j DROP
-A FORWARD -p udp -m udp --dport 56321 -j DROP
-A FORWARD -p tcp -m tcp --dport 56321 -j DROP
-A FORWARD -p udp -m udp --sport 56321 -j DROP
-A FORWARD -p tcp -m tcp --sport 56321 -j DROP
-A OUTPUT -p udp -m udp --dport 56321 -j DROP
-A OUTPUT -p tcp -m tcp --dport 56321 -j DROP
-A OUTPUT -p udp -m udp --sport 56321 -j DROP
-A OUTPUT -p tcp -m tcp --sport 56321 -j DROP
-A POSTROUTING -p udp -m udp --dport 56321 -j DROP
-A POSTROUTING -p tcp -m tcp --dport 56321 -j DROP
-A POSTROUTING -p udp -m udp --sport 56321 -j DROP
-A POSTROUTING -p tcp -m tcp --sport 56321 -j DROP
COMMIT
# Completed on Mon Apr 25 10:49:21 2016
 
Old 04-25-2016, 11:51 AM   #12
X-LFS-2010
Member
 
Registered: Apr 2016
Posts: 510

Rep: Reputation: 58
So, to summarize: you need a "firm routing table", and to block everything going every which way unless intended. You want to choke the internet (web) but likely be more allowing on your LAN. You also need to write stuff to /proc to disable some things (also not shown above).

Start by choking anything that matches any inet class address.

Also note: if you have no firewall at all you may be safe for a while, but in the long term: no.

Personally, I have people from China or wherever CONTINUALLY trying to access services (telnet, ftp) on my box (and when I ran FTP I had logs showing why they were accessing it: it was to upload viruses and break the box, which is why I don't allow ftp).

By continually I mean "several times daily", and that it is done by robots, which would take a while to take advantage of a hole left in.

Last edited by X-LFS-2010; 04-25-2016 at 11:54 AM.
 
Old 04-25-2016, 12:00 PM   #13
X-LFS-2010
Member
 
Registered: Apr 2016
Posts: 510

Rep: Reputation: 58
One more point of advice:

You only ACCEPT if you have rules in the channel that DROP everything bad.

Don't look at a "posted iptables script", see ACCEPT, and assume that means your network should ACCEPT. You ACCEPT so that the rules within do the DROP.
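A default-deny, conntrack-based FORWARD policy of the kind the two posts above argue for, written for the gateway asked about at the top of the thread, as an added example that is not part of the thread or any poster's script: it emits the ruleset in ip6tables-restore form so it can be read before it is loaded, plus the matching sysctl lines. WAN on eth0, LAN on eth1 and the exempt host 2001:1:2:3::1f1f are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: generate a stateful ip6tables FORWARD
# policy for an IPv6 gateway (review it, then feed it to ip6tables-restore).
# Assumed: WAN interface eth0, the LAN from the question on eth1.

# gen_ruleset LAN_PREFIX WAN_IF LAN_IF [EXEMPT_HOST...]
gen_ruleset() {
  lan="$1"; wan_if="$2"; lan_if="$3"; shift 3
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:icmpv6_ok - [0:0]
:lan_exempt - [0:0]
# INPUT is left open here: this example covers forwarded traffic only
# replies to connections the LAN opened; what conntrack cannot place is dropped
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# ICMPv6 that IPv6 cannot function without (PMTU discovery, error reports)
-A FORWARD -p ipv6-icmp -j icmpv6_ok
# unsolicited traffic from the WAN is only accepted for the exempt hosts
-A FORWARD -i $wan_if -o $lan_if -d $lan -j lan_exempt
# the LAN may open anything outbound
-A FORWARD -i $lan_if -o $wan_if -s $lan -j ACCEPT
-A icmpv6_ok -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A icmpv6_ok -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A icmpv6_ok -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A icmpv6_ok -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A icmpv6_ok -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT
EOF
  for host in "$@"; do
    printf -- '-A lan_exempt -d %s -j ACCEPT\n' "$host"
  done
  # RETURN leaves every other destination to the FORWARD chain's DROP policy
  printf -- '-A lan_exempt -j RETURN\nCOMMIT\n'
}

# sysctl_settings WAN_IF: the /proc knobs the ruleset relies on
sysctl_settings() {
  cat <<EOF
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.$1.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_source_route=0
EOF
}
```

Other LANs that must route freely get their own `-s <prefix> -j ACCEPT` line in FORWARD the same way the question's LAN does; the ESTABLISHED,RELATED rule must stay first so replies are never evaluated against the per-host exemptions.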
 
  

