Traffic still going past Firewall
Hi. I have a Slackware 10 PC in the middle of 2 networks, A and B.

Network A --> eth0 [SLACKWARE] eth1 <--- Network B
                      br0
<---------<----------<-----<--------<--------<---------------  TRAFFIC FLOW

Slackware is using a bridge interface (br0). My firewall is set up to DROP all incoming packets, but it doesn't. The traffic still goes past the firewall and into Network A. The firewall script works as follows: it denies all traffic by default and only allows the IPs specified inside the LocalNetwork=" " list, but it still allows all traffic...

MY SCRIPT

#!/bin/bash
# SN: 13098209 | Pieterse, Iwan | Copyright 2002-2004 (ssengnihtoN Basic Script)

# Reset the default policies in the filter table.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP # While loading.

# Reset the default policies in the nat table.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# Reset the default policies in the mangle table.
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

# Flush all the rules in the filter, nat and mangle tables.
iptables -F
iptables -t nat -F
iptables -t mangle -F

# Erase all chains that are not default in the filter, nat and mangle tables.
iptables -X
iptables -t nat -X
iptables -t mangle -X

# Reset the counters.
iptables -Z

# Turning on IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

# ICMP Broadcasting protection.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Colour constants.
cyan="\033[40;36m"

#
# Configuration
#
LocalNetwork="192.168.29.20 192.168.29.10" # IPs to allow internet access
echo -e "$cyan IP(s) to FORWARD, MASQUERADE and DROP: $LocalNetwork"

# Values to use for logging (word-split on use; the --log-prefix value follows it).
LIMITLOG="-m limit --limit 4/h --limit-burst 1 -j LOG --log-level alert --log-tcp-sequence --log-tcp-options --log-ip-options --log-prefix"

# Constants
ALL="INPUT FORWARD OUTPUT"
VIOLATE="-m recent --set --name VIOLATED -j DROP"

#
# Drop INPUT and FORWARD from hosts in the VIOLATED list.
#
iptables -A INPUT -s ! 127.0.0.1 -m recent --name VIOLATED --rttl --update --seconds 300 -j DROP
iptables -A FORWARD -s ! 127.0.0.1 -m recent --name VIOLATED --rttl --update --seconds 120 -j DROP

#
# Accept ESTABLISHED and RELATED connections on ports 1024:65535
#
for Chain in $ALL; do
    iptables -A $Chain -m state --state ESTABLISHED -j ACCEPT
    iptables -A $Chain -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT
    iptables -A $Chain -p udp --dport 1024:65535 -m state --state RELATED -j ACCEPT
done

#
# IP(s) to FORWARD, MASQUERADE and DROP.
#
for IP in $LocalNetwork; do
    # Accept all your LAN IP(s) explicitly.
    iptables -A INPUT -s $IP -i br0 -j ACCEPT
    # Forward your LAN.
    iptables -A FORWARD -i br0 -o ppp+ -s $IP -d ! $IP -j ACCEPT
    iptables -A FORWARD -i ! ppp+ -m state --state NEW -s $IP -j ACCEPT
    # Masquerading.
    iptables -t nat -A POSTROUTING -o ppp+ -s $IP -d ! $IP -j MASQUERADE
done

#
# Explicit ACCEPT / helper modules only!
#
for Chain in $ALL; do
    iptables -A $Chain -m helper --helper irc -j ACCEPT
    iptables -A $Chain -m helper --helper ftp -j ACCEPT
done

#
# Interpret
#
iptables -t mangle -A POSTROUTING -o ppp+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# IRC priority/precedence.
iptables -t mangle -A PREROUTING -p tcp --dport 6667 -j TOS --set-tos Minimize-Delay

#
# Unauthorized Packets.
#
iptables -N Attack
iptables -A INPUT -m state --state NEW -j Attack
iptables -A Attack $LIMITLOG "Unauthorized Packet: "
iptables -A Attack $VIOLATE
iptables -A Attack -j DROP

#
# Change default policy.
#
iptables -P OUTPUT ACCEPT
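The symptom above is what happens when bridged frames never enter the filter table: the kernel only hands frames crossing br0 to the iptables FORWARD chain when its bridge netfilter hook is present and switched on, and otherwise the FORWARD DROP policy is never consulted. The check below is an added example, not the poster's script; it assumes the standard bridge-nf-call-iptables sysctl path, and BRIDGE_NF_FILE is a hypothetical override used only for testing.

```shell
#!/bin/bash
# Added example, not the poster's script: check whether bridged frames reach
# iptables at all, then print FORWARD rules that match only bridged frames.

# Assumed standard sysctl path; BRIDGE_NF_FILE is a hypothetical override so
# the check can be exercised against any file.
SYSCTL_FILE="${BRIDGE_NF_FILE:-/proc/sys/net/bridge/bridge-nf-call-iptables}"

# Returns 0 when bridged frames are handed to iptables ("1"), 1 when the hook
# is switched off ("0"), 2 when the file is absent (kernel built without
# bridge netfilter support, so the filter table never sees bridged traffic).
bridge_nf_state() {
    local f="$1"
    [ -r "$f" ] || return 2
    if [ "$(cat "$f")" = "1" ]; then return 0; fi
    return 1
}

# Emit FORWARD rules restricted to bridged frames (so routed ppp+ traffic is
# untouched): allow the listed LAN sources, log and drop everything else.
# Arguments: the IPs to allow (the poster's LocalNetwork list). The rules are
# printed rather than applied so they can be reviewed first.
bridged_forward_rules() {
    local ip
    echo "iptables -A FORWARD -m physdev --physdev-is-bridged -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ip in "$@"; do
        echo "iptables -A FORWARD -m physdev --physdev-is-bridged -s $ip -j ACCEPT"
    done
    echo "iptables -A FORWARD -m physdev --physdev-is-bridged -j LOG --log-prefix \"Bridged drop: \""
    echo "iptables -A FORWARD -m physdev --physdev-is-bridged -j DROP"
}

# Human-readable verdict for the running kernel.
diagnose() {
    local rc=0
    bridge_nf_state "$SYSCTL_FILE" || rc=$?
    case $rc in
        0) echo "bridge-nf on: bridged frames traverse FORWARD, so policy DROP applies" ;;
        1) echo "bridge-nf off: echo 1 > $SYSCTL_FILE before iptables will see bridged frames" ;;
        *) echo "no bridge-nf in this kernel: bridged frames bypass iptables; use ebtables or a kernel with bridge netfilter" ;;
    esac
}

diagnose
bridged_forward_rules 192.168.29.20 192.168.29.10
```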
can you post the output of "iptables -L" as well?