On Wednesday 13 August 2003 06:55 am, t_gecks wrote:
> Jack Coates wrote:
> > If you want a firewall, urpmi shorewall or look at gshield or something
> > else to do this stuff for you.
> >
> > If you want to learn netfilter & iptables, I can highly recommend
> > "Policy Routing Using Linux" by Matthew Marsh, see Amazon or similar.
> >
> > You probably have something else matching above those rules which is
> > stopping them from processing.
>
> To check exactly this an iptables -L -n -v on the command line perhaps
> can help, one of the first columns shows if the rule fired and how many
> bytes were affected.

These are all my rules:

echo "setting INPUT rules ..."
# Accept any packet belonging to a connection conntrack already knows about
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept TCP arriving on the external interface when the packet is not a bare SYN
# (listed by 'iptables -L -n -v' as "tcp flags:!0x16/0x02")
$IPTABLES -A INPUT -i $EXT_IF -p tcp ! --syn -j ACCEPT

echo "setting FORWARD rules ..."
# Per-port DROPs; no interface given, so they match traffic in either direction
$IPTABLES -A FORWARD -p udp --dport 137 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 137 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 135 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 4444 -j DROP
$IPTABLES -A FORWARD -p tcp --sport 4444 -j DROP
$IPTABLES -A FORWARD -p udp --sport 631 -j DROP
$IPTABLES -A FORWARD -p tcp --sport 631 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 901 -j DROP
$IPTABLES -A FORWARD -p tcp --sport 901 -j DROP
$IPTABLES -A FORWARD -p tcp --sport 6346 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 6346 -j DROP
$IPTABLES -A FORWARD -p tcp --sport 6350 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 6350 -j DROP
$IPTABLES -A FORWARD -p tcp --sport 1213:1214 -j DROP
$IPTABLES -A FORWARD -p udp --sport 1213:1214 -j DROP
$IPTABLES -A FORWARD -p udp --sport 1542 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 3470:3476 -j DROP
$IPTABLES -A FORWARD -p tcp --dport 1433:1434 -j DROP
# Anything not dropped above is forwarded, whichever interface it came in on
$IPTABLES -A FORWARD -i $EXT_IF -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

echo "setting NAT ..."
# Masquerade everything leaving through the PPP link
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Here's the output of 'iptables -L -n -v':

Chain INPUT (policy ACCEPT 1613 packets, 96669 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2891  258K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x16/0x02

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:137
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:135
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4444
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:4444
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:631
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:631
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:901
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:901
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:6346
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6346
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:6350
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6350
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spts:1213:1214
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spts:1213:1214
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:1542
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:3470:3476
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1433:1434
    0     0 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4485 packets, 427K bytes)

This would seem to imply that none of the FORWARD rules had any hits.  Neither 
has the INPUT rule to block SYN packets.  If I understand this correctly 
though, the first INPUT rule should not allow any incoming packet unless the 
connection was established from inside.

What puzzles me is that things like the SYN packets and NBNS requests cause a 
response from my gateway machine, like an ACK or a DNS lookup on the 
requesting IP.  While these packets are apparently not being forwarded to my 
local network, the activity on the PPP connection keeps the connection open 
when I'm not using it and causes me some concern about its vulnerability.

-- 
Thomas K. Gamble
[EMAIL PROTECTED]
Registered Linux User #270415
The fear of the Lord leads to life,
and he who has it shall abide in satisfaction;
he will not be visited with evil.
(Proverbs 19:23)

 09:17:54 up 3 days, 23:32,  5 users,  load average: 0.00, 0.20, 0.44
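The counter check suggested earlier in the thread can be automated. The script below is an added example, not code from anyone in the thread: it parses the output of 'iptables -L -n -v' (the same column layout shown above), converts the K/M/G counter suffixes, and reports per chain which rules have never matched, which rules are unreachable because an earlier catch-all ACCEPT on the same interface swallows their traffic, and whether the chain contains anything at all that can block (a DROP or REJECT target, or a DROP/REJECT policy). The sample listing is constructed from the one posted, with one extra DROP rule appended after the per-interface ACCEPTs to show the shadowing case; ppp0 and eth0 are the interface names from the listing.

```python
"""Audit an `iptables -L -n -v` listing for rules that cannot fire.

Added example, not part of the original mailing-list post.  Rule numbers in
the report are 1-based, matching `iptables -L --line-numbers` and `iptables -D`.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the listing in the thread (wrapped lines
# rejoined).  The last FORWARD rule is added here to demonstrate shadowing.
SAMPLE = """\
Chain INPUT (policy ACCEPT 1613 packets, 96669 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2891  258K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x16/0x02

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:135
    0     0 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1434

Chain OUTPUT (policy ACCEPT 4485 packets, 427K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\S+) packets, (\S+) bytes|(\d+) references)\)"
)
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}  # iptables abbreviates counters
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    prot: str
    opt: str
    inif: str
    outif: str
    src: str
    dst: str
    match: str  # trailing match text, e.g. "tcp dpt:137"; "" if none


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # None for user-defined chains ("N references")
    rules: list = field(default_factory=list)


def parse_count(tok: str) -> int:
    """Convert a counter token such as '258K' to an integer."""
    if tok[-1] in SUFFIX:
        return int(tok[:-1]) * SUFFIX[tok[-1]]
    return int(tok)


def parse_listing(text: str) -> list[Chain]:
    chains: list[Chain] = []
    cur: Optional[Chain] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CHAIN_RE.match(line)
        if m:
            cur = Chain(m.group(1), m.group(2))
            chains.append(cur)
            continue
        if line.lstrip().startswith("pkts"):
            continue  # column header
        if cur is None:
            raise ValueError(f"rule before any chain header: {line!r}")
        cols = line.split(None, 9)  # first 9 fixed columns, rest is match text
        if len(cols) < 9:
            raise ValueError(f"unparseable rule line: {line!r}")
        match = cols[9].strip() if len(cols) > 9 else ""
        cur.rules.append(Rule(parse_count(cols[0]), parse_count(cols[1]), *cols[2:9], match))
    return chains


def shadows(earlier: Rule, later: Rule) -> bool:
    """True if `earlier` is a terminating catch-all for every packet `later` could see.

    Deliberately conservative: only protocol 'all', any source/destination,
    no extra match, and an interface that is '*' or identical to `later`'s.
    """
    if earlier.target not in TERMINATING or earlier.match or earlier.prot != "all":
        return False
    if earlier.src != "0.0.0.0/0" or earlier.dst != "0.0.0.0/0":
        return False
    iface_covers = lambda e, l: e == "*" or e == l
    return iface_covers(earlier.inif, later.inif) and iface_covers(earlier.outif, later.outif)


def audit(chains: list[Chain]) -> dict:
    """Per-chain findings.  Note: zero counters only mean 'no hits since the
    last flush or counter reset', not 'never matched'."""
    report = {}
    for ch in chains:
        zero_hit = [i + 1 for i, r in enumerate(ch.rules) if r.pkts == 0]
        shadowed = [i + 1 for i, r in enumerate(ch.rules) if any(shadows(e, r) for e in ch.rules[:i])]
        can_block = ch.policy in ("DROP", "REJECT") or any(r.target in ("DROP", "REJECT") for r in ch.rules)
        report[ch.name] = {"policy": ch.policy, "zero_hit": zero_hit,
                           "shadowed": shadowed, "can_block": can_block}
    return report


if __name__ == "__main__":
    for name, f in audit(parse_listing(SAMPLE)).items():
        print(f"{name}: policy={f['policy']} can_block={f['can_block']} "
              f"zero_hit={f['zero_hit']} shadowed={f['shadowed']}")
```

Feed it real output with `iptables -L -n -v | python3 audit.py` after swapping SAMPLE for `sys.stdin.read()`; a chain reported with `can_block=False` and policy ACCEPT admits every packet regardless of what its rules count.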



Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com