Results 1 to 7 of 7
I understand this to be a relatively 'common' topic. However, all of the forums that I've seen are unique to that specific setup.. I am probably wrong, but I really ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 12-28-2010 #1Just Joined!
- Join Date
- Dec 2010
- Location
- Georgia
- Posts
- 4
pptp, iptables
I understand this to be a relatively 'common' topic. However, all of the forums that I've seen are unique to that specific setup.. I am probably wrong, but I really need help with this..
Now, what I'm thinking is happening is iptables is restricting the new network, and if it is, I'm not sure how to add..
I'm relatively (Brand) new to PPTP (in any form) I was actually pretty surprised I got it to work
So, if anybody could run me through this with proper routing and corrections to IPTABLES, I'd be thankful..
Here's my setup:
Slackware 13.1
External IFace = eth0 / DHCP (assigned from comcast)
Internal IFace = eth1 / 192.168.0.0/24
pptp Iface = inet addr:192.168.10.7 P-t-P:192.168.10.1 Mask:255.255.255.255
ppp0 Link encap:Point-to-Point Protocol
inet addr:192.168.10.7 P-t-P:192.168.10.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1496 Metric:1
RX packets:5 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:62 (62.0 B) TX bytes:68 (68.0 B)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
85.17.121.209 68.51.184.1 255.255.255.255 UGH 0 0 0 eth0
192.168.10.1 * 255.255.255.255 UH 0 0 0 ppp0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
68.51.184.0 * 255.255.252.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default 68.51.184.1 0.0.0.0 UG 0 0 0 eth0
My IP-UP script for PPTP:
#!/bin/bash
ip route del 80.82.65.246 dev ppp0 src 68.51.186.50
ip route add 80.82.65.246 via 68.51.184.1 dev eth0 src 68.51.186.50
ip route replace default dev ppp0
and IP-Tables:
SYSCTL="/sbin/sysctl -w"
IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"
INET_IFACE="eth0"
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.0.1"
LOCAL_NET="192.168.0.0/24"
LOCAL_BCAST="192.168.0.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"
if [ "$1" = "save" ]
then
echo -n "Saving firewall to /etc/sysconfig/iptables ... "
$IPTS > /etc/sysconfig/iptables
echo "done"
exit 0
elif [ "$1" = "restore" ]
then
echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
$IPTR < /etc/sysconfig/iptables
echo "done"
exit 0
fi
echo "Loading kernel modules ..."
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_owner
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "Flushing Tables ..."
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
if [ "$1" = "stop" ]
then
echo "Firewall completely flushed! Now running with no firewall."
exit 0
fi
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
iptables -A INPUT -s 192.168.10.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -d 192.168.10.0/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.10.0/24 -j ACCEPT
iptables -t nat -N DNAT_PROXY
iptables -t nat -A DNAT_PROXY -p tcp -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT_PROXY
echo "Adding custom blocklist to filter"
/etc/IPSblock
echo "Create and populate custom rule chains ..."
$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG \
--log-level 4 --log-prefix "Illegal source: "
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-level 4 --log-prefix "Unknown packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-level 4 --log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
--log-level 4 --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
--log-level 4 --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
--log-level 4 --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
--log-level 4 --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
--log-level 4 --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
--log-level 4 --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
--log-level 4 --log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPT -A icmp_packets -p ICMP -j RETURN
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 139 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 445 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 \
-j ACCEPT
$IPT -A udp_inbound -p UDP -j RETURN
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 758 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 1935 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 53 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 8000 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 137 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 138 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 139 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 445 -j DROP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -m \
recent --set --name SSH
iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW -m \
recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
$IPT -A tcp_inbound -p TCP -j RETURN
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
echo "Process INPUT chain ..."
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level 4 --log-prefix "INPUT packet died: "
echo "Process FORWARD chain ..."
$IPT -A FORWARD -p ALL -j bad_packets
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level 4 --log-prefix "FORWARD packet died: "
echo "Process OUTPUT chain ..."
# Generally trust the firewall on output
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o eth0 -j ACCEPT
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level 4 --log-prefix "OUTPUT packet died: "
echo "Load rules for nat table ..."
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo "Load rules for mangle table ..."Last edited by amnes1a; 12-28-2010 at 08:03 PM.
- 12-28-2010 #2Linux Guru
- Join Date
- Jun 2004
- Location
- The Keystone State
- Posts
- 2,615
ppp0 is an interface. Do you have a firewall rule setup for this interface?
- 12-28-2010 #3Just Joined!
- Join Date
- Dec 2010
- Location
- Georgia
- Posts
- 4
Well, I tried a whole bunch of different rules, none of 'em seemed to work ..
I added:
iptables -A INPUT -s 192.168.10.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -d 192.168.10.0/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.10.0/24 -j ACCEPT
for the localip/remoteip
So I can ping the VPN
My issue lies within transparency
I want to do:
Lan -> VPN -> Internet
Internet -> VPN -> LAN
Lan -> Lan
I'm just not sure: How, Where, What to put to make that happen..
- 12-29-2010 #4Linux Guru
- Join Date
- Jun 2004
- Location
- The Keystone State
- Posts
- 2,615
give the output from the following commands;
route -n
ifconfig
- 12-31-2010 #5Just Joined!
- Join Date
- Dec 2010
- Location
- Georgia
- Posts
- 4
Code:[root@msu] ppp $ route -N Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 80.82.65.246 68.51.184.1 255.255.255.255 UGH 0 0 0 eth0 192.168.10.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 68.51.184.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 0.0.0.0 68.51.184.1 0.0.0.0 UG 0 0 0 eth0 [root@msu] ppp $
Code:[root@msu] ppp $ for i in eth0 eth1 ppp0; do ifconfig $i; done eth0 Link encap:Ethernet HWaddr 00:16:d7:33:45:c5 inet addr:67.215.XXX.XXX Bcast:67.255.255.255 Mask:255.0.0.0 UP BROADCAST RUNNING MULTICAST MTU:576 Metric:1 RX packets:176864 errors:0 dropped:0 overruns:0 frame:0 TX packets:46066 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:29310567 (27.9 MiB) TX bytes:6812767 (6.4 MiB) Interrupt:19 Base address:0xe800 eth1 Link encap:Ethernet HWaddr 00:1e:2a:47:c5:87 inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:7000 Metric:1 RX packets:51875 errors:0 dropped:0 overruns:0 frame:0 TX packets:74919 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:7627872 (7.2 MiB) TX bytes:44846878 (42.7 MiB) Interrupt:18 Base address:0xa800 ppp0 Link encap:Point-to-Point Protocol inet addr:192.168.10.6 P-t-P:192.168.10.1 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1486 Metric:1 RX packets:5 errors:0 dropped:0 overruns:0 frame:0 TX packets:5 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:3 RX bytes:62 (62.0 B) TX bytes:68 (68.0 B) [root@msu] ppp $
- 01-01-2011 #6Linux Guru
- Join Date
- Jun 2004
- Location
- The Keystone State
- Posts
- 2,615
The firewall output you posted is a nightmare to follow. Are you doing any NATting? Could you save your rules with iptables-save and post that file please. It is easier to read and follow.
- 01-01-2011 #7Just Joined!
- Join Date
- Dec 2010
- Location
- Georgia
- Posts
- 4
Code:# Generated by iptables-save v1.4.7 on Fri Dec 31 22:47:55 2010 *nat :PREROUTING ACCEPT [20078:1633825] :POSTROUTING ACCEPT [5097:706379] :OUTPUT ACCEPT [25043:2048240] :DNAT_PROXY - [0:0] -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT_PROXY -A POSTROUTING -o eth0 -j MASQUERADE -A DNAT_PROXY -d 192.168.0.0/24 -j RETURN -A DNAT_PROXY -p tcp -j REDIRECT --to-ports 3128 COMMIT # Completed on Fri Dec 31 22:47:55 2010 # Generated by iptables-save v1.4.7 on Fri Dec 31 22:47:55 2010 *mangle :PREROUTING ACCEPT [4975374:2232344448] :INPUT ACCEPT [3655681:1165821791] :FORWARD ACCEPT [1319580:1066442200] :OUTPUT ACCEPT [5226639:3820148562] :POSTROUTING ACCEPT [6549188:4887205531] COMMIT # Completed on Fri Dec 31 22:47:55 2010 # Generated by iptables-save v1.4.7 on Fri Dec 31 22:47:55 2010 *filter :INPUT DROP [7873:752935] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] :bad_packets - [0:0] :bad_tcp_packets - [0:0] :icmp_packets - [0:0] :tcp_inbound - [0:0] :tcp_outbound - [0:0] :udp_inbound - [0:0] :udp_outbound - [0:0] -A INPUT -s 188.124.5.0/24 -j DROP -A INPUT -s 76.74.22.0/23 -j DROP -A INPUT -s 64.226.0.0/15 -j DROP -A INPUT -s 129.240.0.0/16 -j DROP -A INPUT -s 193.169.234.0/23 -j DROP -A INPUT -s 219.84.0.0/16 -j DROP -A INPUT -s 121.0.0.0/14 -j DROP -A INPUT -s 91.189.96.0/20 -j DROP -A INPUT -s 211.0.0.0/8 -j DROP -A INPUT -s 220.0.0.0/8 -j DROP -A INPUT -s 211.92.184.129/32 -j DROP -A INPUT -s 65.55.158.80/32 -j DROP -A INPUT -s 222.190.113.170/32 -j DROP -A INPUT -s 82.94.223.2/32 -j DROP -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource -A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH --rsource -j DROP -A INPUT -i lo -j ACCEPT -A INPUT -j bad_packets -A INPUT -d 224.0.0.1/32 -j DROP -A INPUT -s 192.168.0.0/24 -i eth1 -j ACCEPT -A INPUT -d 192.168.0.255/32 -i eth1 -j ACCEPT -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp -j tcp_inbound -A INPUT -i eth0 -p udp -j udp_inbound -A INPUT -i eth0 -p icmp -j icmp_packets -A INPUT -m pkttype --pkt-type broadcast -j DROP -A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: " -A FORWARD -j bad_packets -A FORWARD -i eth1 -p tcp -j tcp_outbound -A FORWARD -i eth1 -p udp -j udp_outbound -A FORWARD -i eth1 -j ACCEPT -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: " -A OUTPUT -d 76.74.22.0/23 -j DROP -A OUTPUT -d 64.226.0.0/15 -j DROP -A OUTPUT -d 129.240.0.0/16 -j DROP -A OUTPUT -s 193.169.234.0/23 -j DROP -A OUTPUT -s 219.84.0.0/16 -j DROP -A OUTPUT -s 121.0.0.0/14 -j DROP -A OUTPUT -s 91.189.96.0/20 -j DROP -A OUTPUT -d 211.0.0.0/8 -j DROP -A OUTPUT -d 220.0.0.0/8 -j DROP -A OUTPUT -s 211.92.184.129/32 -j DROP -A OUTPUT -s 65.55.158.80/32 -j DROP -A OUTPUT -s 222.190.113.170/32 -j DROP -A OUTPUT -s 82.94.223.2/32 -j DROP -A OUTPUT -p icmp -m state --state INVALID -j DROP -A OUTPUT -s 127.0.0.1/32 -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -s 192.168.0.1/32 -j ACCEPT -A OUTPUT -o eth1 -j ACCEPT -A OUTPUT -o eth0 -j ACCEPT -A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: " -A bad_packets -s 192.168.0.0/24 -i eth0 -j LOG --log-prefix "Illegal source: " -A bad_packets -s 192.168.0.0/24 -i eth0 -j DROP -A bad_packets -m state --state INVALID -j LOG --log-prefix "Unknown packet: " -A bad_packets -m state --state INVALID -j DROP -A bad_packets -p tcp -j bad_tcp_packets -A bad_packets -j RETURN -A bad_tcp_packets -i eth1 -p tcp -j RETURN -A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn: " -A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: " -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: " -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: " -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: " -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP -A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: " -A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: " -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP -A bad_tcp_packets -p tcp -j RETURN -A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: " -A icmp_packets -p icmp -f -j DROP -A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP -A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT -A icmp_packets -p icmp -j RETURN -A tcp_inbound -p tcp -m tcp --dport 21 -j DROP -A tcp_inbound -p tcp -m tcp --dport 25 -j DROP -A tcp_inbound -p tcp -m tcp --dport 110 -j DROP -A tcp_inbound -p tcp -m tcp --dport 758 -j DROP -A tcp_inbound -p tcp -m tcp --dport 1935 -j DROP -A tcp_inbound -p tcp -m tcp --dport 53 -j DROP -A tcp_inbound -p tcp -m tcp --dport 8000 -j DROP -A tcp_inbound -p tcp -m tcp --dport 80 -j DROP -A tcp_inbound -p tcp -m tcp --dport 137 -j DROP -A tcp_inbound -p tcp -m tcp --dport 138 -j DROP -A tcp_inbound -p tcp -m tcp --dport 139 -j DROP -A tcp_inbound -p tcp -m tcp --dport 445 -j DROP -A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT -A tcp_inbound -p tcp -j RETURN -A tcp_outbound -p tcp -j ACCEPT -A udp_inbound -p udp -m udp --dport 137 -j DROP -A udp_inbound -p udp -m udp --dport 138 -j DROP -A udp_inbound -p udp -m udp --dport 139 -j DROP -A udp_inbound -p udp -m udp --dport 445 -j DROP -A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT -A udp_inbound -p udp -j RETURN -A udp_outbound -p udp -j ACCEPT COMMIT # Completed on Fri Dec 31 22:47:55 2010
Reply With Quote 
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
