OK, here is version 2. I had "an excellent adventure" along the way.
* At the very last line (COMMIT), iptables-restore said it failed, but
no clue whatsoever as to why.
* I copied the rules file to a scratch-file, and converted it to a bash
script that called iptables each time.
* This method showed errors when using "-m multiport"
* "multiport" is apparently not part of the core of iptables. It's an
extra kernel option that has to be invoked explicity.
* cd /usr/src/linux
make menuconfig
[*] Networking support --->
Networking options --->
[*] Network packet filtering framework (Netfilter) --->
Here's where it gets tricky. You *MUST* first enable...
[*] Advanced netfilter configuration
...and then go into...
Core Netfilter Configuration --->
...and select...
<*> "multiport" Multiple port match support
Rebuild kernel and reboot. Now for the iptables rules, version 2
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BAD_DPORT - [0:0]
:BAD_SPORT - [0:0]
:DROP_LOG - [0:0]
:FECESBOOK - [0:0]
:ICMP_IN - [0:0]
:ICMP_OUT - [0:0]
:PRIVATE_LOG - [0:0]
:UNSOLICITED - [0:0]
[0:0] -A BAD_DPORT -j LOG --log-prefix "BAD_DPORT:" --log-level 6
[0:0] -A BAD_DPORT -j DROP
[0:0] -A BAD_SPORT -j LOG --log-prefix "BAD_SPORT:" --log-level 6
[0:0] -A BAD_SPORT -j DROP
[0:0] -A DROP_LOG -j LOG --log-level 6
[0:0] -A DROP_LOG -j DROP
[0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
[0:0] -A FECESBOOK -j DROP
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 4 -j ACCEPT
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 12 -j ACCEPT
[0:0] -A ICMP_IN -j LOG --log-prefix "IN_BAD_ICMP:" --log-level 6
[0:0] -A ICMP_IN -j DROP
[0:0] -A ICMP_OUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ICMP_OUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A ICMP_OUT -p icmp -m icmp --icmp-type 30 -j ACCEPT
[0:0] -A ICMP_OUT -j LOG --log-prefix "OUT_BAD_ICMP:" --log-level 6
[0:0] -A ICMP_OUT -j DROP
[0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
[0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
[0:0] -A INPUT -p tcp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT
[0:0] -A INPUT -p udp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT
[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
[0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
[0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
[0:0] -A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG
[0:0] -A INPUT -s 127.0.0.0/8 -j PRIVATE_LOG
[0:0] -A INPUT -s 172.16.0.0/12 -j PRIVATE_LOG
[0:0] -A INPUT -s 192.168.0.0/16 -j PRIVATE_LOG
[0:0] -A INPUT -p icmp -j ICMP_IN
[0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[0:0] -A OUTPUT -d 192.168.123.248/29 -o eth0 -j ACCEPT
[0:0] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -p tcp -m multiport --sports 0:1023,6000:6063 -j BAD_SPORT
[0:0] -A OUTPUT -p udp -m multiport --sports 0:1023,6000:6063 -j BAD_SPORT
[0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
[0:0] -A OUTPUT -d 69.220.144.0/20 -j FECESBOOK
[0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
[0:0] -A OUTPUT -d 69.171.224.0/19 -j FECESBOOK
[0:0] -A OUTPUT -d 200.58.112.0/20 -j FECESBOOK
[0:0] -A OUTPUT -d 213.155.64.0/19 -j FECESBOOK
[0:0] -A PRIVATE_LOG -j LOG --log-prefix "IN_BAD_ADDR:" --log-level 6
[0:0] -A PRIVATE_LOG -j DROP
[0:0] -A UNSOLICITED -j LOG --log-prefix "UNSOLICITED:" --log-level 6
[0:0] -A UNSOLICITED -j DROP
COMMIT
--
Walter Dnes <waltd...@waltdnes.org>
I don't run "desktop environments"; I run useful applications
