Iptables and SYN-FLOOD attack
- 08-16-2010 #1
Dear all,
I have 2 problems with my new network infrastructure (I think!).
I show you a basic plan of my network.
First problem:
Sometimes I lose my internet connection...
I can ping outside, but web pages don't display and the clients receive no mail...
I have to restart the VPN router to bring the connection back up.
When the VPN router was restarted, it sent me an email saying that it has been attacked from my internal 192.168.1.1 IP address!
I have this POSTROUTING rule on my firewall:
iptables -t nat -A POSTROUTING -o $I_RT -j MASQUERADE   # I_RT is eth0 with the 192.168.1.1 address
I don't know how to resolve this problem. I had some SYN-flood attack prevention in place, but it didn't work...
2nd problem:
I drop everything before allowing my rules one by one.
I allow my script to forward client requests to http, https, pop and smtp, and it works fine.
But I can't give internet access to the firewall itself. I have tried many settings with INPUT and OUTPUT rules, but nothing works...
Do you have an idea for a good configuration to allow my firewall to access the web?
Thanks for your help!
- 08-17-2010 #2
Nobody has any idea about this SYN-FLOOD attack?
Does it come from my POSTROUTING rule, which gives 192.168.1.1 to all requests from my clients' LAN? I don't have any other idea...
- 08-18-2010 #3
OK, how are you writing your firewall rules? Order plays a big role, as they are read first-in first-executed, or top down. How are you blocking before you allow? Use the code tags and post your firewall rules, then maybe I can help you.
You can look at this TUTORIAL a while if you'd like.
- 08-18-2010 #4
Thanks for your response!
I know that order is important, and I think in my script I have some problem with this...
I block everything and authorise one by one. I attach my script and hope you will see something!
Thanks for your help
Code:
echo "############################################################"
echo "#Firewall Initialization####################################"
echo "#V1.8 - 18/08/2010##########################################"
##################################################################

#Network interfaces
I_RT="eth0"    # Internet side (towards the VPN router)
I_SRV="eth1"   # server LAN
I_CLT="eth2"   # client LAN

#Firewall interface addresses
IP_RT="192.168.1.1"
IP_SRV="192.168.2.1"
IP_CLT="192.168.3.1"

#Networks
LAN_RT="192.168.1.0/24"
LAN_SRV="192.168.2.0/24"
LAN_CLT="192.168.3.0/24"
#LAN_DEBR is used below but was not defined in the script as posted; the value comes from the poster's later iptables -L listing
LAN_DEBR="192.168.158.0/24"

#Hosts
#IP_SW="192.168.2.5 192.168.3.5 192.168.3.6"
IP_ADMIN="192.168.3.10 192.168.3.11 192.168.3.12 192.168.2.240"
IP_VMW1="192.168.2.10"
IP_DNS="192.168.2.21"
IP_AD="192.168.2.21"
IP_LIMS="192.168.2.22"
IP_BACKUP="192.168.2.23"
IP_WSUS="192.168.2.24"
IP_NAS="192.168.2.25"
IP_SPOT="192.168.2.27"

#LIMS printers
IMP_LIMS="192.168.3.210 192.168.3.211 192.168.3.212"
IMP_DESK="192.168.2.200 192.168.2.201"
GRP_SSH="192.168.2.22 192.168.2.23"
#The same resolver is listed twice in the script as posted
DNS_ISP="212.27.40.240 212.27.40.240"

#POP and SMTP
SRV_POP="212.227.15.140 212.227.15.156 64.202.165.92"
SRV_SMTP="212.227.15.168 212.227.15.184 66.245.241.38"
INTERNET="192.168.3.0/24 192.168.2.24"
NTP="194.57.169.1"

#Banned source ranges (reserved or, in 2010, unallocated /8s; many have since been allocated,
#so a list like this blocks legitimate traffic unless it is kept up to date)
IP_RESERVED="0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 3.0.0.0/8 4.0.0.0/8 5.0.0.0/8 7.0.0.0/8 10.0.0.0/8 14.0.0.0/8 23.0.0.0/8
27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8
70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8
83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8
93.0.0.0/8 94.0.0.0/8 95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8 102.0.0.0/8
103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8
113.0.0.0/8 114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 120.0.0.0/8 121.0.0.0/8 122.0.0.0/8
123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 126.0.0.0/8 169.254.0.0/16 172.16.0.0/12 173.0.0.0/8 174.0.0.0/8 175.0.0.0/8 176.0.0.0/8
177.0.0.0/8 178.0.0.0/8 179.0.0.0/8 180.0.0.0/8 181.0.0.0/8 182.0.0.0/8 183.0.0.0/8 184.0.0.0/8 185.0.0.0/8 186.0.0.0/8
187.0.0.0/8 189.0.0.0/8 190.0.0.0/8 197.0.0.0/8 222.0.0.0/8 223.0.0.0/8 224.0.0.0/8 225.0.0.0/8 226.0.0.0/8 227.0.0.0/8
228.0.0.0/8 229.0.0.0/8 230.0.0.0/8 231.0.0.0/8 232.0.0.0/8 233.0.0.0/8 234.0.0.0/8 235.0.0.0/8 236.0.0.0/8 237.0.0.0/8
238.0.0.0/8 239.0.0.0/8 240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 246.0.0.0/8 247.0.0.0/8
248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"

#Default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Flush all rules
iptables -F
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

###########################################################
echo "#Network services###########################################"
###########################################################
#Routing (switched on again at the end of the script)
echo "0" > /proc/sys/net/ipv4/ip_forward
#ICMP redirects and source routing
echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/default/secure_redirects
echo "0" > /proc/sys/net/ipv4/conf/default/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/default/accept_source_route
#ICMP broadcast (smurf) and bogus error responses
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Reverse-path filtering against spoofed source addresses
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
#SYN cookies against SYN floods
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#TCP timestamps (RFC 1323)
echo "1" > /proc/sys/net/ipv4/tcp_timestamps
#Shorter FIN-WAIT-2 timeout
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
#Time before the first keepalive probe
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
#Disable TCP window scaling
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
#Disable selective acknowledgements
echo "0" > /proc/sys/net/ipv4/tcp_sack

###########################################################
echo "#Logs rules#################################################"
###########################################################

###########################################################
echo "#Shared rules###############################################"
###########################################################
#Banned source ranges on the Internet-facing interface
for reserved in $IP_RESERVED; do
    iptables -A INPUT -i $I_RT -s $reserved -j DROP
    iptables -A FORWARD -i $I_RT -s $reserved -j DROP
done

#Ignore invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

#Block port scans (bogus TCP flag combinations)
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

#Prevent some attacks
#-i takes an interface name; the script as posted had $IP_CLT (an address) here, which matches nothing
iptables -A INPUT -i $I_CLT -p tcp -m multiport --sport 20,21,22,23,25,53,80,110,143,443,993,995 -j DROP
iptables -A INPUT -p tcp --sport 0 -j DROP
iptables -A INPUT -p udp --sport 0 -j DROP
iptables -A INPUT -p tcp --dport 0 -j DROP
iptables -A INPUT -p udp --dport 0 -j DROP

#SYN-flood chain: accept a limited rate of new SYNs and drop the rest
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 5/s --limit-burst 4 -j ACCEPT
iptables -A syn-flood -j DROP
iptables -A INPUT -i $I_RT -p tcp --syn -j syn-flood
#New TCP connections from the client LAN must start with a SYN
iptables -A INPUT -i $I_CLT -p tcp ! --syn -m state --state NEW -j DROP
#Rate limit on forwarded SYNs and UDP (no DROP follows, so the excess falls through to the rules below)
iptables -A FORWARD -p tcp --syn -m limit --limit 5/s -j ACCEPT
iptables -A FORWARD -p udp -m limit --limit 5/s -j ACCEPT

#NAT (masquerade): everything leaving on $I_RT gets the 192.168.1.1 source address
iptables -t nat -A POSTROUTING -o $I_RT -j MASQUERADE

#Localhost
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT

#Allow ping from the admin hosts to the firewall (better configuration coming)
for adm_ping in $IP_ADMIN; do
    iptables -I INPUT -p icmp -s $adm_ping -j ACCEPT
    iptables -I OUTPUT -p icmp -d $adm_ping -j ACCEPT
done

#Accept tracked connections
#-I puts these at position 1, i.e. above every rule appended earlier in this script
iptables -I INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i $I_CLT -o $I_SRV -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i $I_SRV -o $I_CLT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

###########################################################
echo "#Rules on LAN_SRV###########################################"
###########################################################
#SSH & SCP from the admin hosts to the firewall (sshd listens on 324)
for adm_ssh in $IP_ADMIN; do
    iptables -I INPUT -p tcp -s $adm_ssh --sport 1024:65535 -d $IP_SRV --dport 324 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -I OUTPUT -p tcp -s $IP_SRV --sport 324 -d $adm_ssh --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
done

###########################################################
echo "#Rules on LAN_RT############################################"
###########################################################
#DNS from the firewall itself to the ISP resolvers
for rt_dns in $DNS_ISP; do
    iptables -A OUTPUT -p udp --sport 1024:65535 -d $rt_dns --dport 53 -j ACCEPT
    iptables -A INPUT -p udp -s $rt_dns --sport 53 --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 1024:65535 -d $rt_dns --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -s $rt_dns --sport 53 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
done
#HTTP from the firewall itself
iptables -A OUTPUT -p tcp --dport 80 --sport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

###########################################################
echo "#Forward servers request####################################"
###########################################################
###################
#NTP server
for ntp in $NTP; do
    iptables -I FORWARD -p udp -s $IP_WSUS --sport 1024:65535 -d $ntp --dport 123 -j ACCEPT
    iptables -I FORWARD -p udp -s $ntp --sport 123 -d $IP_WSUS --dport 1024:65535 -j ACCEPT
done
###################

###########################################################
echo "#Forward clients request##############################"
###########################################################
#Allow ping for the admin hosts
for ping_adm in $IP_ADMIN; do
    iptables -A FORWARD -p icmp -s $ping_adm -j ACCEPT
    iptables -A FORWARD -p icmp -d $ping_adm -j ACCEPT
done
###################
#Allow clients to ping the AD server (necessary for GPO)
iptables -A FORWARD -p icmp -s $LAN_CLT -d $IP_AD -j ACCEPT
iptables -A FORWARD -p icmp -s $IP_AD -d $LAN_CLT -j ACCEPT

#Active Directory
iptables -I FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_AD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -p tcp -s $IP_AD -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -p udp -s $LAN_CLT --sport 1024:65535 -d $IP_AD -j ACCEPT
iptables -I FORWARD -p udp -s $IP_AD -d $LAN_CLT --dport 1024:65535 -j ACCEPT
iptables -I FORWARD -p tcp -s $LAN_DEBR --sport 1024:65535 -d $IP_AD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -p tcp -s $IP_AD -d $LAN_DEBR --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -p udp -s $LAN_DEBR --sport 1024:65535 -d $IP_AD -j ACCEPT
iptables -I FORWARD -p udp -s $IP_AD -d $LAN_DEBR --dport 1024:65535 -j ACCEPT
###################
###################
#DNS (internal)
iptables -I FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_DNS --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -p tcp -s $IP_DNS --sport 53 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -p udp -s $LAN_CLT --sport 1024:65535 -d $IP_DNS --dport 53 -j ACCEPT
iptables -I FORWARD -p udp -s $IP_DNS --sport 53 -d $LAN_CLT --dport 1024:65535 -j ACCEPT
#DNS (ISP)
for dns_srv in $DNS_ISP; do
    for int in $INTERNET; do
        iptables -I FORWARD -p tcp -s $int --sport 1024:65535 -d $dns_srv --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        iptables -I FORWARD -p tcp -s $dns_srv --sport 53 -d $int --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -I FORWARD -p udp -s $int --sport 1024:65535 -d $dns_srv --dport 53 -j ACCEPT
        iptables -I FORWARD -p udp -s $dns_srv --sport 53 -d $int --dport 1024:65535 -j ACCEPT
    done
done
###################
###################
#Internet (80/443)
for int in $INTERNET; do
    iptables -I FORWARD -p tcp -s $int --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD -p tcp --sport 80 -d $int --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD -p tcp -s $int --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD -p tcp --sport 443 -d $int --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
done
###################
###################
#LIMS
iptables -I FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_LIMS --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -p tcp -s $IP_LIMS --sport 8080 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
#Enterprise Manager for Oracle
for ip_adm in $IP_ADMIN; do
    iptables -I FORWARD -p tcp -s $ip_adm --sport 1024:65535 -d $IP_LIMS --dport 1158 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD -p tcp -s $IP_LIMS --sport 1158 -d $ip_adm --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
done
#LIMS printers
for imp_lims in $IMP_LIMS; do
    iptables -A FORWARD -p tcp -s $IP_LIMS --sport 1024:65535 -d $imp_lims --dport 9100 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
#Spectro.bat app
iptables -A FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_LIMS --dport 1099 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $IP_LIMS --sport 1099 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp -s $LAN_CLT --sport 1024:65535 -d $IP_LIMS --dport 1099 -j ACCEPT
iptables -A FORWARD -p udp -s $IP_LIMS --sport 1099 -d $LAN_CLT --dport 1024:65535 -j ACCEPT
###################
###################
#SSH from the admin hosts to the SSH group
#Note: here NEW is on the server-to-admin direction, the reverse of every other rule pair in this script
for ip in $IP_ADMIN; do
    for ssh in $GRP_SSH; do
        iptables -I FORWARD -p tcp -s $ip --sport 1024:65535 -d $ssh --dport 324 -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -I FORWARD -p tcp -s $ssh --sport 324 -d $ip --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done
done
###################
###################
#Mail (SMTP & POP)
for pop in $SRV_POP; do
    iptables -I FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $pop --dport 110 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD -p tcp -s $pop --sport 110 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
done
for smtp in $SRV_SMTP; do
    iptables -I FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $smtp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD -p tcp -s $smtp --sport 25 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
done
for smtp in $SRV_SMTP; do
    iptables -I FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $smtp --dport 587 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD -p tcp -s $smtp --sport 587 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
done
###################
###################
#BSI-WSUS (WSUS)
iptables -A FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_WSUS --dport 8530 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $IP_WSUS --sport 8530 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
#BSI-WSUS (Order + BaseBSI)
iptables -A FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_WSUS --dport 500 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $IP_WSUS --sport 500 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
#BSI-WSUS (print spooler)
iptables -A FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_WSUS --dport 9100 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_WSUS --dport 515 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#BSI-WSUS (Origin)
iptables -A FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_WSUS --dport 61616 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $IP_WSUS --sport 61616 -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp -s $LAN_CLT --sport 1024:65535 -d $IP_WSUS --dport 61616 -j ACCEPT
iptables -A FORWARD -p udp -s $IP_WSUS --sport 61616 -d $LAN_CLT --dport 1024:65535 -j ACCEPT
#BSI-WSUS (Symantec Endpoint Protection)
iptables -I FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_WSUS --dport 8014 -j ACCEPT
iptables -I FORWARD -p tcp -s $IP_WSUS --sport 8014 -d $LAN_CLT --dport 1024:65535 -j ACCEPT
#BSI-WSUS (NTP)
iptables -I FORWARD -p udp -s $LAN_CLT --sport 1024:65535 -d $IP_WSUS --dport 123 -j ACCEPT
iptables -I FORWARD -p udp -s $IP_WSUS --sport 123 -d $LAN_CLT --dport 1024:65535 -j ACCEPT
###################
###################
#BSI-NAS (web interface)
for ip_nas in $IP_ADMIN; do
    iptables -A FORWARD -p tcp -s $ip_nas --sport 1024:65535 -d $IP_NAS --dport 446 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p tcp -s $IP_NAS --sport 446 -d $ip_nas --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
done
###################
###################
#Spotfire
iptables -A FORWARD -p tcp -s $LAN_CLT --sport 1024:65535 -d $IP_SPOT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $IP_SPOT -d $LAN_CLT --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp -s $LAN_CLT --sport 1024:65535 -d $IP_SPOT -j ACCEPT
iptables -A FORWARD -p udp -s $IP_SPOT -d $LAN_CLT --dport 1024:65535 -j ACCEPT
###################

###########################################################
echo "#Routing activation#########################################"
###########################################################
echo "1" > /proc/sys/net/ipv4/ip_forward

###########################################################
echo "#End of firewall initialization#############################"
echo "############################################################"
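Post #3's point about rule order applies directly to the script above: -I inserts at position 1, so the script's "iptables -I INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" ends up above every DROP rule and above the jump into the syn-flood chain. The Python model below is an added example, not code from this thread: it reproduces first-match evaluation with -A/-I semantics for the INPUT rules that matter here and contrasts the posted order with the same ACCEPT appended instead and restricted to ESTABLISHED,RELATED. The two reserved prefixes stand in for the full $IP_RESERVED list, the 10.1.2.3 and 203.0.113.7 source addresses are constructed, and the token bucket is a simplified model of -m limit.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

class Limit:
    """Token bucket standing in for '-m limit --limit RATE/s --limit-burst BURST' (simplified)."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst           # tokens refilled per second, bucket size
        self.tokens, self.last = float(burst), 0.0    # bucket starts full

    def allow(self, now: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

@dataclass
class Packet:
    in_if: str    # arriving interface
    src: str      # source address
    syn: bool     # SYN set and ACK clear, i.e. what '--syn' matches
    state: str    # conntrack state: NEW, ESTABLISHED or RELATED

@dataclass
class Rule:
    """One iptables rule; any match option left as None is a wildcard."""
    target: str                        # ACCEPT, DROP or a user chain to jump to
    in_if: Optional[str] = None        # -i
    src: Optional[str] = None          # -s CIDR
    syn: Optional[bool] = None         # --syn (True) or '! --syn' (False)
    states: Optional[Set[str]] = None  # -m state --state A,B
    limit: Optional[Limit] = None      # -m limit

    def matches(self, pkt: Packet, now: float) -> bool:
        if self.in_if is not None and pkt.in_if != self.in_if:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.syn is not None and pkt.syn != self.syn:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        # the limit match consumes a token only after every other match has passed
        return self.limit is None or self.limit.allow(now)

class Firewall:
    """Built-in chains with a DROP policy plus user chains created with -N."""
    def __init__(self):
        self.chains = {"INPUT": [], "FORWARD": []}
        self.policy = {"INPUT": "DROP", "FORWARD": "DROP"}

    def new_chain(self, name: str) -> None:              # iptables -N name
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:    # iptables -A chain ...
        self.chains[chain].append(rule)

    def insert(self, chain: str, rule: Rule) -> None:    # iptables -I chain ... (position 1)
        self.chains[chain].insert(0, rule)

    def verdict(self, pkt: Packet, now: float = 0.0, chain: str = "INPUT") -> Tuple[str, str]:
        """First matching rule wins; returns (verdict, 'CHAIN#position') of that rule."""
        for pos, rule in enumerate(self.chains[chain], start=1):
            if not rule.matches(pkt, now):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target, f"{chain}#{pos}"
            sub = self.verdict(pkt, now, rule.target)   # jump into a user chain
            if sub[0] != "RETURN":
                return sub
        if chain in self.policy:
            return self.policy[chain], f"{chain} policy"
        return "RETURN", chain   # end of a user chain: back to the caller

def build_input_chain(as_posted: bool) -> Firewall:
    """The INPUT rules from the posted script that matter here, added in the script's order."""
    fw = Firewall()
    for net in ("10.0.0.0/8", "172.16.0.0/12"):   # two entries standing in for $IP_RESERVED
        fw.append("INPUT", Rule("DROP", in_if="eth0", src=net))
    fw.new_chain("syn-flood")
    fw.append("syn-flood", Rule("ACCEPT", limit=Limit(rate=5.0, burst=4)))
    fw.append("syn-flood", Rule("DROP"))
    fw.append("INPUT", Rule("syn-flood", in_if="eth0", syn=True))
    if as_posted:   # iptables -I INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        fw.insert("INPUT", Rule("ACCEPT", states={"NEW", "ESTABLISHED", "RELATED"}))
    else:           # appended, and without NEW, so every SYN still reaches the checks above
        fw.append("INPUT", Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}))
    return fw

def spoofed_syn_verdict(as_posted: bool) -> Tuple[str, str]:
    """A new SYN arriving on eth0 from a reserved (bogon) source address (constructed)."""
    return build_input_chain(as_posted).verdict(Packet("eth0", "10.1.2.3", True, "NEW"))

def syn_burst_verdicts(as_posted: bool, count: int = 10) -> List[str]:
    """count SYNs from one Internet host in the same instant (constructed TEST-NET-3 address)."""
    fw = build_input_chain(as_posted)
    pkt = Packet("eth0", "203.0.113.7", True, "NEW")
    return [fw.verdict(pkt, now=0.0)[0] for _ in range(count)]
```

With the posted order every NEW packet hits the inserted ACCEPT at position 1, so neither the bogon DROPs nor the syn-flood chain is ever consulted; with the appended variant the bogon SYN is dropped and the burst is cut at the limit-burst of 4.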
- 08-18-2010 #5
I lost my connection again...
I have restarted my router and it's up again...
I again received a mail from the router about a SYN-flood attack from my 192.168.1.1 IP address.
I attach the result of this command:
iptables -L > iptables.log
These are the results of my script; it may be easier to read the result than to guess it!
120.0.0.0/8 anywhere 159 DROP all -- 121.0.0.0/8 anywhere 160 DROP all -- 122.0.0.0/8 anywhere 161 DROP all -- 123.0.0.0/8 anywhere 162 DROP all -- 124.0.0.0/8 anywhere 163 DROP all -- 125.0.0.0/8 anywhere 164 DROP all -- 126.0.0.0/8 anywhere 165 DROP all -- 169.254.0.0/16 anywhere 166 DROP all -- 172.16.0.0/12 anywhere 167 DROP all -- 173.0.0.0/8 anywhere 168 DROP all -- 174.0.0.0/8 anywhere 169 DROP all -- 175.0.0.0/8 anywhere 170 DROP all -- 176.0.0.0/8 anywhere 171 DROP all -- 177.0.0.0/8 anywhere 172 DROP all -- 178.0.0.0/8 anywhere 173 DROP all -- 179.0.0.0/8 anywhere 174 DROP all -- 180.0.0.0/8 anywhere 175 DROP all -- 181.0.0.0/8 anywhere 176 DROP all -- 182.0.0.0/8 anywhere 177 DROP all -- 183.0.0.0/8 anywhere 178 DROP all -- 184.0.0.0/8 anywhere 179 DROP all -- 185.0.0.0/8 anywhere 180 DROP all -- 186.0.0.0/8 anywhere 181 DROP all -- 187.0.0.0/8 anywhere 182 DROP all -- 189.0.0.0/8 anywhere 183 DROP all -- 190.0.0.0/8 anywhere 184 DROP all -- 197.0.0.0/8 anywhere 185 DROP all -- 222.0.0.0/8 anywhere 186 DROP all -- 223.0.0.0/8 anywhere 187 DROP all -- 224.0.0.0/8 anywhere 188 DROP all -- 225.0.0.0/8 anywhere 189 DROP all -- 226.0.0.0/8 anywhere 190 DROP all -- 227.0.0.0/8 anywhere 191 DROP all -- 228.0.0.0/8 anywhere 192 DROP all -- 229.0.0.0/8 anywhere 193 DROP all -- 230.0.0.0/8 anywhere 194 DROP all -- 231.0.0.0/8 anywhere 195 DROP all -- 232.0.0.0/8 anywhere 196 DROP all -- 233.0.0.0/8 anywhere 197 DROP all -- 234.0.0.0/8 anywhere 198 DROP all -- 235.0.0.0/8 anywhere 199 DROP all -- 236.0.0.0/8 anywhere 200 DROP all -- 237.0.0.0/8 anywhere 201 DROP all -- 238.0.0.0/8 anywhere 202 DROP all -- 239.0.0.0/8 anywhere 203 DROP all -- 240.0.0.0/8 anywhere 204 DROP all -- 241.0.0.0/8 anywhere 205 DROP all -- 242.0.0.0/8 anywhere 206 DROP all -- 243.0.0.0/8 anywhere 207 DROP all -- 244.0.0.0/8 anywhere 208 DROP all -- 245.0.0.0/8 anywhere 209 DROP all -- 246.0.0.0/8 anywhere 210 DROP all -- 247.0.0.0/8 anywhere 211 DROP all -- 248.0.0.0/8 anywhere 212 DROP all 
-- 249.0.0.0/8 anywhere 213 DROP all -- 250.0.0.0/8 anywhere 214 DROP all -- 251.0.0.0/8 anywhere 215 DROP all -- 252.0.0.0/8 anywhere 216 DROP all -- 253.0.0.0/8 anywhere 217 DROP all -- 254.0.0.0/8 anywhere 218 DROP all -- 255.0.0.0/8 anywhere 219 DROP all -- anywhere anywhere state INVALID 220 ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 5/sec burst 5 221 ACCEPT udp -- anywhere anywhere limit: avg 5/sec burst 5 222 ACCEPT icmp -- 192.168.3.10 anywhere icmp echo-request 223 ACCEPT icmp -- anywhere 192.168.3.10 icmp echo-reply 224 ACCEPT icmp -- 192.168.3.11 anywhere icmp echo-request 225 ACCEPT icmp -- anywhere 192.168.3.11 icmp echo-reply 226 ACCEPT icmp -- 192.168.3.12 anywhere icmp echo-request 227 ACCEPT icmp -- anywhere 192.168.3.12 icmp echo-reply 228 ACCEPT icmp -- 192.168.2.240 anywhere icmp echo-request 229 ACCEPT icmp -- anywhere 192.168.2.240 icmp echo-reply 230 ACCEPT icmp -- 192.168.3.0/24 192.168.2.21 231 ACCEPT icmp -- 192.168.2.21 192.168.3.0/24 232 ACCEPT tcp -- 192.168.2.22 192.168.3.210 tcp spts:1024:65535 dpt:jetdirect state NEW,RELATED,ESTABLISHED 233 ACCEPT tcp -- 192.168.2.22 192.168.3.211 tcp spts:1024:65535 dpt:jetdirect state NEW,RELATED,ESTABLISHED 234 ACCEPT tcp -- 192.168.2.22 192.168.3.212 tcp spts:1024:65535 dpt:jetdirect state NEW,RELATED,ESTABLISHED 235 ACCEPT tcp -- 192.168.2.22 192.168.158.205 tcp spts:1024:65535 dpt:jetdirect state NEW,RELATED,ESTABLISHED 236 ACCEPT tcp -- 192.168.2.22 109.0.34.213 tcp spts:1024:65535 dpt:ssh state NEW,RELATED,ESTABLISHED 237 ACCEPT tcp -- 109.0.34.213 192.168.2.22 tcp spt:ssh dpts:1024:65535 state RELATED,ESTABLISHED 238 ACCEPT tcp -- 192.168.3.0/24 192.168.2.22 tcp spts:1024:65535 dpt:rmiregistry state NEW,RELATED,ESTABLISHED 239 ACCEPT tcp -- 192.168.2.22 192.168.3.0/24 tcp spt:rmiregistry dpts:1024:65535 state RELATED,ESTABLISHED 240 ACCEPT udp -- 192.168.3.0/24 192.168.2.22 udp spts:1024:65535 dpt:rmiregistry 241 ACCEPT udp -- 192.168.2.22 192.168.3.0/24 udp 
spt:rmiregistry dpts:1024:65535 242 ACCEPT tcp -- 192.168.2.22 anywhere tcp spts:1024:65535 dpt:smtp state NEW,RELATED,ESTABLISHED 243 ACCEPT tcp -- anywhere 192.168.2.22 tcp spt:smtp dpts:1024:65535 state RELATED,ESTABLISHED 244 ACCEPT tcp -- 192.168.3.0/24 192.168.2.24 tcp spts:1024:65535 dpt:8530 state NEW,RELATED,ESTABLISHED 245 ACCEPT tcp -- 192.168.2.24 192.168.3.0/24 tcp spt:8530 dpts:1024:65535 state RELATED,ESTABLISHED 246 ACCEPT tcp -- 192.168.3.0/24 192.168.2.24 tcp spts:1024:65535 dpt:isakmp state NEW,RELATED,ESTABLISHED 247 ACCEPT tcp -- 192.168.2.24 192.168.3.0/24 tcp spt:isakmp dpts:1024:65535 state RELATED,ESTABLISHED 248 ACCEPT tcp -- 192.168.3.0/24 192.168.2.24 tcp spts:1024:65535 dpt:jetdirect state NEW,RELATED,ESTABLISHED 249 ACCEPT tcp -- 192.168.3.0/24 192.168.2.24 tcp spts:1024:65535 dpt:61616 state NEW,RELATED,ESTABLISHED 250 ACCEPT tcp -- 192.168.2.24 192.168.3.0/24 tcp spt:61616 dpts:1024:65535 state RELATED,ESTABLISHED 251 ACCEPT udp -- 192.168.3.0/24 192.168.2.24 udp spts:1024:65535 dpt:61616 252 ACCEPT udp -- 192.168.2.24 192.168.3.0/24 udp spt:61616 dpts:1024:65535 253 ACCEPT tcp -- 192.168.3.10 192.168.2.25 tcp spts:1024:65535 dpt:ddm-rdb state NEW,RELATED,ESTABLISHED 254 ACCEPT tcp -- 192.168.2.25 192.168.3.10 tcp spt:ddm-rdb dpts:1024:65535 state RELATED,ESTABLISHED 255 ACCEPT tcp -- 192.168.3.11 192.168.2.25 tcp spts:1024:65535 dpt:ddm-rdb state NEW,RELATED,ESTABLISHED 256 ACCEPT tcp -- 192.168.2.25 192.168.3.11 tcp spt:ddm-rdb dpts:1024:65535 state RELATED,ESTABLISHED 257 ACCEPT tcp -- 192.168.3.12 192.168.2.25 tcp spts:1024:65535 dpt:ddm-rdb state NEW,RELATED,ESTABLISHED 258 ACCEPT tcp -- 192.168.2.25 192.168.3.12 tcp spt:ddm-rdb dpts:1024:65535 state RELATED,ESTABLISHED 259 ACCEPT tcp -- 192.168.2.240 192.168.2.25 tcp spts:1024:65535 dpt:ddm-rdb state NEW,RELATED,ESTABLISHED 260 ACCEPT tcp -- 192.168.2.25 192.168.2.240 tcp spt:ddm-rdb dpts:1024:65535 state RELATED,ESTABLISHED 261 ACCEPT tcp -- 192.168.3.0/24 192.168.2.27 tcp 
spts:1024:65535 state NEW,RELATED,ESTABLISHED 262 ACCEPT tcp -- 192.168.2.27 192.168.3.0/24 tcp dpts:1024:65535 state RELATED,ESTABLISHED 263 ACCEPT udp -- 192.168.3.0/24 192.168.2.27 udp spts:1024:65535 264 ACCEPT udp -- 192.168.2.27 192.168.3.0/24 udp dpts:1024:65535 Chain OUTPUT (policy DROP) num target prot opt source destination 1 ACCEPT tcp -- 192.168.2.1 192.168.2.240 tcp spt:324 dpts:1024:65535 state RELATED,ESTABLISHED 2 ACCEPT tcp -- 192.168.2.1 192.168.3.12 tcp spt:324 dpts:1024:65535 state RELATED,ESTABLISHED 3 ACCEPT tcp -- 192.168.2.1 192.168.3.11 tcp spt:324 dpts:1024:65535 state RELATED,ESTABLISHED 4 ACCEPT tcp -- 192.168.2.1 192.168.3.10 tcp spt:324 dpts:1024:65535 state RELATED,ESTABLISHED 5 ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED 6 ACCEPT icmp -- anywhere 192.168.2.240 icmp echo-reply 7 ACCEPT icmp -- anywhere 192.168.3.12 icmp echo-reply 8 ACCEPT icmp -- anywhere 192.168.3.11 icmp echo-reply 9 ACCEPT icmp -- anywhere 192.168.3.10 icmp echo-reply 10 ACCEPT all -- anywhere anywhere 11 DROP all -- anywhere anywhere state INVALID 12 ACCEPT udp -- anywhere 212.27.40.240 udp spts:1024:65535 dpt:domain 13 ACCEPT tcp -- anywhere 212.27.40.240 tcp spts:1024:65535 dpt:domain state NEW,RELATED,ESTABLISHED 14 ACCEPT udp -- anywhere 212.27.40.240 udp spts:1024:65535 dpt:domain 15 ACCEPT tcp -- anywhere 212.27.40.240 tcp spts:1024:65535 dpt:domain state NEW,RELATED,ESTABLISHED 16 ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:http state NEW,RELATED,ESTABLISHED Chain syn-flood (1 references) num target prot opt source destination 1 ACCEPT all -- anywhere anywhere limit: avg 5/sec burst 4 2 DROP all -- anywhere anywhere
I made a scan with nmap on one of my servers and I see that many ports are open...
What's wrong in my script? Order? Rules?
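An added example, not code from the thread: a small shell/awk check for the ordering question asked here. It reads an iptables-save dump and reports every rule that sits behind an earlier catch-all ACCEPT in the same chain. In the listing above, rule 90 ("ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED") accepts every packet that is not INVALID, so the DROP rules and the SYN limiter after it can never match. The dump inside the script is constructed to mirror that shape; its addresses and chain names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag rules shadowed by an earlier
# catch-all ACCEPT in an iptables-save dump.

# Constructed sample dump, shaped like the thread's FORWARD chain:
# a state ACCEPT that includes NEW, followed by bogon DROPs and a SYN limiter.
sample_dump() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:syn-flood - [0:0]
-A FORWARD -s 192.168.3.0/24 -d 192.168.2.22 -p tcp -m tcp --dport 3128 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A syn-flood -m limit --limit 5/sec --limit-burst 4 -j ACCEPT
-A syn-flood -j DROP
COMMIT
EOF
}

# Print "<chain> <rule-number> <rule>" for each rule that follows a catch-all
# ACCEPT in its chain. A rule is treated as catch-all when its only selector is
# a state (or conntrack) list that contains NEW: every non-INVALID packet hits it.
unreachable_rules() {
  awk '
    /^-A / {
      chain = $2
      n[chain]++
      if (dead[chain]) { print chain, n[chain], $0; next }
      rule = $0
      sub(/^-A [^ ]+ /, "", rule)
      if (rule ~ /^-m (state --state|conntrack --ctstate) [A-Z,]*NEW[A-Z,]* -j ACCEPT$/)
        dead[chain] = 1
    }'
}

# Number of shadowed rules in the constructed sample.
sample_unreachable_count() {
  sample_dump | unreachable_rules | wc -l | tr -d ' '
}

# Stand-alone run: list the dead rules of the sample.
sample_dump | unreachable_rules
```

On the sample this reports FORWARD rules 4, 5 and 6: the bogon DROP, the INVALID DROP and the jump to syn-flood. Strictly, packets in state INVALID do slip past the NEW,RELATED,ESTABLISHED rule, so the INVALID DROP is the one exception the check does not model. To use it on a real box, replace sample_dump with iptables-save piped into unreachable_rules.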
- 08-19-2010 #6Just Joined!
- Join Date
- Aug 2010
- Posts
- 22
The second problem was solved.
I think the problem came from my rule allowing current connections. I modified the settings to:
Code:
#Authorised current connections
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
But for my internet connection I don't know if the problem is resolved...
I think not.
I would like more information to put my rules in the best possible order.
Because clients which don't have an ADMIN IP can connect by SSH to my server but not to my firewall, which uses INPUT/OUTPUT rules and not FORWARD for the clients...
How can I do this?
And for the SYN-flood attack, have you any idea?
Sincerely
- 08-19-2010 #7
Way too much to read with tags all through it. Scripts are nice for setting up the firewall, but you should let IPTABLES save and load the saved file. That is just my opinion.
Here is what you have;
Server LAN
Client LAN
INTERNET
FIREWALL
You need to ask what you want each to be allowed to do.
Myself, I don't allow any connections to the firewall.
I would not allow the servers to do anything except DL updates. They are normally the first to get compromised and attack your network.
Next question is what do you not want the clients to do or do you only want to allow them to do some things?
Is the internet going to have access to the servers?
I never lock down by IP Address unless I have to. I prefer to use ports to do my locking down.
If you would like that I look at your rules then run 'iptables-save' and post the output for the file. Much easier to read.
- 08-20-2010 #8Just Joined!
- Join Date
- Aug 2010
- Posts
- 22
Thanks Lazydog.
My script is loaded by the /etc/rc.d/rc.local service at system startup.
And I know what I want! I want to be sure that my script does what I write!
And I want my rule about SYN-flood to work fine, to avoid my "attack" on my router!
It's true that giving internet access to the firewall is not the best setting...
Only one server is allowed to access ports 53, 80 and 443 to download all the updates needed in my LAN.
I don't want the clients to be able to try SSH connections anywhere.
I add a file with the iptables-save results.
Thanks for your help
- 08-20-2010 #9
OK, the SYN rules look fine. Why are you listing every address and dropping it?
Code:
-A INPUT -s 0.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -s 1.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -s 2.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -s 3.0.0.0/255.0.0.0 -i eth0 -j DROP
[....]
-A INPUT -s 252.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -s 253.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -s 254.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -s 255.0.0.0/255.0.0.0 -i eth0 -j DROP
This is overkill, not needed, and will slow down the firewall as it has to read and apply each of them. You do this again on the FORWARD chain also, and again it shouldn't be like this. The policy will drop these packets, and if you want to feel safer then add a DROP rule at the end of every chain. I do this out of habit.
Your thousands of ESTABLISHED,RELATED rules are also not needed. You only need one per chain, as the first rule, that covers everything.
I think you are looking at the firewall in the wrong way. By default you should drop everything and then only allow through what is needed/wanted. Looking at your rules, you are trying to control everything with individual rules, and it just makes reading/following your rules a nightmare.
For example, you are dropping everything long before they reach the SYN rules, so these rules are useless as no packets will ever reach them. And if you follow the block rules I have listed for the Internet INPUT side you don't have to worry about SYN flags, as all packets are dropped anyway.
Your rules should be interface specific. In other words, you should never allow any connection to your firewall from the outside, so the following rules should be used:
Code:
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -j DROP
This allows the connections that the firewall starts, i.e., NTP, to be allowed to return the requested information.
Here is an example of rules that are bloated and don't need to be.
I'm going to assume that 192.168.2.1 is the firewall since these are INPUT rules.
These rules...
Code:
-A INPUT -s 192.168.2.240 -d 192.168.2.1 -p tcp -m tcp --sport 1024:65535 --dport 324 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.3.12 -d 192.168.2.1 -p tcp -m tcp --sport 1024:65535 --dport 324 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.3.11 -d 192.168.2.1 -p tcp -m tcp --sport 1024:65535 --dport 324 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.3.10 -d 192.168.2.1 -p tcp -m tcp --sport 1024:65535 --dport 324 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Could be changed to this....
Code:
-A INPUT -s 192.168.2.240 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.3.12 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.3.11 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.3.10 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
The ESTABLISHED,RELATED part is handled by the INPUT rule you already have listed for this. This is all you really need. The same applies to your other bloated rules.
You should really read up on firewalls and rule setup. Packets that are passing through the system will never touch the INPUT rules and packets that stop at the firewall will never touch FORWARD rules.
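An added example, written for this thread and not Lazydog's or the original poster's script: a compact ruleset in the iptables-save/iptables-restore format recommended above, applying the points made in this post (one ESTABLISHED,RELATED rule first in each chain, interface-specific rules, default DROP with per-service NEW rules, and the SYN limiter placed before anything that could accept the packet). The interface names, subnets and the update/proxy server address are assumptions for illustration; the helper functions after the ruleset only exist so the ordering can be checked.

```shell
#!/bin/sh
# Added example, not the thread's own script. Assumed layout:
#   eth0 = Internet side, eth1 = server LAN 192.168.2.0/24,
#   eth2 = client LAN 192.168.3.0/24, 192.168.2.22 = update/proxy server.
WAN=eth0
SRV_IF=eth1
CLT_IF=eth2
LAN_SRV=192.168.2.0/24
LAN_CLT=192.168.3.0/24
UPDATE_SRV=192.168.2.22

# Emit the ruleset in iptables-restore format (comment lines are ignored by it).
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:syn-flood - [0:0]
# One state rule per chain, first, replaces every per-service RELATED,ESTABLISHED pair.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# Rate-limit new TCP connections (SYN only) before any ACCEPT can shadow the check.
-A FORWARD -p tcp --syn -m state --state NEW -j syn-flood
-A syn-flood -m limit --limit 5/sec --limit-burst 4 -j RETURN
-A syn-flood -j DROP
# Nothing from the Internet may start a connection to the firewall itself.
-A INPUT -i $WAN -j DROP
# Admin SSH to the firewall only from the server LAN (assumed policy).
-A INPUT -i $SRV_IF -s $LAN_SRV -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $CLT_IF -j DROP
# Only the update server may reach the Internet, and only for DNS/HTTP/HTTPS.
-A FORWARD -i $SRV_IF -o $WAN -s $UPDATE_SRV -p udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -i $SRV_IF -o $WAN -s $UPDATE_SRV -p tcp -m multiport --dports 53,80,443 -m state --state NEW -j ACCEPT
# Clients reach the proxy on the update server; everything else is dropped by policy.
-A FORWARD -i $CLT_IF -o $SRV_IF -s $LAN_CLT -d $UPDATE_SRV -p tcp --dport 3128 -m state --state NEW -j ACCEPT
# The firewall's own outbound traffic: DNS and NTP only.
-A OUTPUT -o $WAN -p udp -m multiport --dports 53,123 -m state --state NEW -j ACCEPT
# Explicit final drops, as a habit, even though the policy already drops.
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j DROP
COMMIT
EOF
}

# First rule appended to chain $1.
first_rule() {
  gen_ruleset | grep "^-A $1 " | head -n 1
}

# 1-based position, within chain $1, of the first rule matching grep pattern $2.
rule_index() {
  gen_ruleset | grep "^-A $1 " | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Stand-alone run: print the ruleset (redirect to a file for iptables-restore).
gen_ruleset
```

The syn-flood chain uses RETURN rather than ACCEPT for SYNs under the limit, so a packet that passes the rate check still has to match a service rule; a chain that ACCEPTs, as in the listing earlier in the thread, would let any rate-limited SYN through regardless of destination. Load it with gen_ruleset > /etc/iptables.rules followed by iptables-restore < /etc/iptables.rules; on iptables versions that support it, iptables-restore --test parses the file without applying it.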
- 08-23-2010 #10Just Joined!
- Join Date
- Aug 2010
- Posts
- 22
Thanks Lazydog!
For the first, I saw that in a script made with professional knowledge.
It says that we should never be contacted by these networks, which are reserved.
But in the results of the iptables-save command we see that some of these rules have blocked something: (by the counters)
Code:
[27:1080] -A INPUT -s 72.0.0.0/255.0.0.0 -i eth0 -j DROP
For the ESTABLISHED,RELATED, I must have these settings at the end of my rules to allow the server to send the accepted request of my client.
Or I can do otherwise?
I understand what you changed here:
Code:
-A INPUT -s 192.168.2.240 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.3.12 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.3.11 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.3.10 -p tcp -m tcp --dport 324 -m state --state NEW -j ACCEPT
I find this better too!
But can I remove the ESTABLISHED,RELATED setting from all of my rules, even in the FORWARD chain? (for TCP requests only)
> I think you are looking at the firewall in the wrong way. Default you should drop everything and then only allow through what is needed/wanted. Looking at your rules you are trying to control every thing with individual rules and it just makes reading/following your rules a nightmare.
I don't know the difference... The objective of the firewall is to allow only what we need. And it's what I do. I think!
I can't make rules which look like this: (not safe, I find!)
Code:
iptables -I FORWARD -p tcp -s $LAN_CLT -d $LAN_SRV -j ACCEPT
iptables -I FORWARD -p tcp -s $LAN_SRV -d $LAN_CLT -j ACCEPT
iptables -I FORWARD -p udp -s $LAN_CLT -d $LAN_SRV -j ACCEPT
iptables -I FORWARD -p udp -s $LAN_SRV -d $LAN_CLT -j ACCEPT
Maybe you think that I need to make fewer rules?
But how? I can't open every port on my servers. So I have to make rules by service...
I'm not a specialist in firewalls! If you have a better way to show me in the configuration of the iptables script, I'm OK!
Thanks for your help.
Do you have an idea why my router goes down with a SYN-flood attack from the LAN?
Thanks again!