Find the answer to your Linux question:
Results 1 to 7 of 7
I understand this to be a relatively 'common' topic. However, all of the forums that I've seen are unique to that specific setup.. I am probably wrong, but I really ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Dec 2010
    Location
    Georgia
    Posts
    4

    pptp, iptables


    I understand this to be a relatively 'common' topic. However, all of the forums that I've seen are unique to that specific setup.. I am probably wrong, but I really need help with this..

    Now, what I'm thinking is happening is iptables is restricting the new network, and if it is, I'm not sure how to add..

    I'm relatively (Brand) new to PPTP (in any form) I was actually pretty surprised I got it to work

    So, if anybody could run me through this with proper routing and corrections to IPTABLES, I'd be thankful..






    Here's my setup:
    Slackware 13.1

    External IFace = eth0 / DHCP (assigned from comcast)

    Internal IFace = eth1 / 192.168.0.0/24

    pptp Iface = inet addr:192.168.10.7 P-t-P:192.168.10.1 Mask:255.255.255.255

    ppp0 Link encap:Point-to-Point Protocol
    inet addr:192.168.10.7 P-t-P:192.168.10.1 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1496 Metric:1
    RX packets:5 errors:0 dropped:0 overruns:0 frame:0
    TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:3
    RX bytes:62 (62.0 B) TX bytes:68 (68.0 B)


    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    85.17.121.209 68.51.184.1 255.255.255.255 UGH 0 0 0 eth0
    192.168.10.1 * 255.255.255.255 UH 0 0 0 ppp0
    192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
    68.51.184.0 * 255.255.252.0 U 0 0 0 eth0
    loopback * 255.0.0.0 U 0 0 0 lo
    default 68.51.184.1 0.0.0.0 UG 0 0 0 eth0





    My IP-UP script for PPTP:

    #!/bin/bash
    ip route del 80.82.65.246 dev ppp0 src 68.51.186.50
    ip route add 80.82.65.246 via 68.51.184.1 dev eth0 src 68.51.186.50
    ip route replace default dev ppp0


    and IP-Tables:
    SYSCTL="/sbin/sysctl -w"

    IPT="/usr/sbin/iptables"
    IPTS="/usr/sbin/iptables-save"
    IPTR="/usr/sbin/iptables-restore"

    INET_IFACE="eth0"

    LOCAL_IFACE="eth1"
    LOCAL_IP="192.168.0.1"
    LOCAL_NET="192.168.0.0/24"
    LOCAL_BCAST="192.168.0.255"

    LO_IFACE="lo"
    LO_IP="127.0.0.1"

    if [ "$1" = "save" ]
    then
    echo -n "Saving firewall to /etc/sysconfig/iptables ... "
    $IPTS > /etc/sysconfig/iptables
    echo "done"
    exit 0
    elif [ "$1" = "restore" ]
    then
    echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
    $IPTR < /etc/sysconfig/iptables
    echo "done"
    exit 0
    fi


    echo "Loading kernel modules ..."

    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe iptable_filter
    /sbin/modprobe iptable_mangle
    /sbin/modprobe iptable_nat
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_owner
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_conntrack_irc


    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
    echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses



    echo "Flushing Tables ..."

    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -t nat -P PREROUTING ACCEPT
    $IPT -t nat -P POSTROUTING ACCEPT
    $IPT -t nat -P OUTPUT ACCEPT
    $IPT -t mangle -P PREROUTING ACCEPT
    $IPT -t mangle -P OUTPUT ACCEPT

    $IPT -F
    $IPT -t nat -F
    $IPT -t mangle -F

    $IPT -X
    $IPT -t nat -X
    $IPT -t mangle -X

    if [ "$1" = "stop" ]
    then
    echo "Firewall completely flushed! Now running with no firewall."
    exit 0
    fi




    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP






    iptables -A INPUT -s 192.168.10.0/24 -j ACCEPT
    iptables -A OUTPUT -s 192.168.10.0/24 -j ACCEPT
    iptables -A INPUT -d 192.168.10.0/24 -j ACCEPT
    iptables -A OUTPUT -d 192.168.10.0/24 -j ACCEPT

    iptables -t nat -N DNAT_PROXY

    iptables -t nat -A DNAT_PROXY -p tcp -j REDIRECT --to-ports 3128
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT_PROXY


    echo "Adding custom blocklist to filter"
    /etc/IPSblock




    echo "Create and populate custom rule chains ..."


    $IPT -N bad_packets


    $IPT -N bad_tcp_packets


    $IPT -N icmp_packets
    $IPT -N udp_inbound

    $IPT -N udp_outbound

    $IPT -N tcp_inbound

    $IPT -N tcp_outbound






    $IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG \
    --log-level 4 --log-prefix "Illegal source: "

    $IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP

    $IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-level 4 --log-prefix "Unknown packet: "

    $IPT -A bad_packets -p ALL -m state --state INVALID -j DROP


    $IPT -A bad_packets -p tcp -j bad_tcp_packets

    $IPT -A bad_packets -p ALL -j RETURN


    $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN




    $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-level 4 --log-prefix "New not syn: "
    $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
    --log-level 4 --log-prefix "Stealth scan: "
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP

    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
    --log-level 4 --log-prefix "Stealth scan: "
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP

    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
    --log-level 4 --log-prefix "Stealth scan: "
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
    --log-level 4 --log-prefix "Stealth scan: "
    $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

    $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
    --log-level 4 --log-prefix "Stealth scan: "
    $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
    --log-level 4 --log-prefix "Stealth scan: "
    $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    $IPT -A bad_tcp_packets -p tcp -j RETURN


    $IPT -A icmp_packets --fragment -p ICMP -j LOG \
    --log-level 4 --log-prefix "ICMP Fragment: "
    $IPT -A icmp_packets --fragment -p ICMP -j DROP


    $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

    $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

    $IPT -A icmp_packets -p ICMP -j RETURN






    $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
    $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
    $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 139 -j DROP
    $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 445 -j DROP



    $IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 \
    -j ACCEPT

    $IPT -A udp_inbound -p UDP -j RETURN


    $IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT




    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j DROP
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j DROP
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j DROP
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 758 -j DROP
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 1935 -j DROP
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 53 -j DROP
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 8000 -j ACCEPT
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j DROP

    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 137 -j DROP
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 138 -j DROP
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 139 -j DROP
    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 445 -j DROP



    $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

    iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -m \
    recent --set --name SSH
    iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -m \
    recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

    $IPT -A tcp_inbound -p TCP -j RETURN



    $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT


    echo "Process INPUT chain ..."

    $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

    $IPT -A INPUT -p ALL -j bad_packets

    $IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP

    $IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
    $IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT



    $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
    -j ACCEPT

    $IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
    $IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
    $IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

    $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

    $IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level 4 --log-prefix "INPUT packet died: "



    echo "Process FORWARD chain ..."


    $IPT -A FORWARD -p ALL -j bad_packets

    $IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound

    $IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

    $IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT

    $IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
    -j ACCEPT

    $IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level 4 --log-prefix "FORWARD packet died: "


    echo "Process OUTPUT chain ..."

    # Generally trust the firewall on output

    $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

    $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
    $IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

    $IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
    $IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT

    $IPT -A OUTPUT -p ALL -o eth0 -j ACCEPT

    $IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level 4 --log-prefix "OUTPUT packet died: "



    echo "Load rules for nat table ..."





    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE



    echo "Load rules for mangle table ..."
    Last edited by amnes1a; 12-28-2010 at 08:03 PM.

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    ppp0 is an interface. Do you have a firewall rule setup for this interface?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Dec 2010
    Location
    Georgia
    Posts
    4
    Well, I tried a whole bunch of different rules, none of 'em seemed to work ..
    I added:

    iptables -A INPUT -s 192.168.10.0/24 -j ACCEPT
    iptables -A OUTPUT -s 192.168.10.0/24 -j ACCEPT
    iptables -A INPUT -d 192.168.10.0/24 -j ACCEPT
    iptables -A OUTPUT -d 192.168.10.0/24 -j ACCEPT
    for the localip/remoteip

    So I can ping the VPN

    My issue lies within transparency

    I want to do:
    Lan -> VPN -> Internet
    Internet -> VPN -> LAN
    Lan -> Lan

    I'm just not sure: How, Where, What to put to make that happen..

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    give the output from the following commands;

    route -n
    ifconfig

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  5. #5
    Just Joined!
    Join Date
    Dec 2010
    Location
    Georgia
    Posts
    4
    Code:
    [root@msu] ppp $ route -N
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    80.82.65.246    68.51.184.1     255.255.255.255 UGH   0      0        0 eth0
    192.168.10.1    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    68.51.184.0     0.0.0.0         255.255.252.0   U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         68.51.184.1     0.0.0.0         UG    0      0        0 eth0
    [root@msu] ppp $
    Code:
    [root@msu] ppp $ for i in eth0 eth1 ppp0; do ifconfig $i; done
    eth0      Link encap:Ethernet  HWaddr 00:16:d7:33:45:c5
              inet addr:67.215.XXX.XXX  Bcast:67.255.255.255  Mask:255.0.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:576  Metric:1
              RX packets:176864 errors:0 dropped:0 overruns:0 frame:0
              TX packets:46066 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:29310567 (27.9 MiB)  TX bytes:6812767 (6.4 MiB)
              Interrupt:19 Base address:0xe800
    
    eth1      Link encap:Ethernet  HWaddr 00:1e:2a:47:c5:87
              inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:7000  Metric:1
              RX packets:51875 errors:0 dropped:0 overruns:0 frame:0
              TX packets:74919 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:7627872 (7.2 MiB)  TX bytes:44846878 (42.7 MiB)
              Interrupt:18 Base address:0xa800
    
    ppp0      Link encap:Point-to-Point Protocol
              inet addr:192.168.10.6  P-t-P:192.168.10.1  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1486  Metric:1
              RX packets:5 errors:0 dropped:0 overruns:0 frame:0
              TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:3
              RX bytes:62 (62.0 B)  TX bytes:68 (68.0 B)
    
    [root@msu] ppp $

  6. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    The firewall output you posted is a nightmare to follow. Are you doing any NATting? Could you save your rules with iptables-save and post that file please. It is easier to read and follow.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  7. #7
    Just Joined!
    Join Date
    Dec 2010
    Location
    Georgia
    Posts
    4
    Code:
    # Generated by iptables-save v1.4.7 on Fri Dec 31 22:47:55 2010
    *nat
    :PREROUTING ACCEPT [20078:1633825]
    :POSTROUTING ACCEPT [5097:706379]
    :OUTPUT ACCEPT [25043:2048240]
    :DNAT_PROXY - [0:0]
    -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT_PROXY 
    -A POSTROUTING -o eth0 -j MASQUERADE 
    -A DNAT_PROXY -d 192.168.0.0/24 -j RETURN 
    -A DNAT_PROXY -p tcp -j REDIRECT --to-ports 3128 
    COMMIT
    # Completed on Fri Dec 31 22:47:55 2010
    # Generated by iptables-save v1.4.7 on Fri Dec 31 22:47:55 2010
    *mangle
    :PREROUTING ACCEPT [4975374:2232344448]
    :INPUT ACCEPT [3655681:1165821791]
    :FORWARD ACCEPT [1319580:1066442200]
    :OUTPUT ACCEPT [5226639:3820148562]
    :POSTROUTING ACCEPT [6549188:4887205531]
    COMMIT
    # Completed on Fri Dec 31 22:47:55 2010
    # Generated by iptables-save v1.4.7 on Fri Dec 31 22:47:55 2010
    *filter
    :INPUT DROP [7873:752935]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    :bad_packets - [0:0]
    :bad_tcp_packets - [0:0]
    :icmp_packets - [0:0]
    :tcp_inbound - [0:0]
    :tcp_outbound - [0:0]
    :udp_inbound - [0:0]
    :udp_outbound - [0:0]
    -A INPUT -s 188.124.5.0/24 -j DROP 
    -A INPUT -s 76.74.22.0/23 -j DROP 
    -A INPUT -s 64.226.0.0/15 -j DROP 
    -A INPUT -s 129.240.0.0/16 -j DROP 
    -A INPUT -s 193.169.234.0/23 -j DROP 
    -A INPUT -s 219.84.0.0/16 -j DROP 
    -A INPUT -s 121.0.0.0/14 -j DROP 
    -A INPUT -s 91.189.96.0/20 -j DROP 
    -A INPUT -s 211.0.0.0/8 -j DROP 
    -A INPUT -s 220.0.0.0/8 -j DROP 
    -A INPUT -s 211.92.184.129/32 -j DROP 
    -A INPUT -s 65.55.158.80/32 -j DROP 
    -A INPUT -s 222.190.113.170/32 -j DROP 
    -A INPUT -s 82.94.223.2/32 -j DROP 
    -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource 
    -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j DROP 
    -A INPUT -i lo -j ACCEPT 
    -A INPUT -j bad_packets 
    -A INPUT -d 224.0.0.1/32 -j DROP 
    -A INPUT -s 192.168.0.0/24 -i eth1 -j ACCEPT 
    -A INPUT -d 192.168.0.255/32 -i eth1 -j ACCEPT 
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -i eth0 -p tcp -j tcp_inbound 
    -A INPUT -i eth0 -p udp -j udp_inbound 
    -A INPUT -i eth0 -p icmp -j icmp_packets 
    -A INPUT -m pkttype --pkt-type broadcast -j DROP 
    -A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: " 
    -A FORWARD -j bad_packets 
    -A FORWARD -i eth1 -p tcp -j tcp_outbound 
    -A FORWARD -i eth1 -p udp -j udp_outbound 
    -A FORWARD -i eth1 -j ACCEPT 
    -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: " 
    -A OUTPUT -d 76.74.22.0/23 -j DROP 
    -A OUTPUT -d 64.226.0.0/15 -j DROP 
    -A OUTPUT -d 129.240.0.0/16 -j DROP 
    -A OUTPUT -s 193.169.234.0/23 -j DROP 
    -A OUTPUT -s 219.84.0.0/16 -j DROP 
    -A OUTPUT -s 121.0.0.0/14 -j DROP 
    -A OUTPUT -s 91.189.96.0/20 -j DROP 
    -A OUTPUT -d 211.0.0.0/8 -j DROP 
    -A OUTPUT -d 220.0.0.0/8 -j DROP 
    -A OUTPUT -s 211.92.184.129/32 -j DROP 
    -A OUTPUT -s 65.55.158.80/32 -j DROP 
    -A OUTPUT -s 222.190.113.170/32 -j DROP 
    -A OUTPUT -s 82.94.223.2/32 -j DROP 
    -A OUTPUT -p icmp -m state --state INVALID -j DROP 
    -A OUTPUT -s 127.0.0.1/32 -j ACCEPT 
    -A OUTPUT -o lo -j ACCEPT 
    -A OUTPUT -s 192.168.0.1/32 -j ACCEPT 
    -A OUTPUT -o eth1 -j ACCEPT 
    -A OUTPUT -o eth0 -j ACCEPT 
    -A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: " 
    -A bad_packets -s 192.168.0.0/24 -i eth0 -j LOG --log-prefix "Illegal source: " 
    -A bad_packets -s 192.168.0.0/24 -i eth0 -j DROP 
    -A bad_packets -m state --state INVALID -j LOG --log-prefix "Unknown packet: " 
    -A bad_packets -m state --state INVALID -j DROP 
    -A bad_packets -p tcp -j bad_tcp_packets 
    -A bad_packets -j RETURN 
    -A bad_tcp_packets -i eth1 -p tcp -j RETURN 
    -A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn: " 
    -A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: " 
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: " 
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP 
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: " 
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP 
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: " 
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP 
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: " 
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP 
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: " 
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
    -A bad_tcp_packets -p tcp -j RETURN 
    -A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: " 
    -A icmp_packets -p icmp -f -j DROP 
    -A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP 
    -A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT 
    -A icmp_packets -p icmp -j RETURN 
    -A tcp_inbound -p tcp -m tcp --dport 21 -j DROP 
    -A tcp_inbound -p tcp -m tcp --dport 25 -j DROP 
    -A tcp_inbound -p tcp -m tcp --dport 110 -j DROP 
    -A tcp_inbound -p tcp -m tcp --dport 758 -j DROP 
    -A tcp_inbound -p tcp -m tcp --dport 1935 -j DROP 
    -A tcp_inbound -p tcp -m tcp --dport 53 -j DROP 
    -A tcp_inbound -p tcp -m tcp --dport 8000 -j DROP 
    -A tcp_inbound -p tcp -m tcp --dport 80 -j DROP 
    -A tcp_inbound -p tcp -m tcp --dport 137 -j DROP 
    -A tcp_inbound -p tcp -m tcp --dport 138 -j DROP 
    -A tcp_inbound -p tcp -m tcp --dport 139 -j DROP 
    -A tcp_inbound -p tcp -m tcp --dport 445 -j DROP 
    -A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT 
    -A tcp_inbound -p tcp -j RETURN 
    -A tcp_outbound -p tcp -j ACCEPT 
    -A udp_inbound -p udp -m udp --dport 137 -j DROP 
    -A udp_inbound -p udp -m udp --dport 138 -j DROP 
    -A udp_inbound -p udp -m udp --dport 139 -j DROP 
    -A udp_inbound -p udp -m udp --dport 445 -j DROP 
    -A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT 
    -A udp_inbound -p udp -j RETURN 
    -A udp_outbound -p udp -j ACCEPT 
    COMMIT
    # Completed on Fri Dec 31 22:47:55 2010

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •