Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi guys, I need a firewall script urgently... here is the sample that I am using now...
Code:
#!/bin/bash
# Some variables.. making life a little easier later on
IPTABLES=iptables
PATH="/sbin"
WAN_DEV="eth0"
WAN_IP="A.A.A.A"
ANY_ADDR="0/0"
# Flushing all rules and counters
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -Z
$IPTABLES -t nat -Z
# My default rules: drop inbound traffic to these service ports
$IPTABLES -A INPUT -p tcp -m multiport --destination-port 111,135,139,199,445,587,593,953,4444,6000 -j DROP
$IPTABLES -A INPUT -p udp -m multiport --destination-port 69,135,137,138 -j DROP
# Do some checks for obviously spoofed IPs (private source addresses arriving on the WAN interface)
$IPTABLES -A INPUT -i $WAN_DEV -d $WAN_IP -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $WAN_DEV -d $WAN_IP -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $WAN_DEV -d $WAN_IP -s 192.168.0.0/16 -j DROP
# Permanently deny this host, as it was always found to cause disturbance
$IPTABLES -A INPUT -i $WAN_DEV -s 59.120.161.18 -d $ANY_ADDR -j DROP
# Saving and activating the new rules
service iptables save
service iptables restart
Now, this was OK... but here is the thing... My Linux box is a web server, secure web server, DNS server [which replies to people's queries and also queries other servers itself; meaning it is a DNS server and also acts like a DNS client to resolve IPs that it does not have], FTP server, MySQL server. I also have to allow SSH from the WAN. Now all I need to do is block all the ports on IN and then allow only specific ports to come IN. I also want to deny all local/private IPs at eth0, my WAN interface, to prevent spoofing. Please help me by providing a cool script which is easy to read (don't forget to write comments in the script). Guys, I need this kind of assistance from you because right now I can't concentrate on anything...
#!/bin/bash
# Some variables.. making life a little easier later on
IPTABLES=iptables
PATH="/sbin"
LAN_DEV="eth1"
WAN_DEV="eth0"
WAN_IP="A.A.A.A"
ANY_ADDR="0/0"
# Flushing all rules, counters and user-defined chains
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -X
# Default deny at the input
$IPTABLES -P INPUT DROP
# Default deny at the output
$IPTABLES -P OUTPUT DROP
# Allow input that belongs to established and related connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow output that belongs to established and related connections
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow DNS query input from others (since it is a DNS server)
$IPTABLES -A INPUT -p UDP -i $WAN_DEV --dport 53 -m state --state NEW -j ACCEPT
# Allow the box to query other DNS servers (since it is also a DNS client)
$IPTABLES -A OUTPUT -p UDP -o $WAN_DEV --dport 53 -m state --state NEW -j ACCEPT
# Allow specific services to input: http, https, ftp, MySQL, ssh
$IPTABLES -A INPUT -p TCP -i $WAN_DEV -m multiport --dports 80,443,21,3306,22 -m state --state NEW -j ACCEPT
# Allow others to ping the box (echo requests in; the replies are ESTABLISHED)
$IPTABLES -A INPUT -p ICMP -i $WAN_DEV --icmp-type 8 -m state --state NEW -j ACCEPT
# Allow the box to send echo requests (replies to incoming pings are already covered above)
$IPTABLES -A OUTPUT -p ICMP -o $WAN_DEV --icmp-type 8 -m state --state NEW -j ACCEPT
# Allow loopback input
$IPTABLES -A INPUT -i lo -j ACCEPT
# Allow output to loopback
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Drop obviously spoofed packets: private source addresses arriving on the WAN interface
$IPTABLES -A INPUT -i $WAN_DEV -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i $WAN_DEV -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $WAN_DEV -s 172.16.0.0/12 -j DROP
# Saving and activating the new rules
service iptables save
service iptables restart
Note that with that config you will not be able to initiate outgoing connections from that box. So for example, if you wanted to send an email to someone else, you wouldn't be able to. Is that how you want it configured? From a security standpoint, that is excellent but definitely limits usability.
Also why do you want systems to be able to access MySQL on this host? If it's a backend DB for a webserver app or even for other systems on your network, then you should just limit access to only those systems. Definitely don't want people hammering away on it if you don't need to provide open access to it.
Also how does this system get an IP? Is it static or is it dynamically assigned (like via DHCP)?
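The design in this reply (default-deny INPUT and OUTPUT, a stateful ACCEPT first, then an explicit NEW rule per service) can be written as a generator that prints the iptables commands so the ruleset can be reviewed before anything is applied. This is an added example, not code from the thread. It assumes eth0 as the WAN interface, uses a constructed placeholder address 203.0.113.10 as the one host allowed to reach MySQL (following the advice above to limit MySQL access rather than open it), loads the FTP connection-tracking helper before the rules, places the anti-spoofing DROPs before any ACCEPT of NEW connections, and logs (rate limited) what the DROP policy will discard. The `check_order` function is a self-check that the spoof DROPs really come first.

```shell
#!/bin/sh
# Added example (not from the thread): prints a default-deny stateful ruleset
# for review. Apply as root only after reading the output:  gen_rules | sh
# Assumed values: WAN interface eth0; MYSQL_CLIENT is a constructed placeholder.

IPT="/sbin/iptables"
WAN_DEV="eth0"
MYSQL_CLIENT="203.0.113.10"

gen_rules() {
    # FTP data connections are only classified RELATED when the helper is
    # loaded; without it a DROP policy silently kills FTP transfers.
    echo "/sbin/modprobe ip_conntrack_ftp"

    # Policies first, then flush, so nothing is accepted during the rebuild.
    for chain in INPUT FORWARD OUTPUT; do
        echo "$IPT -P $chain DROP"
    done
    echo "$IPT -F"
    echo "$IPT -X"
    echo "$IPT -t nat -F"

    # Loopback and packets belonging to already-tracked connections.
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Anti-spoofing: private source addresses must never arrive on the WAN.
    # These DROPs precede every ACCEPT of NEW connections, otherwise a spoofed
    # private source would reach the service rules first.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        echo "$IPT -A INPUT -i $WAN_DEV -s $net -m limit -j LOG --log-prefix \"INPUT DROP SPOOF: \""
        echo "$IPT -A INPUT -i $WAN_DEV -s $net -j DROP"
    done

    # Services offered. Port 20 is not listed: the FTP helper marks data
    # connections RELATED. MySQL is reachable from the one client host only.
    echo "$IPT -A INPUT -i $WAN_DEV -p udp --dport 53 -m state --state NEW -j ACCEPT"
    echo "$IPT -A INPUT -i $WAN_DEV -p tcp -m multiport --dports 21,22,80,443 -m state --state NEW -j ACCEPT"
    echo "$IPT -A INPUT -i $WAN_DEV -p tcp -s $MYSQL_CLIENT --dport 3306 -m state --state NEW -j ACCEPT"
    echo "$IPT -A INPUT -i $WAN_DEV -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT"

    # Outbound: resolver queries (DNS client role), mail, web fetches, ssh.
    echo "$IPT -A OUTPUT -o $WAN_DEV -p udp --dport 53 -m state --state NEW -j ACCEPT"
    echo "$IPT -A OUTPUT -o $WAN_DEV -p tcp -m multiport --dports 22,25,80,443 -m state --state NEW -j ACCEPT"

    # Log (rate limited) whatever is about to fall through to the DROP policy.
    echo "$IPT -A INPUT -m limit -j LOG --log-prefix \"INPUT DROP: \""
    echo "$IPT -A OUTPUT -m limit -j LOG --log-prefix \"OUTPUT DROP: \""
}

# Self-check on the generated ordering: succeeds only when the first spoof
# DROP appears before the first ACCEPT of a NEW connection.
check_order() {
    gen_rules | awk '
        /-s (10|172|192)\..* -j DROP/ && !first_drop { first_drop = NR }
        /--state NEW -j ACCEPT/ && !first_new { first_new = NR }
        END { exit !(first_drop && first_new && first_drop < first_new) }'
}

if [ "${1:-}" = "--print" ]; then
    gen_rules
fi
```

Run it with `--print` to see the commands; the thread's own advice to hold off on `service iptables save` until the active configuration has been verified applies unchanged.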
It will not receive any mail and also will not send any mail. Well, can you give me an idea? Does PHP's mail function use local SMTP? I think so. If so, then what else should I use along with it? Adding a rule to allow output on 25?? Well, it could not initiate any new connections, but it can look up UDP 53 from other servers, meaning it is working as a DNS server and also, when required, it works as a DNS client. I have tested... now the other thing that needs to be tested is SSH from this machine. And oh, it has a static IP. MySQL will be allowed from specific IPs as per your advice. Any more advice?? I need a really secure (as far as possible) system, thus the firewall should be really a HOT, highly inflammable fire... but upon need, it will allow and fulfill all the needs also...
A major problem happened. After using the new script...
Code:
#!/bin/bash
IPTABLES=iptables
PATH="/sbin"
WAN_DEV="eth0"
WAN_IP="A.A.A.A"
ANY_ADDR="0/0"
# Flushing all rules, counters and user-defined chains
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -X
# Default deny at the input
$IPTABLES -P INPUT DROP
# Default deny at the output
$IPTABLES -P OUTPUT DROP
# Allow input that belongs to established and related connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow output that belongs to established and related connections
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow DNS query input from others (since it is a DNS server)
$IPTABLES -A INPUT -p UDP -i $WAN_DEV --dport 53 -m state --state NEW -j ACCEPT
# Allow the box to query other DNS servers (since it is also a DNS client)
$IPTABLES -A OUTPUT -p UDP -o $WAN_DEV --dport 53 -m state --state NEW -j ACCEPT
# Allow specific services to input: http, https, ftp-data, ftp, ssh
$IPTABLES -A INPUT -p TCP -i $WAN_DEV -m multiport --dports 80,443,20,21,22 -m state --state NEW -j ACCEPT
# Allow new outgoing connections from this host: smtp, http, https, ssh
$IPTABLES -A OUTPUT -p TCP -o $WAN_DEV -m multiport --dports 25,80,443,22 -m state --state NEW -j ACCEPT
# Allow others to ping the box (echo requests in; the replies are ESTABLISHED)
$IPTABLES -A INPUT -p ICMP -i $WAN_DEV --icmp-type 8 -m state --state NEW -j ACCEPT
# Allow the box to send echo requests (replies to incoming pings are already covered above)
$IPTABLES -A OUTPUT -p ICMP -o $WAN_DEV --icmp-type 8 -m state --state NEW -j ACCEPT
# Allow loopback input
$IPTABLES -A INPUT -i lo -j ACCEPT
# Allow output to loopback
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Drop obviously spoofed packets: private source addresses arriving on the WAN interface
$IPTABLES -A INPUT -i $WAN_DEV -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i $WAN_DEV -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $WAN_DEV -s 172.16.0.0/12 -j DROP
# Saving and activating the new rules
service iptables save
service iptables restart
After doing this, I found I can't upload files to the server using FTP. I've checked using iptraf that it is trying to listen on 20 and 21 for the FTP upload, but I get a long delay and finally a timeout. It was OK before implementing this script. Also HTTP files are coming to my PC more slowly than before, though I am on the LAN and directly connected to the server.
Then I used this one, a little change to the existing...
Code:
# Default deny at the input
iptables -P INPUT DROP
# Default accept at the output
iptables -P OUTPUT ACCEPT
# Allow all output on eth0, whether new or belonging to existing connections
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow input that belongs to established and related connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
But got zero... same thing... and then I simply did this...
Code:
# Flushing all rules, counters and user-defined chains
iptables -F
iptables -t nat -F
iptables -Z
iptables -t nat -Z
iptables -X
# Default accept at the input
iptables -P INPUT ACCEPT
# Default accept at the output
iptables -P OUTPUT ACCEPT
# Allow all input on eth0, whether new or belonging to existing connections
iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow all output on eth0, whether new or belonging to existing connections
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
in the same code. But again, no result... I have restarted the machine but no change... then I used the previous one...
Code:
# Flushing all rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -Z
$IPTABLES -t nat -Z
# System default policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
# My default rules
$IPTABLES -A INPUT -p tcp -m multiport --destination-port 111,135,139,199,445,587,593,4444,6000 -j DROP
$IPTABLES -A INPUT -p udp -m multiport --destination-port 69,135,137,138 -j DROP
But also no change... I can browse HTTP and others, but slowly, and FTP is not working... please help...
Which of all the scripts you posted are you using now?? Also, if you could post your complete active iptables configuration it would be great:
Code:
iptables -nvL -t filter
Code:
iptables -nvL -t mangle
Code:
iptables -nvL -t nat
PS: assuming your policy is set to DROP, appending a LOG rule to the end of your INPUT chain (and your OUTPUT one too, depending) and before any DROP rules will let you see exactly what kind of packets are getting filtered...
Currently I am using this... this is a 755 file on my server which I just executed once, and then the iptables conf file gets generated and takes care of everything.
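An added example, not from the thread, of reading the kernel log lines that such a LOG rule produces and summarising them by log prefix, protocol and destination port, so the packets hitting the DROP policy stand out while a problem is being reproduced. The log lines are constructed samples in the netfilter LOG format (the `kernel:` syslog line with `IN=`, `SRC=`, `PROTO=`, `DPT=` fields); the prefixes "INPUT DROP: ", "INPUT DROP SPOOF: " and "OUTPUT DROP: " are assumed names for the rules' `--log-prefix` values.

```shell
#!/bin/sh
# Added example (not from the thread): summarise netfilter LOG lines by
# prefix, protocol and destination port. SAMPLE_LOG is constructed data.

SAMPLE_LOG='Mar  3 10:15:01 web kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51022 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4243 DF PROTO=TCP SPT=51023 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:09 web kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.44 DST=203.0.113.5 LEN=64 TOS=0x00 PREC=0x00 TTL=60 ID=1 DF PROTO=TCP SPT=40001 DPT=20 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:12 web kernel: INPUT DROP SPOOF: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.9.8.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=1234 DPT=53 LEN=20
Mar  3 10:15:20 web kernel: OUTPUT DROP: IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=35000 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0'

# Reads LOG lines on stdin and prints one "count<TAB>prefix<TAB>proto<TAB>dport"
# line per combination, most frequent first.
summarize_drops() {
    awk '
        {
            # The log prefix is the text between "kernel: " and " IN=".
            p = $0
            sub(/^.*kernel: /, "", p)
            sub(/ IN=.*$/, "", p)
            proto = "-"; dport = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dport = substr($i, 5)
            }
            count[p "\t" proto "\t" dport]++
        }
        END {
            for (k in count) print count[k] "\t" k
        }' | sort -rn
}

# The single busiest prefix/protocol/port combination in the sample.
top_drop() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops | head -n 1
}

# Typical live use on the server: grep the kernel log for the prefixes,
# e.g.  grep 'DROP' /var/log/messages | summarize_drops
top_drop
```

In the sample the top line is the repeated attempt on TCP 3306 from one source, the kind of entry that shows whether a service is being reached by hosts it was never meant for; the single DPT=20 entry is what an FTP data connection looks like when the conntrack helper is not loaded and the DROP policy catches it.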
Code:
#!/bin/bash
# Some variables.. making life a little easier later on
IPTABLES=iptables
PATH="/sbin"
LAN_DEV="eth1"
WAN_DEV="eth0"
WAN_IP="A.A.A.A"
ANY_ADDR="0/0"
echo "Adding modprobes and appending them to the module loading file"
# Load the FTP connection-tracking helper now, and write the modprobe line to a
# file for later reboots (note: nothing runs this file by itself; see below)
/sbin/modprobe ip_conntrack_ftp
echo > /etc/rc.d/init.d/modprobes
echo "# Adding modprobes so they can load later at reboot. These are for the iptables firewall" >> /etc/rc.d/init.d/modprobes
echo "/sbin/modprobe ip_conntrack_ftp" >> /etc/rc.d/init.d/modprobes
echo "#" >> /etc/rc.d/init.d/modprobes
echo "# modprobes added" >> /etc/rc.d/init.d/modprobes
echo "Flushing all existing rules"
# Flushing all rules, counters and user-defined chains
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -X
echo "Default deny at input"
# Default deny at the input
$IPTABLES -P INPUT DROP
echo "Default deny at output"
# Default deny at the output
$IPTABLES -P OUTPUT DROP
echo "Allowing all ESTABLISHED and RELATED connections at the INPUT"
# Allow input that belongs to established and related connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Allowing all ESTABLISHED and RELATED connections at the OUTPUT"
# Allow output that belongs to established and related connections
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Allowing to respond as a DNS server, listening on UDP 53 @ the INPUT"
# Allow DNS query input from others (since it is a DNS server)
$IPTABLES -A INPUT -p UDP -i $WAN_DEV --dport 53 -m state --state NEW -j ACCEPT
echo "Allowing to be a DNS client, querying on UDP 53 @ OUTPUT (other party is listening on 53)"
# Allow the box to query other DNS servers (since it is also a DNS client)
$IPTABLES -A OUTPUT -p UDP -o $WAN_DEV --dport 53 -m state --state NEW -j ACCEPT
echo "Allowing to listen on the ports that provide services"
# Allow specific services to input: http, https, ftp-data, ftp, ssh
$IPTABLES -A INPUT -p TCP -i $WAN_DEV -m multiport --dports 80,443,20,21,22 -m state --state NEW -j ACCEPT
echo "Allowing to query on the ports needed by the local system"
# Allow new outgoing connections from this host: smtp, http, https, ssh
$IPTABLES -A OUTPUT -p TCP -o $WAN_DEV -m multiport --dports 25,80,443,22 -m state --state NEW -j ACCEPT
echo "Allowing others to ping me"
# Allow others to ping the box (echo requests in; the replies are ESTABLISHED)
$IPTABLES -A INPUT -p ICMP -i $WAN_DEV --icmp-type 8 -m state --state NEW -j ACCEPT
echo "Allowing to send ping requests"
# Allow the box to send echo requests (replies to incoming pings are already covered above)
$IPTABLES -A OUTPUT -p ICMP -o $WAN_DEV --icmp-type 8 -m state --state NEW -j ACCEPT
echo "Allowing localhost loopback INPUT"
# Allow loopback input
$IPTABLES -A INPUT -i lo -j ACCEPT
echo "Allowing localhost loopback OUTPUT"
# Allow output to loopback
$IPTABLES -A OUTPUT -o lo -j ACCEPT
echo "Preventing spoofing"
# Drop obviously spoofed packets: private source addresses arriving on the WAN interface
$IPTABLES -A INPUT -i $WAN_DEV -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i $WAN_DEV -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $WAN_DEV -s 172.16.0.0/12 -j DROP
echo "Saving the policies and restarting the service"
# Saving and activating the new rules
service iptables save
service iptables restart
echo "Firewall setup completed"
echo "Your firewall chain policies are: "
echo ""
echo ""
$IPTABLES -L -v
This is my current code. And finally I discovered that adding the modprobe solves the problem more or less. Now, since I am using service iptables save, meaning I am using the conf file from /etc/sysconfig/iptables while rebooting the machine, I need a way to add the modprobe automatically, the way iptables adds the rules. Putting a file with chmod 755 in /etc/init.d and ln -s at rc0.d/KxxZZZZ is producing no output. I want to load the rules the way they basically load at startup, from /etc/sysconfig/iptables via iptables save. But I also need to add the modprobe in such a way that it'll load along with iptables and thus I will not need to type the command after reboot. Any help??
You don't really load any modules from the iptables configuration file... on Red Hat, what you want to use is the /etc/modules.conf file or something along those lines...
OK.. I am not loading the modprobes from iptables, but I want them to load automatically at reboot, like the iptables rules load automatically after the commands iptables save and iptables restart. I checked /etc/modules.conf but I can't understand anything of it...
cat /etc/modules.conf gives me..
alias parport_lowlevel parport_pc
alias eth0 tulip
alias usb-controller ehci-hcd
alias usb-controller1 usb-uhci
So?? All I need is a 755 file that will have the modprobe lines and that will be executed while booting. So they'll automatically load (so far as I think..) help...
Add a line like this to the file:
Code:
add above ip_conntrack ip_conntrack_ftp
Quote:
All I need is a 755 file that will have the modprobe lines and that will be executed while booting. So they'll automatically load (so far as I think..) help...
Well, the modules.conf file is the recommended way to do it, but if you really must do it this way, my money's on an rc.local file...
Quote:
Originally Posted by aq_mishu
Currently I am using this... this is a 755 file on my server which I just executed once, and then the iptables conf file gets generated and takes care of everything.
I've cleaned your script up a little bit... there was some weird stuff in there, but AFAICT nothing which would cause the symptoms you are experiencing... then again, your script might not reflect your active configuration (which is why I asked you for -nvL output too)...
Code:
#!/bin/sh
IPT="/sbin/iptables"
IFACE="eth0"
# Default policies: deny everything in the filter table that is not explicitly
# allowed below; the mangle and nat tables are not used, so they stay at ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
# Flush all rules and delete user-defined chains in every table
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
# Packets belonging to connections already tracked, plus loopback
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# Private source addresses arriving on the WAN interface are spoofed:
# log them (rate limited) and drop, before any NEW connection is accepted
$IPT -A INPUT -i $IFACE -s 192.168.0.0/16 -m limit \
-j LOG --log-prefix "INPUT DROP SPOOF: "
$IPT -A INPUT -i $IFACE -s 192.168.0.0/16 -j DROP
$IPT -A INPUT -i $IFACE -s 172.16.0.0/12 -m limit \
-j LOG --log-prefix "INPUT DROP SPOOF: "
$IPT -A INPUT -i $IFACE -s 172.16.0.0/12 -j DROP
$IPT -A INPUT -i $IFACE -s 10.0.0.0/8 -m limit \
-j LOG --log-prefix "INPUT DROP SPOOF: "
$IPT -A INPUT -i $IFACE -s 10.0.0.0/8 -j DROP
# Services offered: DNS, then FTP control, SSH, HTTP and HTTPS, then
# unfragmented echo requests. No port 20 rule: the FTP conntrack helper
# classifies the data connections as RELATED
$IPT -A INPUT -p UDP -i $IFACE --dport 53 \
-m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i $IFACE -m multiport --dports 21,22,80,443 \
-m state --state NEW -j ACCEPT
$IPT -A INPUT -p ICMP -i $IFACE --icmp-type 8 ! --fragment \
-m state --state NEW -j ACCEPT
# Anything else reaching the end of INPUT is logged before the DROP policy applies
$IPT -A INPUT -m limit -j LOG --log-prefix "INPUT DROP: "
# Outbound: tracked connections, loopback, and new connections to ssh, smtp, http, https
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -p TCP -o $IFACE -m multiport --dports 22,25,80,443 \
-m state --state NEW -j ACCEPT
# Anything else leaving the box is logged before the DROP policy applies
$IPT -A OUTPUT -m limit -j LOG --log-prefix "OUTPUT DROP: "
echo "Firewall setup completed! Your iptables configuration is:"
echo ""
echo ""
$IPT -nvL
NOTES: having "service iptables" commands in your iptables script is not a good idea... your iptables script should get run by you manually, and you shouldn't do a "service iptables save" until *you* are completely satisfied with the active configuration... also, the port 20 rule isn't needed, due to the conntrack FTP module... this script will log anything it filters, so you should be able to see what gets sent to DROP right while the problem occurs with a:
Code:
add above ip_conntrack ip_conntrack_ftp
alias parport_lowlevel parport_pc
alias eth0 tulip
alias usb-controller ehci-hcd
alias usb-controller1 usb-uhci
or
Code:
ip_conntrack ip_conntrack_ftp
alias parport_lowlevel parport_pc
alias eth0 tulip
alias usb-controller ehci-hcd
alias usb-controller1 usb-uhci
Giving you the iptables -nvL output....
Code:
iptables -nvL
Chain INPUT (policy DROP 76 packets, 28994 bytes)
pkts bytes target prot opt in out source destination
661K 27M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 568 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
66 3248 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 80,443,20,21,22
1931 116K ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
7 502 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- eth0 * 192.168.0.0/16 0.0.0.0/0
0 0 DROP all -- eth0 * 10.0.0.0/8 0.0.0.0/0
0 0 DROP all -- eth0 * 172.16.0.0/12 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 10 packets, 605 bytes)
pkts bytes target prot opt in out source destination
1128K 1685M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
55 4147 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 25,80,443,22
0 0 ACCEPT icmp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
7 502 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
Well, guys, thanks a LOT for the kind help. So far it's working fine. I mean up to now, it is OK. Now the rest of the things have to be done by me, like remembering what I have done where... (My memory is poor... I can't remember a lot.) But up to now, it is working fine. Thanks win32sux, I have added the line that you have written. Well, if I did it wrong, then you may suggest otherwise. And also any suggestion from any part of the world is always welcome. The modules.conf is:
add above ip_conntrack ip_conntrack_ftp
alias parport_lowlevel parport_pc
alias eth0 tulip
alias usb-controller ehci-hcd
alias usb-controller1 usb-uhci
and it is now working... I have rebooted my box and tested... so far, so good.