Your message dated Sat, 19 Aug 2006 16:13:04 -0400
with message-id <[EMAIL PROTECTED]>
and subject line iptables bts cleanup
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: iptables
Version: v1.2.11
Severity: grave

After some uptime the MAC addresses of my iptables filter are changing. I am using Debian GNU/Linux 3.1, kernel 2.4.27-2-k7.

I am using my own iptables script which is started on startup. The script is defined as follows:

debian:/home/hgsch# cat /etc/init.d/filter_masq
#! /bin/sh
# PacketFilterScript

case "$1" in
   start)
       echo -n "Turning on packet filtering:"
       echo 1 > /proc/sys/net/ipv4/ip_forward
       echo "."
       iptables -X
       iptables -F
       iptables -t nat -F

# POLICY START
       iptables -P INPUT DROP
       iptables -P FORWARD DROP
       iptables -P OUTPUT DROP
# POLICY STOP

# RULES START
#-------INPUT------------------------------------------------------------
       iptables -A INPUT -s 127.0.0.1/8 -p icmp -j ACCEPT
       iptables -A INPUT -s 127.0.0.1/8 -p tcp --dport 53:3306 -j ACCEPT # domain:mysql
       iptables -A INPUT -s 127.0.0.1/8 -p udp --dport 53:3306 -j ACCEPT # domain:mysql

       iptables -A INPUT -s 192.168.0.0/24 -p icmp -j ACCEPT
       iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 53:2049 -j ACCEPT # domain:nfs
       iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 53:2049 -j ACCEPT # domain:nfs

       iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p tcp --dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) shodan.localnet
       iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p udp --dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) shodan.localnet
       iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p tcp --dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) osiris.localnet
       iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p udp --dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) osiris.localnet
       iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p tcp --dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) hhosch.localnet
       iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p udp --dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) hhosch.localnet
       iptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p tcp --dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) finn-power
       iptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p udp --dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) finn-power

       iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT # ftp-data:ftp
       iptables -A INPUT -p tcp --dport 22 -j ACCEPT # ssh
       iptables -A INPUT -p udp --dport 22 -j ACCEPT # ssh
       iptables -A INPUT -p tcp --dport 53 -j ACCEPT # domain
       iptables -A INPUT -p udp --dport 53 -j ACCEPT # domain
       iptables -A INPUT -p tcp --dport 80 -j ACCEPT # http
       iptables -A INPUT -p udp --dport 80 -j ACCEPT # http
       iptables -A INPUT -p tcp --dport 123 -j ACCEPT # ntp
       iptables -A INPUT -p udp --dport 123 -j ACCEPT # ntp
       iptables -A INPUT -p tcp --dport 443 -j ACCEPT # https
       iptables -A INPUT -p udp --dport 443 -j ACCEPT # https
       iptables -A INPUT -p tcp --dport 3306 -j ACCEPT # mysql
       iptables -A INPUT -p udp --dport 3306 -j ACCEPT # mysql
       iptables -A INPUT -p tcp --dport 32768:65535 -j ACCEPT # 32768:65535
       iptables -A INPUT -p udp --dport 32768:65535 -j ACCEPT # 32768:65535

#-------FORWARD----------------------------------------------------------
       iptables -A FORWARD -d 192.168.0.0/24 -j ACCEPT
       iptables -A FORWARD -m mac --mac-source 00:20:ED:39:91:E7 -j ACCEPT # shodan.localnet
       iptables -A FORWARD -m mac --mac-source 00:12:3F:D6:89:8A -j ACCEPT # osiris.localnet
       iptables -A FORWARD -m mac --mac-source 00:13:D3:FD:20:FA -j ACCEPT # hhosch.localnet
       iptables -A FORWARD -m mac --mac-source 00:14:38:00:AB:A6 -j ACCEPT # finn-power

#-------OUTPUT-----------------------------------------------------------
       iptables -A OUTPUT -d 127.0.0.1/8 -p icmp -j ACCEPT
       iptables -A OUTPUT -d 127.0.0.1/8 -p tcp --sport 53:3306 -j ACCEPT # domain:mysql
       iptables -A OUTPUT -d 127.0.0.1/8 -p udp --sport 53:3306 -j ACCEPT # domain:mysql

       iptables -A OUTPUT -d 192.168.0.0/24 -p icmp -j ACCEPT
       iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --sport 53:2049 -j ACCEPT # domain:nfs
       iptables -A OUTPUT -d 192.168.0.0/24 -p udp --sport 53:2049 -j ACCEPT # domain:nfs
       iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --sport 3128:3130 -j ACCEPT # 3128:icpv2 (squid)
       iptables -A OUTPUT -d 192.168.0.0/24 -p udp --sport 3128:3130 -j ACCEPT # 3128:icpv2 (squid)

       iptables -A OUTPUT -p tcp --sport 20:21 -j ACCEPT # ftp-data:ftp
       iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT # ssh
       iptables -A OUTPUT -p udp --sport 22 -j ACCEPT # ssh
       iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT # domain
       iptables -A OUTPUT -p udp --sport 53 -j ACCEPT # domain
       iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT # http
       iptables -A OUTPUT -p udp --sport 80 -j ACCEPT # http
       iptables -A OUTPUT -p tcp --sport 123 -j ACCEPT # ntp
       iptables -A OUTPUT -p udp --sport 123 -j ACCEPT # ntp
       iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT # https
       iptables -A OUTPUT -p udp --sport 443 -j ACCEPT # https
       iptables -A OUTPUT -p tcp --sport 3306 -j ACCEPT # mysql
       iptables -A OUTPUT -p udp --sport 3306 -j ACCEPT # mysql
       iptables -A OUTPUT -p tcp --sport 32768:65535 -j ACCEPT # 32768:65535
       iptables -A OUTPUT -p udp --sport 32768:65535 -j ACCEPT # 32768:65535

#-------nat--------------------------------------------------------------
       iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 --dport 80 -j REDIRECT --to 3128
       iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 --dport 443 -j REDIRECT --to 3128
       iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 --dport 8080 -j REDIRECT --to 3128

       iptables -t nat -A POSTROUTING -p icmp -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
       iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/24 --dport 20:123 -o ppp0 -j MASQUERADE
       iptables -t nat -A POSTROUTING -p udp -s 192.168.0.0/24 --dport 22:123 -o ppp0 -j MASQUERADE
       iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/24 --dport 995:65535 -o ppp0 -j MASQUERADE
       iptables -t nat -A POSTROUTING -p udp -s 192.168.0.0/24 --dport 995:65535 -o ppp0 -j MASQUERADE
# RULES STOP

       ;;
   stop)
       echo -n "Turning off packet filtering:"
       echo 0 > /proc/sys/net/ipv4/ip_forward
       iptables -X
       iptables -F
       iptables -P INPUT ACCEPT
       iptables -P FORWARD ACCEPT
       iptables -P OUTPUT ACCEPT
       iptables -t nat -F
       echo "."
       ;;
   *)
       echo "Usage: { start | stop }"
       exit 1
       ;;
esac

exit 0


The rules after startup are the following:

debian:/home/hgsch# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  127.0.0.0/8          anywhere
ACCEPT     tcp  --  127.0.0.0/8          anywhere            tcp dpts:domain:mysql
ACCEPT     udp  --  127.0.0.0/8          anywhere            udp dpts:domain:mysql
ACCEPT     icmp --  localnet/24          anywhere
ACCEPT     tcp  --  localnet/24          anywhere            tcp dpts:domain:2049
ACCEPT     udp  --  localnet/24          anywhere            udp dpts:domain:2049
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:20:ED:39:91:E7 tcp dpts:3128:icpv2
ACCEPT     udp  --  anywhere             anywhere            MAC 00:20:ED:39:91:E7 udp dpts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:05:5D:F5:E8:FF tcp dpts:3128:icpv2
ACCEPT     udp  --  anywhere             anywhere            MAC 00:05:5D:F5:E8:FF udp dpts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:05:5D:F6:10:BD tcp dpts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:05:5D:F6:10:BD tcp dpts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:ftp-data:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     udp  --  anywhere             anywhere            udp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere            udp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
ACCEPT     udp  --  anywhere             anywhere            udp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:32768:65535
ACCEPT     udp  --  anywhere             anywhere            udp dpts:32768:65535

Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             localnet/24
ACCEPT     all  --  anywhere             anywhere            MAC 00:20:ED:39:91:E7
ACCEPT     all  --  anywhere             anywhere            MAC 00:05:5D:F5:E8:FF
ACCEPT     all  --  anywhere             anywhere            MAC 00:05:5D:F6:10:BD
ACCEPT     all  --  anywhere             anywhere            MAC 00:12:3F:D6:89:8A
ACCEPT     all  --  anywhere             anywhere            MAC 00:14:38:00:AB:A6

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             127.0.0.0/8
ACCEPT     tcp  --  anywhere             127.0.0.0/8         tcp spts:domain:mysql
ACCEPT     udp  --  anywhere             127.0.0.0/8         udp spts:domain:mysql
ACCEPT     icmp --  anywhere             localnet/24
ACCEPT     tcp  --  anywhere             localnet/24         tcp spts:domain:2049
ACCEPT     udp  --  anywhere             localnet/24         udp spts:domain:2049
ACCEPT     tcp  --  anywhere             localnet/24         tcp spts:3128:icpv2
ACCEPT     udp  --  anywhere             localnet/24         udp spts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:ftp-data:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www
ACCEPT     udp  --  anywhere             anywhere            udp spt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ntp
ACCEPT     udp  --  anywhere             anywhere            udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https
ACCEPT     udp  --  anywhere             anywhere            udp spt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql
ACCEPT     udp  --  anywhere             anywhere            udp spt:mysql
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:32768:65535
ACCEPT     udp  --  anywhere             anywhere            udp spts:32768:65535


But after some uptime the MAC addresses of the iptables filter are changing and the computers are unable to access the proxy server:

debian:/home/hgsch# /etc/init.d/filter_masq start
Turning on packet filtering:.
debian:/home/hgsch# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  127.0.0.0/8          anywhere
ACCEPT     tcp  --  127.0.0.0/8          anywhere            tcp dpts:domain:mysql
ACCEPT     udp  --  127.0.0.0/8          anywhere            udp dpts:domain:mysql
ACCEPT     icmp --  localnet/24          anywhere
ACCEPT     tcp  --  localnet/24          anywhere            tcp dpts:domain:2049
ACCEPT     udp  --  localnet/24          anywhere            udp dpts:domain:2049
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:20:ED:39:91:E7 tcp dpts:3128:icpv2
ACCEPT     udp  --  anywhere             anywhere            MAC 00:20:ED:39:91:E7 udp dpts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT     udp  --  anywhere             anywhere            MAC 00:12:3F:D6:89:8A udp dpts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:13:D3:FD:20:FA tcp dpts:3128:icpv2
ACCEPT     udp  --  anywhere             anywhere            MAC 00:13:D3:FD:20:FA udp dpts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2
ACCEPT     udp  --  anywhere             anywhere            MAC 00:14:38:00:AB:A6 udp dpts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:ftp-data:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     udp  --  anywhere             anywhere            udp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere            udp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
ACCEPT     udp  --  anywhere             anywhere            udp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:32768:65535
ACCEPT     udp  --  anywhere             anywhere            udp dpts:32768:65535

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             localnet/24
ACCEPT     all  --  anywhere             anywhere            MAC 00:20:ED:39:91:E7
ACCEPT     all  --  anywhere             anywhere            MAC 00:12:3F:D6:89:8A
ACCEPT     all  --  anywhere             anywhere            MAC 00:13:D3:FD:20:FA
ACCEPT     all  --  anywhere             anywhere            MAC 00:14:38:00:AB:A6

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             127.0.0.0/8
ACCEPT     tcp  --  anywhere             127.0.0.0/8         tcp spts:domain:mysql
ACCEPT     udp  --  anywhere             127.0.0.0/8         udp spts:domain:mysql
ACCEPT     icmp --  anywhere             localnet/24
ACCEPT     tcp  --  anywhere             localnet/24         tcp spts:domain:2049
ACCEPT     udp  --  anywhere             localnet/24         udp spts:domain:2049
ACCEPT     tcp  --  anywhere             localnet/24         tcp spts:3128:icpv2
ACCEPT     udp  --  anywhere             localnet/24         udp spts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:ftp-data:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www
ACCEPT     udp  --  anywhere             anywhere            udp spt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ntp
ACCEPT     udp  --  anywhere             anywhere            udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https
ACCEPT     udp  --  anywhere             anywhere            udp spt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql
ACCEPT     udp  --  anywhere             anywhere            udp spt:mysql
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:32768:65535
ACCEPT     udp  --  anywhere             anywhere            udp spts:32768:65535
debian:/home/hgsch#


--- End Message ---
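The report above hinges on whether the loaded ruleset still carries the MAC addresses that filter_masq installs; the first listing shows addresses (00:05:5D:F5:E8:FF, 00:05:5D:F6:10:BD) and a TCPMSS rule that the script never creates. The following drift check is an added example, not code from the bug report or the iptables package: it reads an iptables-save style dump, collects every --mac-source, and reports addresses missing from or foreign to the script's list. The dump is constructed to mirror the report; the expected MAC list is the one from the script.

```shell
#!/bin/sh
# Drift check for MAC-based iptables rules (added example, not from the bug report).
# It lists every --mac-source in an iptables-save dump and reports addresses the
# firewall script never installs, or that have gone missing from the ruleset.

# MACs that /etc/init.d/filter_masq installs (taken from the bug report).
EXPECTED_MACS="00:20:ED:39:91:E7 00:12:3F:D6:89:8A 00:13:D3:FD:20:FA 00:14:38:00:AB:A6"

# Constructed iptables-save style dump standing in for live output: it carries
# two addresses the script never mentions and lacks one that the script has.
SAMPLE_DUMP='*filter
-A INPUT -p tcp -m mac --mac-source 00:20:ED:39:91:E7 -m tcp --dport 3128:3130 -j ACCEPT
-A INPUT -p tcp -m mac --mac-source 00:05:5D:F5:E8:FF -m tcp --dport 3128:3130 -j ACCEPT
-A FORWARD -m mac --mac-source 00:05:5D:F6:10:BD -j ACCEPT
-A FORWARD -m mac --mac-source 00:12:3F:D6:89:8A -j ACCEPT
-A FORWARD -m mac --mac-source 00:14:38:00:AB:A6 -j ACCEPT
COMMIT'

# Unique, upper-cased MAC addresses referenced by --mac-source in a dump.
loaded_macs() {
    printf '%s\n' "$1" | sed -n 's/.*--mac-source \([0-9A-Fa-f:]*\).*/\1/p' \
        | tr 'a-f' 'A-F' | sort -u
}

# Expected MACs that the dump does not reference, one per line.
missing_macs() {
    for m in $EXPECTED_MACS; do
        printf '%s\n' "$1" | grep -qi -- "--mac-source $m" || printf '%s\n' "$m"
    done
}

# MACs referenced by the dump that the script never installs, one per line.
unexpected_macs() {
    for m in $(loaded_macs "$1"); do
        case " $EXPECTED_MACS " in
            *" $m "*) ;;
            *) printf '%s\n' "$m" ;;
        esac
    done
}

# Exit 0 when the loaded MAC set equals the script's, 1 when it has drifted.
check_drift() {
    miss=$(missing_macs "$1"); extra=$(unexpected_macs "$1")
    [ -n "$miss" ] && printf '%s\n' "$miss" | sed 's/^/missing from ruleset: /'
    [ -n "$extra" ] && printf '%s\n' "$extra" | sed 's/^/not in script: /'
    [ -z "$miss$extra" ]
}

check_drift "$SAMPLE_DUMP" || echo "ruleset has drifted from filter_masq"
```

Against a live box the same check is `check_drift "$(iptables-save)"`; run from cron, a non-zero exit is the signal that something other than the init script has rewritten the rules, which is the first thing to establish before blaming the iptables package.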
--- Begin Message ---
276043 iptables: at least warn of leftover junk
317379 iptables: please provide initscript for reloading firewall rules at boot
360448 iptables: eats MAC addresses

Cleaning up stuff that will not be fixed or is just unfathomable. Sorry.

--- End Message ---
