LinuxQuestions.org
Old 09-05-2004, 05:29 AM   #1
extremebfn
Member
 
Registered: Jun 2004
Location: bloem
Distribution: asdsa
Posts: 43

Rep: Reputation: 15
Traffic still going past firewall


Hi. I have a Slackware 10 PC in the middle of 2 networks, A and B.


Network A --> eth0 SLACKWARE eth1 <--- Network B
br0
<---------<----------<-----<--------<--------<--------------- TRAFFIC FLOW
Slackware is using a bridge interface (br0).

My firewall is set up to DROP all incoming packets, but it doesn't. The traffic still goes past the firewall and into Network A. The firewall script works as follows: it denies all traffic by default and only allows the IPs specified in the LocalNetwork=" " list, but it still allows all traffic.

MY SCRIPT


#!/bin/bash

# SN: 13098209 | Pieterse, Iwan | Copyright 2002-2004 (ssengnihtoN Basic Script)

# Reset the default policies in the filter table.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP # While loading.
# Reset the default policies in the nat table.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# Reset the default policies in the mangle table.
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
# Flush all the rules in the filter and nat tables.
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Erase all chains that aren't default in the filter, nat and mangle tables.
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Reset the counters.
iptables -Z

# Turning on IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
# ICMP Broadcasting protection.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Colour constants.
cyan="\033[40;36m" # Configuration

#
# Configuration
#
LocalNetwork="192.168.29.20 192.168.29.10" # IPs to allow internet access
echo -e "$cyan IP(s) to FORWARD, MASQUERADE and DROP: $LocalNetwork"

# Values to use for logging.
LIMITLOG="-m limit --limit 4/h --limit-burst 1 -j LOG --log-level alert --log-tcp-sequence --log-tcp-options --log-ip-options --log-prefix"
# Constants
ALL="INPUT FORWARD OUTPUT"
VIOLATE="-m recent --set --name VIOLATED -j DROP"

#
# Drop INPUT from hosts in the VIOLATED list.
#
iptables -A INPUT ! -s 127.0.0.1 -m recent --name VIOLATED --rttl --update --seconds 300 -j DROP
iptables -A FORWARD ! -s 127.0.0.1 -m recent --name VIOLATED --rttl --update --seconds 120 -j DROP

#
# Accept ESTABLISHED and RELATED connections on ports 1024:65535
#
for Chain in $ALL; do

iptables -A $Chain -m state --state ESTABLISHED -j ACCEPT
iptables -A $Chain -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT
iptables -A $Chain -p udp --dport 1024:65535 -m state --state RELATED -j ACCEPT

done

#
# IP(s) to FORWARD, MASQUERADE and DROP.
#
for IP in $LocalNetwork; do

# Accept all your LAN IP(s) explicitly.
iptables -A INPUT -s $IP -i br0 -j ACCEPT
# Forward your LAN.
iptables -A FORWARD -i br0 -o ppp+ -s $IP ! -d $IP -j ACCEPT
iptables -A FORWARD ! -i ppp+ -m state --state NEW -s $IP -j ACCEPT
# Masquerading.
iptables -t nat -A POSTROUTING -o ppp+ -s $IP ! -d $IP -j MASQUERADE

done

#
# Explicit ACCEPT / helper modules only!
#
for Chain in $ALL; do

iptables -A $Chain -m helper --helper irc -j ACCEPT
iptables -A $Chain -m helper --helper ftp -j ACCEPT

done

#
# Clamp the TCP MSS to the path MTU on PPP links.
#
iptables -t mangle -A POSTROUTING -o ppp+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# IRC priority/precedence.
iptables -t mangle -A PREROUTING -p tcp --dport 6667 -j TOS --set-tos Minimize-Delay

#
# Unauthorized Packets.
#
iptables -N Attack
iptables -A INPUT -m state --state NEW -j Attack
iptables -A Attack $LIMITLOG "Unauthorized Packet: "
iptables -A Attack $VIOLATE
iptables -A Attack -j DROP

#
# Change default policy.
#
iptables -P OUTPUT ACCEPT
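The FORWARD chain that the script above builds, evaluated against a few constructed packets. This is an added model, not code from the thread; it assumes bridged frames reach iptables at all (on Linux that requires bridge-netfilter, i.e. /proc/sys/net/bridge/bridge-nf-call-iptables set to 1) and that iptables reports both -i and -o of a bridged frame as br0. The irc/ftp helper rules and the recent-list timers are left out.

```python
# Added example (not from the thread): a model of the FORWARD chain the
# script builds, assuming bridged frames reach iptables (bridge-netfilter)
# and that a bridged frame shows -i br0 and -o br0. Helper rules omitted.
from fnmatch import fnmatch

LOCAL_NETWORK = ["192.168.29.20", "192.168.29.10"]  # LocalNetwork= in the script
VIOLATED = set()  # addresses in the -m recent VIOLATED list (timers ignored)

def rule_violated(p):      # ! -s 127.0.0.1 -m recent --name VIOLATED ... -j DROP
    return p["src"] != "127.0.0.1" and p["src"] in VIOLATED

def rule_established(p):   # -m state --state ESTABLISHED -j ACCEPT
    return p["state"] == "ESTABLISHED"

def rule_related_high(p):  # -p tcp|udp --dport 1024:65535 --state RELATED -j ACCEPT
    return (p["state"] == "RELATED" and p["proto"] in ("tcp", "udp")
            and 1024 <= p["dport"] <= 65535)

def rule_lan_to_ppp(ip):   # -i br0 -o ppp+ -s $IP ! -d $IP -j ACCEPT
    return lambda p: (p["in_if"] == "br0" and fnmatch(p["out_if"], "ppp*")
                      and p["src"] == ip and p["dst"] != ip)

def rule_lan_new(ip):      # ! -i ppp+ -m state --state NEW -s $IP -j ACCEPT
    return lambda p: (not fnmatch(p["in_if"], "ppp*")
                      and p["state"] == "NEW" and p["src"] == ip)

# Rules in the order the script appends them to FORWARD; the policy is DROP.
FORWARD = [(rule_violated, "DROP"), (rule_established, "ACCEPT"),
           (rule_related_high, "ACCEPT")]
for _ip in LOCAL_NETWORK:
    FORWARD += [(rule_lan_to_ppp(_ip), "ACCEPT"), (rule_lan_new(_ip), "ACCEPT")]
POLICY = "DROP"

def packet(src, dst, state="NEW", in_if="br0", out_if="br0", proto="tcp", dport=80):
    """Constructed packet summary, as the filter would see it."""
    return dict(src=src, dst=dst, state=state, in_if=in_if, out_if=out_if,
                proto=proto, dport=dport)

def forward_verdict(p):
    """Return (verdict, index of the first matching rule, or None for the policy)."""
    for i, (match, target) in enumerate(FORWARD):
        if match(p):
            return target, i
    return POLICY, None

if __name__ == "__main__":
    for p in (packet("192.168.29.20", "192.168.29.1"), packet("10.0.0.5", "192.168.29.1")):
        print(p["src"], "->", p["dst"], p["state"], forward_verdict(p))
```

Under these assumptions a NEW packet from a listed address is accepted by the `! -i ppp+` rule whatever its destination, and a NEW packet from an unlisted address falls through to the DROP policy; if a real host sees different behaviour, the frames are most likely not traversing the chain at all.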
 
Old 10-04-2004, 01:43 AM   #2
symen
Member
 
Registered: Sep 2004
Location: Dublin
Distribution: Debian 3
Posts: 61

Rep: Reputation: 15
Can you post the output of "iptables -L" as well?
 
  

